Cisco WLC LDPE Images

With the release of WLC code version (otherwise known as J MR1) came a slew of new features despite the MR tag. Among those features is one that is sure to cause a significant amount of confusion – especially for those who may not be familiar with the dance that is Cisco software images. That feature is Licensed Data Payload Encryption (LDPE).

Data Payload Encryption allows the data that travels between the Access Point and the WLC to be DTLS encrypted. This is normally not done. Once client data is transmitted to the Access Point, the Access Point will decrypt it (this is your traditional WEP, TKIP, AES-CCM), then tag it to the correct VLAN (if applicable) and send it on its unencrypted merry way! If you have a need to encrypt the data on your wire – for example, if you’re joining Access Points to your controllers across a public Internet connection, this feature is what you need.

This used to be an optional (paid for) feature that was included in the WPLUS license, but this was rolled into the base WLC license and is now available free of charge on all modern WLC platforms. It should be noted that if you’re using 2000, 2100, 4000, 4400, ISR modules, or WiSM 1 platforms, these do not support encrypting your data payload and none of this article is applicable to you. 🙂

There are two different implementations of this feature – one that is an all inclusive image, one that is a separate image. Depending on the platform you’re using, you get one of those. If you are upgrading a 5500 WLC to J MR1, this is likely where you’re going to run across this for the first time, and the 5500 is the two image variation. On CCO, you’ll find two images:

  • AIR-CT5500-K9-7-0-116-0.aes
  • AIR-CT5500-LDPE-K9-7-0-116-0.aes

The image that requires a license to enable this feature is the second one, the LDPE image.

Which one do you need?

The most straightforward answer to this question is that if you did not specifically purchase a 5500 with the LDPE image, you cannot install the J MR1 LDPE image onto it. This means that if you’re upgrading an existing installation, you have one choice – the ‘regular image’ AIR-CT5500-K9-7-0-116-0.aes.

The second place you’re likely going to run into this image is when you’re quoting a new controller. Deciding which image you should select is going to take a bit more thought, and to come up with an answer, you should probably know why the heck Cisco split this feature out to begin with. This all boils down to regulatory restrictions in Russia. So, the short version of your thought process should be, “If I’m not installing this WLC in Russia, I shouldn’t be selecting the LDPE image version”. If you are indeed selecting this version, the license itself is a $0 option, but does need to be discretely selected.

Now, if you’re ordering a new 2504, WiSM2 or 7500 WLC, you don’t have to select a different software image, but you do need to select the $0 license if you want this feature enabled.

To wrap up, if you’ve got 5500 controllers running today, Cisco made it so you cannot install the LDPE image, so move past it when you’re doing your code upgrade. If you’re ordering new, and not in Russia, make sure your VAR/partner gets the correct DTLS license for you!
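A check a practitioner might run once the feature is enabled, added here as an example (not from the original post or from Cisco): it classifies AP-to-WLC data-channel packets as DTLS or cleartext and lists the APs still sending cleartext. It assumes the standard CAPWAP framing from RFC 5415 (data channel on UDP 5247, preamble type 0 for cleartext and 1 for DTLS) and a capture already reduced to the tuples shown; the function names and sample packets are constructed.

```python
import struct
from collections import defaultdict

CAPWAP_DATA_PORT = 5247                  # RFC 5415 data channel (control is 5246)
DTLS_CONTENT_TYPES = {20, 21, 22, 23}    # change_cipher_spec, alert, handshake, app data
DTLS_RECORD_HDR = struct.Struct("!BBBHHIH")  # type, ver(2), epoch, seq(6), length = 13 bytes

def classify_capwap(payload: bytes) -> str:
    """Return 'dtls', 'plain' or 'unknown' for one CAPWAP UDP payload."""
    if not payload or payload[0] >> 4 != 0:      # empty, or not CAPWAP version 0
        return "unknown"
    ptype = payload[0] & 0x0F                    # low nibble of the preamble
    if ptype == 0:                               # CAPWAP header follows: cleartext
        return "plain"
    if ptype == 1 and len(payload) >= 4 + DTLS_RECORD_HDR.size:
        # 4-byte CAPWAP DTLS header, then an ordinary DTLS record header
        ctype, major, _, _, _, _, length = DTLS_RECORD_HDR.unpack_from(payload, 4)
        if ctype in DTLS_CONTENT_TYPES and major == 0xFE and length <= len(payload) - 17:
            return "dtls"
    return "unknown"

def audit_data_channel(packets):
    """packets: (src_ip, src_port, dst_ip, dst_port, udp_payload) tuples.
    Returns {ap_ip: {'dtls': n, 'plain': n, 'unknown': n}} for UDP 5247 only."""
    stats = defaultdict(lambda: {"dtls": 0, "plain": 0, "unknown": 0})
    for src, sport, dst, dport, payload in packets:
        if CAPWAP_DATA_PORT not in (sport, dport):
            continue
        ap_ip = src if dport == CAPWAP_DATA_PORT else dst   # the WLC owns port 5247
        stats[ap_ip][classify_capwap(payload)] += 1
    return dict(stats)

def unencrypted_aps(packets):
    """APs that sent or received at least one cleartext data-channel packet."""
    return sorted(ap for ap, s in audit_data_channel(packets).items() if s["plain"])

def _dtls(body: bytes) -> bytes:
    """Build a constructed DTLS 1.0 application-data record inside CAPWAP."""
    return b"\x01\x00\x00\x00" + DTLS_RECORD_HDR.pack(23, 0xFE, 0xFF, 1, 0, 7, len(body)) + body

# Constructed sample traffic (documentation addresses), not a real capture.
SAMPLE = [
    ("192.0.2.10", 49152, "198.51.100.5", 5247, _dtls(b"\xaa" * 32)),
    ("198.51.100.5", 5247, "192.0.2.10", 49152, _dtls(b"\xbb" * 48)),
    ("192.0.2.20", 49153, "198.51.100.5", 5247, b"\x00\x10\x02\x00" + b"\x00" * 40),
    ("192.0.2.20", 49153, "198.51.100.5", 5246, _dtls(b"\xcc" * 16)),  # control, skipped
]

if __name__ == "__main__":
    print(audit_data_channel(SAMPLE))
    print("cleartext data channel:", unencrypted_aps(SAMPLE))
```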

Securing your small WiFi tools

I find myself lugging around a variety of tools recently – more so than I usually do, courtesy of #TechFieldDay. While I typically carry a Spectrum Analyzer, it is usually one of those ‘dedicated pockets in the laptop bag’ kind of tools that gets packed in with my trusty CB21AG survey card. Those of you keeping notes would realize that any machine purchased in the last 3 years or so is lacking a CardBus slot, so we’ve been relegated to keeping our old machines around for compatibility with our trusty tools or using a clunky ExpressCard to CardBus adapter if we want to keep compatible. This works okay if your new machine sports a shiny new ExpressCard slot, but not for those of us moving (back) to the Mac platform and not wanting to chunk out the change for a 17 inch MacBook Pro, which has the coveted ExpressCard slot but weighs a ton (not good for survey work!).

The answer? USB. Most everything has a work-alike or a preferred card that is USB so I find myself with:

Orinoco 8494 card for the AirMagnet products (Survey, and WiFi Analyzer)

MetaGeek Wi-Spy DBx with device finder antenna

AirMagnet Spectrum XT

and to round it all out, a Ralink (thanks @sevanjaniyan) based adapter for compatibility with WildPackets Omnipeek for next week’s CWAP Beta class!

The challenge: All of these things have been rolling around in my bag (in the WiSpy DBx box actually), which is a less than graceful way to treat your tools. I needed a sturdy case that could hold it all and not be so large I wouldn’t want to pack it wherever I went. Enter the Pelican 1120 case. With inside dimensions of 7.25″ x 4.75″ x 3.06″, it’s the smallest ‘small case’ they make. Being a fan of the larger 1510 case for my survey gear, and being priced (with shipping) for a modest $35, it was pretty well a done deal. Pictures of my handiwork (pick and pluck style) to follow: