Showing results for 
Search instead for 
Did you mean: 

IOS-XE 17.4.1 Blog

Cisco Employee
Cisco Employee

We are pleased to announce the immediate availability of the IOS-XE release 17.4.1 for the Catalyst Wireless Controllers. The new code is now posted on the CCO and can be found at this link:





Supported Hardware and Virtual Platforms


Cisco Catalyst 9800-80 Wireless Controller

Cisco Catalyst 9800-40 Wireless Controller

Cisco Catalyst Wireless Controller for Cloud

Cisco Catalyst Embedded Wireless Controller for Switch

Cisco Catalyst 9800-L Wireless Controller

Cisco Embedded Wireless Controller on Catalyst Access Point


Support Access Points

Cisco Catalyst 9100 Series Access Points

  • Cisco Catalyst 9105AX Access Points
  • Cisco Catalyst 9115AX Access Points
  • Cisco Catalyst 9117AX Access Points
  • Cisco Catalyst 9120AX Access Points
  • Cisco Catalyst 9130AX Access Points

Indoor Access Points

  • Cisco Aironet 1800 Series Access Points
  • Cisco Aironet 2800 Series Access Points
  • Cisco Aironet 3800 Series Access Points
  • Cisco Aironet 4800 Series Access Points


Outdoor Access Points

  • Cisco Aironet 1540 Series Access Points
  • Cisco Aironet 1560 Series Access Points
  • Cisco Industrial Wireless 3700 Series Access Points
  • Cisco Catalyst Industrial Wireless 6300 Heavy Duty Series Access Point
  • Cisco 6300 Series Embedded Services Access Point


The section below provides information about the key new features and enhancements in the 17.4.1 release.

FlexConnect IP Overlap across different Sites

Multiple customers tend to use cookie-cutter configuration across the sites and branches. This includes local DHCP servers configured with the same subnet.  Before 17.4, when the Controller learns the same IP from two different Sites (which is valid), is detected as IP Theft and the client would be blacklisted. 

To overcome this limitation, Cisco has introduced “ZONE ID” in combination with IP addresses to distinguish clients across sites. This ZONE ID is unique to each Flexconnect group/Site.  With this new ZONE ID concept, the Controller can support Overlapping IP address across different flex sites and still provide all the functionalities that are supported in the flex deployments. Use of non-zero zone-id in IP address key to allow IP overlap helps to achieve cookie-cutter configuration.

This feature is designed for C9800 Platforms managing multiple sites with Flexconnect deployments. This feature is not included in EWC as the EWC deployments are per site, this feature is not applicable. This feature is designed to support Local Switching Sites and cannot be used VLAN based Central Switching and Central DHCP deployments.


Today AP ignores Option12 in the DHCP responses. In 17.4, this feature is to make AP consume the DHCP Option 12.

Option12 holds the Hostname for the respective APs (DHCP Pool in the DHCP server will have MAC-Hostname Mapping). APs propagates the DHCP hostname to the WLC during CAPWAP Discovery/Join processes.

C9800 can be pre-configured with an appropriate filter based on AP Name Regex to push the policies based on AP hostname fields. Once AP CAPWAP goes into RUN state, C9800 can provision the AP with the correct Policy, Site, and RF tags based on the configured policies

This is supported by all C9800 Platforms.

Note: In the DHCP server, it is required to create an individual DHCP pool for each AP based on MAC address for this feature. AP will in turn uses this address and hostname while joining the WLC.



Starting from 17.4, we will support EWC in Catalyst 9105AXI Access Point.

9105AXI supports EWC. 9105AXW-X (wall-plate) SKU doesn’t support the EWC controller function but can serve clients in EWC deployment by joining the EWC network as a subordinate AP. EWC in C9105AXI Access Point supports all the features that exist in other EWCs.

The Embedded Wireless Controller (EWC) on Catalyst Access Points is specifically designed and built for single or multisite enterprise locations by operating in Flexconnect Mode and provides the best performance by leveraging the sites’ wired performance.

For Single site manageability, the Customer can opt-out Cisco DNA License and manage the network using EWC.

For multisite control, add Cisco DNA software subscriptions to your Embedded Wireless Controller access points and manage the EWC deployed across sites using Cisco DNA Center.


EWC Wireless Mobile App Update 1.1.2 

In 17.4, there is a new EWC Mobile App Update. Add EWC with Domain Name.

Just select the Domain Name option from the drop-down and Add domain name and Site & press Add to List. Automatically the EWC shows in Managed Networks List. 

StealthWatch Cloud integration EWC

User Entity Behavior Analytics (UEBA) looks at the patterns of users/entitys’ behavior and then applies algorithms and statistical analysis to detect meaningful anomalies.

Stealthwatch Cloud is the Cisco cloud solution for UEBA. SWC receives a wide variety of network telemetry and logs, it uses entity modeling to determine each network entity’s role and determine the entity’s normal behavior is.

If an entity exhibits new, abnormal behavior or signs of malicious activity, an alert is generated, so security professionals can quickly investigate and respond

In 17.4, Stealthwatch-Cloud can be a Flow Collectors. This is for EWC (C9100 series)

 EWC DNA License opt-out option

Best choice for Mid-Market Needs. DNA OPT-OUT - No License Subscription Required. Essential wireless capabilities, Optimized RF, High Availability, DevOps integration, and IOT optimized will be available. 

Network Expansion: When a customer is planning to expand the network by adding more sites with multiple EWCs, the customer can purchase a Cisco DNA License at any time at will and get the benefit of centralized management capabilities using the Cisco DNA Center.

This opt-out option provides better flexibility to Customers in purchasing licenses upon network needs.

Day 0 CLI Enhancements

In 17.4, full-fledged configuration via the CLI in the Day0 of the box. It’s ready for access point and client join post-Day0 CLI Wizard.

This feature is supported on all physical appliances and the 9800-CL private cloud.

Configurations such as HA SSO, Certificate Management, Wireless Management Interface, NTP can be configured during this Day 0 CLI Enhancements.

Note: There is no support for public cloud since the images are bootstrapped and don’t need a day0 configuration

Rogue enhancements

In 17.4, we have options to Configure Thresholds and added Forensic Capture support. These configurations can be done through Cisco DNA Center.

Rogue rules added in DNA Center, configurable thresholds, and forensic capture is only available through Cisco DNA Center

Rogue rules /rouge containment and aWIPs can be configured from WLC C9800

Enhanced Called-Station ID

sC9800 has very limited combinations for configuring call-station-IDs in radius attributes on the device Today.

Following new call-station-id Attributes are included in 17.4.1 for Wireless Authentication & Accounting. The purpose is to bring in more combinations with Site-Tags, Policy-Tags, Flex Profiles 

New call-station-id Attributes










RADIUS Vendor-Specific Attributes

This is a wireless specific requirement. The requirement is to support a set of new Vendor-Specific Attributes per WLAN for Authentication and Accounting requests. The attributes to be sent can be different for authentication and authorization requests

The support is required only for RADIUS packets.


This is supported in all C9800 flavors. EWC support is present

Flex Central Auth with Local switching will be supported and Flex Local Auth is NOT SUPPORTED

HA Enhancements – RMI Over IPv6

In 17.4.1, we have introduced IPv6 support in HA deployments.  With the addition we can have RMI over IPv6, Gateway IP Check with Native IPv6, Controller Monitoring through RMI IPv6, and Dual-Stack support with RMI IPv6.

Prior to release 17.4, the HA is designed to work purely in the IPv4 network, considering the expansion of the IPv6 network in the field, this new feature can bring in additional flexibility to build/deploy a HA environment either purely an IPv6 network or a Dual-Stack support.

Now, the Cisco C9800 has the capability to take HA decisions based on IPv6 network health and it provides an additional option to monitor the Controller through the IPv6 network.

HA Enhancements - Configuration of Gateway Failure Detection Interval

Default Gateway Failure detection interval is 8 sec. Whenever Gateway is not reachable, it will wait for 8 seconds, 4 ICMP responses, and 4 ARP responses.

If Gateway is not reachable in 8 seconds, SSO will be initiated.

In Release 17.4 this interval is configurable, [6 sec – 12 sec], the default being 8. This configuration option provides flexibility to the network admin to set the threshold based on their network capability and design.

Smart Licensing Enhancements


SL Today

What’s new in 17.4.1

(Smart Licensing using Policy)

Mandatory evaluation mode

Registration to CSSM/satellite for compliance

Licenses reported at regular intervals

SL flow per device - Device is aware of Smart Account/Virtual account (SA/VA)

SLR for off-line customers 

No registration or evaluation mode

Allows unlimited usage of un-enforced licenses

Usage reports gathered and sent later

The Device has no knowledge of SA/VA

No SLR for greenfield - [policy download]


DHCP Option 82

Support all the remote-id format options as in AireOS, along with delimiter ‘:’ Attains Feature Parity with AireOS based controllers.

Helps in adoption without making config changes to Network Infrastructure

Following remote-id options supported:

  • AP MAC

DHCP Option-82 Remote ID format options were introduced in C9800 from Day 1 (16.10.x release)

The colon ‘:’ delimiter was missing in some options like apname:ssid, which is supported now to achieve feature parity 

Session Timeout Changes

When we speak about Client Session Timeout, there is small differences in how it is handled in our legacy WLC and C9800. In 17.4.1 we have made in similar in 9800 WLCs for Dot1x WLANs.

Session timeout behavior remains the same for non-dot1x WLANs as in the previous release.

Session timeout configuration in C9800 is under policy-profile. The default timeout value is 1800 seconds.

The following information has the details on how Session Timeout is implemented if a network is upgraded from Pre-17.4 to 17.4

Scenario 1:

Timer configured as 0 in pre 17.4 (Timer not running for the session)

After upgrade to 17.4, the timer value is retained as 0, resulting in the timer not running for the session.

Scenario 2:

- Timer configured between 1-299 seconds in pre-17.4.

After ISSU, the remaining timer in the session will continue to run.

    (Example: If set to 100 seconds and the ISSU happened after 30 seconds, the timer will run for 70 seconds after ISSU)

After re-auth, the timer will be set to 86400 seconds (refer to Table 3)

Scenario 3:

Timer configured >=300 seconds in pre-17.4

After ISSU, the remaining timer in the session will continue to run.

    (Example: If set to 600 seconds and the ISSU happened after 330 seconds, the timer will run 270 seconds after ISSU)

After re-auth, the timer will be set to the timer configured.

Syslog support for Rogue Events

This requirement is a parity feature to add support for Rogue Events notification through SYSLOG

Before 17.4.1, the Rogue Events are reported only through SNMP Traps, this enhancement brings in support to include the rogue events notification in SYSLOG as well

New config CLI is introduced to enable/disable Syslog notification of rogue events. The Syslog notification can be enabled in the Policy Profile.



Cisco’s Fastlane+ is a co-developed solution with Apple that significantly improves the experience of any Wi-Fi 6 capable iPhone or iPad connected to a Cisco Wi-Fi 6 network. Fastlane+ enhances Wi-Fi 6’s powerful OFDMA scheduler, enabling iOS 14, iPadOS 14 and later Wi-Fi 6 capable Apple devices to stream high-quality voice and video content efficiently under congested RF environments.


Congested Networks without Fastlane+

In a Wi-Fi 6 network, multiple Wi-Fi 6 endpoints can pass traffic to the same access point in parallel and dramatically increase the RF efficiency using uplink MU-OFDMA (Multi-User – OFDMA). Uplink MU-OFDMA reduces network latency and maintains a great user experience well beyond the levels that previous generations of Wi-Fi could. However, even Wi-Fi 6 eventually faces efficiency loss and increased latency with higher network demand, negatively impacting the end-user experience. 

How Fastlane+ Solves the Problem

Fastlane+ solves this problem by enhancing the existing Wi-Fi 6 MU-OFDMA solution and directly cooperates with Wi-Fi 6 capable Apple endpoints running iOS 14 and later software. Rather than requiring the AP to poll the endpoints for BSRs periodically, when an iOS endpoint decides to use a voice or video application, they will automatically send an Advanced Scheduling Request (ASR) trigger to the AP.

This ASR trigger informs the access point:

  1.          That the endpoint is about to start uplink voice or video traffic.
  2.          And provides the access point with the endpoint’s required traffic periodicity and bit rate.

Once the Cisco Catalyst 9130 access point receives an ASR trigger, the AP initiates an ASR session with the iOS endpoint. Using the ASR trigger’s data, the AP can now intelligently manage endpoint BSRs without polling.  This method reduces the overhead and load on the network while still providing the dynamic information required to schedule efficiently. With less bandwidth required, latency is significantly reduced, and a high-quality voice and video experience can be maintained, even in a congested network.

The following table depicts the benefits brought upon by Fastlane+,


Performance Increase


MOS Score

40% Increase

Better Voice and Video Quality


30% Decrease

More Reliability


10% Decrease

More Reliability


20% Increase

High-Definition Streaming



With a significant improvement in MOS, latency, jitter, and throughput, these metrics together directly translate into a better user experience not only for Cisco and Apple VoIP applications such as WebEx and FaceTime but all voice and video traffic in general. In summary, Fastlane+ takes the already efficient Wi-Fi 6 solution to the next level by lowering network latency for the entire network and ultimately improving the experience of even non-Fastlane+ supported devices.













1 Comment
Cisco Employee

Team, I'm trying to set a Day-0 configuration wizard via GUI, I'm using this latest Bengaluru code, I was trying to deploy an OVA but when I get to Initial Configuration Dialog, I don't exactly know what type of network settings need to be done to at least have a static ip and reach the GUI, is that even possible for a C9800 VM that is into a nested Esxi 6.0? Thanks. 

Recognize Your Peers
Content for Community-Ad