We are pleased to announce the immediate availability of the IOS-XE release 17.4.1 for the Catalyst Wireless Controllers. The new code is now posted on the CCO and can be found at this link:
https://software.cisco.com/download/home/286316412/type/282046477/release/Bengaluru-17.4.1
Supported platforms:
- Cisco Catalyst 9800-80 Wireless Controller
- Cisco Catalyst 9800-40 Wireless Controller
- Cisco Catalyst Wireless Controller for Cloud
- Cisco Catalyst Embedded Wireless Controller for Switch
- Cisco Catalyst 9800-L Wireless Controller
- Cisco Embedded Wireless Controller on Catalyst Access Point
- Cisco Catalyst 9100 Series Access Points (indoor and outdoor access points)
The section below provides information about the key new features and enhancements in the 17.4.1 release.
Many customers use a cookie-cutter configuration across their sites and branches, including local DHCP servers that hand out the same subnet at every site. Before 17.4, when the controller learned the same IP address from clients at two different sites (a legitimate situation), it was detected as IP theft and the client was blacklisted.
To overcome this limitation, Cisco has introduced a "zone ID" that is combined with the IP address to distinguish clients across sites. The zone ID is unique to each FlexConnect group/site. With it, the controller supports overlapping IP addresses across different flex sites while still providing all the functionality supported in flex deployments. Using a non-zero zone ID in the IP address key is what allows the IP overlap and therefore the cookie-cutter configuration.
This feature is designed for C9800 platforms managing multiple sites with FlexConnect deployments. It is not included in EWC, since EWC deployments are per site and the feature does not apply there. It supports local switching sites only and cannot be used with VLAN-based central switching or central DHCP deployments.
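To make the change concrete, here is an added example (illustrative Python, not Cisco code) that models a client IP binding table keyed on the IP address alone, as before 17.4, versus on (zone ID, IP address). The zone IDs, client MACs, IP addresses and site names are constructed sample data.

```python
"""Added example (not Cisco code): why keying client IP bindings on
(zone_id, ip) instead of ip alone stops false IP-theft detections at
FlexConnect sites that reuse the same DHCP subnet, without giving up
detection of a real conflict within one site."""
from dataclasses import dataclass, field


@dataclass
class ClientBinding:
    mac: str
    ip: str
    site: str      # FlexConnect site / flex profile name (constructed)
    zone_id: int   # 0 = legacy behaviour (no zone), non-zero = per-site zone


@dataclass
class IpBindingTable:
    """Tracks which MAC currently owns each IP key; flags theft on conflict."""
    table: dict = field(default_factory=dict)
    theft_events: list = field(default_factory=list)

    @staticmethod
    def key_for(b: ClientBinding) -> tuple:
        # With zone 0 every site collapses onto the same (0, ip) key, which is the
        # pre-17.4 behaviour; a non-zero zone keeps overlapping subnets apart.
        return (b.zone_id, b.ip)

    def learn(self, b: ClientBinding) -> bool:
        """Return True if the binding is accepted, False if flagged as IP theft."""
        key = self.key_for(b)
        owner = self.table.get(key)
        if owner is not None and owner.mac != b.mac:
            self.theft_events.append((b.mac, b.ip, b.site, owner.mac))
            return False
        self.table[key] = b
        return True


def simulate(zone_ids: dict) -> tuple:
    """Learn the same IP at two sites, then a real conflict at the first site.
    zone_ids maps site name -> zone ID. Returns (accept flags, theft events)."""
    tbl = IpBindingTable()
    results = []
    for site, mac in (("site-a", "aa:aa:aa:00:00:01"), ("site-b", "bb:bb:bb:00:00:02")):
        results.append(tbl.learn(ClientBinding(mac, "192.168.10.50", site, zone_ids[site])))
    # A genuine theft: a second MAC at site-a claims an IP already owned at site-a.
    results.append(tbl.learn(ClientBinding("cc:cc:cc:00:00:03", "192.168.10.50",
                                           "site-a", zone_ids["site-a"])))
    return results, tbl.theft_events


if __name__ == "__main__":
    print("pre-17.4 (zone 0):  ", simulate({"site-a": 0, "site-b": 0}))
    print("17.4 (zone per site):", simulate({"site-a": 1, "site-b": 2}))
```

With zone 0 the client at site-b collides with the one at site-a and is flagged, which is the false positive the feature removes. With distinct non-zero zones both are accepted, while a second MAC claiming an IP already owned inside the same zone is still caught, so the anti-spoofing check is scoped rather than disabled.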
Today the AP ignores option 12 in DHCP responses. Starting in 17.4, the AP consumes DHCP option 12.
Option 12 carries the hostname for the respective AP (the DHCP pool on the DHCP server holds the MAC-to-hostname mapping). The AP propagates the DHCP-learned hostname to the WLC during the CAPWAP discovery/join process.
The C9800 can be pre-configured with a filter based on an AP-name regex that pushes policies according to the AP hostname. Once the AP's CAPWAP session reaches the RUN state, the C9800 provisions the AP with the matching policy, site and RF tags based on the configured filters.
This is supported on all C9800 platforms.
Note: On the DHCP server, an individual DHCP pool must be created for each AP, keyed on the AP's MAC address, for this feature to work. The AP then uses that address and hostname when joining the WLC.
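The two halves of this feature, reading the hostname out of the DHCP reply and matching it against AP-name regex filters, are shown together in the following added example (illustrative Python, not Cisco code). The DHCP option bytes, the regex patterns and the non-default tag names are constructed for the example; only the default-* tag names are the C9800 built-in defaults.

```python
"""Added example (not Cisco code): pull the AP hostname out of DHCP option 12
(Host Name, RFC 2132) and run it through an ordered list of AP-name regex
filters to choose policy/site/RF tags, as the text describes."""
import re

# DHCP options field after the magic cookie, constructed: option 53 (DHCPACK),
# option 12 carrying the AP hostname, then END (255).
HOSTNAME = b"AP-HQ-FLOOR2-01"
SAMPLE_OPTIONS = bytes([53, 1, 5, 12, len(HOSTNAME)]) + HOSTNAME + bytes([255])


def parse_dhcp_options(payload: bytes) -> dict:
    """Walk the option TLVs; stop at END (255), skip PAD (0), refuse truncation."""
    opts, i = {}, 0
    while i < len(payload):
        code = payload[i]
        if code == 255:
            break
        if code == 0:
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts


def ap_hostname(payload: bytes):
    """Return the option 12 hostname, or None if the server sent none."""
    raw = parse_dhcp_options(payload).get(12)
    if raw is None:
        return None
    # The hostname is untrusted input from the DHCP reply: decode strictly and
    # accept only hostname-like characters before it reaches the regex filters.
    name = raw.decode("ascii")
    if not re.fullmatch(r"[A-Za-z0-9._-]{1,64}", name):
        raise ValueError(f"unexpected hostname characters: {name!r}")
    return name


# Ordered filter list, first match wins (assumed semantics; the hq-*/branch-*
# tag names are hypothetical, the default-* tags are the C9800 defaults).
AP_FILTERS = [
    (re.compile(r"^AP-HQ-"), {"policy": "hq-policy", "site": "hq-site", "rf": "hq-rf"}),
    (re.compile(r"^AP-BR\d+-"), {"policy": "branch-policy", "site": "branch-site", "rf": "branch-rf"}),
]
DEFAULT_TAGS = {"policy": "default-policy-tag", "site": "default-site-tag", "rf": "default-rf-tag"}


def tags_for(hostname: str) -> dict:
    """Pick the tag set for an AP name; unmatched APs keep the default tags."""
    for pattern, tags in AP_FILTERS:
        if pattern.search(hostname):
            return tags
    return DEFAULT_TAGS


if __name__ == "__main__":
    name = ap_hostname(SAMPLE_OPTIONS)
    print(name, tags_for(name))
```

Because the hostname arrives in the DHCP reply, the resulting tag assignment is only as trustworthy as the DHCP infrastructure on the AP's wired VLAN: DHCP snooping on the access switch and a tight allow-list of AP-name patterns (rather than a catch-all regex) keep an unexpected hostname from landing an AP in a privileged policy or site tag.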
Starting with 17.4, EWC is supported on the Catalyst 9105AXI access point.
The 9105AXI supports EWC. The 9105AXW-x (wall-plate) SKU does not support the EWC controller function, but it can serve clients in an EWC deployment by joining the EWC network as a subordinate AP. EWC on the C9105AXI supports all the features available on other EWC platforms.
The Embedded Wireless Controller (EWC) on Catalyst access points is designed and built for single-site or multi-site enterprise locations. It operates in FlexConnect mode and delivers the best performance by leveraging the site's wired network.
For single-site manageability, the customer can opt out of the Cisco DNA license and manage the network using EWC.
For multi-site control, add Cisco DNA software subscriptions to your Embedded Wireless Controller access points and manage the EWCs deployed across sites using Cisco DNA Center.
In 17.4 the EWC mobile app has been updated: an EWC can now be added by domain name.
Select the Domain Name option from the drop-down, enter the domain name and site, and press Add to List. The EWC then appears automatically in the Managed Networks list.
User and Entity Behavior Analytics (UEBA) looks at the behavior patterns of users and entities and applies algorithms and statistical analysis to detect meaningful anomalies.
Stealthwatch Cloud (SWC) is the Cisco cloud solution for UEBA. SWC receives a wide variety of network telemetry and logs and uses entity modeling to determine each network entity's role and what its normal behavior is.
If an entity exhibits new, abnormal behavior or signs of malicious activity, an alert is generated so that security professionals can quickly investigate and respond.
In 17.4, EWC (C9100 series) can export flow telemetry to Stealthwatch Cloud, which acts as the flow collector.
EWC DNA license opt-out option
Best choice for mid-market needs. With the DNA opt-out, no license subscription is required. Essential wireless capabilities, optimized RF, high availability, DevOps integration and IoT optimization remain available.
Network expansion: when a customer plans to expand the network by adding more sites with multiple EWCs, the customer can purchase a Cisco DNA license at any time and gain centralized management through Cisco DNA Center.
The opt-out option gives customers more flexibility to purchase licenses as their network needs grow.
In 17.4, the Day 0 CLI wizard provides full configuration of the box; after the Day 0 CLI wizard completes, the controller is ready for access points and clients to join.
This feature is supported on all physical appliances and on the 9800-CL in a private cloud.
Configurations such as HA SSO, certificate management, the wireless management interface and NTP can be set during the enhanced Day 0 CLI wizard.
Note: Public cloud is not supported, since those images are bootstrapped and do not need a Day 0 configuration.
In 17.4, rogue thresholds are configurable and forensic capture support has been added; both are configured through Cisco DNA Center.
Rogue rules added in DNA Center, configurable thresholds and forensic capture are available only through Cisco DNA Center.
Rogue rules, rogue containment and aWIPS can also be configured directly on the C9800 WLC.
Today the C9800 offers very limited combinations for the call-station-id sent in RADIUS attributes.
The following new call-station-id formats are included in 17.4.1 for wireless authentication and accounting. The purpose is to provide more combinations built from site tags, policy tags and flex profiles.
New call-station-id attributes:
- policy-tag-name
- ap-macaddress-ssid-sitetagname
- flex-profile-name
- ap-ethmac-ssid-flexprofilename
- ap-macaddress-ssid-flexprofilename
- ap-ethmac-ssid-policytagname
- ap-macaddress-ssid-policytagname
- ap-ethmac-ssid-sitetagname
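What these formats look like on the wire, and what a RADIUS server has to do to get the site tag or policy tag back out of the string, is shown in the following added example (illustrative Python, not Cisco code). The hyphen-separated lower-case MAC rendering and the ':' field delimiter are assumptions modelled on the usual mac:ssid style, and the AP attribute values are constructed.

```python
"""Added example (not Cisco code): build and split the RADIUS Called-Station-Id
value for the 17.4.1 call-station-id formats listed above."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ApContext:
    radio_mac: str     # ap-macaddress (radio/BSSID side)
    eth_mac: str       # ap-ethmac (wired interface)
    ssid: str
    site_tag: str
    policy_tag: str
    flex_profile: str


def _mac(mac: str) -> str:
    """Normalise any MAC spelling to aa-bb-cc-dd-ee-ff (assumed rendering)."""
    hexdigits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return "-".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


# Field name -> how the controller obtains it from the AP context
FIELD_GETTERS = {
    "ap-macaddress": lambda a: _mac(a.radio_mac),
    "ap-ethmac": lambda a: _mac(a.eth_mac),
    "ssid": lambda a: a.ssid,
    "sitetagname": lambda a: a.site_tag,
    "policytagname": lambda a: a.policy_tag,
    "flexprofilename": lambda a: a.flex_profile,
}

# Format name -> ordered field list, mirroring the eight new formats
FORMATS = {
    "policy-tag-name": ["policytagname"],
    "flex-profile-name": ["flexprofilename"],
    "ap-macaddress-ssid-sitetagname": ["ap-macaddress", "ssid", "sitetagname"],
    "ap-ethmac-ssid-sitetagname": ["ap-ethmac", "ssid", "sitetagname"],
    "ap-macaddress-ssid-policytagname": ["ap-macaddress", "ssid", "policytagname"],
    "ap-ethmac-ssid-policytagname": ["ap-ethmac", "ssid", "policytagname"],
    "ap-macaddress-ssid-flexprofilename": ["ap-macaddress", "ssid", "flexprofilename"],
    "ap-ethmac-ssid-flexprofilename": ["ap-ethmac", "ssid", "flexprofilename"],
}


def called_station_id(fmt: str, ap: ApContext) -> str:
    """NAS side: render the attribute value for the configured format."""
    if fmt not in FORMATS:
        raise ValueError(f"unknown call-station-id format {fmt!r}")
    return ":".join(FIELD_GETTERS[name](ap) for name in FORMATS[fmt])


def split_called_station_id(fmt: str, value: str) -> dict:
    """RADIUS-server side: recover the fields. The MAC comes first and never
    contains ':' in this rendering; the tag/profile name is last and is assumed
    not to contain ':'; only the SSID in the middle may, so it is taken as
    everything between the first and the last delimiter."""
    fields = FORMATS[fmt]
    if len(fields) == 1:
        return {fields[0]: value}
    mac, rest = value.split(":", 1)
    ssid, last = rest.rsplit(":", 1)
    return dict(zip(fields, (mac, ssid, last)))


if __name__ == "__main__":
    ap = ApContext("00:11:22:33:44:55", "0011.2233.4466", "corp-wifi",
                   "hq-site", "hq-policy", "hq-flex")
    for fmt in FORMATS:
        value = called_station_id(fmt, ap)
        print(f"{fmt:36} {value}  ->  {split_called_station_id(fmt, value)}")
```

The split shows why the delimiter matters for policy: a RADIUS server that keys authorization on the site tag must parse from the right, or an SSID containing ':' would shift the fields. Note also that these values are asserted by the controller, so a policy built on them is only as strong as the RADIUS shared secret and the integrity of the NAS itself.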
This is a wireless-specific requirement: support for a set of new vendor-specific attributes (VSAs) per WLAN in authentication and accounting requests. The attributes sent can differ between authentication and accounting requests.
The support applies only to RADIUS packets.
The configured attributes are sent in Access-Request, Accounting-Start, Accounting-Interim and Accounting-Stop messages.
This is supported on all C9800 flavors, including EWC.
Flex central authentication with local switching is supported; Flex local authentication is not supported.
In 17.4.1, IPv6 support has been introduced for HA deployments. This adds RMI over IPv6, gateway IP checks over native IPv6, controller monitoring through the RMI IPv6 address, and dual-stack support with RMI IPv6.
Prior to 17.4, HA was designed to work purely in an IPv4 network. Given the growth of IPv6 in the field, this feature provides additional flexibility to build and deploy an HA environment either in a purely IPv6 network or with dual-stack support.
The C9800 can now take HA decisions based on IPv6 network health, and it provides an additional option to monitor the controller through the IPv6 network.
The default gateway failure detection interval is 8 seconds. When the gateway stops responding, the controller waits 8 seconds, during which it sends 4 ICMP probes and 4 ARP probes and expects responses to them.
If the gateway is not reachable within those 8 seconds, SSO is initiated.
In 17.4 this interval is configurable in the range 6 to 12 seconds, with 8 seconds as the default. This gives the network administrator the flexibility to set the threshold according to the capability and design of their network.
| SL Today | What's new in 17.4.1 (Smart Licensing Using Policy) |
| --- | --- |
| Mandatory evaluation mode | No registration or evaluation mode |
| Registration to CSSM/satellite for compliance | Allows unlimited usage of un-enforced licenses |
| Licenses reported at regular intervals | Usage reports gathered and sent later |
| SL flow per device: device is aware of the Smart Account/Virtual Account (SA/VA) | Device has no knowledge of SA/VA |
| SLR for off-line customers | No SLR for greenfield (policy download) |
DHCP option 82 remote-ID format options have been supported on the C9800 since day 1 (the 16.10.x release).
17.4 supports all the remote-ID format options available on AireOS, including the ':' delimiter, and so reaches feature parity with AireOS-based controllers.
This helps adoption without requiring configuration changes to the network infrastructure.
The colon ':' delimiter was missing in some options such as apname:ssid; it is now supported to achieve feature parity.
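The following added example (illustrative Python, not Cisco code) encodes a DHCP option 82 (Relay Agent Information, RFC 3046) with the Remote ID sub-option carrying the colon-delimited apname:ssid value, and parses it back with strict length checks. The circuit-ID bytes, AP name and SSID are constructed; the exact Cisco byte layout of each remote-ID format is not shown on the page and is not claimed here.

```python
"""Added example (not Cisco code): DHCP option 82 with an apname:ssid Remote ID,
encoded and decoded as length-checked TLVs."""

OPTION_RELAY_AGENT = 82
SUB_CIRCUIT_ID = 1
SUB_REMOTE_ID = 2


def remote_id(fmt: str, ap_name: str, ssid: str, ap_mac: str = "") -> str:
    """Render the remote-ID string for a few AireOS-style formats (assumed spellings)."""
    if fmt == "apname:ssid":
        return f"{ap_name}:{ssid}"
    if fmt == "apmac:ssid":
        return f"{ap_mac}:{ssid}"
    if fmt == "apname":
        return ap_name
    raise ValueError(f"unsupported remote-id format {fmt!r}")


def _suboption(code: int, data: bytes) -> bytes:
    if len(data) > 255:
        raise ValueError("sub-option too long")
    return bytes([code, len(data)]) + data


def build_option82(circuit_id: bytes, remote: str) -> bytes:
    """Relay-agent side: option 82 = [82, len, circuit-id TLV, remote-id TLV]."""
    body = _suboption(SUB_CIRCUIT_ID, circuit_id) + _suboption(SUB_REMOTE_ID, remote.encode("ascii"))
    if len(body) > 255:
        raise ValueError("option 82 too long")
    return bytes([OPTION_RELAY_AGENT, len(body)]) + body


def parse_option82(opt: bytes) -> dict:
    """Return {sub-option code: bytes}. Every length is checked against the
    buffer so a malformed relay option cannot make the parser read past it."""
    if len(opt) < 2 or opt[0] != OPTION_RELAY_AGENT:
        raise ValueError("not option 82")
    body = opt[2:2 + opt[1]]
    if len(body) != opt[1]:
        raise ValueError("truncated option 82")
    subs, i = {}, 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated sub-option header")
        code, length = body[i], body[i + 1]
        data = body[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("truncated sub-option")
        subs[code] = data
        i += 2 + length
    return subs


def remote_id_fields(opt: bytes) -> tuple:
    """DHCP-server side: decode the Remote ID back into (apname, ssid). AP names
    carry no ':', so the first delimiter is the boundary even if the SSID has one."""
    raw = parse_option82(opt).get(SUB_REMOTE_ID)
    if raw is None:
        raise ValueError("no remote-id sub-option")
    ap_name, _, ssid = raw.decode("ascii").partition(":")
    return ap_name, ssid


if __name__ == "__main__":
    opt = build_option82(b"\x00\x04", remote_id("apname:ssid", "AP-HQ-01", "corp-wifi"))
    print(opt.hex())
    print(parse_option82(opt), remote_id_fields(opt))
```

The parity point in the text is the string format; the length checks in the parser are the part a DHCP server operator should care about, since option 82 is inserted by the relay and is attacker-influenced on any segment where an untrusted host can reach the relay or spoof it.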
Client session timeout is handled slightly differently on the legacy (AireOS) WLC and on the C9800. In 17.4.1 the C9800 behavior has been aligned with the legacy WLC for dot1x WLANs.
Session timeout behavior for non-dot1x WLANs is unchanged from the previous release.
On the C9800 the session timeout is configured under the policy profile. The default timeout value is 1800 seconds.
The following describes how the session timeout behaves when a network is upgraded from a pre-17.4 release to 17.4.
Scenario 1: timer configured as 0 in pre-17.4 (timer not running for the session)
- After the upgrade to 17.4, the timer value is retained as 0, so the timer still does not run for the session.
Scenario 2: timer configured between 1 and 299 seconds in pre-17.4
- After ISSU, the remaining time on the session timer continues to run (example: if set to 100 seconds and the ISSU happened after 30 seconds, the timer runs for a further 70 seconds after ISSU).
- After re-authentication, the timer is set to 86400 seconds (refer to Table 3).
Scenario 3: timer configured >= 300 seconds in pre-17.4
- After ISSU, the remaining time on the session timer continues to run (example: if set to 600 seconds and the ISSU happened after 330 seconds, the timer runs for a further 270 seconds after ISSU).
- After re-authentication, the timer is set to the configured value.
This parity feature adds support for rogue event notification through syslog.
Before 17.4.1, rogue events were reported only through SNMP traps; this enhancement also sends rogue event notifications to syslog.
A new configuration CLI enables or disables syslog notification of rogue events. The syslog notification can be enabled in the policy profile.
Cisco’s Fastlane+ is a co-developed solution with Apple that significantly improves the experience of any Wi-Fi 6 capable iPhone or iPad connected to a Cisco Wi-Fi 6 network. Fastlane+ enhances Wi-Fi 6’s powerful OFDMA scheduler, enabling iOS 14, iPadOS 14 and later Wi-Fi 6 capable Apple devices to stream high-quality voice and video content efficiently under congested RF environments.
In a Wi-Fi 6 network, multiple Wi-Fi 6 endpoints can pass traffic to the same access point in parallel and dramatically increase the RF efficiency using uplink MU-OFDMA (Multi-User – OFDMA). Uplink MU-OFDMA reduces network latency and maintains a great user experience well beyond the levels that previous generations of Wi-Fi could. However, even Wi-Fi 6 eventually faces efficiency loss and increased latency with higher network demand, negatively impacting the end-user experience.
How Fastlane+ Solves the Problem
Fastlane+ solves this problem by enhancing the existing Wi-Fi 6 MU-OFDMA solution and cooperating directly with Wi-Fi 6 capable Apple endpoints running iOS 14 and later. Rather than requiring the AP to poll the endpoints periodically for buffer status reports (BSRs), an iOS endpoint that starts using a voice or video application automatically sends an Advanced Scheduling Request (ASR) trigger to the AP.
This ASR trigger informs the access point:
Once the Cisco Catalyst 9130 access point receives an ASR trigger, the AP initiates an ASR session with the iOS endpoint. Using the ASR trigger’s data, the AP can now intelligently manage endpoint BSRs without polling. This method reduces the overhead and load on the network while still providing the dynamic information required to schedule efficiently. With less bandwidth required, latency is significantly reduced, and a high-quality voice and video experience can be maintained, even in a congested network.
The following table summarizes the benefits brought by Fastlane+:

| Metric | Change | Benefit |
| --- | --- | --- |
| MOS score | 40% increase | Better voice and video quality |
| Latency | 30% decrease | More reliability |
| Jitter | 10% decrease | More reliability |
| Throughput | 20% increase | High-definition streaming |

With significant improvements in MOS, latency, jitter and throughput, these metrics together translate directly into a better user experience, not only for Cisco and Apple VoIP applications such as Webex and FaceTime but for all voice and video traffic in general. In summary, Fastlane+ takes the already efficient Wi-Fi 6 solution to the next level by lowering network latency for the entire network, ultimately improving the experience even of devices that do not support Fastlane+.