In this post we will see how to configure a WGB to support multiple VLANs for the wired clients behind the WGB. Here is the topology for this post, where VLAN7 & VLAN8 are defined for the wired clients behind the WGB. VLAN20 is used as the native VLAN, and AAP1, WGB & CAT5 are assigned IPs in that VLAN.
In Autonomous mode, the WGB should be an “infrastructure-client” in order to support multiple VLANs.
Here is the CAT2 configuration where the DHCP pools & SVI are defined.
ip dhcp excluded-address 192.168.7.1 192.168.7.99
ip dhcp excluded-address 192.168.8.1 192.168.8.99
ip dhcp excluded-address 192.168.20.1 192.168.20.99
!
ip dhcp pool VLAN7
 network 192.168.7.0 255.255.255.0
 default-router 192.168.7.1
 domain-name mrn.com
 dns-server 192.168.200.1
 address 192.168.7.100 client-id 0100.1f16.18df.ec <- PC IP reservation
!
ip dhcp pool VLAN8
 network 192.168.8.0 255.255.255.0
 default-router 192.168.8.1
 domain-name mrn.com
 dns-server 192.168.200.1
 address 192.168.8.100 client-id 0000.18fe.a5dc.3e <- Printer IP reservation
!
ip dhcp pool vlan20
 network 192.168.20.0 255.255.255.0
 default-router 192.168.20.254
 dns-server 192.168.200.1 192.231.203.132 192.231.203.3
 domain-name mrn.com
 address 192.168.20.120 client-id 0144.d3ca.af43.43 <- WGB IP reservation
!
interface FastEthernet1/0/13
 description TEMP-AAP1-1142
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 20
 switchport mode trunk
You can configure AAP1 as shown below. Note that the SSID is configured as “infrastructure-ssid” so that only infrastructure devices can associate to it. Dot11Radio 1 is also configured as “infrastructure-client” to make sure the WGB associates in “infrastructure-client” mode. This is mandatory to support multiple VLANs behind the WGB in this IOS-AP-WGB mode. (In the Unified method, a client-mode WGB still supports this feature with “workgroup-bridge unified-vlan-client” on the WGB.) It also gives reliability for multicast traffic to the clients behind the WGB. WLAN security is configured with WPA2-PSK.
hostname AAP1
dot11 ssid MRN-WGB
 vlan 20
 authentication open
 authentication key-management wpa version 2
 infrastructure-ssid
 wpa-psk ascii MRN-CCIEW
!
interface Dot11Radio1
 encryption vlan 20 mode ciphers aes-ccm
 ssid MRN-WGB
 station-role root
 infrastructure-client
!
interface Dot11Radio1.7
 encapsulation dot1Q 7
 bridge-group 7
!
interface Dot11Radio1.8
 encapsulation dot1Q 8
 bridge-group 8
!
interface Dot11Radio1.20
 encapsulation dot1Q 20 native
 bridge-group 1
!
interface GigabitEthernet0.7
 encapsulation dot1Q 7
 bridge-group 7
!
interface GigabitEthernet0.8
 encapsulation dot1Q 8
 bridge-group 8
!
interface GigabitEthernet0.20
 encapsulation dot1Q 20 native
 bridge-group 1
!
interface BVI1
 ip address 192.168.20.99 255.255.255.0
 no ip route-cache
!
ip default-gateway 192.168.20.254
sntp server 10.10.205.20
The WGB can be configured as shown below. The “station-role” should be “workgroup-bridge”.
hostname WGB
dot11 ssid MRN-WGB
 vlan 20
 authentication open
 authentication key-management wpa version 2
 infrastructure-ssid
 wpa-psk ascii MRN-CCIEW
!
interface Dot11Radio1
 encryption vlan 20 mode ciphers aes-ccm
 ssid MRN-WGB
 station-role workgroup-bridge
!
interface Dot11Radio1.7
 encapsulation dot1Q 7
 bridge-group 7
!
interface Dot11Radio1.8
 encapsulation dot1Q 8
 bridge-group 8
!
interface Dot11Radio1.20
 encapsulation dot1Q 20 native
 bridge-group 1
!
interface GigabitEthernet0.7
 encapsulation dot1Q 7
 bridge-group 7
!
interface GigabitEthernet0.8
 encapsulation dot1Q 8
 bridge-group 8
!
interface GigabitEthernet0.20
 encapsulation dot1Q 20 native
 bridge-group 1
!
interface BVI1
 ip dhcp client client-id GigabitEthernet0 <- IP for WGB Mgmt purposes
 ip address dhcp
CAT5 (Switch Behind WGB) can be configured as follows.
vlan 7-8,20
!
interface GigabitEthernet0/1
 description WGB TRUNK
 switchport trunk native vlan 20
 switchport trunk allowed vlan 7-9,20
 switchport mode trunk
 switchport nonegotiate
 spanning-tree portfast trunk
!
interface GigabitEthernet0/7
 description WGB-PC
 switchport access vlan 7
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/8
 description WGB-Printer
 switchport access vlan 8
 switchport mode access
 spanning-tree portfast
!
interface Vlan20
 description SW-MGMT
 ip address 192.168.20.199 255.255.255.0
!
ip default-gateway 192.168.20.254
ntp server 10.10.205.20
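As an added example (not part of the original post), this Python check compares the VLANs the WGB bridges on its Ethernet subinterfaces with the VLANs the CAT5 trunk carries, so the trunk allowed list can be kept to exactly what is needed. The function names are hypothetical, and the input is constructed from the WGB and CAT5 configuration lines shown above.

```python
import re

# Constructed input: lines copied from the WGB and CAT5 configurations on this page.
WGB_WIRED = """
interface GigabitEthernet0.7
 encapsulation dot1Q 7
 bridge-group 7
interface GigabitEthernet0.8
 encapsulation dot1Q 8
 bridge-group 8
interface GigabitEthernet0.20
 encapsulation dot1Q 20 native
 bridge-group 1
"""
CAT5_TRUNK = """
interface GigabitEthernet0/1
 switchport trunk native vlan 20
 switchport trunk allowed vlan 7-9,20
"""

def wgb_vlans(cfg):
    """Return ({vlan: bridge_group}, native_vlan) from WGB subinterface stanzas."""
    pat = r"interface \S+\n encapsulation dot1Q (\d+)( native)?\n bridge-group (\d+)"
    found = re.findall(pat, cfg)
    native = next((int(v) for v, n, _ in found if n), None)
    return {int(v): int(g) for v, _, g in found}, native

def expand(vlan_list):
    """Expand an IOS VLAN list such as '7-9,20' into a set of ints."""
    out = set()
    for part in vlan_list.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def audit(wgb_cfg, trunk_cfg):
    """Compare the VLANs the WGB bridges with what the switch trunk carries."""
    bridged, native = wgb_vlans(wgb_cfg)
    allowed = expand(re.search(r"allowed vlan (\S+)", trunk_cfg).group(1))
    trunk_native = int(re.search(r"native vlan (\d+)", trunk_cfg).group(1))
    return {
        "allowed_but_not_bridged": sorted(allowed - set(bridged)),
        "bridged_but_not_allowed": sorted(set(bridged) - allowed),
        "native_vlan_match": native == trunk_native,
        "native_in_bridge_group_1": bridged.get(native) == 1,  # BVI1 uses bridge-group 1
    }

if __name__ == "__main__":
    print(audit(WGB_WIRED, CAT5_TRUNK))
```

On the configurations above it reports VLAN 9 as allowed on the CAT5 trunk with no matching WGB subinterface. The native VLAN matches on both sides and sits in bridge-group 1.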
Once this is configured, you can verify that the devices get IP addresses from each VLAN.
AAP1#sh dot11 associations client
802.11 Client Stations on Dot11Radio1:
SSID [MRN-WGB] :
MAC Address     IP address      Device      Name  Parent          State
0018.fea5.dc3e  192.168.8.100   WGB-client  -     44d3.caaf.4343  Assoc
001f.1618.dfec  192.168.7.100   WGB-client  -     44d3.caaf.4343  Assoc
58bf.ea59.f801  0.0.0.0         WGB-client  -     44d3.caaf.4343  Assoc
58bf.ea59.f841  192.168.20.199  WGB-client  -     44d3.caaf.4343  Assoc
Initially you can reach all of the wired clients behind the WGB, but a few minutes later you will notice that you cannot ping the printer IP. This is because the printer is a passive client: it initiates no traffic, so nothing keeps its MAC address in the WGB bridge table.
You can avoid this in the following ways.
1. Increase the aging-out timer
2. Add static entry in WGB for the passive client
You can configure the aging time for a bridge-group as follows. Configure a larger aging-time for the bridge group where the printer (or passive client) associates. In my case I will configure this for bridge-group 8.
WGB(config)#bridge ?
<1-255> Bridge Group number for Bridging.
crb Concurrent routing and bridging
irb Integrated routing and bridging
mac-address-table MAC-address table configuration commands
WGB(config)#bridge 8 ?
acquire Dynamically learn new, unconfigured stations
address Block or forward a particular Ethernet address
aging-time Set forwarding entry aging time
bitswap-layer3-addresses Bitswap embedded layer 3 MAC addresses
bridge Specify a protocol to be bridged in this bridge group
circuit-group Circuit-group
domain Establish multiple bridging domains
forward-time Set forwarding delay time
hello-time Set interval between HELLOs
lat-service-filtering Perform LAT service filtering
max-age Maximum allowed message age of received Hello BPDUs
priority Set bridge priority
protocol Specify spanning tree protocol
route Specify a protocol to be routed in this bridge group
subscriber-policy Subscriber group bridging
WGB(config)#bridge 8 aging-time ?
<10-1000000> Seconds
WGB(config)#bridge 8 aging-time 86400
You can achieve the same by configuring a static entry in the WGB bridge table. This way the given MAC address will not age out of the WGB table.
WGB(config)#bridge 8 ?
acquire Dynamically learn new, unconfigured stations
address Block or forward a particular Ethernet address
aging-time Set forwarding entry aging time
bitswap-layer3-addresses Bitswap embedded layer 3 MAC addresses
bridge Specify a protocol to be bridged in this bridge group
circuit-group Circuit-group
domain Establish multiple bridging domains
forward-time Set forwarding delay time
hello-time Set interval between HELLOs
lat-service-filtering Perform LAT service filtering
max-age Maximum allowed message age of received Hello BPDUs
priority Set bridge priority
protocol Specify spanning tree protocol
route Specify a protocol to be routed in this bridge group
subscriber-policy Subscriber group bridging
WGB(config)#bridge 8 address ?
H.H.H Ethernet mac-address
WGB(config)#bridge 8 address 0018.fea5.dc3e ?
discard Discard datagrams from/to this address
forward Forward datagrams from/to this address
WGB(config)#bridge 8 address 0018.fea5.dc3e forward ?
Async Async interface
Auto-Template Auto-Template interface
BVI Bridge-Group Virtual Interface
CDMA-Ix CDMA Ix interface
CTunnel CTunnel interface
Dialer Dialer interface
Dot11Radio Dot11 interface
GigabitEthernet GigabitEthernet IEEE 802.3z
LongReachEthernet Long-Reach Ethernet interface
Loopback Loopback interface
Multilink Multilink-group interface
Null Null interface
Tunnel Tunnel interface
Vif PGM Multicast Host interface
Virtual-Dot11Radio Virtual dot11 interface
Virtual-PPP Virtual PPP interface
Virtual-Template Virtual Template interface
Virtual-TokenRing Virtual TokenRing
vmi Virtual Multipoint Interface
WGB(config)#bridge 8 address 0018.fea5.dc3e forward g0.8
There are a few other timers available if you require further optimization of these timer values (introduced in the 12.4(25d)JA release & later). I have not changed the default timer values in this example.
WGB(config)#workgroup-bridge ?
client-vlan Ethernet client VLAN number
timeouts Fine tuning WGB time-outs config commands
unified-vlan-client Enable Unified VLAN client
WGB(config)#workgroup-bridge timeouts ?
assoc-response Association Response time-out value
auth-response Authentication Response time-out value
client-add client-add time-out value
eap-timeout EAP Timeout value
iapp-refresh IAPP Refresh time-out value
WGB(config)#workgroup-bridge timeouts assoc-response ?
<300-5000> Milli Seconds <- Default 5000 ms
WGB(config)#workgroup-bridge timeouts auth-response ?
<300-5000> Milli Seconds <- Default 5000 ms
WGB(config)#workgroup-bridge timeouts client-add ?
<300-5000> Milli Seconds <- Default 5000 ms
WGB(config)#workgroup-bridge timeouts eap-timeout ?
<2-60> Seconds <- Default 0
WGB(config)#workgroup-bridge timeouts iapp-refresh ?
<100-1000> Milli Seconds <- Default 5000 ms
In case the device behind the WGB does not support VLANs (a hub, for example), you can assign all wired clients to a single VLAN by using the “workgroup-bridge client-vlan <vlan-id>” command.
You can refer to the following reference guides for detailed CLI command explanations.
1. IOS Command Reference – Cisco IOS Releases 15.2(2)JA, 12.4(25d)JA, and 12.3(8)JEE
2. Cisco DOC-21999: WGB with multiple VLANs
Good post nayarasi !
Regarding this: have you heard about an issue with multicast traffic in which the WGB passes the multicast to its wired clients just in the native VLAN? I mean, the WGB would not support multicast traffic in different VLANs, but just in the native one. All this in a mesh network infrastructure.
Thank you!
I found this in the “Using Cisco Workgroup Bridges” based on “Cisco Wireless LAN Controller Lightweight Access Points Configuration Guide, Release 7.4” :
“The broadcast forwarding toward wired WGB clients works only on the native VLAN. If additional VLANs are configured, only the native VLAN forwards broadcast traffic.”
I assume this applies to multicast as well. It seems to me that this is supported just in one direction (from client WGB to WLC).
Sorry to bother you again, friend…
But... complementing the fact that this is supported in one direction is when wired clients in multiple VLANs behind the WGB obtain an IP by DHCP. This works fine. But in this case the broadcast packets (DHCP Discovery, DHCP request) GO to the WLC.