ritchauh
Level 1

 

 

Introduction

 

Sample configuration example of an 871W ISR

 

 


 

 

Solution

 

This configuration example has two VLANs, VLAN 1 and VLAN 2, each mapped to a different SSID with WPA-PSK security.

 

 

 

sh run
Building configuration...

Current configuration : 2452 bytes
!
! Last configuration change at 23:53:27 UTC Wed Mar 27 2002
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$.lNK$ellDG1B2CZJnj82Wqn8iL0
!
no aaa new-model
!
!
dot11 syslog
!
dot11 ssid GUESTRITS
vlan 2                     <<< vlan 2 mapped to GUESTRITS SSID. Use the VLAN as per the network configuration
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 0 cisco123
!
dot11 ssid INTERNAL
vlan 1                     <<< vlan 1 mapped to INTERNAL SSID
authentication open
authentication key-management wpa
wpa-psk ascii 0 cisco123
!
ip source-route
ip dhcp excluded-address 192.168.1.1
ip dhcp excluded-address 192.168.1.254
!
ip dhcp pool GUESTRITS     <<< DHCP pool for the GUESTRITS SSID. Wireless users connecting to this SSID will get an IP address from this pool
    network 192.168.1.0 255.255.255.0
    default-router 192.168.1.254           
!
ip cef
!
cwmp agent
management server username 00000C-CISCO871W%2dG%2dA%2dK9V05-FHK12502AJ2
!
bridge irb
!
!
interface FastEthernet0
switchport trunk allowed vlan 1,2,1002-1005     <<< Only the VLANs meant for wireless access are allowed. Modify this as per your needs
switchport mode trunk
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
no ip address
shutdown
duplex auto
speed auto
!
interface Dot11Radio0
no ip address
!
encryption vlan 1 mode ciphers tkip                 <<<tkip is the cipher
!
encryption vlan 2 mode ciphers tkip
!
ssid GUESTRITS
!
ssid INTERNAL
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native     <<< vlan 1 is native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.2
encapsulation dot1Q 2
bridge-group 2
bridge-group 2 subscriber-loop-control
bridge-group 2 spanning-disabled
bridge-group 2 block-unknown-source
no bridge-group 2 source-learning
no bridge-group 2 unicast-flooding
!
interface Vlan1
no ip address
bridge-group 1
!
interface Vlan2
no ip address
bridge-group 2
!
interface BVI1
ip address 10.0.0.2 255.255.255.0
!
interface BVI2
ip address 192.168.1.1 255.255.255.0
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
control-plane
!
bridge 1 protocol ieee     <<< Bridge group 1 is always used for bridging native VLAN traffic to the radio interface
bridge 1 route ip
bridge 2 protocol ieee     <<< Bridge group 2 bridges VLAN 2 with the radio interface here
bridge 2 route ip
!
line con 0
no modem enable
line aux 0
line vty 0 4
password cisco
login
!
exception data-corruption buffer truncate
scheduler max-task-time 5000
end

 

Router#
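
A short audit of the settings shown in the configuration above, as an added example that is not part of the original post: it flags WPA pre-shared keys stored as type 0 (cleartext), one key shared by several SSIDs, TKIP ciphers, cleartext line passwords, and the "no service password-encryption" and "ip source-route" globals. It goes slightly beyond this configuration by also recognising WEP mode; the audit function and its rule names are illustrative, and the sample is constructed from lines of this configuration.

```python
import re

# Constructed sample: lines taken from the 871W running-config shown above.
SAMPLE = """\
no service password-encryption
dot11 ssid GUESTRITS
vlan 2        <<<vlan 2 mapped to GUESTRITS SSID
authentication key-management wpa
wpa-psk ascii 0 cisco123
!
dot11 ssid INTERNAL
vlan 1
authentication key-management wpa
wpa-psk ascii 0 cisco123
!
ip source-route
interface Dot11Radio0
encryption vlan 1 mode ciphers tkip
encryption vlan 2 mode ciphers tkip
!
line vty 0 4
password cisco
login
"""

def audit(config):
    """Return sorted (rule, detail) findings for IOS running-config text."""
    findings, psk_users, ctx = set(), {}, ""
    for raw in config.splitlines():
        line = re.sub(r"\s*<<<.*$", "", raw).strip()  # drop the page's <<< notes
        if m := re.match(r"(?:dot11 ssid|line) (.+)", line):
            ctx = m.group(1)                      # current SSID or line block
        elif m := re.match(r"wpa-psk (?:ascii|hex) 0 (\S+)", line):
            findings.add(("cleartext-psk", ctx))  # key type 0 = stored unencrypted
            psk_users.setdefault(m.group(1), set()).add(ctx)
        elif m := re.match(r"encryption vlan (\d+) mode (?:ciphers )?(tkip|wep)\b", line):
            findings.add(("weak-cipher", f"vlan {m.group(1)} {m.group(2)}"))
        elif re.match(r"password (?:0 )?\S+$", line):
            findings.add(("cleartext-line-password", ctx))
        elif line in ("no service password-encryption", "ip source-route"):
            findings.add(("risky-global", line))
    for ssids in psk_users.values():
        if len(ssids) > 1:                        # one key shared by several SSIDs
            findings.add(("shared-psk", ",".join(sorted(ssids))))
    return sorted(findings)

if __name__ == "__main__":
    for rule, detail in audit(SAMPLE):
        print(f"{rule:24} {detail}")
```
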

 

 


Comments
Vinay Sharma
Level 7

Hi Ritika,

Thanks for sharing the sample configuration example. Keep it up. 5+

ramosm1974
Level 1

This is what I got and it has been working for me, and this includes the wireless setup. From my modem to my RV016 to my 871W. Once I figure out the PPPoE, the 871W will be my only router running, and I will figure out the port forwarding, but most important, I need to configure PPPoE.

mr-r1#sh star
Using 3825 out of 131072 bytes
!
! Last configuration change at 08:10:30 PCTime Sun Oct 28 2012 by ramosm
! NVRAM config last updated at 08:10:33 PCTime Sun Oct 28 2012 by ramosm
!
version 12.4
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
no service password-encryption
!
hostname mr-r1
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 64000
logging rate-limit 20
enable secret 5 $1$PDK9$YSz8GsnVsDYevR1hVGMG70
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
aaa session-id common
clock timezone PCTime -8
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-3978252741
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3978252741
revocation-check none
rsakeypair TP-self-signed-3978252741
!
!
crypto pki certificate chain TP-self-signed-3978252741
certificate self-signed 01 nvram:IOS-Self-Sig#B.cer
dot11 syslog
!
dot11 ssid ramfam
vlan 55
authentication open
mbssid guest-mode
!
ip source-route
no ip dhcp use vrf connected
ip dhcp excluded-address 10.25.55.1 10.25.55.49
ip dhcp excluded-address 10.25.55.76 10.25.55.254
ip dhcp excluded-address 10.25.50.1 10.25.50.49
ip dhcp excluded-address 10.25.50.76 10.25.50.254
!
ip dhcp pool Data
   import all
   network 10.25.50.0 255.255.255.0
   dns-server 10.55.55.1 4.2.2.1
   domain-name MR-Lab1
   default-router 10.25.50.1
   lease 25
!
ip dhcp pool Wireless
   import all
   network 10.25.55.0 255.255.255.0
   default-router 10.25.55.1
   dns-server 10.55.55.1 4.2.2.2
   lease 25
!
!
ip cef
ip domain name MR-Lab1.com
ip name-server 10.55.55.1
!
!
!
!
username ramosm privilege 15 secret 5 $1$J2cq$abQJlRlZgmIlEDPX/jd8A1
!
!
!
archive
log config
  hidekeys
!
!
no ip ftp passive
!
bridge irb
!
!
interface FastEthernet0
description AirNet 1100
speed 100
spanning-tree portfast
!
interface FastEthernet1
description Extra cat5
spanning-tree portfast
!
interface FastEthernet2
description Ubuntu PC
spanning-tree portfast
!
interface FastEthernet3
description PS3
speed 100
spanning-tree portfast
!
interface FastEthernet4
description Internet Wan Port
ip address 10.55.55.105 255.255.255.0
ip nat outside
ip virtual-reassembly
speed 100
full-duplex
!
interface Dot11Radio0
no ip address
!
encryption vlan 55 key 1 size 128bit 0 AB2081CA12B126DD2F95ABCF32 transmit-key
encryption vlan 55 mode wep mandatory
!
broadcast-key vlan 55 change 30
!
!
ssid ramfam
!
mbssid
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0
station-role root
!
interface Dot11Radio0.55
encapsulation dot1Q 55 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Vlan1
ip address 10.25.50.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Vlan55
no ip address
bridge-group 1
!
interface BVI1
ip address 10.25.55.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.55.55.1
ip http server
ip http authentication local
ip http secure-server
!
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source list 2 interface FastEthernet4 overload
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.25.50.0 0.0.0.255
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 10.25.55.0 0.0.0.255
!
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
exec-timeout 30 0
password Cisco
logging synchronous
no modem enable
line aux 0
line vty 0 4
exec-timeout 20 0
password Cisco
logging synchronous
!
scheduler max-task-time 5000
end
mr-r1#

ramosm1974
Level 1

Let me know what I can add or remove.
