Since a WGB AP acts as a client, it can associate to any other AP (Autonomous or Lightweight). In this post we will see how a WGB associates with a CAPWAP AP. Here is the setup for this post (note that the CAPWAP AP acts as the root AP for the WGB).
There are a few guidelines you need to remember in this setup.
1. Only WGB in client mode is supported (so on the WGB, no infrastructure client configuration is required).
2. CCKM, H-REAP, Web Authentication and Idle timeout are not supported.
3. MAC filtering, link tests and idle timeout for wired clients connected to the WGB are not supported.
4. A WGB only supports 20 clients.
5. For a wired client behind the WGB to connect to an Anchor controller, you have to enable VLANs in WGB (using the config wgb vlan enable command).
Let’s test this with open authentication first; security will be added later on. First you have to define a WLAN (called WGB-CAPWAP) on the controller where the WGB can associate.
Now here is the configuration on the WGB (AAP2). It’s straightforward and very simple.
dot11 ssid WGB-CAPWAP
 authentication open
!
interface Dot11Radio1
 ssid WGB-CAPWAP
 station-role workgroup-bridge
I have configured the AAP2 BVI1 interface for DHCP to simulate a wired device behind the WGB. On the WLC, if you look at Monitor -> Clients you can see the WGB associated, and the client is shown as a WGB.
You can verify this via the WLC CLI as well.
(WLC2) >show wgb summary
WGB Vlan Client Support.......................... Disabled
Number of WGBs................................... 1
MAC Address       IP Address      AP Name           Status    WLAN Auth Protocol         Clients
----------------- --------------- ----------------- --------- ---- ---- ---------------- -------
68:ef:bd:0f:d9:5a 10.10.15.54     LAP2              Assoc     9    Yes  802.11n(5 GHz)   1

(WLC2) >show wgb detail 68:ef:bd:0f:d9:5a
Number of wired client(s): 1
MAC Address       IP Address      AP Name           Mobility   WLAN Auth
----------------- --------------- ----------------- ---------- ---- ----
00:1f:16:18:df:ec 10.10.15.52     LAP2              Local      9    Yes
Let’s say you want to tunnel this WGB wired client traffic to an Anchor controller (WLC1 with IP 10.10.111.10, not shown in the diagram). See the Auto-Anchor Mobility post to see how you can configure this.
Without enabling VLANs in WGB you cannot anchor a wired client onto the Anchor controller. You will see something like this when you try to connect a wired client to the WGB. Here is the WLC1 (Anchor) & WLC2 (Foreign) CLI output.
(WLC2) >show client summary
Number of Clients................................ 1
MAC Address       AP Name           Status        WLAN/GLAN      Auth Protocol         Port Wired
----------------- ----------------- ------------- -------------- ---- ---------------- ---- -----
68:ef:bd:0f:d9:5a LAP2              Excluded      9              No   802.11n(5 GHz)   29   No

(WLC2) >show client detail 68:ef:bd:0f:d9:5a
Client MAC Address............................... 68:ef:bd:0f:d9:5a
Client Username ................................. N/A
AP MAC Address................................... a0:cf:5b:9e:e8:20
AP Name.......................................... LAP2
Client State..................................... Excluded
Client NAC OOB State............................. Access
Workgroup Bridge................................. 0 client(s)
Wireless LAN Id.................................. 9
BSSID............................................ a0:cf:5b:9e:e8:27
Connected For ................................... 27 secs
Channel.......................................... 149
IP Address....................................... Unknown
Association Id................................... 0
Authentication Algorithm......................... Open System
Reason Code...................................... 1
Status Code...................................... 0
Session Timeout.................................. 1800
Client CCX version............................... 5
Client E2E version............................... No E2E support
Diagnostics Capability........................... Not Supported
S69 Capability................................... Not Supported
Mirroring........................................ Disabled
QoS Level........................................ Silver
802.1P Priority Tag.............................. disabled
WMM Support...................................... Enabled
Power Save....................................... OFF
Supported Rates.................................. 6.0,9.0,12.0,18.0,24.0,36.0,
    ............................................. 48.0,54.0
Mobility State................................... None
Mobility Move Count.............................. 0
Security Policy Completed........................ No
Policy Manager State............................. DHCP_REQD
Policy Manager Rule Created...................... Yes
ACL Name......................................... none
ACL Applied Status............................... Unavailable
NPU Fast Fast Notified........................... No
Policy Type...................................... N/A
Encryption Cipher................................ None
Management Frame Protection...................... No
EAP Type......................................... Unknown
Interface........................................ management
VLAN............................................. 112
Quarantine VLAN.................................. 0
Access VLAN...................................... 112
Client Capabilities:
Once you configure “config wgb vlan enable” on your controller you will see the wired client behind the WGB get an IP in VLAN 13 (provided by the Anchor controller, WLC1). Here are some verification commands.
(WLC1) >show wgb summary
WGB Vlan Client Support.......................... Enabled
Number of WGBs................................... 1
MAC Address       IP Address      AP Name           Status    WLAN Auth Protocol         Clients
----------------- --------------- ----------------- --------- ---- ---- ---------------- -------
68:ef:bd:0f:d9:5a 10.10.13.12     10.10.112.10      Assoc     9    Yes  Mobile           1

(WLC1) >show wgb detail 68:ef:bd:0f:d9:5a
Number of wired client(s): 1
MAC Address       IP Address      AP Name           Mobility   WLAN Auth
----------------- --------------- ----------------- ---------- ---- ----
5c:26:0a:65:8f:37 10.10.13.14     10.10.112.10      ExpAnchor  9    Yes

(WLC1) >show client summary
Number of Clients................................ 3
MAC Address       AP Name           Status        WLAN/GLAN      Auth Protocol         Port Wired
----------------- ----------------- ------------- -------------- ---- ---------------- ---- -----
00:1f:16:18:df:ec 10.10.112.10      Associated    9              No   Mobile           1    No
5c:26:0a:65:8f:37 10.10.112.10      Associated    9              Yes  Mobile           1    No
68:ef:bd:0f:d9:5a 10.10.112.10      Associated    9              Yes  Mobile           1    No

(WLC1) >show client detail 5c:26:0a:65:8f:37
Client MAC Address............................... 5c:26:0a:65:8f:37
Client Username ................................. N/A
AP MAC Address................................... 00:00:00:00:00:00
AP Name.......................................... N/A
Client State..................................... Associated
Client NAC OOB State............................. Access
Workgroup Bridge Client.......................... WGB: 68:ef:bd:0f:d9:5a
Wireless LAN Id.................................. 9
BSSID............................................ 00:00:00:00:00:ff
Connected For ................................... 775 secs
Channel.......................................... N/A
IP Address....................................... 10.10.13.14
Association Id................................... 0
Authentication Algorithm......................... Open System
Reason Code...................................... 1
Status Code...................................... 0
Session Timeout.................................. 1800
Client CCX version............................... No CCX support
Mirroring........................................ Disabled
QoS Level........................................ Silver
802.1P Priority Tag.............................. 3
WMM Support...................................... Disabled
Supported Rates..................................
Mobility State................................... Export Anchor
Mobility Foreign IP Address...................... 10.10.112.10
Mobility Move Count.............................. 1
Security Policy Completed........................ Yes
Policy Manager State............................. RUN
Policy Manager Rule Created...................... Yes
ACL Name......................................... none
ACL Applied Status............................... Unavailable
NPU Fast Fast Notified........................... Yes
Policy Type...................................... N/A
Encryption Cipher................................ None
Management Frame Protection...................... No
EAP Type......................................... Unknown
Interface........................................ vlan13
VLAN............................................. 13
Quarantine VLAN.................................. 0
Access VLAN...................................... 13
Here is the output on WLC2 (Foreign Controller)
(WLC2) >show wgb summary
WGB Vlan Client Support.......................... Enabled
Number of WGBs................................... 1
MAC Address       IP Address      AP Name           Status    WLAN Auth Protocol         Clients
----------------- --------------- ----------------- --------- ---- ---- ---------------- -------
68:ef:bd:0f:d9:5a 10.10.13.12     LAP2              Assoc     9    Yes  802.11n(5 GHz)   1

(WLC2) >show wgb detail 68:ef:bd:0f:d9:5a
Number of wired client(s): 1
MAC Address       IP Address      AP Name           Mobility   WLAN Auth
----------------- --------------- ----------------- ---------- ---- ----
5c:26:0a:65:8f:37 Unknown         LAP2              ExpForeign 9    Yes

(WLC2) >show client detail 5c:26:0a:65:8f:37
Client MAC Address............................... 5c:26:0a:65:8f:37
Client Username ................................. N/A
AP MAC Address................................... a0:cf:5b:9e:e8:20
AP Name.......................................... LAP2
Client State..................................... Associated
Client NAC OOB State............................. Access
Workgroup Bridge Client.......................... WGB: 68:ef:bd:0f:d9:5a
Wireless LAN Id.................................. 9
BSSID............................................ a0:cf:5b:9e:e8:27
Connected For ................................... 1078 secs
Channel.......................................... 149
IP Address....................................... Unknown
Association Id................................... 0
Authentication Algorithm......................... Open System
Reason Code...................................... 1
Status Code...................................... 0
Session Timeout.................................. 0
Client CCX version............................... No CCX support
Mirroring........................................ Disabled
QoS Level........................................ Silver
802.1P Priority Tag.............................. disabled
WMM Support...................................... Disabled
Power Save....................................... OFF
Supported Rates..................................
Mobility State................................... Export Foreign
Mobility Anchor IP Address....................... 10.10.111.10
Mobility Move Count.............................. 0
Security Policy Completed........................ Yes
Policy Manager State............................. RUN
Policy Manager Rule Created...................... Yes
ACL Name......................................... none
ACL Applied Status............................... Unavailable
NPU Fast Fast Notified........................... Yes
Policy Type...................................... N/A
Encryption Cipher................................ None
Management Frame Protection...................... No
EAP Type......................................... Unknown
Interface........................................ management
VLAN............................................. 112
Quarantine VLAN.................................. 0
Access VLAN...................................... 0
That’s pretty much it. I will leave the security settings for you to practice: add your preferred method of security for this WGB client.
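The verification in this post comes down to reading a handful of fields in the "show client detail" output on each controller. As an added example (not part of the original post), the Python below parses that dotted-leader format, including the wrapped Supported Rates line, and reports why a WGB client is not yet a healthy anchored client. The sample text is a constructed subset of the outputs on this page, and parse_detail and findings are hypothetical helper names.

```python
import re
# Constructed samples: subsets of the "show client detail" outputs on this page.
BEFORE = """\
Client State..................................... Excluded
Supported Rates.................................. 6.0,9.0,12.0,18.0,24.0,36.0,
    ............................................. 48.0,54.0
Mobility State................................... None
Policy Manager State............................. DHCP_REQD
Encryption Cipher................................ None
"""
AFTER = """\
Client State..................................... Associated
Connected For ................................... 775 secs
802.1P Priority Tag.............................. 3
Supported Rates..................................
Mobility State................................... Export Anchor
Policy Manager State............................. RUN
Encryption Cipher................................ None
"""

# "Key....... Value": lazy key, a run of leader dots, then an optional value.
FIELD = re.compile(r"^(.*?)\s*\.{3,}\s*(.*)$")

def parse_detail(text):
    """Dotted-leader lines -> dict; a leader-only line continues the previous value."""
    fields, last = {}, None
    for line in text.splitlines():
        m = FIELD.match(line.strip())
        if not m:
            continue
        key, val = m.group(1), m.group(2).strip()
        if key:
            fields[key], last = val, key
        elif last:  # wrapped value, e.g. Supported Rates
            fields[last] += val
    return fields

def findings(fields):
    """Hypothetical helper: reasons this client is not a healthy anchored client."""
    out = []
    if fields.get("Client State") != "Associated":
        out.append("client state is %s" % fields.get("Client State"))
    if fields.get("Policy Manager State") != "RUN":
        out.append("policy manager state is %s" % fields.get("Policy Manager State"))
    if fields.get("Mobility State") not in ("Export Anchor", "Export Foreign"):
        out.append("client is not anchored")
    if fields.get("Encryption Cipher") == "None":
        out.append("no over-the-air encryption (open WLAN)")
    return out
```

With the open-authentication WLAN used in this post, the encryption finding remains even after anchoring succeeds; it clears once a security method is added to the WLAN.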
Good afternoon
Can't understand one thing: why when configuring WGB with an autonomous AP we use the infrastructure client command on the root AP, but with a lightweight AP we should use the no infrastructure client command on the WGB access point?
The “Infrastructure Client” command is not mandatory, even in Autonomous mode. It is required if you want to provide some reliable multicast across to WGB clients or if you want to support multiple VLANs behind a WGB with an autonomous AP acting as root.
In lightweight AP as root, WGB in infrastructure mode is not supported.
HTH
Rasika
Rasika,
I’m confused about the part where it says CCKM is not supported.
Does this mean that the WLAN configuration on the WLC cannot use WPA2/AES + CCKM for when the WGB authenticates to the LWAPP?
Or does it mean that the WGB cannot use CCKM for any wireless clients that might want to connect to it?
This link here shows CCKM being a valid option, and the fastest one available for roaming (if the WGB is mobile).
http://www.cisco.com/c/en/us/support/docs/wireless/aironet-1130-ag-series/113198-wgb-roam-config.html#config3
Rasika Nayanajith your posts are the best regarding WLAN on the internet.
Well, I am confused and stuck on a little basic concept.
Is the CAPWAP tunnel between WLC/WLC and LAP/WLC wireless or is it wired?
Because in unified/centralized communication where a WLC supports 200+ APs, how can we have so many AP connections over the wire if it's not a wireless connection between AP and WLC? I mean, we can’t have that many switch chassis, etc.
Second, can the CAPWAP or EoIP tunnel between WLC and LAP or WLC and WLC be created over GRE/IPsec or any other Layer-3 tunnel?
Waiting for your quick reply.
CAPWAP tunnel is between AP & WLC.
EoIP tunnel is used between two WLCs when configuring mobility between them.
It will work over any L3 communication.
HTH
Rasika
Hi Rasika
Can this work with the CAPWAP AP configured as mode local or does it need to be mode bridge with role root?
Yes, it works with the CAPWAP AP in Local mode or FlexConnect. It does not need to be in Bridge mode.
HTH
Rasika