08-26-2020 04:10 PM - edited 09-01-2020 08:13 AM
- Goal
- Documentation
- Supported Platforms
- Router Configuration
- Setup the WAN (outside) interface
- Setup the LAN interface
- Configure DHCP pool for the wireless clients
- Configure the wlan interface
- Configure NAT
- Add a default route
- Configure the embedded wireless module
- Verification
- Check if the SSID shows up
- Check the DHCP bindings on the router
- Check if the wireless host goes out to the internet
- Accessing the WLC UI
- Step 1
- Step 2
- Step 3
- Step 4
Goal
The goal is to set up an ISR 1K router using the command-line interface: configure the LAN and WAN interfaces, NAT, the embedded wireless module and a default route, and then browse the internet using a wireless device.
Documentation
This configuration example is meant to be interpreted with the aid of the official documentation from the configuration guide located here: https://www.cisco.com/c/en/us/td/docs/routers/access/isr1100/software/configuration/xe-17/isr1100-sw-config-xe-17.html
Supported Platforms
Although one could use this guide to set up other router models, the router used in this guide is an ISR 1K series router with WiFi capability.
Router Configuration
Setup the WAN (outside) interface
Configure the interface that faces the internet. It can use a static IP address or a DHCP-assigned address.
interface GigabitEthernet0/0/0
 description Outside WAN interface
 ip address 10.10.10.10 255.255.255.0
 no shut
Setup the LAN interface
Now setup the LAN side interface. This is the side where the trusted inside hosts live.
interface vlan 2
 description Inside Wireless LAN
 ip address 192.168.2.1 255.255.255.0
 no shut
Configure DHCP pool for the wireless clients
Configure a DHCP pool for all the wireless clients.
ip dhcp pool Wireless
 network 192.168.2.0 255.255.255.0
 ! GW address for the clients; IP address assigned to vlan2 int
 default-router 192.168.2.1
 ! DNS server IPs provided to the clients as part of DHCP
 dns-server 8.8.8.8 4.2.2.2
 lease 0 3
Configure the wlan interface
Next, configure the wlan interface so that the embedded wireless controller associates itself with the wlan 0/1/8 interface and vlan 2 and gets an IP address from the DHCP pool configured above.
Please refer to this link to identify which wlan interface to configure.
interface Wlan-GigabitEthernet0/1/8
 switchport access vlan 2
 switchport mode access
 no shut
Configure NAT
Now configure Network Address Translation so the wireless clients can reach the internet. First configure an ACL that permits the wireless subnet to any destination. Then designate the WAN interface as the "ip nat outside" interface and the vlan 2 interface as the "ip nat inside" interface.
ip access-list extended NAT
 permit ip 192.168.2.0 0.0.0.255 any
!
interface GigabitEthernet0/0/0
 ip nat outside
!
interface vlan 2
 ip nat inside
!
ip nat inside source list NAT interface GigabitEthernet0/0/0 overload
Add a default route
Make sure to add a default route and specify a valid next hop. The next hop should be a valid IP/host, or the traffic will be black-holed and not go anywhere.
ip route 0.0.0.0 0.0.0.0 10.10.10.1
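The stanzas above only work together if they agree: the NAT ACL and DHCP pool must match the vlan 2 subnet, PAT must exit an "ip nat outside" interface, and the default route's next hop must be a neighbour on the WAN subnet. The following consistency check is an added example, not part of the original article or any Cisco tool; the `audit` function and the embedded config (the page's snippets joined together) are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: this page's snippets joined into one config (not device output).
CONFIG = """\
interface GigabitEthernet0/0/0
 ip address 10.10.10.10 255.255.255.0
 ip nat outside
interface Vlan2
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
ip dhcp pool Wireless
 network 192.168.2.0 255.255.255.0
 default-router 192.168.2.1
ip access-list extended NAT
 permit ip 192.168.2.0 0.0.0.255 any
ip nat inside source list NAT interface GigabitEthernet0/0/0 overload
ip route 0.0.0.0 0.0.0.0 10.10.10.1
"""
IFACE = r"^interface (\S+)\n(?: .*\n)*? ip address (\S+) (\S+)\n(?: .*\n)*? ip nat (inside|outside)$"

def audit(config):
    """Return inconsistencies between the LAN, DHCP, NAT and routing stanzas."""
    find = lambda pattern: re.findall(pattern, config, re.M)
    nat = {"inside": {}, "outside": {}}          # role -> {interface name: IPv4Interface}
    for name, ip, mask, role in find(IFACE):
        nat[role][name] = ipaddress.ip_interface(f"{ip}/{mask}")
    lan, problems = [i.network for i in nat["inside"].values()], []
    # PAT must exit an "ip nat outside" interface; ACL sources (wildcard masks) must stay in the LAN.
    for acl, egress in find(r"^ip nat inside source list (\S+) interface (\S+) overload$"):
        if egress not in nat["outside"]:
            problems.append(f"NAT egress {egress} is not an 'ip nat outside' interface")
        body = re.search(rf"^ip access-list extended {re.escape(acl)}\n((?: .*\n?)*)", config, re.M)
        for src, wild in re.findall(r"permit ip (\S+) (\S+) any", body.group(1) if body else ""):
            net = ipaddress.ip_network(f"{src}/{wild}", strict=False)
            if not any(net.subnet_of(n) for n in lan):
                problems.append(f"ACL {acl} translates {net}, which is not within an inside LAN subnet")
    # The DHCP pool must hand out the LAN subnet with the LAN interface as gateway.
    for pool, mask, gw in find(r"^ network (\S+) (\S+)\n(?: .*\n)*? default-router (\S+)$"):
        if ipaddress.ip_network(f"{pool}/{mask}") not in lan:
            problems.append(f"DHCP pool {pool} does not match an inside interface subnet")
        if gw not in [str(i.ip) for i in nat["inside"].values()]:
            problems.append(f"default-router {gw} is not an inside interface address")
    # A next hop off the WAN subnet (or equal to our own address) black-holes traffic.
    for hop in find(r"^ip route 0\.0\.0\.0 0\.0\.0\.0 (\d\S+)$"):
        wan = [i for i in nat["outside"].values() if ipaddress.ip_address(hop) in i.network]
        if not wan or any(str(i.ip) == hop for i in wan):
            problems.append(f"default route next hop {hop} is not a neighbour on the WAN subnet")
    return problems
```

An empty list from `audit(CONFIG)` means the stanzas agree; an ACL wildcard wider than the vlan 2 subnet, for example, is reported because it would translate addresses the LAN never hands out.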
Configure the embedded wireless module
There are multiple ways in which we can configure the WiFi Module on the router. We will use the following manual CLI method to bring up the Mobility Express controller embedded within the ISR 1K router.
First, identify the Wireless AP slot on the router using the "show platform" command.
Router#sh platform
Chassis type: C1121X-8PLTEPWB

Slot      Type                State                 Insert time (ago)
--------- ------------------- --------------------- -----------------
0         C1121X-8PLTEPWB     ok                    00:27:23
 0/0      C1121X-2x1GE        ok                    00:25:01
 0/1      C1121X-ES-8         ok                    00:25:01
 0/2      P-LTEAP18-GL        ok                    00:25:01
 0/3      ISR-AP1101AC-B      ok                    00:25:01   ==> Wireless AP slot is 0/3
R0        C1121X-8PLTEPWB     ok, active            00:27:23
F0        C1121X-8PLTEPWB     ok, active            00:27:23
P0        PWR-12V             ok                    00:26:48

Slot      CPLD Version        Firmware Version
--------- ------------------- ---------------------------------------
0         18103101            16.12(1r)
R0        18103101            16.12(1r)
F0        18103101            16.12(1r)
Open a session to the wireless module using the "hw-module session" command in privileged EXEC mode on the router. Use the slot number for the Wireless AP slot from the previous command and session in.
Router#hw-module session 0/3
Establishing session connect to subslot 0/3
To exit, type ^a^q

picocom v2.2

port is        : /dev/ttyS3
flowcontrol    : none
baudrate is    : 9600
parity is      : none
databits are   : 8
stopbits are   : 1
escape is      : C-a
local echo is  : no
noinit is      : no
noreset is     : no
nolock is      : yes
send_cmd is    : sz -vv
receive_cmd is : rz -vv -E
imap is        :
omap is        :
emap is        : crcrlf,delbs,
logfile is     : none

Type [C-a] [C-h] to see available commands

Terminal ready
When prompted to terminate the auto-install process (the CLI Initial Configuration Wizard), wait for 30 seconds. The CLI Initial Configuration Wizard begins after 30 seconds. Enter the Administrative Username and Administrative password to be assigned to this controller:
Enter Administrative User Name (24 characters max): admin
Enter Administrative Password (3 to 127 characters): ********
Re-enter Administrative Password : ********
Enter the System Name, which is the name that you want to assign to the controller:
System Name [Cisco-4001.7ac0.8ba0] (24 characters max): Cisco-4001.7ac0.8ba0
Enter the code for the country in which the Mobility Express network is located. Refer to this link:
If you do not know your country code, you can enter "help" and then type the appropriate country code:
Enter Country Code list (enter 'help' for a list of countries) [US]: help
Enter the country code list (e.g. US,CA,MX) max=30.
Supported Country Codes:
AE, AL, AR, AT, AU, BA, BB, BE, BG, BH, BM, BN, BO, BR, BY, CA, CH, CL, CM, CN,
CO, CR, CY, CZ, DE, DK, DO, DZ, EC, EE, EG, EL, ES, FI, FJ, FR, GB, GH, GI, GR,
HK, HR, HU, ID, IE, IL, IO, IN, IQ, IS, IT, J4, JM, JO, KE, KN, KW, KZ, LB, LI,
LK, LT, LU, LV, LY, MA, MC, ME, MK, MN, MO, MT, MX, MY, NG, NL, NO, NZ, OM, PA,
PE, PH, PK, PL, PR, PT, PY, QA, RO, RS, RU, SA, SE, SG, SI, SK, TH, TI, TN, TR,
TW, UA, US, UY, VE, VN, ZA
Enter Country Code list (enter 'help' for a list of countries) [US]: US ==> USA
If you want the controller to receive its time setting from an external Network Time Protocol (NTP) server when it powers up, enter YES to configure an NTP server. For this lab, we skip this step. When you select "no", the wizard asks whether to enter the date and time manually. This step can also be skipped:
Configure a NTP server now? [YES][no]: no
Configure the system time now? [YES][no]: no
Note! Default NTP servers will be used
The management interface is the default interface for in-band management of the controller and connectivity to enterprise services. Type dhcp for the Management Interface IP Address Configuration:
Management Interface IP Address Configuration [STATIC][dhcp]: dhcp
The wizard now asks whether you want to configure a DHCP scope to manage address allocation for the clients connecting to the SSID (yet to be configured).
Create Management DHCP Scope? [yes][NO]: NO
The wizard now asks for the Employee Network ID (SSID) of the wireless controller, its security/authentication type and the corresponding passphrase:
Employee Network Name (SSID)?: Teleworker
Employee Network Security? [PSK][enterprise]: PSK
Employee PSK Passphrase (8-63 characters)?: ********
Re-enter Employee PSK Passphrase: *********
To enable RF Parameter Optimization, enter YES. Enter the Client Density. You can enter TYPICAL, Low, or High, as per your requirement. The wizard then asks you to confirm the changes made so far and resets the controller with the configured settings:
Enable RF Parameter Optimization? [YES][no]: YES
Client Density [TYPICAL][Low][High]: TYPICAL
Configuration correct? If yes, system will save it and reset. [yes][NO]: yes
Configuration saved!
Resetting system with new configuration...
After this step, wait until the controller comes back up, the AP is given the management address and the AP comes online. You can verify that the AP is online using the "show ap summary" command from the controller mode:
(Cisco Controller) >show ap summary

Number of APs.................................... 1
Global AP User Name.............................. admin
Global AP Dot1x User Name........................ Not Configured
Global AP Dot1x EAP Method....................... EAP-FAST

* prefix indicates Cisco Internal AP

AP Name            Slots  AP Model         Ethernet MAC       IP Address   Clients
-----------------  -----  ---------------  -----------------  -----------  -------
*AP4001.7AC0.8BA0  2      ISR-AP1101AC-B   40:01:7a:c0:e9:30  192.168.2.2  1
Verification
Check if the SSID shows up
You should now see the SSID "Teleworker" being advertised by the AP. Using any smart device, log in to the SSID and browse the internet.
Check the DHCP bindings on the router
Router#show ip dhcp binding
Bindings from all pools not associated with VRF:
IP address      Client-ID/              Lease expiration        Type       State      Interface
                Hardware address/
                User name
192.168.2.2     0140.017a.c0e9.30       Aug 21 2020 04:49 PM    Automatic  Active     Vlan2   ==> AP
192.168.2.3     0100.005e.0001.01       Aug 21 2020 04:51 PM    Automatic  Active     Vlan2   ==> Controller IP
192.168.2.4     08be.ac0e.8bdb          Aug 21 2020 04:50 PM    Automatic  Active     Vlan2   ==> wireless host
Check if the wireless host goes out to the internet
Run "show ip nat translations" on the router and see if the wireless host's IP address shows up. Our wireless client's IP address is 192.168.2.4.
Router#show ip nat translations
Pro  Inside global         Inside local        Outside local        Outside global
udp  10.215.217.211:5220   192.168.2.4:40051   8.8.8.8:53           8.8.8.8:53           ==> DNS traffic
tcp  10.215.217.211:5357   192.168.2.4:55022   151.101.129.67:443   151.101.129.67:443   ==> HTTPS traffic
udp  10.215.217.211:5514   192.168.2.4:58804   8.8.8.8:53           8.8.8.8:53
tcp  10.215.217.211:5073   192.168.2.4:35744   172.217.1.238:443    172.217.1.238:443
udp  10.215.217.211:5296   192.168.2.4:48724   8.8.8.8:53           8.8.8.8:53
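The two verification outputs can also be cross-checked against each other: every inside-local address in the NAT table should correspond to an Active DHCP binding on vlan 2. The following is an added example, not part of the original article; the function names are hypothetical, and the sample text is constructed from the outputs above, with the 192.168.2.77 row invented to show a host that is translating without a lease.

```python
import re
from collections import defaultdict

# Constructed sample based on the two command outputs shown on this page;
# the 192.168.2.77 row is invented to show a host with no DHCP lease.
DHCP = """\
192.168.2.2   0140.017a.c0e9.30   Aug 21 2020 04:49 PM   Automatic  Active  Vlan2
192.168.2.3   0100.005e.0001.01   Aug 21 2020 04:51 PM   Automatic  Active  Vlan2
192.168.2.4   08be.ac0e.8bdb      Aug 21 2020 04:50 PM   Automatic  Active  Vlan2
"""
NAT = """\
Pro  Inside global         Inside local        Outside local       Outside global
udp  10.215.217.211:5220   192.168.2.4:40051   8.8.8.8:53          8.8.8.8:53
tcp  10.215.217.211:5357   192.168.2.4:55022   151.101.129.67:443  151.101.129.67:443
tcp  10.215.217.211:5099   192.168.2.77:51000  172.217.1.238:443   172.217.1.238:443
"""

def leased_hosts(dhcp_text):
    """Map IP address -> client-id for every Active binding row."""
    rows = re.findall(r"^(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s.*\bActive\b", dhcp_text, re.M)
    return dict(rows)

def nat_flows(nat_text):
    """Map inside-local IP -> set of (protocol, outside-global ip:port)."""
    flows = defaultdict(set)
    # The header row does not start with tcp/udp, so it is skipped automatically.
    for proto, _iglobal, ilocal, _olocal, oglobal in re.findall(
            r"^(tcp|udp)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)", nat_text, re.M):
        flows[ilocal.rsplit(":", 1)[0]].add((proto, oglobal))
    return dict(flows)

def unleased_translators(dhcp_text, nat_text):
    """Inside hosts that are being translated but hold no Active DHCP lease."""
    leases = leased_hosts(dhcp_text)
    return sorted(ip for ip in nat_flows(nat_text) if ip not in leases)
```

A non-empty result from `unleased_translators` points at a statically addressed or otherwise unexpected device on the wireless VLAN that is reaching the internet through the router.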
Accessing the WLC UI
Step 1
Open a web browser. Refer to the "Check the DHCP bindings on the router" step to find the Controller IP address. In the address bar, type the Controller IP address. For a secure connection, use https (i.e., https://controllerIPAddress). Then click Login.
Step 2
When prompted, enter the User Name and Password that were configured in the "Configure the embedded wireless module" step. Then click OK.
Step 3
A WLC WebUI similar to the image below should appear in your web browser.
Step 4
To access the Cisco WebUI, open a new tab. In the address bar, type the IP address of the device. For a secure connection, use https (i.e., https://controllerIPAddress). Enter the username and password configured on the device. Click Log In.