
Tuesday, 11 October 2022

WLAN/SSID Security Migration into 6GHz Networks

With the introduction of Wi-Fi 6E/6GHz, there is a huge increase in available RF space, multiplying the overall total capacity of any wireless network, and at the same time, removing sources of interference and noise. This increase in performance and quality of the wireless connections will be really exciting and bring multiple opportunities, but this will come with the price of new and better security requirements for our WLAN/SSID configuration migration.

The new standard did not leave security out of the picture: any new device supporting 6GHz will be required to support only the following security standards while in the new band:

◉ WPA3: this enforces mandatory Protected Management Frames (PMF/802.11w)

◉ Opportunistic Wireless Encryption (OWE). This replaces the concept of the “Open SSID” and provides encryption between devices and the network without any authentication

◉ Simultaneous Authentication of Equals (SAE). This takes the role of the PSK (also called “personal”) authentication method but makes it resistant to offline password attacks, using improved cryptographic algorithms

There are also provisions for more advanced encryption methods (WPA3 Enterprise-192), and several things that must “not be supported”, for example: PMF disabled/optional, TKIP, WEP, etc.

What does this mean for 6GHz deployments?


Well… in the rare case of a greenfield 6GHz deployment, it would be just “awesome, we get new improved security standards by default”…

The problem is that almost all deployments will not be greenfield. You will have to support the coexistence of all current networks and devices with the new standard and migrate existing networks to include the new 6GHz access points and clients.

What is more: with few honorable exceptions, most of the current WLAN/SSIDs configured out there for 2.4 and 5 GHz will “not” work over 6GHz radios, as they do not meet the new security requirements.

This means that your SSID supporting WPA2 Enterprise (802.1x), can’t be broadcasted directly in 6GHz… same for any existing Webauth or WPA2-PSK SSIDs. All of them will need to be changed to conform to the new standard. In order to ensure things can be done properly, this will need planning, and quite possibly, careful testing.

Changes also mean concerns about backward compatibility, and any older devices may not like or support the new security settings, so this is not just a matter of flipping a configuration switch and hoping it works.

The good thing is that there are different options on how to handle brownfield scenarios, with proper and natural coexistence of the new APs and clients supporting WPA3 and 6GHz, with older devices still stuck supporting WPA2 or older standards. Each one has its benefits and implementation costs, so it is important to plan properly.

Figure 1. Radio Policy and 6GHz support

Transition mode


Some people may come back with “But transition mode is available, we should be able to set this WLAN with WPA2/WPA3 transition and get it done”. Unfortunately, things are not so simple. This mode was created to introduce WPA3 into legacy bands, not to make 6GHz adoption easy.

WPA3 describes transition mode as a kind of hybrid WPA2/WPA3 scenario, with PMF set to optional and the group key using legacy crypto, but this is not allowed in 6GHz, so we can’t just flip the existing WLAN from WPA2 to transition mode and get it done… it simply can’t be supported in the new band.

Transition mode is an excellent way to handle a migration into a more secure standard in the legacy bands. Older devices can coexist on the same SSID with new devices supporting WPA3/PMF, allowing a smoother migration, but the price to pay is compatibility. Multiple clients may behave erratically, or simply fail to connect to a transition mode SSID, even if what they support is still allowed; plus, this alone can’t solve the mandatory 6GHz security requirements.

One word of caution: There is a related feature called “Transition Disable”, which can be set in the WLAN Security tab, in the WPA Parameters area.

Figure 2. Transition Disable location

This setting tells the client, that once it has connected successfully to WPA3, it should migrate its SSID profile to support “only” WPA3, and not connect back to WPA2 if that is the only option available. On one side, this is good for security, as it will migrate all client devices to WPA3 only, as they join the transition mode WLAN, but if the network is composed of multiple physical locations, for example, some are set to WPA2, others to WPA3/WPA2 transition mode, this will cause the migrated clients to fail when moved to a location with WPA2 only.

This is a possible scenario for some large networks, with the same SSID covering different controllers/AP setups and with configurations not matching 100%. The largest example would be Eduroam, which shares the same SSID name worldwide. Setting this could cause serious issues for clients moving across different network providers, so please use it with care, and only if you can ensure the same security setting is set properly across all network locations.

So, what options do we have?

Option 1: Everybody Moves


This is the most radical solution. Here we move all SSIDs to WPA3, SAE, or OWE, with a single SSID across all bands. This means that all legacy security support will be removed across all SSIDs.

This is only feasible for the Greenfield scenario, or when we have absolute control of all clients’ device versions and configurations. It is highly probable that customers will never go this route.

Client support

◉ Apple iOS: on 15.1, it supports WPA3/PMF and SAE, but it does not support OWE. SAE support is not compatible with 6GHz requirements
◉ Android: Supports WPA3/PMF/SAE since version 10
◉ Windows: supported in 11, but should work on version 10-2004

Cons

◉ There is a large list of compatibility issues regarding some of the requirements, and implementing this option will lead to compatibility issues as soon as any older device tries to connect
◉ Migrating the SSID profile on clients may be problematic, depending on the operating system. Several devices will use the higher security offerings right away; others will need to be adjusted

Pros

◉ No need for additional SSIDs
◉ Removes any older low-security SSIDs

Option 2: Tailored SSIDs


In this scenario, the idea is to create new SSIDs, specifically focused on functionality, with support on each band as needed. New SSIDs would be created for 6GHz support, optionally broadcasted in other bands.

This maximizes backward compatibility, as it leaves anything existing “untouched”.

For example, a company may have an existing SSID design as:

◉ Legacy SSID: mycompany, broadcasted in 5 GHz supporting WPA2 Enterprise
◉ Guest SSID: mycompanyGuest, supporting webauth in 2.4 and 5 GHz
◉ IoT: mycompanyIOT, with WPA2-PSK, for restricted sensor/telemetry devices in 2.4 GHz

What we would add:

◉ Wi-Fi 6 specific SSID: mycompanyNG, broadcasted on 5 and 6GHz, using WPA3 with 802.1x authentication and PMF

Cons

◉ A new SSID will need to be created and broadcasted
◉ Additional profile configuration across devices. Depending on client management being available, this can be a daunting task
◉ SSID names are a sensitive subject for customers. Selecting a new name may not be simple in some instances

Pros

◉ No impact on anything already existing
◉ You can have a gradual migration of devices supporting the new security standards (WPA3) to the new SSID, without having to do a risky forklift in the client profile configuration
◉ Fast roaming supported between bands for the same WLAN

Option 3:  Same SSID, two WLAN profiles, using transition mode


This keeps the same SSID across bands. It touches your existing WLAN profile, changing it to WPA3 transition mode and restricting it to 2.4 and 5GHz, and adds a new profile, just for 6GHz, with the required security settings.

Following on our previous example:

◉ Legacy SSID: mycompany, WLAN profile mycompany, broadcasted in 5 GHz. Now modified to support WPA2 Enterprise and WPA3 in transition mode
◉ Guest SSID: mycompanyGuest, supporting webauth in 2.4 GHz
◉ IoT: mycompanyIOT, with WPA2-PSK, for restricted sensor/telemetry devices in 2.4 GHz

What we would add:

◉ Wi-Fi 6 specific WLAN profile: same SSID mycompany, with a different profile name, mycompanyNG, broadcasted on 6GHz, using WPA3 with 802.1x authentication and PMF

Cons

◉ Several client vendors have issues handling WPA3 transition mode properly
◉ Clients may not like the same SSID with different security settings across bands.
◉ Roaming is not supported across WLANs. A client authenticated in 5 GHz, will have to do full authentication when moving into 6

Pros

◉ No new SSIDs on the client side to be managed
◉ Devices supporting WPA3 will connect in legacy bands with the higher security standard. This will help with security migration
◉ As we have the same SSID name across bands, clients will be able to fallback from 6 to 2.4/5, in case of any coverage problem

Option 4:  Same SSID, two WLAN profiles, no transition


This is basically a small variation of option 3. The existing profile is left untouched, and we add a 6GHz-specific WLAN profile:

◉ Legacy SSID: mycompany, WLAN profile mycompany, broadcasted in 5 GHz. WPA2-Enterprise
◉ Guest SSID: mycompanyGuest, supporting webauth in 2.4 GHz
◉ IoT: mycompanyIOT, with WPA2-PSK, for restricted sensor/telemetry devices in 2.4 GHz

What we would add:

◉ Wi-Fi 6 specific WLAN profile: same SSID mycompany, with a different profile name, mycompanyNG, broadcasted on 6GHz, using WPA3 with 802.1x authentication and PMF

Cons

◉ Clients may not like the same SSID with different security settings across bands. This is yet to be confirmed, so far, no issues reported in testing
◉ Roaming across WLANs is not supported. A client authenticated in 5 GHz, will have to do full authentication when moving into 6
◉ Legacy bands will be stuck on lower security protocols

Pros

◉ No new SSIDs to be managed on the client side
◉ As we have the same SSID name across bands, clients will be able to fallback from 6 to 2.4/5, in case of any coverage problem
◉ Avoids any client interoperability issues with transition mode

Too many options, but which is the best?


For most customers, option 4 (new WLAN profile, same name, new security) is what will be implemented most of the time, as it allows 6GHz deployment while reducing most risks.

For customers that want better security, option 2 (specific SSID), or option 3 (change to transition mode, add new profile for 6), will be the best suited.

And for sure, don’t move WPA2 networks to WPA2/WPA3 transition mode without validating with your existing clients, especially if there are any legacy or custom devices present.
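As an added example (not from the original post or Cisco), the following Python encodes the 6GHz security requirements listed above and checks the brownfield designs discussed (naively adding the 6GHz band to the existing WLAN, option 3, option 4) plus the Transition Disable multi-site caveat. The WlanProfile model, the AKM labels and the PMF values of the legacy profiles are assumptions made for illustration.

```python
from dataclasses import dataclass, replace

# Constructed, simplified WLAN profile model (assumed field names, not a
# controller schema). Bands are "2.4", "5", "6"; AKM labels are informal.
LEGACY_CIPHERS = {"tkip", "wep"}
SIXGHZ_AKMS = {"sae", "owe", "dot1x-sha256", "dot1x-suite-b-192"}


@dataclass
class WlanProfile:
    name: str
    ssid: str
    bands: frozenset        # bands this profile is broadcast on
    wpa: frozenset          # subset of {"wpa2", "wpa3"}; empty for open/webauth
    akm: frozenset          # e.g. {"dot1x"}, {"psk"}, {"sae"}, {"owe"}, {"webauth"}
    ciphers: frozenset      # e.g. {"aes"}, {"tkip"}; empty for open/webauth
    pmf: str                # "disabled" | "optional" | "required"
    transition_disable: bool = False
    site: str = "hq"        # which controller/location advertises it

    @property
    def transition_mode(self):
        return {"wpa2", "wpa3"} <= self.wpa


def check_6ghz(p):
    """Return the 6GHz security requirements that profile p violates."""
    if "6" not in p.bands:
        return []
    issues = []
    if "wpa3" not in p.wpa:
        issues.append("WPA3 is mandatory on 6GHz")
    if p.transition_mode:
        issues.append("WPA2/WPA3 transition mode is not allowed on 6GHz")
    if p.pmf != "required":
        issues.append(f"PMF must be required, not {p.pmf}")
    if p.ciphers & LEGACY_CIPHERS:
        issues.append("TKIP/WEP ciphers are not allowed on 6GHz")
    bad_akm = p.akm - SIXGHZ_AKMS
    if bad_akm:
        issues.append(f"AKM {sorted(bad_akm)} not allowed on 6GHz; "
                      "use SAE, OWE or 802.1X with SHA256")
    return [f"{p.name}: {m}" for m in issues]


def check_design(profiles):
    """Per-profile 6GHz checks plus cross-profile checks for a shared SSID."""
    findings = []
    by_ssid = {}
    for p in profiles:
        findings += check_6ghz(p)
        by_ssid.setdefault(p.ssid, []).append(p)
    for ssid, group in by_ssid.items():
        # Options 3/4: two profiles may share one SSID only if they split the
        # bands; on one site a band must not advertise two security settings.
        for i, a in enumerate(group):
            for b in group[i + 1:]:
                overlap = a.bands & b.bands
                if a.site == b.site and overlap:
                    findings.append(f"{ssid}: {a.name}/{b.name} overlap on {sorted(overlap)}")
        # Transition Disable caveat: migrated WPA3-only clients will fail at
        # any location where this SSID is still WPA2-only.
        if any(p.transition_disable for p in group) and any("wpa3" not in p.wpa for p in group):
            findings.append(f"{ssid}: Transition Disable is set while a WPA2-only profile exists")
    return findings


B = frozenset
# The existing design from the post (PMF values are assumed).
LEGACY = [
    WlanProfile("mycompany", "mycompany", B({"5"}), B({"wpa2"}), B({"dot1x"}), B({"aes"}), "optional"),
    WlanProfile("mycompanyGuest", "mycompanyGuest", B({"2.4", "5"}), B(), B({"webauth"}), B(), "disabled"),
    WlanProfile("mycompanyIOT", "mycompanyIOT", B({"2.4"}), B({"wpa2"}), B({"psk"}), B({"aes"}), "disabled"),
]
# The 6GHz-only profile added in options 3 and 4 (same SSID, new profile name).
NG = WlanProfile("mycompanyNG", "mycompany", B({"6"}), B({"wpa3"}), B({"dot1x-sha256"}), B({"aes"}), "required")


def naive_migration():
    """Just adding the 6GHz band to the existing WPA2-Enterprise WLAN."""
    return check_design([replace(LEGACY[0], bands=B({"5", "6"}))] + LEGACY[1:])


def option3():
    """Legacy profile moved to transition mode on 2.4/5GHz, new 6GHz-only profile."""
    trans = replace(LEGACY[0], bands=B({"2.4", "5"}), wpa=B({"wpa2", "wpa3"}),
                    akm=B({"dot1x", "dot1x-sha256"}))
    return check_design([trans, NG] + LEGACY[1:])


def option4():
    """Legacy profile untouched, new 6GHz-only profile with the same SSID."""
    return check_design(LEGACY + [NG])


def transition_disable_risk():
    """Same SSID at two sites; HQ sets Transition Disable, the branch is still WPA2-only."""
    hq = replace(LEGACY[0], wpa=B({"wpa2", "wpa3"}), akm=B({"dot1x", "dot1x-sha256"}),
                 transition_disable=True)
    branch = replace(LEGACY[0], site="branch")
    return check_design([hq, branch])


if __name__ == "__main__":
    for label, fn in [("naive", naive_migration), ("option3", option3),
                      ("option4", option4), ("transition-disable", transition_disable_risk)]:
        print(label, fn() or ["OK"])
```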

Source: cisco.com

Tuesday, 21 December 2021

Wi-Fi 6E: Changing the game for Sports and Entertainment venues


We hear a lot about how Wi-Fi 6E is going to change the way we work and play. With the ability to achieve higher throughput and lower latency due to more frequency availability and less congestion, combined with better security, Wi-Fi 6E has given us a new playbook of applications and use cases.

As a Distinguished Engineer in Cisco’s CX CTO organization, I spend a lot of time working within large public venues such as sports stadiums and music festival/concert venues to connect fans and create exceptional wireless experiences. I have the pleasure of working with professional sports leagues, Olympic Organizing Committee, U.S. Open, Live Nation, Clair Global and so many others to design, architect, and deliver networks capable of supporting the needs of tens of thousands of excited fans.  As an avid sports and music fan myself, it makes work fun!

Wi-Fi 6E connecting fans like never before

With the advent of Wi-Fi 6, we were able to make a huge difference in the efficiency and overall quality that Wi-Fi enabled venues provide to their guests. With the entry of Wi-Fi 6E, we take advantage of the same technologies and protocols but add the new 6 GHz band. This brings in stronger encryption (mandatory WPA3), better reliability, and most of all increased efficiency which leads to greater throughput. The E in Wi-Fi 6E is representative of the 6GHz band which further extends available spectrum and channels, providing much more space for devices. With its ability to carry more data than both 2.4 and 5 GHz, the 6GHz band allows fans to flawlessly stream and share their favorite moments.

OFDMA and Uplink MU-MIMO

Wi-Fi 6/6E makes use of Orthogonal Frequency-Division Multiple Access (OFDMA) and introduces Uplink Multiple-Input, Multiple-Output (UL MU-MIMO). These technologies provide the ability to deliver simultaneous bidirectional communication between Wi-Fi 6/6E access points and clients. While MU-MIMO has been around since Wi-Fi 5, the ability to have clients utilize this on the uplink is new to Wi-Fi 6/6E. This means more simultaneous users getting a better experience because the network can prioritize and schedule traffic and applications.

This is particularly important to the large stadiums and concert venues I spend a lot of time in. Uplink traffic typically far exceeds the downlink due to the number of connected users taking photos and videos and having those instantly uploaded to the cloud. See the graphic below from a recent event in a large stadium where the uplink traffic more than doubled the downlink traffic.


1200 MHz of wide-open spectrum


Wi-Fi 6E includes up to 1200 MHz of additional spectrum in the 6GHz band. The additional spectrum adds a ton more space for devices with plenty of channels. This helps us avoid the excessive collisions and contention for airtime that has become normal in these types of venues. In case you’re not aware, contention and collisions cause slow response times, introduce latency, disconnect devices from the network, and ultimately, drive less than positive experiences. Now apply this to large sports venues and music festivals and you can see how the additional spectrum allows fans to flawlessly stream and share their favorite moments without interruption.   It’s like adding a ton of additional lanes to a congested highway!

Something to keep in mind: some countries, such as the U.S. and Canada, are allocating the entire 1200 MHz, while others allocate only a portion. The map below is current as of the date of this posting:


OpenRoaming and Wi-Fi 6E: seamless and fast


Many of Cisco’s customers, especially those that specialize in entertainment, are jumping onto the OpenRoaming train. OpenRoaming, a technology developed by Cisco and standardized by the Wireless Broadband Alliance, enables seamless and secure connectivity to participating networks. Events such as Live Nation’s BottleRock and the USGA’s U.S. Open, to name a few, use OpenRoaming to automatically connect thousands of attendees to the Wi-Fi network without the use of usernames or passwords. Add in Wi-Fi 6E and its ability to support faster speeds and more devices, and you have the recipe for exceptional guest Wi-Fi experiences.

All in all, Wi-Fi 6E at large venues is a game changer that enables more devices to connect with less contention for space, increased speed, better reliability, and more robust security. It’s a match made in IT heaven.

Stay tuned for more on Wi-Fi 6E!

Source: cisco.com

Thursday, 16 December 2021

Cisco and Intel: Next-Gen Wireless Client Visibility with Intel Connectivity Analytics!

Introducing Intel Connectivity Analytics

Cisco and Intel present a new analytics solution, Intel Connectivity Analytics, that gives granular driver-level wireless client insights for any client using the latest Intel driver and wireless chipsets while connected to a supported Cisco wireless network (visit Intel Connectivity Analytics FAQ for the SW/HW compatibility matrix). This feature significantly impacts the enterprise PC vertical, where Intel Wi-Fi 6/6E chipsets make up the majority of the market share. With the Intel Connectivity Analytics capability built directly into the Intel wireless drivers, it eliminates the need to install any client-side agent, enabling this feature to be leveraged in even non-corporate settings.

More than just telemetry, Intel Connectivity Analytics provides intelligent reports that allow network administrators to understand what to do next for any problem and ensure a great user experience in even the most complex wireless deployments by addressing the use cases in Figure 1 below.

Figure 1. Intel Connectivity Analytics Use Cases

Six Intelligent Reports to Solve All Your Problems

Intel Connectivity Analytics generates six reports (Figure 2) in real-time based on information forwarded by wireless clients to the AP and then Cisco Catalyst controller or Meraki Dashboard that directly addresses the use cases depicted in Figure 1.

Note: Station information, Neighboring AP, and Failed AP reports are generated at client association, while others are triggered when the situation arises.

Figure 2. Intel Connectivity Analytics Reports Details

Identifying out-of-date Driver, Validating New Drivers, and Identifying Hardware issues:

The Station Information report provides network administrators with driver-level client information that would not be available in typical telemetry. This additional information allows network administrators to pinpoint which software driver or hardware model the clients experiencing poor Wi-Fi are on, and to target just those clients.

Figure 3. Identifying Hardware Issues with Intel Connectivity Analytics

Figure 4. Station information or Device Classifier WebUI Output on the Catalyst 9800 Controller

Outdated wireless drivers can also be a common culprit for a poor wireless experience. The station information report gives network administrators peace of mind when rolling out software updates knowing they have complete visibility on the Catalyst or Meraki controller.

Figure 5. Identifying Out of Date Drivers (Left) & Validating New Drivers (Right) with Client Connectivity Analytics

Troubleshooting Roaming:

When a client roams, it’s entirely a wireless client’s decision to do so, and the network has little to no visibility into the reason. Thanks to Intel Connectivity Analytics, we have reports that will share these insights with reason codes such as Low RSSI, 11v Recommendations, Missed Beacons, and Better AP. Based on these insights, a network administrator can determine whether the suspicious client roam was for a legitimate reason or not.

Figure 6. Troubleshooting Roaming with Client Connectivity Analytics

Figure 7. Roaming Scenario Report WebUI Output on the Catalyst 9800 Controller

Identifying Poor Connectivity:

When a wireless client’s RSSI falls below a certain threshold, a Low RSSI report will be generated to alert network administrators about possible coverage holes. These issues can then be proactively addressed by increasing the Tx power on an AP, deploying additional APs, and monitoring if more Low RSSI reports are generated.

Figure 8. Identifying Poor Connectivity with Client Connectivity Analytics

Identifying Misbehaving APs:

Intel Connectivity Analytics-supported clients will report if an AP is broadcasting invalid IEs in its beacons, probes, and association responses that would cause connectivity and security concerns. In fact, Failed AP reports go even deeper, to the packet level, and highlight problematic authentication frames, association frames, or missing response frames.

Intel Connectivity Analytics can even detect rogue AP behavior with the Unknown AP report, which is used to identify and flag rogue BSSIDs (BSSIDs that are not part of an earlier neighbor report).

Figure 9. Identifying Misbehaving APs with Client Connectivity Analytics

Figure 10. Unknown AP Report CLI Output on the Catalyst 9800 Controller

How Does It Work?

Intel Connectivity Analytics uses a Cisco Catalyst 9800 series controller and Catalyst 9100 access point topology on the Cisco Enterprise Network side. The controller enables the feature by default on a per-WLAN basis. An Intel Connectivity Analytics-supported client sends the driver-level telemetry back to the access point, where it is processed to present users with intelligent reports and insights.

Figure 11. Intel Connectivity Analytics Topology

For a technical understanding, refer to the following points:

1. All Intel Connectivity Analytics packet exchanges are protected using PMF for security purposes.
2. A Cisco network running IOS XE 17.6.1 or later with the feature enabled will advertise Intel Connectivity Analytics feature support in the Beacon frames.
3. Supported Intel clients will detect and begin forwarding telemetry periodically via a protected Action frame.

As you can see, Intel Connectivity Analytics provides network administrators with granular client-side telemetry in an agentless package at a level never seen in the past. With its wide range of use cases, minimum day 0 requirements, there’s no reason why you wouldn’t leverage such a powerful wireless analytics solution! Take the wireless experience of your network to the next level with Intel Connectivity Analytics today!

Source: cisco.com

Friday, 3 September 2021

Cisco Catalyst 9100 series, much more than Wi-Fi connectivity


Are you one of those people who, when entering a new building (such as a hotel, corporate office, stadium, hospital—literally any building), first looks up to spot the presence of an access point (AP)?

What? You don’t? You don’t know what you are missing!

Yes, I am one of those people. Call it professional deviation, but when entering a building I must check if there is a Wi-Fi signal, where the APs are located, what the AP brand is, how the access points have been mounted, and what type of antennas they use. Sometimes I even take pictures, but don’t tell anyone.

Ok, but even if you are not a human Wi-Fi sentinel like myself, I am quite sure that when you see an access point, you immediately think of a reliable, secure (and yes, hopefully free!) wireless connection. Today it is all about Wi-Fi 6, so you have even greater expectations, right?

I agree with you, the primary role of the AP is to provide reliable coverage and a secure connection, with the bandwidth needed for your devices and applications to work properly.

But what if I told you that there is much more than connectivity to a Cisco Access Point? Cisco has embedded so many cool innovations into the Catalyst Access Point that by the end of this blog, you will look at an access point from a totally different perspective.

When you think about it, the AP can do much more than just offer Wi-Fi connectivity: you have these intelligent network devices sitting in the ceiling with a privileged view of people and things moving around. The APs are in the perfect spot to capture a lot of useful information beyond the client data packets, for example the location of movable devices.


The AP can act as a multi-protocol (multi-language) gateway, capable of enabling multiple wireless technologies. It can also open up a lot of interesting use cases in the IoT world, for example simplifying Retail management using integrated remote shelf labeling solutions.

We have built the Catalyst AP with this idea in mind: to make it a multi-function and multi-purpose platform for innovation. We do this first by embedding a dedicated, software-programmable radio in the access point. The main purpose of this radio is to grab and analyze RF information so that the system can make intelligent decisions. Cisco brings the benefits of programmable hardware to the edge of the network: being programmable, it allows Cisco to introduce technology innovations without requiring a hardware refresh. For the Catalyst Wi-Fi 6 access points, the built-in programmable radio is called the Cisco RF ASIC.

We then combine it with the Cisco IOx framework, bringing the possibility to load a Cisco or 3rd party containerized application directly onto the Catalyst AP in a completely automated manner. This combination of programmable hardware and embedded software capabilities is an industry first and allows Cisco to bring new innovative wireless solutions to market faster.


Let’s look under the AP hood and understand the benefits of these innovations. The first focus of an Access Point is Wi-Fi connectivity, so we built a state-of-the-art Wi-Fi 6 AP with an awesome RF design capable of embedding ten different antennas in a small form factor. It’s actually 25% smaller and lighter than the previous models, allowing for easier mounting and even more pleasant aesthetics:


But Cisco goes beyond the Wi-Fi standard in multiple ways. First, thanks to a close collaboration with device vendors (Apple, Samsung, and Intel), Cisco has embedded additional functionality to make sure that these vendors’ devices have a better experience on a Cisco wireless network. Apple Analytics, Apple FastLane and Fastlane+, and Samsung and Intel Analytics are some of the most recent examples of these partnerships. The insights Cisco gets from client devices are critical for troubleshooting because they provide the client view of the RF network, which is usually different from the access points’ view.

With the introduction of the Cisco RF ASIC as a third dedicated radio, wireless connectivity is optimized because it offloads all the heavy-duty work from the client-serving radios: a resulting 25% increase in client performance is expected for all clients, not only Wi-Fi 6 clients. The dedicated programmable radio continuously scans and gathers critical information about the RF environment, client onboarding, interference and analytics in general. From there, the data is streamed efficiently and securely to the cloud, where Machine Learning (ML) and Artificial Intelligence (AI) in DNA Center Assurance and DNA Spaces make it actionable. A clear example of this is Intelligent Capture in DNA Center Assurance, which provides a new way of proactively troubleshooting the network.

This is going to save you and your team a lot of time, effort and busy work.


And finally, the AP can act as an IoT gateway, supporting multiple IoT protocols via software. A Cisco or third-party app can be installed directly on the AP in a fully automated fashion. This opens up a lot of opportunities. One example is an IoT gateway for remote shelf labelling that allows customers to save operational and capital expenses by not deploying a parallel IoT network.

So, I am sure you agree with me that a Cisco Catalyst Access Point is much more than just Wi-Fi connectivity; and next time you enter a building you will turn your head up and look for those great pieces of wireless innovation.

Source: cisco.com

Thursday, 19 August 2021

Simply Faster than the Rest, Cisco Wi-Fi 6 + Multigigabit Switching

It’s a typical day, and as you’re mindlessly scrolling through your phone again, *ding*, a notification reads, “Flying cars will be available for purchase in just one year!”.

Wow, that’s exciting!

But would you be surprised?

The fact is, technology is advancing so fast that before we can adjust to the current innovation, a better version is already available. Just look at where we were with virtual reality, self-driving cars, and IoT smart homes only a few years back. The point is, our expectation for what is possible has never been higher, and as a technology fanatic, life is good!

But while we’re busy geeking out, let’s not forget that all this upcoming innovation requires an equally powerful network infrastructure to support it. For example, let’s look at 8K VR gaming, a technology that’s right around the corner and will require a minimum of 1 Gbps for gameplay and above 2 Gbps for an optimal experience. With a growing thirst for technology to provide a more HD, a more next-gen, and a more seamless experience, we can expect that the required data consumption will skyrocket as well.

The question is no longer whether innovation is coming but if your network can handle it.

Next Level Wireless Speeds with Multigigabit Switching

Wi-Fi 6, with all its glory, has been the star of the networking show since the launch of Cisco’s Catalyst wireless access point (AP) product line. From our flagship Catalyst 9130 Access Point boasting a ridiculous max PHY of 5.37 Gbps down to the small Catalyst 9105, they’re truly the gold standard of enterprise wireless.

But what if I told you there is a way to further enhance their already incredible prowess?

By simply combining Cisco Catalyst APs with Catalyst Multigigabit Switching, we can witness what can only be described as network performance at its finest. A bold statement, but I can prove it by showing you the throughput numbers tested within Cisco’s wireless lab using a Catalyst 9130 Wi-Fi 6 AP on software version 17.5.1 and a Catalyst 9300 multigigabit switch.

Numbers Speak for Themselves

But first, let’s take a step back: if we connect a Catalyst 9130 AP to a gigabit switch, the 5.38 Gbps max PHY is actually significantly bottlenecked, as the throughput capabilities become limited from the wired side. With this topology, we achieved an average throughput of just below 1 Gbps using the IxChariot performance testing tool.

Figure 1. 3x Intel AX200 endpoints on 2.4 GHz at 20 MHz and 15x Intel AX200 on 5GHz at 80 MHz

Don’t get me wrong; these data rates are fast; it’s just that they could be so much faster!

To properly enjoy the true power of Wi-Fi 6, we connected the same Catalyst 9130 AP to a ten-gigabit port of a multigigabit switch and were able to achieve over 2 Gbps consistently.

Figure 2. 3x Intel AX200 endpoints on 2.4GHz at 20MHz and 3x Intel AX200 on 5GHz at 80MHz

With the only differing factor being the multigigabit switch, we were able to more than double the throughput! With these blazing-fast throughput numbers combined with Wi-Fi 6’s OFDMA and MU-MIMO, you’ve got yourself a wireless powerhouse that’s unmatched by any other vendor in the world and is ready for whatever the future throws at it.

Source: cisco.com

Saturday, 24 July 2021

WiFi-6E 6GHz- WiFi Spectrum Unleashed


In April 2020, the Federal Communications Commission (FCC) allocated 1,200 megahertz of spectrum for unlicensed use in the 6 GHz band. That was the largest block of spectrum approved for Wi-Fi since 1989. Opening the 6 GHz band more than doubles the amount of spectrum available for Wi-Fi, allowing for less congested airwaves, broader channels, and higher-speed connections, and enabling a range of innovations across industries. Since the FCC decision to open the 6 GHz band, 70 countries with 3.4B people have approved 6 GHz regulations or have them under consideration (source: Wi-Fi Alliance).


Organizations are increasing their use of bandwidth-hungry video, coping with growing numbers of client and IoT devices connecting to their networks, and speeding up their network edge. As a result, wireless networks are becoming oversubscribed, throttling application performance. This frustrates all network users, degrades the user experience, and reduces productivity.

Throughout this post, I have tried to cover the basics and the operating rules for Wi-Fi 6E in the 6 GHz band.

What is the “E” in Wifi6E?


The 802.11ax standard (Wi-Fi 6) also operates in the 2.4 GHz and 5 GHz bands, so Wi-Fi in the 6 GHz band is identified by the name WiFi-6E. This naming was chosen by the Wi-Fi Alliance to avoid confusion for 802.11ax devices that also support 6 GHz. The “6” represents the sixth generation of Wi-Fi and the “E” represents “extended”.

WIFI-6E: Increase in number of channels


The 6 GHz band represents 1200 MHz of spectrum, available from 5.925 GHz to 7.125 GHz. Where the 2.4 GHz band only had 11 channels, with the new spectrum Wi-Fi will have access to 59 20-MHz channels, 29 40-MHz channels, 14 80-MHz channels, and 7 160-MHz channels. On top of 2.4 GHz and 5 GHz, this represents not only a lot of channels but also a lot of wide channels for high-speed operation.

Advantage of a huge spectrum



Wi-Fi has always had very little spectrum. Typically, Wi-Fi had only 80 MHz of spectrum in the 2.4 GHz band and 500 MHz in the 5 GHz band, and DFS channels occupy part of that 500 MHz in the 5 GHz band.

This left very limited contiguous spectrum. It made it difficult to find or enable 80 MHz or 160 MHz channel widths, even though the maximum Wi-Fi data rates can only be achieved with those widths.

With the 59 20-MHz channels, Wi-Fi 6E will effectively remove congestion issues. At least for the foreseeable future, there will always be at least one 20 MHz channel available without congestion. Thanks to the contiguous spectrum and the 14 80-MHz channels or the 7 160-MHz channels to choose from, a radio will be able to find a channel available, free of congestion. This enables the technology to deliver the highest speeds.

Background on Wi-Fi Standards


Two main groups are responsible for shaping Wi-Fi’s evolution: the Wi-Fi Alliance and the IEEE. IEEE 802.11 defines the technical specifications of the wireless LAN standard. The Wi-Fi Alliance focuses on certification of Wi-Fi devices for compliance and interoperability, as well as the marketing of Wi-Fi technology.

Over time, the Wi-Fi Alliance gave the different generations of Wi-Fi simpler names. Rather than “802.11b”, it’s just “WiFi 1”, much like how mobile phone companies refer to 3G and 5G as different network speeds even though the term is almost always just a marketing tool. This classification is supposed to make it easier for consumers: instead of decoding a whole alphabet soup, users can just look for “WiFi 4” or “WiFi 6” as what they need.


The IEEE 802.11ax standard for high efficiency (or HE) covers MAC and PHY layer operation in the 2.4 GHz, 5 GHz and 6 GHz bands.

IEEE Rules for WIFI-6E


HE (High Efficiency) only operation in the 6 GHz band


One of the most important decisions made by the IEEE 802.11ax group is that it disallows older generation Wi-Fi devices in the 6 GHz band. This is very important because it means that only high efficiency 802.11ax devices will be able to operate in this band.

Generally, new Wi-Fi standards have always provided backward compatibility with previous standards. This was a boon to customers as well as vendors, since network equipment doesn’t need to be completely overhauled at each new standard. The flip side is that it is a source of congestion at the protocol level, since legacy equipment shares the available spectrum with the newer devices. In the 6 GHz band, however, only new high efficiency devices will be allowed to operate.

When using the analogy of road transport to describe Wi-Fi, the 2.4 GHz and 5 GHz band can be compared to congested roads where both fast and slow vehicles travel, while the 6 GHz band is the equivalent of a new, large highway that only allows the fastest cars.

Fast Passive Scanning



With 1200 MHz of spectrum and 59 new 20 MHz channels, a station with a dwell time of 100 ms per channel would need almost 6 seconds to complete a passive scan of the entire band. The standard therefore introduces a more efficient process for clients to discover nearby access points (APs). In Wi-Fi 6E, a process called fast passive scanning focuses on a reduced set of channels called preferred scanning channels (PSC). For 6 GHz-only operation, a specific subset of channels is identified as PSCs, where the primary channel of a wide-channel BSS should reside, limiting the channels a client needs to scan to discover a 6 GHz-only AP. PSCs are spaced 80 MHz apart, so a client only needs to scan 15 channels.

Out of band discovery


Dual-band or tri-band APs operating in the 6 GHz band as well as in a lower band (2.4 GHz or 5 GHz) will be discoverable by scanning the lower bands. In the lower band, APs include information about the 6 GHz BSS in a reduced neighbour report in beacons and probe response frames. The client first goes to the lower bands, discovers the AP there, and then moves to the 6 GHz band. This reduces the probe requests sent by stations just trying to find APs, since in 6 GHz such probing is not allowed except on PSC channels.

Wi-Fi 6E Channelization



The 802.11ax standard defines channel allocations for the 6 GHz band. This allocation determines the center frequencies for 20 MHz, 40 MHz, 80 MHz, and 160 MHz channels over the entire 6 GHz band. However, regulatory domain specifications take precedence over the IEEE specification, and channels that fall on or overlap frequencies not supported in a regulatory domain cannot be used.
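The channel counts given earlier (59/29/14/7), the 15 preferred scanning channels of fast passive scanning, and the channelization described here all follow from one rule of the 802.11ax 6 GHz plan: the center frequency of channel n is 5950 MHz + 5 MHz × n, and the band runs from 5925 to 7125 MHz. The script below is an added example (not code from the post or from Cisco) that enumerates the plan from that rule, identifies the PSCs (channels 5, 21, 37, ... at 80 MHz spacing), checks which 20 MHz sub-channels of a wide channel a 6 GHz-only BSS can put its primary on, and compares scan times. The 100 ms dwell time is the post's own figure; the function and variable names are mine.

```python
"""Added example (not from the original post): enumerate the IEEE 802.11ax
6 GHz channel plan and the preferred scanning channels (PSC) used by fast
passive scanning, then compare passive-scan times.

Facts used from the 802.11ax 6 GHz plan: channel center frequency is
5950 MHz + 5 MHz * channel number; the band spans 5925-7125 MHz; PSCs are
the 20 MHz channels 5, 21, 37, ... (one every 80 MHz).
"""
from __future__ import annotations

BAND_START_MHZ = 5950       # "starting frequency" for 6 GHz channel numbering
BAND_LOW_MHZ = 5925         # lower edge of the 6 GHz band
BAND_HIGH_MHZ = 7125        # upper edge of the 6 GHz band
PSC_FIRST, PSC_STEP = 5, 16  # PSC channel numbers: 5, 21, 37, ... (16 numbers = 80 MHz)


def center_frequency_mhz(channel: int) -> int:
    """Center frequency of a 6 GHz channel number (any width)."""
    return BAND_START_MHZ + 5 * channel


def channels_for_width(width_mhz: int) -> list[int]:
    """All channel numbers of the given width (20/40/80/160) that fit in the band."""
    if width_mhz not in (20, 40, 80, 160):
        raise ValueError("width must be 20, 40, 80 or 160 MHz")
    first = width_mhz // 10 - 1   # first channel number: 20->1, 40->3, 80->7, 160->15
    step = width_mhz // 5         # channel numbers are 5 MHz apart
    channels = []
    n = first
    while center_frequency_mhz(n) + width_mhz // 2 <= BAND_HIGH_MHZ:
        if center_frequency_mhz(n) - width_mhz // 2 >= BAND_LOW_MHZ:
            channels.append(n)
        n += step
    return channels


def is_psc(channel20: int) -> bool:
    """True if a 20 MHz channel number is a preferred scanning channel."""
    return channel20 >= PSC_FIRST and (channel20 - PSC_FIRST) % PSC_STEP == 0


def preferred_scanning_channels() -> list[int]:
    """The reduced set of channels a client scans to find a 6 GHz-only AP."""
    return [c for c in channels_for_width(20) if is_psc(c)]


def subchannels_20(channel: int, width_mhz: int) -> list[int]:
    """The 20 MHz channel numbers covered by a wide channel."""
    k = width_mhz // 20
    return [channel - 2 * (k - 1) + 4 * i for i in range(k)]


def psc_candidates(channel: int, width_mhz: int) -> list[int]:
    """20 MHz sub-channels of a wide channel that are PSCs, i.e. where a
    6 GHz-only BSS should place its primary channel to be discoverable."""
    return [c for c in subchannels_20(channel, width_mhz) if is_psc(c)]


def passive_scan_seconds(channel_count: int, dwell_ms: int = 100) -> float:
    """Time to dwell `dwell_ms` once on each of `channel_count` channels."""
    return channel_count * dwell_ms / 1000


if __name__ == "__main__":
    for w in (20, 40, 80, 160):
        print(f"{w:>3} MHz: {len(channels_for_width(w))} channels")
    psc = preferred_scanning_channels()
    print("PSCs:", psc)
    print("full scan: %.1f s, PSC-only scan: %.1f s"
          % (passive_scan_seconds(len(channels_for_width(20))),
             passive_scan_seconds(len(psc))))
    print("80 MHz channel 7 covers", subchannels_20(7, 80),
          "-> primary should be on", psc_candidates(7, 80))
```

Running it reproduces the post's numbers (59/29/14/7 channels, 15 PSCs, 5.9 s versus 1.5 s of scanning) and shows that every 80 MHz channel contains exactly one PSC, while some 40 MHz channels (for example channel 11, covering 20 MHz channels 9 and 13) contain none, which is why a 6 GHz-only BSS that wants to be found by fast passive scanning has to choose its primary channel deliberately. Regulatory restrictions on parts of the band are not modelled; as the paragraph above says, they take precedence over this plan.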

AFC and Avoiding Incumbent Users


The FCC defines two types of device classifications with very different transmit power rules. The goal is to avoid potential interference with existing 6 GHz incumbents. Several classes of APs are being defined to adapt to the U-NII bands and the conditions where they will operate: the standard power (SP) AP, the low power indoor (LPI) AP, and the very low power (VLP) AP. The low power APs, as the name implies, have reduced power levels since they are only used indoors.

The outdoor, or standard power, APs have a serious potential of interfering with existing 6 GHz users in the geographic area. Fixed satellite services (FSS) used in the broadcast and cable industries might already hold a license for the channels in use. Therefore, any new unlicensed users (Wi-Fi) must ensure they do not impact the current services. The answer is to create a way to coordinate spectrum use and avoid interference. The basic concept is that a new wireless device (access point) consults a registered database to confirm its operation will not impact a registered user. For 6 GHz operation, this is called an Automated Frequency Coordination (AFC) provider.

Standard power APs must use an AFC service to protect incumbent 6 GHz operations from RF interference.
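To make the coordination concept concrete, here is an added toy model (my code, not Cisco's and not the real AFC protocol) of the decision an AFC provider makes for a standard-power AP: given the AP's location and the channels it wants, compare each channel against a registry of incumbent receivers and report which channels are clear and which are blocked. The registry entries, the AP coordinates and the fixed protection distances are all constructed for the example; a real AFC system uses the FCC's incumbent database and a propagation analysis rather than a simple radius.

```python
"""Added example (not from the original post): a toy model of the check an
AFC provider performs for a standard-power 6 GHz AP. The AP reports its
location and the channels it wants to use; the coordinator compares that
with a registry of incumbent receivers and returns which channels are clear
and which are blocked by an incumbent.

The registry below is constructed (hypothetical earth stations, made-up
coordinates, frequency ranges and protection distances), and a fixed
protection radius stands in for real propagation analysis. The real AFC
request/response format is defined by the FCC and the Wi-Fi Alliance and is
not reproduced here.
"""
import math

# Constructed registry: (name, lat, lon, low_mhz, high_mhz, protection_km)
INCUMBENTS = [
    ("FSS-earth-station-A", 37.40, -121.95, 6000, 6100, 30.0),
    ("FSS-earth-station-B", 37.70, -122.40, 6500, 6600, 20.0),
]


def channel_edges_mhz(channel, width_mhz=20):
    """Lower and upper edge of a 6 GHz channel (centre = 5950 + 5 * channel)."""
    centre = 5950 + 5 * channel
    return centre - width_mhz // 2, centre + width_mhz // 2


def overlaps(a_lo, a_hi, b_lo, b_hi):
    """True if the two frequency ranges share any spectrum."""
    return a_lo < b_hi and b_lo < a_hi


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on a 6371 km sphere."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp = math.radians(lat2 - lat1)
    dl = math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def afc_check(ap_lat, ap_lon, channels, width_mhz=20, registry=INCUMBENTS):
    """Decide, per requested channel, whether standard-power operation is clear.

    A channel is blocked when it overlaps an incumbent's frequency range and
    the AP lies inside that incumbent's protection distance.
    Returns {"available": [channels], "blocked": {channel: [incumbent names]}}.
    """
    available, blocked = [], {}
    for ch in channels:
        lo, hi = channel_edges_mhz(ch, width_mhz)
        hits = [
            name
            for name, lat, lon, f_lo, f_hi, radius_km in registry
            if overlaps(lo, hi, f_lo, f_hi)
            and haversine_km(ap_lat, ap_lon, lat, lon) <= radius_km
        ]
        if hits:
            blocked[ch] = hits
        else:
            available.append(ch)
    return {"available": available, "blocked": blocked}


if __name__ == "__main__":
    # Constructed AP location a few km from earth station A.
    result = afc_check(37.42, -121.97, [1, 13, 109])
    print("clear for standard power:", result["available"])
    for ch, names in result["blocked"].items():
        print(f"channel {ch} blocked by {', '.join(names)}")
```

In this model the AP near station A is cleared on channels 1 and 109 but blocked on channel 13, whose 6005–6025 MHz span overlaps the station's 6000–6100 MHz band; the same request from a distant location is cleared on all three. The point for anyone operating standard-power APs is the direction of the dependency: the AP has no permission to transmit at standard power on a channel until the coordinator has said so, so a missing or stale answer has to be treated as "not cleared".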

Source: cisco.com

Friday, 19 March 2021

The Whole Shebang with the Cisco Catalyst 9105 Access Point


If you’re reading this blog, I’m betting you’re a technology enthusiast and that you’ve heard of all the hottest innovations in wireless today. Whether it be the gargantuan increase in throughput-efficiency with Wi-Fi 6, the exciting new possibilities enabled by the Internet-of-Things (IoT), or the powerful yet easy-to-setup wireless home office solutions, they’ve all become a reality and are deployment-ready today!

This begs the question, what is the right wireless platform that will benefit us from these innovations?

Assuming you’ve caught up on the news, you’ve probably heard the commotion from the different wireless companies boasting about their flagship access points (AP), lined up with insane hardware specifications. Something along the lines of having 8×8 radios to support the densest client environments, being armed with some state-of-the-art chip that provides users with full visibility into the RF, and integration with their ultra-modern software application for complete network control. You might even be thinking that, soon enough, they’ll have some built-in AI software that will predict your future!

Jokes aside, what a time to be alive; all this incredible innovation, and it’s just a matter of time before they’re adopted by enterprises all over the world. However, are these flagship APs right for everyday people like us in our current situation?

It’s not news that most of us are working from home, so even if your company adopts these new APs, we won’t be able to experience them for days to come. In addition to their high price point, with standard smartphones and most laptops maxing out at 2×2 radios, all the fancy hardware specifications on these APs are unfortunately overkill for a simple household anyway.

So, what platform should we use to support our remote working situation?

Introducing the Catalyst 9105


Well, I’m proud to present to you our newest and cutest AP in Cisco’s Wi-Fi 6 portfolio, the Catalyst 9105AXI (Infra model), and 9105AXW (Wall Plate Model). With robust 2×2 radios capable of performing Wi-Fi 6, state-of-the-art software supporting Cisco’s IoT solution, and an efficiently designed internal hardware enabling its small form-factor design, the Catalyst 9105 is not only the perfect AP for small to mid-size offices but also your home.

Figure 1. Catalyst 9105AXW (left) and 9105AXI (right)

With the Catalyst 9105AXI and 9105AXW having dimensions of just 5.9″ x 5.9″ x 1.2″ and 6.3″ x 3.5″ x 1.3″ respectively, these two APs are by far the smallest members of the Catalyst 9100 family. However, when we hear the word small, we automatically assume less powerful, but let me assure you: this platform is far from weak. So why don’t we speak a language that dispels any skepticism? Let’s talk numbers.

Wi-Fi 6 with 2×2 Radios


Before we get into the specific features of Wi-Fi 6, I’d like to set the stage by directly presenting to you the raw speeds the Catalyst 9105 can execute with single 2×2 Wi-Fi 6 endpoints associated with its 80 MHz channel. From the tables below, you can see that regardless of the endpoint’s model, each can achieve between 700 and 800 Mbps downstream and between 500 and 700 Mbps upstream. For an access point smaller than an average book, these numbers are incredible.

Figure 2. Cisco internal Catalyst 9105 throughput test results

To bring it up a notch, let me ask you this. What is the first thing we think of when the topic of Wi-Fi 6 comes up? Faster speeds? Lower latency? Higher security? Less interference? How about all of the above, enabled by Wi-Fi 6 specific features such as OFDMA, BSS Coloring, Target Wake Time, WPA3, and 1024 QAM. Quite the list of innovations, and while both Catalyst 9105 models support each of these features, let’s focus on the most exciting one, OFDMA!

To my experienced wireless readers, why OFDMA is under constant spotlight comes as no surprise. However, for those who are new to wireless, OFDMA stands for Orthogonal Frequency-Division Multiple Access and, when enabled, significantly improves the wireless network’s efficiency in serving multiple clients at a time. Before OFDMA, we had OFDM, where a single wireless frame would take up an entire channel’s width for a certain period, essentially forcing each packet, regardless of size, to wait in a queue. With the introduction of OFDMA, the channel can now be shared by multiple packets simultaneously, enhancing the network’s ability to serve multiple endpoints in parallel.

Figure 3. OFDM vs Wi-Fi 6’s OFDMA

For a more technical explanation, let’s take a 20 MHz channel, for example. When using OFDM, a 20 MHz channel has only a single subcarrier (consisting of 242 resource units). As an analogy, this can be interpreted as a one-lane highway, only capable of processing a single packet at a time. When it comes to OFDMA, the 20 MHz channel can be divided into a maximum of 9 subcarriers (consisting of just 26 resource units each). The highway’s overall width that we mentioned earlier remains the same but can be divided into multiple narrower lanes that are adjusted based on the incoming packets’ sizes. This means that an AP that supports the full capability of OFDMA can serve nine endpoints at the same time. Since the Catalyst 9105 is intended for less dense environments, it’s designed to support four endpoints in parallel, which is not only incredible, it’s revolutionary for an AP of this size.

Figure 4. A 20MHz channel divided into resources units with OFDMA
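The lane analogy can be made exact with a small scheduler. In 802.11ax terms, a 20 MHz channel carries 242 usable tones that are carved into resource units (RUs) of 26, 52, 106 or 242 tones: nine 26-tone RUs, four 52-tone RUs around a standalone centre 26-tone RU, two 106-tone RUs, or the whole channel as one 242-tone RU. The script below is an added example (not code from the post or from Cisco) that packs a queue of frames into that RU layout for one transmission, with a cap on simultaneous users so the full-capability (9) and Catalyst 9105 (4, as the post states) cases can be compared against OFDM, where each frame takes the whole channel in turn. The bytes-per-RU capacity constant is constructed for illustration and is not a real 802.11ax data rate.

```python
"""Added example (not from the original post): a simplified scheduler that
packs pending frames into 802.11ax resource units (RUs) of one 20 MHz
channel, to show how OFDMA serves several stations in one transmission
where OFDM serves only one.

Assumed 20 MHz RU layout, as defined by 802.11ax: nine 26-tone RUs; 52-tone
RUs are pairs of 26-tone RUs on either side of the centre RU; 106-tone RUs
are groups of four; the 242-tone RU is the whole channel. The byte capacity
per RU is a constructed constant for illustration, not a real 802.11ax rate.
"""

# Each RU size listed as the 26-tone slot indices (0..8) it occupies.
# Slot 4 (the centre 26-tone RU) is only ever used on its own.
RU_LAYOUT = {
    26: [(i,) for i in range(9)],
    52: [(0, 1), (2, 3), (5, 6), (7, 8)],
    106: [(0, 1, 2, 3), (5, 6, 7, 8)],
    242: [tuple(range(9))],
}
BYTES_PER_SLOT = 300  # constructed: bytes one 26-tone slot carries per transmission


def smallest_ru_for(frame_bytes):
    """Smallest RU size (in tones) whose capacity fits the frame, or None."""
    for tones in (26, 52, 106, 242):
        if frame_bytes <= len(RU_LAYOUT[tones][0]) * BYTES_PER_SLOT:
            return tones
    return None


def schedule_ofdma(frames, max_users=9):
    """Greedily pack (station, bytes) frames into RUs for one transmission.

    max_users caps how many stations the AP serves in parallel (9 for a
    full-capability 20 MHz OFDMA implementation, 4 as the post states for
    the Catalyst 9105). Returns (served, deferred): served is a list of
    (station, ru_tones, slots), deferred the frames that must wait.
    """
    free = set(range(9))
    served, deferred = [], []
    # Largest frames first, so wide RUs are placed before the slots fragment.
    for station, nbytes in sorted(frames, key=lambda f: f[1], reverse=True):
        tones = smallest_ru_for(nbytes)
        placed = False
        if tones is not None and len(served) < max_users:
            for slots in RU_LAYOUT[tones]:
                if free.issuperset(slots):
                    free.difference_update(slots)
                    served.append((station, tones, slots))
                    placed = True
                    break
        if not placed:
            deferred.append((station, nbytes))
    return served, deferred


def transmissions_needed(frames, max_users=9):
    """Sequential OFDMA transmissions needed to clear the queue."""
    pending, rounds = list(frames), 0
    while pending:
        served, pending = schedule_ofdma(pending, max_users)
        if not served:
            # Nothing fits even an empty channel: the frame must be fragmented.
            raise ValueError(f"frame exceeds channel capacity: {pending}")
        rounds += 1
    return rounds


def ofdm_transmissions(frames):
    """Pre-OFDMA behaviour: each frame occupies the whole channel in turn."""
    return [[(station, 242, tuple(range(9)))] for station, _ in frames]


if __name__ == "__main__":
    queue = [(f"sta{i}", 200) for i in range(9)]  # constructed: nine small frames
    print("OFDM transmissions:", len(ofdm_transmissions(queue)))
    print("OFDMA, 9 users per tx:", transmissions_needed(queue))
    print("OFDMA, 4 users per tx:", transmissions_needed(queue, max_users=4))
    served, _ = schedule_ofdma([("a", 1000), ("b", 500), ("c", 200), ("d", 200)])
    for station, tones, slots in served:
        print(f"{station}: {tones}-tone RU on slots {slots}")
```

With nine small frames queued, OFDM needs nine transmissions, full OFDMA needs one, and a four-user AP needs three; the mixed queue shows the lanes being resized, with a 106-tone RU, a 52-tone RU and two 26-tone RUs fitting side by side in a single transmission. A frame that fits no RU is deferred rather than silently dropped, and the round loop raises instead of spinning forever on it.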

To prove what I said is not just colorful marketing, let’s talk numbers. We’ve had Miercom, the well-known third-party network testing firm, run performance tests with Cisco’s 9105, Aruba’s AP505, and Ruckus’s R550 with OFDMA enabled to compare performance. During the test, the APs were first loaded with ten endpoints and then gradually up to eighty endpoints passing traffic in parallel. From the graph below, you’ll observe that Cisco’s 9105 maintained a significantly higher throughput than the other two vendors’ APs. In fact, you’ll observe that even with 80 endpoints associated, Cisco’s 9105 can provide almost the same throughput experience as the other vendors’ APs with just ten endpoints associated. The takeaway is obvious: while the Catalyst 9105 is small in size, it is mighty!

Figure 5. Miercom’s scaled multi-vendor OFDMA TCP performance test

Innovation within the Internet of things


But apart from the raw ability to execute Wi-Fi exceptionally, the Catalyst 9105 will also seamlessly fit into any business’s IoT solution. For readers unfamiliar with the Internet of Things, it’s the ability to leverage a wireless network to monitor and transfer data through smart devices, allowing the user to accomplish tasks in an efficient and often automated manner. Many of you probably have IoT devices in your home right now, such as a Google Home, Amazon Alexa, or a Nest thermostat. These devices, being both user-friendly and practical in function, have naturally become an integral part of our day-to-day lives. This seamless enhancement is precisely what the Catalyst 9105 can accomplish, but at the enterprise level, creating powerful yet fiscally efficient IoT solutions.

So, why do we need this? What problem are we solving?

As you can imagine, for an IoT solution to operate on an enterprise level, it requires an intricate control network that provides full visibility into every corner of the solution to ensure security. However, given that all enterprises will already have a pre-existing network, building a separate one for dedicated IoT usage is costly, complicated, and redundant.

This is where Cisco’s Application Hosting on the Catalyst Access Point feature solves these problems. Customers can now acquire custom Dockerized IoT applications from Cisco’s Solution Partner Marketplace, load them into the built-in containers on the Catalyst 9105 through Cisco DNA Center, and use them as IoT gateways to begin communicating with surrounding IoT devices.

Figure 6. The Catalyst 9105AXW integrated with Cisco’s Application Hosting IoT Solution

By allowing users to utilize their existing low-cost Catalyst 9105 network for IoT, it eliminates the looming pain of building a second network for IoT management. Integrating this solution with Cisco DNA Center, users now have an application life cycle manager that provides them full visibility into the deployment status of each IoT application. In fact, Cisco DNA Center allows users to deploy different applications to different areas of their Catalyst 9105 network, providing the ability to support multiple IoT solutions on a single network!

When it comes to real-life IoT use cases, the possibilities are endless. They can range from retail optimization with electronic shelf labels to motion sensors or cameras for building management systems and even medical wearables for health care solutions. The best part of all this is that it can be automated, creating a genuinely self-sufficient IoT solution.

Wireless Home Office Solution


Up to this point, we’ve reviewed the Catalyst 9105’s Wi-Fi 6 and IoT capabilities; however, the caveat is that most of us are still working remotely, so how can we benefit from these innovations?

As hinted earlier, the Catalyst 9105 can be deployed directly in your home. With Cisco’s remote worker solution, simply connect your Catalyst 9105 to your home network, and it will automatically associate with your company’s corporate Wireless LAN Controller (WLC) and begin broadcasting your corporate SSID in Wi-Fi 6.

Can it really be this easy?

Absolutely, and the solution is simple: we use Cisco’s day-0 provisioning solution, Plug-n-Play (PnP). Before shipping the AP to the end-user, the network administrator managing this solution simply needs to create a profile for this AP on Cisco’s PnP Connect cloud portal, then point it to the IP address of the company’s WLC. When the AP receives an IP address, it automatically knows to reach out to Cisco’s PnP Connect server through its built-in PnP agent code, and it is redirected to the WLC and joins it. The fact is, only step one in the diagram below is executed by the end-user; the remaining steps are completely black-boxed, making the workflow incredibly simple.

Figure 7. Remote worker solution’s three-step onboarding process

It’s no doubt convenient, but is it secure?

It’s a resounding yes, and to explain, let’s refer to the architectural diagram below. The left side of the diagram depicts a user’s home network, and you’ll observe that the deployed Catalyst 9105 can associate with the corporate office’s WLC (sitting in a public DMZ) through NAT. This connection is not only secured by Cisco Umbrella but also DTLS encrypted, meaning it has the highest level of security segmentation possible.

After the Catalyst 9105 joins the WLC, it can utilize all of the WLC’s back-end infrastructure, such as the RADIUS server for corporate 802.1X network access, and even Cisco DNA Center. With Cisco DNA Center, the network administrator managing the remote worker networks can leverage features such as Network Assurance and Intelligent Capture to monitor and troubleshoot any issues that occur, ensuring a phenomenal end-user wireless experience.

Figure 8. Remote worker solution architecture

By combining this wireless trifecta of Wi-Fi 6, Internet-of-Things, and remote worker solution, the Catalyst 9105 is not only a powerful and versatile small form-factor AP, but a multipurpose networking hub, and indeed a force to be reckoned with.