Cisco 2106 Wireless LAN Controller and Location Appliance

When Cisco Systems acquired AireSpace in 2005 it took on a sophisticated wireless monitoring and security system that was already ahead of its time. It hasn't sat on its laurels since then either and has continued to development these products and in this exclusive review we take a closer look at its 2106 Wireless LAN Controller. Aimed at small to medium businesses and enterprise branch office deployments this desktop box runs pretty much the same code as its bigger brethren and as such integrates with Cisco's WCS software and its 2710 location tracking appliance. Cisco delivered the complete solution to our labs so this allowed us to conduct live tests on rogue AP identification and RFID tag tracking as well.

The 2106 controller has eight Fast Ethernet ports two of which are PoE enabled and it's designed to facilitate the deployment of Cisco's AiroNet lightweight access points. This partnership forms the foundation of Cisco's wireless security solution as the APs are used to provide secure network access but also to monitor wireless networks and identify rogue APs, clients and Ad-Hoc networks. The main concept here is that clients use the AiroNet APs and all other devices are considered rogues unless expressly permitted to function.

For testing we used both AiroNet 1130AG and 1242AG APs with the latter supporting both 2.4GHz and 5GHz operations. These all run the LWAPP (lightweight access point protocol) and so cannot be accessed individually and can only be configured via the 2106. Essentially, you plug the APs in whereupon they contact the controller and automatically receive all their security settings and general configuration details.

Installation of the 2106 is simple enough and it provides a quick-start wizard for setting up the management port along with the interfaces for communicating with the access points. The web interface opens with a complete overview of wireless clients along with all AiroNet APs and details of which 802.11a, b or g services are being provided. The main page also provides a list on all detected rogue APs and clients and choosing the former gives you the low-down on each one's associated wireless clients. During testing we were impressed with the efficiency of the AiroNet devices as even before we deployed them outside the main testing lab they were picking up APs not only across our office block but also in adjacent buildings on the campus.

The AiroNet APs are managed using policies which contain details on security settings and wireless services. Policies are used to enforce encryption and authentication whilst QoS parameters can restrict the number of clients that are allowed to associate with a particular AP. It gets very interesting if you use the containment policies but be very, very careful. With these in action the AiroNet APs will stop clients associating with rogue APs and Ad-Hoc networks by sending out continuous de-auth packets. Naturally, these are deactivated by default and you'll receive plenty of warnings when you opt to activate them. AiroNet APs included in a containment policy can be configured either to act only as a monitor or as an active AP as well as you can decide what percentage of their CPU is dedicated to each task.

Multiple controllers can be managed more effectively with Cisco's WCS (wireless control system) software. Group templates can be used to configure multiple controllers and APs and WCS brings mobility groups into the picture to allow seamless roaming. When a client accesses the network the AP used first is designated as their anchor. When they move to another AP in the same subnet the anchor passes their credentials across and promotes the next AP as the new anchor. Along with Layer 2 the groups work at Layer 3 so if a user moves to an AP on a different subnet their anchor remains the same but the new AP will tunnel through to the anchor allowing the client's IP address to stay the same.