Why WiFi-6e?

WiFi-6e is the new kid on the block and it’s a game changer for WiFi. The fundamentals of WiFi haven’t changed much in years. Sure, there’s been evolution across 802.11b/g/a/n/ac, and we’ve gone from WEP, to TKIP and AES, but there hasn’t been a proper revolution in years. WiFi-6e is here to shake things up.

We’ve had the same 3x 2.4GHz and 19x 5GHz none-overlapping channels for years. Updates to 802.11 since it was released have squeezed more performance from those channels, but as more and more people have adopted WiFi, the demand for reliable performance has outstripped what the protocols can do in these small, congested frequency blocks. WiFi-6e overcomes these challenges by massively expanding the amount of channels we have available.

In the UK and Europe, WiFi-6e gives us an extra 500MHz of channel space, from 5925MHz to 6425MHz. We lose 10 MHz at either end of the range, which leaves us with 480MHz that provides 24 glorious new channels to use. By adding 24 more channels to the existing 21 we have available, WiFi-6e more than doubles the amount of none-overlapping channels we can use. WiFi-6e also provides higher transmit power limits (250mW indoors @ 6GHz in the UK/EU), and we still benefit from WiFi-6’s enhancements around BSS Colouring, OFDMA, and MU-MIMO. The arrival of WiFi-6e means we have more channels and we can squeeze more bandwidth from each of them. The 24-channel-wide block also means we can make full use of WiFi-6e’s channel bonding capabilities, giving us up to three 160MHz channels, six 80MHz channels, or twelve 40MHz channels. The amount of bandwidth we can extract from these channels blocks is phenominal.

It’s not all about channels though, WiFi-6e is also more secure. Gone are the days of Open networks and even WPA2 is out of the door; WiFi-6e is a WPA3-only world.

Anyway… I mentioned there’s a new AP. It’s the Cisco Catalyst 9136 and it’s a beast! Slightly bigger than its Cisco Catalyst 9130 little sister, the 9136 packs in loads of extra features, higher performance and with a revised facia, I think its better looking than it’s siblings too. Here’s the run down:

Cisco Catalyst 9136 WiFi-6e Access Point

WiFi

• WiFi-6e
• UL-OFDMA, DL-OFDMA & MU-MIMO

Transceivers

• 1x 4x4:4 6GHz Radio
• 1x 8x8:8 5GHz Radio (*)
• 1x 4x4:4 2.4GHz Radio
• 1x IoT/BLE Radio
• 1x Scanning Radio

Security

• 1024 QAM
• WPA3-SAE Hash to Element(H2E) and Hunting & Pecking (H&P)
• OWE, SAE & 802.1x-SHA256
• CCMP128, CCMP256, GCMP128, GCMP256

LAN

• 2x 5Gbps mGig
• Dual PoE Power Redundancy
• Supports 802.3bt/at/af

Extras

• Environmental Sensor (**)
• USB (9W)
• Uses standard Cisco mounting brackets
• Improved access to Ethernet interfaces

(*) The 8x8:8 radio will be software configurable as two 4x4:4 radios in a future release.

(**) The Sensor is not likely to be enabled until software 17.8 is released.

Pictures

Impact on the LAN

The extra performance and efficiency from WiFi-6 and the extra capacity from WiFi-6e combine in the Cisco Catalyst 9136 Access Point to deliver the best WiFi experience I’ve ever seen. So improved is the performance that even with ‘only’ the limited 500MHz available to us in the UK and EU (compared to an extra 1200MHz in the USA!), it’s still realistic that a single Access Point using a sensible set of channel widths in a busy inner-city area, could pull down more than 1Gbps on its LAN interface. With a fair wind, networks in less busy environments could realistically see over 2Gbps on the LAN. The upshot of this is that 2x 1Gbps or mGig-capable Access Layer switches are going to be required if you’re to get the most from the new Catalyst 9136 WiFi-6e Access Point.

All the extra radios and performance the 9136 delivers also means more power is required. To get the most out of the 9136 you’re going to need 802.3bt (UPoE). The 9136 does run at 802.3at (PoE+) and 802.3af (PoE) too, but with increasingly diminishing capabilities and performance.

UPoE mGig switches aren’t particularly cheap, or commonplace, so the 9136 also lets you Etherchannel the interfaces together, so the majority of people that ‘only’ have a 1Gbps Access Layer can still get around 2Gbps out of the AP. If you lack UPoE, you can also power the Access Point using a Power Injector. I did my testing using a Meraki MA-INJ-6 (UPoE, 10G mGig) and had no issues at all.

Where Access Points are particularly mission critical, the 9136 also supports PoE redundancy. Either mGig interface can be used to provide PoE and if one interface should fail, the other will take over. Only one interface at a time provides PoE.

Performance Testing

I’ve had my hands on the 9136 for a little while now. Plenty long enough for me to upgrade my laptops to use Intel’s AX210 NICs and to get my hands on a little mGig switch so I can really put the pressure on the AP to see what it can do. It does not disappoint!

With three different laptops, all upgraded to use Intel AX210 NICs with the latest drivers (22.110.1, at the time of writing) and on the latest release of Windows 11, I subjected the 9136 to as many different permutations as I could.

Each set of tests was run with one Client laptop connected to each radio via a WPA3-SAE (H2E) SSID. I used iPerf3 in TCP mode on all three Clients at the same time to ensure the AP was seeing full load on all of its radios. The AP was connected on a single 2.5Gbps interface in Flex Connect mode, and controlled by a 9800-CL WLC on standard 17.7.1 code.

iperf3.exe -c x.x.x.x -i5 -t600 -P20

In the interest of full disclosure, the higher-speed tests exceeded the performance of my 2.5Gbps mGig switch so I couldn’t test all of the radios in parallel at the same time for these.

Results

Analysis

A dose of reality needs applying to any test reults, but nevertheless, I’m super impressed!

In the real-world, using 20MHz for all three radios seems unnecessarily stingy in all but the most extreme of scenarios. Likewise, any tests using 160MHz aren’t particularly realistic in the UK/EU because of the limited extra space we get unless you have a very isolated network. This still leaves a very healthy middle ground of between 750 to 1400Mbps of real data throughput for a single AP. In the real world, mixed-capability Clients will bring these figures down as WiFi-6 isn’t yet ubiquitous. As we look to the future and anticipate the possibility of 3SS devices hitting the market though, these figures could also go up. The total throughput figures are also likely to go up when the 8x8:8 5GHz radio is able to be split in to two separate 4x4:4 radios.

Client Support

Support for WiFi-6e and the newer versions of WPA3 is only really available in the latest releases of code and Client hardware. Be prepared to update your things if you want to take full advantage of WiFi-6e.

Cisco Catalyst 9136 WiFi-6e Access Point is supported on the 9800 WLC only, with 17.7.1 code or higher.

Apple iOS (15.3) on iPhone7 or later only seems to support WPA3-SAE with Hunting and Pecking; Hash to Element mode failed in my tests.

Apple iPhone 11 (or newer) is required if you want to support the new, even more secure, 192-bit version of WPA3 Enterprise.

Windows devices with recent Intel NICs that wish to run WPA3-SAE with Hunting & Pecking enabled (less secure) need to run Windows 10 v1903 or later, with Intel 21.10.X or later.

Windows devices with recent Intel NICs that wish to run WPA3-SAE with Hash to Element (H2E) enabled (more secure) need to run Windows 10 v21H2 or later, with Intel 22.100.X or later.

Design Challenges

The motives of improved performance and security are compelling reasons to move to WiFi-6e, but there are barriers to adoption that we need to overcome.

WPA3 has been out for years, but adoption has been very slow; I’m not aware of anybody running pure WPA3 networks yet. This presents an adoption barrier for WiFi-6e because WPA2/WPA3 mixed mode across 2.4 / 5 / 6GHz doesn’t work. WiFi-6e is WPA3-only.

WiFi-6 has been out for a while now, and despite a rocky period in 2020 where Intel and Microsoft caused some issues with reliability, it is now very reliable. The 6GHz extensions to WiFi-6 are still obviously very new, with relatively untested drivers. 6GHz has different Transmit Power limits and propagates differently to 5GHz, so AP locations are likely to need re-surveying if seamless 6GHz coverage is required.

We’ve yet to see how things pan out in terms of support offered by Clients drivers for mixed-mode networks, but I suspect we’ll end up creating WPA3-specific SSIDs across all three frequencies and running them alongside existing WPA2 networks for a period while Client devices are upgraded to properly support WPA3. The 6GHz part of WiFi-6e also presents challenges because even well surveyed networks today may not provide seamless 6GHz coverage and Clients may find themselves dropping down to 2.4 or 5GHz as a result.

Environmental Sensor

Perhaps the most unexpected (and welcome!) move from Cisco is the addition of environmental sensors to the Access Point. The COVID-19 pandemic and the public’s interest in Air Quality Monitoring is no doubt what drives this change, but we’re told they won’t be enabled until IOS-XE v17.8 comes out.

The secondary benefits of Cisco getting in to the Sensor market is that it provides another string to the DNA Spaces bow, which is where we expect the Sensor data to be streamed to, and it helps IT keep a handle on IoT-sprawl. Sensors are nothing new and many Estates teams have been deploying them for years. By bringing the Sensor IoT in to IT though, Administrators can sleep more soundly (and pass their Cyber Essentials + audits more easily!) by knowing that their sensors are secure and kept up to date.

Site-Survey Mode

We no longer need to use EWC mode on an AP when doing surveys. A new mode of operation, survey mode, gives access to a nice simple GUI that’s got everything you need to use the AP for survey work. Joy! This makes surveying, and switching APs between modes, much simpler.

Improved cable routing

It’s very hard to take a picture of this, but there’s a small lip at the outer edge of the 9100-series Access Points, where the Ethernet cables feed in to the Access Point. In the Catalyst 9130, this lip was sometimes in the way a little when inserting thick Cat6A cables. The new Catalyst 9136 has a smaller, less prominent lip, which makes it much easier to insert even the thickest of cables in to the AP. It’s a small change, but anything that makes deployments easier is a welcome development.

Summary

The Catalyst 9136 is a great piece of technology that genuinely responds to the demands I see from my Customers. With dual 5Gbps mGig interfaces and PoE redundancy, Cisco are clearly stating their intent around supporting the 9136 and WiFi-6e as a mission-critical piece of technology. The performance and reliability provided by WiFi-6e will markedly improve the WiFi experience and will allow people to use WiFi across even more applications. The inclusion of Environmental Sensors in the AP is also a great move - it addresses demand, helps IT move away from Estates-lead IoT sprawl. Sensors can genuinely impact how Estates are managed and how people interact with their physical environment, which is a very welcome move from my perspective.

Further Reading

Cisco

Cisco Wireless Portfolio

Cisco WPA3 Deployment Guide

Apple

Apple device WiFi Protocol Support

Intel

WiFi-6e Overview

Support for WPA3

Support for WPA3-OWE

Microsoft

Support for WiFi-6 and WPA3