Configure two Cisco Waps root bridge and non root bridge

SWM Member Posts: 287
Help

I have two Cisco 1240AG WAPs that I am trying to configure to allow two office buildings (about 20m apart) to connect to each other.

Both WAPs were working, although the client did not know the username/passwords and as a result could not change the WPA key, and the IP subnet was also wrong.
Long story short, we had no current config and I discovered that these WAPs do not have a rommon mode, so a complete reset and reconfigure was done; both devices have been blanked and set up again.

The Radio0-802.11G interfaces on both devices are working well and allowing clients to connect.
I am trying to get the WAPs talking via the 802.11A interfaces, with one device in "Root Bridge" and the other in "non-Root Bridge".

My problem is the non-root bridge device keeps showing: software hardware status disabled when I select non root bridge. If I configure this interface as an AP it enables fine....
Config ...
Radio0-802.11G on WAP1 is rootbridge

interface Dot11Radio1
no ip address
no ip route-cache
!
encryption mode ciphers tkip
!
ssid ADELWAP1
!
no dfs band block
parent 1 001c.0ed1.c3d0
speed basic-6.0 basic-9.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0
channel dfs
station-role root bridge
antenna gain 22
bridge-group 1
bridge-group 1 spanning-disabled
!


Radio0-802.11G on WAP2 is non rootbridge
interface Dot11Radio1
no ip address
no ip route-cache
!
encryption mode ciphers tkip
!
ssid ADELWAP2
!
parent 1 001c.0ed1.d9b0
parent timeout 65535
speed basic-6.0 basic-9.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0
station-role non-root bridge
antenna receive right
antenna transmit right
antenna gain 22
bridge-group 1
bridge-group 1 spanning-disabled

Any clues on what I am doing wrong?
Isn't Bill such a Great Guy!!!!

Comments

  • tech-airman Member Posts: 953
    SWM,

    Instead of configuring the second WAP as a non-root bridge, try configuring the second WAP as a repeater.
  • tiersten Member Posts: 4,505
    tech-airman wrote: »
    Instead of configuring the second WAP as a non-root bridge, try configuring the second WAP as a repeater.
    It wouldn't bridge the two LANs if you set it as repeater.
  • tiersten Member Posts: 4,505
    SWM wrote: »
    My problem is the non-root bridge device keeps showing: software hardware status disabled when I select non root bridge. If I configure this interface as an AP it enables fine....
    The non root bridge can't associate with the root bridge. What does the log say?
    SWM wrote: »
    encryption mode ciphers tkip
    No AES support in your AP?
    SWM wrote: »
    parent 1 001c.0ed1.c3d0
    The root bridge shouldn't have a parent?
    SWM wrote: »
    antenna gain 22
    You do have a directional antenna with gain?
    SWM wrote: »
    parent 1 001c.0ed1.d9b0
    parent timeout 65535
    When I setup a bridge, I just specified the root bridge's SSID in the non root bridge config.

    interface Dot11Radio1
    no ip address
    no ip route-cache
    !
    encryption mode ciphers aes-ccm
    !
    ssid SSIDofRootBridgeHere
    !
    speed basic-6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
    station-role non-root bridge
    bridge-group 1
    bridge-group 1 spanning-disabled
    !
  • tech-airman Member Posts: 953
    tiersten wrote: »
    It wouldn't bridge the two LANs if you set it as repeater.

    tiersten,

    I was just trying to deal with the equipment that already exists which is a pair of WAPs.
  • tiersten Member Posts: 4,505
    tiersten wrote: »
    No AES support in your AP?
    The 1240AG series of APs should support AES. I just tried it on my spare 1242.
  • tiersten Member Posts: 4,505
    tech-airman wrote: »
    tiersten,

    I was just trying to deal with the equipment that already exists which is a pair of WAPs.
    Okay? SWM is trying to replicate the original configuration. If there isn't a wired LAN in the 2nd building then a repeater would work. If there is one then you'd need to use a bridge.
  • SWM Member Posts: 287
    Thanks for all the replies :)

    Quote: Originally posted by tech-airman:
    Instead of configuring the second WAP as a non-root bridge, try configuring the second WAP as a repeater.
    It wouldn't bridge the two LANs if you set it as repeater.

    Correct, that's why a repeater is not an option. Each WAP needs to provide local Wireless and ethernet access.

    Quote: Originally posted by SWM:
    parent 1 001c.0ed1.c3d0

    I was clutching at straws when I entered that. The event log on the non root bridge indicated it cannot associate, so I gave it the root-bridge MAC address.

    Quote: Originally posted by SWM:
    antenna gain 22
    You do have a directional antenna with gain?

    Yes, each site has a 22db external roof mounted antenna.

    Quote: Originally posted by SWM:
    encryption mode ciphers tkip
    No AES support in your AP?

    I am happy to tighten security once the two WAPs are talking. Hey, I would even use WEP just to get bi-directional communication happening, and then increase security.

    I used the GUI interface to configure and it's put the same SSID on both the A and G radio!

    Do I need a different SSID on each but a matching SSID on both A's at each site that match each other? The Cisco help and documentation is very vague.
    Isn't Bill such a Great Guy!!!!
  • tiersten Member Posts: 4,505
    SWM wrote: »
    I am happy to tighten security once the two WAPs are talking. Hey, I would even use WEP just to get bi-directional communication happening, and then increase security.
    Ah. I was wondering why you chose TKIP, that's all. I'd have to stop talking to you if you did use WEP however :D
    SWM wrote: »
    I used the GUI interface to configure and it's put the same SSID on both the A and G radio!
    That is the default. You can change it from the GUI via SECURITY -> SSID Manager.

    Select the SSID you want to modify and then check/uncheck the relevant radio.
    SWM wrote: »
    Do I need a different SSID on each but a matching SSID on both A's at each site that match each other?
    You can have the same SSID on both radios if you want. It doesn't matter.

    For your 802.11a link though you need to make sure that both bridges have the same SSID set for 802.11a. The non root bridge needs to have that SSID set as the Infrastructure SSID.

    Very rough set of steps:

    1. Create a SSID with relevant security for the 802.11g radio on both APs.
    2. Create a SSID with relevant security for the 802.11a radio on both APs.
    3. Set the 802.11g radio in both APs to be in Access Point mode.
    4. Set the 802.11a radios in both APs to use the correct antenna socket since you've got an external antenna.
    5. Set the 802.11a radio in one to be in root bridge mode.
    6. Set the 802.11a radio in the remaining AP to be in non root bridge mode.
    7. Set the SSID as the Infrastructure SSID on the non root bridge.
    8. Enable both radios on both APs

    I know you've done some of these steps before. That should be enough to get them to talk to each other and act as a bridge + AP. What does the log show anyway?
  • tiersten Member Posts: 4,505
    Oh and work on your quoting! :) Press quote next to a post and see how it does the quoting.
  • tech-airman Member Posts: 953
    tiersten wrote: »
    Okay? SWM is trying to replicate the original configuration. If there isn't a wired LAN in the 2nd building then a repeater would work. If there is one then you'd need to use a bridge.

    tiersten,

    At the time of my post, the above was unknown information based on the OP at the time.
  • tiersten Member Posts: 4,505
    tech-airman wrote: »
    tiersten,

    At the time of my post, the above was unknown information based on the OP at the time.
    You could work out that SWM was trying to bridge two LANs together using 802.11a. The 802.11a radios were in root and non root bridged mode with client access disabled. Client devices were using the 802.11g radios, which are in AP mode.
  • SWM Member Posts: 287
    Thanks tiersten for the replies

    Internet Exploder 8 had a Hemorrhage, sorry about the quotes...:)

    "For your 802.11a link though you need to make sure that both bridges have the same SSID set for 802.11a. The non root bridge needs to have that SSID set as the Infrastructure SSID"

    So you are saying both external 802.11a interfaces have the SAME SSID. Is this how the non-root bridge knows who it is allowed to communicate with? If so, what prevents another WAP from attempting to connect to my root-bridge WAP if it can see and copies my SSID?
    Isn't Bill such a Great Guy!!!!
  • tiersten Member Posts: 4,505
    SWM wrote: »
    So you are saying both external 802.11a interfaces have the SAME SSID. Is this how the non-root bridge knows who it is allowed to communicate with?
    Yes. The root bridge advertises its own SSID and you tell the non root bridge to look for that SSID. I didn't notice that you had two different SSIDs in your config.
    SWM wrote: »
    If so, what prevents another WAP from attempting to connect to my root-bridge WAP if it can see and copies my SSID?
    Same way you stop people accessing your AP. Encryption :)

    You should be able to restrict it based on MAC address as well.
  • tech-airman Member Posts: 953
    SWM,
    SWM wrote: »
    Thanks for all the replies :)

    Quote: Originally posted by tech-airman:
    Instead of configuring the second WAP as a non-root bridge, try configuring the second WAP as a repeater.
    It wouldn't bridge the two LANs if you set it as repeater.

    Correct, that's why a repeater is not an option. Each WAP needs to provide local Wireless and ethernet access.

    Questions:
    1. Where does Ethernet access in Building 1 go to?
    2. Where does Ethernet access in Building 2 go to?
    3. How and why does the network in Building 1 need to be connected with the network in Building 2?
    4. Does any building have a WAN/upstream link and if so, which building(s)?
    SWM wrote: »
    Quote: Originally posted by SWM:
    parent 1 001c.0ed1.c3d0

    I was clutching at straws when I entered that. The event log on the non root bridge indicated it cannot associate, so I gave it the root-bridge MAC address.

    According to the "Cisco Aironet Access Point FAQ" at cisco.com, it states...
    Q: Which devices can associate with an AP?
    • AP to client
    • AP to AP (in repeater mode)
    • AP (in repeater mode) to base station (in AP mode)
    • AP to workgroup bridge

    Note that "AP (in non-root bridge mode)" is NOT listed. The purpose of using an AP (in non-root bridge mode) is so that the AP can associate with a wireless bridge in root bridge mode. You cannot associate an AP in non-root bridge mode with an AP in root bridge mode as you learned.

    Source:
    1. "Cisco Aironet Access Point FAQ" webpage at cisco.com
    SWM wrote: »
    Quote: Originally posted by SWM:
    antenna gain 22
    You do have a directional antenna with gain?

    Yes, each site has a 22db external roof mounted antenna.

    Quote: Originally posted by SWM:
    encryption mode ciphers tkip
    No AES support in your AP?

    I am happy to tighten security once the two WAPs are talking. Hey, I would even use WEP just to get bi-directional communication happening, and then increase security.

    I used the GUI interface to configure and it's put the same SSID on both the A and G radio!

    Do I need a different SSID on each but a matching SSID on both A's at each site that match each other? The Cisco help and documentation is very vague.
  • SWM Member Posts: 287
    Thanks for all the help.

    I will give it a go over the next day or so, because I have external antenna, I cannot configure it on my workbench, have to connect the antenna and both devices in each building.

    Second building is a concrete warehouse with a tin roof. So until I get the WAPs working I have no phone or Internet access. So walking back and forth is starting to get annoying... :)

    Cheers and thanks once again, I will let you know....
    Isn't Bill such a Great Guy!!!!
  • tiersten Member Posts: 4,505
    tech-airman wrote: »
    Note that "AP (in non-root bridge mode)" is NOT listed. The purpose of using an AP (in non-root bridge mode) is so that the AP can associate with a wireless bridge in root bridge mode. You cannot associate an AP in non-root bridge mode with an AP in root bridge mode as you learned.
    It does work and that is how you're supposed to do it.
  • tiersten Member Posts: 4,505
    SWM wrote: »
    I will give it a go over the next day or so, because I have external antenna, I cannot configure it on my workbench, have to connect the antenna and both devices in each building.
    Yeah. It is much easier to play about if you don't need to go downstairs, outside, walk across, inside and then upstairs every time you want to change something on the other AP :D I guess you can't temporarily remove them?
    SWM wrote: »
    So until I get the WAPs working I have no phone
    Ehh... No big loss...
    SWM wrote: »
    or Internet access.
    Now this is more annoying ;)
  • tech-airman Member Posts: 953
    tiersten wrote: »
    It does work and that is how you're supposed to do it.

    tiersten,

    Show me where "...you're supposed to do it?" While we're at it, show me where "...it does work....?" The OP clearly shows that it does NOT work.
  • tiersten Member Posts: 4,505
    tech-airman wrote: »
    tiersten,

    Show me where "...you're supposed to do it?" While we're at it, show me where "...it does work....?" The OP clearly shows that it does NOT work.
    An access point in root bridge mode is the same as a wireless bridge in root bridge mode. The wireless bridges are designed to only do bridging. The access points are capable of both. Read the Link-Role Flexibility section of the 1240AG datasheet.

    It does work because I've got it running here between two 1242s. 802.11g for client access and 802.11a as the backhaul using bridge mode. One is in root bridge mode and one is in non root bridge mode.

    It won't work for the OP because he hasn't got it configured properly. The SSIDs aren't the same for one.
  • SWM Member Posts: 287
    Hi tech-airman
    Questions:
    1. Where does Ethernet access in Building 1 go to?
    2. Where does Ethernet access in Building 2 go to?
    3. How and why does the network in Building 1 need to be connected with the network in Building 2?
    4. Does any building have a WAN/upstream link and if so, which building(s)?
    Answers

    1. Ethernet in main building is our main LAN, i.e. servers, printers, DSL router etc., workstations etc.
    2. Ethernet in second office is used for offsite data backup, and the odd workstation (second building is a warehouse)
    3. Users need to take laptops from Building one and connect to server infrastructure in building 1 whilst using wireless when in building two.
    4. As I said building one has all the infrastructure.

    The end result needs to be laptops or desktops can be connected either via ethernet cable or wireless in the second office (a tad slower) but have full connectivity...

    Hope this makes sense
    Isn't Bill such a Great Guy!!!!
  • tech-airman Member Posts: 953
    SWM wrote: »
    Hi tech-airman
    Questions:
    1. Where does Ethernet access in Building 1 go to?
    2. Where does Ethernet access in Building 2 go to?
    3. How and why does the network in Building 1 need to be connected with the network in Building 2?
    4. Does any building have a WAN/upstream link and if so, which building(s)?
    Answers

    1. Ethernet in main building is our main LAN, i.e. servers, printers, DSL router etc., workstations etc.
    2. Ethernet in second office is used for offsite data backup, and the odd workstation (second building is a warehouse)
    3. Users need to take laptops from Building one and connect to server infrastructure in building 1 whilst using wireless when in building two.
    4. As I said building one has all the infrastructure.

    The end result needs to be laptops or desktops can be connected either via ethernet cable or wireless in the second office (a tad slower) but have full connectivity...

    Hope this makes sense

    SWM,

    Thank you for helping me understand your network better. At this time, here are my recommendations:
    1. For the WAP in Building 2, set the Dot11Radio1 interface to "station-role workgroup bridge"
    2. For the WAP in Building 2, set the Dot11Radio0 interface to "station-role access point"
    3. Verify that the SSID used on the WAP in Building 1 matches that with the WAP in Building 2.
    4. Make sure that from an IP scheme perspective that both the WAP in Building 1 and the WAP in Building 2 share the same IP sub/network.
    5. Post back if these steps help or not.
  • tiersten Member Posts: 4,505
    tech-airman wrote: »
    For the WAP in Building 2, set the Dot11Radio1 interface to "station-role workgroup bridge"
    For what SWM wants, it should be configured as a root bridge and non root bridge. A workgroup bridge won't do transparent bridging because the bridge is associated as a client device. A root bridge/non root bridge setup will do transparent bridging.
  • SWM Member Posts: 287
    Thanks tiersten for all your help, it's working perfectly.

    Once I created the SSID that matched on both "A" External interfaces and the required security, the interface on the "non-root-bridge" automatically became "enabled and up" as it could associate with the "root-bridge".

    Thanks again.
    Isn't Bill such a Great Guy!!!!
  • tiersten Member Posts: 4,505
    SWM wrote: »
    Thanks tiersten for all your help, it's working perfectly.

    Once I created the SSID that matched on both "A" External interfaces and the required security, the interface on the "non-root-bridge" automatically became "enabled and up" as it could associate with the "root-bridge".
    Great that you've got it working. You had pretty much all the config actually apart from the matching 802.11a SSIDs. I do agree that the documentation is a little lacking. The web GUI runs like molasses as well which can get frustrating.

    Make sure nobody loses the passwords this time ;)
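The SSID mismatch that kept the non-root bridge radio disabled in this thread can be caught offline by comparing the two radio stanzas before walking between buildings. This is an added example, not code from any poster or from Cisco; `parse_radio` and `check_bridge_link` are hypothetical helper names, and the sample configs are trimmed from the ones posted at the top of the thread.

```python
import re

# Dot11Radio1 stanzas as posted at the top of this thread (the failing setup),
# trimmed to the lines that decide whether the bridge link can associate.
WAP1 = """interface Dot11Radio1
 encryption mode ciphers tkip
 ssid ADELWAP1
 parent 1 001c.0ed1.c3d0
 station-role root bridge
 bridge-group 1
"""
WAP2 = """interface Dot11Radio1
 encryption mode ciphers tkip
 ssid ADELWAP2
 parent 1 001c.0ed1.d9b0
 parent timeout 65535
 station-role non-root bridge
 bridge-group 1
"""

def parse_radio(config, name="Dot11Radio1"):
    """Collect role, SSIDs, ciphers and parents from one interface stanza."""
    radio = {"role": None, "ssids": set(), "ciphers": set(), "parents": []}
    inside = False
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            inside = line.split()[1] == name
        elif inside and (m := re.match(r"ssid (\S+)", line)):
            radio["ssids"].add(m.group(1))
        elif inside and (m := re.match(r"station-role (.+)", line)):
            radio["role"] = m.group(1)
        elif inside and (m := re.match(r"encryption mode ciphers (.+)", line)):
            radio["ciphers"] = set(m.group(1).split())
        elif inside and (m := re.match(r"parent \d+ (\S+)", line)):
            radio["parents"].append(m.group(1))  # "parent timeout N" is skipped
    return radio

def check_bridge_link(cfg_a, cfg_b):
    """Return findings that would stop, or weaken, a root/non-root bridge link."""
    a, b = parse_radio(cfg_a), parse_radio(cfg_b)
    findings = []
    if {a["role"], b["role"]} != {"root bridge", "non-root bridge"}:
        findings.append(f"roles: need one root and one non-root bridge, "
                        f"got {a['role']!r} and {b['role']!r}")
    if not a["ssids"] & b["ssids"]:
        findings.append(f"ssid: no common SSID ({sorted(a['ssids'])} vs {sorted(b['ssids'])})")
    if a["ciphers"] != b["ciphers"]:
        findings.append("cipher: the two radios use different cipher suites")
    for r in (a, b):
        # Questioned in the thread: the root bridge should not need a parent.
        if r["role"] == "root bridge" and r["parents"]:
            findings.append(f"parent: root bridge has parent {r['parents'][0]} configured")
    if "tkip" in a["ciphers"] | b["ciphers"]:
        findings.append("hardening: TKIP in use; the working config in the thread uses aes-ccm")
    return findings

if __name__ == "__main__":
    for finding in check_bridge_link(WAP1, WAP2):
        print(finding)
```

Run against the posted stanzas it reports the missing common SSID first, which is the fault SWM confirmed above.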
  • EricO Member Posts: 93
    I'm glad your issue got resolved. If you ever need to trunk multiple vlans across these things let me know. I've got a couple of configs where the g side is the AP, and the A side is trunking multiple vlans from one building to another.
  • pierris Registered Users Posts: 2
    Hello.
    I have the same problem with root bridge and non-root bridge configuration.
    I am trying to connect the two points via "a" with the same SSID.

    Can anyone write the steps with some more details?
  • timcredible Registered Users Posts: 1
    EricO wrote: »
    I'm glad your issue got resolved. If you ever need to trunk multiple vlans across these things let me know. I've got a couple of configs where the g side is the AP, and the A side is trunking multiple vlans from one building to another.

    I'm trying to do that exact thing - would you mind helping out? Thanks.
  • Muis78 Registered Users Posts: 1
    EricO wrote: »
    I'm glad your issue got resolved. If you ever need to trunk multiple vlans across these things let me know. I've got a couple of configs where the g side is the AP, and the A side is trunking multiple vlans from one building to another.

    Hi all

    I am having the same problem linking two Cisco 1262 APs in 2 separate buildings with multiple VLANs. One AP in root bridge mode and the second AP in non root bridge mode. Any config to assist me in setting the APs up so the non root bridge AP can see the VLANs?