Ethernet Bridging with Wireless Mesh Networks
A common issue that arises when customers convert from an Autonomous Access Point (aIOS AP) wireless solution to the Cisco Wireless LAN Controllers (WLCs) and Lightweight APs (LAPs) is that standard wireless bridging functionality is lost. Since the LAPs are controlled centrally at the WLC, you can no longer configure radio roles like root bridge and non-root bridge. Although you can configure an aIOS AP as a Workgroup Bridge (WGB) that associates as a client to the WLC based Wireless LAN (WLAN) to service wired clients behind it, you cannot pass multiple VLAN traffic through this link. The answer to this dilemma is using a wireless mesh deployment.
Although the wireless mesh feature allows you to provide a secure wireless solution for outdoor environments such as a college campus or an entire city, it also allows you to bridge remote wired networks together. Initially mesh was only supported on the 1500 and 1520 series LAPs. In later code releases, Cisco introduced Enterprise Mesh, which allows you to use 1130 and 1240 series APs to create an indoor mesh environment. An important caveat to remember is that the 1130 and 1240 series APs were only designed for indoor mesh deployments and you should not use those APs for outdoor mesh/bridging.
The mesh network consists of Root APs (RAPs) and Mesh APs (MAPs). The RAP is the wired connection to the WLC for the MAPs which use their 802.11a radios as a backhaul to communicate with the WLC through the RAP. You can use point-to-point mesh bridging, point-to-multipoint bridging, or a full mesh network with bridging enabled.
With either outdoor or indoor mesh deployments, you can configure Ethernet Bridging to bridge separate wired networks together. Ethernet Bridging allows you to connect remote wired networks to each other using the Ethernet port of the mesh LAPs. For bridging to work, every MAP and RAP in the path must have Ethernet Bridging enabled.
Prior to code Release 5.2, Ethernet Bridging only allowed the extension of the Layer 2 network in which the mesh LAPs resided. So if the LAPs had IP addresses in VLAN 5, for example, you could only extend VLAN 5 to the remote wired network. The 5.2 release and later allows you to bridge multiple VLANs. Like the earlier feature, every LAP in the mesh path back to, and including, the RAP must support bridging the same VLANs as the MAP with the wired connection. If you do not allow the correct VLANs on all the MAPs in the mesh, then in the event of a failure within the mesh network that results in a different path back to the RAP being created, it is possible to break the bridging feature if a MAP in the new path does not support a particular VLAN. In Figure 1, if MAP1 were to go down and MAP3 changed its parent to MAP2, VLAN 2 would no longer be bridged correctly because MAP2 does not support bridging VLAN 2.
Figure 1 VLAN tagging Support Example within a Mesh Network
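The Figure 1 failure mode is easy to miss by inspection once a mesh has more than a handful of MAPs, because the allowed-VLAN list has to be checked along every path a MAP could take after a re-parent, not only its current one. The following is an added example, not code from the article or from Cisco: it models the mesh as a parent table with a per-AP allowed-VLAN set, walks each MAP's path to the RAP looking for hops that lack a VLAN the MAP bridges on its wired port, and then repeats the check after MAP3 re-parents to MAP2. The AP names, parent relationships and VLAN numbers are constructed to match the text's scenario; the generalization to any topology (loop detection, any number of bridged VLANs per MAP) goes beyond the single case the text describes.

```python
"""Pre-deployment check: is every bridged VLAN allowed on every hop back to the RAP?

Added example (not from the original article). Topology and VLAN numbers are
constructed to mirror the text's Figure 1 scenario (MAP3 behind MAP1, MAP2 as
the fallback parent that does not allow VLAN 2).
"""
from __future__ import annotations

from dataclasses import dataclass, replace
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class MeshAP:
    name: str
    parent: Optional[str]                     # None marks the RAP (the wired uplink)
    allowed_vlans: FrozenSet[int]             # VLANs this AP will bridge over its backhaul
    bridged_vlans: FrozenSet[int] = frozenset()  # VLANs carried on its own Ethernet port


def path_to_rap(aps: Dict[str, MeshAP], start: str) -> List[str]:
    """Return the hop list from `start` up to and including the RAP.

    Refuses a parent loop (a misconfigured topology would otherwise spin forever).
    """
    path: List[str] = []
    seen = set()
    node: Optional[str] = start
    while node is not None:
        if node in seen:
            raise ValueError(f"parent loop detected at {node}")
        seen.add(node)
        path.append(node)
        node = aps[node].parent
    return path


def bridging_gaps(aps: Dict[str, MeshAP]) -> Dict[Tuple[str, int], List[str]]:
    """Map (MAP name, VLAN) -> hops on its path whose allowed list lacks that VLAN.

    A VLAN is bridged end to end only when every MAP on the path and the RAP
    itself allow it; an empty result means the current topology is consistent.
    """
    gaps: Dict[Tuple[str, int], List[str]] = {}
    for ap in aps.values():
        for vlan in sorted(ap.bridged_vlans):
            missing = [hop for hop in path_to_rap(aps, ap.name)
                       if vlan not in aps[hop].allowed_vlans]
            if missing:
                gaps[(ap.name, vlan)] = missing
    return gaps


def reparent(aps: Dict[str, MeshAP], child: str, new_parent: str) -> Dict[str, MeshAP]:
    """Return a copy of the topology in which `child` has chosen `new_parent`."""
    updated = dict(aps)
    updated[child] = replace(aps[child], parent=new_parent)
    return updated


def figure1_topology() -> Dict[str, MeshAP]:
    """Constructed topology: RAP and MAP1 allow VLAN 2, MAP2 does not, MAP3 bridges it."""
    aps = [
        MeshAP("RAP",  None,  frozenset({1, 2, 12})),
        MeshAP("MAP1", "RAP", frozenset({1, 2, 12})),
        MeshAP("MAP2", "RAP", frozenset({1, 12})),
        MeshAP("MAP3", "MAP1", frozenset({1, 2, 12}), bridged_vlans=frozenset({2, 12})),
    ]
    return {ap.name: ap for ap in aps}


if __name__ == "__main__":
    before = figure1_topology()
    print("current path for MAP3:", " -> ".join(path_to_rap(before, "MAP3")))
    print("gaps before failure:", bridging_gaps(before))      # {} : consistent
    after = reparent(before, "MAP3", "MAP2")                   # MAP1 goes down
    print("gaps after re-parent:", bridging_gaps(after))       # {('MAP3', 2): ['MAP2']}
```

Run the check for every parent a MAP could plausibly fall back to, not just the one it is using today; the `reparent` step makes that a one-line loop over candidate parents.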
Configuring Ethernet Bridging
You enable Ethernet Bridging on your mesh LAPs using the Mesh tab on the LAP configuration page. After you have enabled Ethernet Bridging support on your MAPs, you need to configure the VLAN tagging settings. Figure 2 shows the Ethernet configuration of an indoor RAP, and Figure 3 shows the same configuration on the indoor MAP.
Figure 2 RAP VLAN Tagging Configuration
Figure 3 MAP VLAN Tagging Configuration
In this case, the RAP Ethernet port is configured as a trunk port with VLAN 20 set to Native and allowing VLAN 12. You can add more VLANs by entering the VLAN into the Trunk VLAN ID box and clicking Add. With the Ethernet port set to Trunk, the LAP accepts both tagged and untagged packets. Any tagged packets for a VLAN that is not in the allowed list are dropped. Because the MAP is only bridging VLAN 12 in this case, the Ethernet port mode is Access. The MAP tags the incoming untagged packet and forwards it to the RAP. Any tagged packets at the MAP are dropped.
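The port behaviour just described comes down to one question per frame: does the first Ethernet header carry an 802.1Q tag, and if so, is its VLAN ID on the allowed list? The block below is an added example, not code from the article or from Cisco. It parses the tag out of a raw frame and applies the text's rules for a Trunk port (untagged goes to the native VLAN, tagged is forwarded only if allowed) and an Access port (untagged is tagged with the access VLAN, tagged is dropped). The port settings match the text (RAP trunk, native VLAN 20, allowed VLAN 12; MAP access on VLAN 12); the frames and MAC addresses are constructed, and treating a frame tagged with the native VLAN as allowed on the trunk is an assumption the text does not state.

```python
"""Model the ingress decision of a mesh AP Ethernet port in Trunk and Access mode.

Added example (not from the original article). Parses the optional 802.1Q tag
from an Ethernet frame and applies the drop/forward rules the text describes.
Frames below are constructed; the client MAC 000f.b049.5898 is the one the
article's Example 3 discussion mentions.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

TPID_8021Q = 0x8100          # EtherType value that announces an 802.1Q tag
VID_MASK = 0x0FFF            # low 12 bits of the TCI carry the VLAN ID


@dataclass(frozen=True)
class PortConfig:
    mode: str                                    # "trunk" or "access"
    vlan: int                                    # native VLAN (trunk) or access VLAN
    allowed: FrozenSet[int] = frozenset()        # trunk only: explicitly allowed VLANs


def parse_vlan_tag(frame: bytes) -> Optional[int]:
    """Return the VLAN ID if the frame carries an 802.1Q tag, otherwise None."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (tpid,) = struct.unpack_from("!H", frame, 12)   # bytes 12-13: EtherType or TPID
    if tpid != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("802.1Q TPID present but tag is truncated")
    (tci,) = struct.unpack_from("!H", frame, 14)    # bytes 14-15: PCP/DEI/VID
    return tci & VID_MASK


def classify_ingress(port: PortConfig, frame: bytes) -> Tuple[str, Optional[int]]:
    """Return ("forward", vlan) or ("drop", vid) for a frame arriving on `port`."""
    vid = parse_vlan_tag(frame)
    if port.mode == "access":
        # Access: untagged frames are tagged with the access VLAN; tagged frames are dropped.
        return ("forward", port.vlan) if vid is None else ("drop", vid)
    if port.mode == "trunk":
        if vid is None:
            return ("forward", port.vlan)         # untagged -> native VLAN
        # Assumption: the native VLAN counts as allowed even when it arrives tagged.
        if vid == port.vlan or vid in port.allowed:
            return ("forward", vid)
        return ("drop", vid)                      # tagged for a VLAN not in the allowed list
    raise ValueError(f"unknown port mode {port.mode!r}")


def build_frame(dst: str, src: str, vid: Optional[int] = None,
                ethertype: int = 0x0800, payload: bytes = b"\x00" * 46) -> bytes:
    """Assemble a minimal Ethernet frame, optionally with an 802.1Q tag (PCP 0)."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vid is not None:
        hdr += struct.pack("!HH", TPID_8021Q, vid & VID_MASK)
    hdr += struct.pack("!H", ethertype)
    return hdr + payload


# Port settings from the text's Figure 2 and Figure 3 description.
RAP_PORT = PortConfig(mode="trunk", vlan=20, allowed=frozenset({12}))
MAP_PORT = PortConfig(mode="access", vlan=12)

BCAST = "ff:ff:ff:ff:ff:ff"
WIRED_CLIENT = "00:0f:b0:49:58:98"


if __name__ == "__main__":
    for label, port in (("MAP access port", MAP_PORT), ("RAP trunk port", RAP_PORT)):
        for vid in (None, 12, 30):
            frame = build_frame(BCAST, WIRED_CLIENT, vid=vid)
            print(f"{label}: tag={vid!s:>4} -> {classify_ingress(port, frame)}")
```

The pair of `("drop", vid)` results for VLAN 30 on the trunk and for any tagged frame on the access port is the behaviour to expect when a wired device behind a MAP is unexpectedly sending tagged traffic, which is worth knowing before reaching for the VLAN statistics debugs described later.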
Mesh LAPs use VLAN transparency to perform Ethernet Bridging when extending their Layer 2 network. To allow multiple VLAN bridging/tagging, you must disable VLAN transparency under the Wireless>Mesh>Ethernet Bridging section on the WLC GUI. When VLAN transparency is enabled, VLAN processing does not occur. This setting assumes that all traffic is destined to and from the same VLAN with no 802.1Q tagging. After you have disabled VLAN transparency, reboot the MAPs for that setting to take effect.
It is important to understand the traffic flow when using Ethernet Bridging. Figure 4 shows the traffic flow for both wired and wireless clients within the mesh network with Ethernet Bridging enabled.
Figure 4 Ethernet Bridging Traffic Flow
As you can see, with Ethernet Bridging enabled, the traffic flow for wireless clients is unchanged. The wireless client packets are sent using LWAPP/CAPWAP data, which is sent through the encrypted backhaul to the WLC. The WLC then bridges that traffic to the wired network. The bridged wired client traffic, however, is bridged directly into the backhaul toward the RAP. The RAP then bridges the traffic directly onto the wired network. The wired bridged traffic is not sent back to the WLC.
In addition to disabling VLAN transparency and allowing the correct VLANs on the LAPs, several guidelines apply when you use the Ethernet Bridging and VLAN tagging feature:
Ethernet Bridging Troubleshooting
Before the 5.2 code release, troubleshooting Ethernet Bridging with mesh LAPs was almost impossible. You had to rely on packet captures and Ethernet interface statistics. Cisco added several show and debug commands with the 5.2 release to help troubleshoot and view VLAN tagging information.
From the controller, you can verify your VLAN tagging configuration using the following commands:
show ap config ethernet AP_name
The show ap config ethernet command shows you the mode of the Ethernet port, the native VLAN, and any allowed VLANs, as demonstrated in Example 1.
Example 1: show ap config ethernet Command Output
(Cisco Controller) >show ap config ethernet 1131
The show mesh config command shows the status of VLAN transparency mode, as demonstrated in Example 2.
Example 2: show mesh config Command Output
(Cisco Controller) >show mesh config
One configuration that confuses most users is the Mesh Range setting. In the controller GUI, this setting is called the RAP to MAP distance. Most think that this is the distance from the RAP to the first MAP, but that is incorrect; this value merely adjusts a timer to tell the LAPs how long they should wait to receive an ACK from a child LAP. The higher the value (in feet), the longer the sending LAP waits for a response. The general rule of thumb is that the Mesh Distance should be set to the farthest distance between any two LAPs in the network.
You can use the remote LAP debugs from the WLC CLI or enable telnet on the LAPs and run the following mesh ap debug commands:
Here are the mesh ap show commands:
Example 3 demonstrates output from the show mesh forwarding table command.
Example 3: show mesh forwarding table Debug
(Cisco Controller) >debug ap command "show mesh forwarding table" 1242
From this output you can see that this AP has two bridge groups: one for VLAN 1 and the other for VLAN 12. There is a wired client in VLAN 12 with the MAC address of 000f.b049.5898.
The output from show mesh forwarding vlan mode tells you whether VLAN transparency is enabled or disabled on the AP, as demonstrated in Example 4.
Example 4: show mesh forwarding vlan mode Debug
(Cisco Controller) >debug ap command "show mesh forwarding vlan mode" 1242
To see transmit and receive stats for the bridged VLANs, use show mesh ethernet vlan statistics, as demonstrated in Example 5.
Example 5: show mesh ethernet vlan statistics Debug
(Cisco Controller) >debug ap command "show mesh ethernet vlan statistics" 1242
This output is helpful in determining whether traffic is passing over the bridge links.
To troubleshoot bridge group membership, use show mesh forwarding interfaces, as demonstrated in Example 6.
Example 6: show mesh forwarding interfaces Debug
(Cisco Controller) >debug ap command "show mesh forwarding interfaces" 1242
Here you can see that Ethernet Bridging is enabled for bridge groups 1 and 2. The FastEthernet port 0 is in bridge group 2. Together with the preceding show mesh forwarding output, you know that bridge group 2 is forwarding VLAN 12.
The switch trunk port should not allow any VLAN other than the VLANs used in the mesh sector connected through it. Because of a bug, CSCsr87215, the packets from other non-configured VLANs are accepted in the native-VLAN through the RAP backhaul Ethernet interface. You can easily avoid this by carefully configuring the switch port.
As is the case with any network bridging deployment, you need to take care that you do not create any routing or bridging loops within your network.
This article offered some insight into the Ethernet Bridging feature with mesh wireless networks, how to configure it, and how to troubleshoot it. Ethernet Bridging has evolved dramatically with the 5.2 release of code and is no longer limited to simply extending the Layer 2 network in which the mesh LAPs reside.