Migration impact of Cisco’s wireless launch

Last week, Cisco announced long-awaited enhancements to its Aironet wireless LAN product portfolio. Many of the management and security-centric improvements, including a new version of the CiscoWorks Wireless LAN Solutions Engine, directly challenge the so-called WLAN “switch” companies in that they strengthen an enterprise’s ability to centrally configure, upgrade, secure, and manage hundreds or thousands of wireless access points.

If you are an existing Cisco shop attempting to digest the implications of Cisco’s new “wireless-aware” software features, including its support of Wi-Fi Protected Access (WPA), you might well have some product-migration questions. Here are some insights, paraphrased largely from a conversation I had with Bruce Alexander, a technical marketing manager at Cisco:

* If I’m running VxWorks-based Aironet products, such as the Aironet 350 or 1200, will they continue to be supported? Or do I have to upgrade my APs to run Cisco IOS software?

Cisco will provide support for VxWorks devices going forward. So if your environment is not changing and is well served by this operating system, there is no immediate reason to change.

However, the VxWorks operating system will not gain any of the new or future enhancements. If you want your APs to run WPA and the new Cisco wireless-aware capabilities, you must upgrade to IOS-based APs. The 1200 series is upgradable from VxWorks, but the 350 is not. Another model, the 1100 series AP, was an IOS device out of the chute. Cisco has a tool that enables automated, mass conversion from VxWorks to IOS for 1200 series APs. The tool also enables en masse configuration of IOS-based APs. 

* Should I support the Cisco Wireless Security Suite, WPA, or both in my Cisco Aironet products?

There is a whole matrix of how you can mix and match capabilities from both security sets.  But the basic decision boils down to what clients your organization supports. If you are a 100% Cisco shop, you can just continue using Cisco’s own Wireless Security Suite on both your APs and clients.

For mixed-client environments, you should note that WPA Temporal Key Integrity Protocol (TKIP) and Cisco TKIP (CKIP) – algorithms for generating dynamic encryption keys – do not work together. So you would likely continue supporting the Cisco Wireless Security Suite (including CKIP) on your APs and add WPA (with WPA-TKIP). This would enable your APs to communicate with both Cisco-proprietary and WPA clients.  Meanwhile, Cisco and its Cisco-Compatible Extensions (CCX) partners will begin offering WPA-certified client cards late this summer.

* Can I upgrade my existing WLSE to Version 2?

Yes, from a software perspective. You’d do this if you would like the new features but don’t need to scale beyond 500 APs. The software for the new appliance, which manages up to 2,500 APs, can run on the older appliance, but with the old 500-AP limit.