Cisco WLC New Features

Cisco just released wireless LAN controller code version, which includes a laundry list of new features. Many of these new features have been in development for quite some time, and both partners and customers have been anxiously awaiting several.

Visit Cisco's website to see the full release notes for this code version.

Here are some of the notable new features and what they will mean for customers:
  • WIPS Enhanced Local Mode
    This feature places a subset of Adaptive WIPS capabilities into access points operating in Local or H-REAP modes. Traditionally, Cisco aWIPS required Monitor mode APs. Now customers can get most of the benefits of an in-depth aWIPS deployment with the same access points that service client connections, without having to spend additional money on dedicated monitor APs. The solution still requires the WCS and MSE platforms, but can reduce CapEx and OpEx costs for customers. It is designed primarily for retail customers with distributed branch offices needing to maintain PCI compliance in the face of expanding mobile retail initiatives.

    By my count, ELM supports detection of 35 of 48 attacks available in the full aWIPS solution (~73%). The majority of missing attack detections are comprised of some RF DoS and Zero-Day attack detection capabilities, which are arguably not the most severe attacks (DoS) and are notoriously hard to baseline against false-positives / negatives (Zero-Day).

    Additionally, ELM attack detection focuses on the AP's current operating channel and has only limited visibility into off-channel attacks, gained through RRM off-channel scanning. This makes sense, since the network infrastructure is performing double duty serving clients and detecting attacks. It should not be an issue for larger deployments with multiple APs covering most or all of the available channels. For smaller installations, however, it could present a serious problem and reduce the effectiveness of the solution. That said, this solution is arguably aimed at the larger retail deployments where the expense of deploying dedicated Monitor mode APs has been a problem.

    All in all, larger customers should take a look, while smaller customers will probably opt for a dedicated WIPS solution.

  • H-REAP Fault Tolerance
    Cisco has been improving Hybrid REAP mode functionality by leaps and bounds in order to compete in distributed WLAN architecture scenarios with the likes of Aerohive's Cooperative Control, Aruba's Instant virtual controller, Motorola's Adaptive APs, etc.

    H-REAP fault tolerance improves operation by removing the requirement for H-REAP mode APs to reboot when moving from standalone back to a connected state. Previously, H-REAP APs moved into standalone mode without affecting locally-switched clients, but when re-joining a controller they were required to reboot and download a complete configuration, which caused a service disruption during the fail-back process. Now the AP is able to re-join the controller without impacting client service or rebooting, assuming it can verify that the configuration matches.

    In addition, H-REAP WAN latency may now exceed 100ms (upwards of 2 seconds) provided customers use H-REAP Local Authentication of clients using the internal user list pushed to the access points.

  • H-REAP Opportunistic Key Caching (OKC)
    Previously, H-REAP access points only supported CCKM key caching for fast roaming. Now they support both CCKM and OKC, which should provide much broader support for fast roaming with many more clients in typical customer environments. Note that both CCKM and OKC still require the 802.1x/EAP key derivation to be completed through the controller. Any keys derived while the H-REAP AP is in standalone mode (disconnected) will not support fast roaming between multiple APs.

    I will also be awaiting 802.11r Fast BSS Transition support in H-REAP APs once broader market support and adoption are achieved through the Wi-Fi Alliance Voice Enterprise Certification (due out in 2011).

  • Cisco Identity Services Engine (ISE) Support
    Cisco's next-generation ISE product provides context based access controls and integrates several services into a cohesive platform, including the Cisco Secure ACS authentication and Network Admission Control (NAC / Clean Access) products. This platform enables organizations to enforce network access policies based on a combination of user and device identity, and will be integrated into wireless, switch, and router platforms with software updates.

    ISE addresses customer needs for granular access control beyond VLANs and IP subnet policies, acknowledging the need for deeper insight into the context of the client session to drive policy enforcement. A common scenario for this today might be differential network and application access based on user and device, differentiating access by an employee on a laptop versus an iPad. ISE is part of the Cisco TrustSec solution.

  • VLAN Select
    This feature enables pooling of multiple VLANs into a group for assignment to a single WLAN SSID or AP Group. Large wireless installations have traditionally had three options for accommodating the number of wireless clients on a single SSID: a single large subnet and broadcast domain, dynamic VLAN assignment, or multiple SSIDs, which can introduce roaming latency and problems. VLAN Select allows client connections to a single SSID to be round-robin load-balanced across multiple network VLANs to reduce subnet size and broadcast / multicast forwarding concerns.

    Another use-case for VLAN Select is with guest termination in a DMZ environment. Large guest networks also traditionally required large subnets or multiple anchor controllers to segment the client population into smaller broadcast domains. This resulted in additional CapEx to buy more anchor controllers, since a single anchor controller could only use a single VLAN attached to a WLAN. Now, multiple VLANs can be tied to the same WLAN through VLAN Select, reducing the need for multiple anchor controllers.
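To make the H-REAP OKC point above concrete, here is an added example (not code from the post or from Cisco) of why one controller-derived PMK supports fast roaming across APs while a standalone-derived key does not: the client and the target AP each compute a per-AP PMKID from the same cached PMK, and a match lets the 802.1X/EAP exchange be skipped. The PMKID formula is the IEEE 802.11 key-caching rule; the MAC addresses, PMK values and the controller cache model are constructed for illustration.

```python
import hmac
import hashlib

# Constructed sample identities (not from the post): two AP BSSIDs and one client MAC.
AP1 = bytes.fromhex("001122aabb01")
AP2 = bytes.fromhex("001122aabb02")
CLIENT = bytes.fromhex("deadbeef0001")
# Constructed 256-bit PMKs standing in for the result of 802.1X/EAP key derivation.
PMK_FROM_CONTROLLER = hashlib.sha256(b"constructed pmk: EAP completed via controller").digest()
PMK_FROM_STANDALONE = hashlib.sha256(b"constructed pmk: local auth while AP standalone").digest()


def pmkid(pmk: bytes, ap_mac: bytes, client_mac: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA) per IEEE 802.11.
    The AP address (AA) is part of the input, so one cached PMK yields a distinct
    PMKID for every AP the client roams to; that is what OKC exploits for fast roaming."""
    return hmac.new(pmk, b"PMK Name" + ap_mac + client_mac, hashlib.sha1).digest()[:16]


class ControllerPmkCache:
    """Hypothetical controller-side cache keyed by client MAC. Only key derivations that
    ran through the controller populate it; a standalone H-REAP AP cannot add entries."""

    def __init__(self):
        self._pmks = {}

    def store(self, client_mac: bytes, pmk: bytes) -> None:
        self._pmks[client_mac] = pmk

    def okc_lookup(self, client_mac: bytes, ap_mac: bytes, offered_pmkid: bytes):
        """Return the cached PMK if the PMKID the client offered matches what this AP computes."""
        pmk = self._pmks.get(client_mac)
        if pmk is None:
            return None
        expected = pmkid(pmk, ap_mac, client_mac)
        return pmk if hmac.compare_digest(expected, offered_pmkid) else None


def roam(cache: ControllerPmkCache, client_mac: bytes, client_pmk: bytes, new_ap_mac: bytes) -> str:
    """Client roams to new_ap_mac and offers the PMKID it derives from its own PMK.
    'fast' means only the 4-way handshake is needed; 'full' means 802.1X/EAP must be redone."""
    offered = pmkid(client_pmk, new_ap_mac, client_mac)
    return "fast" if cache.okc_lookup(client_mac, new_ap_mac, offered) else "full"


def demo() -> dict:
    cache = ControllerPmkCache()
    cache.store(CLIENT, PMK_FROM_CONTROLLER)  # EAP finished through the controller on AP1
    return {
        "controller_pmk_roam_to_ap2": roam(cache, CLIENT, PMK_FROM_CONTROLLER, AP2),
        "standalone_pmk_roam_to_ap2": roam(cache, CLIENT, PMK_FROM_STANDALONE, AP2),
        "pmkid_differs_per_ap": pmkid(PMK_FROM_CONTROLLER, AP1, CLIENT)
        != pmkid(PMK_FROM_CONTROLLER, AP2, CLIENT),
    }
```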

I have updated my post on H-REAP Deployment Guidelines and Feature Limitations to include these new enhancements, as well as a few others including security feature integration with Cisco switches. It's worth a read to review the current state of H-REAP functionality and limitations with the new code release.