Mesh and WGB Multiple VLAN Support Configuration Example

Document ID: 115752

Updated: Feb 19, 2013

Contributed by Surendra BG, Cisco TAC Engineer.

Introduction

This document provides a sample configuration for Mesh and Workgroup Bridge (WGB) multiple VLAN support with open authentication (Open Auth) and with Lightweight Extensible Authentication Protocol (LEAP).

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

This document is not restricted to specific software and hardware versions.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

Refer to the Cisco Technical Tips Conventions for more information on document conventions.

Configure

In this section, you are presented with the information to configure the features described in this document.

Note: Use the Command Lookup Tool (registered customers only) to obtain more information on the commands used in this section.

Network Diagram

This document uses this network setup, which shows how to achieve multiple VLAN support on the switch behind the WGB with Open Auth. LEAP is added at the end.

The topology is:

DHCP server — Switch — Wireless LAN Controller (WLC) — Root Access Point (RAP) (Mesh) )))) ((((( WGB — Switch

  • The Dynamic Host Configuration Protocol (DHCP) server is configured for VLAN 50 and 100.

  • The WLC has the dynamic interfaces created for VLAN 50 and 100.

  • The WGB has sub-interfaces for required VLANs — 50 and 100.

  • The switch behind the WGB has required VLANs — 50 and 100.

In the lab setup, VLAN 40 is used for WLC management and on the Mesh RAP, and VLAN 50 is used on the WGB. The clients behind the WGB switch get their IP addresses from VLAN 50 and VLAN 100 over the air, across the WGB and the Mesh RAP.

Note: The same setup also applies to a Local mode access point (AP).

Configurations

This document uses these configurations:

  • WLC WGB

  • Switch

  • LEAP

WLC WGB

On the WLC command-line interface (CLI), enter the config wgb vlan enable command.

On the WGB CLI, enter the workgroup-bridge unified-vlan-client command.

workgroup-bridge unified-vlan-client
dot11 ssid WGB_LWAPP
   vlan 50
   authentication open
   guest-mode
   infrastructure-ssid
end

interface Dot11Radio0
 no ip address
 no ip route-cache
 ssid WGB_LWAPP
 station-role workgroup-bridge
 
interface Dot11Radio0.50
 encapsulation dot1Q 50 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.100
 encapsulation dot1Q 100
 no ip route-cache
 bridge-group 100
 
interface FastEthernet0.50
 encapsulation dot1Q 50 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface FastEthernet0.100
 encapsulation dot1Q 100
 no ip route-cache
 bridge-group 100

interface BVI1

!--- Grab the IP address from VLAN 50 which is across wireless
 
 ip address dhcp  
 no ip route-cache

Switch

The configuration for the switch is:

Switch#sh cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone
 
Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
BGL14-TACLAB-ASW-S8
                 Fas 0/2           150          R S I     WS-C3550- Fas 0/27
SURBG-AP         Fas 0/1           130           T I      AIR-AP124 Fas 0
Switch#
Switch#sh run int fa 0/1
Building configuration...

Current configuration : 127 bytes
!
interface FastEthernet0/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 50
 switchport mode trunk
end

Switch#sh vlan br
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                         
12   VLAN0012                         active
40   VLAN0040                         active
50   VLAN0050                         active
100  VLAN0100                         active
Switch#sh run int vlan 50
Building configuration...
Current configuration : 41 bytes
!
interface Vlan50
 ip address dhcp
end

Switch#sh run int vlan 100
Building configuration...
 
Current configuration : 42 bytes
!
interface Vlan100
 ip address dhcp
end

Switch#sh ip int br | i up
Vlan12                 unassigned      YES DHCP    up                    up
Vlan50                 172.16.1.7      YES DHCP    up                    up
Vlan100                100.0.0.21      YES DHCP    up                    up

In conclusion, the VLAN 50 and VLAN 100 interfaces obtain their IP addresses from the DHCP server, which is behind the switch on the central site, across the wireless link through the Mesh RAP and the WGB.
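An added example (not part of the original document): a Python check that every VLAN on the WGB has a radio and an Ethernet sub-interface with the same bridge-group and native flag, and that the native VLAN matches the `switchport trunk native vlan 50` setting on the switch port. The function names and the embedded sample, which is constructed from the sub-interface stanzas above, are assumptions of this example.

```python
import re

# Constructed sample: the dot1Q sub-interface stanzas of the WGB configuration above.
WGB_CONFIG = """\
interface Dot11Radio0.50
 encapsulation dot1Q 50 native
 bridge-group 1
 bridge-group 1 spanning-disabled
interface Dot11Radio0.100
 encapsulation dot1Q 100
 bridge-group 100
interface FastEthernet0.50
 encapsulation dot1Q 50 native
 bridge-group 1
 bridge-group 1 spanning-disabled
interface FastEthernet0.100
 encapsulation dot1Q 100
 bridge-group 100
"""

# One sub-interface header plus the indented lines that belong to it.
STANZA = re.compile(r"^interface (\S+?)\.\d+[ \t]*\n((?:[ \t]+.*\n?)*)", re.M)

def parse_subinterfaces(config):
    """Map (side, vlan) -> (is_native, bridge_group) for each dot1Q sub-interface."""
    table = {}
    for parent, body in STANZA.findall(config):
        enc = re.search(r"^[ \t]+encapsulation dot1Q (\d+)( native)?", body, re.M)
        grp = re.search(r"^[ \t]+bridge-group (\d+)[ \t]*$", body, re.M)
        if enc:
            side = "radio" if parent.startswith("Dot11Radio") else "wired"
            group = int(grp.group(1)) if grp else None
            table[(side, int(enc.group(1)))] = (bool(enc.group(2)), group)
    return table

def check_vlan_bridging(config, trunk_native_vlan):
    """Return findings; an empty list means radio, Ethernet and trunk agree."""
    table = parse_subinterfaces(config)
    findings = []
    for vlan in sorted({v for _, v in table}):
        radio, wired = table.get(("radio", vlan)), table.get(("wired", vlan))
        if radio is None or wired is None:
            findings.append(f"VLAN {vlan}: no {'radio' if radio is None else 'Ethernet'} sub-interface")
        elif radio != wired:
            findings.append(f"VLAN {vlan}: native flag or bridge-group differs (radio {radio}, Ethernet {wired})")
    natives = sorted({vlan for (_, vlan), (native, _) in table.items() if native})
    if natives != [trunk_native_vlan]:
        findings.append(f"native VLAN(s) {natives} do not match trunk native VLAN {trunk_native_vlan}")
    return findings
```

A native VLAN that differs between the WGB and the switch trunk puts untagged frames into a different VLAN on each side of the link, so run the check with the native VLAN configured on the switch port.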

On the WLC, the correct VLAN is mapped to the correct interfaces.

The VLAN 100 interface obtains its IP address, and the corresponding entry appears on the WLC.

The VLAN 50 interface obtains its IP address, and the corresponding entry appears on the WLC.

LEAP

Configure the WLAN for WPA2 with 802.1X and a local EAP profile.

Ensure the authentication priority on the local Extensible Authentication Protocol (EAP) points to the LOCAL user database.

WGB AP

dot11 ssid WGB_LWAPP
   vlan 50
   authentication open eap eap
   authentication network-eap eap
   authentication key-management wpa version 2
   dot1x credentials wgb
   dot1x eap profile eapfast
   infrastructure-ssid
   no ids mfp client
!

!--- Profile configured -- LEAP

eap profile eapfast                
 method leap
!
!
!

!--- Credentials used by this WGB AP to get auth with WLC (Local net users)

dot1x credentials wgb         
 username cisco123
 password 7 0822455D0A16544541
 

interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers aes-ccm
 !
 encryption vlan 50 mode ciphers aes-ccm
 !
 ssid WGB_LWAPP
 !
 packet retries 128
 station-role workgroup-bridge
!
interface Dot11Radio0.50
 encapsulation dot1Q 50 native
 no ip route-cache
 bridge-group 1
!
interface Dot11Radio0.100
 encapsulation dot1Q 100
 no ip route-cache
 bridge-group 100
 bridge-group 100 spanning-disabled

The client is in the run state with LEAP security.
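An added example (not part of the original document): a Python audit of the two WGB SSID configurations on this page. It follows the SSID's `dot1x eap profile` and `dot1x credentials` references to the stanzas they name and reports an SSID with no key management, an EAP profile whose method is LEAP (the profile here is named `eapfast` although its method is `leap`), and a credential stored as a type 7 string, which is reversible obfuscation rather than a hash. The finding names, function names and the placeholder password string are assumptions of this example.

```python
import re

# Constructed samples based on the two WGB configs above; the type 7 string is a placeholder.
OPEN_CFG = """\
dot11 ssid WGB_LWAPP
   authentication open
   guest-mode
"""
LEAP_CFG = """\
dot11 ssid WGB_LWAPP
   authentication open eap eap
   authentication network-eap eap
   authentication key-management wpa version 2
   dot1x credentials wgb
   dot1x eap profile eapfast
!
eap profile eapfast
 method leap
!
dot1x credentials wgb
 username cisco123
 password 7 PLACEHOLDER
"""

def stanzas(config):
    """Split IOS config text into {top-level line: [indented child lines]}."""
    out, head = {}, None
    for line in config.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue  # blank lines and "!" separators or comments
        if line[0].isspace() and head:
            out[head].append(line.strip())
        else:
            head = line.strip()
            out[head] = []
    return out

def audit_wgb_auth(config):
    """Return sorted finding names for the 'dot11 ssid' stanzas in the config."""
    cfg, findings = stanzas(config), set()
    for head, body in cfg.items():
        if not head.startswith("dot11 ssid "):
            continue
        if not any(l.startswith("authentication key-management") for l in body):
            findings.add("no-key-management")  # open SSID: no WPA/WPA2 key management
        for l in body:
            prof = re.match(r"dot1x eap profile (\S+)", l)
            if prof and "method leap" in cfg.get("eap profile " + prof.group(1), []):
                findings.add("leap-method")  # strength rests on the password alone
            cred = re.match(r"dot1x credentials (\S+)", l)
            if cred and any(c.startswith("password 7 ") for c in cfg.get("dot1x credentials " + cred.group(1), [])):
                findings.add("type7-password")  # reversible obfuscation, not a hash
    return sorted(findings)
```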

Verify

There is currently no verification procedure available for this configuration.

Troubleshoot

There is currently no specific troubleshooting information available for this configuration.
