
Wireless AP Bridge commands

pschulz
Level 1

In every sample of configuring wireless access points, including Cisco documentation (notably the older Aironet ones), I find the following lines to be configured on the bridge group which includes the radio interface:

bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled

Yet I can find no explanation anywhere why they are always there, and what do these actually do? 

block-unknown-source - the only Cisco doc I find is a configuration sample which states "blocks traffic that comes from unknown MAC address sources".  Understandable enough - but none of the samples contain any configuration to specify allowed MAC addresses (including actual live APs, and they work totally fine). I know some APs can be configured to use MAC address authentication, yet on APs not so configured the above line is still present.

no source-learning - same Cisco doc merely states "disables source learning". Great. Learning what? From who? Does it mean automatic MAC-address learning? Would fit to block-unknown-source so that the AP will not learn the MAC of an attacker, but again, where are the allowed MAC addresses? Or is that something totally unrelated to MAC addresses?

no unicast-flooding - I understand the concept, every switch does unicast flooding, but why would we not want this on an AP? 

spanning-disabled: this of course disables STP. Yet I do not quite understand how STP even comes into the picture on a wireless AP - typically it has one wired ethernet port and one or more radio antennas. STP would ensure no multiple links between devices exists. How does this apply to wireless APs?


Rich R
VIP

I'm not going to try to answer your questions because I've never tried to work out the answers myself.
The IOS config was originally created for LAN bridging and they re-used it for APs so I've also just accepted the defaults and left it at that.

However, it's worth pointing out that most of the IOS APs will be end of support in a few months' time (apart from IW3702 which has a few years left) so you should probably not be spending too much time on IOS APs. All the new APs (since Wave 2 AC) run AP-COS which is a completely different OS.


Understood on the (relative) irrelevance of these IOS commands - it's time to move on.
