50.8 Wireless

Wireless Forum FAQ
»Wireless Networking Forum FAQ

Discussions

»[Info] Meraki vs. Cisco WLC (Cloud vs. on Prem)
»Guest network best practices
»Features lost with autonomous mode on Cisco AP?
»Networking between buildings
»[Connection Sharing] Need to know best way to get internet 1,000 ft
»Is a WLC worth it?
»Configure Cisco 1811W to receive WI-FI
»how to properly do a wireless survey
»Block MAC Address on 3560 or 2960
»[Info] 1252 APs
»getting started with cisco
»[Info] Deploying wireless
»[H/W] Used cisco access point
»[H/W] Wireless recommendations with 802.1x VLAN Assignment
»Upgrading from 871w..Need suggestions for new router..

Sample Configurations

1. One integrated fixed AP/router with wired backbone network
»Cisco Forum FAQ »Wireless Router Sample Configuration

2. Three fixed AP as Wireless Backbone network for wired hosts
»Cisco Forum FAQ »Various sample configuration using Wireless as backbone network

by aryoba
last modified: 2017-01-23 11:52:30


Suggested prerequisite reading
»Cisco Forum FAQ »Things to expect when setup network for home or small business

1. Router with integrated ADSL module running PPPoE

As an illustration, the router used is a Cisco 1841 router with a wireless module. This sample configuration assumes the following:

* Qwest uses 0/32 as the VPI/VCI, which may not match your ISP's VPI/VCI value. Confirm the value with your ISP.
* ISP connection is DSL with PPPoE
* The router receives static IP address from ISP
* Default gateway is received from the ISP PPP negotiation
* There is a public server sitting behind the router, open to any inbound and outbound traffic
* There is NAT/PAT on the router between local subnet of 10.10.0.0/22 (behind the BVI, FA0/0, and FA0/1) and the ISP Public IP address (in front of the Dialer0 interface)
* Router is in IRB (Integrated Routing Bridging) mode
* The Wired LAN interfaces (FA0/0 and FA0/1) are Layer 3 interfaces, where the FA0/0 is the Inside (Trusted) and FA0/1 is the DMZ
* There is one "dumb switch" behind each one of the Wired LAN interfaces
* DMZ interface is set for servers
* Inside interface is set for local users' workstation and printers
* Workstations and printers receive dynamic IP addresses via DHCP within the 10.10.1.0/24 subnet
* Wireless users receive dynamic IP addresses via DHCP within the 10.10.3.0/24 subnet
* The Radio and BVI interfaces are within the same broadcast domain, where the BVI is the Layer 3 interface
* No layer 2 trunking to external network device
* Wireless encryption type is WPA

Sample Configuration



2. Router with integrated ADSL module running PPPoA

This sample configuration assumes the following:

* Qwest uses 0/32 as the VPI/VCI, which may not match your ISP's VPI/VCI value. Confirm the value with your ISP.
* ISP connection is DSL with PPPoA
* The router receives static IP address from ISP
* Default gateway is received from the ISP PPP negotiation
* There is a public server sitting behind the router, open to any inbound and outbound traffic
* There is NAT/PAT on the router between the local subnet 192.168.2.0/24 (behind the BVI as the Layer-3 interface, with FA0/0 - FA0/3 and the Radio interface as Layer-2 interfaces) and the ISP public IP address (in front of the Dialer0 interface)
* Router is in IRB (Integrated Routing Bridging) mode
* The Radio and BVI interfaces are within the same broadcast domain, where the BVI is the Layer 3 interface
* No layer 2 trunking to external network device
* The router is running IOS with the security feature set and has CBAC implemented as the IOS-based firewall

Sample Configuration



3. Router receiving Ethernet hand-off of external modem running DHCP

The following is another wireless router sample configuration, with these assumptions:

* ISP connection is Cable Internet or DSL with DHCP
* The router receives dynamic IP address from ISP
* Default gateway is received from the ISP DHCP negotiation
* There is NAT/PAT on the router between local subnet of 10.10.10.0/24 (behind the BVI, FA0-3, and Dot11Radio0) and the ISP Public IP address (in front of the FA4 interface)
* Router is in IRB (Integrated Routing Bridging) mode
* FA4 is Layer 3 WAN interface
* The Wired LAN interfaces (FA1, FA2 and FA3) are Layer 2 interfaces (integrated switch) that are members of VLAN 10
* The Wireless LAN subinterface (Dot11Radio0.10) is also a member of VLAN 10
* The Layer-3 interface BVI10 "integrates" the Wired and Wireless LAN
* All Wired and Wireless LAN machines receive dynamic IP addresses via DHCP within the 10.10.10.0/24 subnet (excluding 10.10.10.1 - 10.10.10.10)
* No layer 2 trunking to external network device
* Wireless encryption type is WPA
* The router is running IOS with the security feature set and has CBAC implemented as the IOS-based firewall

Sample Configuration



Cisco Wireless Router New Product Lines

1. 881-W model

The 881-W introduces a design where an integrated AP runs its own dedicated IOS image, separate from the router's IOS image. In this sample configuration, the integrated AP runs the ap801-k9w7-mx.124-25d.JA1 IOS image while the router runs the c880data-universalk9-mz.150-1.M8.bin IOS image.

Since the 881-W model supports wireless N, the internal Ethernet port is now Gigabit Ethernet instead of Fast Ethernet. This Gigabit Ethernet link shows up in both the AP configuration and the router configuration: a GigabitEthernet0 interface resides in the AP and a Wlan-GigabitEthernet0 interface resides in the router. The two Gigabit Ethernet ports are internally interconnected, similar to a setup where an external AP 1200's Fast Ethernet port is connected with a physical Ethernet cable to a non-wireless 871 router's Fast Ethernet port.

This internal interconnection between the two Gigabit Ethernet ports can be treated as a regular switch access or trunk port. As with a regular switch port, by default both Gigabit Ethernet ports are set as access ports passing only the default VLAN, which is VLAN 1. Should you plan to create multiple SSIDs over the same dot11radio interface, the Gigabit Ethernet ports must be set as trunk ports.

Following is the sample configuration.

Router



AP



Note:

* As you can see, the AP and the router each maintain their own configuration and their own IOS file
* To console into the AP, issue service-module wlan-ap 0 session from the router's CLI prompt. If you would rather telnet or SSH into the AP, connect to the AP's BVI1 IP address
* The AP's BVI1 and the router's VLAN1 interfaces share the same broadcast domain
* The router's FA4 interface is the Outside interface, while the FA0 to FA3 interfaces are the Inside interfaces
* There are two SSIDs: office, with unrestricted access, and guest, with access restricted to the Internet only

More Sample Configurations
Various PPPoE/PPPoA/DHCP/Static Sample Configuration with Cisco

Discussions

»[Config] Cisco 871W Configuration
»[Config] Cisco 877W authenticated through radius but no traffic
»SSID not visible on Mac, but is on phone

by aryoba
last modified: 2015-08-21 08:40:16

Two ISP using OSPF to find best default route

Example #1

Equipment used
* Two routers running IOS 12.3
* One PIX Firewall running OS 6.3(5)
* One Layer-3 Switch
* Three Access Points

Network Diagram

Notes:
* All routers, the Layer-3 switch, and the PIX Firewall run OSPF
* The purpose of using a dynamic routing protocol such as OSPF is to dynamically find the best default gateway for a specific subnet
* You can use any other dynamic routing protocol, such as RIP or EIGRP, if it is supported on all equipment
* From a routing perspective, all APs (Access Points) are seen as Layer-2 switches with no knowledge of dynamic routing protocols at all
* In this sample configuration, wireless G (54 Mbps) is used, although you can use wireless N (300 Mbps) whenever available

Objectives
* APs (Access Points) 1, 2, and 3 are fixed and establish the Wireless connection
* All communication between rooms goes over the Wireless connection
* Since no communication between rooms is possible without the Wireless connection, the Wireless connection is treated as, and called, the Wireless Backbone
* The three APs, the Layer-3 switch, Router 1, and the PIX Firewall are part of and make up the Wireless Backbone infrastructure
* Router 2 is solely for the ISP-2 connection and provides the ISP-2 default route to all LAN machines
* No wireless hosts such as laptops, PCs, printers, or servers
* All hosts are wired and connect to the switch in Room 1, 2, or 3
* The wireless connection is used solely as the Wireless Backbone, with no wireless hosts
* AP 1 acts as Root Bridge, AP 2 acts as Workgroup Bridge, and AP 3 acts as Non-Root Bridge
* The SSID is used as an infrastructure SSID
* The SSID is invisible to any wireless hosts or other APs (invisible during an SSID scan)
* The SSID is only visible to and usable by AP 1, 2, and 3
* Encryption used is WPA Temporal Key Integrity Protocol (TKIP) over open authentication with a PSK (pre-shared key)
* No DHCP pool over wireless, since the wireless connection is used solely as the Wireless Backbone with no wireless hosts
* The Wireless Backbone serves one subnet, 10.0.0.0/29; no VLANs, no trunking, and no other SSID use the radio
* All inter-room communication must go through the 10.0.0.0/29 subnet
* All Wireless Backbone devices (the three APs, the Layer-3 switch, Router 1, and the PIX Firewall) use up all available IP addresses within the 10.0.0.0/29 subnet. In addition, all of these Wireless Backbone devices are always up and running 24/7. These measures are meant to minimize the possibility of an unknown or unauthorized wireless device becoming part of the Wireless Backbone infrastructure
* All Room 1 and 3 users should use ISP 1 as their default gateway and only use ISP 2 when ISP 1 is unavailable
* Similarly, all Room 2 users and servers use ISP 2 as their default gateway and only use ISP 1 when ISP 2 is unavailable
* Only machines within the 172.16.0.0/12 subnet are able to reach the Internet. Other devices such as the APs, which use IP addresses outside 172.16.0.0/12, cannot reach the Internet, for security reasons
* The only DHCP pool is on the PIX Firewall, for wired machines that connect to the switch in Room 3. There is no DHCP pool for wired machines that connect to the switch in Room 1 or 2.

Sample Configuration

Router 1



AP 1



Router 2



Layer-3 Switch



AP 2



PIX Firewall



AP 3



Notes:

* If both AP 2 and AP 3 station roles are set to Workgroup Bridge, then the AP 1 station role does not need to be Root Bridge, since Root is enough.
* When an AP is set as Workgroup Bridge, the AP is still IP-reachable via the radio while its FastEthernet port is up/down, assuming the Dot11Radio interface is up/up and the Dot11Radio and FastEthernet interfaces are in the same broadcast domain. In other words, the radio association stays intact while the FastEthernet cable is disconnected.
* When an AP is set as Non-Root Bridge, the AP is not IP-reachable via the radio while its FastEthernet port is up/down, even with the Dot11Radio interface up/up and the Dot11Radio and FastEthernet interfaces in the same broadcast domain. In other words, the radio association is lost when the FastEthernet cable is disconnected.

Discussion
»Cisco Aironet 1231 AP - POS!!!

by aryoba
last modified: 2015-08-17 15:40:21

Switch: Catalyst 3550
AP: 1130

Objective:
You need to dedicate a subnet to a specific set of wireless users. Each set of users has its own SSID, which specifies which wireless network to join.

Assumptions

Authentication used: open
Authentication key management: WPA
SSID: not broadcast -> this means you have to enter the SSID and key manually on your wireless laptop (or any wireless machine) to be on a specific wireless network
SSID encryption: AES 128-bit key

Wired Native VLAN 2

Wireless Native VLAN 10

AP Management: 10.10.10.0/29 VLAN 1
Gateway: 10.10.10.4

Wired Internal: 10.10.10.8/29 VLAN 2
Gateway: 10.10.10.9

Wireless Guest: 192.168.100.0/24 VLAN 202
SSID: 230Guest
Gateway: 192.168.100.1

Wireless Internal: 192.168.10.0/24 VLAN 203
SSID: internal
Gateway: 192.168.10.4

Background

There is a need to set up two different wireless networks, one for internal use and another for guests. The internal wireless network has the same access privileges as the internal office wired network, while the guest network only has Internet access and no access to the internal network whatsoever.

With this requirement, you need multiple SSIDs, where one SSID is for the internal wireless network and another is for the guest network. All of the SSIDs exist on each AP, meaning there must be multiple VLANs to support the multiple SSIDs. Dedicate one VLAN to each SSID and run a Layer-2 trunk between the AP and the switch the AP connects to. The trunk encapsulation protocol should be 802.1Q, which may be the only encapsulation protocol supported on the AP.

In this FAQ, the switch used is a Layer-3 switch for configuration simplicity. However, you could use a Layer-2 switch for trunking between the AP and the switch. Should you use a Layer-2 switch for that purpose, you will need a Layer-3 device to do the routing, which could be a Layer-3 switch, a router, or a firewall.

Assuming we use a Layer-3 switch to connect to the AP and terminate all AP VLANs on it, the Layer-3 switch needs rules permitting which traffic from the wireless Guest network is allowed to flow through the network. In this FAQ, such rules are set by ACL 202, applied inbound on the Guest VLAN interface. If the AP connects to a Layer-2 switch instead, the ACL 202 rule belongs on the terminating Layer-3 device you use (Layer-3 switch, router, or firewall).

In addition, you need to create a DHCP environment for the Guest network so that any guest wireless laptop receives an IP address, default gateway, and DNS server addresses automatically. You can set the Layer-3 switch as the DHCP server, as this FAQ shows. You can also have a dedicated DHCP server elsewhere on your wired network in a different VLAN, which requires the ip helper-address command on the Layer-3 switch so that the DHCP UDP broadcasts are forwarded beyond the Guest VLAN 202.

Typically, for security and reliability purposes, you may want to use a different Native VLAN for each network. In this FAQ, it is assumed that you use VLAN 10 as the wireless Native VLAN and a different VLAN as the wired Native VLAN.

You should create subinterfaces on both the radio and the wired port for each wireless VLAN on the AP, as you see in this FAQ; however, there is no need to create an SSID for all of those VLANs. An SSID is only needed for the actual wireless networks, which in this FAQ are only VLANs 202 (Guest network) and 203 (wireless Internal network).

Also for security purposes, no SSID should be broadcast. This way, you can avoid a situation where any wireless machine simply connects to the wireless network without your knowledge or approval. When the SSID is not broadcast, the SSID name will not show in a wireless machine's SSID scan, hence it requires manual entry of the SSID name and key. In case you are unaware, the SSID name is the one stated in the dot11 ssid command and the associated SSID key is the one stated in the wpa-psk command. Keep in mind that a non-broadcast SSID only hides the name from casual scans; clients still send it in their probe and association frames, so the WPA pre-shared key, not the hidden name, is what actually keeps unapproved machines off the network.

Note that for the wireless internal network, you may want to set your wireless laptop (or any wireless machine) to connect automatically to the internal SSID even though the SSID name is not broadcast. This way, you don't have to enter the SSID name and key manually every time you need to connect to the internal network wirelessly.

On some APs, you can only use VLAN 1 for AP management; you cannot remove VLAN 1 or the BVI1 interface on such an AP. Therefore you have no choice but to use the Layer-3 SVI for VLAN 1 on the Layer-3 switch for AP management. This requirement may seem a downside where your network policy prefers not to use VLAN 1 for anything. Should this requirement raise a concern, you need to use a different AP that supports a non-VLAN-1 management VLAN, upgrade the AP code to support a non-VLAN-1 management VLAN, or implement a dedicated Layer-3 switch that is only for APs while the rest of your network resources connect to a different switch.

Configurations

Switch Configuration

ip dhcp excluded-address 192.168.100.1
!
ip dhcp pool 230Guest
 network 192.168.100.0 255.255.255.0
 default-router 192.168.100.1
 dns-server 4.4.4.4 8.8.8.8
!
interface FastEthernet0/1
 description Trunk to Layer-2 switch
 switchport access vlan 2
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 2
 switchport mode trunk
!
interface FastEthernet0/8
 description Trunk to AP
 switchport access vlan 1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport trunk allowed vlan 1,10,202-203
 switchport mode trunk
!
interface Vlan1
 description AP Management
 ip address 10.10.10.4 255.255.255.248
!
interface Vlan2
 description Wired Management
 ip address 10.10.10.9 255.255.255.248
!
interface Vlan202
 description Guest Internet VLAN
 ip address 192.168.100.1 255.255.255.0
 ip access-group 202 in
!
interface Vlan203
 description Private VLAN
 ip address 192.168.10.4 255.255.255.0
!
access-list 202 remark Permitted traffic for Guest network
access-list 202 deny ip any 10.0.0.0 0.255.255.255
access-list 202 deny ip any 172.16.0.0 0.15.255.255
access-list 202 deny ip any 192.168.0.0 0.0.255.255
access-list 202 permit ip 192.168.100.0 0.0.0.255 any
!
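To see what ACL 202 actually lets a guest do, the following added example (not part of the FAQ) evaluates the ACL text above the way IOS does: first match wins, a wildcard bit of 1 means "don't care", and anything that matches no line hits the implicit deny. It is standard-library Python; the sample flows at the bottom are constructed.

```python
import ipaddress

# ACL 202 copied verbatim from the switch configuration above.
ACL_202 = """
access-list 202 remark Permitted traffic for Guest network
access-list 202 deny ip any 10.0.0.0 0.255.255.255
access-list 202 deny ip any 172.16.0.0 0.15.255.255
access-list 202 deny ip any 192.168.0.0 0.0.255.255
access-list 202 permit ip 192.168.100.0 0.0.0.255 any
"""

def _address_spec(tokens):
    """Consume one IOS address spec: 'any', 'host A.B.C.D' or 'ADDR WILDCARD'.
    Returns (address, care_mask, remaining_tokens); care_mask has a 1 bit
    wherever the packet address must equal the ACL address."""
    if tokens[0] == "any":
        return 0, 0, tokens[1:]
    if tokens[0] == "host":
        return int(ipaddress.IPv4Address(tokens[1])), 0xFFFFFFFF, tokens[2:]
    addr = int(ipaddress.IPv4Address(tokens[0]))
    wildcard = int(ipaddress.IPv4Address(tokens[1]))
    # A wildcard bit of 1 means "don't care", so the care mask is its inverse.
    return addr, ~wildcard & 0xFFFFFFFF, tokens[2:]

def parse_acl(text):
    """Parse numbered extended 'ip' entries into an ordered list of
    (action, (src_addr, src_care), (dst_addr, dst_care)) tuples."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list" or tokens[2] == "remark":
            continue
        action, proto = tokens[2], tokens[3]
        if proto != "ip":
            raise ValueError(f"only protocol 'ip' entries are handled: {line}")
        src_addr, src_care, rest = _address_spec(tokens[4:])
        dst_addr, dst_care, _ = _address_spec(rest)
        entries.append((action, (src_addr, src_care), (dst_addr, dst_care)))
    return entries

def _matches(ip, spec):
    addr, care = spec
    return (int(ipaddress.IPv4Address(ip)) & care) == (addr & care)

def evaluate(entries, src, dst):
    """Return the action of the first matching entry, or IOS's implicit deny."""
    for action, src_spec, dst_spec in entries:
        if _matches(src, src_spec) and _matches(dst, dst_spec):
            return action
    return "deny (implicit)"

if __name__ == "__main__":
    acl = parse_acl(ACL_202)
    # Constructed sample flows: a guest client reaching the Internet, the wired
    # VLANs, its own gateway, and a packet with a non-guest source address.
    for src, dst in [("192.168.100.50", "8.8.8.8"), ("192.168.100.50", "10.10.10.9"),
                     ("192.168.100.50", "192.168.10.20"), ("192.168.100.50", "192.168.100.1"),
                     ("10.10.10.42", "8.8.8.8")]:
        print(f"{src:>16} -> {dst:<16} {evaluate(acl, src, dst)}")
```

Two results worth noticing: a packet with a source outside 192.168.100.0/24 matches nothing and is dropped by the implicit deny, and a guest's ping to its own gateway 192.168.100.1 is denied because it falls inside the 192.168.0.0/16 line, while forwarding to the Internet is unaffected since routed packets are matched on their final destination.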

AP Configuration

dot11 vlan-name Management_VLAN vlan 1
dot11 vlan-name Native_VLAN vlan 10
dot11 vlan-name Guest_VLAN vlan 202
dot11 vlan-name Private_WIFI_VLAN vlan 203
!
dot11 ssid 230Guest
 vlan 202
 authentication open
 authentication key-management wpa
 wpa-psk ascii 0 230Guest202
!
dot11 ssid internal
 vlan 203
 authentication open
 authentication key-management wpa
 wpa-psk ascii 0 internal203
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 202 mode ciphers aes-ccm
 !
 encryption vlan 203 mode ciphers aes-ccm
 !
 ssid 230Guest
 !
 ssid internal
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Dot11Radio0.1
 encapsulation dot1Q 1
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.10
 encapsulation dot1Q 10 native
 no ip route-cache
 bridge-group 10
 bridge-group 10 subscriber-loop-control
 bridge-group 10 block-unknown-source
 no bridge-group 10 source-learning
 no bridge-group 10 unicast-flooding
 bridge-group 10 spanning-disabled
!
interface Dot11Radio0.202
 encapsulation dot1Q 202
 no ip route-cache
 bridge-group 202
 bridge-group 202 subscriber-loop-control
 bridge-group 202 block-unknown-source
 no bridge-group 202 source-learning
 no bridge-group 202 unicast-flooding
 bridge-group 202 spanning-disabled
!
interface Dot11Radio0.203
 encapsulation dot1Q 203
 no ip route-cache
 bridge-group 203
 bridge-group 203 subscriber-loop-control
 bridge-group 203 block-unknown-source
 no bridge-group 203 source-learning
 no bridge-group 203 unicast-flooding
 bridge-group 203 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 hold-queue 160 in
!
interface FastEthernet0.1
 encapsulation dot1Q 1
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface FastEthernet0.10
 encapsulation dot1Q 10 native
 no ip route-cache
 bridge-group 10
 no bridge-group 10 source-learning
 bridge-group 10 spanning-disabled
!
interface FastEthernet0.202
 encapsulation dot1Q 202
 no ip route-cache
 bridge-group 202
 no bridge-group 202 source-learning
 bridge-group 202 spanning-disabled
!
interface FastEthernet0.203
 encapsulation dot1Q 203
 no ip route-cache
 bridge-group 203
 no bridge-group 203 source-learning
 bridge-group 203 spanning-disabled
!
interface BVI1
 ip address 10.10.10.3 255.255.255.248
 no ip route-cache
!
ip default-gateway 10.10.10.4
!
bridge 1 route ip
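The one-VLAN-per-SSID trunk described in the Background above is easy to break quietly: a VLAN pruned from the switch's allowed list, or a native VLAN that differs between the two ends. The following added example (not part of the FAQ) reads the relevant fragments of the two configurations above and reports such inconsistencies; it is standard-library Python and assumes the AP's FastEthernet0 is the uplink to the switch trunk.

```python
import re
# Fragments copied from the configurations above (the Dot11Radio0 subinterfaces mirror FastEthernet0's).
SWITCH_TRUNK = """
interface FastEthernet0/8
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport trunk allowed vlan 1,10,202-203
 switchport mode trunk
"""

AP_UPLINK = """
dot11 ssid 230Guest
 vlan 202
dot11 ssid internal
 vlan 203
interface FastEthernet0.1
 encapsulation dot1Q 1
interface FastEthernet0.10
 encapsulation dot1Q 10 native
interface FastEthernet0.202
 encapsulation dot1Q 202
interface FastEthernet0.203
 encapsulation dot1Q 203
"""

def expand_vlan_list(spec):
    """Expand an IOS allowed-VLAN list such as '1,10,202-203' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_switch_trunk(text):
    """Return the trunk's native VLAN and allowed set (IOS defaults: 1 and all VLANs)."""
    allowed = re.search(r"switchport trunk allowed vlan (\S+)", text)
    native = re.search(r"switchport trunk native vlan (\d+)", text)
    return {"native": int(native.group(1)) if native else 1,
            "allowed": expand_vlan_list(allowed.group(1)) if allowed else set(range(1, 4095))}

def parse_ap_uplink(text):
    """Return (tagged VLAN set, native VLAN or None, {ssid: vlan}) from AP config text."""
    tagged, native, ssids, ssid = set(), None, {}, None
    for line in text.splitlines():
        if m := re.match(r"dot11 ssid (\S+)", line):
            ssid = m.group(1)
        elif line.startswith("interface"):
            ssid = None                       # left the SSID block
        elif ssid and (m := re.match(r"\s+vlan (\d+)", line)):
            ssids[ssid] = int(m.group(1))
        elif m := re.match(r"\s+encapsulation dot1Q (\d+)( native)?", line):
            tagged.add(int(m.group(1)))
            if m.group(2):
                native = int(m.group(1))
    return tagged, native, ssids

def check_trunk(switch_text, ap_text):
    """List inconsistencies between the two ends of the trunk; empty means they agree."""
    switch = parse_switch_trunk(switch_text)
    tagged, native, ssids = parse_ap_uplink(ap_text)
    findings = []
    for vlan in sorted(tagged - switch["allowed"]):
        findings.append(f"VLAN {vlan} is tagged on the AP uplink but pruned on the switch trunk")
    if native != switch["native"]:
        # Native-VLAN frames travel untagged, so a mismatch silently joins two VLANs.
        findings.append(f"native VLAN mismatch: AP {native} vs switch {switch['native']}")
    for name, vlan in ssids.items():
        if vlan not in tagged:
            findings.append(f"SSID {name} maps to VLAN {vlan}, which the uplink does not carry")
    return findings
```

Run against the fragments as given, check_trunk returns an empty list; change the switch side to "native vlan 1" or drop 203 from the allowed list and it names the problem.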

by aryoba
last modified: 2011-08-11 12:27:26

You will need to download from CCO an UPGRADE IOS IMAGE, not the general IOS image. The name of the image is AIR-AP1220-IOS-UPGRD.

A link to explain the IOS Upgrade Image.

I would read the page linked above as there are minimum requirements to change your OS to IOS.

Below is a link outlining the method to upgrade the CISCO AIRONET MODEL AIR-AP-1220B-x-K9 Access Point from VXWorks to IOS after downloading the IOS Upgrade Image.

Click me.

Here is the URL for the root page which leads to it:

Cisco Aironet Conversion Tool for Cisco IOS Software, 1.0 Administrator Guide for Windows

NOTE: The upgrade is PERMANENT and cannot be undone. Once the AP is running IOS, there is no way of reverting back to VxWorks, as the bootloader is overwritten.

After loading the upgrade image, you can then download ANY IOS (not only the aforementioned upgrade image) to the AP.



Covenant

by Covenant, edited by aryoba
last modified: 2006-09-12 05:51:49

»[HELP] ap 1200 RADIUS auth
»[Info] How to configure PEAP to authenticate against Windows Dom
»Wireless 881 user Authentication via Radius
Connecting with WPA to Cisco Aironet 1200 based on IAS Radius on Windows 2003 Server

by aryoba
last modified: 2012-11-20 13:06:56

Introduction

A wireless LAN controller (WLC) is not required to have a working AP, even when multiple APs are present; the consequence is that you have to manage each AP manually, and wireless clients can only connect to a single AP (no roaming feature).

An AP has two modes, Autonomous and Lightweight. Autonomous is basically non-WLC mode; you have to be versed in the IOS CLI to manage it. Lightweight is WLC mode; you have to use a WLC to manage the AP.

Joining an AP to a WLC typically requires the following:
* AP model compatibility with the WLC specification
* The AP is set up with a static IP address on its BVI1 (management) interface, assuming DHCP services are not in place to assign an IP address to the AP in question
Once the AP joins the WLC, the AP automatically downloads and installs what it needs: the IOS image version, the configuration, and of course client connectivity. In other words, you don't need to push a full-blown setup onto the AP manually if you plan to join it to a WLC; the WLC takes care of that automatically.

Discussion

Controllers

»AP and wireless controller
»Cisco wireless lan controller help, how do I setup a new ssid with pas
»[HELP] How to check the AP usage connected to WLC?
»[Config] Cisco 2112 WALN Controller unable to detect Aironet 125
»[HELP] AP cannot join WLC
»[Config] Cisco 2504 WLC help, long!!!
»Cisco WLC 2106 AP compatability
»[HELP] SOLVED Help with a WLC firmware upgrade UPDATE.

AP

802.11ac
3702i autonomous - cannot enable >20MHz channels due to isolated channel

General
»Cisco AP upgrade tool alternative
»Difference between Wireless LAP images?
»Cisco AIR-CAP2602I

Features

»[Config] autonomous fast roaming?

by aryoba
last modified: 2016-09-26 17:06:16

»[Info] 802.11AC quick 'n' dirty testing.
»[Info] Convert 1262 to autonomous
»Cisco 1142 access point problems

by aryoba
last modified: 2015-10-23 12:43:20