This document provides an example for the configuration of Cisco
Autonomous IOS® access points to operate in
Workgroup Bridge (WGB) mode and connect to a Cisco Unified wireless network.
Ensure that you meet these requirements before you attempt this
The information in this document is based on these software and
Cisco 1231G AP that runs Cisco IOS Software Release 12.3
Cisco 4400 WLC that runs version 4.2
Cisco 1130 series Light Weight AP
The WGB can be any Cisco Autonomous Access Point that supports the
Workgroup Bridge mode and runs Cisco IOS Software Release 12.4(3g)JA or later
(on 32-MB access points) or Cisco IOS Software Release 12.3(8)JEB or later (on
16-MB access points). These access points include the AP1120, AP1121, AP1130,
AP1231, AP1240, and AP1310. Cisco IOS software releases prior to Cisco IOS
Software Releases 12.4(3g)JA and 12.3(8)JEB are not supported.
On the wireless LAN controller, you should have software version
184.108.40.206 or later. The Workgroup Bridge mode is not supported on the
controller on any of the earlier versions.
There are various guidelines that must be completed and limitations
that need to be understood before you use workgroup bridges in a lightweight
environment. Refer to
for Using Workgroup Bridges in a Lightweight Environment for more
Refer to the
Technical Tips Conventions for more information on document
You can configure an access point to operate as a workgroup bridge so
that it can provide wireless connectivity to a lightweight access point on
behalf of clients that are connected by Ethernet to the workgroup bridge access
point. When you configure the access point to operate as a workgroup bridge and
connect to a Cisco Unified network, it can provide wireless connectivity to
wired clients that are connected by Ethernet to the workgroup bridge access
point. For example, if you need to provide wireless connectivity for a group of
wired devices, you can connect the devices to a hub or to a switch, connect the
hub or switch to the access point Ethernet port, and configure the access point
as a workgroup bridge.
A workgroup bridge connects to a wired network over a single wireless
segment by learning the MAC address of its wired clients on the Ethernet
interface and reporting them to the lightweight access point using Internet
Access Point Protocol (IAPP) messaging. The workgroup bridge provides wireless
access connectivity to wired clients by establishing a single connection to the
lightweight access point. The lightweight access point treats the workgroup
bridge as a wireless client.
If your access point has two radios, either the 2.4-GHz radio or the
5-GHz radio can function in workgroup bridge mode. When you configure one radio
interface as a workgroup bridge, the other radio interface remains up.
The controller might not be able to see passive clients behind a WGB.
Clients (such as cameras and programmable logic devices) do not initiate a
traffic stream unless they are connected. Complete these steps in order avoid
Add a static MAC filter entry for the passive WGB device and MAC
filter entry for the devices that are behind it.
Use this command in order to enable MAC filtering on the WLAN along
with aaa override:
config macfilter ipaddress
Add a static entry on the WGB IOS-based device: bridge 1
addressxxxx.xxxx.xxxx forward FastEthernet0
Note: In addition, increase the dot11 activity timer.
Add a static ARP entry on the L3 router:
hostname(config)#arp <ip addr> <mac addr>
This feature allows the controller to learn the IP address of a passive
WGB wired client when the WGB sends an IAPP message to the controller that
contains only the MAC address of the WGB wired client. When this message is
received from the WGB, the controller checks the local MAC filter list or, if
the WGB has roamed, the MAC filter list of the anchor controller for the MAC
address of the client. If an entry is found and it contains an IP address for
the client, the controller adds the client to the client table of the
Unlike the existing MAC filtering feature for wireless clients, you are
not required to enable MAC filtering on the WLAN for WGB wired clients. WGB
wired clients that use MAC filtering do not need to obtain an IP address
through DHCP to be added to the client table of the controller.
In this example, the 1231 Autonomous Access Point is configured as a
workgroup bridge and connects to the LWAPP network. Use the SSID
WGB_LWAPP for the connection to the WLAN and use the Open
authentication with WEP for the authentication of the WGB to the LWAPP network.
Note: Open authentication with WEP is NOT a secure method for
authenticating devices. Cisco recommends that you use advanced authentication
methods, such as WPA+TKIP, WPA2+AES, EAP-FAST, and EAP-TLS authentication, in
order to secure the WLAN. WGB supports Open, WEP, CKIP, WPA+TKIP, WPA2+AES,
LEAP, EAP-FAST,Local EAP and EAP-TLS authentication modes. This document uses
Open with WEP only for simplicity.
Note: Use the
Command Lookup Tool
(registered customers only)
in order to obtain more
information on the commands used in this section.
This document uses this network setup:
Note: This document assumes that the WLC is configured for basic operation
and that the LAPs are registered to the WLC. Refer to
AP (LAP) Registration to a Wireless LAN Controller (WLC) for more
information on how a new user can set up the WLC for basic operation with
The workgroup bridge can be configured using either the CLI or the GUI.
Complete these steps in order to configure the workgroup bridge with
Complete these steps in order to configure an SSID that the WGB can
use to connect to the LWAPP network:
Choose Security > SSID Manager from the left
The Global SSID Manager page appears.
Enter the SSID name, VLAN ID, and the RADIO interface. This
example uses WGB_LWAPP as the SSID.
In the Client Authentication Settings area, check the
Open Authentication check box.
Leave all other parameters with their default values.
In order to configure the WEP keys, choose Security >
Encryption Manager from the left navigation pane.
The Encryption Manager page appears.
In the Encryption Modes area, click the WEP
Encryption radio button, and choose Mandatory from
the drop-down list.
In the Encryption Keys area, enter the encryption key for WEP.
Note: The WEP encryption keys can be 40 bits or 128 bits in length.
This example uses the 128-bit WEP encryption key 123456789123456789abc.
Click Apply in order to save the
Complete these steps in order to configure the AP as a
Click Network Interfaces in the left navigation
pane in order to browse to the Network Interfaces Summary
Choose the radio interface that you want to configure as a WGB.
This example uses interface Radio0-802.11G. The action allows
you to browse to the Network Interfaces: Radio Status
Click the Settings tab in order to open the
Settings page for the radio interface.
Click the Enable radio button in order to enable
For Role in Radio Network, click the Workgroup
Bridge radio button. This option enables the radio to operate in
Workgroup Bridge mode.
Leave all the other settings on the page with the default
Click Apply in order to save the
Use these commands in order to configure the AP through the
!--- Enter configuration commands, one on each line. End with CNTL/Z.
AP_WGB(config)#dot11 ssid WGB_LWAPP
AP_WGB(config)#interface dot11Radio 0
AP_WGB(config-if)#encryption vlan 2 mode wep mandatory
AP_WGB(config-if)#encryption vlan 2 key 1 size 128bit 12345678912345678912345678
On the wireless LAN controller, create a WLAN that matches the SSID and
security method that was configured on the workgroup bridge. This is the only
configuration required on the controller for the WGB to associate with it.
Note: Aironet IE also needs to be enabled. It is enabled by default with a
Complete these steps in order to configure a WLAN on the
Click WLANs from the controller GUI in order to
create a WLAN. The WLANs window appears. This window lists the WLANs configured
on the controller.
Click New in order to configure a new WLAN. In
this example, the WLAN is named
In the WLANs > Edit window, define the parameters specific to
Under General Policies, check the Status check
box in order to enable the WLAN.
Under Security Policies, choose Static WEP from
the Layer 2 Security drop-down list, and specify the WEP parameters within the
Static WEP Parameters area.
Change other parameters depending on the design of the network,
and click Apply.
Once the WLC and the WGB AP are configured, the WGB associates to the
LAP as a client. You can view the status of WGBs on your network with the
From the controller GUI, choose Monitor > Clients
in order to open the Clients page. The WGB field on the right side of the page
indicates whether any of the clients on your network are workgroup
Click the MAC address of the desired client in order to view the
details of the WGB. The Clients > Detail page appears.
In order to see the details of any wired clients that are connected to
a particular WGB, go to the Clients page, hover your cursor over the blue
drop-down arrow for the desired WGB, and choose Show Wired
Clients. The WGB Wired Clients page
From the controller CLI, you can use this command in order to view the
list of WGBs connected to the network:
show wgb summary
Here is an example:
(Cisco Controller) >show wgb summary
Number of WGBs................................... 1
MAC Address IP Address AP Name Status WLAN Auth Protocol Clients
----------------- --------------- ----------------- --------- ---- ---- -------- -------
00:12:7f:63:e6:ca 10.77.244.215 ap:51:5a:e0 Assoc 2 Yes 802.11g 2
Enter this command in order to see the details of any wired clients
that are connected to a particular WGB:
show wgb detail wgb_mac_address
Here is an example:
(Cisco Controller) >show wgb detail 00:12:7f:63:e6:ca
Number of wired client(s): 2
MAC Address IP Address AP Name Mobility WLAN Auth
----------------- --------------- ----------------- ---------- ---- ----
00:0b:85:5b:fb:d0 Unknown ap:51:5a:e0 Local 2 No
00:0b:85:51:5a:e0 Unknown ap:51:5a:e0 Local 2 No
A common problem has been observed mainly with the Cisco IOS-Based
workgroup bridge. When a wired client does not send traffic for an extended
period of time, the WGB removes the client from its bridge table, even if the
traffic is continuously being sent to the wired client. As a result, the
traffic flow to the wired client fails. In order to avoid the traffic loss and
removal of the wired client from the bridge table, use this command in order to
configure the aging-out timer on the WGB to a large value:
aging-time <seconds>, where
value between 1 and 255 and
is a value between 10
and 1,000,000 seconds. Cisco recommends that you configure the seconds
parameter to a value greater than the idle period of the wired client.
Note: This can be particularly helpful if you have devices such as a
printer that sits idle for a long period of time.