In this post we will learn about the configuration guide point to point wireless bridging using the Mesh Network solution from WLC.
This is my topology:
Right now I have both AP connected to WLC in local mode.
- An AP in mesh mode needs to be authorized to join a controller. So the first step is therefore to add there mac address.
- Before converting to bridge mode we must add the mac address of the both APAP in Policies list or the MAC filtering list. From Security > AAA > AP Policies, click Add.
- To configure Mesh, we will need to do multiple reboots of our APs. To reduce the number of reboots, configure all of the global Mesh settings first
- Don’t use static IP address especially on MAP.
From Security > AAA > AP Policies, click Add.
Now place both AP into Bridge mode (just another name for Mesh mode).
After selection of Bridge mode we must apply it. Then both AP will reboot.
See the screenshot when both AP came as in Bridge Mode:
Once the AP reboots, a new MESH tab is available under: Wireless > All APs, click on AP1 or AP2.
Here are few boxes which we should remember.
AP Role: Either RAP or MAP
Bridge Type: Indoor
Bridge Group Name (BGN): It’s like a workgroup name, allow the APs to know which AP are part of their group. (Here in my example we will take BGN as rscciew123)
Bridge Data Rates: Rate at which data is shared between the mesh access points. This is fixed for a whole network. Default data rate is 18 Mbps, which you should use for the backhaul. Valid data rates: for 802.11a: 6, 9, 12, 18, 24, 36, 48, and 54
Since AP2 will send its traffic through AP1, AP1 will be the RAP and AP2 will be the MAP. Don’t forget to configure an identical Bridge ID. (Otherwise leave it blank for both APs)
In Mesh tab, configure the rest of the AP settings.
- Select RAP role to AP1 and assign BGN name (rscciew123)
- Select MAP role to AP2 and assign BGN name (rscciew123)
And Apply. The APs will go through reboot again, and will take few minutes to rejoin to WLC.
*** MAPs use Adaptive Wireless Path Protocol (AWPP) to determine the best path through the mesh APs to their WLC. The protocol takes path decisions based on both link-quality and number of Mesh hops.
To prevent AP2 from simply connecting back up to the WLC through its wired port, Either place AP2 into VLAN 100(Not routable) or make the wired port shut for AP2, so that it has no path to the WLC except though its radios.
This is not mandatory- (When the APs come back up, AP1 will do another MAC auth. But AP2 will do a user auth. See the SNMP trap logs for the user name, and then create a local user with that name and make the password identical to the name.)We can see this error in trap log on WLC.
Now my Both AP is up.
Now check the status: Go to Wireless > All APs , far right on AP1 there is blue box ,click on that and select Neighbor Information
We can also check from AP1 and AP2 CLI:
AP001#sh mesh status show MESH Status RootAP in state Maint Uplink Backbone: FastEthernet0, hw FastEthernet0 Configured BGN: rscciew123, Extended mode 0 Children: Accept child rxNeighReq 187 rxNeighRsp 0 txNeighReq 0 txNeighRsp 187 rxNeighRsp 653 txNeighUpd 3333 nextchan 0 nextant 0 downAnt 0 downChan 0 curAnts 0 nextNeigh 1, malformedNeighPackets 0,poorNeighSnr 0 excludedPackets 0,insufficientMemory 0, authenticationFailures 0 Parent Changes 1, Neighbor Timeouts 0 Vector through XXXX.XX96.3404: Vector ease 1 -1, FWD: XXXX.XX96.3404
AP001#sh mesh adjacency child show MESH Adjacency Child ADJ 1 Identity YYYY.YY03.e31c MA: 003a.9914.137f ver 0x20 minver 0x0 on device Dot11Radio:1 txpkts 754 txretries 420 Flags: CHILD BEACON worstDv 255 Ant 0, channel 64, biters 0, ppiters 10, fwd_state 3 Numroutes 0, snr 0, snrUp 10 snrDown 0 linkSnr 0 blistExp 3 bliters 0 adjustedEase 0 unadjustedEase 0 stickyEase 0 txParent 0 rxParent 0 BGN rscciew123 Vector through YYYY.YY03.e31c: Per antenna smoothed snr values: 0 0 0 0 Subordinate neighbors: YYYY.YY03.e31c Hop-Count Extension: ON, Version: 1
AP002#sh mesh status show MESH Status MeshAP in state Maint Uplink Backbone: Virtual-Dot11Radio0, hw Dot11Radio1 Configured BGN: rscciew123, Extended mode 0 Children: Accept child rxNeighReq 0 rxNeighRsp 213 txNeighReq 372 txNeighRsp 0 rxNeighRsp 1094 txNeighUpd 966 nextchan 0 nextant 0 downAnt 0 downChan 0 curAnts 0 nextNeigh 3, malformedNeighPackets 0,poorNeighSnr 44 excludedPackets 0,insufficientMemory 0, authenticationFailures 0 Parent Changes 7, Neighbor Timeouts 0 Vector through XXXX.XX96.3404: Vector ease 1 -1, FWD: XXXX.XX96.3404
AP002#sh mesh adjacency parent show MESH Adjacency Parent ADJ 1 Identity XXXX.XX96.3404 MA: 0022.bd98.3a3f ver 0x20 minver 0x20 on device Dot11Radio:1 txpkts 712 txretries 247 Flags: UPDATED NEIGH PARENT BEACON worstDv 0 Ant 0, channel 64, biters 0, ppiters 10, fwd_state 3 Numroutes 1, snr 0, snrUp 13 snrDown 10 linkSnr 9 blistExp 2 bliters 0 adjustedEase 512 unadjustedEase 512 stickyEase 2048 txParent 349 rxParent 199 Authentication: EAP, Encryption: AES-CCMP, Fwd-state: OPEN/CONTROL BGN rscciew123 Vector through XXXX.XX96.3404: Vector ease 1 -1, FWD: XXXX.XX96.3404 Per antenna smoothed snr values: 9 0 0 0 Hop-Count Extension: ON, Version: 1
*** MAP is in Maint state, which indicates it has found a parent.
(WLAN1) >show ap summary Number of APs.................................... 2 Global AP User Name.............................. admin Global AP Dot1x User Name........................ Not Configured AP Name Slots AP Model Ethernet MAC Location Port Country Priority ------------------ ----- -------------------- ----------------- ---------------- ---- ------- ------ AP001 2 AIR-LAP1242AG-E-K9 XX.XX.XX:96:34:04 default Location 1 DE 4 AP002 2 AIR-LAP1242AG-E-K9 YY.YY.YY:03:e3:1c default location 1 DE 4 (WLAN1) > (WLAN1) > (WLAN1) >show mesh ap tree ======================================================= || AP Name [Hop Counter, Link SNR, Bridge Group Name] || ======================================================= [Sector 1] ---------- AP001[0,0,rscciew123] |-AP002[1,8,rscciew123] ---------------------------------------------------- Number of Mesh APs............................... 2 Number of RAPs................................... 1 Number of MAPs................................... 1 ---------------------------------------------------- (WLAN1) >
This is all about basic configuration J
We can also force MAP to use specific RAP for the best path: How to configure it.
(WLAN1) > config mesh parent preferred <Cisco AP name> <mac address of preffered parent>
Configuring Global Mesh parameters
Wireless -> MESH
- Optimum distance that should exist between the RAP and the MAP
- Normally this parameter applies to outdoor mesh access points to report Rouges to Controller.
- IDS reports are generated for all traffic on the backhaul
- Backhaul Client Access
- It applies to APs with 2 or more radios.
- When it’s disabled, 11a radio -> backhaul, 802.11b/g -> Client associations.
- When enabled, Slot 1 can do both backhaul and client associations
- When Extended Backhaul client access is enabled, even slot 2 can be used for client associations.
- Mesh DCA Channel
- When we change the channel under RRM then MAP will not detect this and they will continuously use that channel, so if we enable this feature the MAP will detect the channel change on RRM.
- Global Public Safety
- Disabled by default, we can enable this to use 4.9GHz range.(This range used by US Public Safety channels)
- VLAN Transparent
- It determines how VLAN tags are handled from the Ethernet bridged traffic
- The VLAN tagging only works on non-backhaul Ethernet ports.
- When enabled: VLAN tags are not supported and only 1 L2 VLAN ( Mesh AP vlan ) can be bridged when VLAN transparent is enabled
- e the RAP , MAP ethernet ports must be configured as access ports on the switch
- When this feature is disabled, all packets are tagged as non-VLAN transparent or VLAN-opaque . This implements VLAN tagging.
- Security mode
- PSK or EAP authentication can be enabled
- EAP must be selected if external MAC authorization using a RADIUS server is configured
- PSK or Local EAP authentication is performed within the controller if External MAC Filter authorization parameter is disabled.
- External MAC filter authorization
- If the MAC address is not found in the local MAC filter list, then the RADIUS server is checked.
- Protects against rogue APs
- Force External Authentication
- When this is enabled along with External MAC filter authorization the RADIUS server decisions override the local MAC filter list.
- PSK or EAP authentication can be enabled
Mesh Ethernet Bridging:
Ethernet Bridging: By default it’s disabled, traffic from MAP Ethernet is blocked on Backhaul. To allow traffic from MAP Ethernet we have to enable this feature on both RAP and MAP.
***Note: By default Ethernet bridging is not allowed, it’s dropped on RAP Ethernet port, untagged. To allow VLAN tagging we must disable VLAN Transparent option (Wireless > Mesh). Once we disable it VLAN tag will be accepted.
RAP: Check the Ethernet Bridging Box and Apply
Now we will see the Ethernet interface under Mesh Tab, Click on it.
Same we have to do on MAP.
RAP: Native VLAN 80, Trunk VLAN 35
MAP: Native VLAN 100, Trunk VLAN 35
Make sure that port for RAP and MAP configured as Trunk.
That’s all about Ethernet bridging 🙂