Cisco Router 860, 880 Series User Manual

							      Workgroup Bridge Mode
Understanding Workgroup Bridge Mode
3
Cisco 800 Series Integrated Services Routers Wireless Software Configuration Guide
xx-xxxxx-xx
Treating Workgroup Bridges as Infrastructure Devices or as Client Devices
The access point to which a workgroup bridge associates can treat the workgroup bridge as an 
infrastructure device or as a simple client device. By default, access points and bridges treat workgroup 
bridges as client devices.
For increased reliability, you can configure access points and bridges to treat workgroup bridges not as 
client devices but as infrastructure devices, like access points or bridges. Treating a workgroup bridge 
as an infrastructure device means that the access point reliably delivers multicast packets, including 
Address Resolution Protocol (ARP) packets, to the workgroup bridge. You use the infrastructure-client 
command in interface configuration mode to configure access points and bridges to treat workgroup 
bridges as infrastructure devices. 
Configuring access points and bridges to treat a workgroup bridge as a client device allows more 
workgroup bridges to associate to the same access point, or to associate using an SSID that is not an 
infrastructure SSID. The performance cost of reliable multicast delivery—duplication of each multicast 
packet sent to each workgroup bridge—limits the number of infrastructure devices, including workgroup 
bridges, that can associate to an access point or bridge. To increase beyond 20 the number of workgroup 
bridges that can associate to the access point, the access point must reduce the delivery reliability of 
multicast packets to workgroup bridges. With reduced reliability, the access point cannot confirm 
whether multicast packets reach the intended workgroup bridge, so workgroup bridges at the edge of the 
access point’s coverage area might lose IP connectivity. When you treat workgroup bridges as client 
devices, you increase performance but reduce reliability. You use the no infrastructure client command 
to configure access points and bridges to treat workgroup bridges as simple client devices. This is the 
default setting.
You should use a workgroup bridge as an infrastructure device if the devices connected to the workgroup 
bridge require network reliability equivalent to that of an access point or a bridge. You should use a 
workgroup bridge as a client device if these conditions are true:
 More than 20 workgroup bridges associate to the same access point or bridge
 The workgroup bridge associates using an SSID that is not an infrastructure SSID
 The workgroup bridge is mobile
Configuring a Workgroup Bridge for Roaming
If your workgroup bridge is mobile, you can configure it to scan for a better radio connection to a parent 
access point or bridge. Use this command to configure the workgroup bridge as a mobile station:
ap(config)# mobile station
When you enable this setting, the workgroup bridge scans for a new parent association when it 
encounters a poor Received Signal Strength Indicator (RSSI), excessive radio interference, or a high 
frame-loss percentage. Using these criteria, a workgroup bridge configured as a mobile station searches 
for a new parent association and roams to a new parent before it loses its current association. When the 
mobile station setting is disabled (the default setting) the workgroup bridge does not search for a new 
association until it loses its current association.  
						

							      Workgroup Bridge Mode
Understanding Workgroup Bridge Mode
4
Cisco 800 Series Integrated Services Routers Wireless Software Configuration Guide
xx-xxxxx-xx
Configuring a Workgroup Bridge for Limited Channel Scanning
In mobile environments such as railroads, a workgroup bridge, instead of scanning all the channels, will 
be restricted to scan only a set of limited channels in order to reduce the handoff delay when the 
workgroup bridge roams from one access point to another. By limiting the number of channels the 
workgroup bridge scans to only those required, the mobile workgroup bridge achieves and maintains a 
continuous wireless LAN connection with fast and smooth roaming. 
Configuring the Limited Channel Set
This limited channel set is configured using the mobile station scan  CLI command 
to invoke scanning to all or specified channels. There is no limitation on the maximum number of 
channels that can be configured. The maximum number of channels that can be configured is restricted 
only by the number of channels a radio can support. When executed, the workgroup bridge only scans 
this limited channel set. This limited channel feature also affects the known channel list that the 
workgroup bridge receives from the access point to which it is currently associated. Channels are added 
to the known channel list only if they are also a part of the limited channel set. 
The following example shows how the command is used. In the example, channels 1, 6, and 11 are 
specified to scan:
ap#
ap#confure terminal
Enter configuration commands, one per line. End with CNTL/Z.ap(config)#int d0
ap(config-if)#ssid limited_scan
ap(config-if)#station-role workgroup-bridge ap(config-if)#mobile station 
ap(config-if)#mobile station scan 1 6 11
ap(config-if)#endap#
Use the no mobile station scan command to restore scanning to all the channels. 
Ignoring the CCX Neighbor List
In addition, the workgroup bridge updates its known channel list using CCX reports such as the AP 
Adjacent report or Enhanced Neighbor List report. However, when a workgroup bridge is configured for 
limited channel scanning, it does not need to process the CCX reports to update its known channel list. 
Use the mobile station ignore neighbor-list command to disable processing of CCX neighbor list 
reports. This command is effective only if the workgroup bridge is configured for limited scanning 
channel scanning. The following example shows how this command is used 
ap#
ap#confure terminalEnter configuration commands, one per line. End with CNTL/Z.
ap(config)#int d0
ap(config-if)#mobile station ignore neighbor-list ap(config-if)#end 
						

							      Workgroup Bridge Mode
Configuring Workgroup Bridge Mode
5
Cisco 800 Series Integrated Services Routers Wireless Software Configuration Guide
xx-xxxxx-xx
Configuring a Client VLAN
If the devices connected to the workgroup bridge’s Ethernet port should all be assigned to a particular 
VLAN, you can configure a VLAN for the connected devices. Enter this command on the workgroup 
bridge:
ap(config)# workgroup-bridge client-vlan vlan-id
All the devices connected to the workgroup bridge’s Ethernet port are assigned to that VLAN.
Configuring Workgroup Bridge Mode
To configure an access point as a workgroup bridge follow these steps, beginning in privileged EXEC 
mode:
CommandDescription
Step 1configure terminalEnters global configuration mode.
Step 2interface dot11radio port Enters interface configuration mode for the radio 
interface.
Step 3station-role workgroup-bridgeSets the radio role to workgroup bridge. If your 
access point contains two radios, the radio that is not 
set to workgroup bridge mode is automatically 
disabled.
Step 4ssid ssid-stringCreates the SSID that the workgroup bridge uses to 
associate to a parent access point or bridge. 
Step 5infrastructure-ssidDesignates the SSID as an infrastructure SSID. 
NoteThe workgroup bridge must use an 
infrastructure SSID to associate to a root 
access point or bridge.
Step 6authentication client  
username username  
password password
(Optional) If the parent access point is configured to 
require LEAP authentication, configure the 
username and password that the workgroup bridge 
uses when it performs LEAP authentication. This 
username and password must match the username 
and password that you set up for the workgroup 
bridge on the authentication server.
Step 7exitExits SSID configuration mode and return to radio 
interface configuration mode. 
						

							      Workgroup Bridge Mode
Configuring Workgroup Bridge Mode
6
Cisco 800 Series Integrated Services Routers Wireless Software Configuration Guide
xx-xxxxx-xx
This example shows how to configure an access point as a workgroup bridge. In this example, the 
workgroup bridge uses the configured username and password to perform LEAP authentication, and the 
devices attached to its Ethernet port are assigned to VLAN 22:
AP# configure terminal
AP(config)# interface dot11radio 0
AP(config-if)# station-role workgroup-bridgeAP(config-if)# ssid infra
AP(config-ssid)# infrastructure-ssid
AP(config-ssid)# authentication client username wgb1 password cisco123AP(config-ssid)# exit
AP(config-if)# exit
AP(config)# workgroup-bridge client-vlan 22AP(config)# end
Step 8parent {1-4} mac-address [timeout](Optional) Enters the MAC address for the access 
point to which the workgroup bridge should 
associate. 
 You can enter MAC addresses for up to four 
parent access points. The workgroup bridge 
attempts to associate to MAC address 1 first; if 
that access point does not respond, the 
workgroup bridge tries the next access point in 
its parent list. 
NoteIf multiple BSSIDs are configured on the 
parent access point, the MAC address for the 
parent might change if a BSSID on the 
parent is added or deleted.
 (Optional) You can also enter a timeout value in 
seconds. The timeout value determines how 
long the workgroup bridge attempts to associate 
to a parent access point before trying the next 
parent in the list. Enter a timeout value from 0 
to 65535 seconds.
Step 9exitExits radio configuration mode and return to global 
configuration mode.
Step 10workgroup-bridge client-vlan vlan-id(Optional) Specifies the VLAN to which the devices 
that are connected to the workgroup bridge’s 
Ethernet port are assigned.
Step 11mobile station(Optional) Configures the workgroup bridge as a 
mobile station. When you enable this setting, the 
workgroup bridge scans for a new parent association 
when it encounters a poor Received Signal Strength 
Indicator (RSSI), excessive radio interference, or a 
high frame-loss percentage. When this setting is 
disabled (the default setting) the workgroup bridge 
does not search for a new association until it loses its 
current association. 
Step 12endReturns to privileged EXEC mode.
Command Description 
						

							      Workgroup Bridge Mode
The Workgroup Bridge in a Lightweight Environment
7
Cisco 800 Series Integrated Services Routers Wireless Software Configuration Guide
xx-xxxxx-xx
The Workgroup Bridge in a Lightweight Environment
You can configure an access point to operate as a workgroup bridge so that it can provide wireless 
connectivity to a lightweight access point on behalf of clients that are connected by Ethernet to the 
workgroup bridge access point. A workgroup bridge connects to a wired network over a single wireless 
segment by learning the MAC address of its wired clients on the Ethernet interface and reporting them 
to the lightweight access point using Internet Access Point Protocol (IAPP) messaging. The workgroup 
bridge provides wireless access connectivity to wired clients by establishing a single connection to the 
lightweight access point. The lightweight access point treats the workgroup bridge as a wireless client 
(
Figure 2).
Figure 2 Workgroup Bridge in a Lightweight Environment
NoteIf the lightweight access point fails, the workgroup bridge attempts to associate to another access point.
Wired
clients
Controller Access point
WGB Hub
DHCP/ACS
/TFTB/FTPSwitch
230519 
						

							      Workgroup Bridge Mode
The Workgroup Bridge in a Lightweight Environment
8
Cisco 800 Series Integrated Services Routers Wireless Software Configuration Guide
xx-xxxxx-xx
Guidelines for Using Workgroup Bridges in a Lightweight Environment
Follow these guidelines for using workgroup bridges on your lightweight network.
NoteIf your access point has two radios, you can configure only one for workgroup bridge mode. This radio 
is used to connect to the lightweight access point. Cisco recommends that you disable the second radio.
Perform one of the following to enable the workgroup bridge mode on the workgroup bridge:
 On the workgroup bridge access point CLI, enter this command: station-role workgroup-bridge
The workgroup bridge can associate only to lightweight access points. 
 Only workgroup bridge in client mode (which is the default value) are supported. Those in 
infrastructure mode are not supported. Perform the following to enable client mode on the 
workgroup bridge:
 –On the workgroup bridge access point CLI, enter this command: no infrastructure client.
NoteVLANs are not supported for use with workgroup bridges.
 These lightweight features are supported for use with a workgroup bridge:
 –Guest N+1 redundancy
 –Local EAP
 These lightweight features are not supported for use with a workgroup bridge:
 –Cisco Centralized Key Management (CCKM)
 –Hybrid REAP
 –Idle timeout
 –Web authentication
NoteIf a workgroup bridge associates to a web-authentication WLAN, the workgroup bridge is added to the 
exclusion list, and all of the workgroup bridge wired clients are deleted.
 In a mesh network, a workgroup bridge can associate to any mesh access point, regardless of 
whether it acts as a root access point or a mesh access point.
 Wired clients that are connected to the workgroup bridge are not authenticated for security. Instead, 
the workgroup bridge is authenticated against the access point to which it associates. Therefore, we 
recommend that you physically secure the wired side of the workgroup bridge.
 With Layer 3 roaming, if you plug a wired client into the workgroup bridge network after the 
workgroup bridge has roamed to another controller (for example, to a foreign controller), the wired 
client’s IP address displays only on the anchor controller, not on the foreign controller.
 When you delete a workgroup bridge record from the controller, all of the workgroup bridge wired 
clients’ records are also deleted.
 Wired clients that are connected to a workgroup bridge inherit the workgroup bridge’s QoS and 
AAA override attributes.
 These features are not supported for wired clients connected to a workgroup bridge: 
						

							      Workgroup Bridge Mode
The Workgroup Bridge in a Lightweight Environment
9
Cisco 800 Series Integrated Services Routers Wireless Software Configuration Guide
xx-xxxxx-xx
 –MAC filtering
 –Link tests
 –Idle timeout
 You do not need to configure anything on the controller to enable the workgroup bridge to 
communicate with the lightweight access point. However, to ensure proper communication, you 
should create a WLAN on the controller that matches the SSID and security method that are 
configured on the workgroup bridge.
Sample Workgroup Bridge Configuration
Here is a sample configuration of a workgroup bridge access point using static WEP with a 40-bit WEP 
key:
ap#confure terminal
Enter configuration commands, one per line. End with CNTL/Z.
ap(config)#dot11 ssid WGB_with_static_WEPap(config-ssid)#authentication open
ap(config-ssid)#guest-mode
ap(config-ssid)#exitap(config)#interface dot11Radio 0
ap(config)#station-role workgroup-bridge
ap(config-if)#encry mode wep 40
ap(config-if)#encry key 1 size 40 0 1234567890ap(config-if)#WGB_with_static_WEP
ap(config-if)#end
To verify that the workgroup bridge is associated to an access point, enter this command on the 
workgroup bridge:
show dot11 association
If a wired client does not send traffic for an extended period of time, the workgroup bridge removes the 
client from its bridge table, even if traffic is continuously being sent to the wired client. As a result, the 
traffic flow to the wired client fails. To avoid the traffic loss, prevent the wired client from being removed 
from the bridge table by configuring the aging-out timer on the workgroup bridge to a large value. Use 
the following Cisco
 IOS commands on the workgroup bridge:
configure terminal
bridge bridge-group-number aging-time seconds
exitend
where bridge-group-number is a value between 1 and 255, and seconds is a value between 10 and 
1,000,000. We recommend configuring the seconds parameter to a value greater than the wired client’s 
idle period. 
						

							      Workgroup Bridge Mode
The Workgroup Bridge in a Lightweight Environment
10
Cisco 800 Series Integrated Services Routers Wireless Software Configuration Guide
xx-xxxxx-xx 
						

							CH A P T E R
17-1
Book Title
OL-xxxxx-xx
17
Administering the Wireless Device
This chapter describes the following administration tasks.
Controlling and Securing Access to the Wireless Device
 Disabling the Mode Button Function, page 17-2
 Preventing Unauthorized Access to Your Access Point, page 17-3
 Protecting Access to Privileged EXEC Commands, page 17-3
 Controlling Access Point Access with RADIUS, page 17-9
 Controlling Access Point Access with TACACS+, page 17-14
Administering the Hardware and Software
 Administering the Wireless Hardware and Software, page 17-17
 –Resetting the Wireless Device to Factory Default Configuration, page 17-17
 –Rebooting the Wireless Device, page 17-17
 –Upgrading Software on the Access Point, page 17-18
 –Downgrading Software on the Access Point, page 17-20
 –Recovering Software on the Access Point, page 17-20
 –Monitoring the Wireless Device, page 17-20
 Managing the System Time and Date, page 17-21
 Configuring a System Name and Prompt, page 17-25
 Creating a Banner, page 17-28
Administering Wireless Device Communication
 Configuring Ethernet Speed and Duplex Settings, page 17-30
 Configuring the Access Point for Wireless Network Management, page 17-31
 Configuring the Access Point for Local Authentication and Authorization, page 17-31
 Configuring the Authentication Cache and Profile, page 17-32
 Configuring the Access Point to Provide DHCP Service, page 17-35
 Configuring the Access Point for Secure Shell, page 17-38
 Configuring Client ARP Caching, page 17-39
 Configuring Multiple VLAN and Rate Limiting for Point-to-Multipoint Bridging, page 17-40 
						

							17-2
Book Title
OL-xxxxx-xx
Chapter 17      Administering the Wireless Device
  Disabling the Mode Button Function
Disabling the Mode Button Function
You can disable the mode button on the wireless device by using the [no] boot mode-button command.
CautionThis command disables password recovery. If you lose the privileged EXEC mode password for the 
access point after entering this command, you will need to contact the Cisco Technical Assistance Center 
(TAC) to regain access to the access point CLI.
NoteTo reboot the wireless device use the service-module wlan-ap reset command from the router’s Cisco 
IOS CLI. See the 
“Rebooting the Wireless Device” section on page 17-17 for information about this 
command.
The mode button is enabled by default. Follow these steps to disable the access point’s mode button, 
beginning in the privilege EXEC mode:
You can check the status of the mode-button by executing the show boot or show boot mode-button 
commands in the privileged EXEC mode. The status does not appear in the running configuration. The 
following shows a typical response to the show boot and show boot mode-button commands:
ap# show boot 
BOOT path-list: flash:/c1200-k9w7-mx-v123_7_ja.20050430/c1200-k9w7-mx.v123_7_ja.20050430 Config file: flash:/config.txt 
Private Config file: flash:/private-config 
Enable Break: no Manual boot:no 
Mode button:on 
Enable IOS break: no HELPER path-list: 
NVRAM/Config file 
buffer size: 32768  
ap#show boot mode-button 
on ap#
NoteAs long as the privileged EXEC password is known, you can use the boot mode-button command to 
restore the mode button to normal operation. 
CommandPurpose
Step 1configure terminalEnters global configuration mode.
Step 2no boot mode-buttonDisables the access point’s mode button. 
Step 3endNoteIt is not necessary to save the configuration.