Configure two Cisco Waps root bridge and non root bridge

SWM

Help

I have two Cisco 1240AG WAP's that I am trying to configure to allow two offices buildings (about 20m apart) to connect to each other.

Both WAP's were working, although the client did not know the username passwords, and as a result could not change the WPA key and the IP subnet was also wrong.
Long story short, we had no current config and I discovered that these WAPS do not have a rommon mode, so a complete reset was done and reconfigure, so both devices have been blanked and resetup.

The Radio0-802.11G interfaces on both devices are working well and allowing clients to connect.
I am trying to get the WAP's talking via the 802.11A interfaces, with one device in "Root Bridge" and the other in "non-Root Bridge".

My problem is the non-root bridge device keeps showing :software hardware status disabled when I select non root bridge. If i configure this interface as a AP it enables fine....
Config ...
Radio0-802.11G on WAP1 is rootbridge

interface Dot11Radio1
no ip address
no ip route-cache
!
encryption mode ciphers tkip
!
ssid ADELWAP1
!
no dfs band block
parent 1 001c.0ed1.c3d0
speed basic-6.0 basic-9.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.
0 basic-54.0
channel dfs
station-role root bridge
antenna gain 22
bridge-group 1
bridge-group 1 spanning-disabled
!


Radio0-802.11G on WAP2 is non rootbridge
interface Dot11Radio1
no ip address
no ip route-cache
!
encryption mode ciphers tkip
!
ssid ADELWAP2
!
parent 1 001c.0ed1.d9b0
parent timeout 65535
speed basic-6.0 basic-9.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.
0 basic-54.0
station-role non-root bridge
antenna receive right
antenna transmit right
antenna gain 22
bridge-group 1
bridge-group 1 spanning-disabled

Any clues on what I am doing wrong ?

tech-airman

SWM,

Instead of configuring the second WAP as a non-root bridge, try configuring the second WAP as a repeater.

tiersten

tech-airman wrote: »

Instead of configuring the second WAP as a non-root bridge, try configuring the second WAP as a repeater.

It wouldn't bridge the two LANs if you set it as repeater.

tiersten

SWM wrote: »

My problem is the non-root bridge device keeps showing :software hardware status disabled when I select non root bridge. If i configure this interface as a AP it enables fine....

The non root bridge can't associate with the root bridge. What does the log say?

SWM wrote: »

encryption mode ciphers tkip

No AES support in your AP?

SWM wrote: »

parent 1 001c.0ed1.c3d0

The root bridge shouldn't have a parent?

SWM wrote: »

antenna gain 22

You do have a directional antenna with gain?

SWM wrote: »

parent 1 001c.0ed1.d9b0
parent timeout 65535

When I setup a bridge, I just specified the root bridge's SSID in the non root bridge config.

interface Dot11Radio1
no ip address
no ip route-cache
!
encryption mode ciphers aes-ccm
!
ssid SSIDofRootBridgeHere
!
speed basic-6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role non-root bridge
bridge-group 1
bridge-group 1 spanning-disabled
!

tech-airman

tiersten wrote: »

It wouldn't bridge the two LANs if you set it as repeater.

tiersten,

I was just trying to deal with the equipment that already exists which is a pair of WAPs.

tiersten

tiersten wrote: »

No AES support in your AP?

The 1240AG series of APs should support AES. I just tried it on my spare 1242.

tiersten

tech-airman wrote: »

tiersten,

I was just trying to deal with the equipment that already exists which is a pair of WAPs.

Okay? SWM is trying to replicate the original configuration. If there isn't a wired LAN in the 2nd building then a repeater would work. If there is one then you'd need to use a bridge.

SWM

Thanks for all the replies
[HTML]
Quote:Originally Posted by tech-airman Instead of configuring the second WAP as a non-root bridge, try configuring the second WAP as a repeater.It wouldn't bridge the two LANs if you set it as repeater. [/HTML]

Correct, thats why a repeater is not a option. Each WAP needs to provide local Wireless and ethernet access.

[HTML]
Quote:Originally Posted by SWM parent 1 001c.0ed1.c3d0[/HTML]

I was clutching at straws when I entered that. The event log on the non root bridge indicated it cannot associate, so I gave it the root-bridge mac address.

[HTML]
Quote:Originally Posted by SWM antenna gain 22You do have a directional antenna with gain?[/HTML]

Yes each site has a 22db external roof mounted antenna

[HTML]
Quote:Originally Posted by SWM encryption mode ciphers tkipNo AES support in your AP?
[/HTML]

I am happy to tighten security once the two waps are talking. hey I would even use WEP just to get bi directional communication happening, and then increase security.

I used the GUI interface to configure and its put the same SSID on both the A and G radio !

Do i need a different SSID on each but a matching SSID on both A's at each site that match each other? The Cisco help and documentation is very vague.

tiersten

SWM wrote: »

I am happy to tighten security once the two waps are talking. hey I would even use WEP just to get bi directional communication happening, and then increase security.

Ah. I was wondering why you chose TKIP thats all. I'd have to stop talking to you if you did use WEP however

SWM wrote: »

I used the GUI interface to configure and its put the same SSID on both the A and G radio !

That is the default. You can change it from the GUI via SECURITY -> SSID Manager.

Select the SSID you want to modify and then check/uncheck the relevant radio.

SWM wrote: »

Do i need a different SSID on each but a matching SSID on both A's at each site that match each other?

You can have the same SSID on both radios if you want. It doesn't matter.

For your 802.11a link though you need to make sure that both bridges have the same SSID set for 802.11a. The non root bridge needs to have that SSID set as the Infrastructure SSID.

Very rough set of steps:

1. Create a SSID with relevant security for the 802.11g radio on both APs.
2. Create a SSID with relevant security for the 802.11a radio on both APs.
3. Set the 802.11g radio in both APs to be in Access Point mode.
4. Set the 802.11a radios in both APs to use the correct antenna socket since you've got an external antenna.
5. Set the 802.11a radio in one to be in root bridge mode.
6. Set the 802.11a radio in the remaining AP to be in non root bridge mode.
7. Set the SSID as the Infrastructure SSID on the non root bridge.
8. Enable both radios on both APs

I know you've done some of these steps before. That should be enough to get them to talk to each other and act as a bridge + AP. What does the log show anyway?

tiersten

Oh and work on your quoting! Press quote next to a post and see how it does the quoting.

tech-airman

tiersten wrote: »

Okay? SWM is trying to replicate the original configuration. If there isn't a wired LAN in the 2nd building then a repeater would work. If there is one then you'd need to use a bridge.

tiersten,

At the time of my post, the above was unknown information based on the OP at the time.

tiersten

tech-airman wrote: »

tiersten,

At the time of my post, the above was unknown information based on the OP at the time.

You could work out that SVM was trying to bridge two LANs together using 802.11a. The 802.11a radios were in root and non root bridged mode with client access disabled. Client devices using the 802.11g radios which are in AP mode.

SWM

Thanks tiersten for the replies

Internet Exploder 8 had a Hemorrhage, sorry about the quotes...:)

"For your 802.11a link though you need to make sure that both bridges have the same SSID set for 802.11a. The non root bridge needs to have that SSID set as the Infrastructure SSID"

So you are saying both external 802.11a interfaces have the SAME SSID. Is this how the non-root bridge knows who it is allowed to communicate with? If so what prevents another WAP from attempting to connect to my root-bridge WAP if it can see and copies my SSID ?

tiersten

SWM wrote: »

So you are saying both external 802.11a interfaces have the SAME SSID. Is this how the non-root bridge knows who it is allowed to communicate with?

Yes. The root bridge advertises its own SSID and you tell the non root bridge to look for that SSID. I didn't notice that you had two different SSIDs in your config.

SWM wrote: »

If so what prevents another WAP from attempting to connect to my root-bridge WAP if it can see and copies my SSID ?

Same way you stop people accessing your AP. Encryption

You should be able to restrict it based on MAC address as well.

tech-airman

SWM,

SWM wrote: »

Thanks for all the replies
[HTML]
Quote:Originally Posted by tech-airman Instead of configuring the second WAP as a non-root bridge, try configuring the second WAP as a repeater.It wouldn't bridge the two LANs if you set it as repeater. [/HTML]

Correct, thats why a repeater is not a option. Each WAP needs to provide local Wireless and ethernet access.

Questions:

1. Where does Ethernet access in Building 1 go to?
2. Where does Ethernet access in Building 2 go to?
3. How and why does the network in Building 1 need to be connected with the network in Building 2?
4. Does any building have a WAN/upstream link and if so, which building(s)?

SWM wrote: »

[HTML]
Quote:Originally Posted by SWM parent 1 001c.0ed1.c3d0[/HTML]

I was clutching at straws when I entered that. The event log on the non root bridge indicated it cannot associate, so I gave it the root-bridge mac address.

According to the "Cisco Aironet Access Point FAQ" at cisco.com, it states...

Cisco Aironet Access Point FAQ wrote:

Q: Which devices can associate with an AP?

• AP to client
• AP to AP (in repeater mode)
• AP (in repeater mode) to base station (in AP mode)
• AP to workgroup bridge

Note that "AP (in non-root bridge mode)" is NOT listed. The purpose of using an AP (in non-root bridge mode)" is so that the AP can associate with a wireless bridge in root bridge mode. You cannot associate an AP in non-root bridge mode with an AP in root bridge mode as you learned.

Source:

1. "cisco Aironet Access Point FAQ" webpage at cisco.com - Cisco Aironet Access Point FAQ - Cisco Systems

SWM wrote: »

[HTML]
Quote:Originally Posted by SWM antenna gain 22You do have a directional antenna with gain?[/HTML]

Yes each site has a 22db external roof mounted antenna

[HTML]
Quote:Originally Posted by SWM encryption mode ciphers tkipNo AES support in your AP?
[/HTML]

I am happy to tighten security once the two waps are talking. hey I would even use WEP just to get bi directional communication happening, and then increase security.

I used the GUI interface to configure and its put the same SSID on both the A and G radio !

Do i need a different SSID on each but a matching SSID on both A's at each site that match each other? The Cisco help and documentation is very vague.

SWM

thanks, for all the help.

I will give it a go over the next day or so, because I have external antenna, I cannot configure it on my workbench, have to connect the antenna and both device in each building.

Second building is a concrete warehouse with a tin roof. So until I get the WAP's working I have no phone or Internet access. So walking back and forth is starting to get annoying...

Cheers and thanks once again, I will let you know....

tiersten

tech-airman wrote: »

Note that "AP (in non-root bridge mode)" is NOT listed. The purpose of using an AP (in non-root bridge mode)" is so that the AP can associate with a wireless bridge in root bridge mode. You cannot associate an AP in non-root bridge mode with an AP in root bridge mode as you learned.

It does work and that is how you're supposed to do it.

tiersten

SWM wrote: »

I will give it a go over the next day or so, because I have external antenna, I cannot configure it on my workbench, have to connect the antenna and both device in each building.

Yeah. It is much easier to play about if you don't need to go downstairs, outside, walk across, inside and then upstairs every time you want to change something on the other AP I guess you can't temporarily remove them?

SWM wrote: »

So until I get the WAP's working I have no phone

Ehh... No big loss...

SWM wrote: »

or Internet access.

Now this is more annoying

tech-airman

tiersten wrote: »

It does work and that is how you're supposed to do it.

tiersten,

Show me where "...you're supposed to do it?" While we're at it, show me where "...it does work....?" The OP clearly shows that it does NOT work.

tiersten

tech-airman wrote: »

tiersten,

Show me where "...you're supposed to do it?" While we're at it, show me where "...it does work....?" The OP clearly shows that it does NOT work.

An access point in root bridge mode is the same as a wireless bridge in root bridge mode. The wireless bridges are designed to only do bridging. The access points are capable of both. Read the Link-Role Flexibility section of the 1240AG datasheet.

It does work because I've got it running here between two 1242s. 802.11g for client access and 802.11a as the backhaul using bridge mode. One is in root bridge mode and one is in non root bridge mode.

It won't work for the OP because he hasn't got it configured properly. The SSIDs aren't the same for one.

SWM

Hi tech-airman
Questions:

1. Where does Ethernet access in Building 1 go to?
2. Where does Ethernet access in Building 2 go to?
3. How and why does the network in Building 1 need to be connected with the network in Building 2?
4. Does any building have a WAN/upstream link and if so, which building(s)?

Answers

1. Ethernet in main building is our main LAN, i,e servers, printers DSL router etc, workstations etc
2. Ethernet is second office is used for offsite data backup, and the odd workstation (second building is a warehouse)
3 User need to take laptops from Building one and connect to server infrastructure in building 1 whilst using wireless when in building two.
4 As I said building one has all the infrastructure.

The end result needs to be laptops or desktops can be connect either via ethernet cable or wireless in the second office (a tad slower) but have full connectivity...

Hope this make sense

tech-airman

SWM wrote: »

Hi tech-airman
Questions:

1. Where does Ethernet access in Building 1 go to?
2. Where does Ethernet access in Building 2 go to?
3. How and why does the network in Building 1 need to be connected with the network in Building 2?
4. Does any building have a WAN/upstream link and if so, which building(s)?

Answers

1. Ethernet in main building is our main LAN, i,e servers, printers DSL router etc, workstations etc
2. Ethernet is second office is used for offsite data backup, and the odd workstation (second building is a warehouse)
3 User need to take laptops from Building one and connect to server infrastructure in building 1 whilst using wireless when in building two.
4 As I said building one has all the infrastructure.

The end result needs to be laptops or desktops can be connect either via ethernet cable or wireless in the second office (a tad slower) but have full connectivity...

Hope this make sense

SWM,

Thank you for helping me understand your network better. At this time, here's my recommendations:

1. For the WAP in Building 2, set the Dot11Radio1 interface to "station-role workgroup bridge"
2. For the WAP in Building 2, set the Dot11Radio0 interface to "station-role access point"
3. Verify that the SSID used on the WAP in Building 1 matches that with the WAP in Building 2.
4. Make sure that from an IP scheme perspective that both the WAP in Building 1 and the WAP in Building 2 share the same IP sub/network.
5. Post back if these steps help or not.

tiersten

tech-airman wrote: »

For the WAP in Building 2, set the Dot11Radio1 interface to "station-role workgroup bridge"

For what SVM wants, it should be configured as a root bridge and non root bridge. A workgroup bridge won't do transparent bridging because the bridge is associated as a client device. A root bridge/non root bridge setup will do transparent bridging.

SWM

Thanks tiersten for all your help, its working perfectly.

Once I created the SSID that matched on both "A" External intefaces and the required security, the interface on the "non-root-bridge" automatically became "enabled and up" as it could associate with the "root-bridge"

thanks again.

tiersten

SWM wrote: »

Thanks tiersten for all your help, its working perfectly.

Once I created the SSID that matched on both "A" External intefaces and the required security, the interface on the "non-root-bridge" automatically became "enabled and up" as it could associate with the "root-bridge"

Great that you've got it working. You had pretty much all the config actually apart from the matching 802.11a SSIDs. I do agree that the documentation is a little lacking. The web GUI runs like molasses as well which can get frustrating.

Make sure nobody loses the passwords this time

EricO

I'm glad your issue got resolved. If you ever need to trunk multiple vlans across these things let me know. I've got a couple of configs where the g side is the AP, and the A side is trunking multiple vlans from one building to another.

pierris

hello.
i have the same problem.
with root bridge and non-root bridge configuration.
i am trying to connect the two points via "a" with the same SSID

can anyone write the steps with some more details???????????

timcredible

EricO wrote: »

I'm glad your issue got resolved. If you ever need to trunk multiple vlans across these things let me know. I've got a couple of configs where the g side is the AP, and the A side is trunking multiple vlans from one building to another.

i'm trying to do that exact thing - would you mind helping out? thanks.

Muis78

EricO wrote: »

I'm glad your issue got resolved. If you ever need to trunk multiple vlans across these things let me know. I've got a couple of configs where the g side is the AP, and the A side is trunking multiple vlans from one building to another.

Hi all

I am having the same problem linking two Cisco 1262 AP in 2 seperate buildings with multiple Vlans..One AP in root bridge mode and the second AP in non root bridge mode.. Any config to asist me in setting the APs up so the non root bridge AP can see the Vlans