This document provides an example for the configuration of Cisco Autonomous IOS® access points to operate in Workgroup Bridge (WGB) mode and connect to a Cisco Unified wireless network.
Ensure that you meet these requirements before you attempt this configuration:
The information in this document is based on these software and hardware versions:
Cisco 1231G AP that runs Cisco IOS Software Release 12.3 (8)JEC
Cisco 4400 WLC that runs version 4.2
Cisco 1130 series Light Weight AP
The WGB can be any Cisco Autonomous Access Point that supports the Workgroup Bridge mode and runs Cisco IOS Software Release 12.4(3g)JA or later (on 32-MB access points) or Cisco IOS Software Release 12.3(8)JEB or later (on 16-MB access points). These access points include the AP1120, AP1121, AP1130, AP1231, AP1240, and AP1310. Cisco IOS software releases prior to Cisco IOS Software Releases 12.4(3g)JA and 12.3(8)JEB are not supported.
On the wireless LAN controller, you should have software version 126.96.36.199 or later. The Workgroup Bridge mode is not supported on the controller on any of the earlier versions.
There are various guidelines that must be completed and limitations that need to be understood before you use workgroup bridges in a lightweight environment. Refer to Guidelines for Using Workgroup Bridges in a Lightweight Environment for more information.
Refer to the Cisco Technical Tips Conventions for more information on document conventions.
You can configure an access point to operate as a workgroup bridge so that it can provide wireless connectivity to a lightweight access point on behalf of clients that are connected by Ethernet to the workgroup bridge access point. When you configure the access point to operate as a workgroup bridge and connect to a Cisco Unified network, it can provide wireless connectivity to wired clients that are connected by Ethernet to the workgroup bridge access point. For example, if you need to provide wireless connectivity for a group of wired devices, you can connect the devices to a hub or to a switch, connect the hub or switch to the access point Ethernet port, and configure the access point as a workgroup bridge.
A workgroup bridge connects to a wired network over a single wireless segment by learning the MAC address of its wired clients on the Ethernet interface and reporting them to the lightweight access point using Internet Access Point Protocol (IAPP) messaging. The workgroup bridge provides wireless access connectivity to wired clients by establishing a single connection to the lightweight access point. The lightweight access point treats the workgroup bridge as a wireless client.
If your access point has two radios, either the 2.4-GHz radio or the 5-GHz radio can function in workgroup bridge mode. When you configure one radio interface as a workgroup bridge, the other radio interface remains up.
The controller might not be able to see passive clients behind a WGB. Clients (such as cameras and programmable logic devices) do not initiate a traffic stream unless they are connected. Complete these steps in order avoid this issue:
Add a static MAC filter entry for the passive WGB device and MAC filter entry for the devices that are behind it.
Use this command in order to enable MAC filtering on the WLAN along with aaa override:
config macfilter ipaddress MAC_address IP_address
Add a static entry on the WGB IOS-based device: bridge 1 addressxxxx.xxxx.xxxx forward FastEthernet0
Note: In addition, increase the dot11 activity timer.
Add a static ARP entry on the L3 router:
hostname(config)#arp <ip addr> <mac addr>
This feature allows the controller to learn the IP address of a passive WGB wired client when the WGB sends an IAPP message to the controller that contains only the MAC address of the WGB wired client. When this message is received from the WGB, the controller checks the local MAC filter list or, if the WGB has roamed, the MAC filter list of the anchor controller for the MAC address of the client. If an entry is found and it contains an IP address for the client, the controller adds the client to the client table of the controller.
Unlike the existing MAC filtering feature for wireless clients, you are not required to enable MAC filtering on the WLAN for WGB wired clients. WGB wired clients that use MAC filtering do not need to obtain an IP address through DHCP to be added to the client table of the controller.
In this example, the 1231 Autonomous Access Point is configured as a workgroup bridge and connects to the LWAPP network. Use the SSID WGB_LWAPP for the connection to the WLAN and use the Open authentication with WEP for the authentication of the WGB to the LWAPP network.
Note: Open authentication with WEP is NOT a secure method for authenticating devices. Cisco recommends that you use advanced authentication methods, such as WPA+TKIP, WPA2+AES, EAP-FAST, and EAP-TLS authentication, in order to secure the WLAN. WGB supports Open, WEP, CKIP, WPA+TKIP, WPA2+AES, LEAP, EAP-FAST,Local EAP and EAP-TLS authentication modes. This document uses Open with WEP only for simplicity.
Note: Use the Command Lookup Tool (registered customers only) in order to obtain more information on the commands used in this section.
This document uses this network setup:
Note: This document assumes that the WLC is configured for basic operation and that the LAPs are registered to the WLC. Refer to Lightweight AP (LAP) Registration to a Wireless LAN Controller (WLC) for more information on how a new user can set up the WLC for basic operation with LAPs.
The workgroup bridge can be configured using either the CLI or the GUI.
Complete these steps in order to configure the workgroup bridge with the GUI:
Complete these steps in order to configure an SSID that the WGB can use to connect to the LWAPP network:
Choose Security > SSID Manager from the left navigation pane.
The Global SSID Manager page appears.
Enter the SSID name, VLAN ID, and the RADIO interface. This example uses WGB_LWAPP as the SSID.
In the Client Authentication Settings area, check the Open Authentication check box.
Leave all other parameters with their default values.
In order to configure the WEP keys, choose Security > Encryption Manager from the left navigation pane.
The Encryption Manager page appears.
In the Encryption Modes area, click the WEP Encryption radio button, and choose Mandatory from the drop-down list.
In the Encryption Keys area, enter the encryption key for WEP.
Note: The WEP encryption keys can be 40 bits or 128 bits in length. This example uses the 128-bit WEP encryption key 123456789123456789abc.
Click Apply in order to save the settings.
Complete these steps in order to configure the AP as a WGB:
Click Network Interfaces in the left navigation pane in order to browse to the Network Interfaces Summary page.
Choose the radio interface that you want to configure as a WGB. This example uses interface Radio0-802.11G. The action allows you to browse to the Network Interfaces: Radio Status page.
Click the Settings tab in order to open the Settings page for the radio interface.
Click the Enable radio button in order to enable the radio.
For Role in Radio Network, click the Workgroup Bridge radio button. This option enables the radio to operate in Workgroup Bridge mode.
Leave all the other settings on the page with the default values.
Click Apply in order to save the settings
Use these commands in order to configure the AP through the CLI:
!--- Enter configuration commands, one on each line. End with CNTL/Z.
AP_WGB(config)#dot11 ssid WGB_LWAPP
AP_WGB(config)#interface dot11Radio 0
AP_WGB(config-if)#encryption vlan 2 mode wep mandatory
AP_WGB(config-if)#encryption vlan 2 key 1 size 128bit 12345678912345678912345678
On the wireless LAN controller, create a WLAN that matches the SSID and security method that was configured on the workgroup bridge. This is the only configuration required on the controller for the WGB to associate with it.
Note: Aironet IE also needs to be enabled. It is enabled by default with a new WLAN.
Complete these steps in order to configure a WLAN on the controller:
Click WLANs from the controller GUI in order to create a WLAN. The WLANs window appears. This window lists the WLANs configured on the controller.
Click New in order to configure a new WLAN. In this example, the WLAN is named WGB_LWAPP.
In the WLANs > Edit window, define the parameters specific to the WLAN.
Under General Policies, check the Status check box in order to enable the WLAN.
Under Security Policies, choose Static WEP from the Layer 2 Security drop-down list, and specify the WEP parameters within the Static WEP Parameters area.
Change other parameters depending on the design of the network, and click Apply.
Once the WLC and the WGB AP are configured, the WGB associates to the LAP as a client. You can view the status of WGBs on your network with the controller GUI.
From the controller GUI, choose Monitor > Clients in order to open the Clients page. The WGB field on the right side of the page indicates whether any of the clients on your network are workgroup bridges.
Click the MAC address of the desired client in order to view the details of the WGB. The Clients > Detail page appears.
In order to see the details of any wired clients that are connected to a particular WGB, go to the Clients page, hover your cursor over the blue drop-down arrow for the desired WGB, and choose Show Wired Clients. The WGB Wired Clients page appears.
From the controller CLI, you can use this command in order to view the list of WGBs connected to the network:
show wgb summary
Here is an example:
(Cisco Controller) >show wgb summary
Number of WGBs................................... 1
MAC Address IP Address AP Name Status WLAN Auth Protocol Clients
----------------- --------------- ----------------- --------- ---- ---- -------- -------
00:12:7f:63:e6:ca 10.77.244.215 ap:51:5a:e0 Assoc 2 Yes 802.11g 2
Enter this command in order to see the details of any wired clients that are connected to a particular WGB:
show wgb detail wgb_mac_address
Here is an example:
(Cisco Controller) >show wgb detail 00:12:7f:63:e6:ca
Number of wired client(s): 2
MAC Address IP Address AP Name Mobility WLAN Auth
----------------- --------------- ----------------- ---------- ---- ----
00:0b:85:5b:fb:d0 Unknown ap:51:5a:e0 Local 2 No
00:0b:85:51:5a:e0 Unknown ap:51:5a:e0 Local 2 No
A common problem has been observed mainly with the Cisco IOS-Based workgroup bridge. When a wired client does not send traffic for an extended period of time, the WGB removes the client from its bridge table, even if the traffic is continuously being sent to the wired client. As a result, the traffic flow to the wired client fails. In order to avoid the traffic loss and removal of the wired client from the bridge table, use this command in order to configure the aging-out timer on the WGB to a large value:
bridge <bridge-group-number> aging-time <seconds>, where bridge-group-number is a value between 1 and 255 and seconds is a value between 10 and 1,000,000 seconds. Cisco recommends that you configure the seconds parameter to a value greater than the idle period of the wired client.
Note: This can be particularly helpful if you have devices such as a printer that sits idle for a long period of time.