The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
A Workgroup Bridge (WGB) is a feature in wireless networking that allows a wired device or a group of wired devices to connect to a wireless network.
Both Workgroup Bridge (WGB) and Universal Workgroup Bridge (uWGB) modes are part of WGB and that enable seamless connectivity between wired and wireless networks.
From Unified Industrial Wireless (UIW) Release 17.13.1, both of these modes are supported on the Cisco Catalyst IW9165E Rugged Access Point (AP) and wireless client.
Understand the limitations and restrictions of both WGB and uWGB modes to ensure optimal performance and avoid potential network issues.
The WGB can associate only with Cisco lightweight APs.
Speed and duplex settings are automatically negotiated based on the locally connected endpoint's capabilities. These settings cannot be manually configured on the AP’s wired 0 and wired 1 interfaces.
When the WGB roams to a foreign controller, a wired client can connect to the WGB network. In this case, the anchor controller shows the wired client’s IP address, but the foreign controller does not.
Deauthenticating a WGB record from a controller clears all entries of wired clients connected to that WGB.
Wired clients connected to a WGB do not support:
MAC filtering,
link tests,
idle timeout, and
web authentication.
A WGB cannot associate with a WLAN configured with adaptive 802.11r.
IPv6 and IPv4 support
The WGB supports IPv6 traffic exclusively for wired clients, even though IPv4 is enabled.
IPv6 management for the WGB does not function properly, even if the WGB successfully associates with an uplink. IPv6 pings and SSH to the WGB management IPv6 address do not work.
 Note |
Re-enable IPv6 on the WGB, even if it is already enabled and an IPv6 address has been assigned. |
Channel bandwidth issue
If the infrastructure AP operates on a non-dynamic frequency selection (non-DFS) channel and changes its channel bandwidth, the WGB continues to use the original channel bandwidth.
Note |
Confirm that the WGB connects to the AP using the correct channel bandwidth. |
TFTP and SFTP are not supported in uWGB mode. Perform software upgrades in WGB mode only. For more information, see uWGB Image Upgrade.
uWGB mode supports wired clients connected to the wired0 interface. However, it doesn't support wired clients connected to the wired1 interface.
You should configure an arbitrary non-routable IP address for uWGB. Using a static or dynamic IP address in the same range as the end device can result in unexpected behavior.
From UIW Release 17.13.1, an AP in uWGB mode is managed using SSH. Image upgrade can be performed when no wired clients are connected to the AP.
When a wired client is detected, the AP in uWGB mode remains in the same uWGB mode. You cannot upgrade the image of the AP.
When a wired client is not detected, the AP in uWGB mode switches to WGB mode. You can manage as well as upgrade the image of the AP.
Reset your login credentials in day 0 to ensure the security of your network device. Follow these guidelines to configure new login credentials after the first login.
|
Rule type |
Details |
|---|---|
|
Username length |
must be between 1 and 32 characters |
|
Password length |
must be between 8 and 120 characters |
|
Password must include |
|
|
Password can include |
|
|
Password must exclude |
|
|
Password cannot |
|
|
Password must contain |
A new password that must have at least four characters different from the current password. |
Default credentials example:
Username: Cisco
Password: Cisco
Enable Password: Cisco
User credentials example:
Current Password:Cisco
Current Enable Password:Cisco
New User Name:demouser
New Password:DemoP@ssw0rd
Confirm New Password:DemoP@ssw0rd
New Enable Password:DemoE^aP@ssw0rd
Confirm New Enable Password:DemoE^aP@ssw0rd
Note |
In the provided example, passwords are displayed in plain text for clarity. In real-world scenarios, passwords are masked with asterisks (*). |
For a WGB to join a wireless network, configure these settings on the WLAN and the related policy profile on the controller.
Follow these steps to configure the Cisco Client Extensions option and set the support for the Aironet IE in the WLAN:
Use the wlan profile-name command to enter the WLAN configuration submode.
Device#wlan profile-nameHere, profile-name refers to the name of the configured WLAN.
Use the ccx aironet-iesupport command to configure the Cisco Client Extensions option and set the Aironet IE support on the WLAN.
Device#ccx aironet-iesupportNote |
This configuration is mandatory for the WGB to associate with the AP. |
Device#wireless profile policy profile-policy Use the vlan vlan-id command to assign the profile policy to the VLAN.
Device#vlan vlan-id Use the wgb vlan command to configure WGB VLAN client support.
Device#wgb vlan To upgrade the uWGB software image by converting it to WGB mode, performing the upgrade, and reverting it back to uWGB mode. The process requires using TFTP or SFTP protocols for the software download.
|
Step 1 |
Connect a TFTP or SFTP server to the wired 0 port of the uWGB. |
||
|
Step 2 |
Use the configure Dot11Radio slot_id disable command to disable the radio interface. |
||
|
Step 3 |
Convert uWGB to WGB mode. Use the configure Dot11Radio slot_id mode wgb ssid-profile ssid_profile_name command to reboot the device with the downloaded configuration.
|
||
|
Step 4 |
When the device reboots, assign a static IP address to the WGB. Use the configure ap address ipv4 static IPv4_address netmask Gateway_IPv4_address command to assign a static IP address to the WGB. |
||
|
Step 5 |
Use the pingserver_IP command to view the ICMP ping results to the server. Example: |
||
|
Step 6 |
Use the archive download/reload <tftp | sftp | http >://server_ip /file_path command to upgrade the uWGB software. |
||
|
Step 7 |
Use the configure Dot11Radio slot_id mode uwgb wired_client_mac_addr ssid-profile ssid_profile_name command to revert the device back to uWGB mode. |
Perform these tasks for WGB configuration:
Configure the radio in WGB mode, and associate the SSID profile with the radio.
Turn on the radio.
WGB uplink supports various security methods, which includes:
Open (unsecured)
Pre-shared key (PSK), and
Dot1x (LEAP, PEAP, FAST-EAP, and TLS).
Note |
Ensure that the below configuration order is followed when EAP-TLS security is desired on the WGB:
|
Note |
If you make any modifications to the dot1x credential profile, trustpoint profile, or EAP profile, the changes do not take effect immediately. You must manually re-attach the EAP profile to the SSID profile for the changes to apply. configure ssid-profile <ssid_prof_name> ssid authentication eap profile <eap_prof_name> key-management <key_type> command to re-attach the EAP profile to the SSID profile. |
Dot1x FAST-EAP configuration example
configure dot1x credential demo-cred username demouser1 password Dem0Pass!@
configure eap-profile demo-eap-profile dot1x-credential demo-cred
configure eap-profile demo-eap-profile method fast
configure ssid-profile demo-FAST ssid demo-fast authentication eap profile demo-eap-profile key-management wpa2
configure dot11radio 1 mode wgb ssid-profile demo-FAST
configure dot11radio 1 enable
These sections provide detailed information on the WGB configuration procedure.
Device#configure dot1x credential profile-name username name password pwdUse the show wgb eap dot1x credential profile command to view the status of WGB EAP Dot1x profile.
Device#show wgb eap dot1x credential profile Use the clear wgb client {all | single mac-addr} command to deauthenticate WGB wired client.
Device#clear wgb client all Perform these steps to configure an EAP profile:
Attach the Dot1x credential profile to the EAP profile.
Attach the EAP profile to the SSID profile.
Attach the SSID profile to the radio.
|
Step 1 |
Use the configure eap-profile profile-name method { fast | leap | peap | tls} command to configure the EAP profile.
|
||
|
Step 2 |
Use the configure eap-profile profile-name trustpoint { default | name trustpoint-name} command to attach the CA trustpoint for TLS. By default, the WGB uses the internal MIC certificate for authentication. |
||
|
Step 3 |
Use the configure eap-profile profile-name dot1x-credential profile-name command to attach the dot1x-credential profile. |
||
|
Step 4 |
[Optional] Use the configure eap-profile profile-name delete command to delete an EAP profile. |
|
Step 1 |
Use the configure crypto pki trustpoint ca-server-name enrollment terminal command to create a trustpoint in WGB. |
||
|
Step 2 |
Use the configure crypto pki trustpoint ca-server-name authenticate command to authenticate a trustpoint manually. Enter the base 64 encoded CA certificate. Enter quit to finish the certificate.
Example: |
||
|
Step 3 |
Use the configure crypto pki trustpoint ca-server-name key-size key-length command to configure a private key size. |
||
|
Step 4 |
Use the configure crypto pki trustpoint ca-server-name subject-name name [Optional] 2ltr-country-code state-name locality org-name org-unit email command to configure the subject-name. |
||
|
Step 5 |
Use the configure crypto pki trustpoint ca-server-name enroll command to generate a private key and certificate signing request (CSR). Create the digitally signed certificate using the CSR output in the CA server. |
||
|
Step 6 |
Use the configure crypto pki trustpoint ca-server-name import certificate command to import the signed certificate in WGB. Enter the base 64 encoded CA certificate. Enter quit to finish the certificate. |
||
|
Step 7 |
[Optional] Use the configure crypto pki trustpoint trustpoint-name delete command to delete a trustpoint. |
||
|
Step 8 |
Use the show crypto pki trustpoint command to view the trustpoint summary. |
||
|
Step 9 |
Use the show crypto pki trustpoint trustpoint-name certificate command to view the content of the certificates that are created for a trustpoint. |
|
Step 1 |
Use the configure crypto pki trustpoint ca-server-name enrollment url ca-server-url command to enroll a trustpoint in the WGB using the server URL. |
||
|
Step 2 |
Use the configure crypto pki trustpoint ca-server-name authenticate command to authenticate a trustpoint. This command fetches the CA certificate from CA server automatically. |
||
|
Step 3 |
Use the configure crypto pki trustpoint ca-server-name key-size key-length command to configure a private key size. |
||
|
Step 4 |
Use the configure crypto pki trustpoint ca-server-name subject-name name [Optional] 2ltr-country-code state-name locality org-name org-unit email command to configure the subject-name. |
||
|
Step 5 |
Use the configure crypto pki trustpoint ca-server-name enroll command to enroll the trustpoint. Request the digitally signed certificate from the CA server. |
||
|
Step 6 |
Use the configure crypto pki trustpoint ca-server-name auto-enroll enable renew-percentage command to enable auto-enroll.
|
||
|
Step 7 |
[Optional] Use the configure crypto pki trustpoint trustpoint-name delete command to delete a trustpoint. |
||
|
Step 8 |
Use the show crypto pki trustpoint command to view the trustpoint summary. |
||
|
Step 9 |
Use the show crypto pki trustpoint trustpoint-name certificate command to view the details of the certificate for a specific trustpoint. |
||
|
Step 10 |
Use the show crypto pki timers command to view the public key infrastructure (PKI) timer information. show crypto pki timers |
|
Step 1 |
Specify the enrollment method. Use the configure crypto pki trustpoint ca-server-name enrollment tftp tftp-addr/file-name command to retrieve the CA and client certificate for a trustpoint. |
|
Step 2 |
Use the configure crypto pki trustpoint ca-server-name authenticate command to authenticate a trustpoint manually. This retrieves and authenticates the CA certificate from the specified TFTP server. If the file specification is included, the WGB adds the extension .ca to the specified filename. |
|
Step 3 |
Use the configure crypto pki trustpoint ca-server-name key-size key-length command to configure a private key size. |
|
Step 4 |
Use the configure crypto pki trustpoint ca-server-name subject-name name [Optional] 2ltr-country-code state-name locality org-name org-unit email command to configure the subject-name. |
|
Step 5 |
Use the configure crypto pki trustpoint ca-server-name enroll command to generate a private key and Certificate Signing Request (CSR). This generates certificate request and sends the request to the TFTP server. The filename to be written is appended with the .req extension. |
|
Step 6 |
Use the configure crypto pki trustpoint ca-server-name import certificate command to import the signed certificate in WGB. The console terminal uses TFTP to import a certificate and the WGB tries to get the approved certificate from the TFTP. The filename to be written is appended with the .crt extension. |
|
Step 7 |
Use the show crypto pki trustpoint command to view the trustpoint summary. |
|
Step 8 |
Use the show crypto pki trustpoint trustpoint-name certificate command to view the content of the certificates that are created for a trustpoint. |
This task enables you to import a PKCS12 full certificate bundle for EAP-TLS authentication and private key configuration. This ensures secure communication and device authentication in WGB mode.
|
Step 1 |
Use configure crypto pki trustpoint trustpoint_name import pkcs12 tftp tftp://IP_ADDRESS/path_to_certificate password certificate_password command to import PKCS12 full certificate bundle for EAP-TLS authentication and private key. |
|
Step 2 |
(Optional) Use the show crypto pki trustpoint command to verify the downloaded PKCS12 certificate. |
Perform this task to ensure that the PKCS12 certificate is successfully downloaded and properly enrolled for WGB mode.
|
Use the Example: |
Perform these tasks to configure SSID.
Choose one of these authentication protocols to configure the SSID profile:
PSK WPA2 authentication
PSK Dot11r authentication, and
PSK Dot11w authentication.
Use the configure ssid-profile ssid-profile-name ssid radio-serv-name authentication open command to configure an SSID profile using open authentication.
Device#configure ssid-profile ssid-profile-name ssid radio-serv-name authentication open Choose one of these authentication protocols to configure an SSID profile using PSK authentication:
configure an SSID profile using PSK WPA2 authentication
configure an SSID profile using PSK Dot11r authentication, and
configure an SSID profile using PSK Dot11w authentication .
Use the configure ssid-profile ssid-profile-name ssid SSID_name authentication psk preshared-key key-management wpa2 command to configure an SSID profile using PSK WPA2 authentication.
Device#configure ssid-profile ssid-profile-name ssid SSID_name authentication psk preshared-key key-management wpa2Use the configure ssid-profile ssid-profile-name ssid SSID_name authentication psk preshared-key key-management dot11r command to configure an SSID profile using PSK Dot11r authentication.
Device#configure ssid-profile ssid-profile-name ssid SSID_name authentication psk preshared-key key-management dot11r Use the configure ssid-profile ssid-profile-name ssid SSID_name authentication psk preshared-key key-management dot11w command to configure an SSID profile using PSK Dot11w authentication
Device#configure ssid-profile ssid-profile-name ssid SSID_name authentication psk preshared-key key-management dot11w Use the configure ssid-profile ssid-profile-name ssid radio-serv-name authentication eap profile eap-profile-name key-management { dot11r | wpa2 | dot11w { optional | required}} command to configure an SSID profile using Dot1x authentication.
Device#configure ssid-profile ssid-profile-name ssid radio-serv-name authentication eap profile eap-profile-name key-management { dot11r | wpa2 | dot11w { optional | required}}Here is an example that shows the configuration of an SSID profile using Dot1x EAP-PEAP authentication:
Device#configure dot1x credential c1 username wgbusr password cisco123456
Device#configure eap-profile p1 dot1x-credential c1
Device#configure eap-profile p1 method peap
Device#configure ssid-profile iot-peap ssid iot-peap authentication eap profile p1 key-management wpa2
IW9165E does not have 2.4 GHz radio. You can configure only dot11radio 1 as uplink and operate in WGB mode.
Device#configure dot11radio 1 mode wgb ssid-profile ssid-profile-nameUse the configure dot11radio slot_id enable command to enable a radio interface.
Device#configure dot11radio 1 enableNote |
Use the configure dot11radio slot_id disable command to disable a radio interface. |
The CLI commands for timer configuration are same for both WGB and uWGB modes. Use these commands to configure timer:
Use the configure wgb association response timeout response-millisecs command to configure the WGB association response timeout.
Device#configure wgb association response timeout response-millisecs The default value is 100 milliseconds, and the valid range is between 100 and 5000 milliseconds.
Use the configure wgb authentication response timeout response-millisecs command to configure the WGB authentication response timeout.
Device#configure wgb authentication response timeout response-millisecs The default value is 100 milliseconds, and the valid range is between 100 and 5000 milliseconds.
Use the configure wgb eap timeout timeout-secs command to configure the WGB EAP timeout.
Device#configure wgb eap timeout timeout-secs The default value is 3 seconds, and the valid range is between 2 and 60 seconds.
Use the configure wgb bridge client timeout timeout-secs command to configure the WGB bridge client response timeout.
Device#configure wgb bridge client timeout timeout-secs The default timeout value is 300 seconds, and the valid range is between 10 and 1000000 seconds.
The universal WGB is able to interoperate with non-Cisco access points using uplink radio MAC address, thus the universal workgroup bridge role supports only one wired client.
Most WGB configurations apply to uWGB. The only difference is that you configure wired client’s MAC address with the following command:
configure dot11 <slot_id > mode uwgb <uwgb_wired_client_mac_address > ssid-profile <ssid-profile >
The following is an example of Dot1x FAST-EAP configuration:
configure dot1x credential demo-cred username demouser1 password Dem0Pass!@
configure eap-profile demo-eap-profile dot1x-credential demo-cred
configure eap-profile demo-eap-profile method fast
configure ssid-profile demo-FAST ssid demo-fast authentication eap profile demo-eap-profile key-management wpa2
configure dot11radio 1 mode uwgb fc58.220a.0704 ssid-profile demo-FAST
configure dot11radio 1 enable
The following sections provide detailed information about uWGB configuration:
Device#configure dot1x credential profile-name username name password pwdUse the show wgb eap dot1x credential profile command to view the status of WGB EAP Dot1x profile.
Device#show wgb eap dot1x credential profile Perform these steps to configure an EAP profile:
Attach the Dot1x credential profile to the EAP profile.
Attach the EAP profile to the SSID profile.
Attach the SSID profile to the radio.
|
Step 1 |
Use the configure eap-profile profile-name method { fast | leap | peap | tls} command to configure the EAP profile.
|
||
|
Step 2 |
Use the configure eap-profile profile-name trustpoint { default | name trustpoint-name} command to attach the CA trustpoint for TLS. By default, the WGB uses the internal MIC certificate for authentication. |
||
|
Step 3 |
Use the configure eap-profile profile-name dot1x-credential profile-name command to attach the dot1x-credential profile. |
||
|
Step 4 |
[Optional] Use the configure eap-profile profile-name delete command to delete an EAP profile. |
|
Step 1 |
Use the configure crypto pki trustpoint ca-server-name enrollment terminal command to create a trustpoint in WGB. |
||
|
Step 2 |
Use the configure crypto pki trustpoint ca-server-name authenticate command to authenticate a trustpoint manually. Enter the base 64 encoded CA certificate. Enter quit to finish the certificate.
Example: |
||
|
Step 3 |
Use the configure crypto pki trustpoint ca-server-name key-size key-length command to configure a private key size. |
||
|
Step 4 |
Use the configure crypto pki trustpoint ca-server-name subject-name name [Optional] 2ltr-country-code state-name locality org-name org-unit email command to configure the subject-name. |
||
|
Step 5 |
Use the configure crypto pki trustpoint ca-server-name enroll command to generate a private key and certificate signing request (CSR). Create the digitally signed certificate using the CSR output in the CA server. |
||
|
Step 6 |
Use the configure crypto pki trustpoint ca-server-name import certificate command to import the signed certificate in WGB. Enter the base 64 encoded CA certificate. Enter quit to finish the certificate. |
||
|
Step 7 |
[Optional] Use the configure crypto pki trustpoint trustpoint-name delete command to delete a trustpoint. |
||
|
Step 8 |
Use the show crypto pki trustpoint command to view the trustpoint summary. |
||
|
Step 9 |
Use the show crypto pki trustpoint trustpoint-name certificate command to view the content of the certificates that are created for a trustpoint. |
|
Step 1 |
Use the configure crypto pki trustpoint ca-server-name enrollment url ca-server-url command to enroll a trustpoint in the WGB using the server URL. |
||
|
Step 2 |
Use the configure crypto pki trustpoint ca-server-name authenticate command to authenticate a trustpoint. This command fetches the CA certificate from CA server automatically. |
||
|
Step 3 |
Use the configure crypto pki trustpoint ca-server-name key-size key-length command to configure a private key size. |
||
|
Step 4 |
Use the configure crypto pki trustpoint ca-server-name subject-name name [Optional] 2ltr-country-code state-name locality org-name org-unit email command to configure the subject-name. |
||
|
Step 5 |
Use the configure crypto pki trustpoint ca-server-name enroll command to enroll the trustpoint. Request the digitally signed certificate from the CA server. |
||
|
Step 6 |
Use the configure crypto pki trustpoint ca-server-name auto-enroll enable renew-percentage command to enable auto-enroll.
|
||
|
Step 7 |
[Optional] Use the configure crypto pki trustpoint trustpoint-name delete command to delete a trustpoint. |
||
|
Step 8 |
Use the show crypto pki trustpoint command to view the trustpoint summary. |
||
|
Step 9 |
Use the show crypto pki trustpoint trustpoint-name certificate command to view the details of the certificate for a specific trustpoint. |
||
|
Step 10 |
Use the show crypto pki timers command to view the public key infrastructure (PKI) timer information. show crypto pki timers |
|
Step 1 |
Specify the enrollment method. Use the configure crypto pki trustpoint ca-server-name enrollment tftp tftp-addr/file-name command to retrieve the CA and client certificate for a trustpoint. |
|
Step 2 |
Use the configure crypto pki trustpoint ca-server-name authenticate command to authenticate a trustpoint manually. This retrieves and authenticates the CA certificate from the specified TFTP server. If the file specification is included, the WGB adds the extension .ca to the specified filename. |
|
Step 3 |
Use the configure crypto pki trustpoint ca-server-name key-size key-length command to configure a private key size. |
|
Step 4 |
Use the configure crypto pki trustpoint ca-server-name subject-name name [Optional] 2ltr-country-code state-name locality org-name org-unit email command to configure the subject-name. |
|
Step 5 |
Use the configure crypto pki trustpoint ca-server-name enroll command to generate a private key and Certificate Signing Request (CSR). This generates certificate request and sends the request to the TFTP server. The filename to be written is appended with the .req extension. |
|
Step 6 |
Use the configure crypto pki trustpoint ca-server-name import certificate command to import the signed certificate in WGB. The console terminal uses TFTP to import a certificate and the WGB tries to get the approved certificate from the TFTP. The filename to be written is appended with the .crt extension. |
|
Step 7 |
Use the show crypto pki trustpoint command to view the trustpoint summary. |
|
Step 8 |
Use the show crypto pki trustpoint trustpoint-name certificate command to view the content of the certificates that are created for a trustpoint. |
SSID configuration consists of the following two parts:
Choose one of these authentication protocols to configure the SSID profile:
PSK WPA2 authentication
PSK Dot11r authentication, and
PSK Dot11w authentication.
Use the configure ssid-profile ssid-profile-name ssid radio-serv-name authentication open command to configure an SSID profile using open authentication.
Device#configure ssid-profile ssid-profile-name ssid radio-serv-name authentication open Choose one of these authentication protocols to configure an SSID profile using PSK authentication:
configure an SSID profile using PSK WPA2 authentication
configure an SSID profile using PSK Dot11r authentication, and
configure an SSID profile using PSK Dot11w authentication .
Use the configure ssid-profile ssid-profile-name ssid SSID_name authentication psk preshared-key key-management wpa2 command to configure an SSID profile using PSK WPA2 authentication.
Device#configure ssid-profile ssid-profile-name ssid SSID_name authentication psk preshared-key key-management wpa2Use the configure ssid-profile ssid-profile-name ssid SSID_name authentication psk preshared-key key-management dot11r command to configure an SSID profile using PSK Dot11r authentication.
Device#configure ssid-profile ssid-profile-name ssid SSID_name authentication psk preshared-key key-management dot11r Use the configure ssid-profile ssid-profile-name ssid SSID_name authentication psk preshared-key key-management dot11w command to configure an SSID profile using PSK Dot11w authentication
Device#configure ssid-profile ssid-profile-name ssid SSID_name authentication psk preshared-key key-management dot11w Use the configure ssid-profile ssid-profile-name ssid radio-serv-name authentication eap profile eap-profile-name key-management { dot11r | wpa2 | dot11w { optional | required}} command to configure an SSID profile using Dot1x authentication.
Device#configure ssid-profile ssid-profile-name ssid radio-serv-name authentication eap profile eap-profile-name key-management { dot11r | wpa2 | dot11w { optional | required}}Here is an example that shows the configuration of an SSID profile using Dot1x EAP-PEAP authentication:
Device#configure dot1x credential c1 username wgbusr password cisco123456
Device#configure eap-profile p1 dot1x-credential c1
Device#configure eap-profile p1 method peap
Device#configure ssid-profile iot-peap ssid iot-peap authentication eap profile p1 key-management wpa2
IW9165E does not have 2.4 GHz radio. Only slot 1 (dot11radio 1) can be configured as uplink.
Map a radio interface to a WGB SSID profile by entering this command:
# configure dot11radio 1 mode uwgb client-mac-address ssid-profile ssid-profile-name
Configure a radio interface by entering this command:
# configure dot11radio 1 { enable | disable }
Example
# configure dot11radio 1 disableUse the configure ap address ipv4 dhcp command to configure IPv4 address using DHCP.
Device#configure ap address ipv4 dhcp Device#configure ap address ipv4 static ipv4_addr netmask gatewayUse show ip interface brief command to view the current IP address configuration.
Device#show ip interface briefUse the configure ap address ipv6 static ipv6_addr prefixlen [gateway] command to configure the static IPv6 address. This configuration allows you to manage the AP through a wired interface without uplink connection.
Device#configure ap address ipv6 static ipv6_addr prefixlen [gateway]Use the configure ap address ipv6 auto-config enable command to enable the IPv6 auto configuration on the AP.
Device#configure ap address ipv6 auto-config enable Note |
|
Device#configure ap address ipv6 dhcp Use the show ipv6 interface brief command to verify current IP address configuration.
Device#show ipv6 interface briefSyslogs are a category of protocols that send event data logs to a centralized location for storage and analysis. These are widely used for monitoring and troubleshooting network devices by capturing event messages. The term Syslog may also refer to the protocol itself or the system that implements it.
Protocol Type: Syslog is a standardized protocol commonly used for logging system events.
Transport Protocol: Currently, Syslog supports only UDP mode for data transmission.
Debug Log Collection: When the debug command is enabled on a WGB, it collects debug logs and sends them to the Syslog server.
Log Categorization: Logs sent to the Syslog server from WGB are categorized under the "kernel facility" and logged at the "warning level."
Use the configure dot11radio <radio_slot_id > mode uwgb <WIRED_CLIENT_MAC > ssid-profile <SSID_PROFILE_NAME > command to convert from WGB to uWGB mode.
Device#configure dot11radio <radio_slot_id> mode uwgb <WIRED_CLIENT_MAC> ssid-profile <SSID_PROFILE_NAME>Use the configure dot11radio <radio_slot_id > mode wgb ssid-profile <SSID_PROFILE_NAME > command to convert from uWGB to WGB mode. This conversion involves rebooting of the AP.
Device#configure dot11radio 1 mode wgb ssid-profile <SSID_PROFILE_NAME>
This command will reboot with downloaded configs.
Are you sure you want continue? [confirm]There are two LEDs located at the front of AP panel:
System status LED
RSSI status LED
|
1 |
System status LED
|
2 |
RSSI status LED
|
When configuring WGB mode for moving deployments, you can manually configure the transmission rate limit using the high throughput (HT) modulation and coding scheme (MCS).
Example of WGB configuration with transmission rate of 802.11n HT m4. m5. rate:
Config dot11radio [1 |2 ] 802.11ax disable
Config dot11radio [1 |2 ] 802.11ac disable
Config dot11radio [1 |2 ] speed ht-mcs m4. m5.
Note |
You can configure legacy rate using WGB. Config dot11radio [1 |2 ] speed legacy-rate basic-6.0 9.0 12.0 18.0 24.0 Both 802.11 management and control frames use legacy rates. The WGB's legacy rates should match or overlap with the AP's legacy rates; otherwise, the WGB association fails. |
Use the debug wgb dot11 rate command to check WGB Tx MCS rate. Here is an example that shows the output of this command.
The debug wgb dot11 rate command displays debugging information related to data rates negotiated. It helps troubleshoot connectivity, performance, or roaming issues by showing how the WGB selects and uses data rates when communicating with the access point.
Device# debug wgb dot11 rate
[*03/13/2023 18:00:08.7814] MAC Tx-Pkts Rx-Pkts Tx-Rate(Mbps) Rx-Rate(Mbps) RSSI SNR Tx-Retries
[*03/13/2023 18:00:08.7814] FC:58:9A:17:C2:51 0 0 HE-20,2SS,MCS6,GI0.8 (154) HE-20,3SS,MCS4,GI0.8 (154) -30 62 0
[*03/13/2023 18:00:09.7818] FC:58:9A:17:C2:51 0 0 HE-20,2SS,MCS6,GI0.8 (154) HE-20,3SS,MCS4,GI0.8 (154) -30 62 0
In this example, FC:58:9A:17:C2:51 is the parent AP radio MAC.
The show interfaces dot11Radio slot-idstatistics command displays detailed statistics for a wireless radio interface. It provides information such as transmitted and received packets, errors, retries, signal quality, and other performance metrics. This is useful for monitoring the health of the radio interface, identifying connectivity issues, and troubleshooting wireless performance.
Device# show interfaces dot11Radio 1 statistics
Dot11Radio Statistics:
DOT11 Statistics (Cumulative Total/Last 5 Seconds):
RECEIVER TRANSMITTER
Host Rx K Bytes: 965570/0 Host Tx K Bytes: 1611903/0
Unicasts Rx: 379274/0 Unicasts Tx: 2688665/0
Broadcasts Rx: 3166311/0 Broadcasts Tx: 0/0
Beacons Rx: 722130099/1631 Beacons Tx: 367240960/784
Probes Rx: 588627347/2224 Probes Tx: 78934926/80
Multicasts Rx: 3231513/0 Multicasts Tx: 53355/0
Mgmt Packets Rx: 764747086/1769 Mgmt Packets Tx: 446292853/864
Ctrl Frames Rx: 7316214/5 Ctrl Frames Tx: 0/0
RTS received: 0/0 RTS transmitted: 0/0
Duplicate frames: 0/0 CTS not received: 0/0
MIC errors: 0/0 WEP errors: 2279546/0
FCS errors: 0/0 Retries: 896973/0
Key Index errors: 0/0 Tx Failures: 8871/0
Tx Drops: 0/0
Rate Statistics for Radio::
[Legacy]:
6 Mbps:
Rx Packets: 159053/0 Tx Packets: 88650/0
Tx Retries: 2382/0
9 Mbps:
Rx Packets: 43/0 Tx Packets: 23/0
Tx Retries: 71/0
12 Mbps:
Rx Packets: 1/0 Tx Packets: 119/0
Tx Retries: 185/0
18 Mbps:
Rx Packets: 0/0 Tx Packets: 5/0
Tx Retries: 134/0
24 Mbps:
Rx Packets: 235/0 Tx Packets: 20993/0
Tx Retries: 5048/0
36 Mbps:
Rx Packets: 0/0 Tx Packets: 781/0
Tx Retries: 227/0
54 Mbps:
Rx Packets: 133/0 Tx Packets: 9347/0
Tx Retries: 1792/0
[SU]:
M0:
Rx Packets: 7/0 Tx Packets: 0/0
Tx Retries: 6/0
M1:
Rx Packets: 1615/0 Tx Packets: 35035/0
Tx Retries: 3751/0
M2:
Rx Packets: 15277/0 Tx Packets: 133738/0
Tx Retries: 22654/0
M3:
Rx Packets: 10232/0 Tx Packets: 1580/0
Tx Retries: 21271/0
M4:
Rx Packets: 218143/0 Tx Packets: 190408/0
Tx Retries: 36444/0
M5:
Rx Packets: 399283/0 Tx Packets: 542491/0
Tx Retries: 164048/0
M6:
Rx Packets: 3136519/0 Tx Packets: 821537/0
Tx Retries: 329003/0
M7:
Rx Packets: 1171128/0 Tx Packets: 303414/0
Tx Retries: 154014/0
Beacons missed: 0-30s 31-60s 61-90s 90s+
2 0 0 0
The show wgb dot11 uplink latency command displays latency statistics for the Workgroup Bridge (WGB) uplink connection to the access point (AP). It helps measure the time taken for frames to traverse from the WGB to the AP, providing insight into wireless link performance and potential delay issues.
AP# show wgb dot11 uplink latency
Latency Group Total Packets Total Latency Excellent(0-8) Very Good(8-16) Good (16-32 ms) Medium (32-64ms) Poor (64-256 ms) Very Poor (256+ ms)
AC_BK 0 0 0 0 0 0 0 0
AC_BE 1840 4243793 1809 10 14 7 0 0
AC_VI 0 0 0 0 0 0 0 0
AC_VO 24 54134 24 0 0 0 0 0
The show wgb dot11 uplink command displays information about the Workgroup Bridge (WGB) uplink to the access point (AP). It provides details such as the associated SSID, BSSID, channel, signal strength, data rates, authentication type, and overall status of the uplink connection. This is useful for verifying connectivity and monitoring the WGB’s wireless link to the AP.
AP# show wgb dot11 uplink
HE Rates: 1SS:M0-11 2SS:M0-11
Additional info for client 8C:84:42:92:FF:CF
RSSI: -24
PS : Legacy (Awake)
Tx Rate: 278730 Kbps
Rx Rate: 410220 Kbps
VHT_TXMAP: 65530
CCX Ver: 5
Rx Key-Index Errs: 0
mac intf TxData TxUC TxBytes TxFail TxDcrd TxCumRetries MultiRetries MaxRetriesFail RxData RxBytes RxErr TxRt(Mbps) RxRt(Mbps) LER PER stats_ago
8C:84:42:92:FF:CF wbridge1 1341 1341 184032 0 0 543 96 0 317 33523 0 HE-40,2SS,MCS6,GI0.8 (309) HE-40,2SS,MCS9,GI0.8 (458) 27272 0 1.370000
Per TID packet statistics for client 8C:84:42:92:FF:CF
Priority Rx Pkts Tx Pkts Rx(last 5 s) Tx (last 5 s)
0 35 1314 0 8
1 0 0 0 0
2 0 0 0 0
3 0 0 0 0
4 0 0 0 0
5 0 0 0 0
6 182 24 1 0
7 3 3 0 0
Rate Statistics:
Rate-Index Rx-Pkts Tx-Pkts Tx-Retries
0 99 3 0
4 1 1 9
5 21 39 35
6 31 185 64
7 26 124 68
8 28 293 82
9 77 401 151
10 32 140 97
11 2 156 37
For WGB field deployment, event logging will collect useful information (such as WGB state change and packets rx/tx) to analyze and provide log history to present context of problem, especially in roaming cases.
You can configure WGB trace filter for all management packet types, including probe, auth, assoc, eap, dhcp, icmp, and arp. To enable or disable WGB trace, use the following command:
#config wgb event trace {enable |disable }
Four kinds of event types are supported:
Basic event: covers most WGB basic level info message
Detail event: covers basic event and additional debug level message
Trace event: recording wgb trace event if enabled
All event: bundle trace event and detail event
The log format is [timestamp] module:level <event log string>.
When abnormal situations happen, the eventlog messages can be dumped manually to memory by using the following show command which also displays WGB logging:
#show wgb event [basic |detail |trace |all ]
The following example shows the output of show wgb event all:
APC0F8.7FE5.F3C0#show wgb event all
[*08/16/2023 08:18:25.167578] UP_EVT:4 R1 IFC:58:9A:17:B3:E7] parent_rssi: -42 threshold: -70
[*08/16/2023 08:18:25.329223] UP_EVT:4 R1 State CONNECTED to SCAN_START
[*08/16/2023 08:18:25.329539] UP_EVT:4 R1 State SCAN_START to STOPPED
[*08/16/2023 08:18:25.330002] UP_DRV:1 R1 WGB UPLINK mode stopped
[*08/16/2023 08:18:25.629405] UP_DRV:1 R1 Delete client FC:58:9A:17:B3:E7
[*08/16/2023 08:18:25.736718] UP_CFG:8 R1 configured for standard: 7
[*08/16/2023 08:18:25.989936] UP_CFG:4 R1 band 1 current power level: 1
[*08/16/2023 08:18:25.996692] UP_CFG:4 R1 band 1 set tx power level: 1
[*08/16/2023 08:18:26.003904] UP_DRV:1 R1 WGB uplink mode started
[*08/16/2023 08:18:26.872086] UP_EVT:4 Reset aux scan
[*08/16/2023 08:18:26.872096] UP_EVT:4 Pause aux scan on slot 2
[*08/16/2023 08:18:26.872100] SC_MST:4 R2 reset uplink scan state to idle
[*08/16/2023 08:18:26.872104] UP_EVT:4 Aux bring down vap - scan
[*08/16/2023 08:18:26.872123] UP_EVT:4 Aux bring up vap - serv
[*08/16/2023 08:18:26.872514] UP_EVT:4 R1 State STOPPED to SCAN_START
[*08/16/2023 08:18:26.8727091 SC_MST:4 R1 Uplink Scan Started.
[*08/16/2023 08:18:26.884054] UP_EVT:8 R1 CH event 149Note |
It might take a long time to display the show wgb event command output in console. Using ctrl+c to interrupt the printing will not affect log dump to memory. |
The following clear command erases WGB events in memory:
#clear wgb event [basic |detail |trace |all ]
To save all event logs to WGB flash, use the following command:
#copy event-logging flash
The package file consists of four separate log files for different log levels.
You can also save event log to a remote server by using the following command:
#copy event-logging upload < tftp| sftp| scp>://A.B.C.D[/ dir][/ filename.tar.gz]
The following example saves event log to a TFTP server:
APC0F8.7FE5.F3C0#copy event-logging upload tftp://192.168.100.100/tftpuser/evtlog-2023-05-31_11:45:49.tar.gz
Starting upload of WGB config tftp://192.168.100.100/tftpuser/evtlog-2023-05-31_11:45:49.tar.gz ...
It may take a few seconds. If longer, please cancel command, check network and try again.
######################################################################## 100.0%
Config upload completed.
The 802.11v is a wireless network management standard that
enables network-assisted roaming to optimize client connectivity,
helps balance client load by providing guidance to client devices, and
improves wireless performance through enhanced management frames and procedures.
802.11v is part of the IEEE 802.11 family of Wi-Fi standards. It includes features such as network-assisted roaming, which allows network infrastructure (such as wireless controllers) to direct clients to better access points (APs), reducing congestion and improving overall network efficiency.
When 802.11v support is enabled on a Workgroup Bridge (WGB), it enhances roaming by enabling the WGB to proactively select optimal APs based on updated neighborhood information:
The WGB can actively initiate roaming to suitable APs from dynamically updated lists.
Periodic checks ensure that the WGB maintains the most accurate AP neighbor data, enabling optimal decisions during roaming.
The Basic Service Set (BSS) Transition Request frame includes channel information of neighboring APs. Limiting scanning to these specified channels significantly reduces roaming latency in environments that use multiple channels.
The Wireless LAN Controller (WLC) can disassociate a client based on factors such as AP load, Received Signal Strength Indicator (RSSI), and data rate. Key points include:
The WLC can notify 802.11v-enabled clients of an impending disassociation through the BSS transition management request frame.
If the client fails to re-associate with another AP within a configurable time, the disassociation is enforced.
Administrators can enable the disassociation-imminent configuration on the WLC, which activates the optional field within the BSS transition management request frame.
For detailed information of 802.11v configuration on the WLC, see Cisco Catalyst 9800 Series Wireless Controller Software Configuration Guide.
You can configure aux-scan mode as either scanning-only or handoff mode on WGB radio 2 (5 GHz) to improve roaming performance.
When slot 2 radio is configured as scanning only mode, slot 1 (5G) radio will always be picked as uplink. Slot 2 (5G) radio will keep scanning configured SSID based on the channel list. By default, the channel list contains all supported 5G channels (based on reg domain). The scanning list can be configured manually or learned by 802.11v.
When roaming is triggered, the algorithm looks for candidates from scanning table and skips scanning phase if the table is not empty. WGB then makes an assocaition to that candidate AP.
Device#configure dot11Radio 2 mode scan onlyUse the configure wgb mobile station interface dot11Radio 1 scan <channel > add command to manually add the channel to the channel list.
Device#configure wgb mobile station interface dot11Radio 1 scan <channel> [add|delete]Note |
Use the configure wgb mobile station interface dot11Radio 1 scan <channel > delete command to manually delete the channel from the channel list. |
Use the configure wgb scan radio 2 timeout1500 command to adjust the timer. By default, candidate AP entries in scanning table are automatically removed in 1200 ms.
Device#configure wgb scan radio 2 timeout 1500Note |
|
Use show wgb scan command to verify the scanning table.
Device#show wgb scan
Best AP expire time: 5000 ms
************[ AP List ]***************
BSSID RSSI CHANNEL Time
FC:58:9A:15:E2:4F 84 136 1531
FC:58:9A:15:DE:4F 37 136 41
***********[ Best AP ]****************
BSSID RSSI CHANNEL Time
FC:58:9A:15:DE:4F 37 136 41
An Aux-Scan handoff mode is a wireless radio configuration that
allows both radios (radio 1 and radio 2) to serve as uplink connections,
supports dynamic switching of roles and traffic between radios after each roaming event, and
enables efficient roaming by using a scanning radio to associate with the best available access point.
The Aux-Scan scanning list can be manually configured or learned automatically using the 802.11v standard. This handoff mode improves roaming performance by quickly associating with the best available access point.
The radio 2 shares the same MAC address with the radio 1 and supports scanning, association, and data serving. Both radios can operate in either a serving or scanning role. After each roaming event, the roles and traffic automatically switch between radio 1 and radio 2.
When roaming is triggered, the system algorithm checks the scanning database for the best AP to establish a connection. WGB always uses the radio in the scanning role to complete the roaming association with the new AP. This configuration reduces roaming interruptions to between 20 and 50 milliseconds.
This table shows an example of aux-scan handoff radio mode configuration on IW9165E:
|
Slot 0 (2.4 G) |
Slot 1 (5G) |
Slot 2 (5G only) |
Slot 3 (scanning radio) |
|---|---|---|---|
|
N/A |
WGB |
Scan handoff |
N/A |
This table shows how long roaming interruptions last for different methods when using three different modes:
|
Roaming interruption time |
Normal channel setting |
Aux-Scan only |
Aux-Scan Handoff |
|---|---|---|---|
|
Scanning |
(40+20)*3=180 ms |
0-40 ms |
0 ms |
|
Association |
30-80 ms |
30-80 ms |
20-50 ms |
|
Total |
~210 ms |
70-120 ms |
20-50 ms |
One-to-one (1:1) Layer 2 NAT allows you to assign a unique public IP address to an existing private IP address (end device). This enables the end device to communicate with a public network.
Layer 2 NAT maintains two translation tables:
private-to-public subnet translations
public-to-private subnet translations
In industrial deployments, such as Human Machine Interfaces (HMIs) or robots, the same firmware is often programmed on every machine. This results in duplicate IP addresses across multiple devices. Layer 2 NAT resolves this issue by enabling devices with duplicate private IP addresses to communicate with public networks.
In this scenario, the end client (172.16.1.36) connected to WGB needs to communicate with the server (192.168.150.56) connected to the gateway. Layer 2 NAT provides an address for the end client on the outside network (192.168.150.36) and an address for the server on the inside network (172.16.1.56).
This example displays Layer 2 NAT configuration details. In the output, I2O means 'inside to outside' and O2I means 'outside to inside.
Device# show l2nat config
L2NAT Configuration are:
===================================
Status: enabled
Default Vlan: 0
The Number of L2nat Rules: 4
Dir Inside Outside Vlan
O2I 172.16.1.56 192.168.150.56 0
I2O 172.16.1.36 192.168.150.36 0
I2O 172.16.1.255 192.168.150.255 0
I2O 172.16.1.1 192.168.150.1 0
This example displays the Layer 2 NAT rules.
Device# show l2nat rule
Dir Inside Outside Vlan
O2I 172.16.1.56 192.168.150.56 0
I2O 172.16.1.36 192.168.150.36 0
I2O 172.16.1.255 192.168.150.255 0
I2O 172.16.1.1 192.168.150.1 0
This example displays the current Layer 2 NAT entries.
Device# show l2nat entry
Direction Original Substitute Age Reversed
inside-to-outside 172.16.1.36@0 192.168.150. 36@0 -1 false
inside-to-outside 172.16.1.56@0 192.168.150. 56@0 -1 true
inside-to-outside 172.16.1.1@0 192.168.150. 1@0 -1 false
inside-to-outside 172.16.1.255@0 192.168.150. 255@0 -1 false
outside-to-inside 192.168.150.36@0 172.16.1.36@0 -1 true
outside-to-inside 192.168.150.56@0 172.16.1.56@0 -1 false
outside-to-inside 192.168.150.1@0 172.16.1.1@0 -1 true
outside-to-inside 192.168.150.255@0 172.16.1.255@0 -1 true
This example displays the WGB wired clients over the bridge.
Before Layer 2 NAT is enabled:
Device# show wgb bridge
***Client ip table entries***
mac vap port vlan_id seen_ip confirm_ago fast_brg
B8:AE:ED:7E:46:EB 0 wired0 0 172.16.1.36 0.360000 true
24:16:1B:F8:05:0F 0 wbridge1 0 0.0.0.0 3420.560000 true
After Layer 2 NAT is enabled:
Device# show wgb bridge
***Client ip table entries***
mac vap port vlan_id seen_ip confirm_ago fast_brg
B8:AE:ED:7E:46:EB 0 wired0 0 192.168.150.36 0.440000 true
24:16:1B:F8:05:0F 0 wbridge1 0 0.0.0.0 3502.220000 true
Note |
If the wired client in NAT experiences E2E traffic issues, you can restart the client registration process by using the clear wgb client single command: |
This example displays the Layer 2 NAT packet translation statistics.
Device# show l2nat stats
Direction Original Substitute ARP IP ICMP UDP TCP
inside-to-outside 172.16.1.1@2660 192.168.150.1@2660 1 4 4 0 0
inside-to-outside 172.16.1.36@2660 192.168.150.36@2660 3 129 32 90 1
inside-to-outside 172.16.1.56@2660 192.168.150.56@2660 2 114 28 85 1
inside-to-outside 172.16.1.255@2660 192.168.150.255@2660 0 0 0 0 0
outside-to-inside 192.168.150.1@2660 172.16.1.1@2660 1 4 4 0 0
outside-to-inside 192.168.150.36@2660 172.16.1.36@2660 3 39 38 0 1
outside-to-inside 192.168.150.56@2660 172.16.1.56@2660 2 35 34 0 1
outside-to-inside 192.168.150.255@2660 172.16.1.255@2660 0 0 0 0 0
Note |
To reset the statistics, you can use the clear l2nat stats command. |
In this scenario, Layer 2 NAT translates inside addresses in the 172.16.1.0/24 subnet to addresses in the 192.168.150.0/24 subnet, replacing only the network prefix during translation. The host bits remain the same.
The command used for this scenario is here:
Device# configure l2nat add inside from network 172.16.1.0 to 192.168.150.0 255.255.255.0In a typical Workgroup Bridge (WGB) deployment, a single wired client connects directly to the WGB Ethernet port. Consequently, the wired client traffic must reside on the same VLAN as the WGB management VLAN. If you require the wired client traffic to be on a different VLAN than the WGB management VLAN, configure the native VLAN on the Ethernet port.
Important |
Configuring native VLAN ID per Ethernet port is not supported. Both Ethernet ports share the same native VLAN configuration. |
 Caution |
When WGB broadcast tagging is enabled and a single wired passive client connects directly to the WGB Ethernet port, an issue
may arise where the infrastructure downstream (DS) side client fails to ping the WGB behind the passive client. To resolve
this, configure the following commands: |
To verify your configuration, use the show wgb ethport config or show running-config command.
Low latency profiles are configurations that optimize IEEE 802.11 networks to meet the low latency and Quality of Service (QoS) requirements essential for IoT applications. IEEE 802.11 networks play a vital role in enabling IoT applications by providing mechanisms that reduce latency and ensure QoS. The following features are key to achieving these goals:
Enhanced Distributed Channel Access (EDCA): EDCA parameters prioritize wireless channel access for latency-sensitive traffic, such as voice and video streams, ensuring consistent QoS performance.
Aggregated MAC Protocol Data Unit (AMPDU): This mechanism combines multiple data frames into a single transmission, reducing overhead and improving efficiency.
Packet Retry (Aggregated or Non-Aggregated): The retry mechanism ensures successful data delivery, either by retransmitting aggregated packets or individual packets, depending on network conditions.
These features collectively support the deployment of IoT devices and applications that demand low latency and high QoS in wireless environments.
To configure optimized low latency profile for video use case, use the following command:
#configure dot11Radio <radio_slot_id > profile optimized-video {enable | disable }
Use the following command to verify the configuration:
WGB1#show controllers dot11Radio 1
EDCA profile: optimized-video
EDCA in use
=============
AC Type CwMin CwMax Aifs Txop ACM
AC_BE L 4 10 11 0 0
AC_BK L 6 10 11 0 0
AC_VI L 3 4 2 94 0
AC_VO L 2 3 1 47 0
Packet parameters in use
=============
wbridge1 A-MPDU Priority 0: Enabled
wbridge1 A-MPDU Priority 1: Enabled
wbridge1 A-MPDU Priority 2: Enabled
wbridge1 A-MPDU Priority 3: Enabled
wbridge1 A-MPDU Priority 4: Disabled
wbridge1 A-MPDU Priority 5: Disabled
wbridge1 A-MPDU Priority 6: Disabled
wbridge1 A-MPDU Priority 7: Disabled
wbridge1 A-MPDU subframe number: 3
wbridge1 Packet retries drop threshold: 16To configure optimized low latency profile for automation use case, use the following command:
#configure dot11Radio <radio_slot_id > profile optimized-automation {enable | disable }
Use the following command to verify the configuration:
WGB1#show controllers dot11Radio 1
EDCA profile: optimized-automation
EDCA in use
=============
AC Type CwMin CwMax Aifs Txop ACM
AC_BE L 7 10 12 0 0
AC_BK L 8 10 12 0 0
AC_VI L 7 7 3 0 0
AC_VO L 3 3 1 0 0
Packet parameters in use
=============
wbridge1 A-MPDU Priority 0: Enabled
wbridge1 A-MPDU Priority 1: Enabled
wbridge1 A-MPDU Priority 2: Enabled
wbridge1 A-MPDU Priority 3: Enabled
wbridge1 A-MPDU Priority 4: Disabled
wbridge1 A-MPDU Priority 5: Disabled
wbridge1 A-MPDU Priority 6: Disabled
wbridge1 A-MPDU Priority 7: Disabled
wbridge1 A-MPDU subframe number: 3
wbridge1 Packet retries drop threshold: 16To configure customized Wi-Fi Multimedia (WMM) profile, use the following command:
#configure dot11Radio <radio_slot_id > profile customized-wmm {enable | disable }
To configure customized WMM profile parameters, use the following command:
#configure dot11Radio {0 |1 |2 } wmm {be | vi | vo | bk } {cwmin <cwmin_num > | cwmax <cwmax_num > | aifs <aifs_num > | txoplimit <txoplimit_num >}
Parameter descriptions:
be—best-effort traffic queue (CS0 and CS3)
bk—background traffic queue (CS1 and CS2)
vi—video traffic queue (CS4 and CS5)
vo—voice traffic queue (CS6 and CS7)
aifs—Arbitration Inter-Frame Spacing, <1-15> in units of slot time
cwmin—Contention Window min, <0-15> 2^n-1, in units of slot time
cwmax—Contention Window max, <0-15> 2^n-1, in units of slot time
txoplimit—Transmission opportunity time, <0-255> integer number, in units of 32us
Use the following command to configure low latency profile on WGB:
AP# configure dot11Radio <radio_slot_id > profile low-latency [ampdu <length >] [sifs-burst {enable | disable }] [rts-cts {enable | disable }] [non-aggr <length >] [aggr <length >]
Use the following command to display iot-low-latency profile EDCA detailed parameters:
#show controllers dot11Radio 1 | beg EDCA
EDCA config
L: Local C:Cell A:Adaptive EDCA params
AC Type CwMin CwMax Aifs Txop ACM
AC_BE L 4 6 11 0 0
AC_BK L 6 10 11 0 0
AC_VI L 3 4 1 0 0
AC_VO L 0 2 0 0 1
AC_BE C 4 10 11 0 0
AC_BK C 6 10 11 0 0
AC_VI C 3 4 2 94 0
AC_VO C 2 3 1 47 1
|
Step 1 |
Choose Configuration > Radio Configurations > Parameters. Using this page, you can configure global parameters for 6 GHz, 5 GHz, and 2.4 GHz radios.
|
||
|
Step 2 |
In the EDCA Parameters section, choose an EDCA profile from the EDCA Profile drop-down list. Enhanced Distributed Channel Access (EDCA) parameters are designed to provide preferential wireless channel access for voice, video, and other quality-of-service (QoS) traffic. 
|
||
|
Step 3 |
Click Apply. |
|
Step 1 |
Enters global configuration mode. configure terminal Example: |
|
Step 2 |
Disables the radio network. ap dot11 {5ghz | 24ghz | 6ghz } shutdown Example: |
|
Step 3 |
Enables iot-low-latency EDCA profile for the 5 GHz, 2.4 GHz, or 6 GHz network. ap dot11 {5ghz | 24ghz | 6ghz } edca-parameters iot-low-latency Example: |
|
Step 4 |
Enables the radio network. no ap dot11 {5ghz | 24ghz | 6ghz } shutdown Example: |
|
Step 5 |
Returns to privileged EXEC mode. end Example: |
|
Step 6 |
Displays the current configuration. show ap dot11 {5ghz | 24ghz | 6ghz } network Example: |
Aggregation is the process of grouping packet data frames together, rather than transmitting them separately. Two aggregation methods are available: Aggregated MAC Protocol Data Unit (A-MPDU) and Aggregated MAC Service Data Unit (A-MSDU).
The A-MPDU parameters define the size of an aggregated packet and define the proper spacing between aggregated packets so that the receive side WLAN station can decode the packet properly.
To configure profiled based A-MPDU under 2.4G, 5G and 6G radio, use the following commands:
WLC(config)# ap dot11 {5ghz | 24ghz | 6ghz } rf-profile <profile-name >
WLC(config-rf-profile)# [no ] dot11n a-mpdu tx block-ack window-size <1-255 >
Global configuration is a special profile which can also be configured bu using the following command:
WLC(config)#[no ] ap dot11 {5ghz | 24ghz | 6ghz } dot11n a-mpdu tx block-ack window-size <1-255 >
To bind different RF profiles with the radio RF tag, use the following command:
WLC(config)# wireless tag rf <rf-tag-name >
WLC (config-wireless-rf-tag)# 5ghz-rf-policy <rf-profile-name >
Note |
RF profile level configured a-mpdu tx block-ack window-size value takes preference over globally configured value. |
To display configured a-mpdu length value, use the following command:
# show controllers dot11Radio <radio_slot_id >
AP# show controllers dot11Radio 1
Radio Aggregation Config:
=========================
TX A-MPDU Priority: 0x3f
TX A-MSDU Priority: 0x3f
TX A-MPDU Window: 0x7fYou can upload the current configuration of an existing WGB to a server and then you can download it for newly deployed WGBs.
Use the copy configuration upload <sftp:|tftp:> ip-address [directory] [file-name] command to upload the working configuration of an existing WGB to a server.
Device#copy configuration upload <sftp:|tftp:> ip-address [directory] [file-name]Use the copy configuration download <sftp:|tftp:> ip-address [directory] [file-name] command to download a sample configuration to all WGBs in the deployment.
Device#copy configuration download <sftp:|tftp:> ip-address [directory] [file-name]Note |
When you execute the copy configuration download command, the AP starts to reboot. The new configuration takes effect only after the reboot. |
Use the show run command to check whether the AP is in WGB mode or uWGB mode.
WGB:
Device#show run
AP Name : APFC58.9A15.C808
AP Mode : WorkGroupBridge
CDP State : Enabled
Watchdog monitoring : Enabled
SSH State : Disabled
AP Username : admin
Session Timeout : 300
Radio and WLAN-Profile mapping:-
====================================
Radio ID Radio Mode SSID-Profile SSID
Authentication
--------------------------------------------------------------------------------
--------------------------
1 WGB myssid demo
OPEN
Radio configurations:-
===============================
Radio Id : NA
Admin state : NA
Mode : NA
Radio Id : 1
Admin state : DISABLED
Mode : WGB
Dot11 type : 11ax
Radio Id : NA
Admin state : NA
Mode : NA
uWGB:
Device#show run
AP Name : APFC58.9A15.C808
AP Mode : WorkGroupBridge
CDP State : Enabled
Watchdog monitoring : Enabled
SSH State : Disabled
AP Username : admin
Session Timeout : 300
Radio and WLAN-Profile mapping:-
====================================
Radio ID Radio Mode SSID-Profile SSID
Authentication
--------------------------------------------------------------------------------
--------------------------
1 UWGB myssid demo
OPEN
Radio configurations:-
===============================
Radio Id : NA
Admin state : NA
Mode : NA
Radio Id : 1
Admin state : DISABLED
Mode : UWGB
Uclient mac : 0009.0001.0001
Current state : WGB
UClient timeout : 0 Sec
Dot11 type : 11ax
Radio Id : NA
Admin state : NA
Mode : NA
Use the show wgb dot11 associations command to view the WGB and uWGB configuration.
WGB:
Device#show wgb dot11 associations
Uplink Radio ID : 1
Uplink Radio MAC : 00:99:9A:15:B4:91
SSID Name : roam-m44-open
Parent AP Name : APFC58.9A15.C964
Parent AP MAC : 00:99:9A:15:DE:4C
Uplink State : CONNECTED
Auth Type : OPEN
Dot11 type : 11ax
Channel : 100
Bandwidth : 20 MHz
Current Datarate (Tx/Rx) : 86/86 Mbps
Max Datarate : 143 Mbps
RSSI : 53
IP : 192.168.1.101/24
Default Gateway : 192.168.1.1
IPV6 : ::/128
Assoc timeout : 100 Msec
Auth timeout : 100 Msec
Dhcp timeout : 60 SecuWGB:
Device#show wgb dot11 associations
Uplink Radio ID : 1
Uplink Radio MAC : 00:09:00:01:00:01
SSID Name : roam-m44-open
Parent AP MAC : FC:58:9A:15:DE:4C
Uplink State : CONNECTED
Auth Type : OPEN
Uclient mac : 00:09:00:01:00:01
Current state : UWGB
Uclient timeout : 60 Sec
Dot11 type : 11ax
Channel : 36
Bandwidth : 20 MHz
Current Datarate (Tx/Rx) : 77/0 Mbps
Max Datarate : 143 Mbps
RSSI : 60
IP : 0.0.0.0
IPV6 : ::/128
Assoc timeout : 100 Msec
Auth timeout : 100 Msec
Dhcp timeout : 60 SecThe Simple Network Management Protocol (SNMP) on WGB is a functional element that
facilitates monitoring and management of the WGB device through the SNMP protocol,
includes roles for information exchange (manager, agent, MIB), and
supports network health assessment and parameter configuration.
The SNMP framework on WGB includes:
SNMP Manager: Controls and monitors the activities of network devices using SNMP, typically implemented as a network management system (NMS).
SNMP Agent: The software component within the managed device that maintains and reports device data.
SNMP MIB: A collection of managed objects (variables) which can be queried or set by the SNMP manager.
This illustration shows the SNMP process. When an SNMP manager requests data, the agent receives the request and relays it to the subagent, which responds. The agent then sends an SNMP response packet to the manager.
Cisco IOS software supports the following versions of SNMP:
SNMPv2c—The community-string-based administrative framework for SNMPv2. SNMPv2c is an update of the protocol operations and data types of SNMPv2p (SNMPv2 classic), and uses the community-based security model of SNMPv1.
SNMPv3—Version 3 of SNMP. SNMPv3 uses the following security features to provide secure access to devices:
Message integrity—Ensuring that a packet has not been tampered with in transit.
Authentication—Determining that the message is from a valid source.
Encryption—Scrambling the contents of a packet to prevent it from being learned by an unauthorized source.
The Management Information Base (MIB) is a database containing objects that can be managed on a device. These managed objects, also called variables, can be set or read to provide information about network devices and interfaces. The objects are organized in a hierarchical structure and are grouped in collections identified by object identifiers. Access to MIBs is provided through network management protocols such as SNMP.
The MIB module provides network management information on IEEE 802.11 wireless device association management and data packet forwarding configuration and statistics.
An Object Identifier (OID) uniquely identifies a MIB object on a managed network device. The OID shows the object's location in the MIB hierarchy and provides a way to access the MIB object in a network of managed devices.
This procedure describes how to configure Simple Network Management Protocol (SNMP) on the WGB. You can enable SNMPv2c or SNMPv3 depending on your network requirements. The steps include setting community strings or usernames, defining authentication and encryption methods, and enabling SNMP functionality on the device.
Configure all SNMP parameters before enabling the SNMP feature using the CLI command: configure snmp enabled.
All SNMP configurations will be automatically removed when the SNMP feature is disabled.
|
Step 1 |
Use the configure snmp v2c community-id length length command to enter the SNMP v2c community ID (SNMP v2c only). |
|
Step 2 |
Use the configure snmp version {v2c | v3 } command to specify the SNMP protocol version. |
|
Step 3 |
Use the configure snmp auth-method {md5 | sha } command to specify the SNMP v3 authentication protocol (SNMP v3 only). |
|
Step 4 |
Use the configure snmp v3 username length length command to enter the SNMP v3 username (SNMP v3 only). |
|
Step 5 |
Use the configure snmp v3 password length length command to enter the SNMP v3 user password (SNMP v3 only). The valid range for length is 8 to 64 characters. |
|
Step 6 |
Use the configure snmp encryption {des | aes | none } command to specify the SNMP v3 encryption protocol (SNMP v3 only). Encryption values are des or aes . Use none if a v3 encryption protocol is not needed. |
|
Step 7 |
Use the configure snmp secret length length command to enter the SNMP v3 encryption passphrase (SNMP v3 only). The valid range for length is 8 to 64 characters. |
|
Step 8 |
Use the configure snmp enabled command to enable SNMP functionality on the WGB. To configure SNMP v2c, repeat Step 1, Step 2 and Step 8. To configure SNMP v3, repeat Step 2 through Step 8. |
|
Step 9 |
(Optional) Use the configure snmp disabled command to disable SNMP configuration. |
Use the show snmp command to verify the SNMP configuration.
SNMP version v3
Device# show snmp
SNMP: enabled
Version: v3
Community ID: test
Username: username
Password: password
Authentication method: SHA
Encryption: AES
Encryption Passphrase: passphrase
Engine ID: 0x8000000903c0f87fe5f314
SNMP version v2c
Device# show snmp
SNMP: enabled
Version: v2c
Community ID: test
Username: username
Password: password
Authentication method: SHA
Encryption: AES
Encryption Passphrase: passphrase
Engine ID: 0x8000000903c0f87fe5f314
Quality of Service (QoS) ACL classification and marking identify network traffic using access control list (ACL) rules and assign a traffic class or priority value.
Classification uses ACLs to match traffic flows based on parameters such as source or destination IP address, protocol type, port numbers, or other header fields. This step identifies the type of traffic being forwarded, such as voice, video, or data.
Marking occurs after classification. Packets are tagged with specific QoS values, such as DSCP, IP precedence, or CoS, which indicate their priority level. These markings guide QoS policies such as queuing, policing, or shaping across the network..
Starting with Cisco Unified Industrial Wireless Software Release 17.14.1, you can classify packets from two wired ports and assign them to different access control driver queues based on your configuration.
In addition to TCP and UDP, the WGB supports ethertype-based and DSCP-based classification. The WGB classifies packets and assigns them to access control queues according to the field environment to meet jitter and latency requirements.
A rule-based traffic classification is a network management technique that:
uses custom rules to classify incoming Ethernet packets by criteria such as 802.1p, DSCP, and protocol type,
assigns classified packets to priority queues on the wireless side for QoS enforcement, and
ensures critical services receive higher priority, reducing latency and optimizing network performance.
You can configure mapping rules using the following parameters:
Ethernet type (for example, Profinet)
Transport layer port numbers or port ranges
DSCP values
Source and destination IP addresses
Protocol types
As incoming packets arrive at the Ethernet port, WGB applies the defined rules to:
Identify critical services or traffic flows
Classify packets based on predefined criteria
Assign packets to the appropriate access control queues on the wireless network
By using customized rule-based classification and mapping, you can:
Enforce QoS policies effectively
Prioritize critical applications and services
Reduce latency for time-sensitive traffic
Improve overall network performance and user experience
Traffic classification is the process of distinguishing one type of network traffic from another by examining packet fields. It is enabled only when QoS is active. During classification, the device performs a lookup and assigns a QoS label to the packet. The QoS label defines the QoS actions to be applied and identifies the output queue for forwarding.
Classification relies on fields across packet layers
Packets are grouped into service classes based on Ethertype, DSCP, or TCP/UDP ports, and consistently treated within those classes.
The data plane records rule hits for analysis, while the control plane configures data forwarding.
Layer 2 Ethernet frames use the Ethertype field (2 bytes) to carry classification information. This field normally indicates the type of data encapsulated in the frames.
Layer 3 IP packets carry classification information in the Type of Service (ToS) field (8 bits). It has:
IP precedence values that range from 0–7, and
DSCP values that range from 0–63.
Layer 4 TCP segments or UDP datagrams use the source or destination port fields for classification. These port numbers allow devices to classify traffic based on applications or services.
The system assigns traffic to a specific service class based on Ethertype, DSCP, or UDP/TCP port (or port range). Packets within a service class are treated consistently. WGBs classify packets from wired ports and map them to different driver queues according to user configuration.
Data plane statistics provide counters showing how many times each rule is matched by traffic. These counters help administrators analyze rule effectiveness and optimize performance.
The control plane is responsible for managing and configuring how data is forwarded through the network.
The following flowchart illustrates how packets from a WGB Ethernet port are classified and mapped to QoS rules based on existing profiles, Ethertype, port identifiers, and DSCP values.
This procedure allows you to define the different classification rules for configuring WGB QoS mapping.
|
Step 1 |
Use the config wgb qos-mapping profile-name enable command to enable the specified QoS mapping profile. |
||||
|
Step 2 |
Use the config wgb qos-mapping profile-name add ethtype hex hex-number priority priority command to add a mapping rule based on Ethernet type.
You can delete the rules based on ethernet type using the config wgb qos-mapping profile-name delete ethtype hex hex-number
|
||||
|
Step 3 |
Use the config wgb qos-mapping profile-name add [srcport number | dstport number | range start-number ending-number ] priority priority command to add a mapping rule based on port ID or range.
You can delete rules based on port-id/range using the config wgb qos-mapping profile-name delete [srcport number | range start-number ending-number [dstport number | range start-number ending-number ]]
|
||||
|
Step 4 |
Use the config wgb qos-mapping profile-name add dscp number priority priority command to add a mapping rule based on DSCP value.
|
||||
|
Step 5 |
Use the config wgb qos-mapping profile-name disable command to disable the specified QoS mapping profile. When disabled, the profile is cleared from the datapath but retained in the WGB configuration file. If the profile does not exist, a warning is issued and no new profile is created. |
||||
|
Step 6 |
(Optional) Use the config wgb qos-mapping profile-name delete command to delete the specified QoS mapping profile. When deleted, the profile is removed from both the datapath and the WGB configuration. |
To verify the QoS mapping configuration on the Control Plane, run the show wgb qos-mapping .
Device# show wgb qos-mapping
Number of QoS Mapping Profiles: 2
====================================
Profile name : qos1
Profile status : active
Number of Rules: 8
Rules:
L4 srcport : 31000-31100, dstport : 6666-7777, priority : 7
L4 srcport : 23000, dstport : N/A, priority : 3
L4 srcport : N/A, dstport : 20000-20100, priority : 5
L4 srcport : N/A, dstport : 2222, priority : 2
L4 srcport : 12300-12500, dstport : N/A, priority : 6
IPv4/IPv6 dscp: 43, priority : 1
Ethernet type : 0x8892, priority : 0
L4 srcport : 8888, dstport : 9999, priority : 4
Profile name : qos2
Profile status : inactive
Number of Rules: 8
Rules:
L4 srcport : 31000-31100, dstport : 6666-7777, priority : 2
L4 srcport : 23000, dstport : N/A, priority : 6
L4 srcport : N/A, dstport : 20000-20100, priority : 4
L4 srcport : N/A, dstport : 2222, priority : 7
L4 srcport : 12300-12500, dstport : N/A, priority : 3
IPv4/IPv6 dscp: 43, priority : 0
Ethernet type : 0x8892, priority : 1
L4 srcport : 8888, dstport : 9999, priority : 5
To verify the WGB QoS mapping configuration on the Data Plane, run the show datapath qos-mapping rule .
Device# show datapath qos-mapping rule
Status: active
QoS Mapping entries
======= dscp mapping =======
Default dscp2dot1p Table Value:
[0]->0 [1]->0 [2]->0 [3]->0 [4]->0 [5]->0 [6]->0 [7]->0
[8]->1 [9]->1 [10]->1 [11]->1 [12]->1 [13]->1 [14]->1 [15]->1
[16]->2 [17]->2 [18]->2 [19]->2 [20]->2 [21]->2 [22]->2 [23]->2
[24]->3 [25]->3 [26]->3 [27]->3 [28]->3 [29]->3 [30]->3 [31]->3
[32]->4 [33]->4 [34]->4 [35]->4 [36]->4 [37]->4 [38]->4 [39]->4
[40]->5 [41]->5 [42]->5 [43]->5 [44]->5 [45]->5 [46]->5 [47]->5
[48]->6 [49]->6 [50]->6 [51]->6 [52]->6 [53]->6 [54]->6 [55]->6
[56]->7 [57]->7 [58]->7 [59]->7 [60]->7 [61]->7 [62]->7 [63]->7
active dscp2dot1p Table Value:
[0]->0 [1]->0 [2]->0 [3]->0 [4]->0 [5]->0 [6]->0 [7]->0
[8]->1 [9]->1 [10]->1 [11]->1 [12]->1 [13]->1 [14]->1 [15]->1
[16]->7 [17]->2 [18]->2 [19]->2 [20]->2 [21]->2 [22]->2 [23]->2
[24]->3 [25]->3 [26]->3 [27]->3 [28]->3 [29]->3 [30]->3 [31]->3
[32]->4 [33]->4 [34]->4 [35]->4 [36]->4 [37]->4 [38]->4 [39]->4
[40]->5 [41]->5 [42]->5 [43]->5 [44]->5 [45]->5 [46]->5 [47]->5
[48]->6 [49]->6 [50]->6 [51]->6 [52]->6 [53]->6 [54]->6 [55]->6
[56]->7 [57]->7 [58]->7 [59]->7 [60]->7 [61]->7 [62]->7 [63]->7
To verify the WGB QoS mapping statistics on Data Plane, run the show datapath qos-mapping statistics command.
Device# show datapath qos-mapping statistics
======= pkt stats per dscp-mapping rule =======
dscp up pkt_cnt
16 7 0To clear the WGB QoS mapping statistics on Data Plane, run the clear datapath qos-mapping statistics command.
Note |
The command clears packet count statistics per rule on data-plane. |
Feedback