50.8 Wireless
»Wireless Networking Forum FAQ

Some discussions

»Networking between buildings
»how to properly do a wireless survey
»Block MAC Address on 3560 or 2960
»[Info] 1252 APs
»getting started with cisco
»[Info] Deploying wireless
»[H/W] Used cisco access point
»[H/W] Wireless recommendations with 802.1x VLAN Assignment
»Upgrading from 871w..Need suggestions for new router..

Sample Configurations

1. One integrated fixed AP/router with wired backbone network
»Cisco Forum FAQ »Wireless Router Sample Configuration

2. Three fixed AP as Wireless Backbone network for wired hosts
»Cisco Forum FAQ »Various sample configuration using Wireless as backbone network
by aryoba

»Cisco Forum FAQ »Things to expect when setup network for home or small business

1. Router with integrated ADSL module running PPPoE

As an illustration, the router used is a Cisco 1841 router with a wireless module. This sample configuration assumes the following:

* Qwest uses 0/32 as the VPI/VCI, which may not match your ISP's VPI/VCI value. Confirm the value with your ISP.
* ISP connection is DSL with PPPoE
* The router receives a static IP address from the ISP
* Default gateway is received from the ISP PPP negotiation
* There is a public server sitting behind the router, open to any inbound and outbound traffic
* There is NAT/PAT on the router between the local subnet of 10.10.0.0/22 (behind the BVI, FA0/0, and FA0/1) and the ISP Public IP address (in front of the Dialer0 interface)
* Router is in IRB (Integrated Routing Bridging) mode
* The Wired LAN interfaces (FA0/0 and FA0/1) are Layer 3 interfaces, where FA0/0 is the Inside (Trusted) and FA0/1 is the DMZ
* There is one "dumb switch" behind each one of the Wired LAN interfaces
* DMZ interface is set for servers
* Inside interface is set for local users' workstations and printers
* Workstations and printers receive dynamic IP addresses via DHCP within the 10.10.1.0/24 subnet
* Wireless users receive dynamic IP addresses via DHCP within the 10.10.3.0/24 subnet
* The Radio and BVI interfaces are within the same broadcast domain, where the BVI is the Layer 3 interface
* No layer 2 trunking to external network device
* Wireless encryption type is WPA

Sample Configuration

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname cisco1841
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
clock timezone Arizona -7
ip cef
!
!
no ip dhcp use vrf connected
!
ip dhcp excluded-address 10.10.1.1
ip dhcp excluded-address 10.10.3.1
!
ip dhcp pool Inside
 network 10.10.1.0 255.255.255.0
 dns-server 205.171.3.65 4.2.2.1
 default-router 10.10.1.1
!
ip dhcp pool Wireless
 import all
 network 10.10.3.0 255.255.255.0
 dns-server 205.171.3.65 4.2.2.1
 default-router 10.10.3.1
 lease 3
!
!
multilink bundle-name authenticated
!
!
!
!
username xxxxxxx privilege 15 secret 5 xxxxxxxxxx
!
bridge irb
!
!
!
interface Loopback0
 ip address 10.10.0.1 255.255.255.255
!
interface FastEthernet0/0
 description Inside LAN
 ip address 10.10.1.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description DMZ
 ip address 10.10.2.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
interface ATM0/0/0
 description ADSL WAN port
 no ip address
 no snmp trap link-status
 no atm ilmi-keepalive
 dsl operating-mode auto
 pvc 0/32
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface Dot11Radio0/1/0
 description Wireless interface
 no ip address
 no ip redirects
 ip local-proxy-arp
 ip virtual-reassembly
 !
 encryption vlan 1 mode ciphers tkip
 !
 ssid azwinters
  vlan 1
  authentication open
  authentication key-management wpa
  guest-mode
  wpa-psk ascii 0 xxxxxxxxxxx
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 no cdp enable
!
interface Dot11Radio0/1/0.1
 description Wireless VLAN 1
 encapsulation dot1Q 1 native
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dialer0
 description ADSL WAN Dialer
 ip address 71.216.xxx.xxx 255.255.255.0
 ip mtu 1492
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 no ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname xxxxxxxxxx@qwest.net
 ppp chap password 0 xxxxxxxxx
 ppp pap sent-username xxxxxxxxx@qwest.net password 0 xxxxx
 ppp ipcp route default
!
!
interface BVI1
 description Wireless LAN
 ip address 10.10.3.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no cdp enable
!
!
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static 10.10.2.254 71.xxx.xxx.xxx
!
access-list 1 permit 10.10.0.0 0.0.3.255
dialer-list 1 protocol ip permit
no cdp run
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
!
line con 0
 login local
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet
!
no scheduler allocate
ntp clock-period 17175169
ntp server 132.163.4.101 source Dialer0 prefer
ntp server 148.167.132.200 source Dialer0 prefer
ntp server 207.10.214.111 source Dialer0 prefer
end

2. Router with integrated ADSL module running PPPoA

This sample configuration assumes the following:

* Qwest uses 0/32 as the VPI/VCI, which may not match your ISP's VPI/VCI value. Confirm the value with your ISP.
* ISP connection is DSL with PPPoA
* The router receives a static IP address from the ISP
* Default gateway is received from the ISP PPP negotiation
* There is a public server sitting behind the router, open to any inbound and outbound traffic
* There is NAT/PAT on the router between the local subnet of 192.168.2.0/24 (behind the BVI as the Layer-3 interface and FA0/0 - FA0/3 as the Layer-2 interfaces; and Radio interface) and the ISP Public IP address (in front of the Dialer0 interface)
* Router is in IRB (Integrated Routing Bridging) mode
* The Radio and BVI interfaces are within the same broadcast domain, where the BVI is the Layer 3 interface
* No layer 2 trunking to external network device
* The router is running CBAC as IOS-based Firewall

Sample Configuration

version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname yourname
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
logging console critical
enable secret 5 xxxxxxxxxxxxxxxxxxxxx
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authorization exec local_author local
!
!
aaa session-id common
clock timezone PCTime -7
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
!
!
crypto pki trustpoint TP-self-signed-3720820174
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3720820174
 revocation-check none
 rsakeypair TP-self-signed-3720820174
!
!
crypto pki certificate chain TP-self-signed-3720820174
 certificate self-signed 01
  !KEY GOES HERE
  quit
!
dot11 ssid Es38ufd
 authentication open
!
no ip source-route
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.2.1
ip dhcp excluded-address 192.168.2.21 192.168.2.254
!
ip dhcp pool sdm-pool1
 import all
 network 192.168.2.0 255.255.255.0
 default-router 192.168.2.1
 dns-server 205.171.3.65 205.171.2.65
!
!************Various DHCP Bindings were here*****************
!
!
ip cef
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip inspect name sdm_ins_in_100 cuseeme
ip inspect name sdm_ins_in_100 dns
ip inspect name sdm_ins_in_100 ftp
ip inspect name sdm_ins_in_100 h323
ip inspect name sdm_ins_in_100 https
ip inspect name sdm_ins_in_100 icmp
ip inspect name sdm_ins_in_100 imap
ip inspect name sdm_ins_in_100 pop3
ip inspect name sdm_ins_in_100 rcmd
ip inspect name sdm_ins_in_100 realaudio
ip inspect name sdm_ins_in_100 rtsp
ip inspect name sdm_ins_in_100 esmtp
ip inspect name sdm_ins_in_100 sqlnet
ip inspect name sdm_ins_in_100 streamworks
ip inspect name sdm_ins_in_100 tftp
ip inspect name sdm_ins_in_100 tcp
ip inspect name sdm_ins_in_100 udp
ip inspect name sdm_ins_in_100 vdolive
no ip bootp server
ip domain lookup source-interface Dialer0
ip name-server 205.171.3.65
ip name-server 205.171.2.65
!
!
!
file verify auto
username xxxxx privilege 15 password 7 xxxxxxxxxxxxxxxxxxxx
username xxxxxxx privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxx
archive
 log config
  hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
bridge irb
!
!
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip mroute-cache
 no snmp trap link-status
 atm vc-per-vp 64
 no atm ilmi-keepalive
 pvc 0/32
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode ansi-dmt
 dsl enable-training-log
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
 no ip address
 !
 ssid Es38ufd
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 bridge-group 1
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address negotiated
 ip access-group 103 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect sdm_ins_in_100 in
 ip inspect SDM_LOW out
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname xxxxxxxxxxxxxxxxxxx
 ppp chap password 7 xxxxxxxxxxxxxxxxxxx
 ppp pap sent-username xxxxxxx password 7 xxxxxxxxxxxxxxxxxxx
 ppp ipcp route default
!
interface BVI1
 description $ES_LAN$$FW_INSIDE$
 ip address 192.168.2.1 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
!
ip http server
ip http access-class 3
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
!
access-list 1 remark The local LAN.
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 2 remark Where management can be done from.
access-list 2 permit 192.168.2.0 0.0.0.255
access-list 3 remark HTTP Access-class list
access-list 3 remark SDM_ACL Category=1
access-list 3 permit 192.168.2.0 0.0.0.255
access-list 3 deny any
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 103 remark auto generated by SDM firewall configuration
access-list 103 remark SDM_ACL Category=1
access-list 103 permit udp host 205.171.2.65 eq domain any
access-list 103 permit udp host 205.171.3.65 eq domain any
access-list 103 remark Auto generated by SDM for NTP (123) 132.163.4.101
access-list 103 permit udp host 132.163.4.101 eq ntp any eq ntp
access-list 103 remark Auto generated by SDM for NTP (123) 128.138.140.44
access-list 103 permit udp host 128.138.140.44 eq ntp any eq ntp
access-list 103 remark Auto generated by SDM for NTP (123) 192.43.244.18
access-list 103 permit udp host 192.43.244.18 eq ntp any eq ntp
access-list 103 permit icmp any any echo-reply
access-list 103 permit icmp any any time-exceeded
access-list 103 permit icmp any any unreachable
access-list 103 deny ip any any log
dialer-list 1 protocol ip permit
no cdp run
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login ^CCCAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!
^C
!
line con 0
 no modem enable
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 access-class 2 in
 privilege level 15
 authorization exec local_author
 login authentication local_authen
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
sntp server 132.163.4.101
sntp server 128.138.140.44
sntp server 192.43.244.18
end

3. Router receiving Ethernet hand-off of external modem running DHCP

The following is another wireless router sample configuration, with these assumptions:

* ISP connection is Cable Internet or DSL with DHCP
* The router receives a dynamic IP address from the ISP
* Default gateway is received from the ISP DHCP negotiation
* There is NAT/PAT on the router between the local subnet of 10.10.10.0/24 (behind the BVI, FA0-3, and Dot11Radio0) and the ISP Public IP address (in front of the FA4 interface)
* Router is in IRB (Integrated Routing Bridging) mode
* FA4 is the Layer 3 WAN interface
* The Wired LAN interfaces (FA1, FA2 and FA3) are Layer 2 interfaces (integrated switch) that are members of VLAN 10
* The Wireless LAN interface (Dot11Radio0.10) is also a member of VLAN 10
* The Layer-3 interface BVI10 is to "integrate" between Wired and Wireless LAN
* All Wired and Wireless LAN machines receive dynamic IP addresses via DHCP within the 10.10.10.0/24 subnet (excluding 10.10.10.1 - 10.10.10.10)
* No layer 2 trunking to external network device
* Wireless encryption type is WPA
* The router is running CBAC as IOS-based Firewall

Sample Configuration

Current configuration : 5572 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname cloud
!
boot-start-marker
boot-end-marker
!
enable secret 5
enable password 7
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
aaa session-id common
!
resource policy
!
clock timezone CST -6
clock summer-time CDT recurring
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1 10.10.10.10
!
ip dhcp pool VLAN10
 import all
 network 10.10.10.0 255.255.255.0
 default-router 10.10.10.1
 domain-name att.net
 lease 4
!
!
ip domain lookup
ip domain name att.net
ip name-server 208.67.222.222
ip name-server 208.67.220.220
ip inspect name MYFW tcp
ip inspect name MYFW udp
!
!
!
crypto pki trustpoint TP-self-signed-1295877613
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1295877613
 revocation-check none
 rsakeypair TP-self-signed-1295877613
!
!
crypto pki certificate chain TP-self-signed-1295877613
 certificate self-signed 01
  quit
username morphius privilege 15 password 7
!
!
!
bridge irb
!
!
!
interface FastEthernet0
 switchport access vlan 10
 spanning-tree portfast
!
interface FastEthernet1
 switchport access vlan 10
!
interface FastEthernet2
 switchport access vlan 10
!
interface FastEthernet3
 switchport access vlan 10
!
interface FastEthernet4
 description WAN interface
 ip address dhcp
 ip access-group Internet-inbound-ACL in
 ip nat outside
 ip inspect MYFW out
 duplex auto
 speed auto
 no cdp enable
!
interface Dot11Radio0
 no ip address
 !
 encryption vlan 10 mode ciphers tkip
 !
 ssid bennachie
  vlan 10
  authentication open
  authentication key-management wpa
  guest-mode
  wpa-psk ascii 7
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 no dot11 extension aironet
 no cdp enable
!
interface Dot11Radio0.10
 encapsulation dot1Q 10
 no snmp trap link-status
 bridge-group 10
 bridge-group 10 subscriber-loop-control
 bridge-group 10 spanning-disabled
 bridge-group 10 block-unknown-source
 no bridge-group 10 source-learning
 no bridge-group 10 unicast-flooding
!
interface Vlan1
 no ip address
!
interface Vlan10
 description Internal network
 no ip address
 ip nat inside
 ip virtual-reassembly
 bridge-group 10
 bridge-group 10 spanning-disabled
!
interface BVI10
 description Layer-3 LAN interface to bridge FA1-3 ports
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
!
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet4 overload
!
ip access-list extended Internet-inbound-ACL
 permit udp any eq bootps any eq bootpc
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
!
access-list 1 permit 10.10.10.0 0.0.0.255
!
!
!
!
control-plane
!
bridge 10 protocol ieee
bridge 10 route ip
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 password 7
 no modem enable
line aux 0
line vty 0 4
 password 7
!
scheduler max-task-time 5000
ntp authenticate
ntp source FastEthernet4
ntp server 70.85.188.218
ntp server 67.10.89.177
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end

Cisco Wireless Router New Product Lines

1. 881-W model

The 881-W introduces a concept where the integrated AP runs a dedicated IOS image file, separate from the router's IOS image file. In this sample configuration, the integrated AP runs the ap801-k9w7-mx.124-25d.JA1 IOS image while the router runs the c880data-universalk9-mz.150-1.M8.bin IOS image.

Since the 881-W model supports wireless N, the Ethernet port is now Gigabit Ethernet instead of Fast Ethernet. These Gigabit Ethernet ports show up in both the AP configuration and the router configuration: a GigabitEthernet0 interface resides in the AP and a Wlan-GigabitEthernet0 interface resides in the router. The two Gigabit Ethernet ports are internally interconnected, similar to a setup where the Fast Ethernet port of an external AP 1200 is connected with a physical Ethernet cable to the Fast Ethernet port of an 871 non-wireless router.

This internal interconnection between the two Gigabit Ethernet ports can be treated as a regular switch access or trunk port. As on a regular switch port, both Gigabit Ethernet ports are by default set as access ports passing only the default VLAN, which is VLAN 1. Should you plan to create multiple SSIDs over the same dot11radio interface, the Gigabit Ethernet ports must be set as trunk ports.

Following is the sample configuration.

Router

version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname diablo-office
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 *****
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication enable default line enable
aaa authorization exec default local
aaa authorization commands 15 default local
!
!
!
!
!
aaa session-id common
memory-size iomem 10
!
ip source-route
!
!
ip dhcp excluded-address 10.0.1.145
ip dhcp excluded-address 10.0.1.129 10.0.1.130
ip dhcp excluded-address 10.0.1.153
!
ip dhcp pool Office-Pool
 import all
 network 10.0.1.128 255.255.255.240
 default-router 10.0.1.129
 dns-server 4.2.2.2 8.8.8.8
 domain-name diablo.com
!
ip dhcp pool Office_Wireless-Pool
 import all
 network 10.0.1.144 255.255.255.248
 default-router 10.0.1.145
 dns-server 4.2.2.2 8.8.8.8
 domain-name restricted
!
ip dhcp pool Guest_Wireless-Pool
 import all
 network 10.0.1.152 255.255.255.248
 default-router 10.0.1.153
 dns-server 4.2.2.2 8.8.8.8
 domain-name unknown
!
!
ip cef
no ip domain lookup
ip domain name diablo.com
no ipv6 cef
!
!
license udi pid CISCO881W-GN-A-K9 sn *******
!
!
!
spanning-tree portfast bpduguard
username admin secret 5 *******
!
!
ip ssh version 2
!
!
!
!
!
!
!
interface FastEthernet0
 spanning-tree portfast
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description Office Internet Modem
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface wlan-ap0
 description Service module interface to manage the embedded AP
 ip unnumbered Vlan1
 arp timeout 0
!
interface Wlan-GigabitEthernet0
 description Internal switch interface connecting to the embedded AP
 switchport trunk allowed vlan 1-3,1002-1005
 switchport mode trunk
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 ip address 10.0.1.129 255.255.255.240
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Vlan2
 description Wireless office
 ip address 10.0.1.145 255.255.255.248
 ip nat inside
 ip virtual-reassembly
!
interface Vlan3
 description Wireless guest
 ip address 10.0.1.153 255.255.255.248
 ip access-group 120 in
 ip nat inside
 ip virtual-reassembly
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat inside source list 110 interface FastEthernet4 overload
!
access-list 10 permit 10.0.1.128 0.0.0.15
access-list 110 permit ip 10.0.1.0 0.0.0.255 any
access-list 120 remark Wireless Guest Restriction
access-list 120 permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps
access-list 120 deny ip 10.0.1.152 0.0.0.7 10.0.0.0 0.255.255.255
access-list 120 deny ip 10.0.1.152 0.0.0.7 172.16.0.0 0.15.255.255
access-list 120 deny ip 10.0.1.152 0.0.0.7 192.168.0.0 0.0.255.255
access-list 120 permit ip 10.0.1.152 0.0.0.7 any
no cdp run
!
!
!
!
!
control-plane
!
banner exec ^C
-----------------------------------------------------------------------
This is a proprietary system only for those who are authorized.
-----------------------------------------------------------------------
^C
!
line con 0
 no modem enable
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
line vty 0 4
 access-class 10 in
 transport input telnet ssh
!
scheduler max-task-time 5000
end

AP

version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname office-ap
!
logging rate-limit console 9
enable secret 5 *****
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication enable default line enable
aaa authorization exec default local
aaa authorization commands 15 default local
!
aaa session-id common
!
!
dot11 syslog
dot11 vlan-name guest vlan 3
dot11 vlan-name office vlan 2
!
dot11 ssid guest
 vlan 3
 authentication open
 authentication key-management wpa
 guest-mode
 wpa-psk ascii 7 *****
!
dot11 ssid office
 vlan 2
 authentication open
 authentication key-management wpa
 wpa-psk ascii 7 *****
!
!
!
username admin secret 5 *****
!
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers aes-ccm
 !
 encryption vlan 2 mode ciphers aes-ccm
 !
 encryption vlan 3 mode ciphers aes-ccm
 !
 ssid guest
 !
 ssid office
 !
 vocera
 antenna gain 0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.2
 encapsulation dot1Q 2
 no ip route-cache
 bridge-group 2
 bridge-group 2 subscriber-loop-control
 bridge-group 2 block-unknown-source
 no bridge-group 2 source-learning
 no bridge-group 2 unicast-flooding
 bridge-group 2 spanning-disabled
!
interface Dot11Radio0.3
 encapsulation dot1Q 3
 no ip route-cache
 bridge-group 3
 bridge-group 3 subscriber-loop-control
 bridge-group 3 block-unknown-source
 no bridge-group 3 source-learning
 no bridge-group 3 unicast-flooding
 bridge-group 3 spanning-disabled
!
interface GigabitEthernet0
 description the embedded AP GigabitEthernet 0 is an internal interface connecting AP with the host router
 no ip address
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface GigabitEthernet0.2
 encapsulation dot1Q 2
 no ip route-cache
 bridge-group 2
 no bridge-group 2 source-learning
 bridge-group 2 spanning-disabled
!
interface GigabitEthernet0.3
 encapsulation dot1Q 3
 no ip route-cache
 bridge-group 3
 no bridge-group 3 source-learning
 bridge-group 3 spanning-disabled
!
interface BVI1
 ip address 10.0.1.130 255.255.255.240
 no ip route-cache
!
no ip http server
no ip http secure-server
ip http help-path »www.cisco.com/warp/public/779/sm···help/eag
bridge 1 route ip
!
access-list 10 permit 10.0.1.128 0.0.0.15
!
banner exec ^C
-----------------------------------------------------------------------
This is a proprietary system only for those who are authorized.
-----------------------------------------------------------------------
^C
!
line con 0
 privilege level 15
 no activation-character
line vty 0 4
 access-class 10 in
 transport input ssh
!
cns dhcp
end

Note:

* As you can see, the AP and the router each maintain their own configuration and their own IOS file
* To console into the AP, simply issue service-module wlan-ap 0 session from the router's CLI prompt. If you would rather telnet or ssh into the AP, simply connect to the AP's BVI1 IP address
* The AP's BVI1 and the router's VLAN1 interfaces share the same broadcast domain
* The router's FA4 interface is the Outside interface, while the FA0 to FA3 interfaces are the Inside interfaces
* There are two SSIDs; one is office with unrestricted access and the other is guest with restricted access only to the Internet

More Sample Configurations

Various PPPoE/PPPoA/DHCP/Static Sample Configuration with Cisco

Discussions

»[Config] Cisco 877W authenticated through radius but no traffic
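
How ACL 120 on the router's Vlan3 interface in the 881-W sample confines the guest SSID to the Internet, shown as an added example that is not part of the original FAQ: a small first-match evaluator with IOS wildcard-mask semantics, run over the ACL text from the page. The guest host address 10.0.1.154, the port numbers and the sample packets are constructed for illustration.

```python
import ipaddress

# ACL 120, copied from the 881-W router configuration on this page.
ACL_120 = """\
access-list 120 remark Wireless Guest Restriction
access-list 120 permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps
access-list 120 deny ip 10.0.1.152 0.0.0.7 10.0.0.0 0.255.255.255
access-list 120 deny ip 10.0.1.152 0.0.0.7 172.16.0.0 0.15.255.255
access-list 120 deny ip 10.0.1.152 0.0.0.7 192.168.0.0 0.0.255.255
access-list 120 permit ip 10.0.1.152 0.0.0.7 any
"""

# Only the two port keywords this ACL uses.
PORT_NAMES = {"bootps": 67, "bootpc": 68}


def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def _take_address(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (base, wildcard)."""
    first = tokens.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return _to_int(tokens.pop(0)), 0
    return _to_int(first), _to_int(tokens.pop(0))


def _take_port(tokens):
    """Consume an optional 'eq PORT' clause; return the port or None."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        name = tokens.pop(0)
        return PORT_NAMES[name] if name in PORT_NAMES else int(name)
    return None


def parse_acl(text):
    """Parse numbered extended ACL lines into a list of entry dicts."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list" or tokens[2] == "remark":
            continue
        rest = tokens[4:]
        entry = {"text": line.strip(), "action": tokens[2], "proto": tokens[3]}
        entry["src"] = _take_address(rest)
        entry["sport"] = _take_port(rest)
        entry["dst"] = _take_address(rest)
        entry["dport"] = _take_port(rest)
        entries.append(entry)
    return entries


def _addr_match(addr, spec):
    base, wildcard = spec
    # Wildcard bits set to 1 are "don't care"; every other bit must be equal.
    return ((_to_int(addr) ^ base) & ~wildcard & 0xFFFFFFFF) == 0


def evaluate(entries, proto, src, dst, sport=None, dport=None):
    """Return (action, matching line) using first-match semantics."""
    for entry in entries:
        if entry["proto"] not in ("ip", proto):
            continue
        if not (_addr_match(src, entry["src"]) and _addr_match(dst, entry["dst"])):
            continue
        if entry["sport"] is not None and entry["sport"] != sport:
            continue
        if entry["dport"] is not None and entry["dport"] != dport:
            continue
        return entry["action"], entry["text"]
    return "deny", "implicit deny at end of list"


# Constructed packets arriving inbound on Vlan3 (guest host assumed at 10.0.1.154).
SAMPLES = [
    ("DHCP discover", "udp", "0.0.0.0", "255.255.255.255", 68, 67),
    ("guest -> Internet DNS", "udp", "10.0.1.154", "8.8.8.8", 40000, 53),
    ("guest -> AP BVI1 (ssh)", "tcp", "10.0.1.154", "10.0.1.130", 40000, 22),
    ("guest -> office wireless", "tcp", "10.0.1.154", "10.0.1.146", 40000, 445),
    ("guest -> own gateway (ping)", "icmp", "10.0.1.154", "10.0.1.153", None, None),
    ("source outside guest subnet", "tcp", "10.0.1.146", "8.8.8.8", 40000, 443),
]


def run_samples():
    """Evaluate every constructed packet; return {name: action}."""
    acl = parse_acl(ACL_120)
    return {name: evaluate(acl, *packet)[0] for name, *packet in SAMPLES}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{verdict:6} {name}")
```

Because the first deny covers all of 10.0.0.0/8, packets addressed to the router's own Vlan3 address 10.0.1.153 and to the AP management address 10.0.1.130 are dropped along with the office subnets, while routed Internet traffic still passes.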
by aryoba

Example #1

Equipment used

* Two routers running IOS 12.3
* One PIX Firewall running OS 6.3(5)
* One Layer-3 Switch
* Three Access Points

Network Diagram

Notes:

* All routers, the Layer-3 switch, and the PIX Firewall run OSPF
* The purpose of using a dynamic routing protocol such as OSPF is to dynamically find the best default gateway of a specific subnet
* You can use any other dynamic routing protocol such as RIP or EIGRP if it is supported on all equipment
* From a routing perspective, all APs (Access Points) are seen as Layer-2 switches with no knowledge of dynamic routing protocols at all
* In this sample configuration, wireless G (54 Mbps) is used, although you can use wireless N (300 Mbps) whenever available

Objectives

* AP (Access Points) 1, 2, and 3 are fixed and establish the Wireless connection
* All communication between rooms goes over the Wireless connection
* Since no communication between rooms is in place without the Wireless connection, the Wireless connection is assumed to be, or called, the Wireless Backbone
* The three APs, the Layer-3 switch, Router 1, and the PIX Firewall are part of and make up the Wireless Backbone infrastructure
* Router 2 is solely for the ISP-2 connection and provides the ISP-2 default route to all LAN machines
* No wireless hosts such as laptops, PCs, printers, or servers
* All hosts are wired and connect to a switch at either Room 1, 2, or 3
* The wireless connection is solely used as Wireless Backbone with no wireless hosts
* AP 1 acts as Root Bridge, AP 2 acts as Workgroup Bridge, and AP 3 acts as Non-Root Bridge
* SSID is used as infrastructure SSID
* SSID is invisible to any wireless hosts or other AP (invisible during SSID scan)
* SSID is only visible and usable by AP 1, 2, and 3
* Encryption used is WPA Temporal Key Integrity Protocol (TKIP) over open authentication with PSK (pre-shared key)
* No DHCP pool over wireless since the wireless connection is solely used as Wireless Backbone with no wireless hosts
* The Wireless Backbone serves one subnet of 10.0.0.0/29; no VLAN, no trunking, and no other SSID use the radio
* All inter-room communication must go through the 10.0.0.0/29 subnet
* All Wireless Backbone devices (the three APs, the Layer-3 switch, Router 1, and the PIX Firewall) use up the available IP addresses within the 10.0.0.0/29 subnet. In addition, all of these Wireless Backbone devices are always up and running 24/7. These measures are required to minimize the possibility of an unknown or unauthorized wireless device becoming part of the Wireless Backbone infrastructure
* All Room 1 and 3 users should use ISP 1 as default gateway and only use ISP 2 when ISP 1 is unavailable
* Similarly, all Room 2 users and servers use ISP 2 as default gateway and only use ISP 1 when ISP 2 is unavailable
* Only machines within the 172.16.0.0/12 subnet are able to go out to the Internet. Other devices, such as APs, that use IP addresses outside the 172.16.0.0/12 subnet are unable to go out to the Internet, for security reasons
* There is only a DHCP pool from the PIX Firewall for wired machines that connect to the switch at Room 3. No DHCP pool for wired machines that connect to the switch at Room 1 or 2.

Sample Configuration

Router 1

version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime year
service timestamps log datetime msec localtime year
service password-encryption
!
hostname ISP-1
!
boot-start-marker
boot-end-marker
!
interface FastEthernet0/0
 description AP 1
 bandwidth 54000
 ip address 10.0.0.3 255.255.255.248
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip ospf cost 4
 duplex auto
 speed auto
 no cdp enable
!
interface FastEthernet0/1
 description Room 1 Users
 ip address 172.16.1.2 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no cdp enable
!
interface ATM0/0
 no ip address
 ip route-cache flow
 atm restart timer 300
 no atm ilmi-keepalive
 bundle-enable
 dsl operating-mode auto
 hold-queue 224 in
!
interface ATM0/0.35 point-to-point
 pvc 0/35
  pppoe-client dial-pool-number 1
 !
!
interface Dialer1
 description To ISP 1
 ip address 1.1.1.10 255.255.255.0
 ip verify unicast reverse-path
 no ip redirects
 no ip proxy-arp
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 2
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname *****
 ppp chap password 7 *******
 ppp pap sent-username ***** password 7 *****
 ppp ipcp dns request accept
 ppp ipcp route default
 ppp ipcp address accept
!
router ospf 10
 router-id 172.16.1.2
 log-adjacency-changes
 passive-interface Dialer1
 network 10.0.0.0 0.0.0.7 area 0
 network 1.1.1.1 0.0.0.255 area 0
 network 172.16.0.253 0.0.0.0 area 0
 network 172.16.1.0 0.0.0.255 area 0
 default-information originate metric-type 1
!
ip nat inside source list 110 interface Dialer1 overload
!
access-list 110 permit ip 172.16.0.0 0.15.255.255 any
dialer-list 2 protocol ip permit
!
line con 0
 stopbits 1
line aux 0
line vty 0 4
 exec-timeout 120 0
 length 0
 transport input ssh
!
end

AP 1

version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap1
!
dot11 syslog
!
dot11 ssid myplace
 authentication open
 authentication key-management wpa
 infrastructure-ssid
 wpa-psk ascii 7 **************************************************
!
bridge irb
!
!
interface Dot11Radio0
 description Wireless Backbone G 54 Mbps
 no ip address
 no ip route-cache
 !
 encryption mode ciphers tkip
 !
 ssid myplace
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root bridge
 rts threshold 2312
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 description Router 1 FA0/0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address 10.0.0.4 255.255.255.248
 no ip route-cache
!
ip default-gateway 10.0.0.1
no ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
!
bridge 1 route ip
!
!
!
line con 0
 logging synchronous
line vty 0 4
 logging synchronous
line vty 5 15
 logging synchronous
!
end

Router 2

version 12.3
no parser cache
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime year
service timestamps log datetime msec localtime year
service password-encryption
!
hostname ISP-2
!
boot-start-marker
boot-end-marker
!
bridge irb
!
interface FastEthernet0/0
 description Layer-3 Switch port 2
 ip address 10.0.1.4 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no cdp enable
!
interface ATM0/0
 no ip address
 ip route-cache flow
 atm restart timer 300
 no atm ilmi-keepalive
 bundle-enable
 dsl operating-mode auto
 hold-queue 224 in
!
interface ATM0/0.35 point-to-point
 bridge-group 1
 pvc 0/35
 !
!
interface BVI1
 description To ISP 2
 ip address 2.2.2.10 255.255.255.0
 no ip redirects
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
!
router ospf 10
 router-id 10.0.1.4
 log-adjacency-changes
 passive-interface BVI1
 network 10.0.1.0 0.0.0.255 area 0
 network 2.2.2.0 0.0.0.255 area 0
 network 172.16.0.254 0.0.0.0 area 0
 default-information originate metric-type 1
!
ip nat inside source list 110 interface BVI1 overload
!
access-list 110 permit ip 172.16.0.0 0.15.255.255 any
!
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
 exec-timeout 120 0
 logging synchronous
 stopbits 1
line aux 0
line vty 0 4
 exec-timeout 120 0
 logging synchronous
 length 0
 transport input ssh
!
end

Layer-3 Switch

version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Switch-A
!
ip subnet-zero
ip routing
!
spanning-tree mode pvst
spanning-tree extend system-id
!
interface FastEthernet0/1
 switchport access vlan 3
 switchport mode access
!
interface FastEthernet0/2
 description Router 2 FA0/0
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/3
 description AP 2
 switchport access vlan 4
 switchport mode access
!
interface FastEthernet0/4
 switchport access vlan 5
 switchport mode access
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan2
 description Management
 ip address 10.0.1.2 255.255.255.0
 ip ospf priority 10
!
interface Vlan3
 description Room 2 Servers
 ip address 172.16.0.2 255.255.255.240
 standby 3 ip 172.16.0.1
 standby 3 priority 105
 standby 3 preempt
!
interface Vlan4
 description Wireless Backbone
 bandwidth 54000
 ip address 10.0.0.1 255.255.255.248
 ip ospf cost 5
 ip ospf priority 10
 delay 100
!
interface Vlan5
 description Room 2 Users
 ip address 172.16.0.18 255.255.255.240
 standby 5 ip 172.16.0.17
 standby 5 priority 105
 standby 5 preempt
!
router ospf 10
 router-id 10.0.0.2
 log-adjacency-changes
 network 10.0.0.0 0.0.0.7 area 0
 network 10.0.1.0 0.0.0.255 area 0
 network 172.16.0.0 0.0.0.31 area 0
!
ip classless
!
line con 0
line vty 0 4
!
end

AP 2

version 12.3
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname ap2
!
dot11 syslog
!
dot11 ssid myplace
 authentication open
 authentication key-management wpa
 infrastructure-ssid
 wpa-psk ascii 7 ************************************************
!
bridge irb
!
!
interface Dot11Radio0
 description Wireless Backbone G 54 Mbps
 no ip address
 no ip route-cache
 !
 encryption mode ciphers tkip
 !
 ssid myplace
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role workgroup-bridge
 rts threshold 2312
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 description Layer-3 Switch port 3
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address 10.0.0.2 255.255.255.248
 no ip route-cache
!
ip default-gateway 10.0.0.1
no ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
!
bridge 1 route ip
!
!
!
line con 0
 logging synchronous
line vty 0 4
 logging synchronous
line vty 5 15
 logging synchronous
!
end

PIX Firewall

: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ***** encrypted
passwd **** encrypted
hostname pix
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group network Room3
  network-object 172.16.2.0 255.255.255.0
access-list nonat remark No NAT for any traffic
access-list nonat permit ip object-group Room3 any
pager lines 24
logging on
logging timestamp
logging console debugging
logging monitor debugging
logging buffered errors
logging trap notifications
logging history errors
logging facility 19
logging device-id hostname
mtu outside 1500
mtu inside 1500
ip address outside 10.0.0.5 255.255.255.248
ip address inside 172.16.2.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
pdm logging informational 100
pdm history enable
arp timeout 14400
nat (inside) 0 access-list nonat
router ospf 10
  router-id 10.0.0.6
  network 10.0.0.0 255.255.255.248 area 0
  network 172.16.2.0 255.255.255.0 area 0
  log-adj-changes
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt ipsec pl-compatible
isakmp enable outside
isakmp identity address
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 172.16.2.100-172.16.2.254 inside
dhcpd dns 68.87.64.196 68.87.66.196
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
: end

AP 3

version 12.3
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname ap3
!
dot11 syslog
!
dot11 ssid myplace
 authentication open
 authentication key-management wpa
 infrastructure-ssid
 wpa-psk ascii 7 ************************************************
!
bridge irb
!
!
interface Dot11Radio0
 description Wireless Backbone G 54 Mbps
 no ip address
 no ip route-cache
 !
 encryption mode ciphers tkip
 !
 ssid myplace
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role non-root bridge
 rts threshold 2312
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 description PIX Firewall Outside
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address 10.0.0.6 255.255.255.248
 no ip route-cache
!
ip default-gateway 10.0.0.1
no ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
!
bridge 1 route ip
!
!
!
line con 0
 logging synchronous
line vty 0 4
 logging synchronous
line vty 5 15
 logging synchronous
!
end

Notes:
* If both AP 2 and AP 3 are set to the Workgroup Bridge station role, then AP 1 does not need the Root Bridge station role; the Root role is enough.
* When an AP is set as Workgroup Bridge, the AP is still IP-reachable via the radio even though the FastEthernet interface port is up/down, assuming the Dot11Radio interface is up/up and the Dot11Radio and FastEthernet interfaces are in the same broadcast domain. In other words, the radio association stays intact when the FastEthernet interface port cable is disconnected.
* When an AP is set as Non-Root Bridge, the AP is not IP-reachable via the radio when the FastEthernet interface port is up/down, even assuming the Dot11Radio interface is up/up and the Dot11Radio and FastEthernet interfaces are in the same broadcast domain. In other words, the radio association is lost when the FastEthernet interface port cable is disconnected.

Some discussion
»Cisco Aironet 1231 AP - POS!!!
by aryoba

AP: 1130

Objective: You need to dedicate a subnet to specific wireless users. Each user group has its own SSID to specify which wireless network to join.

Assumptions
* Authentication used: open
* Authentication key: WPA
* SSID: not broadcast, which means that you have to manually enter the SSID and key on your wireless laptop (or any wireless machine) to join a specific wireless network
* SSID encryption: AES 128-bit key
* Wired Native VLAN 2
* Wireless Native VLAN 10

AP Management: 10.10.10.0/29
 VLAN 1
 Gateway: 10.10.10.4

Wired Internal: 10.10.10.8/29
 VLAN 2
 Gateway: 10.10.10.9

Wireless Guest: 192.168.100.0/24
 VLAN 202
 SSID: 230Guest
 Gateway: 192.168.100.1

Wireless Internal: 192.168.10.0/24
 VLAN 203
 SSID: internal
 Gateway: 192.168.10.4

Background

There is a need to set up two different wireless networks, one for internal use and another for guests. The internal wireless network has the same access privileges as the internal office wired network, while the guest network only has Internet access and has no access to the internal network whatsoever.

With this requirement, you need multiple SSIDs: one SSID for the internal wireless network and another SSID for the guest network. All of the SSIDs exist on each AP, meaning there must be multiple VLANs to support the multiple SSIDs. Dedicate one VLAN to each SSID and run a Layer-2 trunk between the AP and the switch the AP connects to. The trunk encapsulation protocol should be .1Q, which may be the only encapsulation protocol supported on the AP.

In this FAQ, the switch used is a Layer-3 switch to simplify the configuration. However, you could use a Layer-2 switch for the trunk between the AP and the switch. Should you use a Layer-2 switch for that purpose, you will need a Layer-3 device to do the routing, which could be a Layer-3 switch, a router, or a firewall.
When the AP connects to a Layer-3 switch and that Layer-3 switch terminates all of the AP VLANs, the Layer-3 switch needs rules stating which traffic from the wireless Guest network is allowed to flow through the network. In this FAQ, those rules are set by ACL 202. If the AP connects to a Layer-2 switch instead, the ACL 202 rules belong on the terminating Layer-3 device you use (Layer-3 switch, router, or firewall).

In addition, you need to create a DHCP environment for the Guest network so that any guest wireless laptop receives its IP address, default gateway, and DNS IP addresses automatically. You can set the Layer-3 switch as the DHCP server, as this FAQ shows. You can also have a dedicated DHCP server somewhere on your wired network in a different VLAN, which requires the ip helper-address command on the Layer-3 switch to let the DHCP UDP broadcasts go beyond the Guest VLAN 202.

Typically, for security and reliability purposes, you may want to use a different Native VLAN for each network. In this FAQ, it is assumed that you use VLAN 10 as the wireless Native VLAN and a different VLAN as the wired Native VLAN.

You should create subinterfaces on both the radio and the wired port of the AP for each wireless VLAN, as you see in this FAQ; however, there should be no need to create an SSID for all of those VLANs. An SSID is only needed for the actual wireless networks, which in this FAQ means only VLANs 202 (Guest network) and 203 (wireless Internal network).

Also for security purposes, no SSID should be broadcast. This way, you can avoid a situation where any wireless machine simply connects to the wireless network without your knowledge or without approval at all. When an SSID is not broadcast, the SSID name does not show in a wireless machine's SSID scan, so the SSID name and key must be entered manually.
In case you are unaware, the SSID name is the one stated in the dot11 ssid command and the associated SSID key is the one stated in the wpa-psk command.

Note that for wireless internal network connectivity, you may want to set your wireless laptop (or any wireless machine) to automatically connect to the internal SSID even though the SSID name is not broadcast. This way, you don't have to manually enter the SSID name and key every time you need to connect to the internal network wirelessly.

On some APs, you can only use VLAN 1 for AP management. You cannot remove VLAN 1 or the BVI1 interface of such an AP. Therefore you have no choice but to use the Layer-3 SVI VLAN 1 on the Layer-3 switch for AP management. This requirement may be a downside where your network policy prefers not to use VLAN 1 for anything. Should this requirement raise a concern, you then need to use a different AP that supports a non-VLAN 1 management VLAN, upgrade the AP code to support a non-VLAN 1 management VLAN, or implement a dedicated Layer-3 switch that is only for the APs while the rest of your network resources connect to a different switch.

Configurations

Switch Configuration

ip dhcp excluded-address 192.168.100.1
!
ip dhcp pool 230Guest
 network 192.168.100.0 255.255.255.0
 default-router 192.168.100.1
 dns-server 4.4.4.4 8.8.8.8
!
interface FastEthernet0/1
 description Trunk to Layer-2 switch
 switchport access vlan 2
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 2
 switchport mode trunk
!
interface FastEthernet0/8
 description Trunk to AP
 switchport access vlan 1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport trunk allowed vlan 1,10,202-203
 switchport mode trunk
!
interface Vlan1
 description AP Management
 ip address 10.10.10.4 255.255.255.248
!
interface Vlan2
 description Wired Management
 ip address 10.10.10.9 255.255.255.248
!
interface Vlan202
 description Guest Internet VLAN
 ip address 192.168.100.1 255.255.255.0
 ip access-group 202 in
!
interface Vlan203
 description Private VLAN
 ip address 192.168.10.4 255.255.255.0
!
access-list 202 remark Permitted traffic for Guest network
access-list 202 deny ip any 10.0.0.0 0.255.255.255
access-list 202 deny ip any 172.16.0.0 0.15.255.255
access-list 202 deny ip any 192.168.0.0 0.0.255.255
access-list 202 permit ip 192.168.100.0 0.0.0.255 any
!

AP Configuration

dot11 vlan-name Management_VLAN vlan 1
dot11 vlan-name Native_VLAN vlan 10
dot11 vlan-name Guest_VLAN vlan 202
dot11 vlan-name Private_WIFI_VLAN vlan 203
!
dot11 ssid 230Guest
 vlan 202
 authentication open
 authentication key-management wpa
 wpa-psk ascii 0 230Guest202
!
dot11 ssid internal
 vlan 203
 authentication open
 authentication key-management wpa
 wpa-psk ascii 0 internal203
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 202 mode ciphers aes-ccm
 !
 encryption vlan 203 mode ciphers aes-ccm
 !
 ssid 230Guest
 !
 ssid internal
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Dot11Radio0.1
 encapsulation dot1Q 1
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.10
 encapsulation dot1Q 10 native
 no ip route-cache
 bridge-group 10
 bridge-group 10 subscriber-loop-control
 bridge-group 10 block-unknown-source
 no bridge-group 10 source-learning
 no bridge-group 10 unicast-flooding
 bridge-group 10 spanning-disabled
!
interface Dot11Radio0.202
 encapsulation dot1Q 202
 no ip route-cache
 bridge-group 202
 bridge-group 202 subscriber-loop-control
 bridge-group 202 block-unknown-source
 no bridge-group 202 source-learning
 no bridge-group 202 unicast-flooding
 bridge-group 202 spanning-disabled
!
interface Dot11Radio0.203
 encapsulation dot1Q 203
 no ip route-cache
 bridge-group 203
 bridge-group 203 subscriber-loop-control
 bridge-group 203 block-unknown-source
 no bridge-group 203 source-learning
 no bridge-group 203 unicast-flooding
 bridge-group 203 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 hold-queue 160 in
!
interface FastEthernet0.1
 encapsulation dot1Q 1
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface FastEthernet0.10
 encapsulation dot1Q 10 native
 no ip route-cache
 bridge-group 10
 no bridge-group 10 source-learning
 bridge-group 10 spanning-disabled
!
interface FastEthernet0.202
 encapsulation dot1Q 202
 no ip route-cache
 bridge-group 202
 no bridge-group 202 source-learning
 bridge-group 202 spanning-disabled
!
interface FastEthernet0.203
 encapsulation dot1Q 203
 no ip route-cache
 bridge-group 203
 no bridge-group 203 source-learning
 bridge-group 203 spanning-disabled
!
interface BVI1
 ip address 10.10.10.3 255.255.255.248
 no ip route-cache
!
ip default-gateway 10.10.10.4
!
bridge 1 route ip
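
To see what ACL 202 does to traffic arriving on the Guest SVI, the following added example (not part of the original FAQ) models IOS first-match evaluation with wildcard masks and runs it over constructed sample flows. The function names and the sample flows are assumptions made for illustration; only the ACL text comes from the switch configuration above.

```python
import ipaddress

# ACL 202, copied from the switch configuration on this page.
ACL_202 = """\
access-list 202 remark Permitted traffic for Guest network
access-list 202 deny ip any 10.0.0.0 0.255.255.255
access-list 202 deny ip any 172.16.0.0 0.15.255.255
access-list 202 deny ip any 192.168.0.0 0.0.255.255
access-list 202 permit ip 192.168.100.0 0.0.0.255 any
"""

# Constructed sample flows (label, source, destination); not captured traffic.
SAMPLE_FLOWS = [
    ("guest to public DNS", "192.168.100.50", "4.4.4.4"),
    ("guest to wired gateway", "192.168.100.50", "10.10.10.9"),
    ("guest to internal Wi-Fi host", "192.168.100.50", "192.168.10.20"),
    ("guest to top of 172.16/12", "192.168.100.50", "172.31.255.254"),
    ("guest just above 172.16/12", "192.168.100.50", "172.32.0.1"),
    ("guest to its own gateway", "192.168.100.50", "192.168.100.1"),
    ("DHCP discover broadcast", "0.0.0.0", "255.255.255.255"),
    ("source outside guest subnet", "172.16.0.5", "8.8.8.8"),
]

def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def _take_addr(tokens):
    # Consume one address spec and return (base, wildcard) as integers.
    first = tokens.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return _to_int(tokens.pop(0)), 0
    return _to_int(first), _to_int(tokens.pop(0))

def parse_acl(text):
    """Turn 'access-list N permit|deny ip SRC DST' lines into ordered entries."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 5 or tokens[0] != "access-list" or tokens[2] == "remark":
            continue
        if tokens[3] != "ip":
            raise ValueError("only 'ip' entries are modelled: " + line)
        rest = tokens[4:]
        src, dst = _take_addr(rest), _take_addr(rest)
        entries.append((tokens[2], src, dst, line.strip()))
    return entries

def _matches(addr, spec):
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF  # wildcard bits set to 1 are "don't care"
    return (_to_int(addr) & care) == (base & care)

def evaluate(entries, src, dst):
    """Return (action, matching line): first match wins, then implicit deny."""
    for action, src_spec, dst_spec, line in entries:
        if _matches(src, src_spec) and _matches(dst, dst_spec):
            return action, line
    return "deny", "(implicit deny)"

if __name__ == "__main__":
    for label, src, dst in SAMPLE_FLOWS:
        action, line = evaluate(parse_acl(ACL_202), src, dst)
        print(f"{action:6} {label:30} {src} -> {dst}   [{line}]")
```

Two results stand out: the 192.168.0.0/16 deny also covers the guest gateway 192.168.100.1, and a DHCP discover (0.0.0.0 to 255.255.255.255) matches no permit entry and falls through to the implicit deny. The model only reports which entry a packet matches; how a given platform treats packets addressed to the switch itself should be confirmed on the device.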
by aryoba

A link to explain the IOS Upgrade Image. I would read the page linked above as there are minimum requirements to change your OS to IOS.

Below is a link outlining the method to upgrade the CISCO AIRONET MODEL AIR-AP-1220B-x-K9 Access Point from VXWorks to IOS after downloading the IOS Upgrade Image. Click me.

Here is the URL for the root page which leads to it: Cisco Aironet Conversion Tool for Cisco IOS Software, 1.0 Administrator Guide for Windows

NOTE: The upgrade is PERMANENT and cannot be undone. Once the AP is running IOS, there is no way of reverting back to VXWorks as the bootloader is overwritten.

After loading the upgrade image, you can then download ANY IOS (not only the aforementioned upgrade image) to the AP.

Covenant
by Covenant »[Info] How to configure PEAP to authenticate against Windows Dom »Wireless 881 user Authentication via Radius Connecting with WPA to Cisco Aironet 1200 based on IAS Radius on Windows 2003 Server
by aryoba »[HELP] How to check the AP usage connected to WLC? »[Config] Cisco 2112 WALN Controller unable to detect Aironet 125 »[Config] Cisco 2504 WLC help, long!!! »Difference between Wireless LAP images? »Cisco WLC 2106 AP compatability