Cisco 1941w basic configuration

Unanswered Question
Jun 21st, 2010

I've done quite a bit of work with Cisco kit before (it isn't my speciality, however) and am currently working on setting up the embedded Access Point in a Cisco 1941w ISR.

The primary router is working fine, but I'm getting no where with the embedded Access Point. The whole IOS within an IOS just doesn't compute for me.


Our requirements are really simple.

We have a 10.0.0.0/24 internal network. We want users to be able to access this via the 1941w Wireless Access Point, in the same way that wired users access this via the Ethernet port.

The manual re. setting up the AP isn't a lot of help. It gives an example where IP addresses are applied to the AP, which doesn't make sense to me, as we simple want the AP to sit on the same VLAN as the ethernet port.

Could anyone give me some really basic pointers re. how the AP is supposed to interface with the primary router? Or better still, could someone share a sample config with me?

Also, we want to use a WPA secret key to authenticate to AP. Is this possible? The Cisco docs seem to suggest that WPA is only possible through some 3rd party server.

G

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Average Rating: 3.8 (4 ratings)
surbg Mon, 06/21/2010 - 09:57

Hi Garreth,

No problem at all... below are the configuration that we wanna configure to ge tthe wireless up and running...


Issue the following commands on the routed CLI..

router(config)# interface wlan-ap0
router(config-if)#ip unnumbered vlan# (# is Vlan number that we are using foor the wired as well as per your problem description that is 10.0.0.0/24)

I hope the Interace Vlan is already present for 10.0.0.0/24

No we need to get into the AP module from the router by issuing the command.

router#service-module wlan-ap 0 session

router# service-module wlan-ap0 session
Trying 10.21.0.20, 2002 ... Open

USERNAME: cisco (to be used to get into the AP module)
PASSWORD: cisco (to be used to get into the AP module)

AP>en
Password: cisco
AP#conf t
AP(config)#inr bvi 1
AP(config-if)#ip address xxx.xxx.xxx.xxx 255.255.255.255.0 (xxx.xxx.xxx.xxx = Ip address in the same range of interface vlan that we have used on the router).
AP(config-if)#no shut.
AP(config-if)#end
AP#wr

>> Now type the IP address of the BVI interafce on the browser, you will be prompted for the username and the password..

Username: "Cisco" or "cisco"
Password: "Cisco" or "cisco"

Now you will be able to see the GUI of the AP..

from the GUI follow the below steps..

>> Setting the SSID.

1. SECURITY >> SSID MANAGER >> NEW >> CHECK THE RADIO INTERFACE >> SCROLL TO THE BOTTOM >> HIT APPLY (for both).

>> Setting the Encryption.

2. SECURITY >> ENCRYPTION MANAGER >> CHECK "CHIPHERS" IN THE DROP DOWN SELECT "TKIP" >> HIT APPLY.

>> Setting WPA-PSK.

3. SECURITY >> SSID MANAGER >> SCROLL DOWN TILL U SEE KEY-MANAGEMENT >> IN THE DROP DOWN SELECT "MANDATORY" >> CHECK "WPA" >> ENTER THE "WPA-PSK" KEY >> SCROL DOWN >> HIT APPLY.

>> Getting the interafce up.

4. INTERFACE CONFIGURATIONS >> G-RADIO >> SETTINGS >> CHECK "ENABLE" >> SCROLL DOWN AND HIT APPLY.

>> we are done we are good to connect to the wireless with G-speeds (54Mbps).

This will resolve the issue..

Regards
Surendra


nightbluefruit Mon, 06/21/2010 - 10:19

OK. Thanks for this. I had been trying to set this up with the CLI interface, but I'll give the GUI a try. Anything for an easy life.

Just one thing:

For the BVI 1 interface, I can give this a 10.0.0.0/24 address, right?

G

surbg Mon, 06/21/2010 - 10:23

10.0.0.0/24 will be the network address right?? what is the interface vlan ip address used on the router??

surbg Mon, 06/21/2010 - 10:25

i mena, if you have given 10.1.1.1 for valn, then you can provide 10.1.1.2 for the bvi

surbg Mon, 06/21/2010 - 10:27

let me know if the above is not clear.. will help u out.

surbg Mon, 06/21/2010 - 10:41

any updates??? are we configuring the device now?

nightbluefruit Mon, 06/21/2010 - 12:17

I haven't given the Vlan on the primary router an ip address yet.

Based on your advice, I can do:

Primary Router ethernet: 10.0.0.1/24

Vlan 1: 10.1.1.1/24

BVI 1: 10.1.1.2/24

wlan-ap0: ip unnumbered Vlan 1

Which will give my wireless clients access to the 10.0.0.0/24 network via the ap.

Right?

I won't actually be configuring the router until 2moro when I am on site.

thx

G

surbg Mon, 06/21/2010 - 23:21

vlan 1 = 10.0.0.1 255.255.255.0

BVI 1 = 10.0.0.2 255.255.255.0

configure the DHCP pool for the same network.. then the clients can access 10.0.0.0/24 network..

nightbluefruit Tue, 06/22/2010 - 02:05

Hmmm....

The LAN interface on my router has the address 10.0.0.1/24

I can't give another interface on the router an address on that network, because then routing won't work.

At the moment, I have:

Primary Router LAN address: 10.0.0.1/24

VLAN 1: 10.1.1.1/24

BVI1: 10.1.1.2/24


This allows me to access http://10.1.1.2, which prompts for a un/pw. I enter Cisco/Cisco and am logged in.

However, all I see is a HTML enter button in the centre of the page which does nothing.

The HTML source for this page shows a garbled HTML form which appears to contain the output of a 'show ip in brief' command.

I've never liked working with Cisco GUIs. They really suck.

nightbluefruit Tue, 06/22/2010 - 11:44

I'm beginning to think that I am the only person in the world who owns one of these routers.

There are no sample configs for this device on the Cisco site.

There are only 2 or 3 threads across the entire Internet that deal with this device.

The documentation provided by Cisco is hopeless.

The CLI for this device has changed from previous Cisco AP devices so they can be used either.

This device is in fact 2 devices:

1 router

1 access point (you access the access point IOS via the router IOS)

The router has 2 standard ethernet ports (GE0/0 GE 0/1), but there are 4 other ports whose function is a complete mystery to me.

Vlan1

wlan-GigabitEthernet0/0

wplan0

Dialer

The access point then has 4 interfaces:

2 x radio interfaces

1 GigabitEthernet Interface

1 BVI interface

So basically we have 10 separate interfaces to deal with to get wireless clients access to a wired ethernet!!!

I've attached my configs here. If anyone could shed any light that would be great. I can't believe that Cisco would issue such a complex product with such flaky documentation. I'm not a Cisco Expert, but I am a CCNA, and it shouldn't take this to allow an end user make a wireless connection to a LAN. I could go down to PC World and buy a €69 wireless router that would have everything up and running within 20 minutes.

Router Config:

############

version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname mttrouter
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$6.OP$5McpTtj/2w4LYqXB7k4mI.
!
no aaa new-model
service-module wlan-ap 0 bootimage autonomous
!
no ipv6 cef
ip source-route
ip cef
!
!
no ip dhcp conflict logging
!
!
no ip domain lookup
ip domain name yourdomain.com
multilink bundle-name authenticated
!
!
crypto pki trustpoint TP-self-signed-591225321
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-591225321
revocation-check none
rsakeypair TP-self-signed-591225321

!        
username admin privilege 15 secret 5 $1$9MsY$9XepXCWCE.X.0J.yJXW6v.
!        
!        
!        
class-map match-all voice-traffic
match access-group name voip-sip-rtp
class-map match-all voice-signalling
match access-group name voip-sip-signalling
!        
!        
policy-map qos-voice
class voice-traffic
    priority 240
class voice-signalling
    bandwidth 16
    fair-queue
!        
interface Wlan-GigabitEthernet0/0
description Internal switch interface connecting to the embedded AP
!        
interface GigabitEthernet0/0
ip address x.x.x.42 255.255.255.248
ip access-group to-lan in
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
service-policy output qos-voice
!        
interface wlan-ap0
description Service module interface to manage the embedded AP
ip unnumbered Vlan1
arp timeout 0
no mop enabled
no mop sysid
!        
interface GigabitEthernet0/1
ip address 10.55.55.1 255.255.255.0
ip access-group from-lan in
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!        
interface Vlan1
ip address 10.1.1.1 255.255.255.0
!        
interface Dialer1
no ip address
!        
ip forward-protocol nd
!     

AP Config

#########

version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap
!
enable secret 5 $1$i3vB$1j.itQzxK0z1k8Mvsu5DB.
!
no aaa new-model
!
!
dot11 syslog
!
dot11 ssid MTTWIFI
   vlan 1
   authentication open
   authentication key-management wpa
   guest-mode
   wpa-psk ascii 7 141317080909282E367963
!        
!        
!        
username Cisco password 7 072C285F4D06
!        
!        
bridge irb
!        
!        
interface Dot11Radio0
no ip address
no ip route-cache
!       
encryption vlan 1 mode ciphers tkip
!       
ssid MTTWIFI
!       
antenna gain 0
station-role root
!        
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!        
interface Dot11Radio1
no ip address
no ip route-cache
shutdown
antenna gain 0
no dfs band block
channel dfs
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!        
interface GigabitEthernet0
description the embedded AP GigabitEthernet 0 is an internal interface connecting AP with the host router
no ip address
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!        
interface BVI1
ip address 10.1.1.2 255.255.255.0
no ip route-cache
!        
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
!        
!        
!        
line con 0
no activation-character
line vty 0 4
login local
!        
end   

Leo Laohoo Tue, 06/22/2010 - 15:08

There are no sample configs for this device on the Cisco site.

Alot of people like to complain but doesn't want to take any action.  Either on the left-hand side or the lower-left hand side of the page is a Feedback option.  Cisco prides itself on it's vast array of documentations to support their clients.  Put your feedback in there and Cisco normally gets back to you within 4 hours.
nightbluefruit Tue, 06/22/2010 - 15:53

Did that. Got a 'Page not found' error when I submitted the form.

More:

http://www.cisco.com/cisco/web/psa/default/psasearch.html?q=1941w&task=default

A search of the Cisco Documentation of '1941w' returns 0 results.

This is also the only Cisco device that has ever been delivered to me without a console cable, which required me to drive to another office to pick one up.

Never, ever buying Cisco again.

Like I say, a €69 wifi device from PC World would have done the trick; instead I'm into my 3rd day with this scrap iron.

nightbluefruit Wed, 06/23/2010 - 15:38

4 hours?

24 hours later and no response from Cisco re. absence of documentation.

nightbluefruit Sat, 06/26/2010 - 05:02

So, I came into the office on Saturday morning in order to do all manner of trial and error testing without impacting on

users. After 3 hours I was finally able to come up with the working config given below. This involves 2 ip subnets: 10.55.55.1 for the wired lan, and 192.168.1.0 for the wifi lan. I had wanted to have both the wired and wifi lans use 10.55.55.0, but could get this to work. I'll take what I can at this stage.

Just one other point. A poster at the start of this thread recommended using the GUI to set this up. It appears that the GUI is only availble (or shall I say works) if the router is upgraded to Cisco Unified. Someone else will have to explain the logic of this.

So there you go. 10 Interfaces and about 24 man hours to set up a WIFI network using Cisco hardware.

Never again.


The Config:

*ONLY RELEVANT SECTIONS ARE INCLUDED*

THE PRIMARY ROUTER:

#THIS IS AN INTERNAL INT. NO CONFIG REQUIRED
interface Wlan-GigabitEthernet0/0
description Internal switch interface connecting to the embedded AP
!       

#YOUR MAIN WIRED EXTERNAL WLAN INT
interface GigabitEthernet0/0
ip address x.x.x.x 255.255.255.248
ip access-group to-lan in
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!

#THE FIDDLY INT FOR CONNECTING TO THE AP. THIS CAN HAVE ANY IP ADDRESS YOU WANT        
interface wlan-ap0
description Service module interface to manage the embedded AP
ip address 10.1.1.1 255.255.255.0
arp timeout 0
no mop enabled
no mop sysid
!
#YOUR MAIN WIRED INTERNAL LAN INT        
interface GigabitEthernet0/1
ip address 10.55.55.1 255.255.255.0
ip access-group from-lan in
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
#THIS INT ACTS AS 1 END OF THE BRIDGE BETWEEN YOUR PRIMARY ROUTER AND YOUR ACCESS POINT; NOTE NAT CONFIG        
interface Vlan1
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly

#TELLS YOUR ROUTER THAT IP ADDRESSES FROM BOTH THE WIRED AND WIFI LANS CAN USE NAT
ip access-list extended nat-list
permit ip 10.55.55.0 0.0.0.255 any
permit tcp 192.168.1.0 0.0.0.255 any

#END OF PRIMARY ROUTER CONFIG

#START OF EMBEDDED ACCESS POINT CONFIG

#THE AP IS GOING TO DO DHCP, SO SET IT UP; THE DEFAULT ROUTER IP SHOULD BE THAT OF INT VLAN1 ON THE PRIMARY ROUTER
ip dhcp excluded-address 192.168.1.1 192.168.1.10
!
ip dhcp pool LAN-POOL
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
   dns-server 10.55.55.82
   lease 7


#NEXT YOUR SSID SETUP, CONFIGURED FOR WPA CLIENT KEY AUTHENTICATION. YOU MUST HAVE guest-mode IN HERE FOR THE SSID TO BE VISIBLE TO SCANNING CLIENTS
dot11 ssid wmttdub02
   vlan 1
   authentication open
   authentication key-management wpa
   guest-mode
   wpa-psk ascii 7 143F33203F2C0B00080C1B140937343E3636637875607F2F30303272797B


#THIS IS NEEDED TO BRIDGE THE AP TO THE PRIMARY ROUTER
bridge irb
!        
!
#STARTS GETTING TRICKY NOW
#THIS INT IS THE 2.4MHZ RADIO INTERFACE. YOU HAVE TO SPECIFY THE ENCRYPTION HERE, AND SAY THAT THIS ENCRYPTION RELATES TO VLAN1. YOU ALSO HAVE TO SPECIFY THAT YOU WANT YOUR SSID TO BE AVAILABLE ON THIS INT. FINALLY, YOU NEED TO SAY THAT YOU WANT THIS INT TO BE A ROOT ACCESS POINT FOR CLIENTS        
interface Dot11Radio0
no ip address
no ip route-cache
!       
encryption vlan 1 mode ciphers tkip
!       
ssid wmttdub02
!       
antenna gain 0
speed  basic-1.0 basic-2.0 basic-5.5 basic-11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root access-point
!
#NEXT, A SUB INTERFACE, IN WHICH WE SAY WE BRIDGE INTO BRIDGE GROUP 1 WHICH LETS US ACCESS VLAN 1 ON THE WIRED LAN        
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!        
#THE 5.0MHZ RADIO INT. SHUTDOWN.
interface Dot11Radio1
no ip address
no ip route-cache
shutdown
antenna gain 0
no dfs band block
channel dfs
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
#NOT SURE ABOUT THIS ONE, BUT IT APPEARS TO BE INVOLVED IN BRIDGING        
interface GigabitEthernet0
description the embedded AP GigabitEthernet 0 is an internal interface connecting AP with the host router
no ip address
no ip route-cache
!        
#ANOTHER SUB INT REQUIRED HERE, I THINK TO BRIDGE THE RADIO INT BACK TO THE PRIMARY ROUTER
interface GigabitEthernet0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
#THE OTHER END OF THE BRIDGE BETWEEN YOUR AP AND THE PRIMARY ROUTER        
interface BVI1
ip address 192.168.1.2 255.255.255.0
no ip route-cache
!
#TELLS THE AP TO DO BRIDGING AND ROUTING, WHICH IS REQUIRED        
bridge 1 route ip

lbromirs Tue, 06/29/2010 - 13:11

OK, it seems the 1941W config is quite complicated at start.

The reality is, it's quite simple:

interface Wlan-GigabitEthernet0/0
description Internal switch interface connecting to the embedded AP

This is internal switch that connects all internal components together. In theory it would be able to reconnect the integrated WLAN ISM to any other port, but it seems it is hardcoded to be connected to GE0/0:

edge#sh platform mgf module
Registered Module Information
Code:   NR - Not Registered, TM - Trust Mode, SP - Scheduling Profile
        BL - Buffer Level, TR - Traffic Rate, PT - Pause Threshold

slot    vlan    type/ID         TM      SP      BL      TR      PT
----    ----    ----------      ------- ---     ------  -----   ----
ISM/WLA 1       Switch/4        UP      1       low     1000    high
EHWIC-0 NR
EHWIC-1 NR

While it is not obvious from this printout, it becomes apparent when you check for CDP neighbors:

edge#sh cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
edge             wlan-ap0           144         R S I     CISCO1941 wlan-ap0
edge-ap          Gig 0/0            127          T I      AP801AGN- Gig 0
tor-core         Gig 0/1            130         R S I     WS-C4948  Gig 1/34
tor-core         Gig 0/0            129         R S I     WS-C4948  Gig 1/1

Note that Gig0/0 of 'edge' (which is a router 1941W) seems to be connected both to switch (Catalyst 4948) AND the wlan-ap0 device which is a Aironet 801AGN AP (actually, an ISM module acting as AP).

For integrated WLAN AP to work in autonomous mode, where it uses two radios - dot11radio 0 which is 2.4GHz B/G/N capable, and dot11radio1 which is 5GHz A capable, it's elegant to create two bridge-groups, that are bridged over the Wlan-GigabitEthernet0/0 to GE0/0 to subinterfaces 'terminating' them in layer 3, providing IP via DHCP, etc.

Here's complete config of interesting parts:

router config

! this is DHCP part - the server will reside on router

service dhcp

ip dhcp excluded-address 192.168.20.0 192.168.20.9
ip dhcp excluded-address 192.168.21.0 192.168.21.9
!
ip dhcp pool WLAN_BGN_USERS
   network 192.168.20.0 255.255.255.0
   default-router 192.168.20.1
   dns-server 192.168.10.254
!
ip dhcp pool WLAN_A_USERS
   network 192.168.21.0 255.255.255.0
   default-router 192.168.21.1
   dns-server 192.168.10.254

!


! if you wish to transport traffic from both radios separately,

! you will need trunk on the internal intraface - we're using

! VLAN20 (bridge-group 20) and VLAN21 (bridge-group21)

!

! note that by default, all traffic is going over VLAN1

! (bridge-group 1) interface


interface Wlan-GigabitEthernet0/0
description Internal switch interface connecting to the embedded AP
switchport mode trunk ! this is the essential command

                                            ! if you wish to transport two VLANs


! this is internal interface - we choose GE0/0 as internal

! to not mess up WLAN traffic with external interface traffic


interface GigabitEthernet0/0

description LAN interface

ip address 192.168.10.1 255.255.255.0

ip nat inside


interface GigabitEthernet0/1
description INTERNET interface
ip address x.x.x.2 255.255.255.252


! this is interface for managing integrated AP - think about it as console

! connection that needs IP layer to function properly - the IP itself may come

! from any location

interface wlan-ap0
  description Service module interface to manage the embedded AP
  ip unnumbered gigabitethernet0/0


! those are interfaces terminating at L3 the bridge-groups from integrated AP


interface Vlan20
ip address 192.168.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Vlan21
ip address 192.168.21.1 255.255.255.0
ip nat inside


! note, that you need to create them also in local switch

! database to function correctly

! and the config is not visible in running configuration:

!

! edge(config)# vlan 20

! edge(config-vlan)# name WLAN_BGN

! edge(config)# vlan 21

! edge(config-vlan)# name WLAN_A

!

! this will end up in the output of following command:

! edge#sh  vlan-switch

!

! VLAN Name                             Status    Ports
! ---- -------------------------------- --------- -------------------------------
! 1    default                          active
! 20   WLAN_BGN                         active
! 21   WLAN_A                           active

!

! ...and on the flash0: filesystem when you save the config after changes:

!

! edge#dir flash0:
! Directory of flash0:/
!    1  -rw-    44907852  Jun 29 2010 17:09:56 +01:00  c1900-universalk9-mz.SPA.150-1.M2.bin
!    2  -rw-         720  Jun 29 2010 20:14:16 +01:00  vlan.dat

!


ip route 0.0.0.0 0.0.0.0 x.x.x.1

integrated AP config in autonomous mode

After connecting to the AP by doing 'service-module wlan-ap 0 session':

! note that we will use two SSIDs, one per each radio, both using

! WPA2 PSK mode - CHANGE THE PRESHARED KEYS!


dot11 ssid WLANA
   authentication open
   authentication key-management wpa
   guest-mode
   wpa-psk ascii testkeyA
!
dot11 ssid WLANBGN
   authentication open
   authentication key-management wpa
   guest-mode
   wpa-psk ascii Bkeytest


! we're doing integrated routing & bridging - where we can we route, else we bridge:


bridge irb


! now for the dot11radio 0, the one working in 2.4GHz frequency (802.11b/g/n)

! it will broadcast  SSID 'WLANBGN'

interface Dot11Radio0
description 802.11bgn radio
no ip address
no ip route-cache
!
encryption mode ciphers aes-ccm
!
broadcast-key change 3600
!
!
ssid WLANBGN
!
antenna gain 0
station-role root

no cdp enable
bridge-group 21
bridge-group 21 subscriber-loop-control
bridge-group 21 block-unknown-source
no bridge-group 21 source-learning
no bridge-group 21 unicast-flooding
bridge-group 21 spanning-disabled


! now for the dot11radio 1, the one working in 5GHz frequency (802.11a)

! it will broadcast SSID 'WLANA'


interface Dot11Radio1
description 802.11a radio
no ip address
no ip route-cache
!
encryption mode ciphers aes-ccm
!
ssid WLANA
!
antenna gain 0
no dfs band block
channel dfs
station-role root

no cdp enable
bridge-group 20
bridge-group 20 subscriber-loop-control
bridge-group 20 block-unknown-source
no bridge-group 20 source-learning
no bridge-group 20 unicast-flooding
bridge-group 20 spanning-disabled


! internal GE interface bridging traffic from/to 802.11a radio - we tag it with 802.1Q 20


interface GigabitEthernet0.20
description 802.11a bridge
encapsulation dot1Q 20
no ip route-cache
bridge-group 20
bridge-group 20 subscriber-loop-control
bridge-group 20 block-unknown-source
no bridge-group 20 source-learning
no bridge-group 20 unicast-flooding
bridge-group 20 spanning-disabled


! internal GE interface bridging traffic from/to 802.11b/g/n radio - we tag  it with 802.1Q 21


interface GigabitEthernet0.21
description 802.11bgn bridge
encapsulation dot1Q 21
no ip route-cache
bridge-group 21
bridge-group 21 subscriber-loop-control
bridge-group 21 block-unknown-source
no bridge-group 21 source-learning
no bridge-group 21 unicast-flooding
bridge-group 21 spanning-disabled
!

greatlakesskipper Sat, 07/31/2010 - 17:47

Good Day All;

Second Step on my upgrade project.

I have been managing a small ecommerce business for the last 5 years on a Linksys home wireless router. Now that I have over 14 office workstations and 6 networked printers, it was time to move a step up.

I purchased a CISCO 1941W ISR to take us into the next decade along with a managed CISCO switch. I presumed the 1941W, although robust with scalability, would provide the same, simple setup process as in the Linksys (Cisco) product or at least a simple 1-2-3 procedure to get the basic connections made. I was incorrect and now I find that I am having some difficulty negotiating to the internet over the new router.

I was able to obtain a base configuration from thread. Thanks to lbromirs for your great comments and simple bridging notes. The wireless is rockin' and reaching all my wireless devices in the house with proper encryptions. Also the DHCP server is humming to my workstations.

Jon Marshall was able to direct me down the right path on the access lists and helped me get a good ping, so I rewrote the access lists to permit any connections and attached that list to the outbound interface. However, something must be missing because now I cannot seem to touch the internet from the router.

Below I have included my config for review. I must have a gap somewhere that is preventing that final connection to the net. I appreciate any advice on this config.


Router setup in TEST
7/31/2010

Goal: Complete conection to the internet
Problem: Unable to conect to internet; Suspect access list or dns; Suspect WAN

subnet mask 255.255.255.0 is not compatible with LAN / WLAN subnet masks

255.240.0.0
Observations: In Process.

TEXT FROM HYPERTERMINAL CONNECTION TO CONSOLE:


User Access Verification

Username: admin
Password:

TESTROUTER>enable
Password:
TESTROUTER#ping 8.8.8.8

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

TESTROUTER#ping www.yahoo.com

Translating "www.yahoo.com"...domain server (209.18.47.62) (209.18.47.61)

(8.8.8.8) (8.8.4.4)
% Unrecognized host or address, or protocol not running.

TESTROUTER#show ip route
Default gateway is not set

Host               Gateway           Last Use    Total Uses  Interface
ICMP redirect cache is empty


TESTROUTER#show ip interface brief
Interface                  IP-Address      OK? Method Status                Prot
ocol
Wlan-GigabitEthernet0/0    unassigned      YES unset  up                    up

GigabitEthernet0/0         10.1.1.1        YES NVRAM  up                    up

wlan-ap0                   10.1.1.1        YES TFTP   up                    up

GigabitEthernet0/1         192.168.1.103   YES NVRAM  up                    up

NVI0                       10.1.1.1        YES unset  up                    up

Vlan1                      unassigned      YES NVRAM  up                    up

Vlan20                     172.16.20.1     YES NVRAM  up                    up

Vlan21                     unassigned      YES NVRAM  up                    up


TESTROUTER#show derived-config
Building configuration...

Derived configuration : 2646 bytes
!
! Last configuration change at 19:12:11 CST Sat Jul 31 2010
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname TESTROUTER
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
enable password xxxxxxxxxxxxxxxxxxx
!
no aaa new-model
memory-size iomem 10
clock timezone CST -5
service-module wlan-ap 0 bootimage autonomous
!
no ipv6 cef
ip source-route
no ip routing
ip icmp rate-limit unreachable 2000
ip icmp rate-limit unreachable DF 2000
no ip cef
!
!
ip dhcp excluded-address 172.16.20.0 172.16.20.9
ip dhcp excluded-address 172.16.21.0 172.16.21.9
ip dhcp excluded-address 10.1.1.0 10.1.10.255
ip dhcp excluded-address 10.0.0.0 10.1.10.255
!
ip dhcp pool WLAN_BGN_USERS
   network 172.16.0.0 255.240.0.0
   default-router 172.16.20.1
   dns-server 172.16.10.254
!
ip dhcp pool WLAN_A_USERS
   default-router 172.16.21.1
   dns-server 172.16.10.254
!
ip dhcp pool TESTpool
   network 10.0.0.0 255.240.0.0
   domain-name TESTOFFICE.COM
   dns-server 209.18.47.61
   default-router 10.1.1.1
   lease 0 18
!
!
ip name-server 209.18.47.62
ip name-server 209.18.47.61
ip name-server 8.8.8.8
ip name-server 8.8.4.4
multilink bundle-name authenticated
!
!
!
license udi pid CISCO1941W-A/K9 sn xxxxxxxxxxxxxxxxxxxxxxx
hw-module ism 0
!
!
!

!
interface Wlan-GigabitEthernet0/0
description Internal switch interface connecting to the embedded AP
switchport mode trunk
!
interface GigabitEthernet0/0
description LAN interface
ip address 10.1.1.1 255.240.0.0
ip access-group 101 in
ip access-group 101 out
ip nat inside
ip virtual-reassembly
no ip route-cache
duplex auto
speed auto
no mop enabled
!
interface wlan-ap0
description Service module interface to manage the embedded AP
ip unnumbered GigabitEthernet0/0
no ip route-cache
arp timeout 0
no mop enabled
no mop sysid
!
interface GigabitEthernet0/1
description INTERNET interface
ip address 192.168.1.103 255.255.255.0
ip access-group 101 in
ip access-group 101 out
no ip route-cache
duplex auto
speed auto
!
interface Vlan1
no ip address
no ip route-cache
!
interface Vlan20
ip address 172.16.20.1 255.240.0.0
ip nat inside
ip virtual-reassembly
!
interface Vlan21
no ip address
ip nat inside
ip virtual-reassembly
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line 67
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
line vty 0 4
password test3
login
!
scheduler allocate 20000 1000
end

Thanks for all the help from the community.

Daniel

csco10865546 Mon, 11/22/2010 - 05:09

Can Someone help have a look at why i cant get on the internet as a wireless user on the 1941W Router while i can from the Wired Lan.

I have configured with the instruction on this post.

I can scan and connect successfully to the Access Point and obtain a dynamic ip address but can t browse the internet.

Below are the configs from the router and the access point.

Regards,

Cole

STV-REMOTE-1941-01#sh run

!

!

service-module wlan-ap 0 bootimage autonomous

!

no ipv6 cef

no ip source-route

ip cef

!

!

ip dhcp excluded-address 10.106.3.1 10.106.3.2

!

ip dhcp pool LAN-USERS

   network 10.106.3.0 255.255.255.0

   dns-server 4.2.2.3

   default-router 10.106.3.1

!

!

!

interface Wlan-GigabitEthernet0/0

description Internal switch interface connecting to the embedded AP

!

!

interface GigabitEthernet0/0

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

duplex auto

speed auto

no mop enabled

!

!

interface wlan-ap0

description Service module interface to manage the embedded AP

ip address 10.1.1.1 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

arp timeout 0

no mop enabled

no mop sysid

!

!

interface GigabitEthernet0/1

description $ES_LAN$

ip address 10.106.3.1 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip nat inside

ip virtual-reassembly

duplex auto

speed auto

no mop enabled

!

!

interface ATM0/0/0

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

shutdown

no atm ilmi-keepalive

!

!

!

!

interface Vlan1

ip address 192.168.1.1 255.255.255.0

ip flow ingress

ip nat inside

ip virtual-reassembly

bridge-group 1

!

!

!

!

!

ip forward-protocol nd

!

ip http server

ip http authentication local

ip http secure-server

!

ip nat service enable-sym-port

ip nat inside source list 15 interface Dialer2 overload

ip route 0.0.0.0 0.0.0.0 Dialer2

!

logging trap debugging

access-list 2 permit any

access-list 15 permit 10.106.3.0 0.0.0.255

access-list 15 permit 192.168.1.0 0.0.0.255

dialer-list 2 protocol ip permit

!

!

!

!

!

!

control-plane

!

!

!

STV-REMOTE-1941-01#service-module wlan-ap 0 session

Trying 10.1.1.1, 2067 ...

% Connection refused by remote host

STV-REMOTE-1941-01#

[Resuming connection 1 to 10.1.1.1 ... ]

ap#sh run

Building configuration...

Current configuration : 2337 bytes

!

version 12.4

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname ap

!

enable secret 5 xxxxxxxxx

!

no aaa new-model

no ip dhcp use vrf connected

ip dhcp excluded-address 192.168.1.1 192.168.1.10

!

ip dhcp pool WLAN-USERS

   network 192.168.1.0 255.255.255.0

   default-router 192.168.1.1

   dns-server 4.2.2.3

   lease 7

!

!

dot11 syslog

!

dot11 ssid STV-REMOTE-1941

   vlan 1

   authentication open

   authentication key-management wpa

   guest-mode

   wpa-psk ascii 7 032569333E01714279582B2033021807500F1E

!

!

!

username xxxxx privilege 15 password 7 14201B071F0C793977

!

!

bridge irb

!

!

interface Dot11Radio0

description 802.11bgn radio

no ip address

no ip route-cache

!

!

encryption vlan 1 mode ciphers aes-ccm

!

broadcast-key change 3600

!

!

ssid STV-REMOTE-1941

!

antenna gain 0

speed  basic-1.0 basic-2.0 basic-5.5 basic-11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0

station-role root access-point

!

interface Dot11Radio0.1

encapsulation dot1Q 1 native

no ip route-cache

bridge-group 1

bridge-group 1 subscriber-loop-control

bridge-group 1 block-unknown-source

no bridge-group 1 source-learning

no bridge-group 1 unicast-flooding

!

interface Dot11Radio1

no ip address

no ip route-cache

shutdown

antenna gain 0

no dfs band block

channel dfs

station-role root

bridge-group 1

bridge-group 1 subscriber-loop-control

bridge-group 1 block-unknown-source

no bridge-group 1 source-learning

no bridge-group 1 unicast-flooding

bridge-group 1 spanning-disabled

!

interface GigabitEthernet0

description the embedded AP GigabitEthernet 0 is an internal interface connecting AP with the host router

no ip address

no ip route-cache

!

interface GigabitEthernet0.1

encapsulation dot1Q 1 native

no ip route-cache

bridge-group 1

bridge-group 1 subscriber-loop-control

bridge-group 1 block-unknown-source

no bridge-group 1 source-learning

no bridge-group 1 unicast-flooding

bridge-group 1 spanning-disabled

!

interface BVI1

ip address 192.168.1.2 255.255.255.0

no ip route-cache

!

ip http server

no ip http secure-server

ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag

bridge 1 route ip

!

!

!

line con 0

no activation-character

line vty 0 4

login local

!

end

ap#

surbg Mon, 11/22/2010 - 07:08

if the clients are getting the IP address and not able to go out to the internet.. then it looks like a routing issue for me... from the client are u able to ping the Default gateway?? and Fro mthe DG are we able to ping the client??  try pinding 4.2.2.2 ?? instead of typing WWW.GOOGLE.COM , try accessing the IP address of website or Google.com..

Looking forward to hear from you!!

Regards

Surendra

csco10865546 Mon, 11/22/2010 - 07:24

It could be a routing issue but dont know how to sort it cos of the embedded access point ,switch and router configs on this 1941.

I am able to ping 192.168.1.2 which is the BVI interface on the Access point but not the 192.168.1.1 which is the inetrface vlan 1 configured on the main router.

So i pretty much think it is a misconfiguration about the access point communicating with the main router which has the internet config.

I can't ping the host name or ip address from the wireless client.

The wired clients can browse well so it is the wireless client being able to get the route to the internet via the main router that is the issue here.

surbg Mon, 11/22/2010 - 07:36

on the router.. under the WLAN-AP 0 interface.. configure it as "ip unnumbered VLAN 1" and see if we are able to go out to the internet..

Regards
Surendra

csco10865546 Mon, 11/22/2010 - 07:41

Yeah thanks ,just tried that but i am still unable to get to the internet from the wireless client.

Cheers,

Cole

surbg Mon, 11/22/2010 - 07:45

on the client manually configure the DNS as 4.2.2.3 and see if we are able to ping..

Regards
Surendra

csco10865546 Mon, 11/22/2010 - 07:48

I have tried that and unable to ping 4.2.2.3 or any other public ip address.

surbg Mon, 11/22/2010 - 07:58

I can see that the DHCP pool is on the AP module.. Point the Default route to BVI 1 Ip.. that is.. default router 192.168.1.2 under the DHCP pool.. on the router, configure wlan-gig 0/0 as a trunk wilth natibe vlan 1 and try once..

Regards

Surendra

csco10865546 Mon, 11/22/2010 - 08:10

Just did that but same thing :

added 192.168.1.2 as the default router  instead of 192.168.1.1 under the dhcp pool

and added switchport mode trunk on the int wlan-g0/0 and vlan-id dot1q 1(native vlan)

I released and renewed the ipconfig on the PC and it acquires 192.168.1.2 as the default router but It still doesn't browse.

Rgds,

Cole

surbg Mon, 11/22/2010 - 08:25

wat about the ping from the DG or the ping to the client from the DG?

Regard

Surendra

surbg Mon, 11/22/2010 - 08:32

oops sorry.. its Default Gateway.. on the AP module.. configure the default gateway to VLAN 1 IP as well..

Regards
Surendra

JohnHeller_2 Wed, 04/13/2011 - 22:55

Hi,

Im no expert but I can usually fix cisco problems.

There is an obvious hint from your printout:-

TESTROUTER#show ip route
Default gateway is not set

Without a default route set to direct traffic out of the port connecting you the the internet, you will not be able to ping or access internet sites from LAN/WLAN connected devices.

Looking at your situation you internet is connected to GigEthernet 0/1

interface GigabitEthernet0/1
description INTERNET interface
ip address 192.168.1.103 255.255.255.0
ip access-group 101 in
ip access-group 101 out
no ip route-cache
duplex auto
speed auto

So you will need a command like

IP Route 0.0.0.0 0.0.0.0 192.168.1.103

to make things work for you.

Also you will need

bridge 1 route IP

All the best and post any updates to your configs that are working.

JohnHeller_2 Wed, 04/13/2011 - 22:25

Thanks for this posting. From the limited number of configs that are on cisco and other websites, its probably the most readable.

I bought a Cisco 1941W for my company several months ago and expected to have it up and running by now.

I usually have little problem setting up Cisco routers, using a combination of the GUI for initial configs and command line for fine tuning.

The 1941W wasn't anywhere near as easy.

Things I found when using this config was that the commands from a running config may need to be manually entered in a diffenent order.

Sometimes you can't define a part of a config ie VLANS without some other commands first.

I think this config you published has been cut and pasted in sections and the the order of the commands is wrong.

The information that you printed regarding setting up the VLAN definitions on the switchport are atually typed into the "interface wlan-gigabitethernet 0/0" part of the config, which was confusing in the attached config.

This is a ciritical part of the config. Before I set this up the SSID's were visable and you could connect to them, but the connecting laptop could not get an IP address from the DHCP service as there was no connectivity between the router and AP for data to flow.

At my site I am using an ADSL module rather than interface gigabit ethernet 0/1 for internet connectivity.

This doesn't affect much except the default route command is now "ip route 0.0.0.0 0.0.0.0 Dialer0"

I would like to have a mixture of public and private SSID definitions on this router.

I would like an "A" and a "BGN" cell for public access, ie no access to the office LAN via gigethernet 0/0", and at least one private cell which would have tighter security and office LAN access.

I will post my config in a week or two when the unit is installed and settled in so that others can benefit from the many frustrating hours I have spent.

I really wish Cisco could have spent $5 more on the design of the unit and provided a seperate serial/usb port that directly connects to the Wireless AP module. Would it really have been that hard?

Another thing that should be published is an exact guide to blow away the config of both the router and the AP module back to factory defaults. After a 2 month break in configuring the unit, i had lost track of the changes I had made and wanted to start from scratch.

The "factory" config and the default config that you get when starting up the unit the the config-register set to 0x2142 are not quite the same. For a start there is no cisco/cisco user in the config, so to be able to talk to the CCP program you will need to take a few extra steps. Also the default (not factory) config has no IP address on any ethernet port.

To be able to view and configure the unit using CCP, take the following steps after setting it back to defaults:-

1)     You will need to set a fixed IP address on gigethernet port 0/0. Don't forget to do a "no shutdown" command on the port to activate it.

2)     You will need to make a level 15 user. ie username admin priv 15 password xxxxxxxx

3)     You will need to turn on either the HTTP or secure HTTP server.

kiandrass Mon, 12/13/2010 - 22:00

I've got a similar issue to what's discussed on here but the solutions don't work or dont' "fit"..

What i want is the wireless clients on the AP to be on the same vlan/subnet as G0/0 (LAN). Lan subnet is 10.0.0.0/24

I'm essentially trying to replicate the config of what we've got at other sites, typically a router and a seperate access point, on the same vlan/subnet/network using a router (say 877, 1841 or 28xx) + access point (say 114x or 124x).

The issue i suspect is the "link" between the AP and the router (the "switch").

Router IP is 10.0.0.1, AP IP is 10.0.0.10. I can't even ping between the router & the AP.....

Here's the parts of the config's that matter.

ROUTER:

ip dhcp pool lan
   network 10.0.0.0 255.255.255.0
   dns-server 8.8.8.8
   default-router 10.0.0.1

interface Wlan-GigabitEthernet0/0
description Internal switch interface connecting to the embedded AP
switchport mode trunk
!
!
interface GigabitEthernet0/0
description Physical connection to LAN
ip address 10.0.0.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
no mop enabled
bridge-group 1
!
!
interface wlan-ap0
description Service module interface to manage the embedded AP
ip unnumbered GigabitEthernet0/0

interface Vlan1
ip unnumbered GigabitEthernet0/0
no ip redirects
ip flow ingress
bridge-group 1

ACCESS POINT:

dot11 ssid MYSSID
   vlan 1
   authentication open
   authentication key-management wpa
   mbssid guest-mode
   wpa-psk ascii MYKEY

interface Dot11Radio0
no ip address
no ip route-cache
!
encryption vlan 1 mode ciphers tkip
!
ssid MYSSID
!
antenna gain 0
mbssid
station-role root
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio1
no ip address
no ip route-cache
!
encryption vlan 1 mode ciphers tkip
!
ssid MYSSID
!
antenna gain 0
no dfs band block
mbssid
channel dfs
station-role root

interface Dot11Radio1.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface GigabitEthernet0
description  the embedded AP GigabitEthernet 0 is an internal interface connecting AP with the host router
no ip address
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface GigabitEthernet0.1
no ip route-cache
!
interface BVI1
ip address 10.0.0.10 255.255.255.0
no ip route-cache

JohnHeller_2 Wed, 04/13/2011 - 23:06

From what I can see from others configs and the one I have just about finalised on my router, you need to setup the

"switch" that connects between the AP and Router, particularly as the part of the config you have copied has vlan trunking commands.

interface Dot11Radio0.1
encapsulation dot1Q 1 native

Use

interface Wlan-gigabitethernet 0/0

     description Internenal Switch

     switchport mode trunk

     switchport vlan 1

If you don't need both radios, don't want to be able to control traffic individually etc you can make the link between the AP and router a lot simpler.

leciscokid Wed, 08/01/2012 - 17:20

I have configured literally hundreds of these, as well as simple autonomous APs, and Cisco UC520 / 540's

For whatever reason, I just got a new 1941w, running 15.1(T) mainline code, and no matter what, if I shutdown VLAN 1 and attempt to use an alternate VLAN and BVI ID, the device will not work. If I apply the same config, using VLAN 1, as the device is out of the box, it works fine.

Is there some known caveat or bug around using other than VLAN 1 ?

Mary.Ghabrai Wed, 08/22/2012 - 10:02

yes you need to make sure that int Wlan-GigabitEthernet0/0 is added as an access port to that new vlan you are creating. i had the same problem.

Mary.Ghabrai Wed, 08/22/2012 - 10:07

Hi Surendra,

I have a question for you.

using this forum i could configure the wireless router. i can connect and get to the outside world but when i try using the vpn to connect to work network, the vpn fails. what am i missing. is there any vpn-pass through i have to configure?

Do you have any suggestions for me?

Thanks,

Mary

leciscokid Mon, 09/17/2012 - 15:53

Mary, did you get this working ?

I'm not sure about your whole config but are you originating a client to lan session or a lan to lan or easy-VPN from the 1941 ? Your post isn't clear. I assume since you asked about pass-thru that you're dealing with a client to a remote VPN termination.

If you're doing NAT by default on the 1941 you'll need to enable NAT-Traversal on the VPN server end. If the 1941 is your edge device, you'll need to support NAT-T in order to do IPSEC through a NAT device.

The other option is to create a static NAT entry in the config, for the host you're going to be VPN from, and create a DHCP exclusion for that address so no other host gets that IP.

You should be able to go to the other end of the tunnel, and debug ISAKMP to see if Phase-1 or Phase-2 is the issue. Usually, the issue with NAT will show up in the log or debug "host is behind NAT". . .  etc.

Mary.Ghabrai Tue, 09/18/2012 - 11:14

leciscokid,

Thank you for your reply. No I'm still dealing with this issue and I could not get it to work which is really embarrassing.

Yes the wireless router is on edge. connects to the ISP on one interface (external ip and next hop is the ISP) and does not connect to any internal lan devices.

as a wireless client when i connect to it i'd get to a private ip using nat i'd get translated to the external ip of that external interface. so i can reach outside fine. i can see the nat translations and everything.

we want to be able to connect to our vpn which is another external address but it times out.

i have an access list which allows everything from wireless range

access-list 101 permit ip 172.16.80.0 0.0.0.255 any

and this is the nat i use

ip nat inside source list 101 interface GigabitEthernet0/0 overload

the vpn is a pptp vpn to another vpn router (cisco 2851), as this router is doing a lot more vpn already debuging ISAKMP shows a lot of logs, not sure how to grep what im looking for.

could u explain how do i check for nat-traversal on the vpn router? or the other option u suggested for me to be able to have a static nat for just one ip'? how would that help?

again thanks for the help and please let me know if u wanted me to post any parts of my configuration. i have three of these wireelss routers with the same issue on all three.

Thanks,

Mary

Actions

Login or Register to take actions

This Discussion

Posted June 21, 2010 at 7:04 AM
Stats:
Replies:40 Avg. Rating:3.83333
Views:37946 Votes:0
Shares:0
Tags: No tags.

Discussions Leaderboard