In this post we will see how to configure a WGB (workgroup bridge) for multiple VLANs in a Cisco Unified Wireless environment. This is useful when we want wired clients behind the WGB to sit in different VLANs.
A WGB connects a wired network to the WLAN over a single wireless link: it learns the MAC addresses of its wired clients on the Ethernet interface and reports them to the lightweight access point (LAP) using Internet Access Point Protocol (IAPP) messaging. The WGB provides connectivity to its wired clients through a single association with the LAP, and the LAP treats the WGB as an ordinary wireless client.
Points to remember:
- The workgroup bridge can be any autonomous access point that supports workgroup bridge mode and runs Cisco IOS Release JA or later (on 32-MB access points) or Cisco IOS Release 12.3(8)JEB or later (on 16-MB access points).
- The wireless LAN controller must run software version 4.1.185.0 or later; WGB mode is not supported on earlier controller releases.
- Nothing needs to be configured on the controller for the WGB to communicate with the lightweight access point. For the association to succeed, however, the controller must have a WLAN whose SSID and security method match what is configured on the WGB.
- The LAP acts as the root AP for the WGB.
- Only one radio on the WGB can be configured in workgroup bridge mode to connect to the LAP.
- By default, access points treat workgroup bridges as client devices.
- A WGB supports a maximum of 20 wired clients.
- These lightweight features are supported for use with a workgroup bridge:
  - Guest N+1 redundancy
  - Local EAP
- These lightweight features are not supported for use with a workgroup bridge:
  - Cisco Centralized Key Management (CCKM)
  - Hybrid REAP
  - Idle timeout
  - Web authentication
- These features are not supported for wired clients connected to a workgroup bridge:
  - MAC filtering
  - Link tests
  - Idle timeout
My topology for this lab:
Core Switch ----- WLC ----- LAP ~~~~~~~~~~ WGB ----- Switch ----- Client
- DHCP is configured for VLAN 80 (on the core switch) and for VLAN 81 (on the WLC).
- The WLC has interfaces for VLAN 80 and VLAN 81.
- The WGB has sub-interfaces for the required VLANs, 80 and 81.
- The switch behind the WGB carries the required VLANs, 80 and 81.
- The WLC is connected to the core switch with a trunk port; AP001 (the LAP) is connected to an access port in VLAN 80.
- On WLC1, VLAN 80 is the management interface (the WLAN Test is mapped to it, as the client outputs later in the post show) and VLAN 81 is the dynamic interface Coding.
- An SSID "Test" is created with WPA2/AES-PSK.
Configuration on Core Switch:
First we create a DHCP pool and an SVI for the management VLAN so that the LAP and the WGB can obtain IP addresses. Here I created the DHCP pool "WGB" for VLAN 80 and configured the WLC and AP ports as shown below.
ip dhcp excluded-address 10.35.80.1 10.35.80.100
ip dhcp excluded-address 10.35.80.120 10.35.80.254
!
ip dhcp pool WGB
network 10.35.80.0 255.255.255.0
default-router 10.35.80.254
option 43 ip 10.35.80.1
lease 3
!
vlan 80
name Management
!
vlan 81
name coding
!
interface FastEthernet1/24
description LAP - AP001
switchport access vlan 80
switchport mode access
!
interface FastEthernet0/25
description *** WLC1 ***
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 80,81
switchport mode trunk
!
interface Vlan80
ip address 10.35.80.245 255.255.255.0
Configuration on WLC:
WLAN Configuration:
Step 1: I created an SSID Test with the WPA2-PSK security policy and the management interface assigned to it.
Step 2: DHCP scope for VLAN 81:
Wired clients behind the WGB get their IP addresses from VLAN 81, so we create a DHCP scope for that subnet on the WLC.
Step 3: Enable WGB VLAN client support from the WLC CLI:
(WLC1) >config wgb vlan enable
This is disabled by default and must be enabled for wired clients behind the WGB to be placed in their own VLANs. Once it is on, show wgb summary reports "WGB Vlan Client Support ... Enabled".
Configuration on WGB:
- I am using radio 0 (Dot11Radio0, the 2.4-GHz 802.11b/g radio) for the WGB role; only one radio can be configured in workgroup bridge mode to connect to the LAP.
- To support multiple VLANs on the WGB we use the VLAN tagging feature of the Unified WGB solution, which keeps VLAN traffic separated by VLAN number across the single wireless link. With the feature enabled, the WGB strips the 802.1Q header from frames a VLAN client sends towards the wireless LAN controller (WLC), and re-inserts the 802.1Q header when it forwards a frame from the WLC to the switch behind the WGB.
The WGB reports each wired client's VLAN to the WLC in the IAPP Association message. The WLC treats the wired client as a VLAN client and forwards its packets out of the matching interface based on the source MAC address.
In the upstream direction, the WGB removes the 802.1Q header before sending the packet to the WLC.
In the downstream direction, the WLC sends the packet to the WGB without an 802.1Q tag, and the WGB adds a 4-byte 802.1Q header, chosen by destination MAC address, before forwarding it to the switch that connects the wired client.
To enable VLAN tagging, configure this on the WGB (it is an autonomous-AP IOS command, so it goes on the WGB, not on the WLC):
WGB(config)# workgroup-bridge unified-vlan-client
- A problem you may hit while testing: a wired client comes up behind the WGB but is removed again after some time, and in particular the switch connected to the WGB loses its IP address. The cause is a quiet device's entry ageing out of the WGB's bridge table; when that happens the client disappears from the WLC as well. Raise the aging time of each bridge group on the WGB:
WGB(config)# bridge bridge-group-number aging-time 65535
(for the configuration below that is bridge groups 1 and 81).
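The Python model below is an added illustration written for this post; it is not Cisco IOS code and only mimics the behaviour the text above describes: upstream the WGB learns a wired client's MAC and VLAN, reports it to the WLC and strips the 802.1Q tag, downstream it re-inserts a 4-byte tag chosen by destination MAC (native VLAN frames stay untagged), and an entry that stays silent longer than the bridge aging time is dropped and withdrawn from the WLC. The MAC addresses come from the lab outputs later in the post; the frame payloads, timestamps and the 300-second default aging time are assumptions for the model, and it handles known unicast only, not flooding.

```python
"""Model of Unified WGB VLAN tagging and bridge-table aging (illustration, not IOS code)."""
import struct

TPID_8021Q = 0x8100


def parse_frame(frame):
    """Split an Ethernet frame into (dst, src, vlan-or-None, ethertype, payload)."""
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == TPID_8021Q:                      # 802.1Q tagged: 4 extra bytes
        (tci,) = struct.unpack("!H", frame[14:16])
        (ethertype,) = struct.unpack("!H", frame[16:18])
        return dst, src, tci & 0x0FFF, ethertype, frame[18:]
    return dst, src, None, ethertype, frame[14:]


def build_frame(dst, src, ethertype, payload, vlan=None):
    """Build an Ethernet frame, inserting a 4-byte 802.1Q header when vlan is given."""
    if vlan is None:
        return dst + src + struct.pack("!H", ethertype) + payload
    tci = vlan & 0x0FFF                              # PCP/DEI left at 0
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


class WorkgroupBridge:
    """One WGB with 'workgroup-bridge unified-vlan-client' enabled."""

    def __init__(self, native_vlan=80, aging_time=300):
        # native_vlan: 'encapsulation dot1Q 80 native'; untagged wired frames belong to it.
        # aging_time: 'bridge <n> aging-time'; 300 s is an assumed default for the model.
        self.native_vlan = native_vlan
        self.aging_time = aging_time
        self.table = {}        # wired MAC -> (vlan, last seen)
        self.iapp = []         # messages the WGB would send to the WLC

    def upstream(self, frame, now):
        """Wired client -> WLC: learn MAC/VLAN, report it, strip the tag."""
        dst, src, vlan, ethertype, payload = parse_frame(frame)
        if vlan is None:
            vlan = self.native_vlan
        if self.table.get(src, (None,))[0] != vlan:
            self.iapp.append(("assoc", src, vlan))   # IAPP association carries the VLAN
        self.table[src] = (vlan, now)
        return build_frame(dst, src, ethertype, payload)   # WLC picks the interface by src MAC

    def downstream(self, frame):
        """WLC -> wired client: pick the VLAN by destination MAC and re-tag."""
        dst, src, _, ethertype, payload = parse_frame(frame)
        if dst not in self.table:
            return None                               # unknown unicast: not forwarded here
        vlan = self.table[dst][0]
        if vlan == self.native_vlan:
            return build_frame(dst, src, ethertype, payload)          # native stays untagged
        return build_frame(dst, src, ethertype, payload, vlan=vlan)

    def age(self, now):
        """Expire silent entries; the WLC then drops the wired client too."""
        expired = [m for m, (_, seen) in self.table.items() if now - seen > self.aging_time]
        for mac in expired:
            vlan, _ = self.table.pop(mac)
            self.iapp.append(("deassoc", mac, vlan))
        return expired


def demo():
    """Walk a VLAN 81 client and the VLAN 80 switch through both directions and aging."""
    wgb = WorkgroupBridge(native_vlan=80, aging_time=300)
    client81 = bytes.fromhex("c4346b2580c8")        # wired client in VLAN 81
    switch80 = bytes.fromhex("381c1a89f4c1")        # switch SVI in native VLAN 80
    gateway = bytes.fromhex("001e4a814c96")         # a host on the WLC side
    ip = bytes(20)                                  # constructed placeholder payload
    up = wgb.upstream(build_frame(gateway, client81, 0x0800, ip, vlan=81), now=0)
    wgb.upstream(build_frame(gateway, switch80, 0x0800, ip), now=10)
    down81 = wgb.downstream(build_frame(client81, gateway, 0x0800, ip))
    down80 = wgb.downstream(build_frame(switch80, gateway, 0x0800, ip))
    aged = wgb.age(now=301)                         # client81 silent for 301 s > 300 s
    return {
        "upstream_vlan": parse_frame(up)[2],        # None: tag stripped
        "down81_vlan": parse_frame(down81)[2],      # 81: tag re-added
        "down80_vlan": parse_frame(down80)[2],      # None: native VLAN
        "aged": aged,                               # [client81]
        "iapp": wgb.iapp,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running demo() shows why the aging time matters: the VLAN 81 client is forwarded correctly right up to the moment it has been silent for longer than aging_time, after which the WGB withdraws it and later downstream frames for it are no longer tagged or delivered.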
So here is the complete WGB configuration:
hostname WGB
!
dot11 ssid Test
vlan 80
authentication open
authentication key-management wpa version 2
guest-mode
wpa-psk ascii 7 105A0C0A114640585851
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption vlan 80 mode ciphers aes-ccm
!
ssid Test
!
station-role workgroup-bridge --> To define the role of this AP as WGB
!
interface Dot11Radio0.80
encapsulation dot1Q 80 native
no ip route-cache
bridge-group 1
!
interface Dot11Radio0.81
encapsulation dot1Q 81
no ip route-cache
bridge-group 81
!
interface Dot11Radio1
no ip address
no ip route-cache
shutdown
!
interface FastEthernet0
no ip address
no ip route-cache
speed 100
full-duplex
!
interface FastEthernet0.80
encapsulation dot1Q 80 native
no ip route-cache
bridge-group 1
!
interface FastEthernet0.81
encapsulation dot1Q 81
no ip route-cache
bridge-group 81
!
interface BVI1
ip address dhcp
no ip route-cache
!
ip default-gateway 10.35.80.254
!
workgroup-bridge unified-vlan-client --> To support multiple VLAN on WGB
Verification:
On the WGB:
WGB#sh bridge
Total of 300 station blocks, 293 free
Codes: P - permanent, S - self
Bridge Group 1:
Address           Action   Interface   Age   RX count   TX count
0022.bd98.3a30    forward  Vi0.80      2     3          0
381c.1a89.f4c1    forward  Fa0.80      2     12         2
381c.1a89.f481    forward  Fa0.80      0     654        0
001e.4a81.4c96    forward  Vi0.80      0     386        4
Bridge Group 81:
381c.1a89.f4c2    forward  Fa0.81      3     1          0
c434.6b25.80c8    forward  Fa0.81      0     2352       0
381c.1a89.f481    forward  Fa0.81      0     316        0
Entries on Vi0.80 (the Virtual-Dot11Radio0 sub-interface) were learned from the wireless side, entries on Fa0.80 and Fa0.81 from the wired side; the two bridge groups keep the VLANs apart, and the Age column is what the aging-time command above controls.
WGB#sh dot11 associations
802.11 Client Stations on Dot11Radio0:
SSID [Test] :
MAC Address       IP address      Device          Name     Parent   State
0022.bd98.3a32    10.35.80.1      LWAPP-Parent    AP001    -        Assoc
WGB#sh dot11 associations 0022.bd98.3a32
Address : 0022.bd98.3a32 Name : AP001
IP Address : 10.35.80.1 Interface : Dot11Radio 0
Device : LWAPP-Parent Software Version : NONE
CCX Version : 5 Client MFP : On
State : Assoc Parent : -
SSID : Test
VLAN : 80
Hops to Infra : 0 Association Id : 1
Tunnel Address : 0.0.0.0
Key Mgmt type : WPAv2 PSK Encryption : AES-CCMP
Current Rate : 54.0 Capability : WMM ShortHdr ShortSlot
Supported Rates : 1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
Voice Rates : disabled Bandwidth : 20 MHz
Signal Strength : -46 dBm Connected for : 989 seconds
Signal to Noise : 43 dB Activity Timeout : 15 seconds
Power-save : Off Last Activity : 0 seconds ago
Apsd DE AC(s) : NONE
Packets Input : 672848 Packets Output : 66093
Bytes Input : 128614720 Bytes Output : 6258031
Duplicates Rcvd : 0 Data Retries : 3361
Decrypt Failed : 0 RTS Retries : 425
MIC Failed : 0 MIC Missing : 0
Packets Redirected: 0 Redirect Filtered: 0
On the WLC:
Via GUI:
The wired client shows up with an IP address in VLAN 81, the VLAN of the switch port it is plugged into. Note in the CLI outputs below that wired clients behind the WGB show Authentication Key Management N/A and Encryption Cipher None: the only authentication and encryption in their path is the WGB's own WPA2-PSK association, and MAC filtering is not supported for them, so anything plugged into the switch behind the WGB is on the WLAN. Control physical access to that switch accordingly.
Via CLI:
(WLC1) >show wgb summary
WGB Vlan Client Support.......................... Enabled
Number of WGBs................................... 1
MAC Address IP Address AP Name Status WLAN Auth Protocol Clients
----------------- --------------- ----------------- --------- ---- ---- ---------------- -------
58:8d:09:03:e3:1c 10.35.80.110 AP001 Assoc 3 Yes 802.11g 2
(WLC1) >show wgb detail 58:8d:09:03:e3:1c
Number of wired client(s): 2
MAC Address IP Address AP Name Mobility WLAN Auth
----------------- --------------- ----------------- ---------- ---- ----
c4:34:6b:25:80:c8 10.35.81.32 AP001 Local 3 Yes
38:1c:1a:89:f4:c1 10.35.80.108 AP001 Local 3 Yes
(WLC1) >show client summary
Number of Clients................................ 3
MAC Address AP Name Status WLAN Auth Protocol Port Wired
----------------- ----------------- ------------- -------------- ---- ---------------- ---- -----
38:1c:1a:89:f4:c1 AP001 Associated 3 Yes N/A 1 N/A
58:8d:09:03:e3:1c AP001 Associated 3 Yes 802.11g 1 N/A
c4:34:6b:25:80:c8 AP001 Associated 3 Yes N/A 1 N/A
(WLC1) >show client detail 58:8d:09:03:e3:1c --> My WGB
Client MAC Address............................... 58:8d:09:03:e3:1c
Client Username ................................. N/A
AP MAC Address................................... 00:22:bd:98:3a:30
AP Name.......................................... AP001
Client State..................................... Associated
Client NAC OOB State............................. Access
Workgroup Bridge................................. 2 client(s)
Wireless LAN Id.................................. 3
BSSID............................................ 00:22:bd:98:3a:32
Connected For ................................... 900 secs
Channel.......................................... 1
IP Address....................................... 10.35.80.110
Association Id................................... 1
Authentication Algorithm......................... Open System
Reason Code...................................... 1
Status Code...................................... 0
Session Timeout.................................. 0
Client CCX version............................... 5
Client E2E version............................... No E2E support
Diagnostics Capability........................... Not Supported
S69 Capability................................... Not Supported
QoS Level........................................ Silver
802.1P Priority Tag.............................. disabled
WMM Support...................................... Enabled
Power Save....................................... OFF
Current Rate..................................... 54.0
Supported Rates.................................. 1.0,2.0,5.5,11.0,6.0,9.0,
............................................. 12.0,18.0,24.0,36.0,48.0,
............................................. 54.0
Mobility State................................... Local
Mobility Move Count.............................. 0
Security Policy Completed........................ Yes
Policy Manager State............................. RUN
Policy Manager Rule Created...................... Yes
ACL Name......................................... none
ACL Applied Status............................... Unavailable
Policy Type...................................... WPA2
Authentication Key Management.................... PSK
Encryption Cipher................................ CCMP (AES)
Management Frame Protection...................... Yes
EAP Type......................................... Unknown
Interface........................................ management
VLAN............................................. 80
Quarantine VLAN.................................. 0
Access VLAN...................................... 80
(WLC1) >show client detail 38:1c:1a:89:f4:c1 --> Switch in vlan 80
Client MAC Address............................... 38:1c:1a:89:f4:c1
Client Username ................................. N/A
AP MAC Address................................... 00:22:bd:98:3a:30
AP Name.......................................... AP001
Client State..................................... Associated
Client NAC OOB State............................. Access
Workgroup Bridge Client.......................... WGB: 58:8d:09:03:e3:1c
Wireless LAN Id.................................. 3
BSSID............................................ 00:22:bd:98:3a:32
Connected For ................................... 909 secs
Channel.......................................... 1
IP Address....................................... 10.35.80.108
Association Id................................... 0
Authentication Algorithm......................... Open System
Reason Code...................................... 1
Status Code...................................... 0
Session Timeout.................................. 0
Client CCX version............................... No CCX support
QoS Level........................................ Silver
802.1P Priority Tag.............................. disabled
WMM Support...................................... Disabled
Power Save....................................... OFF
Supported Rates..................................
Mobility State................................... Local
Mobility Move Count.............................. 0
Security Policy Completed........................ Yes
Policy Manager State............................. RUN
Policy Manager Rule Created...................... Yes
ACL Name......................................... none
ACL Applied Status............................... Unavailable
Policy Type...................................... WPA2
Authentication Key Management.................... N/A
Encryption Cipher................................ None
Management Frame Protection...................... No
EAP Type......................................... Unknown
Interface........................................ management
VLAN............................................. 80
Quarantine VLAN.................................. 0
Access VLAN...................................... 0
(WLC1) >show client detail c4:34:6b:25:80:c8 --> Client in VLAN 81
Client MAC Address............................... c4:34:6b:25:80:c8
Client Username ................................. N/A
AP MAC Address................................... 00:22:bd:98:3a:30
AP Name.......................................... AP001
Client State..................................... Associated
Client NAC OOB State............................. Access
Workgroup Bridge Client.......................... WGB: 58:8d:09:03:e3:1c
Wireless LAN Id.................................. 3
BSSID............................................ 00:22:bd:98:3a:32
Connected For ................................... 919 secs
Channel.......................................... 1
IP Address....................................... 10.35.81.32
Association Id................................... 0
Authentication Algorithm......................... Open System
Reason Code...................................... 1
Status Code...................................... 0
Session Timeout.................................. 0
Client CCX version............................... No CCX support
QoS Level........................................ Silver
802.1P Priority Tag.............................. disabled
WMM Support...................................... Disabled
Power Save....................................... OFF
Supported Rates..................................
Mobility State................................... Local
Mobility Move Count.............................. 0
Security Policy Completed........................ Yes
Policy Manager State............................. RUN
Policy Manager Rule Created...................... Yes
ACL Name......................................... none
ACL Applied Status............................... Unavailable
Policy Type...................................... WPA2
Authentication Key Management.................... N/A
Encryption Cipher................................ None
Management Frame Protection...................... No
EAP Type......................................... Unknown
Interface........................................ coding
VLAN............................................. 81
Quarantine VLAN.................................. 0
Access VLAN...................................... 81
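The check we just did by eye over the three outputs above can be scripted. The following Python is example code added for this post (not a WLC or IOS feature): it parses "show client detail" output into one record per client, then verifies that every client's VLAN is on the expected WLC interface, that every wired client points at a WGB that is actually CCMP-protected, and that the WGB's reported wired-client count matches the entries seen. The sample text is the three outputs above trimmed to the fields the check uses, and the VLAN-to-interface mapping is the one used in this lab.

```python
"""Cross-check 'show client detail' output for a WGB and its wired clients (added example)."""
import re

# VLAN -> WLC interface, as configured on WLC1 in this lab
EXPECTED_INTERFACE = {80: "management", 81: "coding"}

# Constructed sample: the three outputs above, trimmed to the fields used here.
SAMPLE_OUTPUT = """\
(WLC1) >show client detail 58:8d:09:03:e3:1c
Client MAC Address............................... 58:8d:09:03:e3:1c
AP Name.......................................... AP001
Workgroup Bridge................................. 2 client(s)
IP Address....................................... 10.35.80.110
Policy Type...................................... WPA2
Authentication Key Management.................... PSK
Encryption Cipher................................ CCMP (AES)
Management Frame Protection...................... Yes
Interface........................................ management
VLAN............................................. 80
(WLC1) >show client detail 38:1c:1a:89:f4:c1
Client MAC Address............................... 38:1c:1a:89:f4:c1
AP Name.......................................... AP001
Workgroup Bridge Client.......................... WGB: 58:8d:09:03:e3:1c
IP Address....................................... 10.35.80.108
Encryption Cipher................................ None
Interface........................................ management
VLAN............................................. 80
(WLC1) >show client detail c4:34:6b:25:80:c8
Client MAC Address............................... c4:34:6b:25:80:c8
AP Name.......................................... AP001
Workgroup Bridge Client.......................... WGB: 58:8d:09:03:e3:1c
IP Address....................................... 10.35.81.32
Encryption Cipher................................ None
Interface........................................ coding
VLAN............................................. 81
"""

FIELD_RE = re.compile(r"^(.+?)\.{3,}\s*(.*)$")              # "Key........ value"
CMD_RE = re.compile(r"^\(\S+\) >show client detail\b.*$", re.M)  # one block per command


def parse_client_detail(text):
    """Return {mac: {field: value}} for every 'show client detail' block in text."""
    clients = {}
    for block in CMD_RE.split(text):
        fields = {}
        for line in block.splitlines():
            m = FIELD_RE.match(line.strip())
            if not m:
                continue
            key = m.group(1).strip(" .")
            if key:                                  # skip wrapped continuation lines
                fields[key] = m.group(2).strip()
        mac = fields.get("Client MAC Address")
        if mac:
            clients[mac.lower()] = fields
    return clients


def check_wgb_clients(clients, expected_interface):
    """Return a list of findings; an empty list means everything is as expected."""
    findings = []
    wgbs = {mac for mac, f in clients.items() if "Workgroup Bridge" in f}
    wired_per_wgb = {mac: 0 for mac in wgbs}
    for mac, f in clients.items():
        vlan = int(f.get("VLAN", "0"))
        want = expected_interface.get(vlan)
        if want is None:
            findings.append(f"{mac}: VLAN {vlan} has no expected interface")
        elif f.get("Interface") != want:
            findings.append(f"{mac}: VLAN {vlan} is on interface {f.get('Interface')}, expected {want}")
        if "Workgroup Bridge Client" in f:           # wired client behind a WGB
            parent = f["Workgroup Bridge Client"].split("WGB:")[-1].strip().lower()
            if parent not in wgbs:
                findings.append(f"{mac}: parent WGB {parent} not seen as a WGB")
            else:
                wired_per_wgb[parent] += 1
        elif mac in wgbs and not f.get("Encryption Cipher", "").startswith("CCMP"):
            # wired clients carry no per-client crypto; only the WGB's own link protects them
            findings.append(f"{mac}: WGB link is not CCMP-protected ({f.get('Encryption Cipher')})")
    for mac, n in wired_per_wgb.items():
        claimed = int(clients[mac]["Workgroup Bridge"].split()[0])
        if claimed != n:
            findings.append(f"{mac}: WLC reports {claimed} wired client(s) but {n} listed")
    return findings


if __name__ == "__main__":
    for finding in check_wgb_clients(parse_client_detail(SAMPLE_OUTPUT), EXPECTED_INTERFACE):
        print(finding)
```

Feed it the full "show client detail" output for every client on the controller (for example from a scheduled CLI pull) and an empty result means the wired clients behind the WGB are on the interfaces you expect; a non-empty one points at a client that landed in the wrong VLAN, a WGB associated without CCMP, or a stale wired-client count.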
Configuring a specific client VLAN:
If all wired devices connected to the WGB's Ethernet port should land in one specific VLAN, we can instead assign a VLAN for the connected devices with this command on the WGB:
WGB(config)# workgroup-bridge client-vlan vlan-id
All devices connected to the workgroup bridge's Ethernet port are then assigned to that VLAN.
That’s all for today 🙂