Cisco Aironet 3600 Series

Access Point as a Workgroup Bridge Configuration Example

Document ID: 68472

Updated: May 14, 2014

Contributed by Ishaan Sanji, Cisco TAC Engineer.



This document provides a sample configuration that configures an access point (AP) to function as a workgroup bridge (WGB) with use of the GUI and the CLI.



Cisco recommends that you have knowledge of these topics:

  • Configuration of basic parameters on Cisco standalone APs
  • Basic wireless concepts

Components Used

The information in this document is based on these software and hardware versions:

  • Cisco Aironet 3600 Series AP that runs Cisco IOS® Software Release 15.2(4)JB4 as a workgroup bridge
  • Cisco Aironet 1260 Series AP that runs Cisco IOS Software Release 15.2(4)JB4 as a root access point

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Background Information

A WGB can provide a wireless infrastructure connection for Ethernet-enabled devices. Devices that do not have a wireless client adapter in order to connect to the wireless network can be connected to the WGB through the Ethernet port. The WGB connects up to eight Ethernet-enabled devices to a Wireless LAN (WLAN). The WGB associates to the root AP through the wireless interface. In this way, wired clients obtain access to the wireless network. A WGB can associate to:

  • An AP

  • A bridge (in AP mode)

  • A controller through a lightweight AP

  • An AP in repeater mode (if the repeater is associated with a root AP)

In WGB mode, the unit associates to another AP as a client. The unit provides a network connection for the devices that are connected to its Ethernet port. Some of the typical usage scenarios for a WGB are:

  • A single printer connected to WGB

  • A network extension for multiple devices that are physically separated from the main network

  • In the manufacturing sector where it is not feasible to deploy wires and there is a requirement for less roaming and high reliability

  • On vehicles such as buses and trains in order to provide uplink access

The WGB associates to an AP on the network. An AP in WGB mode can associate only to an Aironet AP or bridge (in AP mode). The AP to which a WGB associates can treat the WGB as an infrastructure device or as a simple client device. By default, APs and bridges treat WGBs as client devices. For increased reliability, you can configure APs and bridges to treat WGBs, not as client devices, but as infrastructure devices, like APs or bridges. When these devices treat a WGB as an infrastructure device, the AP reliably delivers multicast packets, which include Address Resolution Protocol (ARP) packets, to the WGB. In order to configure APs and bridges to treat WGBs as infrastructure devices, perform one of these two options on your root AP:

  • CLI - Issue the infrastructure-client configuration command under the radio interface on the AP.

  • GUI - Navigate to Network > Network Interface > Choose the correct interface > Settings and enable reliable multicast.

If you configure APs and bridges to treat a WGB as a client device, you allow more WGBs to associate to the same AP, or to associate with the use of a Service Set Identifier (SSID) that is not an infrastructure SSID. The performance cost of reliable multicast delivery, in which a duplicate of each multicast packet is sent to each WGB, limits the number of infrastructure devices (which includes WGBs) that can associate to an AP or bridge. In order to increase the number of WGBs that can associate to the AP beyond 20, the AP must reduce the delivery reliability of multicast packets to WGBs. With reduced reliability, the AP cannot confirm whether multicast packets reach the intended WGB, so WGBs at the edge of the AP coverage area can lose IP connectivity.


Network Diagram


This setup uses two APs, with a 1262 AP that acts as a root AP and a 3602 AP configured as a Workgroup bridge. It uses an open SSID called wgb for the WGB to associate to the root AP. Wireless clients are associated to the root AP. Wired clients connect through a switch to the AP that is configured as a WGB.

Configure the Workgroup Bridge

GUI Instructions

  1. In order to create the SSID on the WGB, navigate to Security > SSID Manager.

    Make sure to choose the correct radio interface that is used to associate with the root AP.

  2. Convert the AP into a workgroup bridge from the default mode of the root AP. In order to do this, navigate to Network > Network Interface > Choose the correct radio interface > Settings. Choose the role in the radio network to be the Workgroup Bridge.

CLI Instructions

  1. In order to configure the SSID, enter:

    wgb(config)#dot11 ssid wgb
    wgb(config-ssid)#authentication open

  2. In order to change the station role to workgroup bridge under the correct radio interface, enter:

    wgb(config)#interface dot11Radio 0
    wgb(config-if)#station-role workgroup-bridge

Configure the Root AP

GUI Instructions

  1. In order to create the SSID on the root AP, navigate to Security > SSID Manager. This procedure is the same as the one used to create the SSID on the workgroup bridge.

  2. In order to configure the AP role as root, navigate to Network > Network Interface > Choose the correct radio interface > Settings. Choose the role in the radio network to be the AP.

CLI Instructions

  1. In order to configure the SSID, enter:

    root(config)#dot11 ssid wgb
    root(config-ssid)#authentication open
    root(config-ssid)#guest-mode

    The guest-mode command configures the SSID to be broadcast by the root AP.

  2. In order to configure the radio role to be the root and add the SSID under the radio, enter:

    root(config)#interface dot11Radio 0
    root(config-if)#station-role root
    root(config-if)#ssid wgb


In order to look at the clients connected to the root AP, enter the show dot11 associations command. A sample output is shown here:

root#show dot11 associations
802.11 Client Stations on Dot11Radio0:
SSID [wgb] :
MAC Address   IP address   address Device     Name Parent          State
4c00.82df.c1ad   ::     WGB         wgb   self            Assoc  <-WGB
68bc.0c5a.df01   ::     WGB-client   -    4c00.82df.c1ad  Assoc  <-Wired client entry
6c41.6a78.d832   ::     WGB-client   -    4c00.82df.c1ad  Assoc  <-Wired client entry

In order to verify the parent that the WGB connects to, enter the show dot11 associations command:

wgb#show dot11 associations

802.11 Client Stations on Dot11Radio0:
SSID [wgb] :
MAC Address      IP address      address Device       Name    Parent     State
ccd5.39e3.b260   ::     ap1260-Parent  root         -        Assoc

There can be times when, even though the wired client is shown as associated, you are not able to pass traffic to it. This could be because the WGB has removed the client entry from its forwarding table, which can happen if the wired client does not send any traffic for the timeout period. You can find the list of active clients with the show bridge command:

wgb#show bridge
Total of 300 station blocks, 292 free
Codes: P - permanent, S - self
Bridge Group 1:
Address         Action    Interface Age RX count TX count
68bc.0c5a.df01 forward    Vi0        0     43       20
6c41.6a78.d832 forward    Vi0        0     29       12
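
The check described above can be scripted. This is an added example, not part of the original Cisco document: it compares the WGB-client entries in the root AP's show dot11 associations output with the WGB's show bridge table and reports clients that are still associated but have no forwarding entry. The function names are hypothetical and the show bridge sample is constructed so that one client has aged out.

```python
import re

MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"

# Root AP output as shown on this page (annotations removed).
ROOT_ASSOC = """\
802.11 Client Stations on Dot11Radio0:
SSID [wgb] :
4c00.82df.c1ad   ::     WGB         wgb   self            Assoc
68bc.0c5a.df01   ::     WGB-client   -    4c00.82df.c1ad  Assoc
6c41.6a78.d832   ::     WGB-client   -    4c00.82df.c1ad  Assoc
"""

# Constructed 'show bridge' output: 6c41.6a78.d832 has aged out of the table.
WGB_BRIDGE = """\
Bridge Group 1:
Address         Action    Interface Age RX count TX count
68bc.0c5a.df01 forward    Vi0        0     43       20
"""

def wgb_clients(assoc_output, wgb_mac):
    """Wired clients the root AP lists behind the WGB with MAC wgb_mac."""
    pattern = re.compile(
        rf"^\s*({MAC})\s.*\bWGB-client\b.*?({MAC})\s+Assoc", re.I | re.M)
    return {m.group(1).lower() for m in pattern.finditer(assoc_output)
            if m.group(2).lower() == wgb_mac.lower()}

def forwarding_macs(bridge_output):
    """MACs that have a 'forward' entry in the WGB bridge table."""
    return {m.group(1).lower() for m in
            re.finditer(rf"^\s*({MAC})\s+forward\b", bridge_output, re.I | re.M)}

def stale_clients(assoc_output, bridge_output, wgb_mac):
    """Clients still 'Assoc' on the root AP but absent from the WGB table."""
    return sorted(wgb_clients(assoc_output, wgb_mac)
                  - forwarding_macs(bridge_output))

if __name__ == "__main__":
    for mac in stale_clients(ROOT_ASSOC, WGB_BRIDGE, "4c00.82df.c1ad"):
        print(f"{mac}: associated on root AP, no forwarding entry on WGB")
```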


This section provides information you can use to troubleshoot your configuration. Complete these checks if the WGB does not associate to the AP.

  • Check if the configurations match between the AP and the WGB. Make sure SSID, Security settings, and Data Rates match between them.

  • Make sure that the Radio Frequency (RF) environment between the AP and the WGB is free from interference. Refer to the RF Impairments section of Troubleshooting Problems Affecting Radio Frequency Communication for more information.

The debug dot11 dot11Radio 0 trace print uplink command is useful on the WGB. This command takes you through the join process of a WGB: scanning (if there are multiple parents), the selection process for the parent, association, and the dot1x/PSK authentication phase (if configured). Here is some sample output:

*Aug 3 09:33:10.607: 16ED71A7-0 Uplink: Stop
*Aug 3 09:33:11.611: 16FCBED3-0 Interface up
*Aug 3 09:33:11.627: 16FCDDCE-0 Uplink: Wait for driver to stop
*Aug 3 09:33:11.627: 16FCDE3D-0 Uplink: Enabling active scan
*Aug 3 09:33:11.627: 16FCDE42-0 Uplink: Not busy, scan all channels
*Aug 3 09:33:11.627: 16FCDE46-0 Uplink: Scanning
*Aug 3 09:33:11.639: 16FD2D1B-0 Uplink: Rcvd response from ccd5.39e3.b260 channel 7 2615
*Aug 3 09:33:11.919: 17017B61-0 Uplink: no rsnie or ssnie chk
*Aug 3 09:33:11.919: 17017B6B-0 Uplink: ssid wgb auth open
*Aug 3 09:33:11.919: 17017B6F-0 Uplink: try ccd5.39e3.b260, enc 0 key 0, priv 0, eap 0
*Aug 3 09:33:11.919: 17017B76-0 Uplink: Authenticating
*Aug 3 09:33:11.923: 1701835E-0 Uplink: Associating
*Aug 3 09:33:11.939: %DOT11-4-UPLINK_ESTABLISHED: Interface Dot11Radio0, Associated To AP root ccd5.39e3.b260 [None]
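
The trace above also records how the uplink was secured and which parent was chosen. The following is an added example, not part of the original Cisco document: it parses the uplink trace, reports the parent the WGB joined, and flags an uplink that came up with open authentication and no encryption, or a parent that is not on an expected list. The function name and the expected-parent list are hypothetical, and the reading of a 0 in the enc/key/priv/eap fields as "not in use" is an assumption.

```python
import re

# Uplink trace lines as shown on this page.
TRACE = """\
*Aug 3 09:33:11.919: 17017B6B-0 Uplink: ssid wgb auth open
*Aug 3 09:33:11.919: 17017B6F-0 Uplink: try ccd5.39e3.b260, enc 0 key 0, priv 0, eap 0
*Aug 3 09:33:11.939: %DOT11-4-UPLINK_ESTABLISHED: Interface Dot11Radio0, Associated To AP root ccd5.39e3.b260 [None]
"""

SSID_RE = re.compile(r"Uplink: ssid (\S+) auth (\S+)")
TRY_RE = re.compile(r"Uplink: try (\S+), enc (\d+) key (\d+), priv (\d+), eap (\d+)")
UP_RE = re.compile(r"UPLINK_ESTABLISHED: Interface (\S+), "
                   r"Associated To AP (\S+) (\S+) \[([^\]]*)\]")

def audit_uplink(trace, expected_parents):
    """Summarise how the WGB joined and list findings worth reviewing."""
    info = {"ssid": None, "auth": None, "parent": None, "key_mgmt": None}
    flags = {}
    for line in trace.splitlines():
        if m := SSID_RE.search(line):
            info["ssid"], info["auth"] = m.groups()
        elif m := TRY_RE.search(line):
            # Assumption: a 0 in enc/key/priv/eap means the feature is not in use.
            flags = dict(zip(("enc", "key", "priv", "eap"),
                             map(int, m.groups()[1:])))
        elif m := UP_RE.search(line):
            info["parent"], info["key_mgmt"] = m.group(3).lower(), m.group(4)
    findings = []
    if info["parent"] is None:
        findings.append("no UPLINK_ESTABLISHED message in trace")
    elif info["parent"] not in {p.lower() for p in expected_parents}:
        findings.append(f"parent {info['parent']} is not an expected root AP")
    if info["auth"] == "open" and flags and not any(flags.values()):
        findings.append(f"ssid {info['ssid']}: open authentication, no encryption or EAP")
    info["findings"] = findings
    return info

if __name__ == "__main__":
    print(audit_uplink(TRACE, {"ccd5.39e3.b260"}))
```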