Do you have experience with the Cisco 871 router? If so, what were your impressions? Share your feedback about the information in this article as well as your opinion of the CLI Configuration Worksheet, which you can download from http://downloads.techrepublic.com.com/abstract.aspx?docid=243375.
Because of my inexperience, I used the GUI. I love the router and
was looking to upgrade the 831 that I currently have. The Cisco
SDM is a pretty nice interface for configuring the router (for a
newbie) and it served me well in all tasks, including digital
certificates. I was somewhat disappointed in not getting my Mac
laptop to work with the wireless portion, but the other machines
had no problem. The wireless portion of SDM was a little
confusing (version I used) and that may have thrown me. Had I
access to the router now I would certainly try again with what
you have posted here. I'm still looking to upgrade and have the
1811W in my sights. I certainly like to see more articles on this
router. Thanks!

-Edd
While I can't verify this, it's likely that the 1811W will work with this 871W configuration. The only thing different would be the Interface names. I'll ask Cisco for an 1811W and get a template for that as well.

The SDM is really slow (Java Run Time Engine) and confusing for certain tasks. But compared to working with the CLI from scratch, it's a lot easier for a newbie. But if you have this simple CLI template to fill out and you have detailed explanations of the commands, I believe it's even easier than the SDM.

I haven't implemented certificates in this template yet but I'll try to add that in the next version. For now you can use the SDM just to do the certificate portion.
0 Votes
+ -
Great Product
Anthony.V 7th Aug 2006
I bought this product back in December. This is a great product for the price. I have Verizon FIOS and this product works great with it, extremely fast, easy to set up if you use the Cisco SDM program that comes with it.
0 Votes
+ -
Did you need to do any special configuration other than what has been specified in this article? I am considering purchasing the 871W for my home office and I have a 10mb FIOS connection. Thanks in advance.
0 Votes
+ -
Fios
Lwood 29th Jan 2008
I have fios here in Portland Oregon - it comes right into my house as an ethernet connection.

You have to bind the mac address of the actiontech to your cisco eth04 interface.

Then it will work as long as you have dhcp enabled on the eth04 interface.

There are other posts that discuss this on dslbroadband newsgroups....google...cisco 870w +fios and you will find the answer.
0 Votes
+ -
clarification
Lwood 21st Apr 2008
You have to bind the mac address of your actiontech bridge ip interface to your fa4 interface. And, you have to release the ip address on the actiontech device BEFORE plugging in your cisco 870w.

There are two interfaces at the actiontech, but the bridge mac-address is what matters.

And the fa4 interface needs to be set to get an IP address from Verizon.
0 Votes
+ -
mac cloning no longer needed
Lwood Updated - 22nd Apr 2008
I was on the phone with Verizon last night and have the following to share. Whenever you have a DHCP FIOS connection you no longer have to clone the mac-address of the actiontech. What you do have to do for the 871w: unplug the cable going into the actiontech, call Verizon and have them release your ip stack. Plug in your wan cable in port fa4 with the interface set to "ip address dhcp".

You will then get an ip address and everything will work until you decide to change hardware again. The 871w is incredibly fast compared to the actiontech, which died after only 1.4 years of use. The built-in switch went bad on mine and I had an 871w lying around ready to go to work.
0 Votes
+ -
actiontech died
Lwood 15th May 2009
And now all I have is the 871w - actiontech is crap compared to what I can do with the 871w and after adding a fifty dollar per year smartnet subscription I can now say I'm a happy camper!
0 Votes
+ -
I am new to the whole Cisco environment but thought I would erase my working configuration and try your template. I was very successful at the erasing part...but in step one of creating the two VLANs I was stopped dead in my tracks by the router stating only 1 VLAN can be created in the database. I realize the documentation says 4 but I can't get past that step and now even the SDM won't connect to the router so it is a big paper weight. Can you help?
0 Votes
+ -
851 only allows 1 VLAN. 871W allows 2 VLANs, but it's possible you may need the Advanced IP IOS. It might also be an issue with the version of the IOS you have. Cisco does offer the latest Advanced IP IOS for download if you have any kind of smartnet contract and a CCO account but you'll need to purchase the proper license to remain compliant.
0 Votes
+ -
I have the 871W with the security (K9) bundle.
You might need the Advanced IP IOS upgrade. You can download that from your CCO account to try it out and then pay them for the license if you wish to keep it.
0 Votes
+ -
Bummer Daze...
Amphitryon 9th Aug 2006
Yeah, I have the 871w as well, and I can only create one VLAN...so no go on this config for now.

Version 12.3(8)YI2, RELEASE SOFTWARE

How can I recreate an address that would allow me to go back to use the SDM for now? I didn't save that config file, and I'd like to mess with the SDM a little bit more...suggestions would be great, thanks!

I am just trying to setup a basic wired/wireless LAN environment and can't seem to get everything going all together. I actually did some cut and paste of parts of your config here, and got an addy from my ISP (SBC/Yahoo). The Dialer1 negotiated an address, but internally, no ip addresses are distributed via NAT and DHCP...I noticed that 'services dhcp' was not included in my config, but it didn't seem to matter.

I need to create a BVI to my wired network so I can get everything rolling, still trying...

-Eric
0 Votes
+ -
You can still create everything except for the guest VLAN portion. You can edit out all the VLAN20 and BVI20 and Dot0.20 interface sections. This will still let you set up the DSL, LAN, and WPA-PSK security WLANs.

I'm going to check with Cisco if you're allowed to have multiple WLANs even if you're not able to create VLANs. "Routed" WLANs don't have to be associated with VLANs so the possibility still remains that we can still create multiple guest WLANs without the Advanced IP IOS.

If you had smartnet, you can download the Advanced IP IOS to try out but you will need to purchase a license to remain legal.
0 Votes
+ -
re vlans
berourke@... 14th May 2009
I got an error message about can't create vlans when using the instructions at the start of the "how to"

just did the cut and paste from the template of the section that creates the vlans and it worked
0 Votes
+ -
Getting Closer
genesmini@... Updated - 9th Aug 2006
OK, I have the new IOS and somehow got it onto the router using the copy command. I was then able to create the two vlans 10 and 20. I copied the configuration after completing the spreadsheet (a small group at a time) and when I was all done there were no IP addresses for BVI10 or BVI20 so I manually assigned them. At that point I was able to ping 192.168.1.1 and 2.1 as well as my DNS server...my PC came up and I was able to get to the internet....but my laptop (wireless) is showing an IP address of 169.x.x.x ...now I am lost again. Also the name appearing is not what I entered into the spreadsheet as the SSID. Suggestions? Please?
I would recommend telnetting to the router and then pasting the configuration again. Console sometimes misses things especially if you're pasting it quickly.

Email me the variables you entered without the passwords and I'll check to see if you're doing things right.

It sounds like you're close but the DHCP is not working. Are you trying to wirelessly connect to the guest or internal WLAN?
0 Votes
+ -
dhcp server
kylewa@... 10th Aug 2006
I am having this problem as well. The DHCP server doesn't seem to be giving out an address, I have the internal WLAN configured. Help please
Thanks for the guide, that is great! I need to authenticate to my ISP via PPPoE and I'm not sure where I should inject those instructions. Any ideas? Thanks
0 Votes
+ -
All you need to do is fill out the variable page which includes the PPPoE username/password. Once you click the "replace" button it will generate the configuration for you.
0 Votes
+ -
George,

how do you post the config into the 871w? I don't recall reading in the article the technique used to get the spreadsheet onto the router.

I tried to email you directly, but I didn't see the address anywhere.

Jay
Windows will exclude all of the formatting and cell data and paste the proper text.
0 Votes
+ -
Someone else in this talkback suggested using the "service dhcp" command in config t mode. See if that fixes it.
0 Votes
+ -
thanks, 1 last problem
kylewa@... Updated - 16th Aug 2006
I finally got it set up with everyone's help. However, 1 last problem... I've confirmed I'm getting an address, can get out on the net once connected wirelessly, however 1 or 2 mins later the dot11 interface goes down... Anyone else had this problem? I was not changing the config at all when it goes down.

*edit*
got it to work, it was the bug in the IOS I was using =)
0 Votes
+ -
Locate a copy of this IOS

c870-advipservicesk9-mz.123-8.YI3.bin

The one which came with the 871 is limited. You may have to contact Cisco and whine to get it free.

Mike
Not sure if you have already figured this out - but I took a look at this article last weekend. I had a customer that wanted this set up... offering 2 separate access points and of course separating the guest network from the internal network. Anyway, after reading this FANTASTIC article that helped so much!!!! -- had to throw this in there. I also noticed that I couldn't create another VLAN. I knew the article had to be correct so I proceeded to Cisco's Website to find out they had an IOS upgrade. After applying the upgrade, everything worked like a champ!!! I know if you include EVERYTHING in this article, it would have been a couple of pages longer. But I think the article should have included the requisites... which should have said the first thing you need to do is upgrade to: c870-advipservicesk9-mz.124-11.T.bin
This article only works on Advanced IP or above, but I have another article that lets you add up to 10 wireless VLANs (not wired) for the standard "advanced security" IOS that comes with the 851W and 871W.

http://articles.techrepublic.com.com/5100-1035_11-6112367.html

You're right I could have mentioned Advanced IP IOS requirements more clearly. We'll have to make a slight edit to point that out and link to the 851/871 article.
0 Votes
+ -
Nice job
damoy@... 17th Jan 2007
Hi George,

Just wanted to say very nice job on the multiple wlan config using the advanced security ios.

-damoy
0 Votes
+ -
Glad you liked it
georgeou 18th Jan 2007
We'll be putting out more templates for everything and not just Cisco. Do you have any requests?
0 Votes
+ -
First, I tried both of your configs about a year ago, got completely lost, but did manage to use some of the templates for the 851w static config and then the sdm tool to get a working device. Then we had a friend move into the house, and well, I had the need for a guest network that was isolated from my personal internal network. I reloaded up the configs only to remember that even though I paid 800 bucks, for some reason I can't use the multiple vlan configuration (guess I don't have advanced ios, I really don't remember). Anyways, I followed the configuration templates and was actually able to get an internal wlan, and a guest wlan. The internal wlan doesn't announce itself (I didn't tell it not to, but it doesn't, which is fine with me) and the guest lan gets ip space completely different and can't hit my internal devices. Now is where my lack of understanding scares me, my sdm says I have no firewall configured, which is true as I didn't run the wizards (when starting to run them, they complain about the inside/outside rules set via your template). I managed to extract some commands from a previous configuration that was working with port forwarding (only 1 wlan though). They are:

ip nat inside source static tcp 192.168.0.240 5001 interface FastEthernet4 5001
ip nat inside source static tcp 192.168.0.200 3389 interface FastEthernet4 3389
ip nat inside source static udp 192.168.0.200 3389 interface FastEthernet4 3389

Any idea why port forwarding on the two simple ports isn't working? Thanks
0 Votes
+ -
DHCP Service
Amphitryon 10th Aug 2006
I had the same problem. I entered the command 'service dhcp' at the global config level and it activates the service:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fipr_c/ipcprt1/1cfdhcp.htm#wp1018944

I have an unsupported IOS for the configuration in this article, but I used their excel template to create my own network setup...I had to activate the dhcp service -is this a forgotten command?

-Eric
New config works without VLANs! You can still have 10 routed WLANs that aren't bridged to a wired network on the standard Cisco 871W and even the $300 851W! I'm going to have a new template posted next week.
0 Votes
+ -
I am a newbie to working with CLI and figured out that I had screwed up the IP addressing on the router. I went back and fixed that and everything is working great using the configuration you provided.

It does require the Advanced IP services software to create the two VLANs. Without that software the router is limited to one VLAN (built in).

I look forward to the next "installment" of your configuration.
I have a new config that works without wired VLANs! You can still have 10 routed WLANs that aren't bridged to a wired network on the standard Cisco 871W and even the $300 851W! I'm going to have a new template posted next week.
I hope I'm not the only one excited about this article and waiting for the next installment of the tutorial.
0 Votes
+ -
QoS is next
georgeou 20th Oct 2006
We'll try to have something in the next few weeks.
0 Votes
+ -
Which QoS will you be addressing? Auto or Manual?
0 Votes
+ -
David Davis is going to address both methods.

He's already posted something on Auto.
http://articles.techrepublic.com.com/5100-1035_11-6134065.html?tag=sc

David has already submitted something using the same kind of configuration template I'm using here. It's being edited and will be posted soon.
Hi George, What is the best way to allow my guest on the Guest-WLAN to only have access to the printer on the Internal-WLAN. Should I move the printer to the guest LAN since the Internal-WLAN has access to the Guest-WLAN already?
You need to edit the ACL I named "Guest-ACL".

You need to run the following sets of commands.


no ip access-list extended Guest-ACL
ip access-list extended Guest-ACL
permit ip any {printer} any
deny ip any [Network1-ID] [Reverse-mask-1]
permit ip any any


That first line deletes the ACL since we can't just add a line to the top of an ACL which is precisely what we need to do. Note that you need to put in the IP of the printer in place of the string {printer} without the {}. Also note I opened ANY which is everything. If you want it even more locked down, you'll have to figure out what ports the printer uses and only allow those ports.
871w(config-ext-nacl)#no ip access-list extended Guest-ACL
871w(config)#ip access-list extended Guest-ACL
871w(config-ext-nacl)#permit ip any 192.168.123.10 any
^
% Invalid input detected at '^' marker.

871w(config-ext-nacl)#deny ip any 192.168.123.0 0.0.0.255
871w(config-ext-nacl)#permit ip any any
871w(config-ext-nacl)#

The printer has an hp Jetdirect Card
Port TCP 9100 and I think Port 9100 UDP
0 Votes
+ -
Sorry, typo. Try this
georgeou Updated - 11th Jan 2007
permit ip any host 192.168.123.10

or

permit ip any 192.168.123.10 0.0.0.0

Both mean same thing.

If it's TCP and UDP 9100, try this to lock it down more.

permit TCP any host 192.168.123.10 eq 9100
permit UDP any host 192.168.123.10 eq 9100

That will prevent people from messing around with other ports like HTTP (which you should turn off on your printer) or Telnet.
I'm in the process of upgrading my flash memory to 32 meg and I keep getting the following error when the router loads:

C870 series (Board ID: 3-148) platform with 262144 Kbytes of main memory

No bootable image file: flash:/
Unable to open boot file
0 Votes
+ -
I used the following commands and it worked.

no ip access-list extended Guest-ACL
ip access-list extended Guest-ACL
permit TCP any host 192.168.123.10 eq 9100
deny ip any 192.168.123.0 0.0.0.255
permit ip any any

Enabled passwd for telnet but I did not see an option to turn off the HTTP.

Thanks for the help & support.
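
An added example, not part of the original thread or the article's template: a small Python first-match evaluator for the subset of IOS extended-ACL syntax used in the Guest-ACL above, to check which guest flows that ACL permits. The guest source address 192.168.2.50 and the sample destinations are constructed for illustration; only the ACL lines and the printer address come from the posts.

```python
from ipaddress import IPv4Address as IP

# Guest-ACL as posted in the thread (the version reported to work).
GUEST_ACL = """\
permit TCP any host 192.168.123.10 eq 9100
deny ip any 192.168.123.0 0.0.0.255
permit ip any any
"""

def _addr(tokens):
    """Consume one address spec and return (address, wildcard) as ints."""
    first = tokens.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return int(IP(tokens.pop(0))), 0
    return int(IP(first)), int(IP(tokens.pop(0)))

def parse(acl_text):
    """Parse 'permit|deny proto src dst [eq port]' lines into rule tuples."""
    rules = []
    for line in acl_text.splitlines():
        tokens = line.lower().split()
        if not tokens:
            continue
        action, proto = tokens.pop(0), tokens.pop(0)
        src, dst = _addr(tokens), _addr(tokens)
        port = int(tokens[1]) if tokens[:1] == ["eq"] else None
        rules.append((action, proto, src, dst, port))
    return rules

def _match(spec, ip):
    addr, wild = spec
    # Wildcard bits set to 1 are "don't care" (the inverse of a subnet mask).
    return (int(IP(ip)) | wild) == (addr | wild)

def evaluate(rules, proto, src, dst, dport=None):
    """Return the action of the first matching rule, as IOS does."""
    for action, r_proto, r_src, r_dst, r_port in rules:
        if r_proto not in ("ip", proto):
            continue
        if not (_match(r_src, src) and _match(r_dst, dst)):
            continue
        if r_port is not None and r_port != dport:
            continue
        return action
    return "deny"  # implicit deny that ends every ACL

if __name__ == "__main__":
    rules = parse(GUEST_ACL)
    guest = "192.168.2.50"  # constructed guest-WLAN address (assumption)
    for dst, port in [("192.168.123.10", 9100), ("192.168.123.10", 80),
                      ("192.168.123.20", 445), ("203.0.113.5", 443)]:
        print(dst, port, "->", evaluate(rules, "tcp", guest, dst, port))
```

Because evaluation stops at the first match, placing the `deny` line above the printer `permit` makes the printer unreachable from the guest side, which is why the ACL is deleted and rebuilt with the printer rule at the top.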
http://articles.techrepublic.com.com/5100-1035_11-6112644.html

The fonts are messed up since the site redesign. Just copy paste the commands on to a notepad file and it will be clear what it is.
Does IPS have a big impact on the 871w's performance? Would you recommend upgrading flash and system memory?
0 Votes
+ -
From what I understand, Cisco won't sell it if it can't handle it. So for a 3 mbps broadband connection it should work.

We'll have to look into getting an IDS module for the router so we can do a tutorial on it.