Document ID: 115752
Updated: Feb 19, 2013
Contributed by Surendra BG, Cisco TAC Engineer.
This document provides a sample configuration for Mesh and Workgroup Bridge (WGB) multiple VLAN support with open authentication (Open Auth) and with Lightweight Extensible Authentication Protocol (LEAP).
Other Documents in this Series
There are no specific requirements for this document.
This document is not restricted to specific software and hardware versions.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Refer to the Cisco Technical Tips Conventions for more information on document conventions.
In this section, you are presented with the information to configure the features described in this document.
This document uses this network setup, which shows how to achieve multiple VLAN support on the switch behind the WGB with Open Auth. LEAP is added at the end.
The topology is:
DHCP server — Switch — Wireless LAN Controller (WLC) — Root Access Point (RAP) (Mesh) )))) ((((( WGB — Switch
The Dynamic Host Configuration Protocol (DHCP) server is configured for VLAN 50 and 100.
The WLC has the dynamic interfaces created for VLAN 50 and 100.
The WGB has sub-interfaces for required VLANs — 50 and 100.
The switch behind the WGB has required VLANs — 50 and 100.
In the lab setup, VLAN 40 is for WLC management, VLAN 40 on the Mesh RAP, and VLAN 50 on the WGB. The clients behind the WGB switch get the IP address from VLAN 50 and VLAN 100 over the air across the WGB and the Mesh RAP.
Note: The same setup holds good for the Local mode access point (AP) as well.
This document uses these configurations:
On the WLC command-line interface (CLI), enter the config wgb vlan enable command.
On the WGB CLI, enter the workgroup-bridge unified-vlan-client command.
workgroup-bridge unified-vlan-client dot11 ssid WGB_LWAPP vlan 50 authentication open guest-mode infrastructure-ssid end interface Dot11Radio0 no ip address no ip route-cache ssid WGB_LWAPP station-role workgroup-bridge interface Dot11Radio0.50 encapsulation dot1Q 50 native no ip route-cache bridge-group 1 bridge-group 1 spanning-disabled ! interface Dot11Radio0.100 encapsulation dot1Q 100 no ip route-cache bridge-group 100 interface FastEthernet0.50 encapsulation dot1Q 50 native no ip route-cache bridge-group 1 bridge-group 1 spanning-disabled ! interface FastEthernet0.100 encapsulation dot1Q 100 no ip route-cache bridge-group 100 interface BVI1 !--- Grab the IP address from VLAN 50 which is across wireless ip address dhcp no ip route-cache
The configuration for the switch is:
Switch#sh cdp neighbors Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone Device ID Local Intrfce Holdtme Capability Platform Port ID BGL14-TACLAB-ASW-S8 Fas 0/2 150 R S I WS-C3550- Fas 0/27 SURBG-AP Fas 0/1 130 T I AIR-AP124 Fas 0 Switch# Switch#sh run int fa 0/1 Building configuration... Current configuration : 127 bytes ! interface FastEthernet0/1 switchport trunk encapsulation dot1q switchport trunk native vlan 50 switchport mode trunk end Switch#sh vlan br VLAN Name Status Ports ---- -------------------------------- --------- ------------------------------- 1 default 12 VLAN0012 active 40 VLAN0040 active 50 VLAN0050 active 100 VLAN0100 active Switch#sh run int vlan 50 Building configuration... Current configuration : 41 bytes ! interface Vlan50 ip address dhcp end Switch#sh run int vlan 100 Building configuration... Current configuration : 42 bytes ! interface Vlan100 ip address dhcp end Switch#sh ip int br | i up Vlan12 unassigned YES DHCP up up Vlan50 172.16.1.7 YES DHCP up up Vlan100 22.214.171.124 YES DHCP up up
In conclusion, the VLAN 50 and 100 interfaces obtain the IP address from the DHCP server, which is behind the switch on the central site across wireless via Mesh RAP and WGB.
On the WLC, the correct VLAN is mapped to the correct interfaces.
The VLAN 100 grabs the IP address and that entry on the WLC.
The VLAN 50 grabs the IP address and that entry on the WLC.
Configure the WLAN for WPA2 - 802.1X local eap profile.
Ensure the authentication priority on the local Extensible Authentication Protocol (EAP) points to the LOCAL user database.
dot11 ssid WGB_LWAPP vlan 50 authentication open eap eap authentication network-eap eap authentication key-management wpa version 2 dot1x credentials wgb dot1x eap profile eapfast infrastructure-ssid no ids mfp client ! !--- Profile configured -- LEAP eap profile eapfast method leap ! ! ! !--- Credentials used by this WGB AP to get auth with WLC (Local net users) dot1x credentials wgb username cisco123 password 7 0822455D0A16544541 interface Dot11Radio0 no ip address no ip route-cache ! encryption mode ciphers aes-ccm ! encryption vlan 50 mode ciphers aes-ccm ! ssid WGB_LWAPP ! packet retries 128 station-role workgroup-bridge ! interface Dot11Radio0.50 encapsulation dot1Q 50 native no ip route-cache bridge-group 1 ! interface Dot11Radio0.100 encapsulation dot1Q 100 no ip route-cache bridge-group 100 bridge-group 100 spanning-disabled
The client is in the run state with LEAP security.
There is currently no verification procedure available for this configuration.
There is currently no specific troubleshooting information available for this configuration.
The Cisco Support Community is a forum for you to ask and answer questions, share suggestions, and collaborate with your peers.
Refer to Cisco Technical Tips Conventions for information on conventions used in this document.