Configuring the Cisco 851W or 871W: Standard IOS

Logical diagram of the configuration

This gallery is also available as a TechRepublic article.

The Cisco 851W router is a relatively low-cost multipurpose device ($292 is the lowest price) that can support virtual wireless LANs separated by firewalls. Although the Cisco 871W can do more things, it is in the $500 to $700 range, depending on the software feature set you want, and that may be a little too expensive for a home router or small business.

Even the $500 version of the 871W doesn't offer a whole lot more than the 851W, other than its external antenna connectors that allow you to connect larger antennas. Only when you get up to the $700 871W do you get additional feature sets, like BGP routing, VLAN support, and QoS traffic prioritization.

Last time, I explained how to configure the more expensive version of the 871W. Unfortunately, many of you couldn't use it because you didn't have the Advanced IP IOS feature set. This tutorial is made for you and for anyone who has or is planning to buy the cheaper 851W.

Advanced SOHO dual network architecture

I'm going to show you how to set up a Cisco 851W or 871W router with the standard "advanced security" IOS in an advanced SOHO (small office/home office) configuration that offers:

  • Stateful packet inspection firewall
  • Two virtual wireless LANs (max 10)
  • One virtual LAN bridged to one wireless LAN
  • Both wireless LANs configured for WPA-PSK security
  • One wireless LAN serving as a guest network with restricted access
  • DSL PPPoE client
  • DHCP server

The diagram above shows the logical layout of the configuration. Orange represents the guest network and green represents the internal network. The entire switch is configured for VLAN1 because the Standard IOS on the 851W and 871 (Standard is actually called the "advanced security" IOS) doesn't support VLANs. Only the 871W running the "Advanced IP" IOS can do VLANs. This means only the "InternalWLAN" wireless network can bridge to the switch, using BVI (Bridge Virtual Interface) 1.

Port F4 is the WAN interface, configured to dial PPPoE to an ADSL modem. The "GuestWLAN" wireless network (orange) will have full access to the Internet but no access to the internal network (green). The internal network will have full access to the orange guest network and the Internet. The guest wireless LAN will have an SSID of GuestWLAN, and the internal wireless LAN will have an SSID of InternalWLAN. For now, the Cisco 851W and 871W are capable of broadcasting only one SSID, so GuestWLAN will be the only SSID being broadcast. Future firmware will fix this shortcoming.
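The access policy described above, sketched as an added IOS fragment that is not taken from the article's own template. The subnets (192.168.1.0/24 internal, 192.168.20.0/24 guest), the names GUEST-IN and FW, and the guest subinterface name Dot11Radio0.20 are assumptions chosen for illustration.

```ios
! Added example with constructed addresses and names (assumptions):
!   internal network  192.168.1.0/24   on BVI1
!   guest network     192.168.20.0/24  on Dot11Radio0.20
!
! Stateful inspection for sessions that start on the internal side.
! Return traffic for these sessions is allowed back through GUEST-IN,
! which is what gives "internal -> guest" access without opening
! "guest -> internal".
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW icmp
!
ip access-list extended GUEST-IN
 remark DHCP requests from guest clients to the router
 permit udp any eq bootpc any eq bootps
 remark Guests may not open sessions to the internal network
 deny   ip any 192.168.1.0 0.0.0.255
 remark Anything else from the guest subnet (Internet) is allowed
 permit ip 192.168.20.0 0.0.0.255 any
!
interface BVI1
 ip address 192.168.1.1 255.255.255.0
 ip inspect FW in
!
interface Dot11Radio0.20
 ip address 192.168.20.1 255.255.255.0
 ip access-group GUEST-IN in
```

To confirm the isolation, check that the hit counter on the deny entry in `show ip access-lists GUEST-IN` increases when a guest client tries to reach an internal address, and that `show ip inspect sessions` lists sessions opened from the internal side.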

For anyone wondering whether SSID hiding is good for security: it is a worthless security feature, along with MAC filtering and some of the other common myths.


Sounds great - my wireless VLANs authenticate great - but I cannot ping the internet. .20.x cannot ping the internet, but can ping the internal wireless LAN gateway 10.1 - what gives? Also, I noticed I didn't set up a BVI for .20 like you did (in your sh ip nt brie output). Should I have to create a separate bridge group to get my VLAN 20 to route IP outside? My access-lists are permit any any. Please :)


Is there a PPPoE template (not DSL)?


Is that going to be a problem for the guest wireless LAN users, because they don't authenticate in Windows 2003, if I skip DHCP from the Cisco configuration, or does the DHCP from the server work anyway?


I've tried this template and it will not let me input any of the line commands, right from the start with service password-encryption. Maybe I am doing something really stupidly wrong, but this does not seem to want to work. I am using HyperTerminal to configure my 871W, attempting to get my static IP recognized. Also, I was wondering if anyone knew if it's possible to load a separate static IP for the secondary subnet.