Cisco WLC LDPE Images

With the release of WLC code version 7.0.116.0 (otherwise known as J MR1) came a slew of new features despite the MR tag. Among those images is one that is sure to cause a significant amount of confusion – especially those that may not be familiar with the dance that is Cisco software images. That feature is Licensed Data Payload Encryption (LDPE). Data Payload Encryption allows for the data that travels between the Access Point and the WLC to be DTLS encrypted. This is normally not done. Once client data is transmitted to the Access Point, the Access Point will decrypt it (this is your traditional WEP, TKIP, AES-CCM), then tag it to the correct VLAN (if applicable) and send it on it’s unencrypted merry way! If you have a need to encrypt the data on your wire – for example, if you’re joining Access Points to your controllers across a public Internet connection, this feature is what you need. This used to be an optional (paid for) feature that was included in the WPLUS license, but this was rolled into the base WLC license and is now available free of charge on all modern WLC platforms. It should be noted that if you’re using 2000, 2100, 4000, 4400, ISR modules, or WiSM 1 platforms, these do not support encrypting your data payload and none of this article is applicable to you. 🙂

There are two different implementations of this feature – one that is an all inclusive image, one that is a separate image. Depending on the platform you’re using, you get one of those. If you are upgrading a 5500 WLC to J MR1, this is likely where you’re going to run across this for the first time which is the two image variation. On CCO, you’ll find two images:

• AIR-CT5500-K9-7-0-116-0.aes
• AIR-CT5500-LDPE-K9-7-0-116-0.aes

The image that requires a license to enable this feature is the second LDPE image.

Which one do you need?

The most straightforward answer to this question is that if you did not specifically purchase a 5500 with the LDPE image, you cannot install the J MR1 LDPE image onto it. This means that if you’re upgrading an existing installation, you have one choice – the ‘regular image’ AIR-CT5500-K9-7-0-116-0.aes.

The second place you’re likely going to run into this image is when you’re quoting a new controller. To decide which image you should select is going to take a bit more thought and to come up with an answer, you should probably know why the heck Cisco split this feature out to begin with. This all boils down to regulatory restrictions in Russia. So, the short version of your thought process should be, “If I’m not installing this WLC in Russia, I shouldn’t be selecting the LDPE image version”. If you are indeed selecting this version, the license itself is a $0 option, but does need to be discreetly selected.

Now, if you’re ordering a new 2504, WiSM2 or 7500 WLC, you don’t have to select a different software image, but you do need to select the $0 license if you want this feature enabled:

To wrap up, if you’ve got 5500 controllers running today, Cisco made it so you cannot install the LDPE image, so move past it when you’re doing your code upgrade. If you’re ordering new, and not in Russia, make sure your VAR/partner gets the correct DTLS license for you!