Logical diagram of the configuration
This gallery is also available as a TechRepublic article.
The Cisco 851W router is a relatively low-cost multipurpose device ($292 is the lowest price) that can support virtual wireless LANs separated by firewalls. Although the Cisco 871W can do more things, it is in the $500 to $700 range, depending on the software feature set you want--and that may be a little too expensive for a home router or small business.
Even the $500 version of the 871W doesn't offer a whole lot more than the 851W, other than its external antenna connectors that allow you to connect larger antennas. Only when you get up to the $700 871W do you get additional feature sets, like BGP routing, VLAN support, and QoS traffic prioritization.
Last time, I explained how to configure the more expensive version of the 871W. Unfortunately, many of you couldn't use it because you didn't have the Advanced IP IOS feature set. This tutorial is made for you and for anyone who has or is planning to buy the cheaper 851W.
Advanced SOHO dual network architecture
I'm going to show you how to set up a Cisco 851W or 871W router with the standard "advanced security" IOS in an advanced SOHO (small office/home office) configuration that offers:
- Stateful packet inspection firewall
- Two virtual wireless LANs (max 10)
- One virtual LAN bridged to one wireless LAN
- Both wireless LANs configured for WPA-PSK security
- One wireless LAN serving as a guest network with restricted access
- DSL PPPoE client
- DHCP server
The diagram above shows the logical configuration. Orange represents the guest network and green represents the internal network. The entire switch is configured for VLAN1 because the Standard IOS on the 851W and 871 (Standard is actually called the "advanced security" IOS) doesn't support VLANs. Only the 871W running "Advanced IP" IOS can do VLANs. This means only the "InternalWLAN" wireless network can bridge to the switch using BVI (Bridge Virtual Interface) 1.
Port F4 is the WAN interface, configured to dial PPPoE to an ADSL modem. The "GuestWLAN" wireless network (orange) will have full access to the Internet but no access to the internal network (green). The internal network will have full access to the orange guest network and the Internet. The guest wireless LAN will have an SSID of GuestWLAN, and the internal wireless LAN will have an SSID of InternalWLAN. For now, the Cisco 851W and 871W are capable of broadcasting only one SSID, so GuestWLAN will be the only SSID being broadcast. Future firmware will fix this shortcoming.
For anyone wondering whether SSID hiding is good for security, SSID hiding is a worthless security feature, along with MAC filtering and some of the other common myths.
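The access policy described above (guests reach the Internet but not the internal network, while internal hosts reach both) can be expressed as an inbound ACL on the guest interface plus stateful inspection on the internal one. This is an added example, not configuration from the original article; the subnets 10.1.1.0/24 (internal) and 10.1.2.0/24 (guest), the guest subinterface Dot11Radio0.2, and the names GUEST-IN and SOHO-FW are assumptions, and WAN-side filtering is not shown.

```cisco
! Added example. Assumed addressing (not from the article):
!   internal network 10.1.1.0/24 on BVI1
!   guest network    10.1.2.0/24 on Dot11Radio0.2
!
! Stateful inspection: track sessions that internal hosts open, so the
! replies are let back in through the ACLs on the other interfaces.
ip inspect name SOHO-FW tcp
ip inspect name SOHO-FW udp
ip inspect name SOHO-FW icmp
!
! Inbound filter for traffic arriving from guest wireless clients.
ip access-list extended GUEST-IN
 remark allow guests to get a lease from the router's DHCP server
 permit udp any eq bootpc any eq bootps
 remark block guest-initiated traffic to the internal network
 deny   ip any 10.1.1.0 0.0.0.255
 remark anything else from the guest subnet may go out
 permit ip 10.1.2.0 0.0.0.255 any
!
! Inspect traffic entering from the internal side. Replies to these
! sessions get temporary permit entries ahead of the deny in GUEST-IN,
! which is what gives internal hosts access to the guest network.
interface BVI1
 ip inspect SOHO-FW in
!
! Apply the guest filter to traffic entering from guest clients.
interface Dot11Radio0.2
 ip access-group GUEST-IN in
```

To confirm the isolation, `show access-lists GUEST-IN` shows the match count on the deny line, and `show ip inspect sessions` lists the internal-initiated sessions currently being tracked.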