Workgroup Bridge


A Workgroup Bridge (WGB) is a feature in wireless networking that allows a wired device or a group of wired devices to connect to a wireless network. WGB comprises two modes, Workgroup Bridge (WGB) and Universal Workgroup Bridge (uWGB), both of which enable seamless connectivity between wired and wireless networks. From Unified Industrial Wireless (UIW) Release 17.13.1, both of these modes are supported on the Cisco Catalyst IW9165E Rugged Access Point (AP) and wireless client.

WGB mode recommendations

Understand the limitations and restrictions of both WGB and uWGB modes to ensure optimal performance and avoid potential network issues.

  • The WGB can associate only with Cisco lightweight APs.

  • Speed and duplex settings are automatically negotiated based on the locally connected endpoint's capabilities. These settings cannot be manually configured on the AP’s wired 0 and wired 1 interfaces.

  • Spanning Tree Protocol (STP) and Per-VLAN Spanning Tree (PVST) packets must be used to detect and prevent loops in wired and wireless networks. The WGB transparently bridges STP packets between two wired segments. However, incorrect or inconsistent STP configuration can cause issues such as:

    • Blocking of the WGB's wireless link to the AP or WGB by connected switches.

    • Loss of connection between the WGB and the AP or between the AP and its controller.

    • Wired clients being unable to obtain IP addresses due to blocked switch ports.

    To avoid these issues, disable STP on switches directly connected to the wireless network if you need to stop STP bridging by the WGB.

  • When the WGB roams to a foreign controller, a wired client can connect to the WGB network. In this case, the anchor controller shows the wired client’s IP address, but the foreign controller does not.

  • Deauthenticating a WGB record from a controller clears all entries of wired clients connected to that WGB.

  • Wired clients connected to a WGB do not support:

    • MAC filtering,

    • link tests,

    • idle timeout, and

    • web authentication.

  • A WGB cannot associate with a WLAN configured with adaptive 802.11r.

IPv6 and IPv4 support

  • The WGB supports IPv6 traffic exclusively for wired clients, even though IPv4 is enabled.

  • IPv6 management for the WGB does not function properly, even if the WGB successfully associates with an uplink. IPv6 pings and SSH to the WGB management IPv6 address do not work.


Note


Re-enable IPv6 on the WGB, even if it is already enabled and an IPv6 address has been assigned.


Channel bandwidth issue

If the infrastructure AP operates on a non-dynamic frequency selection (non-DFS) channel and changes its channel bandwidth, the WGB continues to use the original channel bandwidth.


Note


Confirm that the WGB connects to the AP using the correct channel bandwidth.


uWGB mode recommendations

  • TFTP and SFTP are not supported in uWGB mode. Perform software upgrades in WGB mode only. For more information, see uWGB Image Upgrade.

  • uWGB mode supports wired clients connected to the wired0 interface. However, it doesn't support wired clients connected to the wired1 interface.

  • You should configure an arbitrary non-routable IP address for uWGB. Using a static or dynamic IP address in the same range as the end device can result in unexpected behavior.

  • From UIW Release 17.13.1, an AP in uWGB mode is managed using SSH. Image upgrade can be performed when no wired clients are connected to the AP.

    • When a wired client is detected, the AP in uWGB mode remains in the same uWGB mode. You cannot upgrade the image of the AP.

    • When a wired client is not detected, the AP in uWGB mode switches to WGB mode. You can manage as well as upgrade the image of the AP.

Guidelines to reset the login credentials

Credential requirements

Reset your login credentials on day 0 to ensure the security of your network device. Follow these guidelines to configure new login credentials after the first login.

Table 1. Username and password recommendations

| Rule type | Details |
|---|---|
| Username length | must be between 1 and 32 characters |
| Password length | must be between 8 and 120 characters |
| Password must include | at least one uppercase character, one lowercase character, one digit, and one punctuation mark |
| Password can include | alphanumeric characters, and special characters (ASCII decimal code from 33 to 126) |
| Password must exclude | " (double quote), ' (single quote), and ? (question mark) |
| Password cannot | contain three consecutive characters in sequence (ABC/CBA), contain three consecutive identical characters (AAA), or be the same as or the reverse of the username |
| Password must contain | a new password must have at least four characters different from the current password |

Default example credentials:

  • username: Cisco

  • password: Cisco

  • enable password: Cisco

Credentials example:

  • username: demouser

  • password: DemoP@ssw0rd

  • enable password: DemoE^aP@ssw0rd

User Access Verification
Username: Cisco
Password: Cisco

% First Login: Please Reset Credentials

Current Password:Cisco
Current Enable Password:Cisco
New User Name:demouser
New Password:DemoP@ssw0rd
Confirm New Password:DemoP@ssw0rd
New Enable Password:DemoE^aP@ssw0rd
Confirm New Enable Password:DemoE^aP@ssw0rd

% Credentials changed, please re-login

[*04/18/2023 23:53:44.8926] chpasswd: password for user changed
[*04/18/2023 23:53:44.9074]
[*04/18/2023 23:53:44.9074] Management user configuration saved successfully
[*04/18/2023 23:53:44.9074]


User Access Verification
Username: demouser
Password: DemoP@ssw0rd
APFC58.9A15.C808>enable
Password:DemoE^aP@ssw0rd
APFC58.9A15.C808#

Note


In the provided example, passwords are displayed in plain text for clarity. In real-world scenarios, passwords are masked with asterisks (*).
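
The rules in Table 1 can be checked before a credential is pushed to a device. The following Python check is an added example, not Cisco code; the function name check_credentials is hypothetical, and it assumes that "in sequence" means consecutive ASCII codes, that the username comparison is case-sensitive, and that "four characters different" is counted as characters of the new password with no one-for-one match in the current one.

```python
import string

# Limits and character sets taken from Table 1 on this page.
USERNAME_LEN = (1, 32)
PASSWORD_LEN = (8, 120)
FORBIDDEN = set("\"'?")
MIN_CHANGED = 4


def _has_run(text, step):
    """True if three adjacent characters differ by `step` each (0 = identical).

    Assumption: "in sequence" is judged on ASCII codes, case-sensitively.
    """
    codes = [ord(c) for c in text]
    return any(
        codes[i + 1] - codes[i] == step and codes[i + 2] - codes[i + 1] == step
        for i in range(len(codes) - 2)
    )


def _changed_chars(new, old):
    """Assumption: count characters of `new` not matched one-for-one in `old`."""
    pool = list(old)
    changed = 0
    for ch in new:
        if ch in pool:
            pool.remove(ch)
        else:
            changed += 1
    return changed


def check_credentials(username, new_password, current_password):
    """Return the list of violated rules; an empty list means acceptable."""
    problems = []
    if not USERNAME_LEN[0] <= len(username) <= USERNAME_LEN[1]:
        problems.append("username length")
    if not PASSWORD_LEN[0] <= len(new_password) <= PASSWORD_LEN[1]:
        problems.append("password length")
    if any(not 33 <= ord(c) <= 126 for c in new_password):
        problems.append("character outside ASCII 33-126")
    if FORBIDDEN & set(new_password):
        problems.append("forbidden character")
    classes = {
        "uppercase": string.ascii_uppercase,
        "lowercase": string.ascii_lowercase,
        "digit": string.digits,
        "punctuation": string.punctuation,
    }
    for name, chars in classes.items():
        if not any(c in chars for c in new_password):
            problems.append("missing " + name)
    if _has_run(new_password, 1) or _has_run(new_password, -1):
        problems.append("three characters in sequence")
    if _has_run(new_password, 0):
        problems.append("three identical characters")
    if new_password in (username, username[::-1]):
        problems.append("same as or reverse of username")
    if _changed_chars(new_password, current_password) < MIN_CHANGED:
        problems.append("fewer than four characters changed")
    return problems


if __name__ == "__main__":
    # The page's own example credentials, plus the default password as a negative case.
    for user, new, old in [
        ("demouser", "DemoP@ssw0rd", "Cisco"),
        ("demouser", "DemoE^aP@ssw0rd", "Cisco"),
        ("Cisco", "Cisco", "Cisco"),
    ]:
        print(user, check_credentials(user, new, old) or "OK")
```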


Configure WLAN and policy profiles for WGB association

For a WGB to join a wireless network, configure these settings on the WLAN and the related policy profile on the controller.

Follow these steps to configure the Cisco Client Extensions option and set the support for the Aironet IE in the WLAN:

  1. Use the wlan profile-name command to enter the WLAN configuration submode.

    Device#wlan profile-name

    Here, profile-name refers to the name of the configured WLAN.

  2. Use the ccx aironet-iesupport command to configure the Cisco Client Extensions option and set the Aironet IE support on the WLAN.

    Device#ccx aironet-iesupport

    Note


    This configuration is mandatory for the WGB to associate with the AP.


Configure WLAN policy profile for WGB

  1. Use the wireless profile policy profile-policy command to enter the wireless policy configuration mode.
    Device#wireless profile policy profile-policy 
  2. Use the vlan vlan-id command to assign the profile policy to the VLAN.

    Device#vlan vlan-id 
  3. Use the wgb vlan command to configure WGB VLAN client support.

    Device#wgb vlan 

Upgrade the uWGB image

Upgrade the uWGB software image by converting the device to WGB mode, performing the upgrade, and reverting it to uWGB mode. The process requires using TFTP or SFTP protocols for the software download.

Before you begin

The uWGB mode does not support TFTP or SFTP protocols for image upgrades. Therefore, the device must first be converted to WGB mode to enable the image upgrade process.

Procedure


Step 1

Connect a TFTP or SFTP server to the wired 0 port of the uWGB.

Step 2

Use the configure Dot11Radio slot_id disable command to disable the radio interface.

Device#configure Dot11Radio slot_id disable 

Step 3

Convert uWGB to WGB mode.

Use the configure Dot11Radio slot_id mode wgb ssid-profile ssid_profile_name command to reboot the device with the downloaded configuration.

Device#configure Dot11Radio slot_id mode wgb ssid-profile ssid_profile_name 

This command will reboot with downloaded configs.
Are you sure you want continue? <confirm>

Note

 

Replace ssid_profile_name with any existing configured SSID profile.

Step 4

When the device reboots, assign a static IP address to the WGB.

Use the configure ap address ipv4 static IPv4_address netmask Gateway_IPv4_address command to assign a static IP address to the WGB.

Device#configure ap address ipv4 static 192.168.1.101 255.255.255.0 192.168.1.1

Step 5

Use the ping server_IP command to view the ICMP ping results to the server.

Device#ping server_IP

Example:

Device#ping 192.168.1.20
Sending 5, 100-byte ICMP Echos to 192.168.1.20, timeout is 2 seconds

PING 192.168.1.20
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0.858/0.932/1.001 ms

Step 6

Use the archive download/reload <tftp | sftp | http>://server_ip/file_path command to upgrade the uWGB software.

Device#archive download/reload <tftp | sftp | http>://server_ip/file_path

Step 7

Use the configure Dot11Radio slot_id mode uwgb wired_client_mac_addr ssid-profile ssid_profile_name command to revert the device back to uWGB mode.

Device#configure Dot11Radio slot_id mode uwgb wired_client_mac_addr ssid-profile ssid_profile_name

WGB configuration

Perform these tasks for WGB configuration:

  1. Create an SSID profile.

  2. Configure the radio in WGB mode, and associate the SSID profile with the radio.

  3. Turn on the radio.

The WGB uplink supports these security methods:

  • Open (unsecured)

  • Pre-shared key (PSK), and

  • Dot1x (LEAP, PEAP, FAST-EAP, and TLS).


Note


Follow this configuration order when you use EAP-TLS security on the WGB:

  1. Configure the device username/password, NTP server, hostname, and valid IP address.

  2. Create trustpoints and import the certificates using your preferred method.

  3. (Optional) Configure the dot1x credentials.

  4. Create the EAP profile and map the method, trustpoint name and dot1x credentials (optional).

  5. Bind the EAP profile to the SSID profile.

  6. Bind the SSID profile to the preferred radio.



Note


If you make any modifications to the dot1x credential profile, trustpoint profile, or EAP profile, the changes do not take effect immediately. You must manually re-attach the EAP profile to the SSID profile for the changes to apply.

Use the configure ssid-profile <ssid_prof_name> ssid <ssid name> authentication eap profile <eap_prof_name> key-management <key_type> command to re-attach the EAP profile to the SSID profile.

Device#configure ssid-profile <ssid_prof_name> ssid <ssid name> authentication eap profile <eap_prof_name> key-management <key_type>

Dot1x FAST-EAP configuration example

configure dot1x credential demo-cred username demouser1 password Dem0Pass!@
configure eap-profile demo-eap-profile dot1x-credential demo-cred
configure eap-profile demo-eap-profile method fast
configure ssid-profile demo-FAST ssid demo-fast authentication eap profile demo-eap-profile key-management wpa2
configure dot11radio 1 mode wgb ssid-profile demo-FAST
configure dot11radio 1 enable
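
The re-attach rule in the note above can be checked against a command history such as the FAST-EAP example. The following Python check is an added example, not Cisco code; the function name find_stale_attachments and the rotated-password line are assumptions, and it parses only the command forms shown on this page.

```python
from collections import defaultdict

# The FAST-EAP example from this page, used as sample input.
FAST_EXAMPLE = [
    "configure dot1x credential demo-cred username demouser1 password Dem0Pass!@",
    "configure eap-profile demo-eap-profile dot1x-credential demo-cred",
    "configure eap-profile demo-eap-profile method fast",
    "configure ssid-profile demo-FAST ssid demo-fast authentication eap profile "
    "demo-eap-profile key-management wpa2",
    "configure dot11radio 1 mode wgb ssid-profile demo-FAST",
    "configure dot11radio 1 enable",
]
# Constructed line: a later password rotation on the same credential profile.
ROTATE = "Device#configure dot1x credential demo-cred username demouser1 password R0tated!Pass9"


def find_stale_attachments(lines):
    """Return SSID profiles whose EAP profile, dot1x credential or trustpoint
    was modified after the EAP profile was last attached to the SSID profile."""
    deps = defaultdict(dict)  # eap profile -> {"credential": name, "trustpoint": name}
    attached = {}             # ssid profile -> (eap profile, attach command)
    stale = {}                # ssid profile -> first finding

    def touch(kind, name, line_no):
        for ssid, (eap, attach_cmd) in attached.items():
            if (kind == "eap-profile" and eap == name) or deps[eap].get(kind) == name:
                # Report the object name only, never the command (it may hold a password).
                stale.setdefault(ssid, {
                    "ssid_profile": ssid,
                    "eap_profile": eap,
                    "line": line_no,
                    "changed": f"{kind} {name}",
                    "reattach": attach_cmd,
                })

    for line_no, raw in enumerate(lines, 1):
        text = raw.strip()
        if not text.startswith("configure"):
            text = text.partition("#")[2].strip()  # drop a "Device#" style prompt
        tok = text.split()
        if len(tok) < 4 or tok[0] != "configure":
            continue
        if tok[1:3] == ["dot1x", "credential"]:
            touch("credential", tok[3], line_no)
        elif tok[1:4] == ["crypto", "pki", "trustpoint"] and len(tok) > 4:
            touch("trustpoint", tok[4], line_no)
        elif tok[1] == "eap-profile":
            eap = tok[2]
            if tok[3] == "dot1x-credential" and len(tok) > 4:
                deps[eap]["credential"] = tok[4]
            elif tok[3:5] == ["trustpoint", "name"] and len(tok) > 5:
                deps[eap]["trustpoint"] = tok[5]
            touch("eap-profile", eap, line_no)
        elif tok[1] == "ssid-profile" and "authentication" in tok:
            i = tok.index("authentication")
            stale.pop(tok[2], None)  # a fresh attach applies pending changes
            if tok[i + 1:i + 3] == ["eap", "profile"] and len(tok) > i + 3:
                attached[tok[2]] = (tok[i + 3], text)
            else:
                attached.pop(tok[2], None)  # open or PSK: no EAP profile bound
    return sorted(stale.values(), key=lambda f: f["line"])


if __name__ == "__main__":
    for finding in find_stale_attachments(FAST_EXAMPLE + [ROTATE]):
        print(f"line {finding['line']}: {finding['changed']} changed after attach; "
              f"re-run: {finding['reattach']}")
```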

These sections provide detailed information on the WGB configuration procedure.

Configure a Dot1X credential

Use the configure dot1x credential profile-name username name password pwd command to configure Dot1x credential.
Device#configure dot1x credential profile-name username name password pwd

Verify WGB EAP Dot1x profile

Use the show wgb eap dot1x credential profile command to view the status of WGB EAP Dot1x profile.

Device#show wgb eap dot1x credential profile 

Deauthenticate WGB wired client

Use the clear wgb client {all |single mac-addr} command to deauthenticate WGB wired client.

Device#clear wgb client {all |single mac-addr} 

Configure an EAP profile

Perform these steps to configure an EAP profile:

  1. Attach the Dot1x credential profile to the EAP profile.

  2. Attach the EAP profile to the SSID profile.

  3. Attach the SSID profile to the radio.

Procedure


Step 1

Use the configure eap-profile profile-name method { fast | leap | peap | tls} command to configure the EAP profile.

Device#configure eap-profile profile-name method { fast | leap | peap | tls} 

Note

 

Choose an EAP profile method.

  • fast

  • peap, or

  • tls.

Step 2

Use the configure eap-profile profile-name trustpoint { default | name trustpoint-name} command to attach the CA trustpoint for TLS. By default, the WGB uses the internal MIC certificate for authentication.

Device#configure eap-profile profile-name trustpoint { default | name trustpoint-name} 

Step 3

Use the configure eap-profile profile-name dot1x-credential profile-name command to attach the dot1x-credential profile.

Device#configure eap-profile profile-name dot1x-credential profile-name 

Step 4

[Optional] Use the configure eap-profile profile-name delete command to delete an EAP profile.

Device#configure eap-profile profile-name delete 

Configure trustpoint manual enrollment for terminal

Procedure


Step 1

Use the configure crypto pki trustpoint ca-server-name enrollment terminal command to create a trustpoint in WGB.

Device#configure crypto pki trustpoint ca-server-name enrollment terminal 

Step 2

Use the configure crypto pki trustpoint ca-server-name authenticate command to authenticate a trustpoint manually.

Device#configure crypto pki trustpoint ca-server-name authenticate

Enter the base 64 encoded CA certificate.

Enter quit to finish the certificate.

Note

 

If you use an intermediate certificate, import all the certificate chains in the trustpoint.

Example:

Device#configure crypto pki trustpoint demotp authenticate
 
Enter the base 64 encoded CA certificate.
....And end with the word "quit" on a line by itself....
 
-----BEGIN CERTIFICATE-----
[base64 encoded root CA certificate]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[base64 encoded intermediate CA certificate]
-----END CERTIFICATE-----
quit

Step 3

Use the configure crypto pki trustpoint ca-server-name key-size key-length command to configure a private key size.

Device#configure crypto pki trustpoint ca-server-name key-size key-length 

Step 4

Use the configure crypto pki trustpoint ca-server-name subject-name name [Optional] 2ltr-country-code state-name locality org-name org-unit email command to configure the subject-name.

Device#configure crypto pki trustpoint ca-server-name subject-name name [Optional] 2ltr-country-code state-name locality org-name org-unit email 

Step 5

Use the configure crypto pki trustpoint ca-server-name enroll command to generate a private key and certificate signing request (CSR).

Device#configure crypto pki trustpoint ca-server-name enroll 

Create the digitally signed certificate using the CSR output in the CA server.

Step 6

Use the configure crypto pki trustpoint ca-server-name import certificate command to import the signed certificate in WGB.

Device#configure crypto pki trustpoint ca-server-name import certificate 

Enter the base 64 encoded CA certificate.

Enter quit to finish the certificate.

Device#quit 

Step 7

[Optional] Use the configure crypto pki trustpoint trustpoint-name delete command to delete a trustpoint.

Device#configure crypto pki trustpoint trustpoint-name delete 

Step 8

Use the show crypto pki trustpoint command to view the trustpoint summary.

Device#show crypto pki trustpoint

Step 9

Use the show crypto pki trustpoint trustpoint-name certificate command to view the content of the certificates that are created for a trustpoint.

Device#show crypto pki trustpoint trustpoint-name certificate 

Configure trustpoint auto-enrollment for WGB

Procedure


Step 1

Use the configure crypto pki trustpoint ca-server-name enrollment url ca-server-url command to enroll a trustpoint in the WGB using the server URL.

Device#configure crypto pki trustpoint ca-server-name enrollment url ca-server-url 

Step 2

Use the configure crypto pki trustpoint ca-server-name authenticate command to authenticate a trustpoint.

Device#configure crypto pki trustpoint ca-server-name authenticate 

This command fetches the CA certificate from CA server automatically.

Step 3

Use the configure crypto pki trustpoint ca-server-name key-size key-length command to configure a private key size.

Device#configure crypto pki trustpoint ca-server-name key-size key-length 

Step 4

Use the configure crypto pki trustpoint ca-server-name subject-name name [Optional] 2ltr-country-code state-name locality org-name org-unit email command to configure the subject-name.

Device#configure crypto pki trustpoint ca-server-name subject-name name [Optional] 2ltr-country-code state-name locality org-name org-unit email 

Step 5

Use the configure crypto pki trustpoint ca-server-name enroll command to enroll the trustpoint.

Device#configure crypto pki trustpoint ca-server-name enroll 

Request the digitally signed certificate from the CA server.

Step 6

Use the configure crypto pki trustpoint ca-server-name auto-enroll enable renew-percentage command to enable auto-enroll.

Device#configure crypto pki trustpoint ca-server-name auto-enroll enable renew-percentage 

Note

 

Use the configure crypto pki trustpoint ca-server-name auto-enroll disable command to disable the auto-enroll.

Step 7

[Optional] Use the configure crypto pki trustpoint trustpoint-name delete command to delete a trustpoint.

Device#configure crypto pki trustpoint trustpoint-name delete 

Step 8

Use the show crypto pki trustpoint command to view the trustpoint summary.

Device#show crypto pki trustpoint 

Step 9

Use the show crypto pki trustpoint trustpoint-name certificate command to view the details of the certificate for a specific trustpoint.

Device#show crypto pki trustpoint trustpoint-name certificate 

Step 10

Use the show crypto pki timers command to view the public key infrastructure (PKI) timer information.


Device#show crypto pki timers 

Configure manual certificate enrollment using TFTP server

Procedure


Step 1

Specify the enrollment method.

Use the configure crypto pki trustpoint ca-server-name enrollment tftp tftp-addr/file-name command to retrieve the CA and client certificate for a trustpoint.

Device#configure crypto pki trustpoint ca-server-name enrollment tftp tftp-addr/file-name 

Step 2

Use the configure crypto pki trustpoint ca-server-name authenticate command to authenticate a trustpoint manually.

Device#configure crypto pki trustpoint ca-server-name authenticate 

This retrieves and authenticates the CA certificate from the specified TFTP server. If the file specification is included, the WGB adds the extension .ca to the specified filename.

Step 3

Use the configure crypto pki trustpoint ca-server-name key-size key-length command to configure a private key size.

Device#configure crypto pki trustpoint ca-server-name key-size key-length 

Step 4

Use the configure crypto pki trustpoint ca-server-name subject-name name [Optional] 2ltr-country-code state-name locality org-name org-unit email command to configure the subject-name.

Device#configure crypto pki trustpoint ca-server-name subject-name name [Optional] 2ltr-country-code state-name locality org-name org-unit email 

Step 5

Use the configure crypto pki trustpoint ca-server-name enroll command to generate a private key and Certificate Signing Request (CSR).

Device#configure crypto pki trustpoint ca-server-name enroll 

This generates certificate request and sends the request to the TFTP server. The filename to be written is appended with the .req extension.

Step 6

Use the configure crypto pki trustpoint ca-server-name import certificate command to import the signed certificate in WGB.

Device#configure crypto pki trustpoint ca-server-name import certificate

The console terminal uses TFTP to import a certificate and the WGB tries to get the approved certificate from the TFTP. The filename to be written is appended with the .crt extension.

Step 7

Use the show crypto pki trustpoint command to view the trustpoint summary.

Device#show crypto pki trustpoint 

Step 8

Use the show crypto pki trustpoint trustpoint-name certificate command to view the content of the certificates that are created for a trustpoint.

Device#show crypto pki trustpoint trustpoint-name certificate 

Configure a PKCS12 or PFX or P12 certificate enrollment using a TFTP server

This task enables you to import a PKCS12 full certificate bundle for EAP-TLS authentication and private key configuration. This ensures secure communication and device authentication in WGB mode.

Procedure


Import the PKCS12 certificate bundle.

Use the configure crypto pki trustpoint trustpoint_name import pkcs12 tftp tftp://IP_ADDRESS/path_to_certificate password certificate_password command to import the PKCS12 full certificate bundle for EAP-TLS authentication and private key.

Device#configure crypto pki trustpoint trustpoint1 import pkcs12 tftp tftp://1.2.3.4/cert.crt

Verify PKCS12 or PFX or P12 certificate enrollment for WGB mode

Procedure

Perform this task to ensure that the PKCS12 certificate is successfully downloaded and properly enrolled for WGB mode.



Use the show crypto pki trustpoint command to verify the downloaded PKCS12 certificate.

Example:

Device#show crypto pki trustpoint
Crypto PKI trustpoints are:-
================================================================
     Trustpoint name : example
   Enrollment method : TFTP
           TFTP path : tftp://192.168.0.1/users/example/ca
        CA-Cert file : /storage/wbridge_pki_cert/example/example_ca.pem
             Subject : C=US,ST=Unknown,L=Unknown,O=Cisco,OU=Wnbu,CN=ap.cisco.com,emailAddress=wgb@cisco.com
            Key size : 2048 

SSID configuration

Perform these tasks to configure SSID.

Create an SSID profile

Choose one of these authentication protocols to configure the SSID profile:

  1. Open authentication

  2. PSK authentication

    • PSK WPA2 authentication

    • PSK Dot11r authentication, and

    • PSK Dot11w authentication.

  3. Dot1x authentication

Configure an SSID profile using open authentication

Use the configure ssid-profile ssid-profile-name ssid radio-serv-name authentication open command to configure an SSID profile using open authentication.

Device#configure ssid-profile ssid-profile-name ssid radio-serv-name authentication open

Configure an SSID profile using PSK authentication

Choose one of these authentication protocols to configure an SSID profile using PSK authentication:

  • configure an SSID profile using PSK WPA2 authentication

  • configure an SSID profile using PSK Dot11r authentication, and

  • configure an SSID profile using PSK Dot11w authentication.

Configure an SSID profile using PSK WPA2 authentication

Use the configure ssid-profile ssid-profile-name ssid SSID_name authentication psk preshared-key key-management wpa2 command to configure an SSID profile using PSK WPA2 authentication.

Device#configure ssid-profile ssid-profile-name ssid SSID_name authentication psk preshared-key key-management wpa2

Configure an SSID profile using PSK Dot11r authentication

Use the configure ssid-profile ssid-profile-name ssid SSID_name authentication psk preshared-key key-management dot11r command to configure an SSID profile using PSK Dot11r authentication.

Device#configure ssid-profile ssid-profile-name ssid SSID_name authentication psk preshared-key key-management dot11r

Configure an SSID profile using PSK Dot11r authentication

Use the configure ssid-profile ssid-profile-name ssid SSID_name authentication psk preshared-key key-management dot11w command to configure an SSID profile using PSK Dot11w authentication.

Device#configure ssid-profile ssid-profile-name ssid SSID_name authentication psk preshared-key key-management dot11w

Configure an SSID profile using Dot1x authentication

Use the configure ssid-profile ssid-profile-name ssid radio-serv-name authentication eap profile eap-profile-name key-management { dot11r | wpa2 | dot11w { optional | required}} command to configure an SSID profile using Dot1x authentication.

Device#configure ssid-profile ssid-profile-name ssid radio-serv-name authentication eap profile eap-profile-name key-management { dot11r | wpa2 | dot11w { optional | required}}

Configure an SSID profile using Dot1x EAP-PEAP authentication

Here is an example that shows the configuration of an SSID profile using Dot1x EAP-PEAP authentication:

Device#configure dot1x credential c1 username wgbusr password cisco123456
Device#configure eap-profile p1 dot1x-credential c1
Device#configure eap-profile p1 method peap
Device#configure ssid-profile iot-peap ssid iot-peap authentication eap profile p1 key-management wpa2

Configure radio interface for WGB

The IW9165E does not have a 2.4 GHz radio. You can configure only dot11radio 1 as the uplink and operate it in WGB mode.

Use the configure dot11radio slot_id mode wgb ssid-profile ssid-profile-name command to configure a radio interface with a WGB SSID profile.

Device#configure dot11radio 1 mode wgb ssid-profile ssid-profile-name

Enable radio interface for WGB

Use the configure dot11radio slot_id enable command to enable a radio interface.

Device#configure dot11radio 1 enable

Note


Use the configure dot11radio slot_id disable command to disable a radio interface.


Configure WGB or uWGB timer

The CLI commands for timer configuration are the same for both WGB and uWGB modes. Use these commands to configure the timers:

  • Use the configure wgb association response timeout response-millisecs command to configure the WGB association response timeout.

    Device#configure wgb association response timeout response-millisecs 

    The default value is 100 milliseconds, and the valid range is between 100 and 5000 milliseconds.

  • Use the configure wgb authentication response timeout response-millisecs command to configure the WGB authentication response timeout.

    Device#configure wgb authentication response timeout response-millisecs 

    The default value is 100 milliseconds, and the valid range is between 100 and 5000 milliseconds.

  • Use the configure wgb eap timeout timeout-secs command to configure the WGB EAP timeout.

    Device#configure wgb eap timeout timeout-secs 

    The default value is 3 seconds, and the valid range is between 2 and 60 seconds.

  • Use the configure wgb bridge client timeout timeout-secs command to configure the WGB bridge client response timeout.

    Device#configure wgb bridge client timeout timeout-secs 

    The default timeout value is 300 seconds, and the valid range is between 10 and 1000000 seconds.

uWGB Configuration

The universal WGB (uWGB) can interoperate with non-Cisco access points by using the uplink radio MAC address; as a result, the uWGB role supports only one wired client.

Most WGB configurations apply to uWGB. The only difference is that you configure the wired client's MAC address with this command:

configure dot11radio <slot_id> mode uwgb <uwgb_wired_client_mac_address> ssid-profile <ssid-profile>

The following is an example of Dot1x FAST-EAP configuration:

configure dot1x credential demo-cred username demouser1 password Dem0Pass!@
configure eap-profile demo-eap-profile dot1x-credential demo-cred
configure eap-profile demo-eap-profile method fast
configure ssid-profile demo-FAST ssid demo-fast authentication eap profile demo-eap-profile key-management wpa2
configure dot11radio 1 mode uwgb fc58.220a.0704 ssid-profile demo-FAST
configure dot11radio 1 enable

The following sections provide detailed information about uWGB configuration:

Configure a Dot1X credential

Use the configure dot1x credential profile-name username name password pwd command to configure Dot1x credential.
Device#configure dot1x credential profile-name username name password pwd

Verify WGB EAP Dot1x profile

Use the show wgb eap dot1x credential profile command to view the status of WGB EAP Dot1x profile.

Device#show wgb eap dot1x credential profile 

Configure an EAP profile

Perform these steps to configure an EAP profile:

  1. Attach the Dot1x credential profile to the EAP profile.

  2. Attach the EAP profile to the SSID profile.

  3. Attach the SSID profile to the radio.

Procedure


Step 1

Use the configure eap-profile profile-name method { fast | leap | peap | tls} command to configure the EAP profile.

Device#configure eap-profile profile-name method { fast | leap | peap | tls} 

Note

 

Choose an EAP profile method.

  • fast

  • peap, or

  • tls.

Step 2

Use the configure eap-profile profile-name trustpoint { default | name trustpoint-name} command to attach the CA trustpoint for TLS. By default, the WGB uses the internal MIC certificate for authentication.

Device#configure eap-profile profile-name trustpoint { default | name trustpoint-name} 

Step 3

Use the configure eap-profile profile-name dot1x-credential profile-name command to attach the dot1x-credential profile.

Device#configure eap-profile profile-name dot1x-credential profile-name 

Step 4

[Optional] Use the configure eap-profile profile-name delete command to delete an EAP profile.

Device#configure eap-profile profile-name delete 

Configure trustpoint manual enrollment for terminal

Procedure


Step 1

Use the configure crypto pki trustpoint ca-server-name enrollment terminal command to create a trustpoint in WGB.

Device#configure crypto pki trustpoint ca-server-name enrollment terminal 

Step 2

Use the configure crypto pki trustpoint ca-server-name authenticate command to authenticate a trustpoint manually.

Device#configure crypto pki trustpoint ca-server-name authenticate

Enter the base 64 encoded CA certificate.

Enter quit to finish the certificate.

Note

 

If you use an intermediate certificate, import all the certificate chains in the trustpoint.

Example:

Device#configure crypto pki trustpoint demotp authenticate
 
Enter the base 64 encoded CA certificate.
....And end with the word "quit" on a line by itself....
 
-----BEGIN CERTIFICATE-----
[base64 encoded root CA certificate]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[base64 encoded intermediate CA certificate]
-----END CERTIFICATE-----
quit

Step 3

Use the configure crypto pki trustpoint ca-server-name key-size key-length command to configure a private key size.

Device#configure crypto pki trustpoint ca-server-name key-size key-length 

Step 4

Use the configure crypto pki trustpoint ca-server-name subject-name name [Optional] 2ltr-country-code state-name locality org-name org-unit email command to configure the subject-name.

Device#configure crypto pki trustpoint ca-server-name subject-name name [Optional] 2ltr-country-code state-name locality org-name org-unit email 

Step 5

Use the configure crypto pki trustpoint ca-server-name enroll command to generate a private key and certificate signing request (CSR).

Device#configure crypto pki trustpoint ca-server-name enroll 

Create the digitally signed certificate using the CSR output in the CA server.

Step 6

Use the configure crypto pki trustpoint ca-server-name import certificate command to import the signed certificate in WGB.

Device#configure crypto pki trustpoint ca-server-name import certificate 

Enter the base 64 encoded CA certificate.

Enter quit to finish the certificate.

Device#quit 

Step 7

[Optional] Use the configure crypto pki trustpoint trustpoint-name delete command to delete a trustpoint.

Device#configure crypto pki trustpoint trustpoint-name delete 

Step 8

Use the show crypto pki trustpoint command to view the trustpoint summary.

Device#show crypto pki trustpoint

Step 9

Use the show crypto pki trustpoint trustpoint-name certificate command to view the content of the certificates that are created for a trustpoint.

Device#show crypto pki trustpoint trustpoint-name certificate 

Configure trustpoint auto-enrollment for WGB

Procedure


Step 1

Use the configure crypto pki trustpoint ca-server-name enrollment url ca-server-url command to enroll a trustpoint in the WGB using the server URL.

Device#configure crypto pki trustpoint ca-server-name enrollment url ca-server-url 

Step 2

Use the configure crypto pki trustpoint ca-server-name authenticate command to authenticate a trustpoint.

Device#configure crypto pki trustpoint ca-server-name authenticate 

This command fetches the CA certificate from CA server automatically.

Step 3

Use the configure crypto pki trustpoint ca-server-name key-size key-length command to configure a private key size.

Device#configure crypto pki trustpoint ca-server-name key-size key-length 

Step 4

Use the configure crypto pki trustpoint ca-server-name subject-name name [Optional] 2ltr-country-code state-name locality org-name org-unit email command to configure the subject-name.

Device#configure crypto pki trustpoint ca-server-name subject-name name [Optional] 2ltr-country-code state-name locality org-name org-unit email 

Step 5

Use the configure crypto pki trustpoint ca-server-name enroll command to enroll the trustpoint.

Device#configure crypto pki trustpoint ca-server-name enroll 

Request the digitally signed certificate from the CA server.

Step 6

Use the configure crypto pki trustpoint ca-server-name auto-enroll enable renew-percentage command to enable auto-enroll.

Device#configure crypto pki trustpoint ca-server-name auto-enroll enable renew-percentage 

Note

 

Use the configure crypto pki trustpoint ca-server-name auto-enroll disable command to disable the auto-enroll.

Step 7

[Optional] Use the configure crypto pki trustpoint trustpoint-name delete command to delete a trustpoint.

Device#configure crypto pki trustpoint trustpoint-name delete 

Step 8

Use the show crypto pki trustpoint command to view the trustpoint summary.

Device#show crypto pki trustpoint 

Step 9

Use the show crypto pki trustpoint trustpoint-name certificate command to view the details of the certificate for a specific trustpoint.

Device#show crypto pki trustpoint trustpoint-name certificate 

Step 10

Use the show crypto pki timers command to view the public key infrastructure (PKI) timer information.

Device#show crypto pki timers 

Configure manual certificate enrollment using TFTP server

Procedure


Step 1

Specify the enrollment method.

Use the configure crypto pki trustpoint ca-server-name enrollment tftp tftp-addr/file-name command to retrieve the CA and client certificate for a trustpoint.

Device#configure crypto pki trustpoint ca-server-name enrollment tftp tftp-addr/file-name 

Step 2

Use the configure crypto pki trustpoint ca-server-name authenticate command to authenticate a trustpoint manually.

Device#configure crypto pki trustpoint ca-server-name authenticate 

This retrieves and authenticates the CA certificate from the specified TFTP server. If the file specification is included, the WGB adds the extension .ca to the specified filename.

Step 3

Use the configure crypto pki trustpoint ca-server-name key-size key-length command to configure a private key size.

Device#configure crypto pki trustpoint ca-server-name key-size key-length 

Step 4

Use the configure crypto pki trustpoint ca-server-name subject-name name [Optional] 2ltr-country-code state-name locality org-name org-unit email command to configure the subject-name.

Device#configure crypto pki trustpoint ca-server-name subject-name name [Optional] 2ltr-country-code state-name locality org-name org-unit email 

Step 5

Use the configure crypto pki trustpoint ca-server-name enroll command to generate a private key and Certificate Signing Request (CSR).

Device#configure crypto pki trustpoint ca-server-name enroll 

This generates a certificate request and sends the request to the TFTP server. The filename to be written is appended with the .req extension.

Step 6

Use the configure crypto pki trustpoint ca-server-name import certificate command to import the signed certificate in WGB.

Device#configure crypto pki trustpoint ca-server-name import certificate

The console terminal uses TFTP to import a certificate, and the WGB tries to get the approved certificate from the TFTP server. The filename to be written is appended with the .crt extension.

Step 7

Use the show crypto pki trustpoint command to view the trustpoint summary.

Device#show crypto pki trustpoint 

Step 8

Use the show crypto pki trustpoint trustpoint-name certificate command to view the content of the certificates that are created for a trustpoint.

Device#show crypto pki trustpoint trustpoint-name certificate 

SSID configuration

SSID configuration consists of the following two parts:

  1. Create an SSID profile

  2. Configuring Radio Interface for uWGB

Create an SSID profile

Choose one of these authentication protocols to configure the SSID profile:

  1. Open authentication

  2. PSK authentication

    • PSK WPA2 authentication

    • PSK Dot11r authentication, and

    • PSK Dot11w authentication.

  3. Dot1x authentication

Configure an SSID profile using open authentication

Use the configure ssid-profile ssid-profile-name ssid radio-serv-name authentication open command to configure an SSID profile using open authentication.

Device#configure ssid-profile ssid-profile-name ssid radio-serv-name authentication open

Configure an SSID profile using PSK authentication

Choose one of these authentication protocols to configure an SSID profile using PSK authentication:

  • configure an SSID profile using PSK WPA2 authentication

  • configure an SSID profile using PSK Dot11r authentication, and

  • configure an SSID profile using PSK Dot11w authentication.

Configure an SSID profile using PSK WPA2 authentication

Use the configure ssid-profile ssid-profile-name ssid SSID_name authentication psk preshared-key key-management wpa2 command to configure an SSID profile using PSK WPA2 authentication.

Device#configure ssid-profile ssid-profile-name ssid SSID_name authentication psk preshared-key key-management wpa2

Configure an SSID profile using PSK Dot11r authentication

Use the configure ssid-profile ssid-profile-name ssid SSID_name authentication psk preshared-key key-management dot11r command to configure an SSID profile using PSK Dot11r authentication.

Device#configure ssid-profile ssid-profile-name ssid SSID_name authentication psk preshared-key key-management dot11r

Configure an SSID profile using PSK Dot11w authentication

Use the configure ssid-profile ssid-profile-name ssid SSID_name authentication psk preshared-key key-management dot11w command to configure an SSID profile using PSK Dot11w authentication.

Device#configure ssid-profile ssid-profile-name ssid SSID_name authentication psk preshared-key key-management dot11w

Configure an SSID profile using Dot1x authentication

Use the configure ssid-profile ssid-profile-name ssid radio-serv-name authentication eap profile eap-profile-name key-management { dot11r | wpa2 | dot11w { optional | required}} command to configure an SSID profile using Dot1x authentication.

Device#configure ssid-profile ssid-profile-name ssid radio-serv-name authentication eap profile eap-profile-name key-management { dot11r | wpa2 | dot11w { optional | required}}

Configure an SSID profile using Dot1x EAP-PEAP authentication

Here is an example that shows the configuration of an SSID profile using Dot1x EAP-PEAP authentication:

Device#configure dot1x credential c1 username wgbusr password cisco123456
Device#configure eap-profile p1 dot1x-credential c1
Device#configure eap-profile p1 method peap
Device#configure ssid-profile iot-peap ssid iot-peap authentication eap profile p1 key-management wpa2

Configuring Radio Interface for uWGB

The IW9165E does not have a 2.4 GHz radio. Only slot 1 (dot11radio 1) can be configured as the uplink.

  • Map a radio interface to a WGB SSID profile by entering this command:

    # configure dot11radio 1 mode uwgb client-mac-address ssid-profile ssid-profile-name

  • Configure a radio interface by entering this command:

    # configure dot11radio 1 { enable | disable }

    Example

    # configure dot11radio 1 disable

Configure IP address

Configure IPv4 address

  • Use the configure ap address ipv4 dhcp command to configure IPv4 address using DHCP.

    Device#configure ap address ipv4 dhcp

  • Use the configure ap address ipv4 static ipv4_addr netmask gateway command to configure the static IPv4 address. By doing so, you can manage the device using a wired interface without an uplink connection.

    Device#configure ap address ipv4 static ipv4_addr netmask gateway

Verify current IP configuration

Use the show ip interface brief command to view the current IP address configuration.

Device#show ip interface brief

Configure IPv6 address

Use the configure ap address ipv6 static ipv6_addr prefixlen [gateway] command to configure the static IPv6 address. This configuration allows you to manage the AP through a wired interface without uplink connection.

Device#configure ap address ipv6 static ipv6_addr prefixlen [gateway]

Enable IPv6 auto configuration

Use the configure ap address ipv6 auto-config enable command to enable the IPv6 auto configuration on the AP.

Device#configure ap address ipv6 auto-config enable 

Note


  • Use the configure ap address ipv6 auto-config disable command to disable the IPv6 auto configuration on the AP.

  • Use the configure ap address ipv6 auto-config enable command to enable IPv6 SLAAC. Note that SLAAC does not apply to CoS of WGB. This command configures IPv6 address with DHCPv6 instead of SLAAC.


Configure IPv6 address using DHCP

Use the configure ap address ipv6 dhcp command to configure IPv6 address using DHCP.

Device#configure ap address ipv6 dhcp

Verify current IP configuration

Use the show ipv6 interface brief command to verify current IP address configuration.

Device#show ipv6 interface brief

Syslog

Syslogs are a category of protocols that send event data logs to a centralized location for storage and analysis. These are widely used for monitoring and troubleshooting network devices by capturing event messages. The term Syslog may also refer to the protocol itself or the system that implements it.

  • Protocol Type: Syslog is a standardized protocol commonly used for logging system events.

  • Transport Protocol: Currently, Syslog supports only UDP mode for data transmission.

  • Debug Log Collection: When the debug command is enabled on a WGB, it collects debug logs and sends them to the Syslog server.

  • Log Categorization: Logs sent to the Syslog server from WGB are categorized under the "kernel facility" and logged at the "warning level."

Conversion between WGB and uWGB modes

Conversion from WGB to uWGB mode

Use the configure dot11radio <radio_slot_id> mode uwgb <WIRED_CLIENT_MAC> ssid-profile <SSID_PROFILE_NAME> command to convert from WGB to uWGB mode.

Device#configure dot11radio <radio_slot_id> mode uwgb <WIRED_CLIENT_MAC> ssid-profile <SSID_PROFILE_NAME>

Conversion from uWGB to WGB mode

Use the configure dot11radio <radio_slot_id> mode wgb ssid-profile <SSID_PROFILE_NAME> command to convert from uWGB to WGB mode. This conversion involves rebooting the AP.

Device#configure dot11radio 1 mode wgb ssid-profile <SSID_PROFILE_NAME>

 This command will reboot with downloaded configs.
 Are you sure you want continue? [confirm]

LED pattern

There are two LEDs located at the front of AP panel:

  • System status LED

  • RSSI status LED

Figure 1. IW9165E LEDs

1

System status LED

  • Blinking Red: Indicates that the WGB is disassociated.

  • Solid green: Indicates that the WGB is associated with the parent AP.

2

RSSI status LED

  • Solid green: When the RSSI value is greater than or equal to -71 dBm.

  • Blinking green: When the RSSI value is between -81 dBm and -70 dBm.

  • Solid yellow: When the RSSI value is between -95 dBm and -81 dBm.

  • Off: For all other RSSI values.

Configure transmission rate with high throughput for WGB

When configuring WGB mode for moving deployments, you can manually configure the transmission rate limit using the high throughput (HT) modulation and coding scheme (MCS).

Example of a WGB configuration that limits the transmission rate to the 802.11n HT MCS rates m4. and m5.:

Config dot11radio [1|2] 802.11ax disable

Config dot11radio [1|2] 802.11ac disable

Config dot11radio [1|2] speed ht-mcs m4. m5.


Note


You can configure legacy rate using WGB.

Config dot11radio [1|2] speed legacy-rate basic-6.0 9.0 12.0 18.0 24.0

Both 802.11 management and control frames use legacy rates. The WGB's legacy rates should match or overlap with the AP's legacy rates; otherwise, the WGB association fails.


Use the debug wgb dot11 rate command to check WGB Tx MCS rate. Here is an example that shows the output of this command.

Radio Statistics Commands

To help troubleshoot radio connection issues, use the following commands:

  • #debug wgb dot11 rate

    #debug wgb dot11 rate
    [*03/13/2023 18:00:08.7814]                MAC    Tx-Pkts    Rx-Pkts                    Tx-Rate(Mbps)                    Rx-Rate(Mbps)  RSSI   SNR Tx-Retries
    [*03/13/2023 18:00:08.7814] FC:58:9A:17:C2:51          0          0       HE-20,2SS,MCS6,GI0.8 (154)       HE-20,3SS,MCS4,GI0.8 (154)   -30    62          0
    [*03/13/2023 18:00:09.7818] FC:58:9A:17:C2:51          0          0       HE-20,2SS,MCS6,GI0.8 (154)       HE-20,3SS,MCS4,GI0.8 (154)   -30    62          0
    

    In this example, FC:58:9A:17:C2:51 is the parent AP radio MAC.

  • #show interfaces dot11Radio <slot-id> statistics

    #show interfaces dot11Radio 1 statistics
    Dot11Radio Statistics:
            DOT11 Statistics (Cumulative Total/Last 5 Seconds):
    RECEIVER                                TRANSMITTER
    Host Rx K Bytes:        965570/0        Host Tx K Bytes:       1611903/0
    Unicasts Rx:            379274/0        Unicasts Tx:           2688665/0
    Broadcasts Rx:         3166311/0        Broadcasts Tx:               0/0
    Beacons Rx:          722130099/1631     Beacons Tx:          367240960/784
    Probes Rx:           588627347/2224     Probes Tx:            78934926/80
    Multicasts Rx:         3231513/0        Multicasts Tx:           53355/0
    Mgmt Packets Rx:     764747086/1769     Mgmt Packets Tx:     446292853/864
    Ctrl Frames Rx:        7316214/5        Ctrl Frames Tx:              0/0
    RTS received:                0/0        RTS transmitted:             0/0
    Duplicate frames:            0/0        CTS not received:            0/0
    MIC errors:                  0/0        WEP errors:            2279546/0
    FCS errors:                  0/0        Retries:                896973/0
    Key Index errors:            0/0        Tx Failures:              8871/0
                                            Tx Drops:                    0/0
     
    Rate Statistics for Radio::
    [Legacy]:
    6 Mbps:
     Rx Packets:     159053/0            Tx Packets:      88650/0
                                         Tx Retries:       2382/0
    9 Mbps:
     Rx Packets:         43/0            Tx Packets:         23/0
                                         Tx Retries:         71/0
    12 Mbps:
     Rx Packets:          1/0            Tx Packets:        119/0
                                         Tx Retries:        185/0
    18 Mbps:
     Rx Packets:          0/0            Tx Packets:          5/0
                                         Tx Retries:        134/0
    24 Mbps:
     Rx Packets:        235/0            Tx Packets:      20993/0
                                         Tx Retries:       5048/0
    36 Mbps:
     Rx Packets:          0/0            Tx Packets:        781/0
                                         Tx Retries:        227/0
    54 Mbps:
     Rx Packets:        133/0            Tx Packets:       9347/0
                                         Tx Retries:       1792/0
     
    [SU]:
    M0:
     Rx Packets:          7/0            Tx Packets:          0/0
                                         Tx Retries:          6/0
    M1:
     Rx Packets:       1615/0            Tx Packets:      35035/0
                                         Tx Retries:       3751/0
    M2:
     Rx Packets:      15277/0            Tx Packets:     133738/0
                                         Tx Retries:      22654/0
    M3:
     Rx Packets:      10232/0            Tx Packets:       1580/0
                                         Tx Retries:      21271/0
    M4:
     Rx Packets:     218143/0            Tx Packets:     190408/0
                                         Tx Retries:      36444/0
    M5:
     Rx Packets:     399283/0            Tx Packets:     542491/0
                                         Tx Retries:     164048/0
    M6:
     Rx Packets:    3136519/0            Tx Packets:     821537/0
                                         Tx Retries:     329003/0
    M7:
     Rx Packets:    1171128/0            Tx Packets:     303414/0
                                         Tx Retries:     154014/0
     
     
     
    Beacons missed: 0-30s 31-60s 61-90s 90s+
                         2      0      0    0
    
  • #show wgb dot11 uplink latency

    AP4C42.1E51.A050#show wgb dot11 uplink latency
    Latency Group Total Packets Total Latency Excellent(0-8) Very Good(8-16) Good (16-32 ms) Medium (32-64ms) Poor (64-256 ms) Very Poor (256+ ms)
            AC_BK             0             0              0               0               0                0                0                   0
            AC_BE          1840       4243793           1809              10              14                7                0                   0
            AC_VI             0             0              0               0               0                0                0                   0
            AC_VO            24         54134             24               0               0                0                0                   0
    
  • #show wgb dot11 uplink

    AP4C42.1E51.A050#show wgb dot11 uplink
    
    HE Rates: 1SS:M0-11 2SS:M0-11 
    Additional info for client 8C:84:42:92:FF:CF
    RSSI: -24
    PS  : Legacy (Awake)
    Tx Rate: 278730 Kbps
    Rx Rate: 410220 Kbps
    VHT_TXMAP: 65530
    CCX Ver: 5
    Rx Key-Index Errs: 0
                  mac     intf TxData TxUC TxBytes TxFail TxDcrd TxCumRetries MultiRetries MaxRetriesFail RxData RxBytes RxErr                 TxRt(Mbps)                 RxRt(Mbps)   LER PER stats_ago
    8C:84:42:92:FF:CF wbridge1   1341 1341  184032      0      0          543           96              0    317   33523     0 HE-40,2SS,MCS6,GI0.8 (309) HE-40,2SS,MCS9,GI0.8 (458) 27272   0  1.370000
    Per TID packet statistics for client 8C:84:42:92:FF:CF
    Priority Rx Pkts Tx Pkts Rx(last 5 s) Tx (last 5 s)
           0      35    1314            0             8
           1       0       0            0             0
           2       0       0            0             0
           3       0       0            0             0
           4       0       0            0             0
           5       0       0            0             0
           6     182      24            1             0
           7       3       3            0             0
    Rate Statistics:
    Rate-Index    Rx-Pkts    Tx-Pkts Tx-Retries
             0         99          3          0
             4          1          1          9
             5         21         39         35
             6         31        185         64
             7         26        124         68
             8         28        293         82
             9         77        401        151
            10         32        140         97
            11          2        156         37
    

Event Logging

For WGB field deployments, event logging collects useful information (such as WGB state changes and packets received and transmitted) for analysis and provides a log history that gives context to a problem, especially in roaming cases.

You can configure WGB trace filter for all management packet types, including probe, auth, assoc, eap, dhcp, icmp, and arp. To enable or disable WGB trace, use the following command:

#config wgb event trace {enable|disable}

Four kinds of event types are supported:

  • Basic event: covers most WGB basic level info messages

  • Detail event: covers basic events and additional debug level messages

  • Trace event: records WGB trace events if enabled

  • All event: bundles trace events and detail events

The log format is [timestamp] module:level <event log string>.

When abnormal situations happen, the event log messages can be dumped manually to memory by using the following show command, which also displays WGB logging:

#show wgb event [basic|detail|trace|all]

The following example shows the output of show wgb event all:

APC0F8.7FE5.F3C0#show wgb event all
[*08/16/2023 08:18:25.167578] UP_EVT:4 R1 [FC:58:9A:17:B3:E7] parent_rssi: -42 threshold: -70
[*08/16/2023 08:18:25.329223] UP_EVT:4 R1 State CONNECTED to SCAN_START
[*08/16/2023 08:18:25.329539] UP_EVT:4 R1 State SCAN_START to STOPPED
[*08/16/2023 08:18:25.330002] UP_DRV:1 R1 WGB UPLINK mode stopped
[*08/16/2023 08:18:25.629405] UP_DRV:1 R1 Delete client FC:58:9A:17:B3:E7
[*08/16/2023 08:18:25.736718] UP_CFG:8 R1 configured for standard: 7
[*08/16/2023 08:18:25.989936] UP_CFG:4 R1 band 1 current power level: 1
[*08/16/2023 08:18:25.996692] UP_CFG:4 R1 band 1 set tx power level: 1
[*08/16/2023 08:18:26.003904] UP_DRV:1 R1 WGB uplink mode started
[*08/16/2023 08:18:26.872086] UP_EVT:4 Reset aux scan
[*08/16/2023 08:18:26.872096] UP_EVT:4 Pause aux scan on slot 2
[*08/16/2023 08:18:26.872100] SC_MST:4 R2 reset uplink scan state to idle
[*08/16/2023 08:18:26.872104] UP_EVT:4 Aux bring down vap - scan
[*08/16/2023 08:18:26.872123] UP_EVT:4 Aux bring up vap - serv
[*08/16/2023 08:18:26.872514] UP_EVT:4 R1 State STOPPED to SCAN_START
[*08/16/2023 08:18:26.872709] SC_MST:4 R1 Uplink Scan Started.
[*08/16/2023 08:18:26.884054] UP_EVT:8 R1 CH event 149

Note


It might take a long time to display the show wgb event command output in console. Using ctrl+c to interrupt the printing will not affect log dump to memory.
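The log format above lends itself to offline analysis of a saved dump. The following Python parser is an added example, not Cisco tooling: it splits each line into timestamp, module, level, and message, sets aside lines that do not match the format, and measures how long each radio spent away from the CONNECTED state. The function names are hypothetical, and the last two sample lines are constructed.

```python
import re
from datetime import datetime

# Page format: [timestamp] module:level <event log string>
LINE_RE = re.compile(
    r"^\[\*?(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{1,6})\]\s+"
    r"(?P<module>[A-Z0-9_]+):(?P<level>\d+)\s+(?P<msg>.+)$"
)
STATE_RE = re.compile(r"^(?P<radio>R\d+) State (?P<old>\w+) to (?P<new>\w+)$")
RSSI_RE = re.compile(
    r"^(?P<radio>R\d+) .*parent_rssi: (?P<rssi>-?\d+) threshold: (?P<thr>-?\d+)"
)

# The first five lines follow the example output above. The last two are
# constructed: one with a damaged timestamp, one returning to CONNECTED.
SAMPLE_LOG = """\
[*08/16/2023 08:18:25.167578] UP_EVT:4 R1 [FC:58:9A:17:B3:E7] parent_rssi: -42 threshold: -70
[*08/16/2023 08:18:25.329223] UP_EVT:4 R1 State CONNECTED to SCAN_START
[*08/16/2023 08:18:25.329539] UP_EVT:4 R1 State SCAN_START to STOPPED
[*08/16/2023 08:18:25.330002] UP_DRV:1 R1 WGB UPLINK mode stopped
[*08/16/2023 08:18:26.872514] UP_EVT:4 R1 State STOPPED to SCAN_START
[*08/16/2023 08:18:26.88405 UP_EVT:8 R1 CH event 149
[*08/16/2023 08:18:27.129223] UP_EVT:4 R1 State SCAN_START to CONNECTED
"""


def parse_events(text):
    """Return (events, rejected): parsed records and lines that break the format."""
    events, rejected = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            rejected.append(line)          # keep damaged lines for manual review
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%m/%d/%Y %H:%M:%S.%f"),
            "module": m["module"],
            "level": int(m["level"]),
            "msg": m["msg"],
        })
    return events, rejected


def uplink_outages(events):
    """Pair each departure from CONNECTED with the next return, per radio."""
    last_rssi, pending, outages = {}, {}, []
    for ev in events:
        r = RSSI_RE.match(ev["msg"])
        if r:
            last_rssi[r["radio"]] = (int(r["rssi"]), int(r["thr"]))
            continue
        s = STATE_RE.match(ev["msg"])
        if not s:
            continue
        radio = s["radio"]
        if s["old"] == "CONNECTED":
            rssi = last_rssi.get(radio)
            pending[radio] = {
                "radio": radio,
                "left": ev["ts"],
                "rssi": rssi,
                # True when the last reported parent RSSI was still above the
                # threshold, so low signal alone does not explain the departure.
                "above_threshold": rssi is not None and rssi[0] > rssi[1],
                "seconds": None,
            }
        elif s["new"] == "CONNECTED" and radio in pending:
            outage = pending.pop(radio)
            outage["seconds"] = (ev["ts"] - outage["left"]).total_seconds()
            outages.append(outage)
    outages.extend(pending.values())       # still disconnected at end of log
    return outages


if __name__ == "__main__":
    evts, bad = parse_events(SAMPLE_LOG)
    print(f"{len(evts)} events parsed, {len(bad)} rejected")
    for o in uplink_outages(evts):
        print(o["radio"], "left CONNECTED at", o["left"], "for", o["seconds"], "s,",
              "parent RSSI/threshold", o["rssi"])
```
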


The following clear command erases WGB events in memory:

#clear wgb event [basic|detail|trace|all]

To save all event logs to WGB flash, use the following command:

#copy event-logging flash

The package file consists of four separate log files for different log levels.

You can also save event log to a remote server by using the following command:

#copy event-logging upload <tftp|sftp|scp>://A.B.C.D[/dir][/filename.tar.gz]

The following example saves event log to a TFTP server:

APC0F8.7FE5.F3C0#copy event-logging upload tftp://192.168.100.100/tftpuser/evtlog-2023-05-31_11:45:49.tar.gz
Starting upload of WGB config tftp://192.168.100.100/tftpuser/evtlog-2023-05-31_11:45:49.tar.gz ...
It may take a few seconds. If longer, please cancel command, check network and try again.
######################################################################## 100.0%
Config upload completed.

802.11v

802.11v is the wireless network management standard of the IEEE 802.11 family. It includes enhancements such as network-assisted roaming, which optimizes client connectivity by balancing load and guiding poorly connected clients to more suitable APs.

Enhancement of roaming with 802.11v support

When 802.11v support is added to a Workgroup Bridge (WGB), it enhances the roaming process by enabling the WGB to predict and address potential disconnections before they occur. Specifically:

  • The WGB actively initiates a roam to a suitable AP from a dynamically updated list of neighboring APs.

  • Periodic checks ensure that the WGB maintains the most up-to-date neighbor AP list, promoting optimal associations during roaming events.

Basic service set transition request frame

The Basic Service Set (BSS) Transition Request frame includes channel information of neighboring APs. By limiting scanning to these specified channels, the frame significantly reduces roaming latency in environments operating on multiple channels.

Disassociate the client on the AP using WLC

The Wireless LAN Controller (WLC) can disassociate a client based on factors such as AP load, Received Signal Strength Indicator (RSSI), and data rate. Key points include:

  • The WLC can notify 802.11v-enabled clients of an impending disassociation through the BSS transition management request frame.

  • If the client fails to re-associate with another AP within a configurable time, the disassociation is enforced.

  • Administrators can enable the disassociation-imminent configuration on the WLC, which activates the optional field within the BSS transition management request frame.

For detailed information of 802.11v configuration on the WLC, see Cisco Catalyst 9800 Series Wireless Controller Software Configuration Guide.

Use these commands to configure 802.11v support on WGB:

Configure aux scanning

You can configure aux-scan mode as either scanning-only or handoff mode on WGB radio 2 (5 GHz) to improve roaming performance.

Scanning only mode

When the slot 2 radio is configured in scanning only mode, the slot 1 (5G) radio is always picked as the uplink. The slot 2 (5G) radio keeps scanning for the configured SSID based on the channel list. By default, the channel list contains all supported 5G channels (based on the regulatory domain). The scanning list can be configured manually or learned by 802.11v.

When roaming is triggered, the algorithm looks for candidates in the scanning table and skips the scanning phase if the table is not empty. The WGB then associates with that candidate AP.

Configure scanning only mode

Use the configure dot11Radio 2 mode scan only command to configure scanning only mode.

Device#configure dot11Radio 2 mode scan only

Manually configure the channel list

Use the configure wgb mobile station interface dot11Radio 1 scan <channel> add command to manually add the channel to the channel list.

Device#configure wgb mobile station interface dot11Radio 1 scan <channel> [add|delete]

Note


Use the configure wgb mobile station interface dot11Radio 1 scan <channel> delete command to manually delete the channel from the channel list.


Configure scanning table timer

Use the configure wgb scan radio 2 timeout 1500 command to adjust the timer. By default, candidate AP entries in the scanning table are automatically removed in 1200 ms.

Device#configure wgb scan radio 2 timeout 1500

Note


  • Scanning AP expire time is from 1 to 5000.

  • From the scanning table, the AP selects the candidate with the best RSSI value. However, sometimes the RSSI values might not be updated, which leads to roaming failures.


Verify scanning table

Use the show wgb scan command to verify the scanning table.

Device#show wgb scan
Best AP expire time: 5000 ms

************[ AP List ]***************
BSSID                RSSI   CHANNEL   Time
FC:58:9A:15:E2:4F     84     136       1531
FC:58:9A:15:DE:4F     37     136       41

***********[ Best AP ]****************
BSSID                RSSI   CHANNEL   Time
FC:58:9A:15:DE:4F    37     136       41

Aux-Scan Handoff mode

When you configure radio 2 in the handoff mode, both radio 1 and radio 2 can serve as uplink connections. While one radio maintains the wireless uplink, the other scans the channels. You can manually configure the scanning list, or it can be automatically learned using the 802.11v standard.

Radio roles

Radio 2 shares the same MAC address with radio 1 and supports scanning, association, and data serving. Each radio can work in either the serving or the scanning role. After each roaming event, the roles and traffic automatically switch between radio 1 and radio 2.

Roaming of AP

When roaming is triggered, the system algorithm checks the scanning database for the best AP to establish a connection. The WGB always uses the radio in the scanning role to complete the roaming association with the new AP. This configuration helps reduce the roaming interruption to between 20 and 50 milliseconds.

Here is an example of aux-scan handoff radio mode configuration on IW9165E:

Slot 0 (2.4 G)    Slot 1 (5G)    Slot 2 (5G only)    Slot 3 (scanning radio)
N/A               WGB            Scan handoff        N/A

Here's a table that shows how long roaming interruptions last for different methods when using three different modes:

Roaming interruption time    Normal channel setting    Aux-Scan only    Aux-Scan Handoff
Scanning                     (40+20)*3=180 ms          0-40 ms          0 ms
Association                  30-80 ms                  30-80 ms         20-50 ms
Total                        ~210 ms                   70-120 ms        20-50 ms

Configuring Layer 2 NAT

One-to-one (1:1) Layer 2 NAT is a service that allows the assignment of a unique public IP address to an existing private IP address (end device), so that the end device can communicate with public network. Layer 2 NAT has two translation tables where private-to-public and public-to-private subnet translations can be defined.

In the industrial scenario where the same firmware is programmed to every HMI (customer machine, such as a Robot), firmware duplication across machines means IP address is reused across HMIs. This feature solves the problem of multiple end devices with the same duplicated IP addresses in the industrial network communicating with the public network.

The following table provides the commands to configure Layer 2 NAT:

Table 2. Layer 2 NAT Configuration Commands

Command

Description

#configure l2nat {enable|disable}

Enables or disables L2 NAT.

#configure l2nat default-vlan <vlan_id>

Specifies the default vlan where all NAT rules will be applied. If vlan_id is not specified, all NAT rules will be applied to vlan 0.

#configure l2nat {add|delete} inside from host <original_ip_addr> to <translated_ip_addr>

Adds or deletes a NAT rule which translates a private IP address to a public IP address.

  • original_ip_addr —Private IP address of the wired client connected to WGB Ethernet port.

  • translated_ip_addr —Public IP address that represents the wired client at public network.

#configure l2nat {add|delete} outside from host <original_ip_addr> to <translated_ip_addr>

Adds or deletes a NAT rule which translates a public IP address to a private IP address.

  • original_ip_addr —Public IP address of an outside network host.

  • translated_ip_addr —Private IP address which represents the outside network host at private network.

#configure l2nat {add|delete} inside from network <original_nw_prefix> to <translated_nw_prefix> <subnet_mask>

Adds or deletes a NAT rule which translates a private IP address subnet to a public IP address subnet.

  • original_nw_prefix —Private IP network prefix.

  • translated_nw_prefix —Public IP network prefix.

#configure l2nat {add|delete} outside from network <original_nw_prefix> to <translated_nw_prefix> <subnet_mask>

Adds or deletes a NAT rule which translates a public IP address subnet to a private IP address subnet.

  • original_nw_prefix —Public IP network prefix.

  • translated_nw_prefix —Private IP network prefix.

The following table provides the show and debug commands to verify and troubleshoot your Layer 2 NAT configuration:

Table 3. Layer 2 NAT Show and Debug Commands

Command

Description

#show l2nat entry

Displays the Layer 2 NAT running entries.

#show l2nat config

Displays the Layer 2 NAT configuration details.

#show l2nat stats

Displays the Layer 2 NAT packet translation statistics.

#show l2nat rules

Displays the Layer 2 NAT rules from the configuration.

#clear l2nat statistics

Clears packet translation statistics.

#clear l2nat rule

Clears Layer 2 NAT rules.

#clear l2nat config

Clears Layer 2 NAT configuration.

#debug l2nat

Enables debugging of packet translation process.

#debug l2nat all

Prints out the NAT entry match result when a packet arrives.

Caution

This debug command can produce an overwhelming volume of log output on the console. The console may become unresponsive because of this command, especially when the Syslog service is enabled with a broadcast address.

#undebug l2nat

Disables debugging of packet translation process.

Configuration Example of Host IP Address Translation

In this scenario, the end client (172.16.1.36) connected to WGB needs to communicate with the server (192.168.150.56) connected to the gateway. Layer 2 NAT is configured to provide an address for the end client on the outside network (192.168.150.36) and an address for the server on the inside network (172.16.1.56).

The following table shows the configuration tasks for this scenario.

Command

Purpose

#configure l2nat add inside from host 172.16.1.36 to 192.168.150.36
#configure l2nat add outside from host 192.168.150.56 to 172.16.1.56

Adds NAT rules to make inside client and outside server communicate with each other.

#configure l2nat add inside from host 172.16.1.1 to 192.168.150.1
#configure l2nat add inside from host 172.16.1.255 to 192.168.150.255

Adds NAT for gateway and broadcast address.

The following show commands display your configuration.

  • The following command displays the Layer 2 NAT configuration details. In the output, I2O means "inside to outside", and O2I means "outside to inside".

    #show l2nat config
    L2NAT Configuration are:
    ===================================
    Status: enabled
    Default Vlan: 0
    The Number of L2nat Rules: 4
    Dir      Inside                    Outside                    Vlan
    O2I      172.16.1.56               192.168.150.56             0
    I2O      172.16.1.36               192.168.150.36             0
    I2O      172.16.1.255              192.168.150.255            0
    I2O      172.16.1.1                192.168.150.1              0
    
  • The following command displays the Layer 2 NAT rules.

    #show l2nat rule
    Dir      Inside                    Outside                    Vlan
    O2I      172.16.1.56               192.168.150.56             0
    I2O      172.16.1.36               192.168.150.36             0
    I2O      172.16.1.255              192.168.150.255            0
    I2O      172.16.1.1                192.168.150.1              0
    
  • The following command displays Layer 2 NAT running entries.

    #show l2nat entry
    Direction            Original             Substitute             Age    Reversed
    inside-to-outside    172.16.1.36@0        192.168.150.36@0       -1     false
    inside-to-outside    172.16.1.56@0        192.168.150.56@0       -1     true
    inside-to-outside    172.16.1.1@0         192.168.150.1@0        -1     false
    inside-to-outside    172.16.1.255@0       192.168.150.255@0      -1     false
    outside-to-inside    192.168.150.36@0     172.16.1.36@0          -1     true
    outside-to-inside    192.168.150.56@0     172.16.1.56@0          -1     false
    outside-to-inside    192.168.150.1@0      172.16.1.1@0           -1     true
    outside-to-inside    192.168.150.255@0    172.16.1.255@0         -1     true
    
  • The following command displays the WGB wired clients over the bridge.

    • Before Layer 2 NAT is enabled:

      #show wgb bridge
          ***Client ip table entries***
                    mac vap     port vlan_id          seen_ip  confirm_ago  fast_brg
      B8:AE:ED:7E:46:EB   0   wired0       0      172.16.1.36     0.360000      true
      24:16:1B:F8:05:0F   0 wbridge1       0          0.0.0.0  3420.560000      true
      
    • After Layer 2 NAT is enabled:

      #show wgb bridge
          ***Client ip table entries***
                    mac vap     port vlan_id          seen_ip  confirm_ago  fast_brg
      B8:AE:ED:7E:46:EB   0   wired0       0   192.168.150.36     0.440000      true
      24:16:1B:F8:05:0F   0 wbridge1       0          0.0.0.0  3502.220000      true
      

    If a wired client behind NAT has end-to-end (E2E) traffic issues, restart the client registration process by using the following command:

    #clear wgb client single B8:AE:ED:7E:46:EB
  • The following command displays the Layer 2 NAT packet translation statistics.

    #show l2nat stats
    Direction          Original              Substitute            ARP  IP   ICMP UDP  TCP
    inside-to-outside  172.16.1.1@2660       192.168.150.1@2660    1    4    4    0    0
    inside-to-outside  172.16.1.36@2660      192.168.150.36@2660   3    129  32   90   1
    inside-to-outside  172.16.1.56@2660      192.168.150.56@2660   2    114  28   85   1
    inside-to-outside  172.16.1.255@2660     192.168.150.255@2660  0    0    0    0    0
    outside-to-inside  192.168.150.1@2660    172.16.1.1@2660       1    4    4    0    0
    outside-to-inside  192.168.150.36@2660   172.16.1.36@2660      3    39   38   0    1
    outside-to-inside  192.168.150.56@2660   172.16.1.56@2660      2    35   34   0    1
    outside-to-inside  192.168.150.255@2660  172.16.1.255@2660     0    0    0    0    0
    

    To reset the statistics counters, use the following command:

    #clear l2nat stats

Configuration Example of Network Address Translation

In this scenario, Layer 2 NAT is configured to translate the inside addresses from 172.16.1.0 255.255.255.0 subnet to addresses in the 192.168.150.0 255.255.255.0 subnet. Only the network prefix will be replaced during the translation. The host bits of the IP address remain the same.

The following command is configured for this scenario:

#configure l2nat add inside from network 172.16.1.0 to 192.168.150.0 255.255.255.0
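The two configuration examples above can be checked offline before rules are pushed to a WGB. The following Python model is an added example, not Cisco code: it expands rules into the forward and reversed entries seen in the show l2nat entry output, translates an address while keeping its host bits, and reports an address that two rules map differently. The function names, the tuple layout, and the preference for the more specific entry are assumptions of this example.

```python
import ipaddress

I2O, O2I = "inside-to-outside", "outside-to-inside"

# Rules from the two configuration examples on this page:
# (kind, scope, original, translated, mask); mask is None for host rules.
HOST_RULES = [
    ("inside", "host", "172.16.1.36", "192.168.150.36", None),
    ("outside", "host", "192.168.150.56", "172.16.1.56", None),
    ("inside", "host", "172.16.1.1", "192.168.150.1", None),
    ("inside", "host", "172.16.1.255", "192.168.150.255", None),
]
NETWORK_RULES = [
    ("inside", "network", "172.16.1.0", "192.168.150.0", "255.255.255.0"),
]


def to_cli(rule):
    """Render a rule with the command syntax documented above."""
    kind, scope, original, translated, mask = rule
    cmd = f"configure l2nat add {kind} from {scope} {original} to {translated}"
    return f"{cmd} {mask}" if scope == "network" else cmd


def expand(rules):
    """Expand rules into entries (direction, original, substitute, reversed).

    Each rule yields a forward entry plus a reversed entry in the opposite
    direction, matching the `show l2nat entry` listing on this page.
    """
    entries = []
    for kind, scope, original, translated, mask in rules:
        suffix = "32" if scope == "host" else mask
        # Strict parsing raises ValueError for a prefix with host bits set.
        orig = ipaddress.ip_network(f"{original}/{suffix}")
        trans = ipaddress.ip_network(f"{translated}/{suffix}")
        fwd, rev = (I2O, O2I) if kind == "inside" else (O2I, I2O)
        entries.append((fwd, orig, trans, False))
        entries.append((rev, trans, orig, True))
    return entries


def translate(entries, direction, address):
    """Return the substitute for address in the given direction, or None.

    Assumption of this example: when a host entry and a network entry both
    match, the more specific (longer prefix) entry is used.
    """
    addr = ipaddress.ip_address(address)
    best = None
    for entry_dir, orig, sub, _ in entries:
        if entry_dir == direction and addr in orig:
            if best is None or orig.prefixlen > best[0].prefixlen:
                best = (orig, sub)
    if best is None:
        return None
    orig, sub = best
    host_bits = int(addr) & int(orig.hostmask)  # only the prefix is replaced
    return str(ipaddress.ip_address(int(sub.network_address) | host_bits))


def ambiguous(entries):
    """Entries in one direction that give the same original two substitutes."""
    seen, clashes = {}, []
    for direction, orig, sub, _ in entries:
        key = (direction, orig)
        if key in seen and seen[key] != sub:
            clashes.append((direction, str(orig), str(seen[key]), str(sub)))
        seen.setdefault(key, sub)
    return clashes


if __name__ == "__main__":
    for rule in HOST_RULES + NETWORK_RULES:
        print(to_cli(rule))
    for direction, orig, sub, rev in expand(HOST_RULES):
        print(f"{direction:18} {orig.network_address!s:16} "
              f"{sub.network_address!s:16} {rev}")
    print(ambiguous(expand(HOST_RULES)))
```

Running ambiguous() on a planned rule set before deployment catches the case where an outside rule and an inside rule claim the same public address.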

Configuring Native VLAN on Ethernet Ports

In a typical WGB deployment, a single wired client connects directly to the WGB Ethernet port. As a result, wired client traffic must be on the same VLAN as the WGB (or WLC/AP/WGB) management VLAN. If the wired client traffic needs to be on a VLAN other than the WGB management VLAN, configure a native VLAN on the Ethernet port.


Note


Configuring native VLAN ID per Ethernet port is not supported. Both Ethernet ports share the same native VLAN configuration.



Note


When WGB broadcast tagging is enabled and a single wired passive client connects directly to the WGB Ethernet port, a client on the infrastructure distribution system (DS) side may fail to ping this WGB behind the passive client. As a workaround, configure the following additional commands: configure wgb ethport native-vlan enable and configure wgb ethport native-vlan id X, where X is the same VLAN as the WGB (or WLC/AP/WGB) management VLAN.


The following table provides the commands to configure native VLAN:

Table 4. Native VLAN Configuration Commands

Command

Description

#config wgb ethport native-vlan {enable | disable}

Example:

#config wgb ethport native-vlan enable

Enables or disables native VLAN configuration.

#config wgb ethport native-vlan id <vlan-id>

Example:

#config wgb ethport native-vlan id 2735

Specifies native VLAN ID.

To verify your configuration, use the show wgb ethport config or show running-config command.

Low latency profile

Low latency profiles are configurations that optimize IEEE 802.11 networks to meet the low latency and Quality of Service (QoS) requirements essential for IoT applications. IEEE 802.11 networks play a vital role in enabling IoT applications by providing mechanisms that reduce latency and ensure QoS. The following features are key to achieving these goals:

  • Enhanced Distributed Channel Access (EDCA): EDCA parameters prioritize wireless channel access for latency-sensitive traffic, such as voice and video streams, ensuring consistent QoS performance.

  • Aggregated MAC Protocol Data Unit (AMPDU): This mechanism combines multiple data frames into a single transmission, reducing overhead and improving efficiency.

  • Packet Retry (Aggregated or Non-Aggregated): The retry mechanism ensures successful data delivery, either by retransmitting aggregated packets or individual packets, depending on network conditions.

These features collectively support the deployment of IoT devices and applications that demand low latency and high QoS in wireless environments.

Configuring WGB optimized-video EDCA Profile

To configure the optimized low latency profile for the video use case, use the following command:

#configure dot11Radio <radio_slot_id> profile optimized-video {enable | disable}

Use the following command to verify the configuration:

WGB1#show controllers dot11Radio 1
EDCA profile: optimized-video
EDCA in use
=============
  AC   Type  CwMin  CwMax Aifs Txop ACM
AC_BE     L      4     10   11    0   0
AC_BK     L      6     10   11    0   0
AC_VI     L      3      4    2   94   0
AC_VO     L      2      3    1   47   0

Packet parameters in use
=============
wbridge1 A-MPDU Priority 0: Enabled
wbridge1 A-MPDU Priority 1: Enabled
wbridge1 A-MPDU Priority 2: Enabled
wbridge1 A-MPDU Priority 3: Enabled
wbridge1 A-MPDU Priority 4: Disabled
wbridge1 A-MPDU Priority 5: Disabled
wbridge1 A-MPDU Priority 6: Disabled
wbridge1 A-MPDU Priority 7: Disabled
wbridge1 A-MPDU subframe number: 3
wbridge1 Packet retries drop threshold: 16

Configuring WGB optimized-automation EDCA Profile

To configure the optimized low latency profile for the automation use case, use the following command:

#configure dot11Radio <radio_slot_id> profile optimized-automation {enable | disable}

Use the following command to verify the configuration:

WGB1#show controllers dot11Radio 1
EDCA profile: optimized-automation
EDCA in use
=============
  AC   Type  CwMin  CwMax Aifs Txop ACM
AC_BE     L      7     10   12    0   0
AC_BK     L      8     10   12    0   0
AC_VI     L      7      7    3    0   0
AC_VO     L      3      3    1    0   0

Packet parameters in use
=============
wbridge1 A-MPDU Priority 0: Enabled
wbridge1 A-MPDU Priority 1: Enabled
wbridge1 A-MPDU Priority 2: Enabled
wbridge1 A-MPDU Priority 3: Enabled
wbridge1 A-MPDU Priority 4: Disabled
wbridge1 A-MPDU Priority 5: Disabled
wbridge1 A-MPDU Priority 6: Disabled
wbridge1 A-MPDU Priority 7: Disabled
wbridge1 A-MPDU subframe number: 3
wbridge1 Packet retries drop threshold: 16

Configuring WGB customized-wmm EDCA profile

To configure the customized Wi-Fi Multimedia (WMM) profile, use the following command:

#configure dot11Radio <radio_slot_id> profile customized-wmm {enable | disable}

To configure the customized WMM profile parameters, use the following command:

#configure dot11Radio {0 | 1 | 2} wmm {be | vi | vo | bk} {cwmin <cwmin_num> | cwmax <cwmax_num> | aifs <aifs_num> | txoplimit <txoplimit_num>}

Parameter descriptions:

  • be—best-effort traffic queue (CS0 and CS3)

  • bk—background traffic queue (CS1 and CS2)

  • vi—video traffic queue (CS4 and CS5)

  • vo—voice traffic queue (CS6 and CS7)

  • aifs—Arbitration Inter-Frame Spacing, <1-15>, in units of slot time

  • cwmin—Minimum contention window exponent n, <0-15>; the window is 2^n-1, in units of slot time

  • cwmax—Maximum contention window exponent n, <0-15>; the window is 2^n-1, in units of slot time

  • txoplimit—Transmission opportunity time, <0-255>, integer, in units of 32 µs

Configuring Low Latency Profile on WGB

Use the following command to configure low latency profile on WGB:

AP# configure dot11Radio <radio_slot_id> profile low-latency [ampdu <length>] [sifs-burst {enable | disable}] [rts-cts {enable | disable}] [non-aggr <length>] [aggr <length>]

Use the following command to display iot-low-latency profile EDCA detailed parameters:

#show controllers dot11Radio 1 | beg EDCA
EDCA config
L: Local C:Cell A:Adaptive EDCA params
  AC   Type  CwMin  CwMax Aifs Txop ACM
AC_BE     L      4      6   11    0   0
AC_BK     L      6     10   11    0   0
AC_VI     L      3      4    1    0   0
AC_VO     L      0      2    0    0   1
AC_BE     C      4     10   11    0   0
AC_BK     C      6     10   11    0   0
AC_VI     C      3      4    2   94   0
AC_VO     C      2      3    1   47   1

Configure EDCA parameters using Controller GUI

Procedure


Step 1

Choose Configuration > Radio Configurations > Parameters. Using this page, you can configure global parameters for 6 GHz, 5 GHz, and 2.4 GHz radios.

Note

You cannot configure or modify parameters if the radio network is enabled. Disable the network status on the Configuration > Radio Configurations > Network page before you proceed.

Step 2

In the EDCA Parameters section, choose an EDCA profile from the EDCA Profile drop-down list. Enhanced Distributed Channel Access (EDCA) parameters are designed to provide preferential wireless channel access for voice, video, and other quality-of-service (QoS) traffic.

Step 3

Click Apply.


Configuring EDCA Parameters (Wireless Controller CLI)

Procedure


Step 1

Enters global configuration mode.

configure terminal

Example:

Device# configure terminal

Step 2

Disables the radio network.

ap dot11 {5ghz | 24ghz | 6ghz} shutdown

Example:

Device(config)# ap dot11 5ghz shutdown

Step 3

Enables iot-low-latency EDCA profile for the 5 GHz, 2.4 GHz, or 6 GHz network.

ap dot11 {5ghz | 24ghz | 6ghz} edca-parameters iot-low-latency

Example:

Device(config)# ap dot11 5ghz edca-parameters iot-low-latency

Step 4

Enables the radio network.

no ap dot11 {5ghz | 24ghz | 6ghz} shutdown

Example:

Device(config)# no ap dot11 5ghz shutdown

Step 5

Returns to privileged EXEC mode.

end

Example:

Device(config)# end

Step 6

Displays the current configuration.

show ap dot11 {5ghz | 24ghz | 6ghz} network

Example:

Device(config)# show ap dot11 5ghz network
EDCA profile type check                   : iot-low-latency

Configuring A-MPDU

Aggregation is the process of grouping packet data frames together, rather than transmitting them separately. Two aggregation methods are available: Aggregated MAC Protocol Data Unit (A-MPDU) and Aggregated MAC Service Data Unit (A-MSDU).

The A-MPDU parameters define the size of an aggregated packet and define the proper spacing between aggregated packets so that the receive side WLAN station can decode the packet properly.

To configure profile-based A-MPDU on the 2.4 GHz, 5 GHz, and 6 GHz radios, use the following commands:

WLC(config)# ap dot11 {5ghz | 24ghz | 6ghz} rf-profile <profile-name>

WLC(config-rf-profile)# [no] dot11n a-mpdu tx block-ack window-size <1-255>

The global configuration is a special profile, which can also be configured by using the following command:

WLC(config)# [no] ap dot11 {5ghz | 24ghz | 6ghz} dot11n a-mpdu tx block-ack window-size <1-255>

To bind different RF profiles with the radio RF tag, use the following command:

WLC(config)# wireless tag rf <rf-tag-name>

WLC(config-wireless-rf-tag)# 5ghz-rf-policy <rf-profile-name>


Note


An a-mpdu tx block-ack window-size value configured at the RF profile level takes precedence over the globally configured value.


To display configured a-mpdu length value, use the following command:

# show controllers dot11Radio <radio_slot_id >

AP# show controllers dot11Radio 1
Radio Aggregation Config:
=========================

TX A-MPDU Priority: 0x3f
TX A-MSDU Priority: 0x3f
TX A-MPDU Window:   0x7f

Import and export WGB configuration

Export WGB configuration

You can upload the current configuration of an existing WGB to a server and then you can download it for newly deployed WGBs.

Use the copy configuration upload <sftp:|tftp:> ip-address [directory] [file-name] command to upload the working configuration of an existing WGB to a server.

Device#copy configuration upload <sftp:|tftp:> ip-address [directory] [file-name]

Import WGB configuration

Use the copy configuration download <sftp:|tftp:> ip-address [directory] [file-name] command to download a sample configuration to all WGBs in the deployment.

Device#copy configuration download <sftp:|tftp:> ip-address [directory] [file-name]

Note


When you execute the copy configuration download command, the AP starts to reboot. The new configuration takes effect only after the reboot.


Verify the WGB and uWGB configuration

Use the show run command to check whether the AP is in WGB mode or uWGB mode.

  • WGB:

    Device#show run
    AP Name              : APFC58.9A15.C808
    AP Mode              : WorkGroupBridge
    CDP State            : Enabled
    Watchdog monitoring  : Enabled
    SSH State            : Disabled
    AP Username          : admin
    Session Timeout      : 300
     
     
    Radio and WLAN-Profile mapping:-
    ====================================
    Radio ID    Radio Mode    SSID-Profile                    SSID
              Authentication
    --------------------------------------------------------------------------------
    --------------------------
    1           WGB           myssid                          demo
              OPEN
     
     
    Radio configurations:-
    ===============================
    Radio Id             : NA
       Admin state       : NA
       Mode              : NA
    Radio Id             : 1
       Admin state       : DISABLED
       Mode              : WGB
       Dot11 type        : 11ax
    Radio Id             : NA
       Admin state       : NA
       Mode              : NA
     
  • uWGB:

    Device#show run
    AP Name              : APFC58.9A15.C808
    AP Mode              : WorkGroupBridge
    CDP State            : Enabled
    Watchdog monitoring  : Enabled
    SSH State            : Disabled
    AP Username          : admin
    Session Timeout      : 300
     
     
    Radio and WLAN-Profile mapping:-
    ====================================
    Radio ID    Radio Mode    SSID-Profile                    SSID
              Authentication
    --------------------------------------------------------------------------------
    --------------------------
    1           UWGB          myssid                          demo
              OPEN
     
     
    Radio configurations:-
    ===============================
    Radio Id             : NA
       Admin state       : NA
       Mode              : NA
    Radio Id             : 1
       Admin state       : DISABLED
       Mode              : UWGB
       Uclient mac       : 0009.0001.0001
       Current state     : WGB
       UClient timeout   : 0 Sec
       Dot11 type        : 11ax
    Radio Id             : NA
       Admin state       : NA
       Mode              : NA
    

Use the show wgb dot11 associations command to view the WGB and uWGB configuration.

  • WGB:

    Device#show wgb dot11 associations
    Uplink Radio ID : 1
    Uplink Radio MAC : 00:99:9A:15:B4:91
    SSID Name : roam-m44-open
    Parent AP Name : APFC58.9A15.C964
    Parent AP MAC : 00:99:9A:15:DE:4C
    Uplink State : CONNECTED
    Auth Type : OPEN
    Dot11 type : 11ax
    Channel : 100
    Bandwidth : 20 MHz
    Current Datarate (Tx/Rx) : 86/86 Mbps
    Max Datarate : 143 Mbps
    RSSI : 53
    IP : 192.168.1.101/24
    Default Gateway : 192.168.1.1
    IPV6 : ::/128
    Assoc timeout : 100 Msec
    Auth timeout : 100 Msec
    Dhcp timeout : 60 Sec
  • uWGB:

    Device#show wgb dot11 associations
    Uplink Radio ID : 1
    Uplink Radio MAC : 00:09:00:01:00:01
    SSID Name : roam-m44-open
    Parent AP MAC : FC:58:9A:15:DE:4C
    Uplink State : CONNECTED
    Auth Type : OPEN
    Uclient mac : 00:09:00:01:00:01
    Current state : UWGB
    Uclient timeout : 60 Sec
    Dot11 type : 11ax
    Channel : 36
    Bandwidth : 20 MHz
    Current Datarate (Tx/Rx) : 77/0 Mbps
    Max Datarate : 143 Mbps
    RSSI : 60
    IP : 0.0.0.0
    IPV6 : ::/128
    Assoc timeout : 100 Msec
    Auth timeout : 100 Msec
    Dhcp timeout : 60 Sec

Configuring and Validating SNMP With WGB

Simple Network Management Protocol (SNMP) is an application-layer protocol that provides a message format for communication between SNMP managers and agents. SNMP provides a standardized framework and a common language that is used for monitoring and managing devices in a network.

WGBs provide network administrators with an SNMP interface, allowing them to poll various states and counters. This enables administrators to easily monitor the health of their WGBs in the field.

By default, SNMP is disabled.

The SNMP framework has the following components:

  • SNMP Manager: The Simple Network Management Protocol (SNMP) manager is a system that controls and monitors the activities of network hosts using SNMP. The most common managing system is a network management system (NMS). The term NMS can be applied either to a dedicated device used for network management or to the applications used on such a device.

  • SNMP Agent: The Simple Network Management Protocol (SNMP) agent is the software component within a managed device that maintains the data for the device and reports this data, as needed, to managing systems.

  • SNMP MIB: An SNMP agent contains MIB variables, whose values the SNMP manager can request or change through Get or Set operations. A manager can get a value from an agent or store a value in that agent. The agent gathers data from the SNMP MIB, the repository for information about device parameters and network data. The agent can also respond to manager requests to get or set data.

The following illustration shows the SNMP process. The SNMP agent receives a request from the SNMP client and passes the request to the subagent. The subagent then returns a response to the SNMP agent, which creates an SNMP response packet and sends it to the remote network management station that initiated the request.

Figure 2. SNMP Process

SNMP Versions

Cisco IOS software supports the following versions of SNMP:

  • SNMPv2c—The community-string-based administrative framework for SNMPv2. SNMPv2c is an update of the protocol operations and data types of SNMPv2p (SNMPv2 classic), and uses the community-based security model of SNMPv1.

  • SNMPv3—Version 3 of SNMP. SNMPv3 uses the following security features to provide secure access to devices:

    • Message integrity—Ensuring that a packet has not been tampered with in transit.

    • Authentication—Determining that the message is from a valid source.

    • Encryption—Scrambling the contents of a packet to prevent it from being learned by an unauthorized source.

Supported SNMP MIB File

The Management Information Base (MIB) is a database of the objects that can be managed on a device. The managed objects, or variables, can be set or read to provide information on the network devices and interfaces and are organized hierarchically. The MIB consists of collections of managed objects identified by object identifiers. MIBs are accessed using a network management protocol such as SNMP.

The MIB module provides network management information on IEEE 802.11 wireless device association management and data packet forwarding configuration and statistics.

An Object Identifier (OID) uniquely identifies a MIB object on a managed network device. The OID identifies the MIB object’s location in the MIB hierarchy, and provides a means of accessing the MIB object in a network of managed devices.

The following objects are supported by the SNMP Management Information Base (MIB) CISCO-DOT11-ASSOCIATION-MIB.

Table 5. Supported OIDs

OID Object Name

OID

OID Type

OID Description

cDot11ParentAddress

1.3.6.1.4.1.9.9.273.1.1.1

String

Provides the MAC address of the parent access point.

cDot11ActiveWirelessClients

1.3.6.1.4.1.9.9.273.1.1.2.1.1

Gauge

The number of wireless clients currently associating with the device on this interface.

cDot11ActiveBridges

1.3.6.1.4.1.9.9.273.1.1.2.1.2

Gauge

The number of bridges currently associating with the device on this interface.

cDot11ActiveRepeaters

1.3.6.1.4.1.9.9.273.1.1.2.1.3

Gauge

The number of repeaters currently associating with the device on this interface.

cDot11AssStatsAssociated

1.3.6.1.4.1.9.9.273.1.1.3.1.1

Counter

Counts the number of stations associated with the device on the interface since the device restarted.

cDot11AssStatsAuthenticated

1.3.6.1.4.1.9.9.273.1.1.3.1.2

Counter

Counts the number of stations authenticated with the device on the interface since the device restarted.

cDot11AssStatsRoamedIn

1.3.6.1.4.1.9.9.273.1.1.3.1.3

Counter

Counts the number of stations that roamed from another device to the device on the interface since the device restarted.

cDot11AssStatsRoamedAway

1.3.6.1.4.1.9.9.273.1.1.3.1.4

Counter

Counts the number of stations that roamed away from the device on the interface since the device restarted.

cDot11AssStatsDeauthenticated

1.3.6.1.4.1.9.9.273.1.1.3.1.5

Counter

Counts the number of stations deauthenticated with this device on the interface since the device restarted.

cDot11AssStatsDisassociated

1.3.6.1.4.1.9.9.273.1.1.3.1.6

Counter

Counts the number of stations disassociated with this device on the interface since the device restarted.

cd11IfCipherMicFailClientAddress

1.3.6.1.4.1.9.9.273.1.1.4.1.1

String

The MAC address of the client attached to the radio interface that caused the most recent MIC failure.

cd11IfCipherTkipLocalMicFailures

1.3.6.1.4.1.9.9.273.1.1.4.1.2

Counter

Counts the number of MIC failures encountered on the radio interface since the device restarted.

cd11IfCipherTkipRemotMicFailures

1.3.6.1.4.1.9.9.273.1.1.4.1.3

Counter

Counts the number of MIC failures reported by clients on the radio interface since the device restarted.

cd11IfCipherTkipCounterMeasInvok

1.3.6.1.4.1.9.9.273.1.1.4.1.4

Counter

Counts the number of TKIP countermeasures invoked on the interface since the device restarted.

cd11IfCipherCcmpReplaysDiscarded

1.3.6.1.4.1.9.9.273.1.1.4.1.5

Counter

Counts the number of received unicast fragments discarded by the replay mechanism on the interface since the device restarted.

cd11IfCipherTkipReplaysDetected

1.3.6.1.4.1.9.9.273.1.1.4.1.6

Counts the number of TKIP replay errors detected on this interface since the device restarted.

cDot11ClientRoleClassType

1.3.6.1.4.1.9.9.273.1.2.1.1.3

Counter

The role classification of the client

cDot11ClientDevType

1.3.6.1.4.1.9.9.273.1.2.1.1.4

EnumVal

The device type of the client.

cDot11ClientRadioType

1.3.6.1.4.1.9.9.273.1.2.1.1.5

EnumVal

The radio classification of the client.

cDot11ClientWepEnabled

1.3.6.1.4.1.9.9.273.1.2.1.1.6

EnumVal

Whether WEP key mechanism is used for transmitting frames of data for the client

cDot11ClientWepKeyMixEnabled

1.3.6.1.4.1.9.9.273.1.2.1.1.7

EnumVal

Whether this client is using WEP key mixing

cDot11ClientMicEnabled

1.3.6.1.4.1.9.9.273.1.2.1.1.8

EnumVal

Whether the MIC is enabled for the client

cDot11ClientPowerSaveMode

1.3.6.1.4.1.9.9.273.1.2.1.1.9

EnumVal

The power management mode of the client.

cDot11ClientAid

1.3.6.1.4.1.9.9.273.1.2.1.1.10

Gauge

This is the association identification number of clients or multicast addresses associating with the device.

cDot11ClientDataRateSet

1.3.6.1.4.1.9.9.273.1.2.1.1.11

String

The set of data rates at which this client can transmit and receive data.

cDot11ClientSoftwareVersion

1.3.6.1.4.1.9.9.273.1.2.1.1.12

String

Cisco IOS software version

cDot11ClientName

1.3.6.1.4.1.9.9.273.1.2.1.1.13

String

Cisco IOS device hostname

cDot11ClientAssociationState

1.3.6.1.4.1.9.9.273.1.2.1.1.14

EnumVal

The object indicates the state of the authentication and association process

cDot11ClientVlanId

1.3.6.1.4.1.9.9.273.1.2.1.1.17

Gauge

The VLAN which the wireless client is assigned to when it is successfully associated to the wireless station.

cDot11ClientSubIfIndex

1.3.6.1.4.1.9.9.273.1.2.1.1.18

Integer

This is the ifIndex of the sub-interface which this wireless client is assigned to when it is successfully associated to the wireless station.

cDot11ClientAuthenAlgorithm

1.3.6.1.4.1.9.9.273.1.2.1.1.19

EnumVal

The IEEE 802.1x authentication methods performed between the wireless station and this client during association

cDot11ClientDot1xAuthenAlgorithm

1.3.6.1.4.1.9.9.273.1.2.1.1.21

Octet String

The IEEE 802.1x authentication methods performed between the wireless client and the authentication server.

cDot11ClientUpTime

1.3.6.1.4.1.9.9.273.1.3.1.1.2

Gauge

The time in seconds that this client has been associated with this device

cDot11ClientSignalStrength

1.3.6.1.4.1.9.9.273.1.3.1.1.3

Integer

A device-dependent measure of the signal strength of the most recently received packet from the client.

cDot11ClientSigQuality

1.3.6.1.4.1.9.9.273.1.3.1.1.4

Gauge

A device-dependent measure of the signal quality of the most recently received packet from the client.

cDot11ClientPacketsReceived

1.3.6.1.4.1.9.9.273.1.3.1.1.6

Counter

The number of packets received from this client.

cDot11ClientBytesReceived

1.3.6.1.4.1.9.9.273.1.3.1.1.7

Counter

The number of bytes received from the client.

cDot11ClientPacketsSent

1.3.6.1.4.1.9.9.273.1.3.1.1.8

Counter

The number of packets sent to the client.

cDot11ClientBytesSent

1.3.6.1.4.1.9.9.273.1.3.1.1.9

Counter

The number of bytes sent to the client.

cDot11ClientMsduRetries

1.3.6.1.4.1.9.9.273.1.3.1.1.11

Counter

The counter increases when it successfully transmits an MSDU after one or more retransmissions.

cDot11ClientMsduFails

1.3.6.1.4.1.9.9.273.1.3.1.1.12

Counter

The counter increments when the client fails to transmit an MSDU successfully because the number of transmit attempts exceeds a certain limit.
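Several counters in Table 5 (deauthentications, disassociations, MIC failures, CCMP replay discards) are the ones a monitoring rule would watch between polls. The following Python sketch is an added example, not part of the Cisco documentation: it computes per-interval deltas from two polls, handling counter wrap and the reset that follows a device restart. The Counter32 width, the trailing interface index on each OID, the uptime field, the thresholds, and the sample polls are all assumptions constructed for this example.

```python
COUNTER_MODULUS = 2 ** 32  # assumption: "Counter" in Table 5 means Counter32

# Column OIDs copied from Table 5. The per-interval alert thresholds are
# constructed for this example and need tuning for a real deployment.
DEAUTH = "1.3.6.1.4.1.9.9.273.1.1.3.1.5"
DISASSOC = "1.3.6.1.4.1.9.9.273.1.1.3.1.6"
MIC_LOCAL = "1.3.6.1.4.1.9.9.273.1.1.4.1.2"
MIC_REMOTE = "1.3.6.1.4.1.9.9.273.1.1.4.1.3"
CCMP_REPLAY = "1.3.6.1.4.1.9.9.273.1.1.4.1.5"
WATCHED = {
    DEAUTH: ("cDot11AssStatsDeauthenticated", 20),
    DISASSOC: ("cDot11AssStatsDisassociated", 20),
    MIC_LOCAL: ("cd11IfCipherTkipLocalMicFailures", 1),
    MIC_REMOTE: ("cd11IfCipherTkipRemotMicFailures", 1),
    CCMP_REPLAY: ("cd11IfCipherCcmpReplaysDiscarded", 10),
}

# Constructed polls: uptime in seconds, values keyed by "column.ifIndex".
POLL_A = {"uptime": 86400,
          "values": {DEAUTH + ".1": 4294967290, MIC_LOCAL + ".1": 0,
                     CCMP_REPLAY + ".1": 5}}
POLL_B = {"uptime": 86700,
          "values": {DEAUTH + ".1": 30, MIC_LOCAL + ".1": 0,
                     CCMP_REPLAY + ".1": 9}}
POLL_C = {"uptime": 120,  # lower uptime than POLL_B: the device restarted
          "values": {DEAUTH + ".1": 3, MIC_LOCAL + ".1": 2,
                     CCMP_REPLAY + ".1": 0}}


def counter_delta(previous, current, restarted):
    """Increase of a counter between two polls."""
    if restarted:
        return current  # counters count from the restart, so start at zero
    if current < previous:
        return current + COUNTER_MODULUS - previous  # counter wrapped
    return current - previous


def evaluate(prev_poll, curr_poll):
    """Return alerts for watched counters whose delta reaches the threshold."""
    restarted = curr_poll["uptime"] < prev_poll["uptime"]
    alerts = []
    for oid, value in curr_poll["values"].items():
        column, _, index = oid.rpartition(".")
        if column not in WATCHED:
            continue
        previous = prev_poll["values"].get(oid)
        if previous is None:
            continue  # no baseline for this instance yet
        name, threshold = WATCHED[column]
        delta = counter_delta(previous, value, restarted)
        if delta >= threshold:
            alerts.append({"object": name, "ifIndex": index, "delta": delta})
    return sorted(alerts, key=lambda a: (a["object"], a["ifIndex"]))


if __name__ == "__main__":
    print(evaluate(POLL_A, POLL_B))
    print(evaluate(POLL_B, POLL_C))
```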

Configuring SNMP from the WGB CLI

The following CLI commands are used for SNMP configuration.


Note


  • The SNMP CLI logic has been modified: all SNMP parameters must be configured before you enable the SNMP feature with the configure snmp enabled command.

  • All SNMP-related configuration is removed automatically when you disable the SNMP feature.


Procedure


Step 1

Enter the SNMP v2c community ID number (SNMP v2c only).

Device#configure snmp v2c community-id <length 1-64>

Step 2

Specify the SNMP protocol version.

Device#configure snmp version {v2c | v3}

Step 3

Specify the SNMP v3 authentication protocol (SNMP v3 only).

Device#configure snmp auth-method <md5 | sha>

Step 4

Enter the SNMP v3 username (SNMP v3 only).

Device#configure snmp v3 username <length 32>

Step 5

Enter the SNMP v3 user password (SNMP v3 only).

Device#configure snmp v3 password <length 8-64>

Step 6

Specify the SNMP v3 encryption protocol (SNMP v3 only).

Device#configure snmp encryption {des | aes | none}

Note

Possible encryption values are des or aes. Alternatively, enter none if a v3 encryption protocol is not needed.

Step 7

Enter the SNMP v3 encryption passphrase (SNMP v3 only).

Device#configure snmp secret <length 8-64>

Step 8

Enable SNMP functionality in WGB.

Device#configure snmp enabled

To configure SNMP v2c, repeat Step 1 through Step 2 and Step 8.

To configure SNMP v3, repeat Step 2 through Step 8.

Step 9

Disable SNMP configuration.

Device#configure snmp disabled

When SNMP is disabled, all related configuration is removed.


Example

Example of SNMP configuration.

  • CLI for configuring SNMP v2c:

    Device#configure snmp v2c community-id <length 1-64>
    Device#configure snmp version v2c
    Device#configure snmp enabled
  • CLI for configuring SNMP v3 (security level AuthPriv):

    Device#configure snmp auth-method <md5|sha>
    Device#configure snmp v3 username <length 32>
    Device#configure snmp v3 password <length 8-64>
    Device#configure snmp secret <length 8-64>
    Device#configure snmp encryption <aes|des>
    Device#configure snmp version v3
    Device#configure snmp enabled
  • CLI for configuring SNMP v3 (security level AuthNoPriv):

    Device#configure snmp auth-method <md5|sha>
    Device#configure snmp v3 username <length 32>
    Device#configure snmp v3 password <length 8-64>
    Device#configure snmp encryption none
    Device#configure snmp version v3
    Device#configure snmp enabled

Verifying SNMP from WGB CLI

Use the following show command to verify the SNMP configuration.

  • Show output of SNMP version v3:

    Device# show snmp
    SNMP: enabled
    Version: v3
    Community ID: test
    Username: username
    Password: password
    Authentication method: SHA
    Encryption: AES
    Encryption Passphrase: passphrase
    Engine ID: 0x8000000903c0f87fe5f314
    
  • Show output of SNMP version v2c:

    Device# show snmp
    SNMP: enabled
    Version: v2c
    Community ID: test
    Username: username
    Password: password
    Authentication method: SHA
    Encryption: AES
    Encryption Passphrase: passphrase
    Engine ID: 0x8000000903c0f87fe5f314
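A check that can be run over saved show snmp output, as an added example that is not part of the original documentation. It flags the weaker choices the CLI accepts (v2c, md5, des, none); the sample text is constructed in the layout shown above, and the way an unset encryption value is displayed is an assumption.

```python
# Constructed sample in the field layout of the "show snmp" output on this page.
SAMPLE_V3 = """\
SNMP: enabled
Version: v3
Community ID: test
Username: username
Password: password
Authentication method: MD5
Encryption: DES
Encryption Passphrase: passphrase
"""

def parse_show_snmp(text):
    """Turn 'Key: value' lines into a dict with lower-cased keys."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip().lower()] = value.strip()
    return fields

def audit_snmp(text):
    """Return a list of findings for an enabled SNMP configuration."""
    f = parse_show_snmp(text)
    if f.get("snmp", "").lower() != "enabled":
        return []
    findings = []
    version = f.get("version", "").lower()
    if version == "v2c":
        # v2c has no per-user authentication or encryption; the community
        # string travels unencrypted. Leftover v3 fields are ignored here.
        findings.append("v2c: community string is sent in cleartext")
    elif version == "v3":
        if f.get("authentication method", "").upper() == "MD5":
            findings.append("v3 authentication uses MD5; prefer sha")
        enc = f.get("encryption", "").upper()
        if enc in ("", "NONE"):   # assumption: how 'encryption none' is displayed
            findings.append("v3 without encryption (AuthNoPriv)")
        elif enc == "DES":
            findings.append("v3 encryption uses DES; prefer aes")
    return findings

if __name__ == "__main__":
    for finding in audit_snmp(SAMPLE_V3):
        print("FINDING:", finding)
```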
    

Support for QoS ACL Classification and Marking

Starting from Cisco Unified Industrial Wireless Software Release 17.14.1, the WGB allows you to classify packets from its two wired ports and mark them for different access control driver queues according to the user configuration.

In addition to TCP or UDP, WGB also supports ethertype-based and DSCP-based classification. To meet the jitter and latency requirement, the WGB must classify packets and assign them to different access control queues based on the field environment.

Overview

WGB allows you to create custom rules to map incoming packets from an Ethernet port to specific priority queues on the wireless side. WGB offers the functionality to map upstream data traffic based on either IEEE 802.1p (dot1p) or Differentiated Services Code Point (DSCP).

You can configure the rules based on Ethernet type (for example, Profinet), transport layer port numbers or port range, and DSCP. The rules ensure that packets are forwarded to the different access control queues on the wireless network, facilitating efficient QoS enforcement.

As incoming packets arrive at the Ethernet port, the WGB directs them to a specific access control queue on the wireless side using a customized rule-based mapping.

The customized rule dictates the classification and assignment of packets to different access control queues based on predetermined criteria such as source/destination IP addresses, port numbers, or protocol types. Once defined, the rules identify critical services or traffic within the incoming packets. Matching these critical services using the defined rules enables mapping them to higher priority queues within the network infrastructure.

Using rule-based traffic classification and mapping on the WGB, you can effectively manage and prioritize network traffic to meet the specific demands of critical applications and services. This approach enables you to enforce QoS policies effectively within your network to maintain optimal network performance, minimize latency for critical services, and enhance the overall user experience.

Traffic Classification Based on QoS and ACL

Classification is the process of distinguishing one kind of traffic from another by examining the fields in the packet. The device enables classification only when QoS is enabled.

During classification, the device performs a lookup and assigns a QoS label to the packet. The QoS label indicates all QoS actions to perform on the packet and identifies the queue from which the packet is sent.

Layer 2 Ethernet frames use the ethertype field to carry classification information. The ethertype field, typically 2 bytes in size, normally indicates the type of data encapsulated in the frames.

Layer 3 IP packets carry the classification information in the 8-bit type of service (ToS) field. The ToS field carries either an IP precedence value or a Differentiated Services Code Point (DSCP) value. IP precedence values range from 0 to 7. DSCP values range from 0 to 63.

Layer 4 TCP segments or UDP datagrams carry the classification information in the source or destination port field. These port fields specify the port numbers associated with the sender and receiver of the data, enabling networking devices to classify traffic based on predetermined criteria.

The system assigns traffic to a specific service class based on ethertype, DSCP, or UDP/TCP port (or port range), treating packets within the service class consistently. The WGB helps to classify different packets from the two wired ports and map them to the different driver queues according to the user configuration.

The data plane statistics provide counts of how many times each rule is hit by network traffic. These counters are essential for network administrators to analyse the effectiveness of their rules and policies, and optimize network performance.

The control plane is the part of a network architecture responsible for managing and configuring how data is forwarded through the network.

Figure 3. Flowchart of traffic flows from WGB ethernet port

When QoS is disabled, access points follow the legacy mapping behavior and perform the following:

  1. Retrieve the Tag Control Information (TCI) priority from the VLAN element for the specified ethertype 0x8100.

  2. For ethertype 0x8892 (profinet) QoS mapping, assign the TCI priority as 6.

  3. For ethertype 0x0800 (IP) and 0x86DD (IPv6), the DSCP priority is set according to the default dscp2dot1p mapping table.

    ======= dscp mapping =======
    Default dscp2dot1p Table Value:
    [0]->0 [1]->0 [2]->0 [3]->0 [4]->0 [5]->0 [6]->0 [7]->0
    [8]->1 [9]->1 [10]->1 [11]->1 [12]->1 [13]->1 [14]->1 [15]->1
    [16]->2 [17]->2 [18]->2 [19]->2 [20]->2 [21]->2 [22]->2 [23]->2
    [24]->3 [25]->3 [26]->3 [27]->3 [28]->3 [29]->3 [30]->3 [31]->3
    [32]->4 [33]->4 [34]->4 [35]->4 [36]->4 [37]->4 [38]->4 [39]->4
    [40]->5 [41]->5 [42]->5 [43]->5 [44]->5 [45]->5 [46]->5 [47]->5
    [48]->6 [49]->6 [50]->6 [51]->6 [52]->6 [53]->6 [54]->6 [55]->6
    [56]->7 [57]->7 [58]->7 [59]->7 [60]->7 [61]->7 [62]->7 [63]->7
    

When QoS is enabled, access points perform the following:

  1. The priority for an ethertype QoS mapping 0x8892 (profinet) is based on the configuration setting.

  2. For ethertype 0x0800 (IP) and 0x86DD (IPv6), the priority is based on mapping rules that consider port or DSCP.

    • Check the UDP/TCP port (or port range) rule.

    • Check the DSCP rule.

  3. Assign the user priority value 0 to non-IPv4/IPv6 packets.

  4. If there is no rule configuration, the QoS profile follows the legacy mapping behavior.


Note


If an 802.1p priority exists, it overrides any customised rule.
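The two mapping behaviors described above, written out as a small classifier. This is an added example, not Cisco code: the Frame and Profile types are hypothetical, and the order "port rule before DSCP rule", first-match semantics for port rules, and priority 0 for cases the page leaves open are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

IP_TYPES = (0x0800, 0x86DD)        # IPv4, IPv6
PROFINET = 0x8892

@dataclass
class Frame:                        # header fields the classification looks at
    ethertype: int
    pcp: Optional[int] = None       # 802.1p priority from a VLAN tag, None if untagged
    dscp: int = 0
    sport: Optional[int] = None
    dport: Optional[int] = None

@dataclass
class Profile:                      # hypothetical model of one enabled qos-mapping profile
    ethtype: dict = field(default_factory=dict)   # {ethertype: priority}
    ports: list = field(default_factory=list)     # [(src_range, dst_range, priority)]
    dscp: dict = field(default_factory=dict)      # {dscp: priority}

def legacy(f):
    """Mapping used when QoS is disabled or no rule is configured."""
    if f.pcp is not None:
        return f.pcp                # TCI priority from the 0x8100 VLAN element
    if f.ethertype == PROFINET:
        return 6
    if f.ethertype in IP_TYPES:
        return f.dscp >> 3          # default dscp2dot1p table: eight DSCP values per priority
    return 0                        # assumption: the page does not cover this case

def in_range(port, rng):
    return rng is None or (port is not None and rng[0] <= port <= rng[1])

def classify(f, profile=None):
    if profile is None or not (profile.ethtype or profile.ports or profile.dscp):
        return legacy(f)
    if f.pcp is not None:
        return f.pcp                # an existing 802.1p priority overrides custom rules
    if f.ethertype not in IP_TYPES:
        return profile.ethtype.get(f.ethertype, 0)   # priority 0 without an ethertype rule
    for src, dst, prio in profile.ports:             # assumption: port rules are checked first
        if in_range(f.sport, src) and in_range(f.dport, dst):
            return prio
    return profile.dscp.get(f.dscp, f.dscp >> 3)     # DSCP rule, else default table

# Rules taken from the command examples on this page (demo-profile).
DEMO = Profile({PROFINET: 5}, [((5050, 5070), (8000, 8000), 3)], {63: 4})
```

With DEMO, an untagged IPv4 packet with DSCP 63 from source port 5060 to destination port 8000 gets priority 3 from the port rule; the same packet from source port 1 falls through to the DSCP rule and gets priority 4.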


Configuring Quality of Service Mapping Profile

The following commands allow users to define the different classification rules for configuring WGB QoS mapping.

Procedure


Step 1

Enable the QoS mapping profile.

Device#config wgb qos-mapping <profile-name > enable

Example:

Device#configure wgb qos-mapping demo-profile enable

Step 2

WGB QoS mapping profile rules based on ethernet type.

The below command is used to set the rules based on ethernet frame type.

  • Add rules based on ethernet type.

    Device#config wgb qos-mapping <profile-name > add ethtype hex <number > priority <0-7 >

Example:

Device#configure wgb qos-mapping demo-profile add ethtype hex 8892 priority 5

If the command specifies a profile that does not exist, it creates a new empty profile and then adds the mapping rule to it.

  • Delete rules based on ethernet type

    Device#config wgb qos-mapping <profile-name > delete ethtype hex <number >

Example:

Device#configure wgb qos-mapping demo-profile delete ethtype hex 8892

The command will issue a warning message if it specifies a profile that does not exist. Furthermore, if deleting the specified mapping rule leaves the profile empty, it will be automatically removed.

Step 3

Rules based on port-id/range.

The below command is used to set the rules based on L4 port id/range.

  • Add rules based on port-id/range.

    Device#config wgb qos-mapping <profile-name > add srcport <number > | <range <start-number > <end-number >> [dstport <number > | <range <start-number > <end-number >>] priority <0-7 >

Example:

Device#configure wgb qos-mapping demo-profile add srcport range 5050 5070 dstport 8000 priority 3

If the command specifies a profile that does not exist, it creates a new empty profile and then adds the mapping rule to it.

  • Delete rules based on port-id/range.

    Device#config wgb qos-mapping <profile-name > delete [srcport <number > | <range <start-number > <end-number >> [dstport <number > | <range <start-number > <end-number >>]]

Example:

Device#configure wgb qos-mapping demo-profile delete srcport range 5050 5070 dstport 8000

The command will issue a warning message if it specifies a profile that does not exist. Furthermore, if deleting the specified mapping rule leaves the profile empty, it will be automatically removed.

Step 4

Rules based on DSCP.

The below command is used to set the rules based on IPv4/IPv6 packet DSCP value.

  • Add

    Device#config wgb qos-mapping <profile-name > add dscp <number > priority < 0-7 >

Example:

Device#configure wgb qos-mapping demo-profile add dscp 63 priority 4

If the command specifies a profile that does not exist, it creates a new empty profile and then adds the mapping rule to it.

  • Delete

    Device#config wgb qos-mapping <profile-name > delete dscp <number > priority < 0-7 >

Example:

Device#configure wgb qos-mapping demo-profile delete dscp 63

The command will issue a warning message if it specifies a profile that does not exist. Furthermore, if deleting the specified mapping rule leaves the profile empty, it will be automatically removed.

Note

 

After deleting the DSCP mapping rule, the rules are reset to the default values of the DSCP mapping.

Step 5

Disable the QoS mapping profile.

Device#config wgb qos-mapping <profile-name > disable

Example:

Device#configure wgb qos-mapping demo-profile disable

When the profile is disabled, the command clears it from the datapath and retains it in the WGB configuration file. If the specified profile does not exist, the command issues a warning message and does not create a new empty profile.

Step 6

Delete the QoS mapping profile.

Device#config wgb qos-mapping <profile-name > delete

Example:

Device#configure wgb qos-mapping demo-profile delete

When deleted, the profile is removed from data path and WGB configuration.


Verifying WGB Quality of Service Mapping

To verify the WGB QoS mapping configuration on the Control Plane, run the show wgb qos-mapping command.

Device# show wgb qos-mapping

Number of QoS Mapping Profiles: 2
====================================
Profile name : qos1
Profile status : active
Number of Rules: 8
Rules:
L4 srcport : 31000-31100, dstport : 6666-7777, priority : 7
L4 srcport : 23000, dstport : N/A, priority : 3
L4 srcport : N/A, dstport : 20000-20100, priority : 5
L4 srcport : N/A, dstport : 2222, priority : 2
L4 srcport : 12300-12500, dstport : N/A, priority : 6
IPv4/IPv6 dscp: 43, priority : 1
Ethernet type : 0x8892, priority : 0
L4 srcport : 8888, dstport : 9999, priority : 4
Profile name : qos2
Profile status : inactive
Number of Rules: 8
Rules:
L4 srcport : 31000-31100, dstport : 6666-7777, priority : 2
L4 srcport : 23000, dstport : N/A, priority : 6
L4 srcport : N/A, dstport : 20000-20100, priority : 4
L4 srcport : N/A, dstport : 2222, priority : 7
L4 srcport : 12300-12500, dstport : N/A, priority : 3
IPv4/IPv6 dscp: 43, priority : 0
Ethernet type : 0x8892, priority : 1
L4 srcport : 8888, dstport : 9999, priority : 5

To verify the WGB QoS mapping configuration on the Data Plane, run the show datapath qos-mapping rule command.

Device# show datapath qos-mapping rule

Status: active
QoS Mapping entries
======= dscp mapping =======
Default dscp2dot1p Table Value:
[0]->0 [1]->0 [2]->0 [3]->0 [4]->0 [5]->0 [6]->0 [7]->0
[8]->1 [9]->1 [10]->1 [11]->1 [12]->1 [13]->1 [14]->1 [15]->1
[16]->2 [17]->2 [18]->2 [19]->2 [20]->2 [21]->2 [22]->2 [23]->2
[24]->3 [25]->3 [26]->3 [27]->3 [28]->3 [29]->3 [30]->3 [31]->3
[32]->4 [33]->4 [34]->4 [35]->4 [36]->4 [37]->4 [38]->4 [39]->4
[40]->5 [41]->5 [42]->5 [43]->5 [44]->5 [45]->5 [46]->5 [47]->5
[48]->6 [49]->6 [50]->6 [51]->6 [52]->6 [53]->6 [54]->6 [55]->6
[56]->7 [57]->7 [58]->7 [59]->7 [60]->7 [61]->7 [62]->7 [63]->7
active dscp2dot1p Table Value:
[0]->0 [1]->0 [2]->0 [3]->0 [4]->0 [5]->0 [6]->0 [7]->0
[8]->1 [9]->1 [10]->1 [11]->1 [12]->1 [13]->1 [14]->1 [15]->1
[16]->7 [17]->2 [18]->2 [19]->2 [20]->2 [21]->2 [22]->2 [23]->2
[24]->3 [25]->3 [26]->3 [27]->3 [28]->3 [29]->3 [30]->3 [31]->3
[32]->4 [33]->4 [34]->4 [35]->4 [36]->4 [37]->4 [38]->4 [39]->4
[40]->5 [41]->5 [42]->5 [43]->5 [44]->5 [45]->5 [46]->5 [47]->5
[48]->6 [49]->6 [50]->6 [51]->6 [52]->6 [53]->6 [54]->6 [55]->6
[56]->7 [57]->7 [58]->7 [59]->7 [60]->7 [61]->7 [62]->7 [63]->7
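To confirm that the datapath carries only the DSCP overrides you intended, the default and active tables in this output can be compared programmatically. The following is an added example, not part of the original documentation; the sample text is constructed and shortened to two rows per table.

```python
import re

# Constructed, shortened sample in the layout of "show datapath qos-mapping rule".
SAMPLE = """\
Status: active
======= dscp mapping =======
Default dscp2dot1p Table Value:
[8]->1 [9]->1 [10]->1 [11]->1 [12]->1 [13]->1 [14]->1 [15]->1
[16]->2 [17]->2 [18]->2 [19]->2 [20]->2 [21]->2 [22]->2 [23]->2
active dscp2dot1p Table Value:
[8]->1 [9]->1 [10]->3 [11]->1 [12]->1 [13]->1 [14]->1 [15]->1
[16]->7 [17]->2 [18]->2 [19]->2 [20]->0 [21]->2 [22]->2 [23]->2
"""

HEADER = re.compile(r"\s*(default|active) dscp2dot1p table value:", re.I)
ENTRY = re.compile(r"\[(\d+)\]->(\d+)")

def parse_tables(text):
    """Return {'default': {dscp: prio}, 'active': {dscp: prio}}."""
    tables, current = {}, None
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            current = tables.setdefault(header.group(1).lower(), {})
        elif current is not None:
            for dscp, prio in ENTRY.findall(line):
                current[int(dscp)] = int(prio)
    return tables

def dscp_overrides(text):
    """Map each DSCP whose active priority differs to (default, active)."""
    tables = parse_tables(text)
    default, active = tables.get("default", {}), tables.get("active", {})
    return {d: (default.get(d), p)
            for d, p in sorted(active.items()) if default.get(d) != p}

def raised(text):
    """Overrides that move a DSCP value to a higher priority than its default."""
    return {d: v for d, v in dscp_overrides(text).items()
            if v[0] is not None and v[1] > v[0]}

if __name__ == "__main__":
    for dscp, (old, new) in dscp_overrides(SAMPLE).items():
        print(f"dscp {dscp}: default {old} -> active {new}")
```

Each override reported here should correspond to a dscp rule in the active profile and to a row in the show datapath qos-mapping statistics output.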

To verify the WGB QoS mapping statistics on Data Plane, run the show datapath qos-mapping statistics command.

Device# show datapath qos-mapping statistics

======= pkt stats per dscp-mapping rule =======
dscp up pkt_cnt
16 7 0

To clear the WGB QoS mapping statistics on Data Plane, run the clear datapath qos-mapping statistics command.


Note


The command clears packet count statistics per rule on data-plane.