In this post we will see how to configure multiple VLANs on a workgroup bridge (WGB) in a Unified Wireless environment. This is useful if you want to put the wired clients behind a WGB into different VLANs. Here is the topology for this post, where we will create two different VLANs for the WGB clients. The WGB will associate to a unified wireless AP (LAP2) which is joined to WLC1.
On WLC1 we will have 3 dynamic interfaces for VLANs 8, 9 & 20 (vlan20 will be the WGB native VLAN) and a WLAN called MRN-WGB configured with WPA2-PSK. First of all you have to configure the necessary DHCP pools & SVI interfaces on CAT2. Also the WLC should be connected via a trunk port, and LAP2 is connected via an access port, as shown below.
ip dhcp excluded-address 192.168.8.1 192.168.8.99
ip dhcp excluded-address 192.168.9.1 192.168.9.99
ip dhcp excluded-address 192.168.20.1 192.168.20.99
!
ip dhcp pool VLAN9
 network 192.168.9.0 255.255.255.0
 default-router 192.168.9.1
 domain-name mrn.com
 dns-server 192.168.200.1
 ! PC IP reservation
 address 192.168.9.100 client-id 0100.1f16.18df.ec
!
ip dhcp pool VLAN8
 network 192.168.8.0 255.255.255.0
 default-router 192.168.8.1
 domain-name mrn.com
 dns-server 192.168.200.1
 ! Printer IP reservation
 address 192.168.8.100 client-id 0000.18fe.a5dc.3e
!
ip dhcp pool vlan20
 network 192.168.20.0 255.255.255.0
 default-router 192.168.20.254
 dns-server 192.168.200.1
 domain-name mrn.com
 ! CAT5 IP reservation
 address 192.168.20.199 client-id 0158.bfea.59f8.01
 ! WGB IP reservation
 address 192.168.20.120 client-id 0144.d3ca.af43.43
!
interface Vlan8
 ip address 192.168.8.1 255.255.255.0
!
interface Vlan9
 ip address 192.168.9.1 255.255.255.0
!
interface Vlan20
 ip address 192.168.20.254 255.255.255.0
!
interface GigabitEthernet1/0/1
 description WLC1 Port1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 8-18,20,23,111,113
 switchport mode trunk
 switchport nonegotiate
 mls qos trust cos
 spanning-tree portfast trunk
!
interface FastEthernet1/0/11
 description TEMP LAP2
 switchport access vlan 20
 switchport mode access
 mls qos trust dscp
 spanning-tree portfast
Here is the WLC1 config related to this. Since I have used a WLAN ID greater than 16, an AP group has to be configured to advertise this SSID. The radio policy is configured for "802.11a-only" since the WGB is configured on the 5GHz band.
(WLC1) >config interface create vlan20 20
(WLC1) >config interface address dynamic-interface vlan20 192.168.20.10 255.255.255.0 192.168.20.254
(WLC1) >config interface dhcp dynamic-interface vlan20 primary 192.168.20.254
(WLC1) >config interface port vlan20 1
(WLC1) >config interface create vlan8 8
(WLC1) >config interface address dynamic-interface vlan8 192.168.8.10 255.255.255.0 192.168.8.1
(WLC1) >config interface dhcp dynamic-interface vlan8 primary 192.168.8.1
(WLC1) >config interface port vlan8 1
(WLC1) >config interface create vlan9 9
(WLC1) >config interface address dynamic-interface vlan9 192.168.9.10 255.255.255.0 192.168.9.1
(WLC1) >config interface dhcp dynamic-interface vlan9 primary 192.168.9.1
(WLC1) >config interface port vlan9 1
(WLC1) >config wlan create 20 MRN-WGB MRN-WGB
(WLC1) >config wlan radio 20 802.11a-only
(WLC1) >config wlan broadcast-ssid disable 20
(WLC1) >config wlan security wpa wpa2 ciphers aes enable 20
(WLC1) >config wlan security wpa akm psk set-key ascii MRN-CCIEW 20
(WLC1) >config wlan enable 20
(WLC1) >config wlan apgroup add mrn-wgb "WGB AP GROUP"
(WLC1) >config wlan apgroup interface-mapping add mrn-wgb 20 vlan20
(WLC1) >config ap group-name mrn-wgb LAP2
Changing the AP's group name will cause the AP to reboot.
Are you sure you want to continue? (y/n) y
In order to have multiple VLAN support you have to configure the VLAN tagging feature on the WGB. When this feature is enabled, the WGB removes the 802.1q header when sending a packet from a VLAN client to the wireless LAN controller (WLC). In the other direction the WGB receives the packet for a VLAN client without an 802.1q header, and the WGB code adds the 802.1q header while forwarding the frame to the switch behind the WGB. Use the following CLI command on the WGB to enable this.
WGB(config)#workgroup-bridge unified-vlan-client
The WGB updates the WLC with the wired-client VLAN information in the Internet Access Point Protocol (IAPP) association message. The WLC treats the WGB client as a VLAN client and forwards the packet on the right VLAN interface based on the source MAC address.
In the upstream direction, the WGB removes the 802.1q header from the packet while sending it to the WLC. In the downstream direction, while forwarding the packet to the switch connecting the wired client, the WLC sends the packet to the WGB without the 802.1q tag and the WGB adds a 4-byte 802.1q header based on the destination MAC address.
Also note the "bridge 8 address 0018.fea5.dc3e forward GigabitEthernet0.8" command, which prevents a passive client behind the WGB from losing its connectivity. This command adds a permanent entry for this client into the WGB bridge table (it is required because a passive client does not trigger any traffic towards the network), and the WGB then advertises that entry to LAP2 via IAPP.
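To make the upstream/downstream tag handling and the effect of the permanent bridge entry concrete, here is a small Python model of the WGB bridge table (an added example, not code from the post or from Cisco's WGB software). It assumes 802.1Q tags with TPID 0x8100, native VLAN 20 carried untagged on the trunk, and a constructed gateway MAC for the sample frames; the names mac, strip_tag, add_tag and WGB are chosen for this example.

```python
# Added example: model of "workgroup-bridge unified-vlan-client" frame handling.
TPID = b"\x81\x00"   # 802.1Q tag protocol identifier
NATIVE_VLAN = 20     # native VLAN on the WGB/CAT5 trunk, as in the post


def mac(s):
    """Cisco dotted ('0018.fea5.dc3e') or colon form -> 6 raw bytes."""
    return bytes.fromhex(s.replace(".", "").replace(":", ""))


def strip_tag(frame):
    """Return (vid, untagged frame); an untagged frame belongs to the native VLAN."""
    if frame[12:14] == TPID:
        vid = int.from_bytes(frame[14:16], "big") & 0x0FFF
        return vid, frame[:12] + frame[16:]
    return NATIVE_VLAN, frame


def add_tag(frame, vid):
    """Insert the 4-byte 802.1Q header after dst/src MAC; native VLAN stays untagged."""
    if vid == NATIVE_VLAN:
        return frame
    return frame[:12] + TPID + (vid & 0x0FFF).to_bytes(2, "big") + frame[12:]


class WGB:
    """Bridge table of wired MAC -> VLAN, learned from upstream traffic or permanent."""

    def __init__(self):
        self.table = {}         # raw MAC -> (vid, permanent)
        self.iapp_updates = []  # (mac, vid) pairs the WGB reports to the LAP/WLC

    def add_permanent(self, mac_str, vid):
        """Equivalent of 'bridge <vid> address <mac> forward Gi0.<vid>' for a passive client."""
        self.table[mac(mac_str)] = (vid, True)
        self.iapp_updates.append((mac_str, vid))

    def upstream(self, frame):
        """Wired -> WLC: learn the source MAC's VLAN, report it via IAPP, forward untagged."""
        vid, untagged = strip_tag(frame)
        src = frame[6:12]
        if src not in self.table:
            self.table[src] = (vid, False)
            self.iapp_updates.append((src.hex(), vid))
        return untagged

    def downstream(self, frame):
        """WLC -> wired: re-tag by destination MAC; an unknown destination has no VLAN and is dropped."""
        entry = self.table.get(frame[:6])
        return None if entry is None else add_tag(frame, entry[0])
```

The printer case shows why the permanent entry matters: until it exists, a frame towards the passive printer has no VLAN to be tagged with and is dropped.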
Here is the full configuration of the WGB. I have assigned a DHCP IP (in native VLAN 20) to the WGB itself in order to manage it. This also helps to sync the WGB to an NTP server.
dot11 ssid MRN-WGB
 vlan 20
 authentication open
 authentication key-management wpa version 2
 wpa-psk ascii MRN-CCIEW
!
interface Dot11Radio1
 encryption vlan 20 mode ciphers aes-ccm
 ssid MRN-WGB
 station-role workgroup-bridge
!
interface Dot11Radio1.8
 encapsulation dot1Q 8
 bridge-group 8
!
interface Dot11Radio1.9
 encapsulation dot1Q 9
 bridge-group 9
!
interface Dot11Radio1.20
 encapsulation dot1Q 20 native
 bridge-group 1
!
interface GigabitEthernet0.8
 encapsulation dot1Q 8
 bridge-group 8
!
interface GigabitEthernet0.9
 encapsulation dot1Q 9
 bridge-group 9
!
interface GigabitEthernet0.20
 encapsulation dot1Q 20 native
 bridge-group 1
!
interface BVI1
 ip address dhcp client-id GigabitEthernet0
!
workgroup-bridge unified-vlan-client
bridge 8 address 0018.fea5.dc3e forward GigabitEthernet0.8
Here is the CAT5 configuration, where I have used dynamic IP assignment in order to check WGB client connectivity. You could assign the IP statically as well.
vlan 8-9,20
!
interface GigabitEthernet0/1
 description WGB TRUNK
 switchport trunk native vlan 20
 switchport trunk allowed vlan 7-9,20
 switchport mode trunk
 switchport nonegotiate
 spanning-tree portfast trunk
!
interface GigabitEthernet0/6
 description WGB-PC
 switchport access vlan 9
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/8
 description WGB-Printer
 switchport access vlan 8
 switchport mode access
 spanning-tree portfast
!
interface Vlan20
 description NetMgmt
 ip dhcp client client-id hex 0158BFEA59F801
 ip address dhcp
!
ip default-gateway 192.168.20.254
Now you can verify that the clients get IPs from each individual VLAN as expected.
WGB#sh bridge

Total of 300 station blocks, 291 free
Codes: P - permanent, S - self

Bridge Group 1:

    Address       Action   Interface   Age   RX count   TX count
001f.caca.ea4f   forward   Vi0.20      2     0          0
001a.e3a7.ff50   forward   Vi0.20      1     0          0
001a.e3a7.ff46   forward   Vi0.20      1     319        0
58bf.ea59.f801   forward   Gi0.20      0     23748      2

Bridge Group 8:

0018.fea5.dc3e   forward   Gi0.8       P     362        0
58bf.ea59.f801   forward   Gi0.8       0     23748      0

Bridge Group 9:

001f.1618.dfec   forward   Gi0.9       0     156349     0
58bf.ea59.f801   forward   Gi0.9       0     23109      0

WGB#show dot11 associations

802.11 Client Stations on Dot11Radio1:

SSID [MRN-WGB] :

MAC Address      IP address      Device         Name   Parent   State
001f.caca.ea4f   10.10.111.10    LWAPP-Parent   LAP2   -        Assoc

WGB#show dot11 associations 001f.caca.ea4f
Address           : 001f.caca.ea4f
Name              : LAP2
IP Address        : 10.10.111.10
Gateway Address   : 0.0.0.0
Netmask Address   : 0.0.0.0
Interface         : Dot11Radio 1
Device            : LWAPP-Parent
Software Version  : NONE
CCX Version       : 5
Client MFP        : On
State             : Assoc
Parent            : -
SSID              : MRN-WGB
VLAN              : 20
Hops to Infra     : 0
Association Id    : 1
Tunnel Address    : 0.0.0.0
Key Mgmt type     : WPAv2 PSK
Encryption        : AES-CCMP
Current Rate      : 54.0
Capability        : WMM
Supported Rates   : 24.0 36.0 48.0 54.0
Voice Rates       : disabled
Bandwidth         : 20 MHz
Signal Strength   : -23 dBm
Connected for     : 3060 seconds
Signal to Noise   : 72 dB
Activity Timeout  : 15 seconds
Power-save        : Off
Last Activity     : 0 seconds ago
Apsd DE AC(s)     : NONE
Packets Input     : 35230
Packets Output    : 11730
Bytes Input       : 5725422
Bytes Output      : 3095817
Duplicates Rcvd   : 0
Data Retries      : 171
Decrypt Failed    : 1763
RTS Retries       : 0
MIC Failed        : 0
MIC Missing       : 0
Packets Redirected: 0
Redirect Filtered : 0
From WLC you can verify the client connectivity as well.
(WLC1) >show wgb summary

WGB Vlan Client Support.......................... Enabled
Number of WGBs................................... 1

MAC Address       IP Address      AP Name           Status    WLAN Auth Protocol         Clients
----------------- --------------- ----------------- --------- ---- ---- ---------------- -------
44:d3:ca:af:43:43 192.168.20.120  LAP2              Assoc     20   Yes  802.11n(5 GHz)   4

(WLC1) >show wgb detail 44:d3:ca:af:43:43

Number of wired client(s): 4

MAC Address       IP Address      AP Name           Mobility   WLAN Auth
----------------- --------------- ----------------- ---------- ---- ----
58:bf:ea:59:f8:01 192.168.20.199  LAP2              Local      20   Yes
00:18:fe:a5:dc:3e 192.168.8.100   LAP2              Local      20   Yes
00:1f:16:18:df:ec 192.168.9.100   LAP2              Local      20   Yes
58:bf:ea:59:f8:41 192.168.20.199  LAP2              Local      20   Yes

(WLC1) >show client summary

Number of Clients................................ 5

MAC Address       AP Name           Status        WLAN/GLAN      Auth Protocol         Port Wired
----------------- ----------------- ------------- -------------- ---- ---------------- ---- -----
00:18:fe:a5:dc:3e LAP2              Associated    20             Yes  N/A              1    No
00:1f:16:18:df:ec LAP2              Associated    20             Yes  N/A              1    No
44:d3:ca:af:43:43 LAP2              Associated    20             Yes  802.11n(5 GHz)   1    No
58:bf:ea:59:f8:01 LAP2              Associated    20             Yes  N/A              1    No
58:bf:ea:59:f8:41 LAP2              Associated    20             Yes  N/A              1    No

(WLC1) >show client detail 58:bf:ea:59:f8:01
Client MAC Address............................... 58:bf:ea:59:f8:01
Client Username ................................. N/A
AP MAC Address................................... 00:1f:ca:ca:ea:40
AP Name.......................................... LAP2
Client State..................................... Associated
Client NAC OOB State............................. Access
Workgroup Bridge Client.......................... WGB: 44:d3:ca:af:43:43
Wireless LAN Id.................................. 20
BSSID............................................ 00:1f:ca:ca:ea:4f
Connected For ................................... 3978 secs
Channel.......................................... 36
IP Address....................................... 192.168.20.199
Association Id................................... 0
Authentication Algorithm......................... Open System
Reason Code...................................... 1
Status Code...................................... 0
Session Timeout.................................. 0
Client CCX version............................... No CCX support
Mirroring........................................ Disabled
QoS Level........................................ Silver
802.1P Priority Tag.............................. 3
WMM Support...................................... Disabled

(WLC1) >show client detail 44:d3:ca:af:43:43
Client MAC Address............................... 44:d3:ca:af:43:43
Client Username ................................. N/A
AP MAC Address................................... 00:1f:ca:ca:ea:40
AP Name.......................................... LAP2
Client State..................................... Associated
Client NAC OOB State............................. Access
Workgroup Bridge................................. 4 client(s)
Wireless LAN Id.................................. 20
BSSID............................................ 00:1f:ca:ca:ea:4f
Connected For ................................... 4002 secs
Channel.......................................... 36
IP Address....................................... 192.168.20.120
Association Id................................... 1
Authentication Algorithm......................... Open System
Reason Code...................................... 1
Status Code...................................... 0
Session Timeout.................................. 0
Client CCX version............................... 5
Client E2E version............................... No E2E support
Diagnostics Capability........................... Not Supported
S69 Capability................................... Not Supported
Mirroring........................................ Disabled

(WLC1) >show client detail 00:18:fe:a5:dc:3e
Client MAC Address............................... 00:18:fe:a5:dc:3e
Client Username ................................. N/A
AP MAC Address................................... 00:1f:ca:ca:ea:40
AP Name.......................................... LAP2
Client State..................................... Associated
Client NAC OOB State............................. Access
Workgroup Bridge Client.......................... WGB: 44:d3:ca:af:43:43
Wireless LAN Id.................................. 20
BSSID............................................ 00:1f:ca:ca:ea:4f
Connected For ................................... 4047 secs
Channel.......................................... 36
IP Address....................................... 192.168.8.100
Association Id................................... 0
Authentication Algorithm......................... Open System
Reason Code...................................... 1
Status Code...................................... 0
Session Timeout.................................. 0
Client CCX version............................... No CCX support
Mirroring........................................ Disabled
QoS Level........................................ Silver
802.1P Priority Tag.............................. 3
WMM Support...................................... Disabled
You can access the WGB via its GUI using its assigned IP (192.168.20.120).
You can refer to the following Cisco documents as well.
1. Mesh & WGB Multiple VLAN support config example
2. Outdoor Mesh Design Guide
In the next post we will see how to configure the WGB roaming related settings.
Related Posts
1. WGB Configuration
2. WGB with EAP-FAST
3. WGB with CAPWAP
4. WGB with PSK
5. WGB Roaming
6. WGB-IOS AP with Multiple VLAN
7. Packet Retries & Max-Retries
8. WGB Config Example
hello,
What about a firewall (PIX / ASA) behind a Unified Infrastructure WGB?
best regards
Why do you require an ASA/PIX behind a WGB? Normally a WGB is used to connect wired clients (or clients that do not have a wireless interface) to a wireless network, especially in a mobile environment.
Rasika
Hi Rasika,
Great blog! Minor comment: the WLC WGB VLAN support is disabled by default, so you will require WLC> 'config wgb vlan enable'. In my case I had to disable/enable my MRN-WGB to get the Unified-VLAN client (IP phone) connectivity.
Keep up the good work.
G
Hi Arian,
Thanks for highlighting it here. Really appreciated.
Rasika
Hi Rasika,
Very very helpful post here. One silly question with this Unified AP – WGB setup:
Would an OEAP connect to the WLC1 (5508) and work as expected if connected to one of the VLANs (8 or 9)? I want to somehow “extend” corporate SSID behind the WGB.
Thanks M.
Hi Manod,
Not too clear what your requirement is. Is this what you are looking for, or something else?
WLC -> LAP -> WGB -> VLAN 8 -> OEAP600
Regards
Rasika
Hi Rasika,
Is this possible? Will it work?
Not too sure, I doubt it.
But if you have the setup you could test it out & see.
Rasika
Hi Rasika,
Yes that is the setup I am looking for. Except for the OEAP600 I will be using a 2602i AP as an OEAP.
Hello,
I was hoping you could clarify your example. Is LAP2 in your example a Mesh AP (i.e. Bridge Mode)?
Thanks,
Mitch
It is just a local mode AP registered to the WLC.
Hi! Nice blog! Congrats!
I have a question: does WGB with multiple VLANs work in a FlexConnect deployment?
Thanks in advance!
Haven't tested it & none of those configs are listed in the Cisco Docs. So if you have a setup, give it a try.
HTH
Rasika
Hi! Thanks for the nice blog!
I've got a special question:
I have an Autonomous WGB connected to a Cisco WLC on the 5GHz band. Now I need a different SSID on the 2.4GHz band for client access on the WGB (I would put the SSID in a Guest VLAN); is this possible? I also put the wired clients in a separate VLAN – this is already working, but I do not get connectivity for these 2.4GHz clients. (5GHz band is in WGB mode, 2.4GHz band is in Root mode)
Is there a possibility to realize this?
Thanks in advance!!
Christian.
Have you had a look at this? It may help.
https://mrncciew.com/2014/01/04/wireless-wired-clients-behind-wgb/
HTH
Rasika