Cisco 1921 Router LAN config

johnny_5
Level 1

Hi there - I have been asked to configure a new out of the box 1921 series Router for internet access. Basically our company has to provide Internet access to an office area with 8-10 IP Phones, Wireless & Internet set up. I have configured the Router to what I think would work best. I have a Cisco E1200 ready to go for the Wifi side of things. This office area is not part of our network.

Bottom line is that they need their IP phones and Wifi to work.

My question is... Is there anything else I would need to add to the config for the phones to work better (no drops)? Any help would be appreciated.

ISP > Router WAN > Router LAN > Cisco 2900XL Switch

ISP: 12.16.xxx.xx 255.255.255.248

LAN: 192.168.1.0 255.255.255.0

Building configuration...

Current configuration : 1648 bytes
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname NEX_Router
!
boot-start-marker
boot-end-marker
!
enable secret 4 wv8gUHK2fGNWeZuTKMRv7NWW3pQQ/a3WIwDP/OW0WIY
!
aaa new-model
!
aaa session-id common
clock timezone CDT -6 0
clock summer-time CDT recurring
!
ip cef
!
ip dhcp excluded-address 192.168.1.1
!
ip dhcp pool Nexxxxx
 import all
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 dns-server 208.67.222.222
 lease 7
!
no ipv6 cef
multilink bundle-name authenticated
!
license udi pid CISCO1921/K9 sn FTX17318328
!
username cisco secret 4 tnhtc92DXBhelxjYk8LWJrPV36S2i4ntXrpb4RFmfqY
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description Nexxxx LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description WAN side of Router
 ip address 12.16.xxx.xx 255.255.255.248
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 12.16.xxx.xx
!
control-plane
!
line con 0
 exec-timeout 240 0
 password 7 0010160709480A1200
 logging synchronous
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 password 7 051F030E2C5F4F1D16
 logging synchronous
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

28 Replies

Hi,

if wired clients and wireless clients are on different VLANs (different subnets) then you'll have to issue another DHCP pool for the corresponding subnet on the router. If you are using L2 ports (switchports) on the router and you have multiple VLANs from the switch to the router then you should configure your port as a trunk; you'll also need to have a vlan interface which is up/up in this wireless subnet. For Internet connectivity you should enable NAT on the wireless vlan interface and modify your dynamic PAT ACL to permit this subnet too.

Post your router config as well as a quick diagram showing your topology so we can tell you the commands if you got any problem.

Regards

Alain

Don't forget to rate helpful posts.


Thank you - The wired and wireless clients should all be on the one VLAN. There are two VLANs on the switch which should not be communicating with each other. One goes to our company and the other VLAN is for this new branch. We created the second VLAN on the switch just for this reason. The branch will not have any access to our network - just internet access through its own separate router as well. Could I exclude a range of IPs on the Router just for Wireless? I will post a config ASAP.

Thank you again!

Hi,

if wired and wireless are on same VLAN(subnet) then you only have one pool to configure indeed.

It is not possible to have 2 pools with the same subnet on a router as far as I know, and one way to set aside IPs for the wireless would be to use static bindings for ethernet clients (or wireless) by using the origin file: http://www.cisco.com/en/US/docs/ios/12_4t/ip_addr/configuration/guide/htdhcpsv.html#wp1074511

Regards

Alain

Don't forget to rate helpful posts.


Hi,

I have included the router config. You will have to excuse my Cisco knowledge - only getting started! As you can see I have a DHCP pool defined in the config - my previous posts had me getting an IP address from this range when hard wired. I am thinking I have to define the VLAN within the router for the AP to give out IPs.

NEX_Router#show ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
Embedded-Service-Engine0/0 unassigned      YES NVRAM  administratively down down
GigabitEthernet0/0         10.25.131.1     YES NVRAM  down                  down
GigabitEthernet0/1         12.16.xxx.xx    YES NVRAM  down                  down
NVI0                       unassigned      YES unset  administratively down down
NEX_Router#

NEX_Router#show run
Building configuration...

Current configuration : 1911 bytes
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname NEX_Router
!
boot-start-marker
boot-end-marker
!
enable secret 4 Jtja31O3DL3dFoer5Ui/.9yk3wKk08Sz.d/IwZb/FLA
!
aaa new-model
!
aaa session-id common
clock timezone CDT -6 0
clock summer-time CDT recurring
!
ip cef
!
ip dhcp excluded-address 10.25.131.1
ip dhcp excluded-address 10.25.131.10 <<<<-------------------------------------IP of AP
!
ip dhcp pool Nex
 import all
 network 10.25.131.0 255.255.255.0
 default-router 10.25.131.1
 dns-server 208.67.222.222
 lease 7
!
no ipv6 cef
multilink bundle-name authenticated
!
license udi pid CISCO1921/K9 sn FTX17318328
!
username cisco secret 4 tnhtc92DXBhelxjYk8LWJrPV36S2i4ntXrpb4RFmfqY
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description Nex LAN
 ip address 10.25.131.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description WAN side of Router
 ip address 12.16.xxx.xx 255.255.255.248
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
router rip
 network 10.0.0.0
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list 100 interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 12.16.xxx.xx
!
access-list 100 permit ip 10.25.131.0 0.0.0.255 any
!
control-plane
!
line con 0
 exec-timeout 240 0
 password 7 0010160709480A1200
 logging synchronous
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 password 7 051F030E2C5F4F1D16
 logging synchronous
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

As you can see I have excluded the IP address of the AP in the config. Do I have to define the VLAN within the router config as a sub-interface?

On my AP GUI the VLAN 30 (in this case) is already assigned to the AP. On my switch, VLAN 30 takes up 20 ports for its use.

Any help would be great! Thanks

johnny_5
Level 1

After doing some research I added a sub-interface giga0/0.30 and assigned VLAN 30 to it. After including this in the config I could not get an IP address when hard wired, nor could I get Internet access. I had removed the IP address 10.25.131.1 from giga0/0 and assigned it to the VLAN sub-interface - the IP on the router sub-interface for a particular VLAN will work as the default gateway for that VLAN. Is there something else I am supposed to add/remove from the config?

Thanks again!

NEX_Router#show run
Building configuration...

Current configuration : 2044 bytes
!
! Last configuration change at 09:53:56 CDT Tue Sep 10 2013
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname NEX_Router
!
boot-start-marker
boot-end-marker
!
enable secret 4 Jtja31O3DL3dFoer5Ui/.9yk3wKk08Sz.d/IwZb/FLA
!
aaa new-model
!
aaa session-id common
clock timezone CDT -6 0
clock summer-time CDT recurring
!
ip cef
!
ip dhcp excluded-address 10.25.131.1
ip dhcp excluded-address 10.25.131.10
!
ip dhcp pool Nex
 import all
 network 10.25.131.0 255.255.255.0
 default-router 10.25.131.1
 dns-server 208.67.222.222
 lease 7
!
no ipv6 cef
multilink bundle-name authenticated
!
license udi pid CISCO1921/K9 sn FTX17318328
!
username cisco secret 4 tnhtc92DXBhelxjYk8LWJrPV36S2i4ntXrpb4RFmfqY
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description Nex LAN
 no ip address
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/0.30
 encapsulation dot1Q 30
 ip address 10.25.131.1 255.255.255.0
!
interface GigabitEthernet0/1
 description WAN side of Router
 ip address 12.16.xxx.xx 255.255.255.248
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
router rip
 network 10.0.0.0
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list 100 interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 12.16.xxx.xx
!
access-list 100 permit ip 10.25.131.0 0.0.0.255 any
!
etc

You've removed the primary address from the parent interface. The primary always defaults to vlan 1. Since you've moved the same address to the subinterface and that interface is tagging with vlan 30, the switch expects that port to be trunked with vlan 1 and 30. The easiest thing to do is to remove the subinterface and put everything back the way that it was. If the AP clients need to get an address from the same pool, they should be able to as long as the BVI that you have configured on the AP is in the same range.

For example:

dot11 ssid Test
int d0
 ssid Test
 bridge-group 1
int fa0
 bridge-group 1
int bvi1
 ip address 10.25.131.
 ip default-gateway

HTH,

John


John, I have put the configuration back the way it was. I have the AP configured through the GUI.

After I do a show run I can see that the BVI interface has an IP address that's the same as the AP address. So what you're saying is that I need to exclude a new IP address on the router and assign it to the BVI interface?

Nex-AP#show run
Building configuration...

Current configuration : 1922 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Nex-AP
!
enable secret 5 $1$8Pxj$fC9vLXLBEcMLD6gr8wBXu/
!
no aaa new-model
!
resource policy
!
ip subnet-zero
!
dot11 vlan-name Nex vlan 30
!
dot11 ssid Nex
   authentication open
!
power inline negotiation prestandard source
!
username Cisco password 7 072C285F4D06
!
bridge irb
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 shutdown
 !
 ssid Nex
 !
 station-role root
 bridge-group 1
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.30
 encapsulation dot1Q 30
 no ip route-cache
 no snmp trap link-status
 bridge-group 30
 bridge-group 30 subscriber-loop-control
 bridge-group 30 block-unknown-source
 no bridge-group 30 source-learning
 no bridge-group 30 unicast-flooding
 bridge-group 30 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 !
 ssid Nex
 !
 dfs band 3 block
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface FastEthernet0.30
 encapsulation dot1Q 30
 no ip route-cache
 no snmp trap link-status
 bridge-group 30
 no bridge-group 30 source-learning
 bridge-group 30 spanning-disabled
!
interface BVI1
 ip address 10.25.131.10 255.255.255.0
 no ip route-cache
!
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
!
line con 0
line vty 0 4
 login local
!
end

Ok. You need to remove the vlan 30 information. I can't help with the GUI unfortunately, but I can walk you through the CLI.

For the same vlan, same pool as wired/wireless users, etc, you'll need three interfaces on the AP: Do0, Fa0, and BVI. The BVI bridges the wired (Fa0) and wireless (Do0) interfaces together. Currently, you're telling the AP that you want to support tagging, but that's not the case unless you're going to want to run multiple ssids.

For starters, do this from the cli: (copy and paste below)

dot11 vlan-name Nex vlan 30
no int fa0.30
no int d0.30
int d0
 no shut

Then try to connect to your ssid and you should get an address in the same pool as your wired clients. Yes, you'll want to exclude the address that you want to assign to the bvi.

Also, if you want to do separate pools at a later date for, say, a guest network, vlans are the way to go on the AP. So, you have a good starting point for that.

HTH,
John

*** Please rate all useful posts ***


John - Thank you for that. I followed your commands. I was able to get an IP address and was able to access the internet successfully! I ended up assigning the BVI a different IP address; as soon as I did copy run start it kicked me off the GUI side and the Telnet side!

The only issue now with the Wifi is that it is unsecured.

Would the following commands set up the security on the SSID? We don't have server based security set up.

Enable
Conf t
Dot11 ssid Nex
 Vlan 2
 authentication open
 authentication key-management wpa
 wpa-psk ascii 7
Mbssid Guest-mode
End

Hmmm... I'm not sure where the vlan 2 comes in. Normally that's to attach the ssid to a certain vlan. You should be able to remove that. The rest of it looks good for a preshared key for wpa. If you want to use wpa2, you should be able to change "authentication key-management wpa" to "authentication key-management wpa version 2". The ciphers that you use on the radio will determine what your encryption methods are:

int d0
 encryption mode ciphers aes-ccm (for wpa2)
OR
 encryption mode ciphers tkip (for wpa)

aes-ccm enables wpa2. I would recommend wpa2.

Mbssid guest-mode is for when you want to broadcast more than one ssid. Since you only have one on the AP, you can change this to just guest-mode if you want to broadcast the ssid.

HTH,
John

*** Please rate all useful posts ***

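Added example (not from this thread or from Cisco): a small Python audit that checks the two points John's replies call out, that the address the AP's BVI uses sits inside the router's DHCP pool subnet but is excluded from the pool, and whether the SSID ends up open, WPA or WPA2 with the cipher set on the radio. The sample configs are constructed to mirror the ones posted here; the BVI address 10.25.131.11 is an assumed value.

```python
import ipaddress

# Constructed sample configs modelled on this thread's router DHCP pool and AP BVI/SSID sections; BVI address assumed.
ROUTER_CFG = """\
ip dhcp excluded-address 10.25.131.1
ip dhcp excluded-address 10.25.131.10
ip dhcp pool Nex
 network 10.25.131.0 255.255.255.0
"""
AP_CFG = """\
dot11 ssid Nex
   authentication open
   authentication key-management wpa version 2
interface Dot11Radio0
 encryption mode ciphers aes-ccm
interface BVI1
 ip address 10.25.131.11 255.255.255.0
"""

def sections(cfg):
    """Group an IOS config into {top-level line: [indented child lines]}."""
    out, cur = {}, None
    for line in cfg.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if not line.startswith(" "):
            cur = line.strip()
            out.setdefault(cur, [])
        else:
            out[cur].append(line.strip())
    return out

def bvi_dhcp_status(router_cfg, ap_cfg):
    """Return (BVI address inside the pool subnet, BVI address excluded from the pool)."""
    r, a = sections(router_cfg), sections(ap_cfg)
    # Only the single-address form of 'ip dhcp excluded-address' is handled here.
    excluded = {k.split()[3] for k in r if k.startswith("ip dhcp excluded-address")}
    pool = next(v for k, v in r.items() if k.startswith("ip dhcp pool"))
    _, net_addr, mask = next(c for c in pool if c.startswith("network")).split()
    net = ipaddress.ip_network(f"{net_addr}/{mask}")
    bvi = next(c for c in a["interface BVI1"] if c.startswith("ip address")).split()[2]
    return ipaddress.ip_address(bvi) in net, bvi in excluded

def ssid_security(ap_cfg, ssid, radio="interface Dot11Radio0"):
    """Classify the SSID as 'open', 'wpa' or 'wpa2' and report the radio cipher."""
    a = sections(ap_cfg)
    km = [c for c in a[f"dot11 ssid {ssid}"] if c.startswith("authentication key-management")]
    mode = "open" if not km else ("wpa2" if "version 2" in km[0] else "wpa")
    cipher = next((" ".join(c.split()[3:]) for c in a[radio]
                   if c.startswith("encryption mode ciphers")), None)
    return mode, cipher
```

With the constructed configs, bvi_dhcp_status reports the BVI address as inside the pool subnet but not excluded, which is exactly the lease-conflict case to fix before handing out addresses; ssid_security reports ("wpa2", "aes-ccm").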

John - that VLAN 2 was a typo... sorry, it should have been VLAN 30.

With the setup I have configured now using the BVI, will all packets coming and going have to go through the BVI interface which is on the AP? The BVI allows this traffic to be bridged between both the FastEthernet and radio with the one IP address, right?

Are there any drawbacks to using this approach, especially when we use IP phones? I may post a final config to verify that everything is working as it should be!

Thanks again!

Getting into voip is going to probably make you want to move to vlans. Vlan 30 doesn't need to be in the ssid area on the AP since you're not using it any longer.

Fair warning though. Since you have all of this working, it's all going to change when you move to vlans. There are no drawbacks to running it this way because this is the preferred method. I've seen people put addresses on the radio, ethernet, and bvi which isn't necessary. The AP bridges the two interfaces together so you can use one address. Cisco recommends not to put a separate address on each interface.

HTH,
John

*** Please rate all useful posts ***


John,

Thanks for all your help once again - so far so good!

You're welcome!

HTH,
John

*** Please rate all useful posts ***
