Workgroup Bridge Mode
This module describes how to configure your wireless device as a workgroup bridge and contains the following sections:
•Understanding Workgroup Bridge Mode
•Configuring Workgroup Bridge Mode
•The Workgroup Bridge in a Lightweight Environment
Understanding Workgroup Bridge Mode
You can configure the device as a workgroup bridge. In workgroup bridge mode, the device associates to another access point as a client and provides a network connection for the equipment connected to its Ethernet port. For example, if you need to provide wireless connectivity for a group of network printers, you can connect the printers to a hub or to a switch, connect the hub or switch to the access point Ethernet port, and configure the access point as a workgroup bridge. The workgroup bridge associates to an access point on your network.
If your access point has two radios, either the 2.4-GHz radio or the 5-GHz radio can function in workgroup bridge mode. When you configure one radio interface as a workgroup bridge, the other radio interface remains up.
Caution: An access point in workgroup bridge mode can introduce a bridge loop if you connect its Ethernet port to your wired LAN. To avoid a bridge loop on your network, disconnect the workgroup bridge from your wired LAN before or soon after you configure it as a workgroup bridge.
Note: If multiple basic service set identifiers (BSSIDs) are configured on a root access point that is designated as the parent of a workgroup bridge, the parent MAC address might change if a BSSID on the parent is added or deleted. If you use multiple BSSIDs on your wireless LAN and a workgroup bridge on your wireless LAN is configured to associate to a specific parent, check the association status of the workgroup bridge when you add or delete BSSIDs on the parent access point. If necessary, reconfigure the workgroup bridge to use the BSSID's new MAC address.
Note: Although it functions as a bridge, an access point in workgroup bridge mode has a limited radio range. Workgroup bridges do not support the distance setting, which enables you to configure wireless bridges to communicate across several kilometers.
Figure 1 shows an access point in workgroup bridge mode.
Figure 1 Access Point in Workgroup Bridge Mode
Treating Workgroup Bridges as Infrastructure Devices or as Client Devices
The access point to which a workgroup bridge associates can treat the workgroup bridge as an infrastructure device or as a simple client device. By default, access points and bridges treat workgroup bridges as client devices.
For increased reliability, you can configure access points and bridges to treat workgroup bridges not as client devices but as infrastructure devices, like access points or bridges. Treating a workgroup bridge as an infrastructure device means that the access point reliably delivers multicast packets, including Address Resolution Protocol (ARP) packets, to the workgroup bridge. You use the infrastructure-client command in interface configuration mode to configure access points and bridges to treat workgroup bridges as infrastructure devices.
Configuring access points and bridges to treat a workgroup bridge as a client device allows more workgroup bridges to associate to the same access point, or to associate to the access point by using a service set identifier (SSID) that is not an infrastructure SSID. The performance cost of reliable multicast delivery—duplication of each multicast packet sent to each workgroup bridge—limits the number of infrastructure devices, including workgroup bridges, that can associate to an access point or bridge. To increase beyond 20 the number of workgroup bridges that can associate to the access point, the access point must reduce the delivery reliability of multicast packets to workgroup bridges. With reduced reliability, the access point cannot confirm whether multicast packets reach the intended workgroup bridge, so workgroup bridges at the edge of the access point's coverage area might lose IP connectivity. When you treat workgroup bridges as client devices, you increase performance but reduce reliability. You use the no infrastructure-client command to configure access points and bridges to treat workgroup bridges as simple client devices. This is the default setting.
You should use a workgroup bridge as an infrastructure device if the devices connected to the workgroup bridge require network reliability equivalent to that of an access point or a bridge.
You should use a workgroup bridge as a client device if these conditions are true:
•More than 20 workgroup bridges associate to the same access point or bridge.
•The workgroup bridge associates by using an SSID that is not an infrastructure SSID.
•The workgroup bridge is mobile.
Configuring a Workgroup Bridge for Roaming
If your workgroup bridge is mobile, you can configure it to scan for a better radio connection to a parent access point or bridge. Use the following command to configure the workgroup bridge as a mobile station:
ap(config)# mobile station
When you enable this setting, the workgroup bridge scans for a new parent association when it encounters a poor Received Signal Strength Indicator (RSSI), excessive radio interference, or a high frame-loss percentage. Using these criteria, a workgroup bridge configured as a mobile station searches for a new parent association and roams to a new parent before it loses its current association. When the mobile station setting is disabled (the default setting) the workgroup bridge does not search for a new association until it loses its current association.
Configuring a Workgroup Bridge for Limited Channel Scanning
In mobile environments such as railroads, instead of scanning all the channels, a workgroup bridge is restricted to scanning only a limited set of channels in order to reduce the handoff delay when the workgroup bridge roams from one access point to another. By limiting the number of channels the workgroup bridge scans to only those required, the mobile workgroup bridge achieves and maintains a continuous wireless LAN connection with fast and smooth roaming.
Configuring the Limited Channel Set
To configure the limited channel set, use the mobile station scan <set of channels> command. This command invokes scanning of all or of specified channels. There is no fixed limit on the number of channels that can be configured; the maximum is restricted only by the number of channels that a radio can support. When the command is executed, the workgroup bridge scans only the limited channel set. This limited channel feature also affects the known channel list that the workgroup bridge receives from the access point to which it is currently associated. Channels are added to the known channel list only if they are also a part of the limited channel set.
The following example shows how the command is used. In the example, channels 1, 6, and 11 are specified to be scanned.
ap#
ap# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
ap(config)# int d0
ap(config-if)# ssid limited_scan
ap(config-if)# station-role workgroup-bridge
ap(config-if)# mobile station
ap(config-if)# mobile station scan 1 6 11
ap(config-if)# end
ap#
Use the no mobile station scan command to restore scanning to all the channels.
Ignoring the CCX Neighbor List
In addition, the workgroup bridge updates its known channel list using CCX reports such as the AP Adjacent report or Enhanced Neighbor List report. However, when a workgroup bridge is configured for limited channel scanning, it does not need to process the CCX reports to update its known channel list. Use the mobile station ignore neighbor-list command to disable processing of CCX neighbor list reports. This command is effective only if the workgroup bridge is configured for limited channel scanning. The following example shows how this command is used:
ap#
ap# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
ap(config)# int d0
ap(config-if)# mobile station ignore neighbor-list
ap(config-if)# end
Configuring a Client VLAN
If all the devices connected to the workgroup bridge Ethernet port should be assigned to a particular VLAN, you can configure a VLAN for the connected devices. Enter this command on the workgroup bridge:
ap(config)# workgroup-bridge client-vlan vlan-id
All the devices connected to the workgroup bridge Ethernet port are assigned to that VLAN.
Configuring Workgroup Bridge Mode
To configure an access point as a workgroup bridge, follow these steps, beginning in privileged EXEC mode:
The following example shows how to configure an access point as a workgroup bridge. In this example, the workgroup bridge uses the configured username and password to perform LEAP authentication, and the devices attached to its Ethernet port are assigned to VLAN 22:
AP# configure terminal
AP(config)# interface dot11radio 0
AP(config-if)# station-role workgroup-bridge
AP(config-if)# ssid infra
AP(config-ssid)# infrastructure-ssid
AP(config-ssid)# authentication client username wgb1 password cisco123
AP(config-ssid)# exit
AP(config-if)# exit
AP(config)# workgroup-bridge client-vlan 22
AP(config)# end
The Workgroup Bridge in a Lightweight Environment
You can configure an access point to operate as a workgroup bridge so that it can provide wireless connectivity to a lightweight access point for clients that are connected by Ethernet to the workgroup bridge access point. A workgroup bridge connects to a wired network over a single wireless segment by learning the MAC address of its wired clients on the Ethernet interface and reporting them to the lightweight access point using Internet Access Point Protocol (IAPP) messaging. The workgroup bridge provides wireless access connectivity to wired clients by establishing a single connection to the lightweight access point. The lightweight access point treats the workgroup bridge as a wireless client (Figure 2).
Figure 2 Workgroup Bridge in a Lightweight Environment
Note: If the lightweight access point fails, the workgroup bridge attempts to associate to another access point.
Guidelines for Using Workgroup Bridges in a Lightweight Environment
Follow these guidelines for using workgroup bridges on your lightweight network.
Note: If your access point has two radios, you can configure only one for workgroup bridge mode. This radio is used to connect to the lightweight access point. We recommend that you disable the second radio.
•Perform one of the following to enable the workgroup bridge mode on the workgroup bridge:
–On the workgroup bridge access point CLI, enter this command: station-role workgroup-bridge
The workgroup bridge can associate only to lightweight access points.
–Only workgroup bridges in client mode (which is the default value) are supported. Those in infrastructure mode are not supported. To enable client mode on the workgroup bridge, on the workgroup bridge access point CLI, enter the no infrastructure-client command.
Note: VLANs are not supported for use with workgroup bridges.
•These lightweight features are supported for use with a workgroup bridge:
–Guest N+1 redundancy
–Local edge access point (EAP)
•These lightweight features are not supported for use with a workgroup bridge:
–Cisco Centralized Key Management (CCKM)
–Hybrid remote edge access point (REAP)
–Idle timeout
–Web authentication
Note: If a workgroup bridge associates to a web-authentication WLAN, the workgroup bridge is added to the exclusion list, and all the workgroup bridge wired clients are deleted.
•In a mesh network, a workgroup bridge can associate to any mesh access point, regardless of whether it acts as a root access point or it acts as a mesh access point.
•Wired clients that are connected to the workgroup bridge are not authenticated for security. Instead, the workgroup bridge is authenticated against the access point to which it associates. Therefore, we recommend that you physically secure the wired side of the workgroup bridge.
•With Layer 3 roaming, if you plug a wired client into the workgroup bridge network after the workgroup bridge has roamed to another controller (for example, to a foreign controller), the wired client's IP address displays only on the anchor controller, not on the foreign controller.
•When you delete a workgroup bridge record from the controller, all of the workgroup bridge wired clients' records are also deleted.
•Wired clients that are connected to a workgroup bridge inherit the workgroup bridge's Quality of Service (QoS) and Authentication, Authorization and Accounting (AAA) override attributes.
•These features are not supported for wired clients that are connected to a workgroup bridge:
–MAC filtering
–Link tests
–Idle timeout
•You do not need to configure anything on the controller to enable the workgroup bridge to communicate with the lightweight access point. However, to ensure proper communication, you should create a WLAN on the controller that matches the SSID and security method that are configured on the workgroup bridge.
Sample Workgroup Bridge Configuration
The following is a sample configuration of a workgroup bridge access point using static Wired Equivalent Privacy (WEP) with a 40-bit WEP key:
ap# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
ap(config)# dot11 ssid WGB_with_static_WEP
ap(config-ssid)# authentication open
ap(config-ssid)# guest-mode
ap(config-ssid)# exit
ap(config)# interface dot11Radio 0
ap(config-if)# station-role workgroup-bridge
ap(config-if)# encry mode wep 40
ap(config-if)# encry key 1 size 40 0 1234567890
ap(config-if)# ssid WGB_with_static_WEP
ap(config-if)# end
To verify that the workgroup bridge is associated to an access point, enter the following command on the workgroup bridge:
show dot11 association
If a wired client does not send traffic for an extended period of time, the workgroup bridge removes the client from its bridge table, even if traffic is continuously being sent to the wired client. As a result, the traffic flow to the wired client fails. To avoid the traffic loss, prevent the wired client from being removed from the bridge table by configuring the aging-out timer on the workgroup bridge to a large value. Enter the following Cisco IOS commands on the workgroup bridge:
configure terminal
bridge bridge-group-number aging-time seconds
exit
end
where bridge-group-number is a value between 1 and 255, and seconds is a value between 10 and 1,000,000. We recommend configuring the seconds parameter to a value greater than the wired client's idle period.
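The following audit is an added example, not part of the Cisco documentation or Cisco software: a small Python check that reads a workgroup bridge configuration and reports the settings that this module's guidelines and samples make worth reviewing (static WEP keys, a LEAP username and password stored in the configuration, a client VLAN on a lightweight deployment, and a missing or too-short bridge aging-time). The function audit_wgb_config, the finding names, and both sample inputs are constructed for illustration from the sample configurations on this page.

```python
import re

# Constructed input: the static-WEP sample from this page, as typed commands.
SAMPLE_WEP = """\
dot11 ssid WGB_with_static_WEP
 authentication open
 guest-mode
interface dot11Radio 0
 station-role workgroup-bridge
 encry mode wep 40
 encry key 1 size 40 0 1234567890
 ssid WGB_with_static_WEP
"""
# Constructed input: the LEAP / client-VLAN sample from this page.
SAMPLE_LEAP = """\
interface dot11radio 0
 station-role workgroup-bridge
 ssid infra
 infrastructure-ssid
 authentication client username wgb1 password cisco123
workgroup-bridge client-vlan 22
"""

# (hypothetical finding id, pattern for one config line, lightweight-only rule?)
RULES = [
    ("static-wep", re.compile(r"^encry\w*\s+.*\b(mode\s+wep|key\s+\d+\s+size)\b", re.I), False),
    ("leap-credential-in-config", re.compile(r"^authentication\s+client\s+username\s+\S+\s+password\s+", re.I), False),
    ("client-vlan-on-lightweight", re.compile(r"^workgroup-bridge\s+client-vlan\s+\d+", re.I), True),
]
AGING = re.compile(r"^bridge\s+(\d+)\s+aging-time\s+(\d+)$", re.I)

def audit_wgb_config(text, lightweight=False, client_idle_seconds=None):
    """Return a sorted list of finding ids for a workgroup bridge config."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not any(re.match(r"^station-role\s+workgroup-bridge$", ln, re.I) for ln in lines):
        return ["not-a-workgroup-bridge"]
    findings = set()
    for ln in lines:
        for name, rx, lw_only in RULES:
            if rx.search(ln) and (lightweight or not lw_only):
                findings.add(name)
    aging = [int(m.group(2)) for m in map(AGING.match, lines) if m]
    if not aging:
        findings.add("bridge-aging-time-not-set")  # wired clients may age out
    elif client_idle_seconds is not None and max(aging) <= client_idle_seconds:
        findings.add("bridge-aging-time-too-short")  # must exceed idle period
    return sorted(findings)
```

Pass lightweight=True when the workgroup bridge associates to a lightweight access point, and client_idle_seconds when the longest idle period of the wired clients is known.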