Document ID: 115752
Updated: Feb 19, 2013
Contributed by Surendra BG, Cisco TAC Engineer.
Introduction
This document provides a sample configuration for Mesh and Workgroup Bridge (WGB) multiple VLAN support with open authentication (Open Auth) and with Lightweight Extensible Authentication Protocol (LEAP).
Prerequisites
Requirements
There are no specific requirements for this document.
Components Used
This document is not restricted to specific software and hardware versions.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Conventions
Refer to the Cisco Technical Tips Conventions for more information on document conventions.
Configure
In this section, you are presented with the information to configure the features described in this document.
Note: Use the Command Lookup Tool (registered customers only) to obtain more information on the commands used in this section.
Network Diagram
This document uses this network setup, which shows how to achieve multiple VLAN support on the switch behind the WGB with Open Auth. LEAP is added at the end.
The topology is:
DHCP server — Switch — Wireless LAN Controller (WLC) — Root Access Point (RAP) (Mesh) )))) ((((( WGB — Switch
- The Dynamic Host Configuration Protocol (DHCP) server is configured for VLAN 50 and 100.
- The WLC has the dynamic interfaces created for VLAN 50 and 100.
- The WGB has sub-interfaces for the required VLANs: 50 and 100.
- The switch behind the WGB has the required VLANs: 50 and 100.
In the lab setup, VLAN 40 is used for WLC management and on the Mesh RAP, and VLAN 50 is used on the WGB. The clients behind the WGB switch get their IP addresses from VLAN 50 and VLAN 100 over the air across the WGB and the Mesh RAP.
Note: The same setup also applies to a Local mode access point (AP).
Configurations
This document uses these configurations:
- WLC WGB
- Switch
- LEAP
WLC WGB
On the WLC command-line interface (CLI), enter the config wgb vlan enable command.
On the WGB CLI, enter the workgroup-bridge unified-vlan-client command.
workgroup-bridge unified-vlan-client
dot11 ssid WGB_LWAPP
 vlan 50
 authentication open
 guest-mode
 infrastructure-ssid
end
interface Dot11Radio0
 no ip address
 no ip route-cache
 ssid WGB_LWAPP
 station-role workgroup-bridge
interface Dot11Radio0.50
 encapsulation dot1Q 50 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.100
 encapsulation dot1Q 100
 no ip route-cache
 bridge-group 100
interface FastEthernet0.50
 encapsulation dot1Q 50 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface FastEthernet0.100
 encapsulation dot1Q 100
 no ip route-cache
 bridge-group 100
interface BVI1
 !--- Grab the IP address from VLAN 50 which is across wireless
 ip address dhcp
 no ip route-cache
Switch
The configuration for the switch is:
Switch#sh cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone
Device ID Local Intrfce Holdtme Capability Platform Port ID
BGL14-TACLAB-ASW-S8
Fas 0/2 150 R S I WS-C3550- Fas 0/27
SURBG-AP Fas 0/1 130 T I AIR-AP124 Fas 0
Switch#
Switch#sh run int fa 0/1
Building configuration...
Current configuration : 127 bytes
!
interface FastEthernet0/1
switchport trunk encapsulation dot1q
switchport trunk native vlan 50
switchport mode trunk
end
Switch#sh vlan br
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default
12 VLAN0012 active
40 VLAN0040 active
50 VLAN0050 active
100 VLAN0100 active
Switch#sh run int vlan 50
Building configuration...
Current configuration : 41 bytes
!
interface Vlan50
ip address dhcp
end
Switch#sh run int vlan 100
Building configuration...
Current configuration : 42 bytes
!
interface Vlan100
ip address dhcp
end
Switch#sh ip int br | i up
Vlan12 unassigned YES DHCP up up
Vlan50 172.16.1.7 YES DHCP up up
Vlan100 100.0.0.21 YES DHCP up up
In conclusion, the VLAN 50 and 100 interfaces obtain the IP address from the DHCP server, which is behind the switch on the central site across wireless via Mesh RAP and WGB.
On the WLC, the correct VLAN is mapped to the correct interfaces.
The VLAN 100 interface obtains its IP address, and the corresponding entry appears on the WLC.
The VLAN 50 interface obtains its IP address, and the corresponding entry appears on the WLC.
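The VLAN mapping described in this section, as an added example that is not part of the original Cisco document: a Python check that the WGB radio and Ethernet sub-interfaces carry the same dot1Q VLANs in the same bridge-groups, and that the sub-interface marked native matches the switch trunk native VLAN (50 here). The function names and the trimmed sample configuration are constructed for illustration.

```python
import re

# Constructed sample: the VLAN-relevant lines of the WGB configuration above.
WGB_CONFIG = """\
interface Dot11Radio0.50
 encapsulation dot1Q 50 native
 bridge-group 1
interface Dot11Radio0.100
 encapsulation dot1Q 100
 bridge-group 100
interface FastEthernet0.50
 encapsulation dot1Q 50 native
 bridge-group 1
interface FastEthernet0.100
 encapsulation dot1Q 100
 bridge-group 100
"""

# One sub-interface header followed by its indented body lines.
SUBIF = re.compile(r"^interface (\S+?)\.\d+\n((?:[ \t]+.*\n?)+)", re.M)

def vlan_map(config):
    """Return {parent interface: {vlan: (bridge_group, is_native)}}."""
    result = {}
    for parent, body in SUBIF.findall(config):
        encap = re.search(r"encapsulation dot1Q (\d+)( native)?", body)
        group = re.search(r"bridge-group (\d+)[ \t]*$", body, re.M)
        if encap:
            result.setdefault(parent, {})[int(encap.group(1))] = (
                int(group.group(1)) if group else None, bool(encap.group(2)))
    return result

def check_wgb_vlans(config, trunk_native, radio="Dot11Radio0", wired="FastEthernet0"):
    """Compare radio and wired sub-interfaces and the switch trunk native VLAN."""
    vmap = vlan_map(config)
    r, w = vmap.get(radio, {}), vmap.get(wired, {})
    problems = []
    for vlan in sorted(set(r) | set(w)):
        if vlan not in r or vlan not in w:
            problems.append(f"VLAN {vlan} is missing on {radio if vlan not in r else wired}")
        elif r[vlan][0] != w[vlan][0]:
            problems.append(f"VLAN {vlan} uses different bridge-groups on {radio} and {wired}")
    natives = {v for side in (r, w) for v, (_, nat) in side.items() if nat}
    if natives != {trunk_native}:
        problems.append(f"sub-interface native VLAN {sorted(natives)} does not match trunk native VLAN {trunk_native}")
    return problems
```

An empty list means the WGB sub-interfaces agree with each other and with the value of switchport trunk native vlan passed as trunk_native.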
LEAP
Configure the WLAN for WPA2 with 802.1X and a local EAP profile.
Ensure the authentication priority on the local Extensible Authentication Protocol (EAP) points to the LOCAL user database.
WGB AP
dot11 ssid WGB_LWAPP
 vlan 50
 authentication open eap eap
 authentication network-eap eap
 authentication key-management wpa version 2
 dot1x credentials wgb
 dot1x eap profile eapfast
 infrastructure-ssid
 no ids mfp client
!
!--- Profile configured -- LEAP
eap profile eapfast
 method leap
!
!
!
!--- Credentials used by this WGB AP to get auth with WLC (Local net users)
dot1x credentials wgb
 username cisco123
 password 7 0822455D0A16544541
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers aes-ccm
 !
 encryption vlan 50 mode ciphers aes-ccm
 !
 ssid WGB_LWAPP
 !
 packet retries 128
 station-role workgroup-bridge
!
interface Dot11Radio0.50
 encapsulation dot1Q 50 native
 no ip route-cache
 bridge-group 1
!
interface Dot11Radio0.100
 encapsulation dot1Q 100
 no ip route-cache
 bridge-group 100
 bridge-group 100 spanning-disabled
The client is in the run state with LEAP security.
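An added configuration check (not part of the original Cisco document) for the two SSID configurations above: it follows each SSID's dot1x eap profile and dot1x credentials references and reports the method and password encoding actually in effect. This matters here because the profile is named eapfast but runs LEAP, which is susceptible to offline dictionary attacks, and because type 7 is a reversible encoding. The function names and the PLACEHOLDER password string are assumptions.

```python
# Constructed sample: authentication-related lines of the LEAP configuration
# above; the encoded password string is replaced by a placeholder.
LEAP_CONFIG = """\
dot11 ssid WGB_LWAPP
 authentication open eap eap
 authentication network-eap eap
 authentication key-management wpa version 2
 dot1x credentials wgb
 dot1x eap profile eapfast
eap profile eapfast
 method leap
dot1x credentials wgb
 username cisco123
 password 7 PLACEHOLDER
"""

def blocks(config):
    """Group an IOS config into {top-level line: [indented child lines]}."""
    out, current = {}, None
    for line in config.splitlines():
        if line[:1].isspace() and current:
            out[current].append(line.strip())
        elif line.strip() and not line.startswith("!"):
            current = line.strip()
            out.setdefault(current, [])
    return out

def audit_ssids(config):
    """Return {ssid: [findings]}, following profile and credential references."""
    cfg, report = blocks(config), {}
    for header, body in cfg.items():
        if not header.startswith("dot11 ssid "):
            continue
        found = report.setdefault(header.split()[2], [])
        if not any(l.startswith("authentication key-management") for l in body):
            found.append("no key management configured")
        for l in body:
            if l.startswith("dot1x eap profile "):
                # The SSID refers to the top-level "eap profile NAME" block.
                if "method leap" in cfg.get(l[len("dot1x "):], []):
                    found.append(f"profile {l.split()[-1]} uses LEAP")
            elif l.startswith("dot1x credentials "):
                # The top-level credentials block has the same header text.
                if any(c.startswith("password 7 ") for c in cfg.get(l, [])):
                    found.append(f"credentials {l.split()[-1]} use type 7 (reversible) encoding")
    return report
```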
Verify
There is currently no verification procedure available for this configuration.
Troubleshoot
There is currently no specific troubleshooting information available for this configuration.
