Configure Access Point 9105AXW as Work Group Bridge (WGB) with Wireless Lan Controller (WLC) 9800 Series

Introduction

This document describes how to configure an Access Point 9105AXW as WGB to connect with Wireless network managed by WLC 9800 Series.

Prerequisites

Requirements

Cisco recommends that you have basic knowledge in Cisco IOS®-XE WLC 9800 series and Wave 2 Access Points (APs).

Components Used

In this example these components were used:

• WLC 9800-CL with version 17.6.3;
• Control And Provisioning of Wireless Access Points (CAPWAP) APs model 2802I;
• AP 9105AXW as WGB with version 17.8.1;
• Switch 802.1q capable;
• Wired clients laptops with Windows 10.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

Configure

A WGB is an AP mode to provide wireless connectivity to wired clients that are connected to the Ethernet port(s) of the WGB AP.

A WGB connects a wired network over a single wireless segment. It learns the MAC addresses of its wired clients on the Ethernet interface and reports them to the WLC through infrastructure AP via Internet Access Point Protocol (IAPP) messages.

The WGB establishes a single wireless connection to the root AP, which in turn, treats the WGB as a wireless client.

Please check the Cisco Catalyst 9800 Series Wireless Controller Software Configuration Guide, Cisco IOS XE Cupertino 17.8.x for detailed information about the feature matrix and AP support for WGB mode:

Chapter: Workgroup Bridges. 

Network Diagram

In this document all configurations and verifications are done with the topology presented here:

This example explains how to configure an AP 9105AXW as WGB with the support of multiple VLANs, associated to a CAPWAP AP.

The Access Point can be in Local mode, FlexConnect or Bridge Mode (Mesh).

This document shows the configuration of Local Mode and FlexConnect mode of the root AP.

This scenario requires that the WGB is connected to a switch that support 802.1q, otherwise WGB cannot support multiple VLANs. In this example the WGB is connected to a Cisco Switch C1000 series.

If the switch does not support 802.1q, all the clients are assigned to the native VLAN.

In this example, the WGB connects to the WLAN with WPA2-PSK security and is assigned to VLAN 100. The clients connected to the switch behind the WGB are assigned to VLAN 101 and 102 as shown in the topology.

The WGB AP 9105AXW has additional 3 LAN ports, so we can also use those to connect wired clients. In this example there is a client connected to port LAN1.

Configurations

WLC Configuration

In the WLC the configuration follows a regular WLAN configuration with the requirement of CCX Aironet IE Support enabled.

GUI:

Step 1. Create the WLAN and make sure Aironet IE is enabled:

Step 2. Create the policy profile and enable Broadcast Tagging and WGB VLAN:

Step 3. Create the Policy Tag and map the WLAN to the Policy Profile:

Step 4. Apply the Policy Tag to the Root APs.

CLI:

WLC9800# configure terminal 
WLC9800(config)# wlan WGBTest
WLC9800(config-wlan)# security wpa akm psk
WLC9800(config-wlan)# security wpa psk set-key ascii 0 cisco123
WLC9800(config-wlan)# ccx aironet-iesupport
WLC9800(config-wlan)# exit
WLC9800(config)# wireless profile policy Policy4VLAN100
WLC9800(config-wireless-policy)# description "test-wgb"
WLC9800(config-wireless-policy)# vlan 100
WLC9800(config-wireless-policy)# wgb vlan <-- Configures WGB VLAN client support.
WLC9800(config-wireless-policy)# wgb broadcast-tagging <-- Configures WGB broadcast tagging on a WLAN.
WLC9800(config-wireless-policy)# no shutdown
WLC9800(config-wireless-policy)# exit
WLC9800(config)# wireless tag policy WGBtestTag 
WLC9800(config-policy-tag)# wlan WGBTest policy Policy4VLAN100
WLC9800(config-policy-tag)# end

WLC9800# configure terminal 
WLC9800(config)# ap 7070.8b53.76fc
WLC9800(config-ap-tag)# policy-tag WGBtestTag
WLC9800(config)# ap 70db.9897.f946
WLC9800(config-ap-tag)# policy-tag WGBtestTag

WGB Configuration

Step 1. Connect to the AP and move the AP in to the Workgroup Bridge mode:

WGB# ap-type workgroup-bridge

Step 2. You can then configure the WGB hostname, management credentials and ip address mode dhcp or static. In this example its used DHCP:

WGB# configure ap address ipv4 dhcp
WGB# configure ap management add username Cisco password Cisco secret Cisco
WGB# configure ap hostname WGB

Step 3. Configure an SSID Profile with the SSID name and security settings. In this example, the WLAN uses WPA2-PSK:

WGB# configure ssid-profile WGB_profile ssid WGBTest authentication psk cisco!123 key-management wpa2

There are several combinations possible. The command sintax is as follows:

configure ssid-profilessid-profile-namessidSSID-Nameauthentication{open| pskpreshared-keykey-management{dot11r| wpa2| dot11w|{optional| required}}| eap profileeap-profile-namekey-management{dot11r| wpa2| dot11w|{optional| required}}

Step 4. Attach the SSID profile to a radio interface. Here it uses radio 0 (2.4Ghz):

WGB# configure dot11radio r0 mode wgb ssid-profile WGB_profile

To delete a profile from the radio use the command:

WGB# configure ssid-profile WGB_profile delete

Step 5. The Cisco Wave 2 and 11AXAPs as Workgroup Bridge recognizes the Ethernet clients only when the traffic has the bridging tag. Use the command to enable the bridging tag:

WGB# configure wgb broadcast tagging enable 

Switch Configuration

This is the configuration of the switch connected to the WGB.

Step 1. Create the VLANs:

switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
switch(config)#vlan 101,102,103
switch(config-vlan)#end

Step 2. Configure the interfaces that to result in the configuration:

!
interface GigabitEthernet1/0/1
description WGB trunk link
switchport trunk allowed vlan 1,100-102
switchport trunk native vlan 100
switchport mode trunk
!
interface GigabitEthernet1/0/2
description Wired Client 1
switchport access vlan 101
switchport mode access
!
interface GigabitEthernet1/0/3
description Wired Client 2
switchport access vlan 102
switchport mode access
!

Verify

WGB Configuration

Check the WGB configuration:

WGB#show run 
AP Name : WGB
AP Mode : WorkGroupBridge
CDP State : Enabled
Watchdog monitoring : Enabled
SSH State : Disabled
AP Username : Cisco
Session Timeout : 300


Radio and WLAN-Profile mapping:-
====================================
Radio ID Radio Mode SSID-Profile SSID Authentication 
----------------------------------------------------------------------------------------------------------
0 WGB WGB_profile WGBTest PSK


Radio configurations:-
===============================
Radio Id : 0
Admin state : ENABLED
Mode : WGB
Dot11 type : 11ax
Radio Id : NA
Admin state : NA
Mode : NA


WGB specific configuration:-
====================================
WGB Radio Id : 0
Mode State : Enable
SSID Profile : WGB_profile
UWGB Radio Id : NA
Mode Enable : NA
SSID Profile : NA
MAC Address : NA
Rx Beacon Missing Count : 30
Packet retries Value : 64
Packet retries Action : Drop
RSSI Threshold Value : -70 dBm
Threshold timeout : 20 sec
HSR-Scan status : Disable
Auth response timeout : 5000 Msec
Assoc response timeout : 5000 Msec
WGB channel scan timeout : 40 Msec
Dhcp response timeout : 60 Sec
EAP timeout : 3000 Msec
Bridge table aging-time : 1000000 Sec
Probe pak data rate type : NA
Probe pak data rate : 0
Antenna Band Mode : Dual
Broadcast tagging : Enable


Total configurations size on different structure:-
=====================================================
Total channels : 0
Total SSID-Profiles : 1
Total Root-AP SSID-Profile : 0
Total EAP Profiles : 0
Total QOS Profiles : 0
Total dot1x credentials : 0
Total PKI truspoints : 0
Total bridge groups : 0


Total SSID profiles configured are:
===========================================
SSID-Profile : WGB_profile
SSID Name : WGBTest
SSID Profile path : /data/platform/wbridge/WGB_profile
Auth type : PSK
Key management : WPA2
DTIM Period : 1
QOS profile :

[...]

*** End of WBridge configurations ***

WGB#show wgb ssid

Configured SSIDs details: 
SSID-Profile SSID Authentication DTIM 
=======================================================================================
WGB_profile WGBTest PSK 1


Connected SSIDs details:
Radio ID : 0
Radio Mode : RootAP
BSSID : 70:7D:B9:E3:2A:E0
SSID : WGBTest
Authentication : PSK

Verify the Status of a WGB on the WLC

WLC9800# show wireless client summary

WLC9800# show wireless wgb summary

WLC9800# show wireless wgb mac-address xx:xx:xx:xx:xx:xx detail

Troubleshoot

Verify that the WGB is connected to the Root AP:

WGB#show wgb dot11 associations 
Uplink Radio ID : 0
Uplink Radio MAC : F0:1D:2D:52:CB:60
SSID Name : WGBTest
Parent AP Name : AP500F.80F6.016
Parent AP MAC : 70:7D:B9:E3:2A:E0
Uplink State : CONNECTED
Auth Type : PSK
Key management Type : WPA2
Dot11 type : 11n
Channel : 1
Bandwidth : 20 MHz
Current Datarate : 144 Mbps
Max Datarate : 286 Mbps
RSSI : 18
IP : 192.168.100.21/24
Default Gateway : 192.168.100.1
DNS Server1 : 192.168.1.254
IPV6 : ::/128
Assoc timeout : 5000 Msec
Auth timeout : 5000 Msec
Dhcp timeout : 60 Sec

Check WGB statistics with regards to Management, Control, Data packets and Roam Statistics:

WGB#show wgb statistic ?
packet Management, Control, Data packets
roaming roaming
WGB#show wgb statistic packet

Multicast/Unicast Packet statistics 
Multicast Tx : 3345
Unicast Tx : 460
Multicast Rx : 2417
Unicast Rx : 3838
Multicast Bridge : 0
Unicast Flood : 3377

Interface Packet Statistics 
Wbridge0 Tx : 2515
Wired0 Tx : 14196
Wbridge1 Tx : 0
Wired1 Tx : 488
AppHostIntf1 Tx : 435
Wbridge0 Rx : 5495
Wired0 Rx : 2519
Wbridge1 Rx : 0
Wired1 Rx : 127
AppHostIntf1 Rx : 315

Management Packet Statistics 
Mgmt tx : 16
Mgmt scan tx : 0
Mgmt assoc req tx : 8
Mgmt reassoc req tx : 0
Mgmt deauth tx : 0
Mgmt disassoc tx : 0
Mgmt action tx : 0
Mgmt auth tx : 8

Mgmt rx : 52
Mgmt scan rx : 0
Mgmt beacon rx : 0
Mgmt assoc resp rx : 7
Mgmt reassoc resp rx : 0
Mgmt deauth rx : 3
Mgmt disassoc rx : 0
Mgmt action rx : 34
Mgmt auth rx : 8

Mgmt discard tx : 0
Mgmt discard rx : 0
Mgmt drop rx : 0

Eapol rx : 14
Eapol tx : 14
Eapol drop rx : 0

Rx Broadcast from multiple vlans
port VLAN_ID rx_bc2mc_cnt
0 101 43
0 102 17

To debug the WGB you have several possibilities:

WGB#debug wgb ?
client Debug WGB and wired clients
configuration Enable configuration debugs
dot11 IEEE 802.11 debug command
dot11v 802.11v Processing
iapp Debug WGB IAPP
uplink Enable uplink debugs

To debug the WGB from the WLC side, use the client troubleshoot process like for any wireless client, with collection of RA trace for the WGB mac address.

For more details on how to troubleshoot wireless client connections please check these documents:

Catalyst 9800 Wireless Controllers Common Wireless Client Connectivity Issues

Understand Wireless Debugs and Log Collection on Catalyst 9800 Wireless LAN Controllers

Check clients connected to the WGB from the WGB side. Example:

WGB#show wgb bridge 
***Client ip table entries*** 
mac vap port vlan_id seen_ip confirm_ago fast_brg
F8:E4:3B:EE:53:AF 0 wired1 0 192.168.100.23 6.844000 true
3C:18:A0:1C:B0:E2 0 wired0 101 192.168.101.22 22.182000 true
F8:E4:3B:EE:4F:7A 0 wired0 102 192.168.102.21 65.144000 true
WGB#

The client connected to the LAN port 1 (wired1) shows up with vlan_id = 0 which means that the traffic from this client goes in the WGB native VLAN. In this example its VLAN 100.

The clients connected on port wired0 are the clients connected to the switch that is in turn connected to the back port of the WGB (PoE in port in the 9105AXW). Here the traffic is received with VLAN tag which the WGB then forwards via the wireless link to the RootAP.

From the WLC GUI you can view the clients and diferentiate WGBs and Wired Clients behind WGBs: