04-13-2011 01:04 AM - edited 11-18-2020 02:53 AM
Introduction:-
This is a configuration example for the 861W/881W/891W series ISRs. It uses two VLANs: VLAN 1 for wired users and VLAN 4 for wireless users. Each VLAN has its own dedicated DHCP pool.
Configuration Steps:-
Before we can access the AP module, we need to configure the router to open a session between the AP module and the router module.
NOTE:-
1. Define the router’s console interface to the wireless device. The interface is used for communication between the router’s console and the wireless device. Always use port 0.
Router(config)# interface wlan-ap0
Router(config-if)#
The following message appears:-
"The wlan-ap 0 interface is used for managing the embedded AP. Please use the service-module wlan-ap 0 session command to console into the embedded AP".
2. Specify the IP address and subnet mask
Router(config-if)#ip unnumbered vlan 4
Router(config-if)#no shut
Router(config-if)#end
Router#
The IP address can be shared with the IP address assigned to the Cisco Integrated Services Router by using the ip unnumbered vlan4 command.
3. Open the connection between the wireless device and the router’s console.
Router#service-module wlan-ap 0 session
Example:-
Router# service-module wlan-ap0 session
Trying 10.0.0.1, 2002 ... Open
ap>
4. Afterwards, to close the session between the wireless device and the router’s console, perform the following steps:
Wireless Device
A. Control-Shift-6 x
Router
B. Disconnect
C. Press Enter twice.
5. Configure AP module for wireless functionality with one SSID. Example given below.
6. Configure router module for the desired vlans. Example given below.
ROUTER MODULE
Version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 800-12
!
boot-start-marker
boot system flash
boot-end-marker
!
no logging on
!
no aaa new-model
!
ip source-route
ip dhcp excluded-address 10.10.10.1 <<<exclude IP addresses that need not be leased out
ip dhcp excluded-address 10.0.0.1 <<<exclude IP addresses that need not be leased out
!
ip dhcp pool Wireless <<<<DHCP pool for wireless users
network 10.0.0.0 255.255.255.0
default-router 10.0.0.1 <<<<default gateway will be the wireless vlan IP ( vlan 4 )address
!
ip dhcp pool TEST <<<DHCP pool for other wired users
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1 <<default gateway for wired users is the wired vlan IP (vlan 1 )
!
!
ip cef
no ip domain lookup
ip domain name yourdomain.com
ip inspect log drop-pkt
!
!
username cisco secret 5 $1$D.C.$gY/Pz9EJKgnfGYISyU4NR0
!
!
archive
log config
hidekeys
!
bridge irb
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
no ip address
shutdown
duplex auto
speed auto
!
interface wlan-ap0 <<<<<<<<<<<<<Service module interface to manage the embedded AP
description Service module interface to manage the embedded AP
ip unnumbered Vlan4 <<<This interface will use vlan 4 IP to manage the embedded AP
arp timeout 0
!
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
switchport trunk native vlan 4 <<<Specifying the native vlan as 4
switchport mode trunk
!
interface Vlan1 <<<<VLAN 1 for wired users
ip address 10.10.10.1 255.255.255.0
!
interface Vlan4 <<<<VLAN4 network for wireless users
ip address 10.0.0.1 255.255.255.0
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.76.75.65
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner exec ^C
AP MODULE:-
hostname ap
!
enable secret 5 $1$uoRD$Mz7Q8NVh9L0PYSoIKxghH/
!
no aaa new-model
!
dot11 ssid TEST <<<TEST SSID
vlan 4 <<<TEST SSID mapped to vlan 4
authentication open
authentication key-management wpa
guest-mode <<<<To broadcast the SSID
wpa-psk ascii 0 cisco123 <<<Preshared key is used
!
username cisco privilege 15 secret 5 $1$JbKq$341Z9uDAkeHKcMTO6/WI00
!
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption vlan 4 mode ciphers tkip <<<<<Specifying TKIP cipher for the SSID
!
ssid TEST
!
station-role root
!
interface Dot11Radio0.4 <<<<<<<Create sub interface for vlan 4 and specify it as native vlan
encapsulation dot1Q 4 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface GigabitEthernet0
description the embedded AP GigabitEthernet 0 is an internal interface connecting AP with the host router
no ip address
no ip route-cache
!
interface GigabitEthernet0.4 <<<<<<<Create sub interface for vlan 4 and specify it as native vlan
encapsulation dot1Q 4 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface BVI1
ip address dhcp
no ip route-cache
!
ip default-gateway 10.0.0.1 <<<<IP address of vlan 4 is the default gateway
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 protocol ieee
bridge 1 route ip
!
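An added example, not part of the original document or of any Cisco tooling: a small Python check that scans a configuration like the two above for settings that weaken the deployment, such as the TKIP cipher, the pre-shared key stored as type 0, the plain-HTTP management server, `no service password-encryption`, `ip source-route` and `no logging on`. The rule list, the function names and the sample text (constructed from lines in the configs on this page) are assumptions; the check also strips the `<<<` margin notes used here and covers the WEP mode that appears in a config posted further down.

```python
import re

# (rule id, pattern for one whole config line, reason); the rule set is an assumption.
RULES = [
    ("tkip-cipher", r"encryption( vlan \d+)? mode ciphers .*\btkip\b.*",
     "TKIP is deprecated; prefer aes-ccm with WPA2"),
    ("wep-cipher", r"encryption( vlan \d+)? mode wep\b.*",
     "WEP keys can be recovered from captured traffic"),
    ("psk-cleartext", r"wpa-psk (ascii|hex) 0 \S+",
     "pre-shared key stored unencrypted (type 0)"),
    ("http-mgmt", r"ip http server",
     "management web UI is served over plain HTTP"),
    ("no-pw-encryption", r"no service password-encryption",
     "type 0 passwords and keys stay readable in the config"),
    ("source-route", r"ip source-route",
     "packets carrying IP source-route options are processed"),
    ("logging-off", r"no logging on",
     "logging to buffer and syslog destinations is disabled"),
]
COMPILED = [(rid, re.compile(rx, re.I), why) for rid, rx, why in RULES]

def normalize(line):
    """Drop the '<<<' margin notes this page appends to config lines."""
    return re.sub(r"\s*<<+.*$", "", line).strip()

def audit(config_text):
    """Return (line_number, rule_id, config_line, reason) for every match."""
    findings = []
    for number, raw in enumerate(config_text.splitlines(), 1):
        line = normalize(raw)
        for rid, rx, why in COMPILED:
            if rx.fullmatch(line):
                findings.append((number, rid, line, why))
    return findings

# Constructed sample: lines copied from the ROUTER MODULE and AP MODULE configs.
SAMPLE = """\
no service password-encryption
ip source-route
dot11 ssid TEST <<<TEST SSID
wpa-psk ascii 0 cisco123 <<<Preshared key is used
encryption vlan 4 mode ciphers tkip <<<<<Specifying TKIP cipher for the SSID
ip http server
ip http secure-server
"""

if __name__ == "__main__":
    for number, rid, line, why in audit(SAMPLE):
        print(f"line {number}: [{rid}] {line} ({why})")
```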
Related Document:-
Thanks Ritika for sharing this configuration example.
Thanks a lot, very useful !
This is what I got and it has been working for me. From my modem to my RV016 to my 871w. Once I figure out the PPPOE the 871w will be my only router running, and figure out the port forwarding, but most important I need to configure PPPOE.
mr-r1#sh star
Using 3825 out of 131072 bytes
!
! Last configuration change at 08:10:30 PCTime Sun Oct 28 2012 by ramosm
! NVRAM config last updated at 08:10:33 PCTime Sun Oct 28 2012 by ramosm
!
version 12.4
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
no service password-encryption
!
hostname mr-r1
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 64000
logging rate-limit 20
enable secret 5 $1$PDK9$YSz8GsnVsDYevR1hVGMG70
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
aaa session-id common
clock timezone PCTime -8
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-3978252741
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3978252741
revocation-check none
rsakeypair TP-self-signed-3978252741
!
!
crypto pki certificate chain TP-self-signed-3978252741
certificate self-signed 01 nvram:IOS-Self-Sig#B.cer
dot11 syslog
!
dot11 ssid ramfam
vlan 55
authentication open
mbssid guest-mode
!
ip source-route
no ip dhcp use vrf connected
ip dhcp excluded-address 10.25.55.1 10.25.55.49
ip dhcp excluded-address 10.25.55.76 10.25.55.254
ip dhcp excluded-address 10.25.50.1 10.25.50.49
ip dhcp excluded-address 10.25.50.76 10.25.50.254
!
ip dhcp pool Data
import all
network 10.25.50.0 255.255.255.0
dns-server 10.55.55.1 4.2.2.1
domain-name MR-Lab1
default-router 10.25.50.1
lease 25
!
ip dhcp pool Wireless
import all
network 10.25.55.0 255.255.255.0
default-router 10.25.55.1
dns-server 10.55.55.1 4.2.2.2
lease 25
!
!
ip cef
ip domain name MR-Lab1.com
ip name-server 10.55.55.1
!
!
!
!
username ramosm privilege 15 secret 5 $1$J2cq$abQJlRlZgmIlEDPX/jd8A1
!
!
!
archive
log config
hidekeys
!
!
no ip ftp passive
!
bridge irb
!
!
interface FastEthernet0
description AirNet 1100
speed 100
spanning-tree portfast
!
interface FastEthernet1
description Extra cat5
spanning-tree portfast
!
interface FastEthernet2
description Ubuntu PC
spanning-tree portfast
!
interface FastEthernet3
description PS3
speed 100
spanning-tree portfast
!
interface FastEthernet4
description Internet Wan Port
ip address 10.55.55.105 255.255.255.0
ip nat outside
ip virtual-reassembly
speed 100
full-duplex
!
interface Dot11Radio0
no ip address
!
encryption vlan 55 key 1 size 128bit 0 AB2081CA12B126DD2F95ABCF32 transmit-key
encryption vlan 55 mode wep mandatory
!
broadcast-key vlan 55 change 30
!
!
ssid ramfam
!
mbssid
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0
station-role root
!
interface Dot11Radio0.55
encapsulation dot1Q 55 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Vlan1
ip address 10.25.50.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Vlan55
no ip address
bridge-group 1
!
interface BVI1
ip address 10.25.55.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.55.55.1
ip http server
ip http authentication local
ip http secure-server
!
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source list 2 interface FastEthernet4 overload
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.25.50.0 0.0.0.255
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 10.25.55.0 0.0.0.255
!
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
exec-timeout 30 0
password Cisco
logging synchronous
no modem enable
line aux 0
line vty 0 4
exec-timeout 20 0
password Cisco
logging synchronous
!
scheduler max-task-time 5000
end
mr-r1#
Let me know what you think, or what I can add or remove, but this is what's working.
I am unable to set my 891w router up. I really need assistance. I don't mind wiping and starting over; I have multiple times.
Here is a link from another post I have that nobody has answered or said anything about yet.
https://supportforums.cisco.com/thread/2241210
I tried to use the example above in my router but vlan4 is down/down for some reason. I went through copying and pasting, not sure what happened.
Basically I just want my router set up to broadcast wireless and have wpa pka protection, then I want to plug in my home lab with about 4 servers and routers and such.
I don't need dhcp or dns as I will set that up on my servers as soon as I can get this router to work.
Any help would be great.
Below is my config. I cannot setup the wap because it says
-----------------------------
891W#service-module wlan-ap 0 session
Trying 10.0.0.1, 2002 ...
% Destination unreachable; gateway or host down
891W#
------------------------------
guessing something is wrong with vlan 4
------------------------------
891W#show ip int brief
Interface IP-Address OK? Method Status Protocol
Async1 unassigned YES unset down down
FastEthernet0 unassigned YES unset down down
FastEthernet1 unassigned YES unset down down
FastEthernet2 unassigned YES unset down down
FastEthernet3 unassigned YES unset down down
FastEthernet4 unassigned YES unset down down
FastEthernet5 unassigned YES unset down down
FastEthernet6 unassigned YES unset down down
FastEthernet7 unassigned YES unset down down
FastEthernet8 unassigned YES unset administratively down down
GigabitEthernet0 unassigned YES unset administratively down down
Vlan1 10.10.10.1 YES manual up up
Vlan4 10.0.0.1 YES manual down down
Wlan-GigabitEthernet0 unassigned YES unset up up
wlan-ap0 10.0.0.1 YES unset up up
891W#
------------------------------------------------
I checked for vlans and got this:
891W#show vlans
No Virtual LANs configured.
891W#
--------------------------------------------
below is the full config:
===========================
891W#show running-config
Building configuration...
Current configuration : 4262 bytes
!
! Last configuration change at 17:16:36 UTC Sat Sep 21 2013
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 891W
!
boot-start-marker
boot system flash
boot-end-marker
!
!
no logging on
!
no aaa new-model
!
service-module wlan-ap 0 bootimage autonomous
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-1959322904
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1959322904
revocation-check none
rsakeypair TP-self-signed-1959322904
!
!
crypto pki certificate chain TP-self-signed-1959322904
certificate self-signed 01
(removed to save space)
quit
ip source-route
!
!
!
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 10.0.0.1
!
ip dhcp pool Wireless
network 10.0.0.0 255.255.255.0
default-router 10.0.0.1
!
ip dhcp pool TEST
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
!
!
ip cef
no ip domain lookup
ip domain name BWCAT.com
ip inspect log drop-pkt
no ipv6 cef
!
!
!
!
multilink bundle-name authenticated
parameter-map type inspect global
log dropped-packets enable
!
!
!
!
!
!
license udi pid CISCO891W-AGN-A-K9 sn FTX1423818V
!
!
archive
log config
hidekeys
username myname secret 5 xxxxxxx
!
!
!
!
!
!
!
bridge irb
!
!
!
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
no ip address
!
interface FastEthernet5
no ip address
!
interface FastEthernet6
no ip address
!
interface FastEthernet7
no ip address
!
interface FastEthernet8
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0
no ip address
shutdown
duplex auto
speed auto
!
interface wlan-ap0
description Service module interface to manage the embedded AP
ip unnumbered Vlan4
arp timeout 0
!
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
switchport trunk native vlan 4
switchport mode trunk
no ip address
!
interface Vlan1
ip address 10.10.10.1 255.255.255.0
!
interface Vlan4
ip address 10.0.0.1 255.255.255.0
!
interface Async1
no ip address
encapsulation slip
!
ip forward-protocol nd
!
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip route 0.0.0.0 0.0.0.0 10.76.75.65
!
logging esm config
!
!
!
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
!
!
mgcp profile default
!
!
!
!
banner exec ^CC
DO NOT ACCESS WITHOUT PERMISSION
^C
!
line con 0
exec-timeout 0 0
logging synchronous
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin udptn ssh
line aux 0
line vty 0 4
login
transport input all
!
end
891W#
========================================
Not sure what happened but it just came up out of the blue...
===================
891W#show vlans
No Virtual LANs configured.
891W#conf t
Enter configuration commands, one per line. End with CNTL/Z.
891W(config)#vlan 4
891W(config-vlan)#name wireless
891W(config-vlan)#exit
891W(config)#end
%SYS-5-CONFIG_I: Configured from console by console891W#show vlans
No Virtual LANs configured.
891W#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan4, changed state to up
891W#show ip int brief
Interface IP-Address OK? Method Status Protocol
Async1 unassigned YES unset down down
FastEthernet0 unassigned YES unset down down
FastEthernet1 unassigned YES unset down down
FastEthernet2 unassigned YES unset down down
FastEthernet3 unassigned YES unset down down
FastEthernet4 unassigned YES unset down down
FastEthernet5 unassigned YES unset down down
FastEthernet6 unassigned YES unset down down
FastEthernet7 unassigned YES unset down down
FastEthernet8 unassigned YES unset administratively down down
GigabitEthernet0 unassigned YES unset administratively down down
Vlan1 10.10.10.1 YES manual up up
Vlan4 10.0.0.1 YES manual up up
Wlan-GigabitEthernet0 unassigned YES unset up up
wlan-ap0 10.0.0.1 YES unset up up
891W#show vlans
891W#show vlans
No Virtual LANs configured.
891W#service
891W#service-module wlan
891W#service-module wlan-ap 0
891W#service-module wlan-ap 0 se
891W#service-module wlan-ap 0 session
Trying 10.0.0.1, 2002 ... Open
Connecting to AP console, enter Ctrl-^ followed by x,
then "disconnect" to return to router prompt
C
% Password change notice.
-------------------------------------------------------
I didn't do anything but the vlan 4 and name thingie and then about 1 minute later it popped on. I will try to use the second part for the WPA configuration now and see if that works.
Please check below and help me with resolving a VLAN issue with a Cisco 881 router and a Cisco SG500-52 switch.
Thanks a lot, really, you helped me so much, but now I can ping from the local computer to wireless devices but the wireless devices can't ping the local computers.
Thanks if anybody can suggest what to do!
Thank you! Worked in a pinch!
Hello
I hope you could help me.
I have the Cisco 891FW box running IOS Version 15.4(1r)T1. I cannot find the encryption command to execute encryption vlan 4 mode ciphers tkip line.
I am doing the exact example of Richauh
Thank you
Post your show run.
The encryption vlan 4 mode ciphers tkip is posted under interface Dot11RadioX.