Do you have experience with the Cisco 851 router? If so, what were your impressions? Share your feedback about the information in this article as well as your opinion of the CLI Configuration Worksheet, which you can download from http://downloads.techrepublic.com.com/abstract.aspx?docid=256394.
My Cisco 871W experience?

Well, my experience regarding CISCO was... NONE! Never worked with CLI, but I was advised to select CISCO to replace some old outdated routers from Symantec (they couldn't handle the bandwidth, and they couldn't handle all the special wishes for VLAN, WiFi etc.).

Our company has a central site connected to the internet through an 8 Mb/s line (actually a 10 Mb/s, but the other 2 Mbit are separated into a dedicated 2 Mb/s VoIP MPLS VPN). Through the 8 Mbit connection a Cisco 1812W maintains connections to 12 Cisco 871W working as department / construction-site routers.

At every site there are 2 LAN ports bridged with a wireless LAN which are VPN site-2-site connected to the central LAN, and 2 other ports on a different local LAN segment separated from the "Corporate LAN" for guest access etc. The guest LAN is likewise bridged with a guest WiFi LAN, so customers can receive a WPA passcode to access the Internet at our sites.

Basically I would say that it'll take some time for a Cisco-CLI-virgin, despite the comfort of Cisco SDM (Secure Device Manager, a GUI to visually configure the router). Regardless of the SDM, it's almost 100% sure that you have to examine the CLI to locate bugs that the SDM doesn't catch.

All of my external sites have static IPs delivered by DHCP, and I only just recently discovered that the "reset configuration" could be altered to meet my needs. Which means that if the router needs to be reset, if I accidentally lock myself out (router management access restriction), the local users can be instructed to insert a paperclip in the reset hole and restart the router holding the clip inserted for 10 seconds. It also means that when a worksite changes, and the router goes to another site, I only have to change the IP address in my central router (1812W) and it's up and running again.

Generally I like them. But the manuals located on the web and the internal webserver are a bit limited, and are mainly concentrated on the CLI and on explaining "what-am-I-looking-at", not "how-can-I-use-it".

The SDM needs to be praised!! The SDM v. 2.3.1 has a section enabling you to cut and paste parts of the configuration directly into a window. Pretty cool when you need to restore a previously saved backup. Just paste the backup config into a window and hit the "Replace" button, and the router replaces the config and reboots (well, once every 3 or 4 times you have to make sure it actually does so, and if not: repeat. Just ping the router and if it disappears, it's booting!!)

Now I only have one major problem: the guest WiFi authentication is done by inserting a WPA code in the router (which means that I have to be contacted to make it happen), but I would really LOVE it if I had a central website where my coworkers could click on a button and receive a time-limited code for wireless access on specific routers. Or maybe a local website running on the router where an account could log in and open a guest account for 2 days or 1 week etc...

The access to the corporate VPN-LAN SSID (VPN-Site2Site) is made in such a way that the individual routers make a RADIUS authorization request to my AD, and thereby allow users having "Dial-In" enabled in my AD access to WiFi (that took time to make!!).

I'm running the IOS advipservices9-mz.123-8YI2.bin image on the 871W boxes, and the c181x-advipservicesk9-mz.124-2.T2.bin on my 1812.

I would recommend the 871W, but do spend some time playing with the router before hooking up the business through it.

For testing I had the 871W running the central site (10 Site-2-Site) without any problems for 2 days.

Another great tool for Cisco backups of a lot of boxes at the same time, which is a must-have, is Kiwi CatTool: it will perform configuration backups of many devices at the same time, issue commands via Telnet or SSH to many devices at once, and change all your network device passwords in one go. And a whole lot more. Go grab a freeware copy at http://www.kiwisyslog.com/products.php (limited to 1 thread; the "Engineer Single install" version has 10 threads, and can only be running in one instance on the local LAN segment (broadcast range)). But it's just what you need if you need to roll back the box to an old configuration.
0 Votes
+ -
port forwarding
tomterrifk@... Updated - 26th Dec 2006
anyone have a good config that will allow port forwarding to lan ip server, std stuff, dns, smtp, http, etc on a Cisco 851W?

haven't seen any that work.

Thanks
0 Votes
+ -
Hope this is in an acceptable forum, this is my current experience with the router.

Admin, if this is in the wrong place could you move it please?

Router is a 871w purchased a while back. Calling Cisco for help is akin to pulling your own teeth with rusty pliers. They are almost Microsoft! >:-(

The reason this all started is that I had had the box sitting around for a while without using it, mainly because I had had headaches with the previous SDM and couldn't get the box to ping or much of anything else. I couldn't load the SDM because it didn't have enough memory (so the error message said). I got a memory stick to try and alleviate this problem and I decided to work on it again since there was a newer SDM out there. I booted the box and it said that there was no bootable image in flash:/ like I have read about here. I have tried to deal with this with the memory installed and removed with the same results.

With the stick installed it shows 196608 for the memory.
I have tried two different IOS levels:
c870-advsecurityk9-mz.123-14.YT1.bin
and
c870-advsecurityk9-mz.124-11.T1.bin

On each I have gone through the configuration template. On each I have tried to save at Router# using copy run start and also write and write memory. It thinks for a second then shows OK. No error messages. If I do a reload it seems to hold the configuration. If I do a power down restart the system is back to the starting point with nothing that I configured saved.

the and... part

Do I need to upgrade the ROMmon from the 12.3(8)YI to get this to work or would it matter?
Which IOS should I be using? I'm pretty sure I can get one from the guys I bought the box from.
How do I get back to being able to use the SDM since I can't get an IP configured on the switch because it is a L2? I do want to try using the SDM first so I can determine that it was my ignorance and not something physically wrong with the box.

Anybody else had this happen?

I didn't post the configuration because until I can get it to save it doesn't matter.

I have been reading these articles and pounding on this box for 3 or 4 days with no results except frustration with Cisco (the Microsoft of the router hardware world).

If there is an answer here I have not found it. I apologize if this ends up being redundant in some manner.


And one more thing. When I look at the nvram directory I get this:

Directory of nvram:/

120 -rw- 3956 startup-config
121 ---- 1920 private-config
122 -rw- 3956 underlying-config
1 ---- 34 persistent-data
2 -rw- 580 IOS-Self-Sig#3701.cer
3 -rw- 0 ifIndex-table
4 -rw- 580 IOS-Self-Sig#3702.cer
5 -rw- 580 IOS-Self-Sig#3703.cer
6 -rw- 590 IOS-Self-Sig#3704.cer
7 -rw- 580 IOS-Self-Sig#3705.cer
8 -rw- 580 IOS-Self-Sig#3706.cer
9 -rw- 580 IOS-Self-Sig#3707.cer
10 -rw- 579 IOS-Self-Sig#1.cer
11 -rw- 579 IOS-Self-Sig#2.cer
12 -rw- 579 IOS-Self-Sig#3.cer
13 -rw- 579 IOS-Self-Sig#4.cer

131072 bytes total (111832 bytes free)

Shouldn't the startup-config be marked as executable? as in rwx?

I'm losing hair fast here. sad

TIA for your help,

rlj
0 Votes
+ -
deleted nvram
rlj@... 3rd Mar 2007
I deleted the nvram contents and it let me in. Go figure.
0 Votes
+ -
Spoke too soon
rlj@... 3rd Mar 2007
still not saving to nvram. >:-(
0 Votes
+ -
ok finally
rlj@... 3rd Mar 2007
It was indeed saving to nvram; however, in rommon it was set to boot to image 2 (default) and for whatever reason that didn't work. I changed it to 3 and it worked.

Now back to the configuration battle.

Thanks for your help.
I have the non-wireless version, the 871. I should be able to simply delete the wireless portions and use the rest of the configs, correct?

Secondly, do you have one of these templates for an Aironet 1200?
0 Votes
+ -
Yes and yes
georgeou 23rd May 2007
Yes, you can just strip the radio interface portion.

Read this guide. Aironet 1200 template included.
http://blogs.techrepublic.com.com/Ou/?p=404
Can anyone point me in the right direction to set up an 857W with PPPoE?
0 Votes
+ -
I have followed your tutorial to the letter, I believe, and my Wireless Client is dropping 50% of all packets. The Router can ping externally w/o packet loss. I am using the Guest Vlan, but dhcp is assigning address from the Internal Vlan..? Any ideas? Any Help... anyone.

Thanks in advance

Scott B.
Is there a way to configure the Cisco 851W as an access point
only. I have 1 sitting around, and I want to create a small
wireless LAN at our site. My thought was to set up the 851W
as an access point and connect to one of our switches.

Thanks,

Greg
0 Votes
+ -
I have configured my 851w exactly according to the template provided and most of the functionality seems to be great. I am, however having a small problem with my Guest WLAN.

It seems that while one computer can connect wirelessly to this interface, if a 2nd computer attempts to establish a wireless connection, that computer will continuously drop the connection to the wireless network.

I'm not seeing anything in either the template or either computer's wireless NIC settings/config that might indicate why this would be occurring. Any thoughts or suggestions would be much appreciated. Thanks!
0 Votes
+ -
How would this be configured to run on IPv6? I think Cisco specs the 871 to operate with it.
You could configure the LAN to use IPv6 and then translate it to IPv4. Are you actually trying to do this? It isn't easy to do on the client side.
0 Votes
+ -
I work for a value added reseller and most of the routers I have been involved with are the older 800 series and the SOHO routers. With those I just needed to work with physical interfaces, or, with the SOHOs interface E0 which was the virtual interface for the physical interfaces on the back.

I just got in my first 857W last week and it is a whole new world. I had your 871 article which was a great help, but, as you mentioned, things do not quite work the same. It took me the better part of three days working out how to get the wired and wireless LANs to talk to each other and to the dialer. I probably would not have made it without the help of your template or a call to Cisco. I was only comfortable using one wireless LAN; had I read this article the open and private wireless LANs might have been a better solution. Too late now, the router is at a customer across the state.

I like the new virtual interface setups, but they are very different from the old SOHOs.
I made a mistake on the original 871W template and we've posted a new version of it. Please download it again. Sorry about that.

I'm glad this is helping you.
0 Votes
+ -
851W or 871W?
Hantra 13th Sep 2006
So if I'm a total Cisco newb, and want a router for my home to interface with the cable modem, would I benefit at all from the 871W versus the 851W?

Thanks,

B
If you want to run VLANs on the switch or QoS, you'll need the 871.
0 Votes
+ -
Non-PPPoE Config?
adam@... 14th Sep 2006
This is a great article, however, it doesn't explain how to do a setup for any type of broadband connection except for PPPoE. I have a cable modem. How would I configure that?
DHCP and Static IP template due next week. I have the templates but I haven't tested them in the field yet. If you send me a private message, I can email you the template if you want to beta test it.
0 Votes
+ -
I'm converting my SOHO (4 workstations) from a workgroup to a domain with a dedicated file/print server running Windows SBS 2003. I currently run the CLI template for a cable modem. My question is: How do I adjust my router configuration to allow a static IP for my server? Any suggestions or comments are appreciated.
0 Votes
+ -
I don't know what I am doing wrong, but when I press the replace button I can't find the info I entered in the variables sheet. So if I cannot see it, how can I copy/paste it?
0 Votes
+ -
A brand new sheet is created
georgeou Updated - 26th Dec 2006
You don't look for the output in the variable's tab/sheet. A brand new sheet is created every time you press the replace button.
I have had my router for over a year and the support with Cisco has expired. I just picked up a new laptop for my wife for Xmas and now I need to enable the wireless on the router. I entered almost all the commands pertaining to the Dot11Radio from the excel work sheet. I can connect to the SSID but I do not get an IP address assigned to me and then Windows XP says I have limited connectivity to the network and I have internet access.

Here is a copy of my config (minus the passwords). I couldn't get it all to copy into Notepad, but I think all the important stuff is there. Also, if there are any other recommendations you would make, please let me know; I will be happy to consider implementing them.

Building configuration...

Current configuration : 5356 bytes
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname $A\/aGe_|)r@G0/\/
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$S/
!
username Moonspell privilege 15 secret 5 $1$a.n/
clock timezone NewYork -5
clock summer-time NewYork date Apr 6 2003 2:00 Oct 26 2003 2:00
aaa new-model
!
!
aaa authentication login local_authen local
aaa authorization exec local_author local
aaa session-id common
ip subnet-zero
no ip source-route
ip dhcp excluded-address 10.10.0.1 10.10.2.0
ip dhcp excluded-address 10.10.3.101 10.10.255.254
!
ip dhcp pool sdm-pool
import all
network 10.10.0.0 255.255.0.0
default-router 10.10.1.1
lease 10 2
!
!
ip cef
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip tcp synwait-time 10
no ip bootp server
no ip domain lookup
ip domain name darksun.wrld
no ftp-server write-enable
!
crypto pki trustpoint tti
revocation-check crl
rsakeypair tti
!
interface Null0
no ip unreachables
!
interface FastEthernet0
no ip address
no cdp enable
!
interface FastEthernet1
no ip address
no cdp enable
!
interface FastEthernet2
no ip address
no cdp enable
!
interface FastEthernet3
no ip address
no cdp enable
!
interface FastEthernet4
description $ES_WAN$$FW_OUTSIDE$
ip address dhcp
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip inspect SDM_LOW out
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
no cdp enable
!
interface Dot11Radio0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
!
encryption vlan 1 mode ciphers tkip
speed basic-1.0 basic-2.0 basic-5.5 basic-6.0 basic-9.0 basic-11.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0
station-role root
no cdp enable
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 10.10.1.1 255.255.0.0
You can't just take some components and not others without understanding how the CLI configuration works.

You have a situation where your Wireless LAN is bridged to VLAN1 which is a completely different subnet than the IPs you're handing out with your DHCP pool.

ip dhcp pool sdm-pool
network 10.10.0.0 255.255.0.0

interface Vlan1
ip address 10.10.1.1 255.255.0.0

See how these don't match?

I would highly recommend that you copy the entire configuration and not just bits and pieces of it. Then you can modify the configuration from there after you get the network working.
0 Votes
+ -
I configured 851w with your template, connecting to GuestWlan but no IP given. Any ideas? The other vlan works great.
I am trying to get something very similar set up as your config here. The problem I am having is that the internal network (InternalWLAN in your example) is WPA and the GuestNet is WEP (this is so that older devices I have can have a separate VLAN for their use of WEP). I want all my PCs etc. to use the WPA WLAN, and my Tivo, game adapter, etc. to use the WEP WLAN, and create the necessary ACLs to secure the WEP net from the WPA and internal.

That being said, the problem I have is that I CAN connect to the WPA network with no problems, even with the SSID not being broadcast. When I pull up NetStumbler, it works (although until I associate, the SSID is hidden). The WEP network is not being shown, though, and the MAC of that interface is showing up as 00000000, no SSID, and I cannot connect to it at all.

Here is my config, if you could take a look, it would be a huge help, thanks! (there are other smatterings in the config that are works in progress, so bear with me)

Cisco IOS Software, C870 Software (C870-ADVSECURITYK9-M), Version 12.4(11)T, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Sun 19-Nov-06 03:57 by prod_rel_team

Config:
[snip]
interface FastEthernet4
description WAN port
ip address dhcp
duplex auto
speed auto
!
interface Dot11Radio0
no ip address
!
encryption vlan 10 mode ciphers tkip
!
encryption vlan 20 mode ciphers wep128
!
encryption mode ciphers tkip wep128
!
ssid ferrari
vlan 20
authentication open
guest-mode
!
ssid flashpoint
vlan 10
authentication open
authentication key-management wpa
wpa-psk ascii 7 01120A01430A080B725E
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
channel 2462
station-role root
!
interface Dot11Radio0.10
encapsulation dot1Q 10
bridge-group 10
bridge-group 10 subscriber-loop-control
bridge-group 10 spanning-disabled
bridge-group 10 block-unknown-source
no bridge-group 10 source-learning
no bridge-group 10 unicast-flooding
!
interface Dot11Radio0.20
encapsulation dot1Q 20
bridge-group 20
bridge-group 20 subscriber-loop-control
bridge-group 20 spanning-disabled
bridge-group 20 block-unknown-source
no bridge-group 20 source-learning
no bridge-group 20 unicast-flooding
!
interface Vlan1
no ip address
!
interface Vlan10
description Trusted LAN segment
no ip address
ip virtual-reassembly
bridge-group 10
bridge-group 10 spanning-disabled
!
interface Vlan20
description Untrused Wireless Segment
no ip address
ip virtual-reassembly
bridge-group 20
bridge-group 20 spanning-disabled
!
interface Dialer0
no ip address
!
interface BVI20
description Bridge to Guest Network
ip address 10.10.3.1 255.255.255.0
ip virtual-reassembly
!
interface BVI10
description Bridge to Trusted Wireless Network
ip address 10.10.2.1 255.255.255.0
ip virtual-reassembly
!
[snip]


Any and all help would be appreciated!

Thanks,

Bob
Cisco Aironet APs already support multi-broadcast SSIDs and they've done so for a year now or more. You'll have to wait till the 800 series supports multi-broadcast SSIDs.

This is why I get so irritated by people who keep suggesting that hidden SSIDs are more secure when they're not more secure. You'll just cause a lot of problems and not get any more security.

I would suggest that you make your WEP network the broadcast SSID since most WPA devices can at least tolerate hidden SSIDs. The fact that devices are still being sold with WEP only is a crying shame.
I only need one to broadcast, and the WEP ssid is the one that is set to guest-mode (see the posted config). The problem is in the WEP configuration, and the assignment of IP's. So, I have been working on this, and can use the non-broadcast WPA network with no problems at all. I cannot associate with and cannot get an IP on the second VLAN.

That being said, I have a few questions (sorry!)

1) Does the ISR platform support multiple DHCP servers running, one for each VLAN? I added Fa3 to the same VLAN as the WEP SSID BVI20, and neither can get an address, but VLAN10 can get an address no problem.
2) I absolutely agree it is a shame that stuff sells as WEP only, but I am stuck with what I am stuck with, unless I run a physical port to the third floor from the basement - a MAJOR feat.
3) I just upgraded to c870-advipservicesk9-mz.124-11.T1.bin to enable the IPS support... but the latest SDM won't configure the IPS (LOL!). Guess I will have to do all that from the CLI.

Comments are appreciated!

Thanks,

Bob
Just create a new scope for it with a subnet that matches the Interface.
0 Votes
+ -
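The advice in the reply above, one DHCP scope per wireless VLAN with a subnet matching the routed interface, can be checked mechanically. The Python below is an added example, not part of the thread or of the TechRepublic template; the sample config is constructed and the function names and status labels are this example's own. It assumes the IRB layout used in the posted configs, where `bridge-group n` on a Dot11Radio subinterface is routed through `BVIn`.

```python
import ipaddress
import re

# Constructed sample (not from the thread): two wireless VLANs, one DHCP scope.
SAMPLE_CONFIG = """\
ip dhcp excluded-address 10.10.2.1 10.10.2.99
!
ip dhcp pool trusted-pool
 network 10.10.2.0 255.255.255.0
!
interface Dot11Radio0.10
 bridge-group 10
!
interface Dot11Radio0.20
 bridge-group 20
!
interface BVI10
 ip address 10.10.2.1 255.255.255.0
!
interface BVI20
 ip address 10.10.3.1 255.255.255.0
!
"""


def parse(config):
    """Collect interfaces, DHCP pools and excluded ranges from IOS config text."""
    ifaces, pools, excluded = {}, {}, []
    ctx = None  # ("if", name) or ("pool", name); a "!" line closes the block
    for raw in config.splitlines():
        w = raw.split()  # indentation is ignored, pasted configs often lose it
        if not w:
            continue
        if w[0] == "!":
            ctx = None
        elif w[0] == "interface" and len(w) == 2:
            ctx = ("if", w[1])
            ifaces[w[1]] = {"ip": None, "bridge": None}
        elif w[:3] == ["ip", "dhcp", "pool"] and len(w) == 4:
            ctx = ("pool", w[3])
        elif w[:3] == ["ip", "dhcp", "excluded-address"] and len(w) >= 4:
            lo = int(ipaddress.ip_address(w[3]))
            hi = int(ipaddress.ip_address(w[4])) if len(w) > 4 else lo
            excluded.append((lo, hi))
        elif ctx and ctx[0] == "if" and w[:2] == ["ip", "address"] and len(w) == 4:
            ifaces[ctx[1]]["ip"] = ipaddress.ip_interface(f"{w[2]}/{w[3]}")
        elif ctx and ctx[0] == "if" and w[0] == "bridge-group" and len(w) == 2:
            ifaces[ctx[1]]["bridge"] = int(w[1])
        elif ctx and ctx[0] == "pool" and w[0] == "network" and len(w) == 3:
            pools[ctx[1]] = ipaddress.ip_network(f"{w[1]}/{w[2].lstrip('/')}", strict=False)
    return ifaces, pools, excluded


def free_addresses(net, excluded):
    """Count host addresses in net that the excluded ranges leave available."""
    first, last = int(net.network_address) + 1, int(net.broadcast_address) - 1
    taken, cursor = 0, first - 1  # cursor: highest address already counted
    for lo, hi in sorted(excluded):
        lo, hi = max(lo, cursor + 1), min(hi, last)
        if lo <= hi:
            taken += hi - lo + 1
            cursor = hi
    return (last - first + 1) - taken


def routed_address(name, ifaces):
    """Gateway address for an interface: its own, or BVI<n> for bridge-group n (IRB)."""
    data = ifaces[name]
    if data["ip"] is None and data["bridge"] is not None:
        return ifaces.get(f"BVI{data['bridge']}", {}).get("ip")
    return data["ip"]


def audit(config):
    """Return (subinterface, status, detail) for every Dot11Radio subinterface."""
    ifaces, pools, excluded = parse(config)
    findings = []
    for name in ifaces:
        if not re.fullmatch(r"Dot11Radio\d+\.\d+", name):
            continue
        gw = routed_address(name, ifaces)
        if gw is None:
            findings.append((name, "no-routed-interface", ""))
            continue
        scopes = [p for p, net in pools.items() if net == gw.network]
        if not scopes:
            # Expected only when clients get addresses from an external DHCP server.
            findings.append((name, "no-dhcp-scope", str(gw.network)))
        elif free_addresses(gw.network, excluded) == 0:
            findings.append((name, "scope-fully-excluded", scopes[0]))
        else:
            findings.append((name, "ok", scopes[0]))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Feed it the text of `show running-config`; a `no-dhcp-scope` result for a guest subinterface corresponds to the "connected but no IP given" symptom several posters describe.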
DNS Server
liam@... Updated - 1st Mar 2007
The 871W template for static IP configures the router to ask the ISP for the DNS Server Addresses. How would I change the template to set 2 static DNS Servers?

Edit...forget I asked the question. I just read the post on configuring DHCP and it explained what to do. Thanks anyway.
I am able to connect through interface ports and through internal WLAN, but am unable to retrieve an address from guest WLAN. I followed the DHCP template and am able to ping the guest gateway.
The ACL blocks it from pinging the Internal LAN but should allow it to ping the Internet. You might need to save the config and reload the router.
0 Votes
+ -
Same issue
FredJ 30th Sep 2007
Have you resolved your issue yet? If so I am interested in the resolution. I have the same problem, configured 851w with template, connecting to GuestWlan but no IP given.
I can ping my desktop from my wireless laptop but I can't ping the laptop from the desktop or the router; the laptop won't even ping its own IP. Everything else works fine.

ping 192.168.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Kaine#ping 192.168.1.100

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Kaine#ping 192.168.1.101

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.101, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Kaine#ping 192.168.2.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
I am using the dhcp template
0 Votes
+ -
krmaxwell81@.., have you resolved your issue yet. I have a 851w and followed the template, I connect and get authenticated but no IP is given? Anyone have this issue resolved?
Hi, Thanks for the top quality article. Having just received a Cisco 857W from Telstra (Australia) for broadband this tutorial is fantastic!

I have a very similar setup already running on my 857W, but I can't get the wireless computers to ping or connect to any other wireless computers. Wireless to wired connections are okay (and vice-versa), as are wireless to the router and internet.

My question is - will implementing this config allow wireless hosts to ping each other, and see each other in the network neighborhood (XP and Vista machines).


Many thanks!
Trav
0 Votes
+ -
It should work
georgeou 16th May 2007
It should work if you follow it exactly or only make changes you understand.

Before you do this though, make sure you back up your current configuration.
0 Votes
+ -
Were you able to get this issue resolved??
I have the exact same issue, being that any wireless device on the internal network cannot ping/browse any other wireless device on the internal network..

Any suggestions???
Tried this on the 877W with no joy, stripped out additional VLAN as it doesn't support it, anyone else got this working on this router?
Thanks for the config, works flawlessly. The only thing that I am curious about is that, just for kicks, I went to the web config page and noticed that under firewall, it says that it is disabled. I tried running the Cisco SDM and it also shows the firewall as not configured. However, when I try to configure it or turn it on, it doesn't quite work.
I was wondering if this is because it's already set up through the CLI and therefore the web based config is just not seeing it... or is the firewall really not set up with this config?
0 Votes
+ -
Yup
jnicita1970 15th Nov 2007
I've been asking for months for some assistance on getting NAT and firewall working with this configuration. Once you fire off the auto configuration of the firewall or try to turn on the NAT forwarding, the rest of the configuration breaks. I know it's because I don't know what I am doing, but I thought that was why I was here. I found that you can do this: go to SDM and do an audit. It will try to turn on all kinds of protection (I find most will mess the configuration up, making it useless); however, don't activate any of the features that it suggests, but at the end, there is an "add firewall to outside interface". Click on activate this; that will turn your firewall on on the outside interface, doing 2 things. The most important being that you can actually look at the firewall and make changes (before doing this, SDM reports the firewall isn't on and starts flipping EVERYthing into a default, which destroys the rest of the config you did with this Excel sheet), but after you turn just the firewall on on the outside interface, you can now click on the firewall icon in SDM and start to try to add rules, and mess around.

I unfortunately tried to add port forwarding NAT entries via the IOS command line, and for the life of me can't get it working. Maybe someone who already has worked with this configuration and learned how to add NAT and firewall can help, but I haven't found them. I've posted this config all over and haven't gotten much in the last 4 months or so.

good luck
The template works great!!

What is the best setup to decrease the Signal Strength of 851W? If I set the CCK and OFDM transmitter power to 7 dBm, is that considered lowest signal strength or is there a recommended setting?
0 Votes
+ -
Wireless Issues
elliott9@... Updated - 16th Sep 2007
I have been using the spreadsheet to set up my Cisco 851W. The only difference is I want 1 wireless LAN instead of 2, so I have made the needed changes (I think). Also, I haven't got to the firewall part yet.

My wired connectivity works great! The problem is when I use my laptop to connect to the Wireless LAN I am unable to pull an IP address. I turned on "debug ip dhcp server events" and there doesn't even seem to be any kind of a request for an IP coming in. I tried statically assigning an IP to my laptop but I was unable to ping the default gateway. Does anybody have any ideas?

Here is my running config:
Current configuration : 3606 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname LM-router
!
boot-start-marker
boot-end-marker
!
enable secret 5 --[OMITTED]--
!
no aaa new-model
!
resource policy
!
ip subnet-zero
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.100.1 192.168.100.10
!
ip dhcp pool internal-pool
network 192.168.100.0 255.255.255.0
default-router 192.168.100.1
dns-server 68.2.16.25
lease 7
!
!
ip cef
no ip domain lookup
!
!
!
!
bridge irb
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
ip address dhcp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface Dot11Radio0
no ip address
!
encryption vlan 1 mode ciphers tkip
!
ssid LM-WLAN
vlan 1
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 7 --[OMITTED]--
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
channel 2437
station-role root
no dot11 extension aironet
no cdp enable
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no snmp trap link-status
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
!
interface Vlan1
no ip address
ip nat inside
ip virtual-reassembly
no ip route-cache cef
no ip route-cache
bridge-group 1
bridge-group 1 spanning-disabled
!
interface BVI1
ip address 192.168.100.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
router rip
version 2
redistribute connected
redistribute static
network 192.168.100.0
!
ip classless
!
no ip http server
no ip http secure-server
ip nat pool PAT 68.228.199.228 68.228.199.228 netmask 255.255.255.0
ip nat inside source list 20 pool PAT overload
!
access-list 20 permit 192.168.100.0 0.0.0.255
!
control-plane
!
bridge 1 route ip
banner motd ^C
Lord Mueller's Personal Router/Network
^C
!
line con 0
password 7 --[OMITTED]--
login
no modem enable
line aux 0
password 7 --[OMITTED]--
line vty 0 4
password 7 --[OMITTED]--
login
!
scheduler max-task-time 5000
ntp server 64.254.132.24
end
How do you configure a subinterface? I've got a 2924 switch (fa 0/1) connected to fa1 on my 871; I can see each device if I do a "sh cdp neighbors/detail" but I can't ping either device...

Jay
0 Votes
+ -
I'd like to use the same config except with a free hotspot.
Any chance of getting this config?
0 Votes
+ -
Can't ssh or http into the router
bob@... Updated - 29th Nov 2007
I've got an 871w with the latest adv. IP svcs IOS.

I changed the primary IP range to 192.168.0/24 and the guest-net to 192.168.1/24. I don't know if that makes a difference.

My router gives me an IP address and things appear to be working OK, but I can't ssh or http to 192.168.0.1. I can ping it.

Any ideas?

Thanks!
Thank you for this information. I was able to get my 851W up and running using the Static template.

Once I installed the template generated config, I still had to use the Cisco SDM webpage utility to add the Route and the WAN ip. I didn't know how to do this via CLI. For some reason it did not install using the template.

Then, I had to add my own DNS servers to the ip dhcp pool VlAN20 by using the DNS-Server x.x.x.x x.x.x.x command in the CLI. Because, when I would connect with a wireless laptop, it flat out would not find google until I added the DHCP DNS-SERVER to the config.

I struggled for two days trying to get this to work until I found this template and it really helped, even though it was not a cut and paste solution for me.
And use my internal DHCP server on the Internal LAN (both LAN and WAN) by just deleting the DHCP portion related to the Internal NET?
0 Votes
+ -
Just delete the entire DHCP portion for the internal network.
Is there PPPoE template (not DSL) anywhere?
George, Justin,
thanks, this guide was tremendously helpful. The setup is working nicely with my 851W. Could not have figured that out on my own, Cisco's website is just.. uhm... overwhelming.


A few remarks:
- the Excel macro button doesn't work on Excel for Mac 2004, but no big deal as one can just use the reference page manually and fill in the values
- command: "ip route 0.0.0.0 0.0.0.0 [WAN-GW ip number]" was entered as "ip route 0.0.0.0 0.0.0.0 FastEthernet4" in my existing config, and I left it that way. Dunno if it really makes a difference.
- I added the "dns-server" command under "ip dhcp pool VLAN20" as well, it seems to be missing (although maybe that's fine?)
- DHCP for Guest VLAN20 hands out IP numbers 2.2, 2.3, 2.4 etc. although those are registered as reserved - a very minor issue, but looks like an IOS bug - not sure

Field report:
I'm using my Cisco with Mac computers, and they have a little issue when re-attaching themselves to the internal VLAN with the hidden SSID. Most often one has to manually choose the network again after restarting or waking the computer from sleep. Same issue with my iPod touch. So I just use "guest-mode" under VLAN1 now, which makes everything work perfectly, and I'll let my potential guests deal with the hidden SSID.

In case some guru can help me with another setup question:
- how can I set up a dedicated DMZ computer inside my LAN?
- is it possible to assign a 2nd static WAN IP to that DMZ?
I can't the heck find any documentation on those questions.

Thanks again,
Regards

The Deranged Chef
OK, I've had this 871w for about 2 months now. Finally got it set up. I'm having one small problem I can't seem to troubleshoot. The router can ping out to anywhere I want, but it's not passing that to any computer, wireless or hard-lined. Below is my setup. Does anyone see what I'm missing? I figure it's gotta be something small that I just don't see.


Building configuration...

Current configuration : 8019 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname *****
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5 *****
enable password 7 ******
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
aaa session-id common
!
resource policy
!
clock timezone PCTime -6
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
ip subnet-zero
no ip source-route
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.99
ip dhcp excluded-address 192.168.2.1 192.168.2.99
!
ip dhcp pool Internal-net
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
domain-name None.com
lease 4
!
ip dhcp pool VLAN20
import all
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
domain-name None.com
lease 4
!
!
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip inspect name MYFW tcp
ip inspect name MYFW udp
ip tcp synwait-time 10
no ip bootp server
ip domain name None.com
ip name-server 216.83.236.227
ip name-server 216.83.237.238
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto pki trustpoint TP-self-signed-784456476
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-784456476
revocation-check none
rsakeypair TP-self-signed-784456476
!
!
crypto pki certificate chain TP-self-signed-784456476
certificate self-signed 01
quit
username neworleansevent privilege 15 secret 5 *****
!
!
!
bridge irb
!
!
interface FastEthernet0
spanning-tree portfast
!
interface FastEthernet1
spanning-tree portfast
!
interface FastEthernet2
spanning-tree portfast
!
interface FastEthernet3
spanning-tree portfast
!
interface FastEthernet4
description $ES_WAN$$FW_OUTSIDE$
ip address 208.115.6.170 255.255.255.252
ip access-group Internet-inbound-ACL in
no ip redirects
no ip unreachables
no ip proxy-arp
ip inspect MYFW out
ip nat outside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1460
duplex auto
speed auto
no cdp enable
!
interface Dot11Radio0
no ip address
!
encryption vlan 1 mode ciphers tkip
!
encryption vlan 20 mode ciphers tkip
!
ssid EROFFICE
authentication open
!
ssid EROFFICE1
vlan 1
authentication open
authentication key-management wpa
wpa-psk ascii 7 135445415F59527D737D78
!
ssid EROFFICE2
vlan 20
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 7 055A545C7519185E415C47
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
channel 2412
station-role root
no dot11 extension aironet
no cdp enable
bridge-group 1
bridge-group 1 spanning-disabled
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no snmp trap link-status
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.20
description Guest wireless LAN - routed WLAN
encapsulation dot1Q 20
ip address 192.168.2.1 255.255.255.0
ip access-group Guest-ACL in
ip inspect MYFW out
ip nat inside
ip virtual-reassembly
no snmp trap link-status
no cdp enable
!
interface Vlan1
description Internal Network
no ip address
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
bridge-group 1
bridge-group 1 spanning-disabled
!
interface BVI1
description Bridge to Internal Network
ip address 192.168.1.1 255.255.255.0
ip access-group 100 in
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1412
!
ip classless
ip route 0.0.0.0 0.0.0.0 208.115.6.169
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet4 overload
!
ip access-list extended Guest-ACL
deny ip any 192.168.1.0 0.0.0.255
permit ip any any
ip access-list extended Internet-inbound-ACL
remark SDM_ACL Category=17
permit udp host 216.83.237.238 eq domain any
permit udp host 216.83.236.227 eq domain any
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any traceroute
permit gre any any
permit esp any any
!
logging trap debugging
access-list 1 remark INSIDE_IF=BVI1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 deny ip 10.10.10.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip any any
no cdp run
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
password 7 0822424D0E0B1C
no modem enable
transport output telnet
line aux 0
transport output telnet
line vty 0 4
privilege level 15
password 7 1511050F033832
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
I currently own an 871W router. No matter what I set, I just cannot ping any host in the WLAN except the default gateway and the host that plugs in physically to the router. I have been searching for a solution since the day I received the router. Please help?
0 Votes
Were you able to get this issue resolved??
I have a very similar issue, mine being that any wireless device on the internal network cannot ping/browse any other wireless device on the internal network..

Any suggestions???
I've been struggling with my brand new 851w for weeks trying to figure out
why the wireless connection is so slow between clients and the router. Wired
connections were always fine and the router itself could ping out with no
problem, but clients would get a ping of b/t 5 - 30 seconds to the unit itself...
unusable. It would also cause clients to randomly drop and/or stop them from
being able to connect at all.

I finally tried turning off the WPA from the guide and that fixed the entire
problem! Ping time to router is now 1.5ms (much more normal).

I'm wondering if the unit is possibly defective or if this is normal. I'm not too
used to working with WPA, so I don't know if it normally adds so much
overhead. Has anyone else had this issue?
I got it to work with the template. I decided to only make an internal VLAN and one SSID. I have one interface, fa 1, on an internal VLAN 1 and the other ports and radio on VLAN 10. My fa4 connects out to a Linksys DSL gateway. I'm not even sure if my landlord's Linksys gateway is ADSL or cable.
0 Votes
Excel ...
mail@... 1st Feb 2010
It'd be nice if we were given an actual howto. Not every shop is a Windows shop and not every version of Office supports these macros.
I can connect to the signal radio but I can't surf the internet from WLAN nor LAN
Interface IP-Address OK? Method Status Protocol
BVI1 192.168.1.1 YES manual up up
Dialer1 unassigned YES manual up up
Dot11Radio0 unassigned YES NVRAM up up
Dot11Radio0.1 unassigned YES unset up up
Dot11Radio0.20 192.168.2.1 YES manual up up
FastEthernet0 unassigned YES unset up up
FastEthernet1 unassigned YES unset up down
FastEthernet2 unassigned YES unset up down
FastEthernet3 unassigned YES unset up down
FastEthernet4 69.178.0.0 YES NVRAM up up
NVI0 69.178.0.0 YES unset up up
Vlan1 192.168.0.111 YES NVRAM up up
0 Votes
DHCP cable
cptroger 12th Mar 2010
Thanks so much (bow), got it working now. Learned so much from the setup example. U is my cisco guru!
0 Votes
I can't get connected. I get an IP address for my WAN port, but can't get the VLAN to access the internet.

Here is my config

Titanium_Gateway#show running-config
Building configuration...

Current configuration : 4103 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Titanium_Gateway
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$dL02$kQA2YhyStg5Tc2xezKm071
!
username admin privilege 15 password 7 011E07174F0E145C74
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
aaa session-id common
ip subnet-zero
ip cef
ip dhcp excluded-address 192.168.24.1
ip dhcp excluded-address 192.168.25.1
!
ip dhcp pool vlan24
import all
network 192.168.24.0 255.255.255.0
default-router 192.168.24.1
domain-name Azone
lease 4
!
ip dhcp pool vlan25
import all
network 192.168.25.0 255.255.255.0
default-router 192.168.25.1
domain-name Azone
lease 4
!
!
no ip domain lookup
ip domain name Azone
vpdn enable
!
no ftp-server write-enable
!
!
!
!
!
bridge irb
!
!
interface FastEthernet0
switchport access vlan 25
no ip address
!
interface FastEthernet1
switchport access vlan 24
no ip address
!
interface FastEthernet2
switchport access vlan 24
no ip address
!
interface FastEthernet3
switchport access vlan 24
no ip address
!
interface FastEthernet4
description WAN port
ip address dhcp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
pppoe enable
pppoe-client dial-pool-number 1
no cdp enable
!
interface Dot11Radio0
no ip address
!
encryption vlan 24 mode ciphers tkip
!
encryption vlan 25 mode ciphers tkip
!
ssid Test25
vlan 25
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 7 000C121614420F0716
!
ssid test 24
vlan 24
authentication open
authentication key-management wpa
wpa-psk ascii 7 0503071F31550E0D181C
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
no dot11 extension aironet
no cdp enable
!
interface Dot11Radio0.24
encapsulation dot1Q 24
bridge-group 24
bridge-group 24 subscriber-loop-control
bridge-group 24 spanning-disabled
bridge-group 24 block-unknown-source
--More--
*Mar 2 01:19:55.223: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet4, changed state to up
*Mar 2 01:19:56.263: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet4, changed sta no bridge-group 24 source-learning
no bridge-group 24 unicast-flooding
!
interface Dot11Radio0.25
encapsulation dot1Q 25
bridge-group 25
bridge-group 25 subscriber-loop-control
bridge-group 25 spanning-disabled
bridge-group 25 block-unknown-source
no bridge-group 25 source-learning
no bridge-group 25 unicast-flooding
!
interface Vlan1
no ip address
!
interface Vlan24
description internal network
no ip address
ip nat inside
ip virtual-reassembly
bridge-group 24
bridge-group 24 spanning-disabled
!
interface Vlan25
description Guest Network
ip dhcp client update dns
no ip address
ip access-group Guest-ACL in
ip nat inside
ip virtual-reassembly
bridge-group 25
bridge-group 25 spanning-disabled
!
interface Dialer0
ip address dhcp
!
interface Dialer1
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp ipcp dns request
ppp ipcp address accept
!
interface BVI24
description internal network
ip address 192.168.24.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface BVI25
description Bridge to Guest Network
ip address 192.168.25.1 255.255.255.0
ip access-group Guest-ACL in
ip nat inside
ip virtual-reassembly
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip http server
ip http secure-server
ip nat inside source list 1 interface Dialer1 overload
!
ip access-list extended Guest-ACL
deny ip any 192.168.24.0 0.0.0.255
permit ip any any
!
access-list 1 permit 192.168.24.0 0.0.0.255
access-list 1 permit 192.168.25.0 0.0.0.255
dialer-list 1 protocol ip list 1
!
control-plane
!
bridge 24 route ip
bridge 25 route ip
!
line con 0
password 7 060B0E32584B1B4A50
no modem enable
transport preferred all
transport output all
line aux 0
transport preferred all
transport output all
line vty 0 4
privilege level 15
password 7 1043080A1112005859
transport preferred all
transport input all
transport output all
!
scheduler max-task-time 5000
end

Titanium_Gateway#
*Mar 2 01:23:56.663: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet4, changed state to up
Titanium_Gateway#
Titanium_Gateway#
Titanium_Gateway#show ip itn
Titanium_Gateway#show ip inter
Titanium_Gateway#show ip interface br
Titanium_Gateway#show ip interface brief
Interface IP-Address OK? Method Status Protocol
BVI24 192.168.24.1 YES NVRAM up up
BVI25 192.168.25.1 YES NVRAM up up
Dialer0 unassigned YES DHCP up up
Dialer1 unassigned YES NVRAM up up
Dot11Radio0 unassigned YES TFTP up up
Dot11Radio0.24 unassigned YES unset up up
Dot11Radio0.25 unassigned YES unset up up
FastEthernet0 unassigned YES unset up down
FastEthernet1 unassigned YES unset up down
FastEthernet2 unassigned YES unset up down
FastEthernet3 unassigned YES unset up down
FastEthernet4 unassigned YES DHCP up up
Virtual-Dot11Radio0 unassigned YES TFTP down down
Virtual-Dot11Radio0.24 unassigned YES unset down down
Virtual-Dot11Radio0.25 unassigned YES unset down down
Vlan1 unassigned YES NVRAM up down
Vlan24 unassigned YES NVRAM up down
Vlan25 unassigned YES NVRAM up down
Titanium_Gateway#
*Mar 2 01:25:17.219: %DHCP-6-ADDRESS_ASSIGN: Interface FastEthernet4 assigned DHCP address 192.168.2.3, mask 255.255.255.0, hostname Titanium_Gateway

Titanium_Gateway#show ip interface brief
Interface IP-Address OK? Method Status Protocol
BVI24 192.168.24.1 YES NVRAM up up
BVI25 192.168.25.1 YES NVRAM up up
Dialer0 unassigned YES DHCP up up
Dialer1 unassigned YES NVRAM up up
Dot11Radio0 unassigned YES TFTP up up
Dot11Radio0.24 unassigned YES unset up up
Dot11Radio0.25 unassigned YES unset up up
FastEthernet0 unassigned YES unset up down
FastEthernet1 unassigned YES unset up down
FastEthernet2 unassigned YES unset up down
FastEthernet3 unassigned YES unset up down
FastEthernet4 192.168.2.3 YES DHCP up up
Virtual-Dot11Radio0 unassigned YES TFTP down down
Virtual-Dot11Radio0.24 unassigned YES unset down down
Virtual-Dot11Radio0.25 unassigned YES unset down down
Vlan1 unassigned YES NVRAM up down
Vlan24 unassigned YES NVRAM up down
Vlan25 unassigned YES NVRAM up down
Titanium_Gateway#
*Mar 2 01:26:59.979: %DOT11-6-ASSOC: Interface Dot11Radio0, Station 0013.0222.85cf Associated KEY_MGMT[WPA PSK]
Titanium_Gateway#
Titanium_Gateway#
Titanium_Gateway#ping yahoo.com
Translating "yahoo.com"
% Unrecognized host or address, or protocol not running.

Titanium_Gateway#show ip routing
^
% Invalid input detected at '^' marker.

Titanium_Gateway#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

C 192.168.25.0/24 is directly connected, BVI25
C 192.168.24.0/24 is directly connected, BVI24
C 192.168.2.0/24 is directly connected, FastEthernet4
S* 0.0.0.0/0 is directly connected, Dialer1
Titanium_Gateway#
0 Votes
I configured my 851W using the template. I omitted the guest feature as this is for home use only. I can see other computers on my LAN but cannot reach the internet. I have a cable modem and have configured fe4 for DHCP. I do an ipconfig on my computer and it shows all of the proper DNS info. I am a newbie to the Cisco world, so be gentle. Also, my laptop is older and does not support WPA encryption. How do I set it up for WEP?

Here is the running config. I have edited out encryption and other data for brevity.

!
interface Vlan1
description Internal Network
no ip address
ip nat inside
ip virtual-reassembly
bridge-group 1
bridge-group 1 spanning-disabled
!
interface BVI1
description Bridge to Internal Network
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip route 0.0.0.0 0.0.0.0 dhcp
!
ip http server
ip http secure-server
!
ip access-list extended internet-inbound-ACL
permit udp any eq bootps any eq bootpc
permit icmp any any echo
permit icmp any any traceroute
permit gre any any
permit esp any any
!
access-list 1 permit 192.168.1.0 0.0.0.255
!
control-plane
!
bridge 1 route ip
!
line con 0
logging synchronous
no modem enable
line aux 0
line vty 0 4
password mmssyp
!
scheduler max-task-time 5000
end

SCONT#
0 Votes
Oops, edited too much out of running config. Let's try this again:

Building configuration...

Current configuration : 4092 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SCONT
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$xKqs$3yB8bAmWp5FeX.mCRKtHL/
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
aaa session-id common
!
dot11 ssid SCONT1
vlan 1
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 0 mmssyp70
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.99
!
ip dhcp pool internal-net
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
lease 4
!
!
ip cef
ip inspect name MYFW tcp
ip inspect name MYFW udp
!
!
!
archive
log config
hidekeys
!
!
!
bridge irb
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
ip address dhcp
ip access-group Internet-inbound-ACL in
ip inspect MYFW out
ip nat outside
ip virtual-reassembly
ip tcp adjust-mss 1460
duplex auto
speed auto
no cdp enable
!
interface Dot11Radio0
no ip address
no dot11 extension aironet
!
encryption vlan 1 mode ciphers tkip
!
ssid SCONT1
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
channel 2437
station-role root
no cdp enable
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Vlan1
description Internal Network
no ip address
ip nat inside
ip virtual-reassembly
bridge-group 1
bridge-group 1 spanning-disabled
!
interface BVI1
description Bridge to Internal Network
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip route 0.0.0.0 0.0.0.0 dhcp
!
ip http server
ip http secure-server
!
ip access-list extended internet-inbound-ACL
permit udp any eq bootps any eq bootpc
permit icmp any any echo
permit icmp any any traceroute
permit gre any any
permit esp any any
!
access-list 1 permit 192.168.1.0 0.0.0.255
!
control-plane
!
bridge 1 route ip
!
line con 0
logging synchronous
no modem enable
line aux 0
line vty 0 4
password mmssyp
!
scheduler max-task-time 5000
end
0 Votes
PIZAMATADOR
pizamatador 7th Aug 2011
THANKS MAN, YOUR CONFIGURATION DOES WORK, IT HAS HELPED ME A LOT. GREETINGS FROM PERU
I tried the template but it didn't work for me; it just kept disconnecting. After a few hours of research I came across the information below, taken from: http://www.dslreports.com/faq/8199

Generally you will need to use either CHAP or PAP authentication. In some cases the ISP requires both types of authentication. The following is how to set both up.

router(config-if)#ppp authentication chap pap callin
router(config-if)#ppp chap hostname ispusername

You want to make sure that the username is whatever your ISP requires. Some ISPs like the full e-mail address and some just need the username. You may receive a letter or email regarding this info. Consult your ISP if you are unsure. The following is the setup.

router(config-if)#ppp chap password isppassword
router(config-if)#ppp pap sent-username ispusername password isppassword

As you can see, with PAP as opposed to chap you input your username and password all at once in one command.

On some routers running a newer IOS image, you may need to enter the password either as it is (clear text) or encrypted. When you need to enter it as clear text, type 0 (zero) and then the password, to indicate that the password you are about to enter is in clear-text format. Similarly, type 7 (seven) followed by the password to indicate that the password you are about to enter is in encrypted format.
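The post above distinguishes type 0 (clear text) from type 7 passwords; type 7 is a reversible encoding rather than a hash, so both are worth flagging before a running-config is stored or shared. The following Python audit is an added example, not code from this thread or from Cisco: the function name `audit`, the finding codes and the constructed sample config (placeholder values only) are assumptions, and it also reports access-group references to ACL names that are never defined, NAT-marked interfaces with no translation rule, and Telnet on the vty lines.

```python
import re

# Constructed excerpt modelled on the kind of config posted in this thread.
# Every credential value below is a placeholder, not a value from the page.
SAMPLE = """\
no service password-encryption
enable secret 5 $1$EXAMPLEHASH
username admin privilege 15 password 7 EXAMPLE7
dot11 ssid LAB
 wpa-psk ascii 0 ExamplePsk1
interface FastEthernet4
 ip address dhcp
 ip access-group Internet-inbound-ACL in
 ip nat outside
interface BVI1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
interface Dialer1
 ppp chap password isppassword
ip access-list extended internet-inbound-ACL
 permit udp any eq bootps any eq bootpc
access-list 1 permit 192.168.1.0 0.0.0.255
line vty 0 4
 password ExampleVty
 transport input telnet ssh
"""

# keyword, optional one-digit type, then the value ("password-encryption" does not match)
CRED = re.compile(r"\b(secret|password|wpa-psk ascii)\s+(?:(\d)\s+(?=\S))?\S+")
ACL_DEF = re.compile(r"^(?:ip access-list (?:standard|extended) (\S+)|access-list (\d+) )")
ACL_REF = re.compile(r"^ip (?:access-group (\S+) (?:in|out)|nat inside source list (\S+))")


def audit(config):
    """Return (line_no, code, detail) findings; line_no 0 means whole config."""
    findings, defined, refs = [], set(), []
    nat_marked = nat_rule = False
    for no, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        cred = CRED.search(line)
        if cred and cred.group(2) in (None, "0"):
            findings.append((no, "CLEARTEXT", cred.group(1)))
        elif cred and cred.group(2) == "7":
            # Type 7 is reversible obfuscation, not a one-way hash like type 5.
            findings.append((no, "TYPE7", cred.group(1)))
        d = ACL_DEF.match(line)
        if d:
            defined.add(d.group(1) or d.group(2))
        r = ACL_REF.match(line)
        if r:
            refs.append((no, r.group(1) or r.group(2)))
        if line in ("ip nat inside", "ip nat outside"):
            nat_marked = True
        if line.startswith("ip nat inside source"):
            nat_rule = True
        if line.startswith("transport input") and re.search(r"\b(telnet|all)\b", line):
            findings.append((no, "TELNET", line))
    for no, name in refs:
        # ACL names are case-sensitive; an access-group that points at an
        # undefined list filters nothing.
        if name not in defined:
            near = [d for d in defined if d.lower() == name.lower()]
            detail = f"{name} (defined as {near[0]})" if near else name
            findings.append((no, "ACL_UNDEFINED", detail))
    if nat_marked and not nat_rule:
        findings.append((0, "NAT_NO_RULE", "no 'ip nat inside source' rule"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```
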