Showing results for 
Search instead for 
Did you mean: 

Wireless Industrial Profile - Cisco Verified Profile

Raman Ratan
Cisco Employee
Cisco Employee

This document provides guidance and validated reference for Wireless Industrial Profile deployments.

  • MESH
  • RLAN
  • WGB


Sanatomba Singh @moisingh  for MESH

Alexander Charles Stephan Savarinathan @asavarin  for RLAN

Raman Ratan  for WGB


Wireless Industrial Profile

Cisco Catalyst 9800 Controllers and Access Points

Cisco Validated Profile (CVP)




MESH Solution Overview

A wireless mesh networking use cisco Access Points to extend network coverage wirelessly. Mesh networking can employ indoor and outdoor Mesh Access Points, cisco C9800 wireless controllers, Cisco DNA Center to provide scalable, central management and mobility between indoor and outdoor deployments. CAPWAP control manages the connection of Mesh Access points to the network.

End-to-end security within the mesh network is supported by employing Advanced Encryption Standard (AES) encryption between the wireless mesh access points and Wi-Fi Protected Access 2 (WPA2) clients.

Non Fabric Mesh deployment Topology





Hardware Specification and Requirements

Hardware Platform

Model Name

Access Points

Cisco Aironet outdoor - 1542, 1562, 1572

Cisco Aironet Wave2 indoor- 1815i, 1815m, 1830,1850, 2800, 3800 and 4800

Cisco Aironet AX- 9130, 9124

Cisco Aironet IOT- IW6300, 6300, IW9167 Series.

Cisco wireless controller

EWC - (Cisco Embedded Wireless Controller)

Cisco DNA Center

1.4 release onward

Cisco Prime Infrastructure

3.7 release onward

Mesh Access Points

Mesh Access Points should be configured with bridge mode. Access points in a mesh network operate in one of the following two ways.

  1. Root Access Points (RAP)
  2. Mesh Access Points (MAP)

Access Points can be order as a Mesh mode or can be converted from the local mode to Mesh Mode. To use access point as a root access point, you must reconfigure the mesh access points.
While the RAPs have wired connections to their controller, MAPs have wireless connections to their controller via the RAP or another MAP. MAPs communicate among themselves and back to the RAP using wireless connections over the 802.11a/n/ac/ax radio backhaul. MAPs use the Cisco Adaptive Wireless Path Protocol (AWPP) to determine the best path through the other mesh access points to the controller.

End-to-end security within the mesh network is supported by employing Advanced Encryption Standard (AES) encryption between the wireless mesh access points and Wi-Fi Protected Access 2 (WPA2) and WPA3 clients. A mesh access point establishes AWPP link with a parent Mesh AP which is already connected to the Controller before starting CAPWAP discovery.

By default, RAP or MAP does not generate Bridge Protocol Data Unit (BPDU) itself. However, the RAP or MAP forwards the BPDU to upstream devices if the RAP or MAP received the BPDU from its connected wired or wireless interface across the network.

Flex + Bridge Mode

By default, bridge mode AP behaves as a local mode AP. To make a mesh AP work in flex-connect mode, flex- bridge mode was introduced which supports flex-connect features while operating in bridge mode.

Flex mode APs are connected to trunk port with but for mesh only RAP’s connected port can be trunk port, not the MAP connected port. For ethernet bridging MAPs ethernets need to be in trunk mode. The default mode of ethernet in bridge and flex-bridge mode is trunk and default native VLAN is 0.

Mesh Supported Feature

  • AP authorization against AP MAC and AP serial number.
  • EAP authentication – Local EAP (EAP-FAST), EAP authentication with LSC.
  • Mesh Backhaul support for 2.4GHz and 5GHz.
  • Mesh Radio Resource Management
  • Mesh Convergence
  • DFS
  • Ethernet Bridging
  • Multicast over Mesh Bridging Network
  • Workgroup Bridge
  • Mesh Daisy Chaining
  • Flex+Bridge Mode
  • Backhaul Client Access
  • Air Time Fairness on Mesh
  • Subset channel Synchronization

Mesh Unsupported Feature

  • Serial backhaul AP support with separate backhaul radios for uplink and downlink.
  • Public Safety channels (4.9-GHz band) support.
  • Passive Beaconing (Anti-Stranding) 

Common Use Case

  • Ethernet Bridging – Wired clients behind RAP and MAP

    a. Same VLAN for both clients.

    b. Different VLAN for both clients.

  • WGB

    a. WGB behind the RAP

    b. WGB behind the MAP

  • Uplink loss detection.

  • Subset channel Synchronization

  • Fast convergence

  • Daisy-chaining.

  • MAP Roaming.

    a. From one RAP to another RAP b. From one MAP to another MAP c. Intra-WNCD and Inter-WNCD d. Inter Controller

  • MAP Joining
    a. MAP and RAP same or different models. b. Different types of securities.
    c. Controller upgrade or reboot.

  • Multicast with Mesh


Scale Supported

  • Cisco Recommended three MAPs in a Mesh Tree.


Mac Authorization list configuration
• aaa authorization credential-download <method_list_name> group radius <radius_server_group_name>

Creating Mesh Profile and map authorization list

  • wireless profile mesh <mesh_profile_name>
  • method authorization <method_list_name>

AP joins controller as Local mode or Mesh mode. Change AP mode to bridge mode and role to mesh/root Change AP mode from local mode to bridge.


ap name <ap_name> mode bridge
Change AP role either Mesh or Root AP
ap name ap_name role <mesh-ap/root-ap>

Subset Channel Synchronization enable controller to send all connected RAPs channel to MAPs to enable faster

convergence. Specify the Backhaul Slot for the Root AP
ap name <RAP_name> mesh backhaul radio dot11 <24ghz/5ghz> <slot slot-id>


Wireless SDA Overview


  • In SDA deployments, client traffic is sent over an overlay network that is managed by LISP (Location/ID Separation Protocol) control plane.

  • Then overlay wired clients are sending native traffic to FE (normal 802.3 frames).

  • In Wireless SDA deployments, APs are extension of the fabric. It means that APs are allowed to

    encapsulate/decapsulate wireless client traffic in VxLAN and exchange these with FE.

  • On data plane side, wireless client traffic is encapsulated in VxLAN and tunneled to FE.

  • FE has a specific interface called Access Tunnel which will take care of VxLAN processing.


SDA Mesh

    • Every Mesh AP is a fabric AP. It means that every MAP located behind a RAP (Root AP) will have a corresponding access tunnel on RAP FE.

    • Each MAP is a fabric AP and thus encapsulates client traffic in VxLAN and tunnels this traffic towards FE.

    • MAP AP will have an access tunnel plumbed on FE and will be able to encapsulate client traffic toward this tunnel without any change in infrastructure device (HW or SW). FE will create an access tunnel for

      the MAP as it would have done it for any other fabric AP.

    • The challenges in SDA mesh deployment is mesh is dynamic. The link between MAP (Mesh AP) and

      parent is wireless so can be unstable or impacted by RF conditions. That’s why a MAP can “roam” to a new parent and this without breaking the session with the WLC (CAPWAP). So, the real challenge of supporting Mesh in SDA deployment is to manage MAP roaming events to limit the traffic loss/latency.

    • Mesh COS AP shall be configurable as fabric AP (no IOS AP support).

    • Mesh Fabric AP shall keep wireless client connection during a mesh wireless uplink update (mesh roam).

    • Mesh Fabric AP, after a successful roam, shall be able to reestablish VxLAN traffic with limited traffic


    • Mesh Fabric AP shall be able to roam to an AP of the same fabric (Intra-fabric).

    • Mesh SDA solution shall be able to forward wireless client traffic with an MTU of 1500 bytes. 


SDA Mesh Topology





Show Commands on Controller

  • show fabric ap summary

  • show wireless fabric client summary

  • show wireless stats fabric control-plane all

  • show wireless mesh ap tree

  • show wireless mesh ap fabric summary

  • show ap name <name> mesh roam history 

Show Commands on Access Points

  • show mesh adjacency all

Show Commands on SDA Switch

  • show lisp all instance-id * ethernet database

  • show lisp all instance-id * ipv4 database





RLAN Solution Overview

A Remote LAN (RLAN) is used for authenticating wired clients using the controller. Once the wired client successfully joins the controller, the LAN ports can switch the traffic between central or local switching mode as per configuration. The traffic from wired client is treated as wireless client traffic by adding wireless header.

The RLAN module in AP will send the authentication/association requests for the wired client to get authenticated. The authentication of wired client through RLAN is like wireless client. RLAN uses slot 2 for configuration and control messages between the AP and WLC when you enable the OfficeExtend mode for an access point DTLS data encryption

RLAN over SDA(Fabric)–. This feature should add functionality to route traffic via VxLAN tunnel.

Controller Workflow: Controller will authenticate the client like any other local mode client. It will send client registration to map server after client is authenticated and reached mobility complete state.
To enable fabric configuration for RLAN clients, we need to configure the vnid and sgt tag information for rlan policy in addition to the existing configuration. We plan to reuse fabric policy configuration for wireless clients for rlan clients by providing a knob to configure fabric policy profile under rlan policy configuration. This information should be pushed to AP.

AP Workflow: Ap flow is same as local mode of RLAN.

 Authentication Methods

  • Open auth

  • Local auth

  • 802.1x auth

  • Mac Filtering

  • WebAuth

  • RLAN Authentication Fallback

    • From 802.1X to MAC authenecation bypass (MAB) and vice versa


Hardware and Software Specifications

The solution is validated with the hardware and software listed in the following table. For the complete list of hardware and software supported

Hardware platform

Model Name

Access points

Cisco Catalyst 9124 Series AP

Cisco Catalyst 9105AXW

Cisco Aironet OEAP 1810 series

Cisco Aironet 1815T series

Cisco Aironet 1810W series

Cisco Aironet 1815W

Cisco Catalyst IW6300 Heavy Duty Series Access Points  

Cisco 6300 Series Embedded Services Access Points

Cisco wireless controller





Cisco DNA Center



Ethernet (AUX) Port

The second Ethernet port in Cisco Aironet 1850, 2800, and 3800 Series APs is used as a link aggregation (LAG) port, by default. It is possible to use this LAG port as an RLAN port when LAG is disabled.
The following APs use LAG port as an RLAN port:

  • 1852E
  • 1852I
  • 2802E
  • 2802I
  • 3802E
  • 3802I
  • 3802P
  • 4802

Feature summary


Local Mode

Flex Mode

Fabric Local Mode

Basic RLAN feature with one client like Phone or Laptop




Multi-Client per port




Port Security – ACL / Firewall

Not Supported

Not Supported

Not Supported

Split Tunneling

Not Supported

Not Supported

Not Supported

Vlan Support on RLAN




802.1x on RLAN




Mac Filtering + 802.1x on RLAN




Web Auth on RLAN




AAA override on RLAN




Local authentication




IPv6 ACL or Flexible Netflow









Not Supported


Not Supported


Not Supported

Not Supported



Show and Debug commands



Show commands


show remote-lan summary

show remote-lan id <id>

show remote-lan name <profile-name

show remote-lan all

show remote-lan policy summary

show ap name <ap_name> lan port summary

show wireless client summary

show wireless client username cisco

show wireless client mac-address <mac> detail

show ap tag summary

show wireless tag policy summary

show wireless tag policy detailed <rlan_policy_tag_name>

Access Point

show wired client


Debug commands


set platform software trace wncd chassis active R0 all-modules debug

debug wireless mac <rlan client mac>

set plat soft trace wncd chassis active r0  lisp-agent- ?


lisp-agent-db   lisp-agent-fsm      l



lisp-agent-lib  lisp-agent-lispmsg



Access Point

debug rlan critical

debug rlan errors

debug rlan events

debug rlan info

debug client <mac-addr>


Solution Use Case Scenarios

  • Typically used for security surveillance cameras.
  • Teleworker with Wire and wireless Devices Teleworkers require always-on secure access to networked business services from the remote home office. This design guide enables the following network capabilities:
    • Common wireless device configuration for onsite and teleworker wire access
    • Authentication through IEEE 802.1x for employees and encryption for all information sent and received to the organization’s main location.
    • Simplified IT provisioning for the home office, which reduces setup time and supports varying levels of end-user skills.
    • Mobility and flexibility for voice endpoints at the teleworker location.
  • Scanners and printers.

Deployment Topology

Local and Flex








Flex + RLAN configuration:

Create Rlan policy:

ap remote-lan-policy policy-name rlan-policy-vlan14
no central switching
description rlan-policy-vlan14
ipv4 acl acl-rlan
no poe
session-timeout 0
violation-mode replace
vlan <vlan id>
no shutdown

Create rlan profile

ap remote-lan profile-name rlanprofile 2
no shutdown

Map rlan policy to rlan profile and add to wireless tag policy

wireless tag policy policy-tag-rlan-vlan9 r
emote-lan rlanprofile policy rlan-policy-vlan14 port-id 1
remote-lan rlanprofile policy rlan-policy-vlan14 port-id 2
remote-lan rlanprofile policy rlan-policy-vlan14 port-id 3

Create Site tag

wireless tag site Rlan-local-Auth
ap profile RLAN

Add policy tag to ap

ap 3c57.31c5.93a4
policy-tag policy-tag-rlan-vlan14
site-tag Rlan-local-Auth

Enable rlan port

ap name AP3c57.31c5.93a4 lan port-id 1 enable



Configure aaa method

config taaa new-model 
aaa authentication dot1x  wcm_local local
aaa authorization credential-download wcm_author local
aaa local authentication wcm_local authorization wcm_author

Configure local username

config t
username aaalocal password 0 aaalocal

Check crypto pki trustpoint  -> this step is mandatory if PEAP method is used. we can define MIC cert or SSC cert l.

ewlc-1#show crypto pki trustpoints
Trustpoint SLA-TrustPoint: 
   Subject Name:  
  cn=Cisco Licensing Root CA 
    Serial Number (hex): 01   
Certificate configured.
Trustpoint TP-self-signed-3072272689:  
  Subject Name:   
    Serial Number (hex): 01  
 Persistent self-signed certificate trust point   
Using key label TP-self-signed-3072272689

Configure eap profle and define method

 config t 
 eap profile eap_name
 method leap
 method peap
 method fast
 method tls
 pki-trustpoint TP-self-signed-3375061260


Create Rlan profile

ap remote-lan profile-name rlanprofile_local_auth 17
local-auth eap_name
security dot1x authentication-list wcm_local

no shutdown


Configure Rlan policy

ap remote-lan-policy policy-name rlan-policy-802X-localauth
aaa-policy aaa_policy_realm
no central dhcp
no central switching
description Local_auth
host-mode singlehost
no poe
fabric 802X-fabric
session-timeout 86400
violation-mode replace
no shutdown

Configure Fabric profile

wireless profile fabric 802X-fabric
client-l2-vnid 8189
sgt-tag 8189

Map rlan profile with policy tag

wireless tag policy policy-tag-rlan-local-Auth

remote-lan rlanprofile_local_auth policy rlan-policy-802X-localauth port-id 1

Create site tag

wireless tag site Rlan-local-Auth

ap profile RLAN

Add policy tag to AP

ap 843d.c670.3c40

policy-tag policy-tag-rlan-local-Auth

site-tag Rlan-local-Auth

Enable rlan port

ap name AP843D.C670.3C40 lan port-id 1 enable

Scale Supported

The client scale depends on Ethernet port which are available on a RLAN supported AP Model. Each LAN port on an AP is supports max of 4 clients.

Limitation for RLAN

  • Not all Aps support RLAN.
  • RLAN supports only a maximum of four wired clients regardless of the AP model
  • RLAN support with Virtual Roueng and Forwarding (VRF) is not available.
  • We can create a maximum of 128 RLANs and cannot use the rlan-id of an exiseng RLAN while creating another RLAN.
  • Both RLAN and WLAN profile cannot have the same names. Similarly, RLAN and WLAN policy profile cannot have the same names.
  • We can activate either web or dot1x authentication list at a time.
  • For an RLAN profile with open-auth configuration, you must map the RLAN-policy with single host mode. Mapping RLAN-policy with mule-host or mule-domain mode is not supported.
  • The controller does not assign data versus voice VLAN, based on traffic. RLAN only supports multiple VLAN assignments through 802.1x AAA override. You must create data and voice VLANs and then assign these VLANs to respective clients, based on their authentication through the 802.1x AAA override.


Feature not supported on RLAN

  • Central Web Authentication (CWA)
  • Quality of Service (QoS)
  • Bi-Directional Rate Limiting (BDRL)
  • Multicast and Broadcast
  • Identity PSK (iPSK)


Role Of Controller

  • The controller acts as an Authenticator, and Extensible Authentication Protocol (EAP) over LAN (EAPOL) messages from the wired client reaching the controller through an AP.
  • The controller communicates with the configured Authentication, Authorization, and Accounting (AAA) server.
  • The controller configures the LAN ports for an AP and pushes them to the corresponding AP.


  • RLAN: Remote Local Area Network

  • OEAP:OfficeExtend access point

  • DTLS: Datagram Transport Layer Security

  • ACL: Access Control List

  • SDA: Software Defined Access

  • EWLC: Elastic Wireless Lan Controller



  1. Remote LANs

Cisco Catalyst 9800 Series Wireless Controller Software Configuration Guide, Cisco IOS XE Cupertino 17.9.x - Remote LANs [Cisco Catalyst 9800 Series Wireless Controllers] - Cisco

  1. Configure OEAP and RLAN on Catalyst 9800 WLC

  1. Wireless compatibility matrix for the latest information





WGB Solution Overview

A workgroup bridge (WGB) is an Access Point mode to provide wireless connectivity to wired clients that are connected to the Ethernet port of the WGB AP directly or via a switch. A WGB connects a wired network over a single wireless segment by learning the MAC addresses of its wired clients on the Ethernet interface and report them to the WLC through infrastructure AP using Internet Access Point Protocol (IAPP) messaging.

The WGB establishes a single wireless connection to the root AP on any one 2.4Ghz or 5 Ghz radio, which in turn treats the WGB as a wireless client. The WGB can serve wireless clients on the other radio.

Non Fabric topology



Hardware Specifications and Requirements

Hardware Platform

Model Name





Access Points




Cisco Aironet 2700, 3700, and 1572 Series

Requires autonomous image

Cisco Aironet 2800, 3800, 4800, 1562, and

Cisco IOS-XE image starting 16.10

Cisco Catalyst 9105, 9115

Cisco IOS-XE image starting 17.8

Cisco Catalyst  9120, 9130, 9124


IW6300 and ESW6300 Series


Cisco Wireless Controller

C9800-80, C9800-40

C9800-L, C9800-CL

Starting 16.10

Remote Site Switch

Cisco Catalyst 9 series

Cisco Catalyst 3850


Cisco DNA Centre controller



Cisco Prime Infrastructure


3.10.4 + System Patch



Profile Feature summary


Wave1 Aps

Wave2 and Cat91xx Aps







UWGB mode


Supported on Wave 2 APs

IGMP Snooping or Multicast






PI support (without SNMP)


Not supported







802.11i (WPAv2)



Broadcast tagging/replicate



Unified VLAN client

Implicitly supported (No CLI required)


WGB client









Wired client support on all LAN ports

Supported in Wired-0 and Wired-1 interfaces

Supported in all Wired-0, 1 and LAN ports 1, 2, and 3


Solution Use Case Scenarios

  • Network connectivity to the passive clients in network.
  • Network Connectivity  non wireless capability clients.
  • Reliable Multicast delivery for clients in small segment network.
  • Layer 3 roaming of WGB clients in a network.
  • Network connectivity of clients behind WGB when connected with Mesh Aps.
  • Roaming in case of moving devices
  • Network connectivity with IOT Ap as WGB.
  • Network connectivity of passive clients with Third party WGB


Configuration and programable interfaces

Config Commands

Sample psk config on eWLC :

wlan <wlan profile name> <wlan id> <ssid name> 
ccx aironet-iesupport 
no security ft adaptive 
security wpa psk set-key ascii 0 <psk key>
no security wpa akm dot1x 
security wpa akm psk
no shutdown
Config Capwap ap to WGB

 ap-type workgroup-bridge

SSID Profile Configuration on WGB

configure ssid-profile ssid-profile-name ssid radio-serv-name authentication {open | psk preshared-key key-management {dot11r | wpa2 | dot11w |{optional | required }}| eap profile eap-profile-name key-management {dot11r | wpa2 | dot11w|{optional | required}}

Attach SSID Profile to Radio interface

configure dot11radio radio-interface mode wgb ssid-profile profle-name

Map Radio Interface as ROOT AP to server Wireless client behind WGB

configure dot11radio radio-int mode root-ap

Configures the WLAN at the root AP mode radio.

configure dot11Radio <0|1> wlan add ssid-profile-name ssid-number

Show Commands
  • show wireless wgb summary
  • show wireless wgb  mac-address <wgb mac-address> detail
On Access Points
  • show client summary
  • show client statistics wireless <wireless client mac>
  • show client statistics wired <wired client mac> 
  •  show wgb ssid
  • show client summary

Scale Supported

  • Only up to 20 clients inclusive of both wired and wireless client behind WGB is supported.

Restriction or Limitations or Recommendation

  • MAC filtering is not supported for wired clients.
  • Idle timeout is not supported for both WGB and wired clients.
  • Session timeout is not applicable for wired clients.
  • Web authentication is not supported.
  • To use a chain of certificates, copy all the CA certificates to a file and install it under a trust point on the WGB, else server certificate validation may fail.
  • Wired clients connected to the WGB are not authenticated for security. Instead, the WGB is authenticated against the access point to which it associates. Therefore, it is recommended to physically secure the wired side of the WGB.
  • Wired clients connected to a WGB inherit the WGB's QoS and AAA override attributes.
  • To enable the WGB to communicate with the root AP, create a WLAN and make sure that Aironet IE is enabled under the Advanced settings




Tested Hardware Specs


Client Hardware Specs

Access Points


Windows, Macmini

9130, 9124, 2800, 3800, 4800, 1542, 1562


Windows, Macmini

C9105AXW, C9105AXW, 3802E



Root Ap - 3800, 2800, 9130, CW9163

WGB - 9130, 9120, 3700



Thanks to Ian Procyk for his feedback on customer deployments

0 Replies 0
Review Cisco Networking for a $25 gift card