Cisco Router 860, 880 Series User Manual
Cisco 800 Series Integrated Services Routers Wireless Software Configuration Guide xx-xxxxx-xx

Workgroup Bridge Mode

Understanding Workgroup Bridge Mode

Treating Workgroup Bridges as Infrastructure Devices or as Client Devices

The access point to which a workgroup bridge associates can treat the workgroup bridge as an infrastructure device or as a simple client device. By default, access points and bridges treat workgroup bridges as client devices.

For increased reliability, you can configure access points and bridges to treat workgroup bridges not as client devices but as infrastructure devices, like access points or bridges. Treating a workgroup bridge as an infrastructure device means that the access point reliably delivers multicast packets, including Address Resolution Protocol (ARP) packets, to the workgroup bridge. You use the infrastructure-client command in interface configuration mode to configure access points and bridges to treat workgroup bridges as infrastructure devices.

Configuring access points and bridges to treat a workgroup bridge as a client device allows more workgroup bridges to associate to the same access point, or to associate using an SSID that is not an infrastructure SSID. The performance cost of reliable multicast delivery—duplication of each multicast packet sent to each workgroup bridge—limits the number of infrastructure devices, including workgroup bridges, that can associate to an access point or bridge. To increase beyond 20 the number of workgroup bridges that can associate to the access point, the access point must reduce the delivery reliability of multicast packets to workgroup bridges. With reduced reliability, the access point cannot confirm whether multicast packets reach the intended workgroup bridge, so workgroup bridges at the edge of the access point’s coverage area might lose IP connectivity. When you treat workgroup bridges as client devices, you increase performance but reduce reliability.
You use the no infrastructure-client command to configure access points and bridges to treat workgroup bridges as simple client devices. This is the default setting.

You should use a workgroup bridge as an infrastructure device if the devices connected to the workgroup bridge require network reliability equivalent to that of an access point or a bridge. You should use a workgroup bridge as a client device if these conditions are true:

- More than 20 workgroup bridges associate to the same access point or bridge
- The workgroup bridge associates using an SSID that is not an infrastructure SSID
- The workgroup bridge is mobile

Configuring a Workgroup Bridge for Roaming

If your workgroup bridge is mobile, you can configure it to scan for a better radio connection to a parent access point or bridge. Use this command to configure the workgroup bridge as a mobile station:

```
ap(config)# mobile station
```

When you enable this setting, the workgroup bridge scans for a new parent association when it encounters a poor Received Signal Strength Indicator (RSSI), excessive radio interference, or a high frame-loss percentage. Using these criteria, a workgroup bridge configured as a mobile station searches for a new parent association and roams to a new parent before it loses its current association. When the mobile station setting is disabled (the default setting), the workgroup bridge does not search for a new association until it loses its current association.
Configuring a Workgroup Bridge for Limited Channel Scanning

In mobile environments such as railroads, a workgroup bridge can be restricted to scanning only a limited set of channels, instead of all the channels, in order to reduce the handoff delay when the workgroup bridge roams from one access point to another. By limiting the number of channels the workgroup bridge scans to only those required, the mobile workgroup bridge achieves and maintains a continuous wireless LAN connection with fast and smooth roaming.

Configuring the Limited Channel Set

The limited channel set is configured using the mobile station scan CLI command, which invokes scanning of all or of specified channels. There is no fixed limit on the number of channels that can be configured; the maximum is restricted only by the number of channels a radio can support. When the command is executed, the workgroup bridge scans only this limited channel set. The limited channel feature also affects the known channel list that the workgroup bridge receives from the access point to which it is currently associated: channels are added to the known channel list only if they are also part of the limited channel set.

The following example shows how the command is used. In the example, channels 1, 6, and 11 are specified to scan:

```
ap#
ap#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
ap(config)#int d0
ap(config-if)#ssid limited_scan
ap(config-if)#station-role workgroup-bridge
ap(config-if)#mobile station
ap(config-if)#mobile station scan 1 6 11
ap(config-if)#end
ap#
```

Use the no mobile station scan command to restore scanning to all the channels.
Ignoring the CCX Neighbor List

In addition, the workgroup bridge updates its known channel list using CCX reports such as the AP Adjacent report or Enhanced Neighbor List report. However, when a workgroup bridge is configured for limited channel scanning, it does not need to process the CCX reports to update its known channel list. Use the mobile station ignore neighbor-list command to disable processing of CCX neighbor list reports. This command is effective only if the workgroup bridge is configured for limited channel scanning. The following example shows how this command is used:

```
ap#
ap#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
ap(config)#int d0
ap(config-if)#mobile station ignore neighbor-list
ap(config-if)#end
```
Configuring a Client VLAN

If the devices connected to the workgroup bridge’s Ethernet port should all be assigned to a particular VLAN, you can configure a VLAN for the connected devices. Enter this command on the workgroup bridge:

```
ap(config)# workgroup-bridge client-vlan vlan-id
```

All the devices connected to the workgroup bridge’s Ethernet port are assigned to that VLAN.

Configuring Workgroup Bridge Mode

To configure an access point as a workgroup bridge, follow these steps, beginning in privileged EXEC mode:

| Step | Command | Description |
|---|---|---|
| Step 1 | configure terminal | Enters global configuration mode. |
| Step 2 | interface dot11radio port | Enters interface configuration mode for the radio interface. |
| Step 3 | station-role workgroup-bridge | Sets the radio role to workgroup bridge. If your access point contains two radios, the radio that is not set to workgroup bridge mode is automatically disabled. |
| Step 4 | ssid ssid-string | Creates the SSID that the workgroup bridge uses to associate to a parent access point or bridge. |
| Step 5 | infrastructure-ssid | Designates the SSID as an infrastructure SSID. Note: The workgroup bridge must use an infrastructure SSID to associate to a root access point or bridge. |
| Step 6 | authentication client username username password password | (Optional) If the parent access point is configured to require LEAP authentication, configure the username and password that the workgroup bridge uses when it performs LEAP authentication. This username and password must match the username and password that you set up for the workgroup bridge on the authentication server. |
| Step 7 | exit | Exits SSID configuration mode and returns to radio interface configuration mode. |
| Step 8 | parent {1-4} mac-address [timeout] | (Optional) Enters the MAC address for the access point to which the workgroup bridge should associate. You can enter MAC addresses for up to four parent access points. The workgroup bridge attempts to associate to MAC address 1 first; if that access point does not respond, the workgroup bridge tries the next access point in its parent list. Note: If multiple BSSIDs are configured on the parent access point, the MAC address for the parent might change if a BSSID on the parent is added or deleted. (Optional) You can also enter a timeout value in seconds. The timeout value determines how long the workgroup bridge attempts to associate to a parent access point before trying the next parent in the list. Enter a timeout value from 0 to 65535 seconds. |
| Step 9 | exit | Exits radio configuration mode and returns to global configuration mode. |
| Step 10 | workgroup-bridge client-vlan vlan-id | (Optional) Specifies the VLAN to which the devices that are connected to the workgroup bridge’s Ethernet port are assigned. |
| Step 11 | mobile station | (Optional) Configures the workgroup bridge as a mobile station. When you enable this setting, the workgroup bridge scans for a new parent association when it encounters a poor Received Signal Strength Indicator (RSSI), excessive radio interference, or a high frame-loss percentage. When this setting is disabled (the default setting), the workgroup bridge does not search for a new association until it loses its current association. |
| Step 12 | end | Returns to privileged EXEC mode. |

This example shows how to configure an access point as a workgroup bridge. In this example, the workgroup bridge uses the configured username and password to perform LEAP authentication, and the devices attached to its Ethernet port are assigned to VLAN 22:

```
AP# configure terminal
AP(config)# interface dot11radio 0
AP(config-if)# station-role workgroup-bridge
AP(config-if)# ssid infra
AP(config-ssid)# infrastructure-ssid
AP(config-ssid)# authentication client username wgb1 password cisco123
AP(config-ssid)# exit
AP(config-if)# exit
AP(config)# workgroup-bridge client-vlan 22
AP(config)# end
```
The Workgroup Bridge in a Lightweight Environment

You can configure an access point to operate as a workgroup bridge so that it can provide wireless connectivity to a lightweight access point on behalf of clients that are connected by Ethernet to the workgroup bridge access point. A workgroup bridge connects to a wired network over a single wireless segment by learning the MAC address of its wired clients on the Ethernet interface and reporting them to the lightweight access point using Internet Access Point Protocol (IAPP) messaging. The workgroup bridge provides wireless access connectivity to wired clients by establishing a single connection to the lightweight access point. The lightweight access point treats the workgroup bridge as a wireless client (Figure 2).

[Figure 2: Workgroup Bridge in a Lightweight Environment. Labels: wired clients, hub, WGB, access point, controller, switch, DHCP/ACS/TFTP/FTP.]

Note: If the lightweight access point fails, the workgroup bridge attempts to associate to another access point.
Guidelines for Using Workgroup Bridges in a Lightweight Environment

Follow these guidelines for using workgroup bridges on your lightweight network.

Note: If your access point has two radios, you can configure only one for workgroup bridge mode. This radio is used to connect to the lightweight access point. Cisco recommends that you disable the second radio.

- Perform one of the following to enable the workgroup bridge mode on the workgroup bridge:
  – On the workgroup bridge access point CLI, enter this command: station-role workgroup-bridge
- The workgroup bridge can associate only to lightweight access points.
- Only workgroup bridges in client mode (which is the default value) are supported. Those in infrastructure mode are not supported. Perform the following to enable client mode on the workgroup bridge:
  – On the workgroup bridge access point CLI, enter this command: no infrastructure-client

  Note: VLANs are not supported for use with workgroup bridges.
- These lightweight features are supported for use with a workgroup bridge:
  – Guest N+1 redundancy
  – Local EAP
- These lightweight features are not supported for use with a workgroup bridge:
  – Cisco Centralized Key Management (CCKM)
  – Hybrid REAP
  – Idle timeout
  – Web authentication

  Note: If a workgroup bridge associates to a web-authentication WLAN, the workgroup bridge is added to the exclusion list, and all of the workgroup bridge wired clients are deleted.
- In a mesh network, a workgroup bridge can associate to any mesh access point, regardless of whether it acts as a root access point or a mesh access point.
- Wired clients that are connected to the workgroup bridge are not authenticated for security. Instead, the workgroup bridge is authenticated against the access point to which it associates. Therefore, we recommend that you physically secure the wired side of the workgroup bridge.
- With Layer 3 roaming, if you plug a wired client into the workgroup bridge network after the workgroup bridge has roamed to another controller (for example, to a foreign controller), the wired client’s IP address displays only on the anchor controller, not on the foreign controller.
- When you delete a workgroup bridge record from the controller, all of the workgroup bridge wired clients’ records are also deleted.
- Wired clients that are connected to a workgroup bridge inherit the workgroup bridge’s QoS and AAA override attributes.
- These features are not supported for wired clients connected to a workgroup bridge:
  – MAC filtering
  – Link tests
  – Idle timeout
- You do not need to configure anything on the controller to enable the workgroup bridge to communicate with the lightweight access point. However, to ensure proper communication, you should create a WLAN on the controller that matches the SSID and security method that are configured on the workgroup bridge.

Sample Workgroup Bridge Configuration

Here is a sample configuration of a workgroup bridge access point using static WEP with a 40-bit WEP key:

```
ap#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
ap(config)#dot11 ssid WGB_with_static_WEP
ap(config-ssid)#authentication open
ap(config-ssid)#guest-mode
ap(config-ssid)#exit
ap(config)#interface dot11Radio 0
ap(config-if)#station-role workgroup-bridge
ap(config-if)#encry mode wep 40
ap(config-if)#encry key 1 size 40 0 1234567890
ap(config-if)#ssid WGB_with_static_WEP
ap(config-if)#end
```

To verify that the workgroup bridge is associated to an access point, enter this command on the workgroup bridge:

```
show dot11 association
```

If a wired client does not send traffic for an extended period of time, the workgroup bridge removes the client from its bridge table, even if traffic is continuously being sent to the wired client. As a result, the traffic flow to the wired client fails. To avoid the traffic loss, prevent the wired client from being removed from the bridge table by configuring the aging-out timer on the workgroup bridge to a large value. Use the following Cisco IOS commands on the workgroup bridge:

```
configure terminal
bridge bridge-group-number aging-time seconds
exit
end
```

where bridge-group-number is a value between 1 and 255, and seconds is a value between 10 and 1,000,000. We recommend configuring the seconds parameter to a value greater than the wired client’s idle period.
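The LEAP example and the static WEP sample in this chapter both put secrets and legacy link protection into the device configuration. The following Python audit is an added example, not part of the Cisco guide: it walks a running-config-style text, tracks the interface or SSID block each command belongs to, flags those settings together with the workgroup-bridge role (whose wired clients are not authenticated), and redacts the secrets in its report. The sample text, the rule names, and the audit function are constructed for illustration.

```python
import re

# Constructed sample: the LEAP and static-WEP examples from this page merged
# into one running-config-style text, commands kept as the page prints them.
SAMPLE_CONFIG = """\
dot11 ssid WGB_with_static_WEP
 authentication open
 guest-mode
!
interface dot11Radio 0
 station-role workgroup-bridge
 encry mode wep 40
 encry key 1 size 40 0 1234567890
 ssid infra
  infrastructure-ssid
  authentication client username wgb1 password cisco123
!
workgroup-bridge client-vlan 22
"""

# Hypothetical rule ids and patterns. "encry\w*" accepts the abbreviated
# keyword printed on this page as well as the full "encryption".
RULES = [
    ("wgb-wired-clients-unauthenticated", r"station-role\s+workgroup-bridge\b"),
    ("wep-cipher", r"encry\w*\s+mode\s+wep\b"),
    ("static-wep-key-in-config", r"encry\w*\s+key\s+\d+\s+size\s+\d+"),
    ("leap-password-in-config",
     r"authentication\s+client\s+username\s+\S+\s+password\b"),
    ("open-auth-only", r"authentication\s+open$"),
]
BLOCK = re.compile(r"(interface|dot11\s+ssid|ssid)\s+\S+", re.I)
# Matches the secret that follows "password [0|7]" or "key N size S [0|7]".
SECRET = re.compile(
    r"\b((?:password|key\s+\d+\s+size\s+\S+)(?:\s+[07])?\s+)\S+", re.I)


def audit(config_text):
    """Return (rule_id, context, redacted_line) for every flagged line."""
    findings, context = [], "global"
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if BLOCK.match(line):
            context = line          # entering an interface or SSID block
            continue
        if not raw[0].isspace():
            context = "global"      # an unindented command closes the block
        for rule_id, pattern in RULES:
            if re.match(pattern, line, re.I):
                redacted = SECRET.sub(r"\1<redacted>", line)
                findings.append((rule_id, context, redacted))
    return findings


if __name__ == "__main__":
    for rule_id, context, line in audit(SAMPLE_CONFIG):
        print(f"{rule_id:36} [{context}] {line}")
```

The audit expects indented running-config text rather than a CLI transcript with prompts, because it uses indentation to decide when a block ends.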
Chapter 17

Administering the Wireless Device

This chapter describes the following administration tasks.

Controlling and Securing Access to the Wireless Device

- Disabling the Mode Button Function
- Preventing Unauthorized Access to Your Access Point
- Protecting Access to Privileged EXEC Commands
- Controlling Access Point Access with RADIUS
- Controlling Access Point Access with TACACS+

Administering the Hardware and Software

- Administering the Wireless Hardware and Software
  – Resetting the Wireless Device to Factory Default Configuration
  – Rebooting the Wireless Device
  – Upgrading Software on the Access Point
  – Downgrading Software on the Access Point
  – Recovering Software on the Access Point
  – Monitoring the Wireless Device
- Managing the System Time and Date
- Configuring a System Name and Prompt
- Creating a Banner

Administering Wireless Device Communication

- Configuring Ethernet Speed and Duplex Settings
- Configuring the Access Point for Wireless Network Management
- Configuring the Access Point for Local Authentication and Authorization
- Configuring the Authentication Cache and Profile
- Configuring the Access Point to Provide DHCP Service
- Configuring the Access Point for Secure Shell
- Configuring Client ARP Caching
- Configuring Multiple VLAN and Rate Limiting for Point-to-Multipoint Bridging
Disabling the Mode Button Function

You can disable the mode button on the wireless device by using the [no] boot mode-button command.

Caution: This command disables password recovery. If you lose the privileged EXEC mode password for the access point after entering this command, you will need to contact the Cisco Technical Assistance Center (TAC) to regain access to the access point CLI.

Note: To reboot the wireless device, use the service-module wlan-ap reset command from the router’s Cisco IOS CLI. See the “Rebooting the Wireless Device” section on page 17-17 for information about this command.

The mode button is enabled by default. Follow these steps to disable the access point’s mode button, beginning in privileged EXEC mode:

| Step | Command | Purpose |
|---|---|---|
| Step 1 | configure terminal | Enters global configuration mode. |
| Step 2 | no boot mode-button | Disables the access point’s mode button. |
| Step 3 | end | Note: It is not necessary to save the configuration. |

You can check the status of the mode button by executing the show boot or show boot mode-button commands in privileged EXEC mode. The status does not appear in the running configuration. The following shows a typical response to the show boot and show boot mode-button commands:

```
ap# show boot
BOOT path-list: flash:/c1200-k9w7-mx-v123_7_ja.20050430/c1200-k9w7-mx.v123_7_ja.20050430
Config file: flash:/config.txt
Private Config file: flash:/private-config
Enable Break: no
Manual boot:no
Mode button:on
Enable IOS break: no
HELPER path-list:
NVRAM/Config file buffer size: 32768
ap#show boot mode-button
on
ap#
```

Note: As long as the privileged EXEC password is known, you can use the boot mode-button command to restore the mode button to normal operation.