https://community.cisco.com/t5/wireless/wireless-ap-bridge-commands/m-p/4947827#M262098 <P>I'm not going to try to answer your questions because I've never tried to work out the answers myself.<BR />The IOS config was originally created for LAN bridging and they re-used it for APs so I've also just accepted the defaults and left it at that.</P> <P>However it's worth pointing out that most of the IOS APs will be end of support in a few months time (apart from IW3702 which has a few years left) so you should probably not be spending too much time on IOS APs.&nbsp; All the new APs (since Wave 2 AC) run AP-COS which is a completely different OS.</P> Wed, 25 Oct 2023 13:25:10 GMT Rich R 2023-10-25T13:25:10Z https://community.cisco.com/t5/wireless/wireless-ap-bridge-commands/m-p/4947104#M262072 <P>In every sample of configuring wireless access points, including Cisco documentation (notably the older Aeronet ones), I find the following lines to be configured on the bridge group which includes the radio interface:</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">bridge-group 1 block-unknown-source no bridge-group 1 source-learning no bridge-group 1 unicast-flooding bridge-group 1 spanning-disabled</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>Yet I can find no explanation anywhere why they are always there, and what do these actually do?&nbsp;</P><P>block-unknown-source - the only Cisco doc I find is a configuration sample which states "blocks traffic that comes from unknown MAC address sources".&nbsp; Understandable enough - but none of the samples contain any configuration to specify allowed MAC addresses (including actual live APs, and they work totally fine). I know some APs can be configured to use MAC address authentication, yet on APs not so configured the above line is still present.</P><P>no source-learning - same Cisco doc merely states "disables source learning". Great. Learning what? From who? Does it mean automatic MAC-address learning? Would fit to block-unknown-source so that the AP will not learn the MAC of an attacker, but again, where are the allowed MAC addresses? Or is that something totally unrelated to MAC addresses?</P><P>no unicast-flooding - I understand the concept, every switch does unicast flooding, but why would we not want this on an AP?&nbsp;</P><P>spanning-disabled: this of course disables STP. Yet I do not quite understand how STP even comes into the picture on a wireless AP - typically it has one wired ethernet port and one or more radio antennas. STP would ensure no multiple links between devices exists. How does this apply to wireless APs?</P> Tue, 24 Oct 2023 19:40:24 GMT https://community.cisco.com/t5/wireless/wireless-ap-bridge-commands/m-p/4947104#M262072 pschulz 2023-10-24T19:40:24Z https://community.cisco.com/t5/wireless/wireless-ap-bridge-commands/m-p/4947827#M262098 <P>I'm not going to try to answer your questions because I've never tried to work out the answers myself.<BR />The IOS config was originally created for LAN bridging and they re-used it for APs so I've also just accepted the defaults and left it at that.</P> <P>However it's worth pointing out that most of the IOS APs will be end of support in a few months time (apart from IW3702 which has a few years left) so you should probably not be spending too much time on IOS APs.&nbsp; All the new APs (since Wave 2 AC) run AP-COS which is a completely different OS.</P> Wed, 25 Oct 2023 13:25:10 GMT https://community.cisco.com/t5/wireless/wireless-ap-bridge-commands/m-p/4947827#M262098 Rich R 2023-10-25T13:25:10Z https://community.cisco.com/t5/wireless/wireless-ap-bridge-commands/m-p/4955134#M262682 <P>Understood on the (relative) irrelevance of these IOS commands - it's time to move on.</P> Tue, 07 Nov 2023 18:54:42 GMT https://community.cisco.com/t5/wireless/wireless-ap-bridge-commands/m-p/4955134#M262682 pschulz 2023-11-07T18:54:42Z