Aironet APs: Bridge Groups and BVI
The command line configuration of Cisco Aironet access points can be confusing to someone who doesn't understand what's going on behind the scenes. "What's a bridge group? How is it different from a VLAN? Why do I have subinterfaces and a BVI?" In this article, we'll walk through a basic multiple SSID configuration on an Aironet one section at a time and shed some light on how bridge groups are used to tie everything together.
Our example will make use of two SSIDs:
- VLAN 10: Corporate
- VLAN 20: Guest
Configuration
Global Configuration
dot11 ssid Corporate
 vlan 10
!
dot11 ssid Guest
 vlan 20
!
bridge irb
Two relevant functions are performed in the snippet above. First, our two SSIDs (Corporate and Guest) are defined and associated with VLANs. Second, integrated routing and bridging (IRB) is enabled with the command bridge irb. This allows us to define bridge groups and a BVI.
Radio Interface Configuration
Our access point has two physical radio (wireless) interfaces: Dot11Radio0 (2.4 GHz) and Dot11Radio1 (5 GHz). Since we want to enable both SSIDs on both radios, the interfaces are configured identically.
interface Dot11Radio0
 no ip address
 !
 ssid Corporate
 !
 ssid Guest
 !
 mbssid
!
interface Dot11Radio0.10
 encapsulation dot1Q 10
 bridge-group 1
!
interface Dot11Radio0.20
 encapsulation dot1Q 20
 bridge-group 2
interface Dot11Radio1
 no ip address
 !
 ssid Corporate
 !
 ssid Guest
 !
 mbssid
!
interface Dot11Radio1.10
 encapsulation dot1Q 10
 bridge-group 1
!
interface Dot11Radio1.20
 encapsulation dot1Q 20
 bridge-group 2
First, we assign both SSIDs to the physical radio interfaces. We also include the command mbssid to ensure that each SSID receives a unique BSSID (which is analogous to a MAC address).
Next, we create a subinterface for each SSID, .10 and .20. Each subinterface is mapped to both a VLAN and a bridge group. We'll talk more about bridge groups shortly.
Ethernet Interface Configuration
interface FastEthernet0
 no ip address
!
interface FastEthernet0.10
 encapsulation dot1Q 10
 bridge-group 1
!
interface FastEthernet0.20
 encapsulation dot1Q 20
 bridge-group 2
The configuration of our FastEthernet interface should look similar to that of our radio interfaces. Two subinterfaces are attached to the physical interface, with each tied to its respective VLAN and bridge group.
BVI Configuration
interface BVI1
 ip address 192.168.10.123 255.255.255.0
 no ip route-cache
Finally, we configure the bridge virtual interface (BVI) for management. A BVI interface is mapped to a bridge group by its numeric identifier (in this case, 1), similar to how a VLAN interface is mapped to a VLAN. It may help to refer to VLAN interfaces as switch virtual interfaces (SVIs); BVIs are the same concept but applied to bridge groups instead of VLANs.
BVI1 is the default BVI on Aironet access points and cannot be deleted:
ap(config)# no interface bvi1
%command not allowed, cannot remove BVI 1
While you can create BVIs for other bridge groups, only one of them can be assigned an IP address for management (similar to how a layer-two-only Catalyst switch can have only one active VLAN interface). And since BVI1 is going to be there anyway, we might as well use it.
Note that the IP address assigned to BVI1 must be in the same subnet as any SSID assigned to the bridge group (in this case, the Corporate SSID).
Putting it all Together

Working from top to bottom, we can see that:
- SSIDs are mapped to VLANs.
- VLANs are mapped to radio subinterfaces.
- Radio subinterfaces are mapped to bridge groups.
- Ethernet subinterfaces are also mapped to bridge groups.
- BVI1 is assigned an IP address tied to bridge group 1.
This configuration keeps wireless traffic belonging to one SSID isolated from traffic belonging to the other as it transits the access point from the wired interface to the wireless interface and vice versa. Note that because there is no BVI2 interface, the access point has no IP address reachable directly from the Guest SSID.
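As an added illustration (not code from the original article, and not a Cisco tool), here is a small Python checker that parses a running configuration like the one above, rebuilds the SSID to VLAN to subinterface to bridge group to BVI chain, and flags the mistakes that break the isolation just described, such as two VLANs landing in the same bridge group or an SSID whose bridge group has no wired member. The configuration text, the deliberately miswired variant and all function names are constructed for this example.

```python
import re
from ipaddress import ip_interface

# Constructed sample: the article's multi-SSID configuration as running-config
# text, typed in here for the checker (not captured from a live access point).
SAMPLE_CONFIG = """\
dot11 ssid Corporate
 vlan 10
!
dot11 ssid Guest
 vlan 20
!
bridge irb
!
interface Dot11Radio0
 no ip address
 ssid Corporate
 ssid Guest
 mbssid
!
interface Dot11Radio0.10
 encapsulation dot1Q 10
 bridge-group 1
!
interface Dot11Radio0.20
 encapsulation dot1Q 20
 bridge-group 2
!
interface FastEthernet0.10
 encapsulation dot1Q 10
 bridge-group 1
!
interface FastEthernet0.20
 encapsulation dot1Q 20
 bridge-group 2
!
interface BVI1
 ip address 192.168.10.123 255.255.255.0
"""

# Constructed mistake for contrast: the Guest wired subinterface is put into
# bridge-group 1, so VLAN 10 and VLAN 20 would be bridged together.
MISWIRED_CONFIG = SAMPLE_CONFIG.replace(
    "interface FastEthernet0.20\n encapsulation dot1Q 20\n bridge-group 2",
    "interface FastEthernet0.20\n encapsulation dot1Q 20\n bridge-group 1",
)


def blocks(text):
    """Yield (header, [child lines]) for each top-level IOS-style config block.
    Children are indented; a bare '!' closes the block."""
    header, children = None, []
    for raw in text.splitlines() + ["!"]:
        if raw.startswith(" "):
            children.append(raw.strip())
        else:
            if header:
                yield header, children
            header, children = (None if raw.strip() in ("", "!") else raw.strip()), []


def build_model(text):
    """Collect ssid->vlan, subinterface->(vlan, bridge group) and bridge group->BVI address."""
    ssids, subifs, bvis = {}, {}, {}
    for header, lines in blocks(text):
        body = "\n".join(lines)
        if header.startswith("dot11 ssid "):
            m = re.search(r"^vlan (\d+)$", body, re.M)
            if m:
                ssids[header[len("dot11 ssid "):]] = int(m[1])
        elif header.startswith("interface "):
            name = header.split()[1]
            vlan = re.search(r"^encapsulation dot1[Qq] (\d+)$", body, re.M)
            bg = re.search(r"^bridge-group (\d+)$", body, re.M)  # plain membership line only
            ip = re.search(r"^ip address (\S+) (\S+)$", body, re.M)
            if name.upper().startswith("BVI"):
                bvis[int(name[3:])] = ip_interface(f"{ip[1]}/{ip[2]}") if ip else None
            elif vlan and bg:
                subifs[name] = (int(vlan[1]), int(bg[1]))
    return ssids, subifs, bvis


def audit(text):
    """Return (findings, paths). findings lists isolation problems (empty when clean);
    paths maps each SSID to its VLAN, bridge group and any AP address reachable from it."""
    ssids, subifs, bvis = build_model(text)
    findings, members = [], {}  # members: bridge group -> {interface: vlan}
    for name, (vlan, bg) in subifs.items():
        members.setdefault(bg, {})[name] = vlan
    for bg, ifs in sorted(members.items()):
        vlans = sorted(set(ifs.values()))
        if len(vlans) > 1:
            findings.append(f"bridge-group {bg} mixes VLANs {vlans}; their SSIDs would be bridged together")
        if not any("Ethernet" in n for n in ifs):
            findings.append(f"bridge-group {bg} has no wired subinterface; its SSID is stranded on the AP")
    paths = {}
    for ssid, vlan in ssids.items():
        groups = sorted({bg for v, bg in subifs.values() if v == vlan})
        if len(groups) != 1:
            findings.append(f"SSID {ssid} (VLAN {vlan}) spans bridge groups {groups}; expected exactly one")
            continue
        ip = bvis.get(groups[0])
        paths[ssid] = {"vlan": vlan, "bridge_group": groups[0], "mgmt_ip": str(ip.ip) if ip else None}
    addressed = [bg for bg, ip in bvis.items() if ip]
    if len(addressed) > 1:
        findings.append(f"more than one BVI carries an IP address: {addressed}")
    return findings, paths


if __name__ == "__main__":
    for label, cfg in (("article config", SAMPLE_CONFIG), ("miswired config", MISWIRED_CONFIG)):
        findings, paths = audit(cfg)
        print(label, paths, findings or "no isolation problems", sep="\n  ")
```

Run against the article's configuration the checker reports no findings and shows that only the Corporate SSID (bridge group 1) has a reachable AP address; against the miswired variant it reports the mixed bridge group, the stranded bridge group 2 and the Guest SSID spanning two groups. The same audit can be run over a saved running-config before pushing a template to many access points.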
What About Those Other Bridge Group Commands?
You may have noticed that, when assigning a radio interface to a bridge group with the bridge-group command, four or five additional commands also appear out of nowhere. For example, here's the full configuration of interface Dot11Radio0.10 from our lab as it appears in the running configuration:
interface Dot11Radio0.10
 encapsulation dot1Q 10
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
These are default commands which tweak the behavior of bridge groups on the access point, primarily by disabling spanning tree and compensating for its absence. Unless you have a specific reason to modify them, just let these commands be.
Comments
So is there a difference between bridge group and vlan?
@Michael: Bridge groups are used internally to the device to bridge traffic from one routed interface to another. They can be used similar to VLANs internally, but don't provide any traffic isolation outside of the device as VLANs do with tagging.
Great article, Jeremy, many thanks! I'm not too familiar with the WAP products, but the C877 integrated service router seems to work in a pretty similar way, so my question is, why would you use bridge groups, why not just use those subinterfaces (both radio and LAN) as routed interfaces?
Incidentally, any suggestion for how to enable multicast across the radio interface (i.e. between two devices attached to the same SSID)? I've been scratching my head over this for weeks.
What if you want your management traffic to be in a separate vlan that is not broadcasted in a SSID.
Would you still need any Bvi?
Or could you just create a Vlan interface with an ip address?
Great post Jeremy! Great site by the way!
Very good information ! Thank you very much Jeremy ! :)
Pim (and Stretch),
On Aironet APs, you can't assign an IP to anything other than a bridged virtual interface. And the only BVI you can use for IP is 1. This is because you have to enable 'route IP' for the bridge, and on the Aironets I've configured, it only allows you to use bridge group 1...
zoran-1131ag#show ver | inc ^Cisco
Cisco IOS Software, C1130 Software (C1130-K9W7-M), Version 12.4(21a)JA1, RELEASE SOFTWARE (fc1)
zoran-1131ag#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
zoran-1131ag(config)#no bridge 1 route ip
%command not allowed, cannot remove bridge 1 route ip
zoran-1131ag(config)#bridge 20 route ip
%command not allowed, route ip only allowed on bridge group 1
I include my hardware & IOS version in case it's changed, but in the past I've tried to use a different bridge group number for management routing & I couldn't make it work.... :(
Chris
Ok. So then solution would be ( to separate management traffic to be in a vlan that is not broadcasted in a SSID) to use BVI 1 with IP address and map it with FastEthernet subinterface, and create two different bridge groups. For example:
interface Dot11Radio0
!
ssid Corporate
!
ssid Guest
!
mbssid
bridge-group 1 (This is by default, and we can't turn this off)
!
interface Dot11Radio0.20
encapsulation dot1Q 20
bridge-group 2
!
interface Dot11Radio0.30
encapsulation dot1Q 30
bridge-group 3
!
Excellent post! Perfect timing since I was about to roll-out a second SSID on my Aironets next week, and this solidifies my understanding of the radio-vlan-bridgegroup-interface relationships.
P.S. Love the networking challenges required for posting.
Regarding bridge-group 1, I've run into some issues with APs telling me I cannot remove this group from the radio physical interfaces. For ease of use, management or using a basic configuration template type to configure many APs for different sites, I've configured a text file offline and uploaded it, which works perfectly like in the example above. In some cases I've modified an existing AP running config and found the AP gives errors when you try to remove bridge group 1 from the physical radio interfaces.
It is possible to configure a management IP on the fa0 interface and subinterface.
Great article. And very timely for me.
The problem I'm having is I can authenticate to my WAPs but not getting any IP address. I'm pretty sure this is related to the crappy Netgear switch that the WAP connects to.
Normally on the switch the WAP connects to you would need to have that port set as a trunk port to allow traffic from both the guest and private VLANs, correct?
Great article, Jeremy! Thanks.