Choosing Wi-Fi Access Points: Cisco CW916x and C9136 versus MR57

Choosing wireless access points

Wi-Fi technology has gone through several rounds of changes to accommodate the large increase in mobile device usage and Internet of Things (IoT) connectivity. What was once a few devices connected to a single access point could now be hundreds in a mid-sized or large organization. An enterprise needs the right Wi-Fi equipment to support performance, stable connectivity, and security.  Cisco manufactures several enterprise-tier Wi-Fi access points to support large organizations that will likely have several connected devices both for guests and for critical business resources. Once you know that access points are necessary within your network design, administrators need to choose the Cisco product that supports business requirements. We recommend Cisco CW916x, Cisco C9136 and Cisco MR57 products.

All three Cisco products bring several technologies to the table, and some clients migrate to the Cisco MR57 after installing CW916x products. Customers ask about the minor differences between the three Cisco products, and the differences can determine which product you choose to install in your environment. All three are fairly similar, but they have minor differences that affect your choice. This article should help you understand the differences and help you decide on the right product for your network environment.

Wi-Fi 6E Support

Performance is what most businesses worry about when they shop around for Wi-Fi access points. The latest version of Wi-Fi standards is 6E. It’s the most recent standard introduced in 2020. The Cisco Wi-Fi access points covered in this article offer the Wi-Fi 6 standard as well, which was introduced in 2019 and quickly replaced by Wi-Fi 6E.

Essentially, the new Wi-Fi 6E standard supports any IEEE 802.11ax product and has the fastest performance, largest bandwidth, and lowest latency on the market. As you can guess, performance and low latency are especially important for products that need to be “always on” with little interruption. For example, an environment that supports medical equipment must have Wi-Fi support for various IoT and network devices with speeds to support fast transfers of large files (e.g., medical images) and without constant disconnects from high-latency connections. This type of environment is where the C9136 might be the better choice.

The speed and bandwidth of the new Wi-Fi 6E is mostly from the new 6GHz bands available for use. With the 6GHz feature, more airwaves are open for routers to broadcast Wi-Fi signals. Instead of competing with numerous devices and other surrounding Wi-Fi networks for airwaves, the Wi-Fi 6E allows for wider channels, faster speeds, and a much larger number of concurrently connected devices.

Both Cisco CW916x and MR57 allow for configurations to use dual 5GHz bands, or administrators can take full advantage of the new 6GHz tri-band configurations. The configurations you use depend on devices that you plan to connect to the access points. Every product manufacturer builds backwards compatibility into their devices to support legacy technology, but not every older device will support the latest WI-Fi 6GHz technology. Administrators should take an audit of devices that must connect to the Wi-Fi access point to ensure that it’s compatible with older devices. For environments with several legacy devices, it might be more feasible to work with other Cisco Wi-Fi access points to avoid incompatibility issues.

A distinctive difference with the MR57 and Cisco C9136 product is dual 5 Gbps mGig active failover.  These units are built for mission critical applications and network resource connectivity, so it has several redundant features to ensure stability and uptime. With failover, network resources have a much lower chance of losing connectivity to the environment, which can cause severe issues in a mission critical environment and its applications.

Reduction of Costs Using Power Over Ethernet (PoE)

Most infrastructure works with DC adapters, which means that hardware including Wi-Fi access points should be placed in close proximity to power outlets. Another option is stringing extension cords from the device to a power outlet. Managing power for equipment costs money and careful planning. With PoE, much of this overhead is alleviated using network Ethernet cables to power devices. PoE lowers your power consumption, and therefore lowers power costs.

All three Cisco Wi-Fi access points provide PoE options, which can benefit new installations where power outlets are already installed. Instead of finding a location for an access point that might cause lower quality signals for devices based on proximity to power outlets, the access point can be placed farther away from a power outlet provided an Ethernet cable can be strung to the access point location.

Both the Cisco MR57 family of access points and Cisco CW916x are 802.3at/bt PoE+ and UPoE compliant. The Cisco C9136 access point has PoE redundancy, which means that power will continue to flow to the access point should a single source of power fail. All three can still use DC adapters if it’s preferred.

Physical and Virtual Security

All Cisco Wi-Fi products have security features, but the MR57 product has a couple additional features compared to the CW916x product. The few common security features include:

  • Layer 7 firewall protection with mobile device policy management
  • Real-time WIDS/WIPS
  • Support for all newer WPA3 wireless security standards
  • VLAN tagging (802.1q) and tunneling with IPsec VPN
  • PCI compliant reporting
  • Enterprise Mobility Management (EMM)
  • Kensington locks and security screw protection

The major advantage of the Cisco MR57 product is its ability to integrate with Cisco Identity Services Engine (ISE). You can read a more in-depth overview of Cisco ISE in this post, but ISE helps administrators build security policies based on user roles. The advantage is that administrators can provide access to various network resources at the Cisco Wi-Fi access point based on current security policies configured on the network with ISE.

The Cisco CW916x and C9136 products have support for the Internet Content Adaptation Protocol (ICAP). This protocol allows administrators to configure the access point to analyze HTTP traffic and scan content for viruses and block specific unauthorized content. It’s a great way to add web browsing content filtering to your environment. It shouldn’t be the sole method for blocking malicious content, but it can work well with other cybersecurity policies and features to add a layer of protection from users accessing sites that host malware or drive-by downloads.

Another small difference between the CW916x and MR57 Cisco products is that the CW916x access point supports Advanced Encryption Standard (AES) ciphers and the MR57 supports AES and Temporal Key Integrity Protocol (TKIP). TKIP was created to solve the issue of WEP (Wired Equivalent Privacy) vulnerabilities. TKIP was deprecated in 2012, but administrators still might have reasons to support it within their environment. Note, though, that TKIP is vulnerable to attacks from bad actors located within the same network, so it should be deprecated in your enterprise environment.

Analytics for Tracking and Reporting

In an enterprise environment, administrators need analytics to ensure that cybersecurity is working properly, users have access to the resources they need to perform their job functions, and to understand the way users access data. All three Cisco Wi-Fi access points provide reports and dashboards so that administrators can audit their access points for any anomalies. It’s also great for administrators to identify if they need additional access points to support better performance and bandwidth as more user devices, IoT, and network resources are added to the environment.

One of the most useful reports is analytics on the layer 7 firewall. Layer 7 firewalls block malicious traffic (e.g., SQLi or cross-site scripting) from accessing critical web application services. Administrators can review reports on layer 7 malicious content sent to infrastructure to better understand any potentially targeted attacks on the organization. It can also be used to investigate any successful content injection attacks on applications.

Administrators can use analytics on the Cisco MR57 and CW916x models to track various usage patterns such as visitor capture rate, visit timeframe, and repeat visit rate. This feature ties in with security features for incident response and investigations. With the ISE feature integrated into your environment, administrators can better understand unauthorized access and potential insider threats.

Cloud Management

For all Cisco Wi-Fi access points, administrators can manage the device in the cloud. Some administrators might prefer to manage the access points locally without connecting resources to the cloud, but the cloud management systems makes it easier for administrators working with remote network resources. Connecting the access points to the cloud also makes it easier to keep firmware updated, which is an important step in managing devices for bug updates and patching them with the latest security updates.

Cloud management gives administrators better visibility over all access points, especially when several of them exist in remote locations. They can review reports, configure the access points remotely, and update firmware from one location. It’s a feature that dramatically lowers overhead for administrators responsible for an enterprise network across locations. Even though cloud management is an option, administrators can still choose to manage the access points on-premises with Cisco Catalyst Wireless LAN Controllers (WLCs).

Miscellaneous Features

The above are just a few useful features that stand out between the three different Cisco access points, but each one has several miscellaneous configuration options and features that could benefit your organization in some way. A few additional features that might interest you:

  • All three have guest access features along with security configurations to control content browsing and downloads.
  • Voice and video optimizations for remote meeting applications (e.g., Zoom) with Quality of Service (QoS) built into the products.
  • Cisco MR57 will prioritize voice and audio traffic to ensure quality communication.
  • Meraki health analytics with artificial intelligence (AI) and machine learning (ML) anomaly detection, root cause analysis help, performance and connectivity information, and network benchmarking to compare metrics with your normal standards to help identify unknown issues.
  • Update scheduling using Meraki cloud management.

To get started with your next migration or network infrastructure planning, contact us.