09-06-2013 08:00 AM - edited 03-03-2019 07:10 AM
Hi there - I have been asked to configure a new out of the box 1921 series Router for internet access. Basically our company has to provide Internet access to an office area with 8-10 IP Phones, Wireless & Internet set up. I have configured the Router to what I think would work best. I have a Cisco E1200 ready to go for the Wifi side of things. This office area is not part of our network.
Bottom line is that they need their IP phones and Wifi to work.
My question is... Is there anything else I would need to add to the config for the phones to work better (no drops)? Any help would be appreciated.
ISP > Router WAN > Router LAN > Cisco 2900XL Switch
ISP: 12.16.xxx.xx 255.255.255.248
LAN: 192.168.1.0 255.255.255.0
Building configuration...
Current configuration : 1648 bytes
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname NEX_Router
!
boot-start-marker
boot-end-marker
!
!
enable secret 4 wv8gUHK2fGNWeZuTKMRv7NWW3pQQ/a3WIwDP/OW0WIY
!
aaa new-model
!
!
!
!
!
!
!
aaa session-id common
clock timezone CDT -6 0
clock summer-time CDT recurring
!
ip cef
!
!
!
ip dhcp excluded-address 192.168.1.1
!
ip dhcp pool Nexxxxx
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 208.67.222.222
lease 7
!
!
!
no ipv6 cef
multilink bundle-name authenticated
!
!
!
license udi pid CISCO1921/K9 sn FTX17318328
!
!
username cisco secret 4 tnhtc92DXBhelxjYk8LWJrPV36S2i4ntXrpb4RFmfqY
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description Nexxxx LAN
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
description WAN side of Router
ip address 12.16.xxx.xx 255.255.255.248
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 12.16.xxx.xx
!
!
!
!
!
!
control-plane
!
!
!
line con 0
exec-timeout 240 0
password 7 0010160709480A1200
logging synchronous
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
password 7 051F030E2C5F4F1D16
logging synchronous
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end
09-10-2013 02:54 AM
Hi,
if wired clients and wireless clients are on different VLANs (different subnets) then you'll have to issue another DHCP pool for the corresponding subnet on the router. If you are using L2 ports (switchports) on the router and you have multiple VLANs from the switch to the router then you should configure your port as a trunk; you'll also need to have a vlan interface which is up/up in this wireless subnet. For Internet connectivity you should enable NAT on the wireless vlan interface and modify your dynamic PAT ACL to permit this subnet too.
Post your router config as well as a quick diagram showing your topology so we can tell you the commands if you got any problem.
Regards
Alain
Don't forget to rate helpful posts.
09-10-2013 04:50 AM
Thank you - The wired and wireless clients should all be on the one VLAN. There are two VLANs on the switch which should not be communicating to each other. One goes to our company and the other VLAN is for this new branch. We created the second VLAN on the switch just for this reason. The branch will not have any access to our network - just internet access through its own separate router as well. Could I exclude a range of IPs on the Router just for Wireless? I will post a config ASAP.
Thank you again!
09-10-2013 05:06 AM
Hi,
if wired and wireless are on same VLAN(subnet) then you only have one pool to configure indeed.
It is not possible to have 2 pools with same subnet on a router as far as I know, and one way to set aside IPs for the wireless would be to use static bindings for ethernet clients (or wireless) by using the origin file: http://www.cisco.com/en/US/docs/ios/12_4t/ip_addr/configuration/guide/htdhcpsv.html#wp1074511
Regards
Alain
Don't forget to rate helpful posts.
09-10-2013 06:30 AM
Hi,
I have included the router config. You will have to excuse my cisco knowledge - only getting started! As you can see I have a dhcp pool defined in the config - my previous posts had me getting an IP address from this range when hard wired. I am thinking I have to define the VLAN within the router for the AP to give out IPs.
NEX_Router#show ip int brief
Interface IP-Address OK? Method Status Protocol
Embedded-Service-Engine0/0 unassigned YES NVRAM administratively down down
GigabitEthernet0/0 10.25.131.1 YES NVRAM down down
GigabitEthernet0/1 12.16.xxx.xx YES NVRAM down down
NVI0 unassigned YES unset administratively down down
NEX_Router#
NEX_Router#show run
Building configuration...
Current configuration : 1911 bytes
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname NEX_Router
!
boot-start-marker
boot-end-marker
!
!
enable secret 4 Jtja31O3DL3dFoer5Ui/.9yk3wKk08Sz.d/IwZb/FLA
!
aaa new-model
!
!
!
!
!
!
!
aaa session-id common
clock timezone CDT -6 0
clock summer-time CDT recurring
!
ip cef
!
!
!
ip dhcp excluded-address 10.25.131.1
ip dhcp excluded-address 10.25.131.10 <<<<-------------------------------------IP of AP
!
ip dhcp pool Nex
import all
network 10.25.131.0 255.255.255.0
default-router 10.25.131.1
dns-server 208.67.222.222
lease 7
!
!
!
no ipv6 cef
multilink bundle-name authenticated
!
!
!
license udi pid CISCO1921/K9 sn FTX17318328
!
!
username cisco secret 4 tnhtc92DXBhelxjYk8LWJrPV36S2i4ntXrpb4RFmfqY
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description Nex LAN
ip address 10.25.131.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
description WAN side of Router
ip address 12.16.xxx.xx 255.255.255.248
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
router rip
network 10.0.0.0
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list 100 interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 12.16.xxx.xx
!
access-list 100 permit ip 10.25.131.0 0.0.0.255 any
!
!
!
!
!
control-plane
!
!
!
line con 0
exec-timeout 240 0
password 7 0010160709480A1200
logging synchronous
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
password 7 051F030E2C5F4F1D16
logging synchronous
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end
As you can see I have excluded the IP address of the AP in the config. Do I have to define the VLAN within the router config as a sub-interface?
On my AP gui the VLAN 30 (in this case) is already assigned to the AP. On my switch, VLAN 30 takes up 20 ports for its use.
Any help would be great! Thanks
09-10-2013 08:50 AM
After doing some research I added a sub interface giga0/0.30 and assigned the VLAN 30 to this. After including this in the config I could not get an IP address being hard wired, nor could I get Internet access. I had removed the IP address of the giga0/0 10.25.131.1 and assigned it to the VLAN - the ip on the router sub-interface for a particular vlan will work as a default gateway for that vlan. Is there something else I am supposed to add/remove from the config?
Thanks again!
NEX_Router#show run
Building configuration...
Current configuration : 2044 bytes
!
! Last configuration change at 09:53:56 CDT Tue Sep 10 2013
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname NEX_Router
!
boot-start-marker
boot-end-marker
!
!
enable secret 4 Jtja31O3DL3dFoer5Ui/.9yk3wKk08Sz.d/IwZb/FLA
!
aaa new-model
!
!
!
!
!
!
!
aaa session-id common
clock timezone CDT -6 0
clock summer-time CDT recurring
!
ip cef
!
!
!
ip dhcp excluded-address 10.25.131.1
ip dhcp excluded-address 10.25.131.10
!
ip dhcp pool Nex
import all
network 10.25.131.0 255.255.255.0
default-router 10.25.131.1
dns-server 208.67.222.222
lease 7
!
!
!
no ipv6 cef
multilink bundle-name authenticated
!
!
!
license udi pid CISCO1921/K9 sn FTX17318328
!
!
username cisco secret 4 tnhtc92DXBhelxjYk8LWJrPV36S2i4ntXrpb4RFmfqY
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description Nex LAN
no ip address
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/0.30
encapsulation dot1Q 30
ip address 10.25.131.1 255.255.255.0
!
interface GigabitEthernet0/1
description WAN side of Router
ip address 12.16.xxx.xx 255.255.255.248
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
router rip
network 10.0.0.0
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list 100 interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 12.16.xxx.xx
!
access-list 100 permit ip 10.25.131.0 0.0.0.255 any
!
!
!
!
etc
09-10-2013 11:07 AM
You've removed the primary address from the parent interface. The primary always defaults to vlan 1. Since you've moved the same address to the subinterface and that interface is tagging with vlan 30, the switch expects that port to be trunked with vlan 1 and 30. The easiest thing to do is to remove the subinterface and put everything back the way that it was. If the AP clients need to get an address from the same pool, they should be able to as long as the bvi that you have configured on the AP is in the same range.
For example:
dot11 ssid Test
int d0
ssid Test
bridge-group 1
int fa0
bridge-group 1
int bvi1
ip address 10.25.131.
ip default-gateway
HTH,
John
09-10-2013 11:24 AM
John, I have put the configuration back the way it was. I have the AP configured through the GUI.
After I do a show run I can see that the BVI interface has an IP address that's the same as the AP address. So what you're saying is that I need to exclude a new IP address on the router and assign it to the BVI interface?
Nex-AP#show run
Building configuration...
Current configuration : 1922 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Nex-AP
!
enable secret 5 $1$8Pxj$fC9vLXLBEcMLD6gr8wBXu/
!
no aaa new-model
!
resource policy
!
ip subnet-zero
!
!
dot11 vlan-name Nex vlan 30
!
dot11 ssid Nex
authentication open
!
power inline negotiation prestandard source
!
!
username Cisco password 7 072C285F4D06
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
shutdown
!
ssid Nex
!
station-role root
bridge-group 1
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio0.30
encapsulation dot1Q 30
no ip route-cache
no snmp trap link-status
bridge-group 30
bridge-group 30 subscriber-loop-control
bridge-group 30 block-unknown-source
no bridge-group 30 source-learning
no bridge-group 30 unicast-flooding
bridge-group 30 spanning-disabled
!
interface Dot11Radio1
no ip address
no ip route-cache
shutdown
!
ssid Nex
!
dfs band 3 block
channel dfs
station-role root
bridge-group 1
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface FastEthernet0.30
encapsulation dot1Q 30
no ip route-cache
no snmp trap link-status
bridge-group 30
no bridge-group 30 source-learning
bridge-group 30 spanning-disabled
!
interface BVI1
ip address 10.25.131.10 255.255.255.0
no ip route-cache
!
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
login local
!
end
09-10-2013 11:29 AM
Ok. You need to remove the vlan 30 information. I can't help with the gui unfortunately, but I can walk you through the cli.
For the same vlan, same pool as wired/wireless users, etc, you'll need three interfaces on the AP: Do0, Fa0, and BVI. The BVI bridges the wired (Fa0) and wireless (Do0) interfaces together. Currently, you're telling the AP that you want to support tagging, but that's not the case unless you're going to want to run multiple ssids.
For starters, do this from the cli: (copy and paste below)
dot11 vlan-name Nex vlan 30
no int fa0.30
no int d0.30
int d0
no shut
Then try to connect to your ssid and you should get an address in the same pool as your wired clients. Yes, you'll want to exclude the address that you want to assign to the bvi.
Also, if you want to do separate pools at a later date for, say, a guest network, vlans are the way to go on the AP. So, you have a good starting point for that.
HTH,
John
*** Please rate all useful posts ***
09-10-2013 12:16 PM
John - Thank you for that. I followed your commands. I was able to get an IP address and was able to access the internet successfully! I ended up assigning the BVI a different IP address; as soon as I did copy run start it kicked me off the GUI side and the Telnet side!
The only issue now with the Wifi is that it is unsecured.
Would the following commands set up the security on the SSID? We don't have server based security setup.
Enable
Conf t
Dot11 ssid Nex
Vlan 2
authentication open
authentication key-management wpa
wpa-psk ascii 7
Mbssid Guest-mode
End
09-10-2013 12:40 PM
Hmmm... I'm not sure where the vlan 2 comes in. Normally that's to attach the ssid to a certain vlan. You should be able to remove that. The rest of it looks good for a preshared key for wpa. If you want to use wpa2, you should be able to change "authentication key-management wpa" to "authentication key-management wpa version 2". The ciphers that you use on the radio will determine what your encryption methods are:
int d0
encryption mode ciphers aes-ccm (for wpa2)
OR
encryption mode ciphers tkip (for wpa)
aes-ccm enables wpa2. I would recommend wpa2.
Mbssid guest-mode is for when you want to broadcast more than one ssid. Since you only have one on the AP, you can change this to just guest-mode if you want to broadcast the ssid.
HTH,
John
*** Please rate all useful posts ***
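Three points in this thread are checks you can make mechanically against a `show run`: Alain's note (09-10-2013 02:54 AM) that NAT has to be enabled on the vlan interface and the PAT ACL has to permit the pool's subnet, John's explanation (09-10-2013 11:07 AM) of why moving the only address onto a dot1Q sub-interface broke the untagged switch port, and the WPA2-PSK settings John lists above. The script below is an added example, not code from this thread or from Cisco. It parses IOS config text by its leading-space indentation (the forum rendering stripped that indentation from the posted configs, so the samples here are re-indented the way `show run` prints them), then reports those mismatches. The sample configs are constructed after the posted ones; the passphrase is a placeholder.

```python
"""Lint a Cisco IOS 'show run' for the NAT, sub-interface and AP security points this
thread works through (added example, not the thread's or Cisco's code; samples constructed)."""
import ipaddress


def parse_ios(text):
    """Split config text into (command, [child lines]) using IOS indentation."""
    blocks = []
    for raw in (ln for ln in text.splitlines() if ln.strip() and not ln.lstrip().startswith("!")):
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def check_router(text):
    """Return findings for a router config (empty list = consistent)."""
    f, pools, acls, ifs, nat_acl = [], [], {}, {}, None
    for cmd, kids in parse_ios(text):
        p = cmd.split()
        if cmd.startswith("ip dhcp pool"):
            opt = {k.split()[0]: k.split()[1:] for k in kids}
            pools.append((p[3], ipaddress.ip_network("/".join(opt["network"])),
                          ipaddress.ip_address(opt["default-router"][0])))
        elif p[0] == "access-list" and p[2:4] == ["permit", "ip"] and p[4] != "any":
            # ipaddress reads the wildcard as a host mask: 10.25.131.0/0.0.0.255 -> /24
            acls.setdefault(p[1], []).append(ipaddress.ip_network(f"{p[4]}/{p[5]}"))
        elif cmd.startswith("ip nat inside source list"):
            nat_acl = p[5]
        elif p[0] == "interface":
            a = next((k.split() for k in kids if k.startswith("ip address ")), None)
            vlan = next((k.split()[2] for k in kids if k.startswith("encapsulation dot1Q")), None)
            ifs[p[1]] = (ipaddress.ip_interface(f"{a[2]}/{a[3]}") if a else None,
                         "ip nat inside" in kids, vlan)
    for name, net, gw in pools:
        for i, (addr, nat_in, vlan) in ifs.items():
            if addr is None or addr.ip != gw:
                continue  # only the interface that owns the pool's default-router matters
            if nat_acl and not nat_in:
                f.append(f"{i}: owns {gw} but lacks 'ip nat inside' (NAT is set per sub-interface)")
            parent = i.split(".")[0]
            if "." in i and ifs.get(parent, (None,))[0] is None:
                f.append(f"{i}: address sits on dot1Q vlan {vlan} while parent {parent} is untagged; "
                         f"the switch port must be a trunk carrying vlan {vlan}")
        if nat_acl and not any(net.subnet_of(a) for a in acls.get(nat_acl, [])):
            f.append(f"pool {name}: {net} is not permitted by NAT ACL {nat_acl}")
    return f


def check_ap(text):
    """Return findings for an autonomous AP: SSID key management and radio cipher."""
    f, ssids, radios = [], {}, {}
    for cmd, kids in parse_ios(text):
        p = cmd.split()
        if p[:2] == ["dot11", "ssid"]:
            ssids[p[2]] = kids
        elif p[0] == "interface" and p[1].startswith("Dot11Radio"):
            radios[p[1]] = kids
    for name, kids in ssids.items():
        km = next((k for k in kids if k.startswith("authentication key-management")), None)
        if km is None:
            f.append(f"ssid {name}: open authentication only; the wireless side is unsecured")
        elif "version 2" not in km:
            f.append(f"ssid {name}: WPA v1; use 'authentication key-management wpa version 2'")
    for name, kids in radios.items():
        enc = next((k for k in kids if k.startswith("encryption") and "ciphers" in k), None)
        if any(k.startswith("ssid ") for k in kids) and enc is None:
            f.append(f"{name}: carries an SSID but has no 'encryption mode ciphers' line")
        elif enc and "aes-ccm" not in enc:
            f.append(f"{name}: cipher '{enc.split()[-1]}' is not aes-ccm (WPA2)")
    return f


# Constructed after the 09-10 08:50 AM router config (address moved to Gi0/0.30).
ROUTER_SUBIF = """\
ip dhcp pool Nex
 network 10.25.131.0 255.255.255.0
 default-router 10.25.131.1
interface GigabitEthernet0/0
 no ip address
 ip nat inside
interface GigabitEthernet0/0.30
 encapsulation dot1Q 30
 ip address 10.25.131.1 255.255.255.0
ip nat inside source list 100 interface GigabitEthernet0/1 overload
access-list 100 permit ip 10.25.131.0 0.0.0.255 any
"""
# The AP's SSID as posted (open), and the WPA2-PSK form John describes; placeholder passphrase.
AP_OPEN = "dot11 ssid Nex\n authentication open\ninterface Dot11Radio0\n ssid Nex\n"
AP_WPA2 = """\
dot11 ssid Nex
 authentication open
 authentication key-management wpa version 2
 wpa-psk ascii 0 ExamplePassphrase-ChangeMe
interface Dot11Radio0
 encryption mode ciphers aes-ccm
 ssid Nex
"""
```

`check_router(ROUTER_SUBIF)` reports two things the 08:50 AM config got wrong at once: the sub-interface that now owns the gateway address has no `ip nat inside` of its own (the parent's does not carry over), and its parent has no address, so an untagged access port on the switch can no longer reach the router. Putting the address and `ip nat inside` back on `GigabitEthernet0/0`, as John advised, clears both. `check_ap(AP_OPEN)` flags the posted SSID as open with no cipher on the radio, and `check_ap(AP_WPA2)` comes back empty.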
09-10-2013 12:50 PM
John- that VLAN 2 was a typo...sorry it should have been VLAN 30
With the setup I have configured now using the BVI, will all packets coming and going have to go through the BVI interface which is on the AP? The BVI allows this traffic to be bridged between both the fastethernet and radio with the one ip address, right?
Are there any drawbacks to using this approach, especially when we use IP phones? I may post a final config to verify that everything is working as it should be!
Thanks again!
09-10-2013 12:58 PM
Getting into voip is going to probably make you want to move to vlans. Vlan 30 doesn't need to be in the ssid area on the AP since you're not using it any longer.
Fair warning though. Since you have all of this working, it's all going to change when you move to vlans. There are no drawbacks to running it this way because this is the preferred method. I've seen people put addresses on the radio, ethernet, and bvi which isn't necessary. The AP bridges the two interfaces together so you can use one address. Cisco recommends not to put a separate address on each interface.
HTH,
John
*** Please rate all useful posts ***
09-10-2013 01:34 PM
John,
Thanks for all your help once again - so far so good!
09-10-2013 07:43 PM
You're welcome!
HTH,
John
*** Please rate all useful posts ***