BR1310 Wireless Point-to-Point Bridge

I recently configured two BR1310 Access Point/Bridges into a Root & Non-Root (without clients) configuration to extend a LAN to another building. I configured the units to use LEAP (Root acting as RADIUS server), authenticating with Network-EAP w/ WPA2, and AES as the encryption cipher. Being that WPA2/LEAP handle the key management, I had a question regarding best practices. I currently have configured a "dot1x timeout reauth-period" of 300 seconds, in addition to a broadcast-key change of the same. I have 4 VLANs trunked over this bridge, and since I have no wireless clients associating with these bridges, I'm assuming I do not need the broadcast-key rotation. The idea is that by forcing a dot1x reauth, a new PTK/PMK will be created every 300 seconds. Is that a recommended practice?

Also, being that I have 4 VLANs trunked across these bridges, is there a way to verify (via debug?) that all VLANs' traffic is being encrypted by AES? Obviously when I do a "show dot11 assoc all", only my native VLAN (mgmt) shows as AES, none of the other VLANs do.

Thanks,

Dan

Re: BR1310 Wireless Point-to-Point Bridge

Here is the URL for the Cisco Aironet 1300 Series Access Point/Bridge configuration guide, which will help you with configuring VLANs and authentication:

http://www.cisco.com/en/US/docs/wireless/access_point/1300/12.3_4_JA/configuration/guide/o13auth.html

Re: BR1310 Wireless Point-to-Point Bridge

Hello,

It is normal that you only see the native VLAN with "sh dot11 ass ...". Authentication and encryption are carried out on this (infrastructure) VLAN. That does not mean

all the other VLANs are not encrypted!! Of course they are, because the VLANs are "transported" sequentially inside the AES-encrypted connection. You can see this, by the way, with a WLAN analyser.

Don't set the timeouts (reauth-period) so low; I use 10000 sec. It is not more secure if you reauthenticate the session so often.

A Cisco staff member configured 40000 sec at one of my customers. A good choice is once per day.

regards Ulrich
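
The "check it with a WLAN analyser" suggestion above, and the original question about verifying that every VLAN's traffic crosses the link as AES, come down to one test on the captured frames: every data frame between the two bridge radios must carry the Protected Frame bit, and the 8-byte header that follows the MAC header must be a CCMP (AES) header rather than TKIP or WEP. The script below is an added example for this thread, not code from Cisco or from either poster. It parses raw 802.11 MAC frames as a monitor-mode capture hands them over (radiotap/PPI header already stripped) and reports cleartext data frames on the bridge link. The bridge and host MAC addresses, packet numbers and payloads are constructed for illustration; the CCMP-versus-TKIP distinction is a header heuristic and the RSN IE in the beacon is the authoritative source for the negotiated cipher.

```python
"""Audit captured 802.11 frames for the Protected bit and the CCMP (AES) header.

Added example for this thread, not code from Cisco or the posters. Frames are
raw 802.11 MAC frames without a radiotap header; all addresses, packet numbers
and payloads below are constructed.
"""
from collections import Counter
from typing import Optional

TYPE_DATA = 2
# Constructed bridge radio MACs and wired hosts behind them (assumed values).
ROOT_BRIDGE = bytes.fromhex("0011223344aa")
NONROOT_BRIDGE = bytes.fromhex("0011223344bb")
HOST_A = bytes.fromhex("00aaaaaaaa01")
HOST_B = bytes.fromhex("00bbbbbbbb01")


def classify_cipher(iv: bytes) -> str:
    """Guess the cipher from the 4 bytes right after the MAC header.

    WEP : IV0 IV1 IV2 KeyID          ExtIV (bit 5 of KeyID) is clear
    TKIP: TSC1 WEPSeed TSC0 KeyID    WEPSeed == (TSC1 | 0x20) & 0x7f
    CCMP: PN0 PN1 0x00 KeyID         byte 2 is reserved and always zero
    """
    if not iv[3] & 0x20:
        return "WEP"
    if iv[2] != 0:
        return "TKIP"        # CCMP never carries a non-zero byte here
    if iv[1] != ((iv[0] | 0x20) & 0x7F):
        return "CCMP"        # not a legal TKIP WEPSeed, so not TKIP
    return "CCMP?"           # ambiguous from the header alone; check the RSN IE


def parse_frame(frame: bytes) -> dict:
    """Decode the MAC header of one 802.11 frame."""
    fc0, fc1 = frame[0], frame[1]
    info = {
        "type": (fc0 >> 2) & 0x3,
        "subtype": (fc0 >> 4) & 0xF,
        "protected": bool(fc1 & 0x40),
        "addr1": frame[4:10],   # receiver (RA)
        "addr2": frame[10:16],  # transmitter (TA)
        "addr4": None,
        "cipher": None,
    }
    hdr_len = 24
    if (fc1 & 0x03) == 0x03:    # ToDS and FromDS set: 4-address (bridge/WDS) frame
        info["addr4"] = frame[24:30]
        hdr_len += 6
    if info["type"] == TYPE_DATA and (info["subtype"] & 0x08):
        hdr_len += 2            # QoS Data subtypes add a 2-byte QoS Control field
    if info["type"] == TYPE_DATA and info["protected"]:
        info["cipher"] = classify_cipher(frame[hdr_len:hdr_len + 4])
    return info


def audit(frames) -> dict:
    """Count protected versus cleartext data frames on the bridge link."""
    link = {ROOT_BRIDGE, NONROOT_BRIDGE}
    result = {"data_frames": 0, "protected": 0, "ciphers": Counter(), "unprotected": []}
    for i, frame in enumerate(frames):
        f = parse_frame(frame)
        if f["type"] != TYPE_DATA or {f["addr1"], f["addr2"]} != link:
            continue            # management frames and other stations are out of scope
        result["data_frames"] += 1
        if f["protected"]:
            result["protected"] += 1
            result["ciphers"][f["cipher"]] += 1
        else:
            result["unprotected"].append(i)
    return result


def build_bridge_frame(ta: bytes, ra: bytes, sa: bytes, da: bytes,
                       payload: bytes, ccmp_pn: Optional[int]) -> bytes:
    """Constructed 4-address data frame; ccmp_pn=None yields a cleartext frame."""
    protected = ccmp_pn is not None
    fc = bytes([0x08, 0x03 | (0x40 if protected else 0x00)])
    hdr = fc + b"\x00\x00" + ra + ta + da + b"\x00\x00" + sa
    if not protected:
        return hdr + b"\xaa\xaa\x03\x00\x00\x00\x08\x00" + payload   # LLC/SNAP + IP
    pn = ccmp_pn.to_bytes(6, "little")
    ccmp_hdr = pn[0:2] + b"\x00" + bytes([0x20]) + pn[2:6]         # ExtIV set, key ID 0
    return hdr + ccmp_hdr + payload + b"\x00" * 8                    # "ciphertext" + MIC


# Constructed capture: beacon, two CCMP frames, one cleartext frame, one more
# CCMP frame, and a frame from an unrelated station. Only index 3 is a finding.
SAMPLE_CAPTURE = [
    b"\x80\x00\x00\x00" + b"\xff" * 6 + ROOT_BRIDGE + ROOT_BRIDGE + b"\x00\x00" + b"\x00" * 12,
    build_bridge_frame(ROOT_BRIDGE, NONROOT_BRIDGE, HOST_A, HOST_B, b"\x11" * 40, 1),
    build_bridge_frame(NONROOT_BRIDGE, ROOT_BRIDGE, HOST_B, HOST_A, b"\x22" * 40, 1),
    build_bridge_frame(ROOT_BRIDGE, NONROOT_BRIDGE, HOST_A, HOST_B, b"\x33" * 40, None),
    build_bridge_frame(ROOT_BRIDGE, NONROOT_BRIDGE, HOST_A, HOST_B, b"\x44" * 40, 2),
    build_bridge_frame(bytes.fromhex("00cccccccc01"), ROOT_BRIDGE, HOST_B, HOST_A, b"\x55" * 40, 7),
]

if __name__ == "__main__":
    r = audit(SAMPLE_CAPTURE)
    print(f"{r['protected']}/{r['data_frames']} bridge data frames protected, ciphers {dict(r['ciphers'])}")
    for i in r["unprotected"]:
        print(f"frame {i}: CLEARTEXT data frame on the bridge link")
```

Feed it frames from a real monitor-mode capture of the link (with the radiotap header removed) and replace the two constructed bridge MACs with the radio addresses shown by "show dot11 associations"; since every VLAN is carried inside the same 4-address frames, a run with zero cleartext frames is the confirmation the original question asked for, regardless of what "show dot11 assoc all" lists per VLAN.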
