In this post we will see how to configure a WGB (workgroup bridge) for multiple VLANs in a unified wireless environment. This is useful when we want wired clients behind the WGB in different VLANs.
A WGB connects to a wired network over a single wireless segment by learning the MAC addresses of its wired clients on the Ethernet interface and reporting them to the lightweight access point using Internet Access Point Protocol (IAPP) messaging. The WGB provides wireless access connectivity to wired clients by establishing a single connection to the lightweight access point. The lightweight access point treats the WGB as a wireless client.
Points to remember:
- The workgroup bridge can be any autonomous access point that supports the workgroup bridge mode and is running Cisco IOS Release JA or greater (on 32-MB access points) or Cisco IOS Release 12.3(8) JEB or greater (on 16-MB access points).
- On the wireless LAN controller, we should have software version 4.1.185.0 or later. The WGB mode is not supported on the controller on any of the earlier versions.
- We do not need to configure anything on the controller to enable the WGB to communicate with the lightweight access point. However, to ensure proper communication, we should create a WLAN on the controller that matches the SSID and security method that was configured on the WGB.
- The LAP acts as the root AP for the WGB.
- We can only configure one radio for WGB mode to connect to the LAP.
- By default, access points treat workgroup bridges as client devices.
- A WGB can support a maximum of 20 clients.
- These lightweight features are supported for use with a workgroup bridge:
  - Guest N+1 redundancy
  - Local EAP
- These lightweight features are not supported for use with a workgroup bridge:
  - Cisco Centralized Key Management (CCKM)
  - Hybrid REAP
  - Idle timeout
  - Web authentication
- These features are not supported for wired clients connected to a workgroup bridge:
  - MAC filtering
  - Link tests
  - Idle timeout
My topology for this lab:
Core Switch ----- WLC ----- LAP ~~~~~~~~~~ WGB ----- Switch ----- Client
- The Dynamic Host Configuration Protocol (DHCP) is configured for VLAN 80 (on the core switch) and VLAN 81 (on the WLC).
- The WLC has the dynamic interfaces created for VLAN 80 and 81.
- The WGB has sub-interfaces for required VLANs — 80 and 81.
- The switch behind the WGB has required VLANs — 80 and 81.
- The WLC is connected to the core switch with a trunk port, and AP001 (the LAP) is connected with an access port.
- WLC1 is configured with 2 dynamic interfaces: 80 (Test) and 81 (Coding).
- I created an SSID "Test" with WPA2/AES PSK, as shown below.
Config. on Core Switch:
First we have to create a DHCP pool and an SVI for the management VLAN so that the LAP and the WGB can get an IP address. Here I created the DHCP pool "WGB" for VLAN 80 and configured the WLC and AP ports as shown below.
ip dhcp excluded-address 10.35.80.1 10.35.80.100
ip dhcp excluded-address 10.35.80.120 10.35.80.254
!
ip dhcp pool WGB
 network 10.35.80.0 255.255.255.0
 default-router 10.35.80.254
 option 43 ip 10.35.80.1
 lease 3
!
vlan 80
 name Management
!
vlan 81
 name coding
!
interface FastEthernet1/24
 description LAP - AP001
 switchport access vlan 80
 switchport mode access
!
interface FastEthernet0/25
 description *** WLC1 ***
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 80,81
 switchport mode trunk
!
interface Vlan80
 ip address 10.35.80.245 255.255.255.0
Configuration on WLC:
WLAN Configuration:
Step 1: As shown in the picture, I created an SSID "Test" with the WPA2-PSK security policy and assigned the management interface to it.
Step 2: DHCP scope for VLAN 81:
Wired clients behind the WGB will get their IP addresses from VLAN 81, so we have to create a DHCP scope for them on the WLC.
Step 3: Also enable WGB VLAN support from the WLC CLI:
(WLC1) >config wgb vlan enable
By default it is disabled, and we must enable it to get WGB VLAN client connectivity.
Config of WGB:
- I am configuring the WGB on the 2.4-GHz radio, which is the 802.11b radio, interface 0. (We can only configure one radio for WGB mode to connect to the LAP.)
- To support multiple VLANs on the WGB we have to use the VLAN tagging feature, which segregates VLAN traffic based on the VLAN numbers for the Unified WGB solution. When this feature is enabled, the WGB removes the 802.1q header while sending a packet from a VLAN client to the wireless LAN controller (WLC). In the other direction, the WGB receives packets for a VLAN client without an 802.1q header, so the WGB has to add the 802.1q header while forwarding the frame to the switch behind the WGB.
The WGB updates the WLC with the wired-client VLAN information in the Internet Access Point Protocol (IAPP) Association message. The WLC treats the WGB client as a VLAN client and forwards the packet on the right VLAN interface based on the source MAC address.
In the upstream direction, the WGB removes the 802.1q header from the packet while sending it to the WLC.
In the downstream direction, the WLC sends the packet to the WGB without the 802.1q tag, and the WGB adds a 4-byte 802.1q header based on the destination MAC address while forwarding the packet to the switch that connects the wired client.
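The tag handling described above, modelled on raw Ethernet frames. This is an added example, not code from the original post or from Cisco: the class and function names are hypothetical, the gateway MAC is constructed, and leaving unknown destinations untagged is an assumption of the model.

```python
import struct

TPID_8021Q = 0x8100

def mac(text):
    return bytes.fromhex(text.replace(":", ""))

def frame(dst, src, vlan=None, payload=b"\x08\x00" + bytes(46)):
    """Build a constructed Ethernet frame; payload starts with the EtherType."""
    tag = struct.pack("!HH", TPID_8021Q, vlan) if vlan is not None else b""
    return mac(dst) + mac(src) + tag + payload

class WgbVlanModel:
    """Toy model of WGB tag handling with unified-vlan-client enabled."""

    def __init__(self, native_vlan=80):   # 80 is "dot1Q 80 native" in this lab
        self.native_vlan = native_vlan
        self.mac_to_vlan = {}              # wired-client MAC -> VLAN

    def upstream(self, eth):
        """Ethernet side -> WLC: record the sender's VLAN, strip the tag."""
        if len(eth) < 14:
            raise ValueError("frame shorter than an Ethernet header")
        src = eth[6:12]
        if struct.unpack("!H", eth[12:14])[0] != TPID_8021Q:
            self.mac_to_vlan[src] = self.native_vlan   # untagged = native VLAN
            return eth
        if len(eth) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci = struct.unpack("!H", eth[14:16])[0]
        self.mac_to_vlan[src] = tci & 0x0FFF           # low 12 bits = VLAN ID
        return eth[:12] + eth[16:]                     # drop TPID + TCI (4 bytes)

    def downstream(self, eth):
        """WLC -> Ethernet side: re-add the tag chosen by destination MAC."""
        if len(eth) < 14:
            raise ValueError("frame shorter than an Ethernet header")
        vlan = self.mac_to_vlan.get(eth[0:6])
        if vlan is None or vlan == self.native_vlan:
            return eth   # assumption: unknown/native destinations stay untagged
        return eth[:12] + struct.pack("!HH", TPID_8021Q, vlan) + eth[12:]

if __name__ == "__main__":
    GATEWAY = "02:00:00:00:00:01"          # constructed MAC on the WLC side
    wgb = WgbVlanModel()
    up = wgb.upstream(frame(GATEWAY, "c4:34:6b:25:80:c8", vlan=81))
    down = wgb.downstream(frame("c4:34:6b:25:80:c8", GATEWAY))
    print(len(up), down[12:16].hex())
```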
To enable VLAN tagging, we have to use this command on the WGB:
WGB(config)# workgroup-bridge unified-vlan-client
- You may face this problem while testing: a wired client connects through the WGB, but after some time it is removed automatically because of a timeout (in my case, the switch connected to the WGB in particular was losing its IP address). To stop this, we have to configure the aging time on the WGB with this command:
WGB(config)# bridge bridge-group-number aging-time 65535
So here is the complete config for WGB:
hostname WGB
!
dot11 ssid Test
 vlan 80
 authentication open
 authentication key-management wpa version 2
 guest-mode
 wpa-psk ascii 7 105A0C0A114640585851
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 80 mode ciphers aes-ccm
 !
 ssid Test
 !
 ! To define the role of this AP as WGB
 station-role workgroup-bridge
!
interface Dot11Radio0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
!
interface Dot11Radio0.81
 encapsulation dot1Q 81
 no ip route-cache
 bridge-group 81
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
!
interface FastEthernet0
 no ip address
 no ip route-cache
 speed 100
 full-duplex
!
interface FastEthernet0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
!
interface FastEthernet0.81
 encapsulation dot1Q 81
 no ip route-cache
 bridge-group 81
!
interface BVI1
 ip address dhcp
 no ip route-cache
!
ip default-gateway 10.35.80.254
!
! To support multiple VLAN on WGB
workgroup-bridge unified-vlan-client
Verification:
On WGB:
WGB#sh bridge

Total of 300 station blocks, 293 free
Codes: P - permanent, S - self

Bridge Group 1:

Address         Action   Interface  Age  RX count  TX count
0022.bd98.3a30  forward  Vi0.80       2         3         0
381c.1a89.f4c1  forward  Fa0.80       2        12         2
381c.1a89.f481  forward  Fa0.80       0       654         0
001e.4a81.4c96  forward  Vi0.80       0       386         4

Bridge Group 81:

381c.1a89.f4c2  forward  Fa0.81       3         1         0
c434.6b25.80c8  forward  Fa0.81       0      2352         0
381c.1a89.f481  forward  Fa0.81       0       316         0
WGB#sh dot11 associations

802.11 Client Stations on Dot11Radio0:

SSID [Test] :

MAC Address     IP address   Device        Name   Parent  State
0022.bd98.3a32  10.35.80.1   LWAPP-Parent  AP001  -       Assoc
WGB#sh dot11 associations 0022.bd98.3a32

Address           : 0022.bd98.3a32     Name             : AP001
IP Address        : 10.35.80.1         Interface        : Dot11Radio 0
Device            : LWAPP-Parent       Software Version : NONE
CCX Version       : 5                  Client MFP       : On

State             : Assoc              Parent           : -
SSID              : Test
VLAN              : 80
Hops to Infra     : 0                  Association Id   : 1
Tunnel Address    : 0.0.0.0
Key Mgmt type     : WPAv2 PSK          Encryption       : AES-CCMP
Current Rate      : 54.0               Capability       : WMM ShortHdr ShortSlot
Supported Rates   : 1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
Voice Rates       : disabled           Bandwidth        : 20 MHz
Signal Strength   : -46 dBm            Connected for    : 989 seconds
Signal to Noise   : 43 dB              Activity Timeout : 15 seconds
Power-save        : Off                Last Activity    : 0 seconds ago
Apsd DE AC(s)     : NONE

Packets Input     : 672848             Packets Output   : 66093
Bytes Input       : 128614720          Bytes Output     : 6258031
Duplicates Rcvd   : 0                  Data Retries     : 3361
Decrypt Failed    : 0                  RTS Retries      : 425
MIC Failed        : 0                  MIC Missing      : 0
Packets Redirected: 0                  Redirect Filtered: 0
On WLC:
Via GUI:
The client connected to the switch got an IP address in VLAN 81.
Via CLI:
(WLC1) >show wgb summary

WGB Vlan Client Support.......................... Enabled
Number of WGBs................................... 1

MAC Address        IP Address       AP Name            Status     WLAN  Auth  Protocol          Clients
-----------------  ---------------  -----------------  ---------  ----  ----  ----------------  -------
58:8d:09:03:e3:1c  10.35.80.110     AP001              Assoc      3     Yes   802.11g           2
(WLC1) >show wgb detail 58:8d:09:03:e3:1c

Number of wired client(s): 2

MAC Address        IP Address       AP Name            Mobility    WLAN  Auth
-----------------  ---------------  -----------------  ----------  ----  ----
c4:34:6b:25:80:c8  10.35.81.32      AP001              Local       3     Yes
38:1c:1a:89:f4:c1  10.35.80.108     AP001              Local       3     Yes
(WLC1) >show client summary
Number of Clients................................ 3
MAC Address        AP Name            Status         WLAN            Auth  Protocol          Port  Wired
-----------------  -----------------  -------------  --------------  ----  ----------------  ----  -----
38:1c:1a:89:f4:c1  AP001              Associated     3               Yes   N/A               1     N/A
58:8d:09:03:e3:1c  AP001              Associated     3               Yes   802.11g           1     N/A
c4:34:6b:25:80:c8  AP001              Associated     3               Yes   N/A               1     N/A
(WLC1) >show client detail 58:8d:09:03:e3:1c   --> My WGB
Client MAC Address............................... 58:8d:09:03:e3:1c
Client Username ................................. N/A
AP MAC Address................................... 00:22:bd:98:3a:30
AP Name.......................................... AP001
Client State..................................... Associated
Client NAC OOB State............................. Access
Workgroup Bridge................................. 2 client(s)
Wireless LAN Id.................................. 3
BSSID............................................ 00:22:bd:98:3a:32
Connected For ................................... 900 secs
Channel.......................................... 1
IP Address....................................... 10.35.80.110
Association Id................................... 1
Authentication Algorithm......................... Open System
Reason Code...................................... 1
Status Code...................................... 0
Session Timeout.................................. 0
Client CCX version............................... 5
Client E2E version............................... No E2E support
Diagnostics Capability........................... Not Supported
S69 Capability................................... Not Supported
QoS Level........................................ Silver
802.1P Priority Tag.............................. disabled
WMM Support...................................... Enabled
Power Save....................................... OFF
Current Rate..................................... 54.0
Supported Rates.................................. 1.0,2.0,5.5,11.0,6.0,9.0,
    ............................................. 12.0,18.0,24.0,36.0,48.0,
    ............................................. 54.0
Mobility State................................... Local
Mobility Move Count.............................. 0
Security Policy Completed........................ Yes
Policy Manager State............................. RUN
Policy Manager Rule Created...................... Yes
ACL Name......................................... none
ACL Applied Status............................... Unavailable
Policy Type...................................... WPA2
Authentication Key Management.................... PSK
Encryption Cipher................................ CCMP (AES)
Management Frame Protection...................... Yes
EAP Type......................................... Unknown
Interface........................................ management
VLAN............................................. 80
Quarantine VLAN.................................. 0
Access VLAN...................................... 80
(WLC1) >show client detail 38:1c:1a:89:f4:c1   --> Switch in vlan 80
Client MAC Address............................... 38:1c:1a:89:f4:c1
Client Username ................................. N/A
AP MAC Address................................... 00:22:bd:98:3a:30
AP Name.......................................... AP001
Client State..................................... Associated
Client NAC OOB State............................. Access
Workgroup Bridge Client.......................... WGB: 58:8d:09:03:e3:1c
Wireless LAN Id.................................. 3
BSSID............................................ 00:22:bd:98:3a:32
Connected For ................................... 909 secs
Channel.......................................... 1
IP Address....................................... 10.35.80.108
Association Id................................... 0
Authentication Algorithm......................... Open System
Reason Code...................................... 1
Status Code...................................... 0
Session Timeout.................................. 0
Client CCX version............................... No CCX support
QoS Level........................................ Silver
802.1P Priority Tag.............................. disabled
WMM Support...................................... Disabled
Power Save....................................... OFF
Supported Rates..................................
Mobility State................................... Local
Mobility Move Count.............................. 0
Security Policy Completed........................ Yes
Policy Manager State............................. RUN
Policy Manager Rule Created...................... Yes
ACL Name......................................... none
ACL Applied Status............................... Unavailable
Policy Type...................................... WPA2
Authentication Key Management.................... N/A
Encryption Cipher................................ None
Management Frame Protection...................... No
EAP Type......................................... Unknown
Interface........................................ management
VLAN............................................. 80
Quarantine VLAN.................................. 0
Access VLAN...................................... 0
(WLC1) >show client detail c4:34:6b:25:80:c8   --> Client in VLAN 81
Client MAC Address............................... c4:34:6b:25:80:c8
Client Username ................................. N/A
AP MAC Address................................... 00:22:bd:98:3a:30
AP Name.......................................... AP001
Client State..................................... Associated
Client NAC OOB State............................. Access
Workgroup Bridge Client.......................... WGB: 58:8d:09:03:e3:1c
Wireless LAN Id.................................. 3
BSSID............................................ 00:22:bd:98:3a:32
Connected For ................................... 919 secs
Channel.......................................... 1
IP Address....................................... 10.35.81.32
Association Id................................... 0
Authentication Algorithm......................... Open System
Reason Code...................................... 1
Status Code...................................... 0
Session Timeout.................................. 0
Client CCX version............................... No CCX support
QoS Level........................................ Silver
802.1P Priority Tag.............................. disabled
WMM Support...................................... Disabled
Power Save....................................... OFF
Supported Rates..................................
Mobility State................................... Local
Mobility Move Count.............................. 0
Security Policy Completed........................ Yes
Policy Manager State............................. RUN
Policy Manager Rule Created...................... Yes
ACL Name......................................... none
ACL Applied Status............................... Unavailable
Policy Type...................................... WPA2
Authentication Key Management.................... N/A
Encryption Cipher................................ None
Management Frame Protection...................... No
EAP Type......................................... Unknown
Interface........................................ coding
VLAN............................................. 81
Quarantine VLAN.................................. 0
Access VLAN...................................... 81
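MAC filtering is not supported for wired clients behind a WGB, so a useful routine check is to compare the wired-client table from show wgb detail against an approved inventory and the expected subnets. This is an added example, not part of the original post: the function names and the approved MAC-to-VLAN table are hypothetical, and the /24 mask for VLAN 81 is assumed from the client address shown above.

```python
import ipaddress
import re

# VLAN 80 subnet is the DHCP pool from the core switch; VLAN 81 /24 is assumed.
VLAN_SUBNETS = {80: ipaddress.ip_network("10.35.80.0/24"),
                81: ipaddress.ip_network("10.35.81.0/24")}
MAX_WGB_CLIENTS = 20   # WGB client limit stated in this post
ROW = re.compile(r"^((?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+(\d{1,3}(?:\.\d{1,3}){3})\s", re.I)

# Wired-client rows as printed by "show wgb detail" in the lab above.
SAMPLE = """\
Number of wired client(s): 2
MAC Address        IP Address       AP Name  Mobility  WLAN  Auth
c4:34:6b:25:80:c8  10.35.81.32      AP001    Local     3     Yes
38:1c:1a:89:f4:c1  10.35.80.108     AP001    Local     3     Yes
"""
# Constructed inventory: which wired MAC is expected in which VLAN.
APPROVED = {"c4:34:6b:25:80:c8": 81, "38:1c:1a:89:f4:c1": 80}

def parse_wired_clients(text):
    """Return {mac: ip_address} for every client row in the CLI output."""
    clients = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            clients[m.group(1).lower()] = ipaddress.ip_address(m.group(2))
    return clients

def audit(text, approved):
    """Compare the WGB's wired clients with the inventory; return findings."""
    findings = []
    clients = parse_wired_clients(text)
    if len(clients) > MAX_WGB_CLIENTS:
        findings.append(f"{len(clients)} wired clients exceeds the limit of {MAX_WGB_CLIENTS}")
    for mac, ip in clients.items():
        vlan = approved.get(mac)
        if vlan is None:
            findings.append(f"{mac}: not in approved inventory (ip {ip})")
        elif ip not in VLAN_SUBNETS[vlan]:
            findings.append(f"{mac}: expected VLAN {vlan} but ip {ip} is outside {VLAN_SUBNETS[vlan]}")
    for mac in sorted(approved.keys() - clients.keys()):
        findings.append(f"{mac}: approved but not currently behind the WGB")
    return sorted(findings)

if __name__ == "__main__":
    print(audit(SAMPLE, APPROVED) or "no findings")
```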
Configuring a specific client VLAN:
If the wired devices connected to the WGB's Ethernet port should all be assigned to a specific VLAN, we can configure a VLAN for the connected devices by using this command on the WGB:
WGB(config)# workgroup-bridge client-vlan vlan-id
All the devices connected to the Workgroup Bridge’s Ethernet port are assigned to that VLAN.
That’s all for today 🙂