Configuring Ethernet over GRE
Ethernet over GRE (EoGRE) is a tunneling protocol that carries Layer 2 packets, encapsulated in a GRE header, over IP core networks. Generic Routing Encapsulation (GRE) is a tunneling protocol that encapsulates a wide variety of network layer protocols inside virtual point-to-point links over a Layer 3 IPv4 or Layer 3 IPv6 access network.
Prerequisites
The following are the prerequisites for configuring EoGRE:
- Sub-interfaces for VLANs must be created to tunnel Ethernet frames with the VLAN tag. The following commands create sub-interfaces for VLANs:
interface Dot11Radio interface number.sub-interface number
interface GigabitEthernet0.sub-interface number
Note The bridge ID must be the same on all interfaces that share a VLAN ID.
Configuring EoGRE
A tunnel profile defines the parameters used to create a tunnel. Configure the following parameters under the dot11 tunnel:
- Tunnel address mode
- Source address
- Destination address
- Maximum segment size (MSS)
- Maximum transmission unit (MTU)
- Type of service (ToS) or Differentiated Services Code Point (DSCP)
Beginning in privileged EXEC mode, follow these steps to configure a tunnel profile under the dot11 tunnel.
Examples
Mapping SSID to Tunnel
Mapping the tunnel to the WLAN is done by using the command tunnel tunnel_profile under the SSID configuration.
Beginning in privileged EXEC mode, follow these steps to map the SSID to the tunnel.
Examples
Configuring DHCP Snooping for EoGRE clients
DHCP snooping is a security feature that acts like a firewall between untrusted hosts and trusted DHCP servers. When DHCP snooping is enabled on the AP, the AP inserts the relay agent information option (DHCP option 82), which contains two sub-options: Circuit ID and Remote ID.
Note DHCP Snooping is disabled by default.
Beginning in privileged EXEC mode, follow these steps to enable DHCP snooping for EoGRE clients under dot11 SSID.
- dhcp-snoop circuit_id format {ap-mac | client-mac | eth-mac | name | ssid | type | vlan | raw word_string }
  Specify the format of the string sequence to be used as the Circuit ID. For the format to specify, see Circuit ID and Remote ID Format and Strings.
- Specify the string sequence to be used as the Circuit ID, in the format you have set. Each string is separated from the others by a delimiter, the default being ‘;’.
- dhcp-snoop remote_id format {ap-mac | client-mac | eth-mac | name | ssid | type | vlan | raw word_string }
  Specify the format of the string sequence to be used as the Remote ID. For the values to specify, see Circuit ID and Remote ID Format and Strings.
- Specify the string sequence to be used as the Remote ID, in the format you have set. Each string is separated from the others by a delimiter, the default being ‘;’.
Examples
Additional Commands
The default DHCP Snooping encoding is in binary. You can set it to ASCII using the following command:
ap(config-ssid)# dhcp-snoop encoding ascii
The default DHCP Snooping string sequence delimiter is the single character ';'. To change this, use the following command:
ap(config-ssid)# dhcp-snoop delimiter single_character_or_string
The single_character_or_string can be up to 127 characters long.
Circuit ID and Remote ID Format and Strings
For both the Circuit ID and the Remote ID, you must specify the format of the string sequence before you assign the string itself.
The format and strings can be a combination of up to five out of eight values shown in the following table. When specifying the string sequence, the strings are separated by the delimiter character, the default being ‘;’.
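The sketch below is an added example, not Cisco code: it shows how a DHCP server or log pipeline could decode option 82 (RFC 3046 sub-options 1 and 2) and split an ASCII-encoded Circuit ID or Remote ID back into the fields named by the configured format. It assumes `dhcp-snoop encoding ascii` is set and that the AP joins the strings in format order with the delimiter; the sample MAC, SSID, VLAN and AP name are constructed values.

```python
# Added example: decode DHCP option 82 on the receiving side, then split the
# ASCII-encoded IDs using the format configured on the AP (assumed layout).
ALLOWED = {"ap-mac", "client-mac", "eth-mac", "name", "ssid", "type", "vlan", "raw"}
SUBOPTS = {1: "circuit_id", 2: "remote_id"}  # RFC 3046 sub-option codes


def parse_option82(payload: bytes) -> dict:
    """Walk the code/length/value sub-options inside an option 82 payload."""
    out, i = {}, 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated sub-option header")
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError("sub-option length runs past end of option")
        if code in SUBOPTS:
            out[SUBOPTS[code]] = value
        i += 2 + length
    return out


def split_id(value: bytes, fmt: list, delimiter: str = ";") -> dict:
    """Map an ASCII-encoded ID onto the configured format tokens."""
    if not 1 <= len(fmt) <= 5 or not set(fmt) <= ALLOWED:
        raise ValueError("format must be one to five of the eight known tokens")
    # Binary-encoded IDs (the AP default) fail here with UnicodeDecodeError,
    # a ValueError subclass; their layout is not described on this page.
    parts = value.decode("ascii").split(delimiter)
    if len(parts) != len(fmt):
        # e.g. an SSID or AP name that itself contains the delimiter
        raise ValueError(f"expected {len(fmt)} fields, got {len(parts)}")
    return dict(zip(fmt, parts))


def build_option82(circuit: str, remote: str) -> bytes:
    """Build a constructed sample payload (not captured traffic)."""
    c, r = circuit.encode("ascii"), remote.encode("ascii")
    return bytes([1, len(c)]) + c + bytes([2, len(r)]) + r


if __name__ == "__main__":
    sample = build_option82("0011.2233.4455;guest;20", "ap-lobby")
    ids = parse_option82(sample)
    print(split_id(ids["circuit_id"], ["ap-mac", "ssid", "vlan"]))
    print(split_id(ids["remote_id"], ["name"]))
```

A field-count mismatch is rejected rather than guessed at: if an SSID or AP name can contain the delimiter, choose a different `dhcp-snoop delimiter` so that downstream attribution by Circuit ID stays unambiguous.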
Configuring Redundancy for Tunnel Gateway Address
Configuring redundancy for the tunnel lets the AP switch over from the primary to the secondary gateway address when the working gateway address fails or becomes unreachable.
The following parameters are to be configured under dot11 tunnel to configure redundancy:
Beginning in privileged EXEC mode, follow these steps to configure redundancy address for the tunnel:
Note During the switchover from primary to secondary, or vice versa, all associated clients are deauthenticated and reassociate after the switchover.
When both the primary and the secondary are down, the SSIDs attached to the tunnel are also down. Once the AP can reach either the primary or the secondary address, the SSID comes up and starts serving clients.