Use the clear wgb client {all |single mac-addr} command to deauthenticate WGB wired client.

Device#clear wgb client {all |single mac-addr} 

Perform these tasks to configure SSID.

The CLI commands for timer configuration are same for both WGB and uWGB modes. Use these commands to configure timer:

• Use the configure wgb association response timeout response-millisecs command to configure the WGB association response timeout.

  Device#configure wgb association response timeout response-millisecs 

  The default value is 100 milliseconds, and the valid range is between 100 and 5000 milliseconds.

• Use the configure wgb authentication response timeout response-millisecs command to configure the WGB authentication response timeout.

  Device#configure wgb authentication response timeout response-millisecs 

  The default value is 100 milliseconds, and the valid range is between 100 and 5000 milliseconds.

• Use the configure wgb eap timeout timeout-secs command to configure the WGB EAP timeout.

  Device#configure wgb eap timeout timeout-secs 

  The default value is 3 seconds, and the valid range is between 2 and 60 seconds.

• Use the configure wgb bridge client timeout timeout-secs command to configure the WGB bridge client response timeout.

  Device#configure wgb bridge client timeout timeout-secs 

  The default timeout value is 300 seconds, and the valid range is between 10 and 1000000 seconds.

SSID configuration consists of the following two parts:

1. Create an SSID profile

2. Configuring Radio Interface for uWGB

• Use the configure ap address ipv4 dhcp command to configure IPv4 address using DHCP.

  Device#configure ap address ipv4 dhcp 

• Use the configure ap address ipv4 static ipv4_addr netmask gateway command to configure the static IPv4 address. By doing so, you can manage the device using a wired interface without an uplink connection.

  Device#configure ap address ipv4 static ipv4_addr netmask gateway

Device#show ip interface brief

Use the configure ap address ipv6 static ipv6_addr prefixlen [gateway] command to configure the static IPv6 address. This configuration allows you to manage the AP through a wired interface without uplink connection.

Device#configure ap address ipv6 static ipv6_addr prefixlen [gateway]

Enable IPv6 auto configuration

Use the configure ap address ipv6 auto-config enable command to enable the IPv6 auto configuration on the AP.

Device#configure ap address ipv6 auto-config enable 

Note

Use the configure ap address ipv6 auto-config disable command to disable the IPv6 auto configuration on the AP. Use the configure ap address ipv6 auto-config enable command to enable IPv6 SLAAC. Note that SLAAC does not apply to CoS of WGB. This command configures IPv6 address with DHCPv6 instead of SLAAC.

Device#configure ap address ipv6 dhcp 

Device#show ipv6 interface brief

When slot 2 radio is configured as scanning only mode, slot 1 (5G) radio will always be picked as uplink. Slot 2 (5G) radio will keep scanning configured SSID based on the channel list. By default, the channel list contains all supported 5G channels (based on reg domain). The scanning list can be configured manually or learned by 802.11v.

When roaming is triggered, the algorithm looks for candidates from scanning table and skips scanning phase if the table is not empty. WGB then makes an assocaition to that candidate AP.

Device#configure dot11Radio 2 mode scan only

Manually configure the channel list

Use the configure wgb mobile station interface dot11Radio 1 scan <channel > add command to manually add the channel to the channel list.

Device#configure wgb mobile station interface dot11Radio 1 scan <channel> [add|delete]

Note	Use the configure wgb mobile station interface dot11Radio 1 scan <channel > delete command to manually delete the channel from the channel list.

Configure scanning table timer

Use the configure wgb scan radio 2 timeout1500 command to adjust the timer. By default, candidate AP entries in scanning table are automatically removed in 1200 ms.

Device#configure wgb scan radio 2 timeout 1500

Note	Scanning AP expire time is from 1 to 5000. From the scanning table, the AP selects the candidate with the best RSSI value. However, sometimes the RSSI values might not be updated and it lead to roaming failures.

Device#show wgb scan
Best AP expire time: 5000 ms

************[ AP List ]***************
BSSID                RSSI   CHANNEL   Time
FC:58:9A:15:E2:4F     84     136       1531
FC:58:9A:15:DE:4F     37     136       41

***********[ Best AP ]****************
BSSID                RSSI   CHANNEL   Time
FC:58:9A:15:DE:4F    37     136       41

When you configure the radio 2 in the handoff mode, both radio 1 and radio 2 can serve as uplink connections. While one radio maintains the wireless uplink, and the other scans the channels. You can manually configure the scanning list, or it can be automatically learned using the 802.11v standard.

Device#configure dot11Radio 2 mode scan handoff

Device#show run
...
Radio Id                   : 1
   Admin state             : ENABLED
   Mode                    : WGB
   Spatial Stream          : 1
   Guard Interval          : 800 ns
   Dot11 type              : 11n
   11v BSS-Neighbor        : Disabled
   A-MPDU priority         : 0x3f
   A-MPDU subframe number  : 12
   RTS Protection          : 2347(default)
   Rx-SOP Threshold        : AUTO
   Radio profile           : Default
   Encryption mode         : AES128
Radio Id                   : 2
   Admin state             : ENABLED
   Mode                    : SCAN - Handoff
   Spatial Stream          : 1
   Guard Interval          : 800 ns
   Dot11 type              : 11n
   11v BSS-Neighbor        : Disabled
   A-MPDU priority         : 0x3f
   A-MPDU subframe number  : 12
   RTS Protection          : 2347(default)
   Rx-SOP Threshold        : AUTO
   Radio profile           : Default

Device#show wgb scan
Best AP expire time: 2500 ms

Aux Scanning Radio Results (slot 2)
************[ AP List ]***************
BSSID                RSSI   CHANNEL   Time
FC:58:9A:15:DE:4E     54     153       57
FC:58:9A:15:E2:4E     71     153       64

***********[ Best AP ]****************
BSSID                RSSI   CHANNEL   Time
FC:58:9A:15:DE:4E    54     153       57

Aux Serving Radio Results
************[ AP List ]***************
BSSID                RSSI   CHANNEL   Time
FC:58:9A:15:DE:4E     58     153       57
FC:58:9A:15:E2:4E     75     153       133

***********[ Best AP ]****************
BSSID                RSSI   CHANNEL   Time
FC:58:9A:15:DE:4E    58     153       57

In this scenario, the end client (172.16.1.36) connected to WGB needs to communicate with the server (192.168.150.56) connected to the gateway. Layer 2 NAT is configured to provide an address for the end client on the outside network (192.168.150.36) and an address for the server on the inside network (172.16.1.56).

The following table shows the configuration tasks for this scenario.

#configure l2nat add inside from host 172.16.1.36 to 192.168.150.36
#configure l2nat add outside from host 192.168.150.56 to 172.16.1.56

#configure l2nat add inside from host 172.16.1.1 to 192.168.150.1
#configure l2nat add inside from host 172.16.1.255 to 192.168.150.255

The following show commands display your configuration.

• The following command displays the Layer 2 NAT configuration details. In the output, I2O means "inside to outside", and O2I means "outside to inside".

  #show l2nat config
  L2NAT Configuration are:
  ===================================
  Status: enabled
  Default Vlan: 0
  The Number of L2nat Rules: 4
  Dir      Inside                    Outside                    Vlan
  O2I      172.16.1.56               192.168.150.56             0
  I2O      172.16.1.36               192.168.150.36             0
  I2O      172.16.1.255              192.168.150.255            0
  I2O      172.16.1.1                192.168.150.1              0
  

• The following command displays the Layer 2 NAT rules.

  #show l2nat rule
  Dir      Inside                    Outside                    Vlan
  O2I      172.16.1.56               192.168.150.56             0
  I2O      172.16.1.36               192.168.150.36             0
  I2O      172.16.1.255              192.168.150.255            0
  I2O      172.16.1.1                192.168.150.1              0
  

• The following command displays Layer 2 NAT running entries.

  #show l2nat entry
  Direction            Original             Substitute             Age    Reversed
  inside-to-outside    172.16.1.36@0        192.168.150. 36@0      -1     false
  inside-to-outside    172.16.1.56@0        192.168.150. 56@0      -1     true
  inside-to-outside    172.16.1.1@0         192.168.150. 1@0       -1     false
  inside-to-outside    172.16.1.255@0       192.168.150. 255@0     -1     false
  outside-to-inside    192.168.150.36@0     172.16.1.36@0          -1     true
  outside-to-inside    192.168.150.56@0     172.16.1.56@0          -1     false
  outside-to-inside    192.168.150.1@0      172.16.1.1@0           -1     true
  outside-to-inside    192.168.150.255@0    172.16.1.255@0         -1     true
  

• The following command displays the WGB wired clients over the bridge.

  • Before Layer 2 NAT is enbled:

    #show wgb bridge
        ***Client ip table entries***
                  mac vap     port vlan_id          seen_ip  confirm_ago  fast_brg
    B8:AE:ED:7E:46:EB   0   wired0       0      172.16.1.36     0.360000      true
    24:16:1B:F8:05:0F   0 wbridge1       0          0.0.0.0  3420.560000      true
    

  • After Layer 2 NAT is enbled:

    #show wgb bridge
        ***Client ip table entries***
                  mac vap     port vlan_id          seen_ip  confirm_ago  fast_brg
    B8:AE:ED:7E:46:EB   0   wired0       0   192.168.150.36     0.440000      true
    24:16:1B:F8:05:0F   0 wbridge1       0          0.0.0.0  3502.220000      true
    

  If there are E2E traffic issues for wired client in NAT, restart the client register process by using the following command:

  #clear wgb client single B8:AE:ED:7E:46:EB

• The following command displays the Layer 2 NAT packet translation statistics.

  #show l2nat stats
  Direction          Original              Substitute            ARP  IP   ICMP UDP  TCP
  inside-to-outside  172.16.1.1@2660       192.168.150.1@2660    1    4    4    0    0
  inside-to-outside  172.16.1.36@2660      192.168.150.36@2660   3    129  32   90   1
  inside-to-outside  172.16.1.56@2660      192.168.150.56@2660   2    114  28   85   1
  inside-to-outside  172.16.1.255@2660     192.168.150.255@2660  0    0    0    0    0
  outside-to-inside  192.168.150.1@2660    172.16.1.1@2660       1    4    4    0    0
  outside-to-inside  192.168.150.36@2660   172.16.1.36@2660      3    39   38   0    1
  outside-to-inside  192.168.150.56@2660   172.16.1.56@2660      2    35   34   0    1
  outside-to-inside  192.168.150.255@2660  172.16.1.255@2660     0    0    0    0    0
  

  To reset statistics number, use the following command:

  #clear l2nat stats

In this scenario, Layer 2 NAT is configured to translate the inside addresses from 172.16.1.0 255.255.255.0 subnet to addresses in the 192.168.150.0 255.255.255.0 subnet. Only the network prefix will be replaced during the translation. The host bits of the IP address remain the same.

The following command is configured for this scenario:

#configure l2nat add inside from network 172.16.1.0 to 192.168.150.0 255.255.255.0

To configure optimized low latency profile for video use case, use the following command:

#configure dot11Radio <radio_slot_id > profile optimized-video {enable | disable }

Use the following command to verify the configuration:

WGB1#show controllers dot11Radio 1
EDCA profile: optimized-video
EDCA in use
=============
AC Type CwMin CwMax Aifs Txop ACM
AC_BE L 4 10 11 0 0
AC_BK L 6 10 11 0 0
AC_VI L 3 4 2 94 0
AC_VO L 2 3 1 47 0

Packet parameters in use
=============
wbridge1 A-MPDU Priority 0: Enabled
wbridge1 A-MPDU Priority 1: Enabled
wbridge1 A-MPDU Priority 2: Enabled
wbridge1 A-MPDU Priority 3: Enabled
wbridge1 A-MPDU Priority 4: Disabled
wbridge1 A-MPDU Priority 5: Disabled
wbridge1 A-MPDU Priority 6: Disabled
wbridge1 A-MPDU Priority 7: Disabled
wbridge1 A-MPDU subframe number: 3
wbridge1 Packet retries drop threshold: 16

To configure optimized low latency profile for automation use case, use the following command:

#configure dot11Radio <radio_slot_id > profile optimized-automation {enable | disable }

Use the following command to verify the configuration:

WGB1#show controllers dot11Radio 1
EDCA profile: optimized-automation
EDCA in use
=============
AC Type CwMin CwMax Aifs Txop ACM
AC_BE L 7 10 12 0 0
AC_BK L 8 10 12 0 0
AC_VI L 7 7 3 0 0
AC_VO L 3 3 1 0 0

Packet parameters in use
=============
wbridge1 A-MPDU Priority 0: Enabled
wbridge1 A-MPDU Priority 1: Enabled
wbridge1 A-MPDU Priority 2: Enabled
wbridge1 A-MPDU Priority 3: Enabled
wbridge1 A-MPDU Priority 4: Disabled
wbridge1 A-MPDU Priority 5: Disabled
wbridge1 A-MPDU Priority 6: Disabled
wbridge1 A-MPDU Priority 7: Disabled
wbridge1 A-MPDU subframe number: 3
wbridge1 Packet retries drop threshold: 16

To configure customized Wi-Fi Multimedia (WMM) profile, use the following command:

#configure dot11Radio <radio_slot_id > profile customized-wmm {enable | disable }

To configure customized WMM profile parameters, use the following command:

#configure dot11Radio {0 |1 |2 } wmm {be | vi | vo | bk } {cwmin <cwmin_num > | cwmax <cwmax_num > | aifs <aifs_num > | txoplimit <txoplimit_num >}

Parameter descriptions:

• be—best-effort traffic queue (CS0 and CS3)

• bk—background traffic queue (CS1 and CS2)

• vi—video traffic queue (CS4 and CS5)

• vo—voice traffic queue (CS6 and CS7)

• aifs—Arbitration Inter-Frame Spacing, <1-15> in units of slot time

• cwmin—Contention Window min, <0-15> 2^n-1, in units of slot time

• cwmax—Contention Window max, <0-15> 2^n-1, in units of slot time

• txoplimit—Transmission opportunity time, <0-255> integer number, in units of 32us

Use the following command to configure low latency profile on WGB:

AP# configure dot11Radio <radio_slot_id > profile low-latency [ampdu <length >] [sifs-burst {enable | disable }] [rts-cts {enable | disable }] [non-aggr <length >] [aggr <length >]

Use the following command to display iot-low-latency profile EDCA detailed parameters:

#show controllers dot11Radio 1 | beg EDCA
EDCA config
L: Local C:Cell A:Adaptive EDCA params
  AC   Type  CwMin  CwMax Aifs Txop ACM
AC_BE     L      4      6   11    0   0
AC_BK     L      6     10   11    0   0
AC_VI     L      3      4    1    0   0
AC_VO     L      0      2    0    0   1
AC_BE     C      4     10   11    0   0
AC_BK     C      6     10   11    0   0
AC_VI     C      3      4    2   94   0
AC_VO     C      2      3    1   47   1

Aggregation is the process of grouping packet data frames together, rather than transmitting them separately. Two aggregation methods are available: Aggregated MAC Protocol Data Unit (A-MPDU) and Aggregated MAC Service Data Unit (A-MSDU).

The A-MPDU parameters define the size of an aggregated packet and define the proper spacing between aggregated packets so that the receive side WLAN station can decode the packet properly.

To configure profiled based A-MPDU under 2.4G, 5G and 6G radio, use the following commands:

WLC(config)# ap dot11 {5ghz | 24ghz | 6ghz } rf-profile <profile-name >

WLC(config-rf-profile)# [no ] dot11n a-mpdu tx block-ack window-size <1-255 >

Global configuration is a special profile which can also be configured bu using the following command:

WLC(config)#[no ] ap dot11 {5ghz | 24ghz | 6ghz } dot11n a-mpdu tx block-ack window-size <1-255 >

To bind different RF profiles with the radio RF tag, use the following command:

WLC(config)# wireless tag rf <rf-tag-name >

WLC (config-wireless-rf-tag)# 5ghz-rf-policy <rf-profile-name >

Note	RF profile level configured a-mpdu tx block-ack window-size value takes preference over globally configured value.

To display configured a-mpdu length value, use the following command:

# show controllers dot11Radio <radio_slot_id >

AP# show controllers dot11Radio 1
Radio Aggregation Config:
=========================

TX A-MPDU Priority: 0x3f
TX A-MSDU Priority: 0x3f
TX A-MPDU Window:   0x7f

The Management Information Base (MIB) is a database of the objects that can be managed on a device. The managed objects, or variables, can be set or read to provide information on the network devices and interfaces and are organized hierarchically. The MIB consists of collections of managed objects identified by object identifiers. MIBs are accessed using a network management protocol such as SNMP.

The MIB module provides network management information on IEEE 802.11 wireless device association management and data packet forwarding configuration and statistics.

An Object Identifier (OID) uniquely identifies a MIB object on a managed network device. The OID identifies the MIB object’s location in the MIB hierarchy, and provides a means of accessing the MIB object in a network of managed devices

Given below is a list of objects that are supported by the SNMP Management and Information Base (MIB): CISCO-DOT11-ASSOCIATION-MIB.

Use the following show command to verify the SNMP configuration.

• Show output of SNMP version v3:

  Device# show snmp
  SNMP: enabled
  Version: v3
  Community ID: test
  Username: username
  Password: password
  Authentication method: SHA
  Encryption: AES
  Encryption Passphrase: passphrase
  Engine ID: 0x8000000903c0f87fe5f314
  

• Show output of SNMP version v2c:

  Device# show snmp
  SNMP: enabled
  Version: v2c
  Community ID: test
  Username: username
  Password: password
  Authentication method: SHA
  Encryption: AES
  Encryption Passphrase: passphrase
  Engine ID: 0x8000000903c0f87fe5f314
  

WGB allows you to create custom rules to map incoming packets from an Ethernet port to specific priority queues on the wireless side. WGB offers the functionality to map upstream data traffic based on either IEEE 802.1p (dot1p) or Differentiated Services Code Point (DSCP).

You can configure the rules based on Ethernet type (for example, Profinet), transport layer port numbers or port range, and DSCP. It ensures forwarding packets to the different access control queues on the wireless network, facilitating efficient QoS enforcement.

As incoming packets arrive at the Ethernet port, it directs them to a specific access control queue on the wireless side using a customized rule-based mapping.

The customized rule dictates the classification and assignment of packets to different access control queues based on predetermined criteria such as source/destination IP addresses, port numbers, or protocol types. Once defined, the rules identify critical services or traffic within the incoming packets. Matching these critical services using the defined rules enables mapping them to higher priority queues within the network infrastructure.

Using rule-based traffic classification and mapping on the WGB, you can effectively manage and prioritize network traffic to meet the specific demands of critical applications and services. This approach enables you to enforce QoS policies effectively within your network to maintain optimal network performance, minimizes latency for critical services, and enhances overall user experience.

Classification is the process of distinguishing one traffic from another by examining the fields in the packet. The device enables classification only when QoS is enabled.

During classification, the device performs a lookup and assigns a QoS label to the packet. The QoS label indicates all QoS actions to perform on the packet and identifies the queue from which the packet is sent.

Layer 2 ethernet frames use the Ethertype field to carry classification information. The ethertype field, typically 2 bytes in size, normally indicates the type of data encapsulated in the frames

Layer 3 IP packets carry the classification information in the type of service (ToS) field that has 8 bits. The ToS field carries either an IP precedence value or a Differentiated Services Code Point (DSCP) value. IP precedence values range 0–7. DSCP values range 0–63.

Layer 4 TCP segments or UDP datagrams carry the classification information in the source or destination port field. These port fields specify the port numbers associated with the sender and receiver of the data, enabling networking devices to classify traffic based on predetermined criteria.

The system assigns traffic to a specific service class based on ether type, DSCP, or UDP/TCP port (or port range), treating packets within the service class consistently. The WGB help to classify different packets from the two wired ports and map them to the different driver queues according to the user config.

The data plane statistics provide counts of how many times each rule hit by network traffic. These counters are essential for network administrators to analyse the effectiveness of their rules and policies, and optimize network performance.

The control plane is a part of a network architecture responsible for managing and configuring how data is forwarded though the network.

When QoS is disabled, access points follows the legacy mapping behavior and perform the following:

1. Retrieve the Tag Control Information (TCI) priority from the VLAN element for the specified ethertype 0x8100.

2. For ethertype 0x8892 (profinet) QoS mapping, assigns the TCI priority as 6.

3. For ethertype 0x0800 (IP) and 0x86DD (IPv6), the DSCP priority is set according to the default dscp2dot1p mapping table.

   ======= dscp mapping =======
   Default dscp2dot1p Table Value:
   [0]->0 [1]->0 [2]->0 [3]->0 [4]->0 [5]->0 [6]->0 [7]->0
   [8]->1 [9]->1 [10]->1 [11]->1 [12]->1 [13]->1 [14]->1 [15]->1
   [16]->2 [17]->2 [18]->2 [19]->2 [20]->2 [21]->2 [22]->2 [23]->2
   [24]->3 [25]->3 [26]->3 [27]->3 [28]->3 [29]->3 [30]->3 [31]->3
   [32]->4 [33]->4 [34]->4 [35]->4 [36]->4 [37]->4 [38]->4 [39]->4
   [40]->5 [41]->5 [42]->5 [43]->5 [44]->5 [45]->5 [46]->5 [47]->5
   [48]->6 [49]->6 [50]->6 [51]->6 [52]->6 [53]->6 [54]->6 [55]->6
   [56]->7 [57]->7 [58]->7 [59]->7 [60]->7 [61]->7 [62]->7 [63]->7
   

When QoS is enabled, access points perform the following:

1. The priority for an ethertype QoS mapping 0x8892 (profinet) is based on the configuration setting.

2. For ethertype 0x0800 (IP) and 0x86DD (IPv6), the priority is based on mapping rules that consider port or DSCP.

   • Check the UDP/TCP port (or port range) rule.

   • Check the DSCP rule.

3. Assigns the user priority value 0 to non-IPv4/IPv6 packets.

4. If there is no rule configuration, the QoS profile follows the legacy mapping behavior.

Note	if 802.1p priority exists, it overrides any customised rule.