Logical diagram of the configuration
- Stateful packet inspection firewall
- Two virtual wireless LANs (max 10)
- One virtual LAN bridged to one wireless LAN
- Both wireless LANs configured for WPA-PSK security
- One wireless LAN serving as a guest network with restricted access
- DSL PPPoE client
- DHCP server
The diagram above shows the logical configuration. Orange represents the guest network and green represents the internal network. The entire switch is configured for VLAN 1 because the 851W, and the 871W running the standard IOS image (the standard image is actually called the "advanced security" IOS), do not support VLANs on the switch ports; only an 871W running the "Advanced IP" IOS can. Wireless VLANs on the radio are a separate feature and still work, which is how two SSIDs are possible, but only the "InternalWLAN" wireless network can be bridged to the switch, using BVI 1 (Bridge Virtual Interface 1). The guest wireless LAN gets its own bridge group and BVI with no switch ports in it.
Port F4 is the WAN interface, configured as a PPPoE client dialing through an ADSL modem. The "GuestWLAN" wireless network (orange) has full access to the Internet but no access to the internal network (green). The internal network has full access to both the guest network and the Internet. The guest wireless LAN uses the SSID GuestWLAN and the internal wireless LAN uses the SSID InternalWLAN. At the time of writing, the Cisco 851W and 871W can broadcast only one SSID in their beacons, so GuestWLAN is the only SSID broadcast and internal clients must be configured with the InternalWLAN name explicitly. Future IOS releases are expected to fix this shortcoming.
For anyone wondering whether the hidden InternalWLAN SSID adds security: it does not. SSID hiding only suppresses the name in beacons; the SSID still travels in cleartext in probe requests, probe responses and association requests every time a client connects, so anyone with a wireless sniffer recovers it within minutes. MAC filtering is equally worthless, because client MAC addresses are sent unencrypted in every frame and can be spoofed with a single command. Both belong with the other common security myths. The real protection in this design is WPA-PSK with a strong passphrase on each SSID and the access list that keeps guest traffic off the internal network.
Initial hardware setup
- write erase
- reload (answer "no" if asked to save the modified configuration, then confirm the reboot)
Once the router reboots you will see a "Router>" prompt and no password is required: you are starting from a clean slate. Unlike the earlier tutorial, where we had to create switch VLANs first, there is nothing to create here. The standard "advanced security" IOS feature set on the 871W does not support switch VLANs, and the 851W does not support them regardless of the IOS installed. Enter global configuration mode with the familiar "configure terminal" (or "config t") command and then paste in the configuration.
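To tie the pieces above together, here is an added example of what the resulting configuration looks like. It is my illustration, not the author's Excel template, and it assumes an 871W or 851W on the standard IOS, an internal network of 192.168.1.0/24 on BVI1, a guest network of 192.168.20.0/24 on BVI2, placeholder passphrases and ISP credentials, and a placeholder DNS server (198.51.100.53); replace all of those with your own values. Paste it at the global configuration prompt after the reload.

```cisco
! Added example (not the author's template); all addresses, names,
! DNS servers, ISP credentials and passphrases are placeholders
service password-encryption
! Stateful inspection (CBAC), applied inbound on both inside interfaces
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW icmp
! One DHCP scope per network (198.51.100.53 stands in for the ISP DNS)
ip dhcp excluded-address 192.168.1.1 192.168.1.10
ip dhcp excluded-address 192.168.20.1 192.168.20.10
ip dhcp pool INTERNAL
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 dns-server 198.51.100.53
ip dhcp pool GUEST
 network 192.168.20.0 255.255.255.0
 default-router 192.168.20.1
 dns-server 198.51.100.53
! Each SSID maps to a wireless VLAN on the radio (not a switch VLAN);
! only GuestWLAN has guest-mode, so it is the only SSID in beacons
dot11 ssid InternalWLAN
 vlan 1
 authentication open
 authentication key-management wpa
 wpa-psk ascii ChangeMeInternal1
dot11 ssid GuestWLAN
 vlan 20
 authentication open
 authentication key-management wpa
 guest-mode
 wpa-psk ascii ChangeMeGuest1
! Integrated routing and bridging: one bridge group per network
bridge irb
bridge 1 protocol ieee
bridge 1 route ip
bridge 2 protocol ieee
bridge 2 route ip
interface Dot11Radio0
 no ip address
 encryption vlan 1 mode ciphers tkip
 encryption vlan 20 mode ciphers tkip
 ssid InternalWLAN
 ssid GuestWLAN
 no shutdown
! Wireless VLAN 1 joins the switch (Vlan1) in bridge-group 1 -> BVI1
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 bridge-group 1
interface Vlan1
 bridge-group 1
! Wireless VLAN 20 is alone in bridge-group 2 -> BVI2; no switch port
interface Dot11Radio0.20
 encapsulation dot1Q 20
 bridge-group 2
interface BVI1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip inspect FW in
 ip tcp adjust-mss 1452
interface BVI2
 ip address 192.168.20.1 255.255.255.0
 ip access-group GUEST-IN in
 ip nat inside
 ip inspect FW in
 ip tcp adjust-mss 1452
! WAN: PPPoE client on F4, the negotiated address lives on Dialer0
interface FastEthernet4
 no ip address
 pppoe enable
 pppoe-client dial-pool-number 1
interface Dialer0
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip access-group WAN-IN in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname isp-username
 ppp chap password 0 isp-password
dialer-list 1 protocol ip permit
ip route 0.0.0.0 0.0.0.0 Dialer0
ip access-list standard NAT-SOURCES
 permit 192.168.1.0 0.0.0.255
 permit 192.168.20.0 0.0.0.255
ip nat inside source list NAT-SOURCES interface Dialer0 overload
! Guest policy: DHCP and a ping to the gateway are all a guest may send to
! the router itself; nothing reaches the internal subnet; the rest goes out
ip access-list extended GUEST-IN
 permit udp any any eq bootps
 permit icmp any host 192.168.20.1 echo
 deny   ip any host 192.168.20.1
 deny   ip any 192.168.1.0 0.0.0.255
 permit ip any any
! WAN: nothing unsolicited gets in; CBAC opens holes for return traffic
ip access-list extended WAN-IN
 deny ip any any
```

Three details carry the security of the design. The guest access list is applied inbound on BVI2, so it filters packets addressed to the router itself as well as packets routed through it, and the deny for 192.168.1.0/24 sits before the final permit, so no guest session can reach the internal network or the BVI1 address. CBAC applied inbound on BVI1 inserts temporary entries at the top of GUEST-IN and WAN-IN for sessions the internal network initiates, which is what gives the internal network access to the guest network and the Internet while the guest ACL stays static; the same inspection on BVI2 lets guest-initiated Internet sessions get their replies back through WAN-IN. Finally, WAN-IN is a bare deny: only inspected return traffic comes in. If your IOS offers `aes-ccm` as a cipher, use it instead of `tkip`, and add an `access-class` on the vty lines so management is only possible from the internal subnet. Verify with `show ip interface brief` (both BVIs up with addresses), `show bridge` (two groups) and `show ip inspect sessions` while a host on each network browses.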
CLI configuration template for Cisco 851W or 871W
I've always thought that the Cisco configuration guides were too difficult to use, with their inline comments and hints, so I've created my own configuration template system in Microsoft Excel. Thanks to our development blogger Justin James, who wrote a quick replacement button that automatically generates a ready-to-use configuration output, we have a truly useful new tool for documenting and creating new CLI configuration files.
For this particular tutorial, I've created three templates for the Cisco 851W or 871W running the standard "advanced security" IOS, embedded with Justin's new rapid replace functionality. The first template is for DSL PPPoE implementations. The second template is for DHCP or cable modem Internet connections. (Note that for cable modem implementations, you should power-cycle the cable modem: it locks itself to the MAC address of the first device it sees, which will cause problems for your router until the modem is rebooted.) The third template is for static IP WAN implementations.
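As an added illustration of how the second and third templates differ from the PPPoE one (my example, not the author's templates), here are the WAN-side fragments for a DHCP/cable modem connection and for a static ISP address; everything inside the router (BVIs, guest ACL, CBAC rule, NAT source list) stays the same as in the PPPoE configuration. The static address, mask, gateway and the cloned MAC address are placeholders.

```cisco
! Added example, not the author's templates. Use ONE of the two variants.
!
! Variant 2: DHCP / cable modem. The DHCP client installs the default
! route itself, so no static route is needed.
interface FastEthernet4
 ip address dhcp
 ip nat outside
 ip access-group WAN-IN in
 no shutdown
! Optional alternative to power-cycling the modem: present the MAC address
! the modem already knows (0011.2233.4455 is a placeholder). Remove the
! leading "!" to activate it under FastEthernet4.
! mac-address 0011.2233.4455
ip nat inside source list NAT-SOURCES interface FastEthernet4 overload
!
! Variant 3: static WAN address (203.0.113.10/29, gateway 203.0.113.9 are
! placeholders for the values your ISP assigned)
interface FastEthernet4
 ip address 203.0.113.10 255.255.255.248
 ip nat outside
 ip access-group WAN-IN in
 no shutdown
ip route 0.0.0.0 0.0.0.0 203.0.113.9
ip nat inside source list NAT-SOURCES interface FastEthernet4 overload
```

With either variant there is no Dialer0, so the NAT overload statement and the WAN-IN access list move to FastEthernet4, and the `ip mtu 1492` and `ip tcp adjust-mss 1452` settings that compensate for PPPoE overhead are not needed. Check the result with `show ip interface brief` (FastEthernet4 should show the DHCP-learned or static address) and `show ip nat translations` once an inside host browses.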
How to use CLI template
Reference sheet in the configuration template
Insert configuration on 851W or 871W
Sounds great - my wireless VLANs authenticate great - but I cannot ping the Internet. .20.x cannot ping the Internet, but can ping the internal wireless LAN gateway 10.1 - what gives? Also I noticed I didn't set up a BVI for .20 like you did (in your "sh ip int brie" output). Should I have to create a separate bridge group to get my VLAN 20 to route IP outside? My access lists are permit any any, basically... help please :)
Is that going to be a problem for the guest wireless LAN users, because they don't authenticate in Windows 2003, if I skip DHCP in the Cisco configuration, or does DHCP from the server work anyway?
I've tried this template and it will not let me input any of the line commands, right from the start with "service password-encryption". Maybe I am doing something really stupidly wrong, but this does not seem to want to work. I am using HyperTerminal to configure my 871W, attempting to get my static IP recognized. Also, I was wondering if anyone knew if it's possible to load a separate static IP for the secondary subnet.