Lightweight Access Point Configuration Guide, Cisco IOS XE Release 3SE (Catalyst 3850 Switches)
Using Cisco Workgroup Bridges

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

Prerequisites for Cisco Workgroup Bridges

  • The workgroup bridge (WGB) can be any autonomous access point that supports the workgroup bridge mode and is running Cisco IOS Release 12.4(3g)JA or later releases (on 32-MB access points) or Cisco IOS Release 12.3(8)JEB or later releases (on 16-MB access points). These access points include the AP1120, AP1121, AP1130, AP1231, AP1240, AP1310, AP1040, AP1140, and AP1260. Cisco IOS releases prior to 12.4(3g)JA and 12.3(8)JEB are not supported.

    Note: If your access point has two radios, you can configure only one for workgroup bridge mode. This radio is used to connect to the lightweight access point. We recommend that you disable the second radio.

  • The switch can accommodate non-Cisco WGBs: with the passive client feature enabled, it forwards ARP, DHCP, and data traffic to and from the wired clients behind workgroup bridges. To configure your switch to work with non-Cisco WGBs, you must enable the passive client feature so that all traffic from the wired clients is routed through the WGB to the access point. To enable support for non-Cisco WGBs, enter the following commands:
    • configure terminal—Enter the global configuration mode.
    • wlan wlan_id—Configures the wireless LAN network.
    • wgb non-cisco—Configures non-Cisco WGB support.
  • Enable the workgroup bridge mode on the WGB as follows:
    • On the WGB access point GUI, choose Workgroup Bridge for the role in radio network on the Settings > Network Interfaces page.
    • On the WGB access point CLI, enter the station-role workgroup-bridge command.

      Note: See the sample WGB access point configuration in the WGB Configuration Example section.

  • These features are supported for use with a WGB:
    • Guest N+1 redundancy
    • Local EAP
    • Open, WEP 40, WEP 128, CKIP, WPA+TKIP, WPA2+AES, LEAP, EAP-FAST, and EAP-TLS authentication modes
  • The WGB supports a maximum of 20 wired clients. If you have more than 20 wired clients, use a bridge or another device.
  • If a wired client does not send traffic for an extended period of time, the WGB removes the client from its bridge table, even if traffic is continuously being sent to the wired client. As a result, the traffic flow to the wired client fails. To avoid the traffic loss, prevent the wired client from being removed from the bridge table by configuring the aging-out timer on the WGB to a large value using the following Cisco IOS commands on the WGB:
    
    configure terminal
    bridge bridge-group-number aging-time seconds
    exit
    end
    
    
    where bridge-group-number is from 1 to 255, and seconds is from 10 to 1,000,000 seconds. We recommend that you configure the seconds parameter to a value that is greater than the wired client’s idle period.
  • When you delete a WGB record from the switch, all of the WGB wired clients’ records are also deleted.
  • Wired clients that are connected to a WGB inherit the WGB’s Quality of Service (QoS) and AAA override attributes.
  • To enable the WGB to communicate with the lightweight access point, create a WLAN and make sure that Aironet IE is enabled by entering the following commands:
    • configure terminal—Enters the global configuration mode.
    • wlan wlan_id—Configures the wireless LAN network.
    • ccx aironet-iesupport—Configures support for Aironet IE on WLAN.
  • You must enable the passive client functionality for all non-Cisco workgroup bridges.

Restrictions for Cisco Workgroup Bridges

  • The WGB can associate only to lightweight access points.
  • Only WGBs in client mode (which is the default value) are supported. Those WGBs in infrastructure mode are not supported. Perform one of the following to enable client mode on the WGB:
    • On the WGB access point GUI, choose Disabled for the Reliable Multicast to WGB parameter.
    • On the WGB access point CLI, enter the no infrastructure client command.

      Note: VLANs are not supported for use with WGBs.

      Note: See the sample WGB access point configuration in the WGB Configuration Example section.

  • These features are not supported for use with a WGB:
    • Cisco Centralized Key Management (CCKM)
    • Idle timeout
    • Web authentication

      Note: If a WGB associates to a web-authentication WLAN, the WGB is added to the exclusion list, and all of the WGB wired clients are deleted.

  • Wired clients connected to the WGB are not authenticated for security. Instead, the WGB is authenticated against the access point to which it associates. Therefore, we recommend that you physically secure the wired side of the WGB.
  • With Layer 3 roaming, if you plug a wired client into the WGB network after the WGB has roamed to another switch (for example, to a foreign switch), the wired client’s IP address displays only on the anchor switch, not on the foreign switch.
  • These features are not supported for wired clients connected to a WGB:
    • MAC filtering
    • Link tests
    • Idle timeout
  • Wired clients behind a WGB cannot connect to a DMZ/Anchor switch. To enable wired clients behind a WGB to connect to an anchor switch in a DMZ, you must enable VLANs in the WGB using the config wgb vlan enable command.
  • The following restrictions apply to non-Cisco WGB:
    • Only Layer 2 roaming is supported for WGB devices.
    • Layer 3 security (web authentication) is not supported for WGB clients.
    • Visibility of wired hosts behind a WGB on a switch is not supported because the non-Cisco WGB device performs MAC hiding. Cisco WGB supports IAPP.
    • ARP poisoning detection does not work on a WLAN when the flag is enabled.
    • VLAN select is not supported for WGB clients.
    • Some third-party WGBs need to operate in non-DHCP relay mode. If problems occur with the DHCP assignment on devices behind the non-Cisco WGB, use the config dhcp proxy disable and config dhcp proxy disable bootp-broadcast disable commands. The default state is DHCP proxy enabled. The best combination depends on the third-party characteristics and configuration.
  • When a WGB wired client leaves a multicast group, the downstream multicast traffic to other WGB wired clients is interrupted briefly.
  • If you have clients that use PC virtualization software like VMware, you must enable this feature.

    Note: We have tested multiple third-party devices for compatibility but cannot ensure that all non-Cisco devices work. Support for any interaction or configuration details on the third-party device should be discussed with the device manufacturer.

Information About Cisco Workgroup Bridges and Non-Cisco Workgroup Bridges

A WGB is a mode that can be configured on an autonomous Cisco IOS access point to provide wireless connectivity to a lightweight access point on behalf of clients that are connected by Ethernet to the WGB access point. A WGB connects a wired network over a single wireless segment by learning the MAC addresses of its wired clients on the Ethernet interface and reporting them to the lightweight access point using Internet Access Point Protocol (IAPP) messaging. The WGB provides wireless access connectivity to wired clients by establishing a single wireless connection to the lightweight access point.

When a Cisco WGB is used, the WGB informs the access points of all the clients that it is associated with. The switch is aware of the clients that are associated with the access point. When non-Cisco WGBs are used, the switch has no information about the IP address of the clients on the wired segment behind the WGB. Without this information, the switch drops the following types of messages:

  • ARP REQ from the distribution system for the WGB client.
  • ARP RPLY from the WGB client.
  • DHCP REQ from the WGB client.
  • DHCP RPLY for the WGB client.

Monitoring the Status of Workgroup Bridges


Note: The procedure to perform this task using the switch GUI is not currently available.

SUMMARY STEPS

    1.    enable

    2.    show wireless wgb summary

    3.    show wireless wgb mac-address wgb_mac_address detail


DETAILED STEPS

    Step 1    enable
              Purpose: Enters privileged EXEC mode.
              Example: Switch# enable

    Step 2    show wireless wgb summary
              Purpose: Displays the WGBs on your network.
              Example: Switch# show wireless wgb summary

    Step 3    show wireless wgb mac-address wgb_mac_address detail
              Purpose: Displays the details of any wired clients that are connected to a particular WGB.
              Example: Switch# show wireless wgb mac-address 00:0d:ed:dd:25:82 detail

Debugging WGB Issues (CLI)

Note: The procedure to perform this task using the switch GUI is not currently available.

SUMMARY STEPS

    1.    enable

    2.    debug iapp all

    3.    debug iapp error

    4.    debug iapp packet

    5.    debug mobility handoff [switch switch_number]

    6.    debug dhcp

    7.    debug dot11 mobile

    8.    debug dot11 state

DETAILED STEPS

    Step 1    enable
              Purpose: Enters privileged EXEC mode.
              Example: Switch# enable

    Step 2    debug iapp all
              Purpose: Enables debugging for IAPP messages.
              Example: Switch# debug iapp all

    Step 3    debug iapp error
              Purpose: Enables debugging for IAPP error events.
              Example: Switch# debug iapp error

    Step 4    debug iapp packet
              Purpose: Enables debugging for IAPP packets.
              Example: Switch# debug iapp packet

    Step 5    debug mobility handoff [switch switch_number]
              Purpose: Enables debugging for any roaming issues.
              Example: Switch# debug mobility handoff

    Step 6    debug dhcp
              Purpose: Debugs an IP assignment issue when DHCP is used.
              Example: Switch# debug dhcp

    Step 7    debug dot11 mobile
              Purpose: Enables dot11/mobile debugging. Use it to debug an IP assignment issue when static IP is used.
              Example: Switch# debug dot11 mobile

    Step 8    debug dot11 state
              Purpose: Enables dot11/state debugging. Use it to debug an IP assignment issue when static IP is used.
              Example: Switch# debug dot11 state

Configuration Examples for Configuring Workgroup Bridges

WGB Configuration: Example

This example shows how to configure a WGB access point using static WEP with a 40-bit WEP key:

    Switch# configure terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    Switch(config)# dot11 ssid WGB_with_static_WEP
    Switch(config-ssid)# authentication open
    Switch(config-ssid)# guest-mode
    Switch(config-ssid)# exit
    Switch(config)# interface dot11Radio 0
    Switch(config-if)# station-role workgroup-bridge
    Switch(config-if)# encry mode wep 40
    Switch(config-if)# encry key 1 size 40 0 1234567890
    Switch(config-if)# ssid WGB_with_static_WEP
    Switch(config-if)# end
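
The check below is an added example, not part of the Cisco guide: a small Python lint that reads a WGB configuration session such as the one above and reports the settings a reviewer would question before deployment (static WEP, a 40-bit key, a key stored in the clear, open authentication with no key management), given that WPA2+AES is listed earlier on this page as a supported WGB mode. The function name, the finding identifiers, the reading of the `0` before the key as "unencrypted key follows", and the two `authentication` commands used to recognize WPA/EAP are assumptions of this example.

```python
import re

# The WGB example session from this page, embedded as sample input.
PAGE_EXAMPLE = """\
Switch(config)# dot11 ssid WGB_with_static_WEP
Switch(config-ssid)# authentication open
Switch(config-ssid)# guest-mode
Switch(config-ssid)# exit
Switch(config)# interface dot11Radio 0
Switch(config-if)# station-role workgroup-bridge
Switch(config-if)# encry mode wep 40
Switch(config-if)# encry key 1 size 40 0 1234567890
Switch(config-if)# ssid WGB_with_static_WEP
Switch(config-if)# end
"""

PROMPT = re.compile(r"^\S+?(\(config[^)]*\))?#\s*")  # "Switch(config-if)# "
# IOS accepts unambiguous abbreviations, so match any word starting "encry".
WEP_MODE = re.compile(r"^encry\w*\s+mode\s+wep\b", re.I)
KEY = re.compile(r"^(encry\w*\s+key\s+\d+\s+size\s+(\S+)\s+(\d)\s+)\S+", re.I)
OPEN_AUTH = re.compile(r"^authentication\s+open$", re.I)
# Assumption: these autonomous-AP commands (not shown on the page) mark WPA/EAP use.
KEY_MGMT = re.compile(r"^authentication\s+(key-management|network-eap)\b", re.I)

def audit_wgb_config(text):
    """Return sorted (line_no, redacted_command, finding_id) tuples."""
    findings, open_auth, key_mgmt = [], None, False
    for n, raw in enumerate(text.splitlines(), 1):
        cmd = " ".join(PROMPT.sub("", raw.strip()).split())
        if OPEN_AUTH.match(cmd):
            open_auth = (n, cmd)
        if KEY_MGMT.match(cmd):
            key_mgmt = True
        if WEP_MODE.match(cmd):
            findings.append((n, cmd, "wep-mode"))
        m = KEY.match(cmd)
        if m:
            redacted = m.group(1) + "<redacted>"  # never echo key material
            if m.group(2).startswith("40"):
                findings.append((n, redacted, "wep-40-bit-key"))
            if m.group(3) == "0":  # assumption: 0 = unencrypted key follows
                findings.append((n, redacted, "cleartext-key-in-config"))
    if open_auth and not key_mgmt:
        findings.append((*open_auth, "open-auth-without-key-management"))
    return sorted(findings)

if __name__ == "__main__":
    for line_no, command, finding in audit_wgb_config(PAGE_EXAMPLE):
        print(f"line {line_no}: {finding}: {command}")
```

Line numbers in the findings refer to the text passed in, and the key value is redacted so the report can be shared without leaking it.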
      
      
      

Verify that the WGB is associated to an access point by entering this command on the WGB:

    show dot11 associations

Information similar to the following appears:

    Switch# show dot11 associations
    802.11 Client Stations on Dot11Radio0:
    SSID [FCVTESTING] :
    MAC Address    IP address      Device        Name            Parent         State
    000b.8581.6aee 10.11.12.1      WGB-client    map1            -              Assoc
    ap#