871 wireless setup

May 26th, 2006

I am trying to get an 871 soho router wireless connections to work.

The SDM is useless.

I have tried to find docs on how and why and what to do - but no luck.

Been at this for a week. Got the DSL and fw parts working, but not wireless.

I have an Authentication Open setup - guest-mode enabled.

So I should be pretty wide open for connections.

I can see the SSID on a client PC, but cannot connect.

I'm running DHCP to clients

--------------------

config below

--------------------

bridge irb

!

interface FastEthernet4

description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

ip route-cache flow

duplex auto

speed auto

pppoe enable

pppoe-client dial-pool-number 1

no cdp enable

!

interface Dot11Radio0

no ip address

!

ssid 1138

vlan 1

authentication open

guest-mode

!

speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0

station-role root

no cdp enable

bridge-group 1

bridge-group 1 spanning-disabled

!

interface Vlan1

description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$

ip address 192.168.0.109 255.255.255.0

ip access-group 102 in

ip nat inside

ip virtual-reassembly

!

interface Dialer1

description $FW_OUTSIDE$

mtu 1492

ip address negotiated

ip access-group 103 in

ip inspect DEFAULT100 out

ip nat outside

ip virtual-reassembly

encapsulation ppp

dialer pool 1

no cdp enable

ppp authentication pap callin

ppp pap sent-username xxxxxx@xxxxxx.net password xxx

ppp ipcp dns request accept

!

ip classless

ip route 0.0.0.0 0.0.0.0 Dialer1

!

ip http timeout-policy idle 5 life 86400 requests 10000

ip nat inside source list 1 interface Dialer1 overload

!

logging trap debugging

access-list 1 remark INSIDE_IF=BVI1

access-list 1 remark SDM_ACL Category=2

access-list 1 permit 192.168.0.0 0.0.0.255

access-list 100 remark auto-generated by Cisco SDM Express firewall configuration

access-list 100 remark SDM_ACL Category=1

access-list 100 deny ip host 255.255.255.255 any

access-list 100 deny ip 127.0.0.0 0.255.255.255 any

access-list 100 permit ip any any

access-list 101 remark auto-generated by Cisco SDM Express firewall configuration

access-list 101 remark SDM_ACL Category=1

access-list 101 deny ip 192.168.0.0 0.0.0.255 any

access-list 101 permit icmp any any echo-reply

access-list 101 permit icmp any any time-exceeded

access-list 101 permit icmp any any unreachable

access-list 101 deny ip 10.0.0.0 0.255.255.255 any

access-list 101 deny ip 172.16.0.0 0.15.255.255 any

access-list 101 deny ip 192.168.0.0 0.0.255.255 any

access-list 101 deny ip 127.0.0.0 0.255.255.255 any

access-list 101 deny ip host 255.255.255.255 any

access-list 101 deny ip host 0.0.0.0 any

access-list 101 deny ip any any

access-list 102 remark auto generated by SDM firewall configuration

access-list 102 remark SDM_ACL Category=1

access-list 102 deny ip host 255.255.255.255 any

access-list 102 deny ip 127.0.0.0 0.255.255.255 any

access-list 102 permit ip any any

access-list 103 remark auto generated by SDM firewall configuration

access-list 103 remark SDM_ACL Category=1

access-list 103 deny ip 192.168.0.0 0.0.0.255 any

access-list 103 permit icmp any any echo-reply

access-list 103 permit icmp any any time-exceeded

access-list 103 permit icmp any any unreachable

access-list 103 deny ip 10.0.0.0 0.255.255.255 any

access-list 103 deny ip 172.16.0.0 0.15.255.255 any

access-list 103 deny ip 192.168.0.0 0.0.255.255 any

access-list 103 deny ip 127.0.0.0 0.255.255.255 any

access-list 103 deny ip host 255.255.255.255 any

access-list 103 deny ip host 0.0.0.0 any

access-list 103 deny ip any any log

dialer-list 1 protocol ip permit

no cdp run

!

control-plane

!

bridge 1 protocol ieee

bridge 1 route ip

!

scheduler max-task-time 5000

scheduler allocate 4000 1000

scheduler interval 500

end

a.hajhamad Tue, 05/30/2006 - 08:01

The following commands will config wireless access using pre-shared key:

!

interface Dot11Radio0

no ip address

!

! Encryption mode for WPA since WPA2 is not supported at Cisco 800 integrated routers

encryption mode ciphers tkip

!

! SSID name

ssid Free

authentication open

authentication key-management wpa

guest-mode

! the pre-shared key that will be used for users who connect using wireless

wpa-psk ascii 0 Cisco123

!

I hope to be helpful!

Please rate if it does!

Regards

Abd Alqader

frankm@mallardc... Tue, 05/30/2006 - 08:57

Thanks, I'll keep this for when I get to the security part. Right now I am just trying to get a wireless client connected. That's why I left the encryption / auth open, so I can start simple and once I get the connectivity working, I can add things. I can see the ssid broadcast but cannot connect.

frankm@mallardc... Thu, 06/01/2006 - 04:16

Two different machines - one is a usr pcmcia on a dell (winXP) and the other is a broadcom internal on a compaq (winXP)

a-bekerman Thu, 06/01/2006 - 08:33

I have the same problem with connectivity. I can see SSID, but unable to get ip address from DHCP pool.

frankm@mallardc... Fri, 06/02/2006 - 04:42

I think ??? it has something with the bridge-group and the bvi. But I can't get ANY descriptions of what does what and fits where. It seems that the BVI allows communication between routed (wan) and bridged (internal) topologies. The problem is: what to plug in and where and what else do I hose.

frankm@mallardc... Thu, 06/01/2006 - 04:08

Yep - no BVI - whatever that is. It was there when I called cisco tech support and was gone after he got out. I am finding VERY little info on how to configure this device. I can navigate the cli, but the pieces are greek to me. I see a lot of articles showing the config - but not what should be done and why.

drummond.r Fri, 06/02/2006 - 06:36

I think, if you move the commands from your vlan 1 interface, and put them in a bvi interface, that should take care of it. Just do this from the config prompt.

int bvi1

(then just take the commands off of interface vlan 1 and put them in bvi1)

Correct Answer
Stephen Rodriguez Sat, 06/03/2006 - 13:35

interface Dot11Radio0

no ip address

!

ssid 1138

no vlan 1

!

interface Vlan1

no ip address 192.168.0.109 255.255.255.0

no ip nat inside

bridge-group 1

!

interface BVI 1

ip address 192.168.0.109 255.255.255.0

ip nat inside

!

end

Cut these commands in. I'll assume that you are doing DHCP from a server and not the router. If you wish to use the router, you'll need to configure a DHCP pool.
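The fix in the answer above, expressed as a check (an added example, not part of the original post): it flags a bridge group that has no BVI carrying the IP address or that has only one member, which is the state of the question's config. It assumes IOS-style indentation under each interface; the function names and the sample strings are constructed for illustration.

```python
import re

def parse_blocks(config):
    """Map each top-level config line to the indented lines beneath it."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line and line != "!":
            if raw[0].isspace() and current:
                blocks[current].append(line)
            else:
                current = line
                blocks.setdefault(current, [])
    return blocks

def audit_irb(config):
    """List reasons a bridge group cannot reach the routed side via its BVI."""
    blocks = parse_blocks(config)
    members, has_ip, findings = {}, {}, []
    for head, body in blocks.items():
        if head.startswith("interface "):
            name = head.split(None, 1)[1].replace(" ", "")  # "BVI 1" -> "BVI1"
            has_ip[name] = any(ln.startswith("ip address ") for ln in body)
            for group in re.findall(r"^bridge-group (\d+)$", "\n".join(body), re.M):
                members.setdefault(group, []).append(name)
                if has_ip[name]:
                    findings.append(f"{name}: bridged but still has an IP address")
    for group, names in sorted(members.items()):
        for needed in ("bridge irb", f"bridge {group} route ip"):
            if needed not in blocks:
                findings.append(f"bridge-group {group}: '{needed}' missing")
        if not has_ip.get(f"BVI{group}"):
            findings.append(f"bridge-group {group}: no BVI{group} with an IP address")
        if len(names) < 2:
            findings.append(f"bridge-group {group}: only member is {names[0]}")
    return findings

# Constructed samples modelled on the question's config, before and after the fix.
BROKEN = """bridge irb
interface Dot11Radio0
 no ip address
 ssid 1138
 bridge-group 1
 bridge-group 1 spanning-disabled
interface Vlan1
 ip address 192.168.0.109 255.255.255.0
bridge 1 route ip
"""
FIXED = BROKEN.replace(" ip address 192.168.0.109 255.255.255.0", " no ip address\n bridge-group 1")
FIXED += "interface BVI 1\n ip address 192.168.0.109 255.255.255.0\n"
```

Calling `audit_irb(BROKEN)` reports the missing BVI1 and the single-member bridge group; `audit_irb(FIXED)` returns an empty list.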

frankm@mallardc... Sun, 06/04/2006 - 12:44

WOO HOO !!!!!!!!!!!

Thanks to everyone for your help. I have pppoe connection, dns resolution, wireless connectivity, wired lan connectivity and encryption flying. Kinda like pulling teeth from a duck, but works. My last thing is mac filtering, but that should be relatively easy.

Hey - again thanks. The config in the replied-to post got me almost all the way there.

Remember - for every item that you learn - it exposes 5 more things you didn't know that you didn't know. Therefore I am getting more and more incompetent.

clausonna Tue, 06/06/2006 - 19:47

You could also just give the radio interface its own IP address and make it a routed subnet. Skip the bvi config entirely. Just make sure to create an appropriate DHCP scope for it, and add subnet to any NAT rules or ACLS. The benefit here is that, among a lot of other things, you could apply QoS differently for wireless, different ACLs, and could even (depending on your setup) create a 'guest' SSID that routes directly out to the Internet.

interface Dot11Radio0

description wireless internal net

ip address 192.168.2.1 255.255.255.0

! ip helper will forward DHCP broadcasts from

! the wireless subnet to a server on the wired subnet

! not necessary if using IOS DHCPD

ip helper-address 192.168.1.2

ip nat inside

ip virtual-reassembly

!

ssid private

authentication open

!

speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0

station-role root

!

interface Vlan1

description wired internal network

ip address 192.168.1.1 255.255.255.0

ip nat inside

vpn#show ip route connected

200.100.17.0..0/30 is subnetted, 1 subnets

C 200.100.17.16 is directly connected, FastEthernet4

C 192.168.1.0/24 is directly connected, Vlan1

C 192.168.2.0/24 is directly connected, Dot11Radio0

192.168.3.0/32 is subnetted, 1 subnets

C 192.168.3.1 is directly connected, Loopback1

mirosmanali Tue, 06/20/2006 - 07:50

I hope this may help you, note that in this scenario the DHCP was configured from the server, if your setup is not the same then you have to define the DHCP scope on the AP.

Current configuration : 1823 bytes

!

version 12.3

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname AP_NAME

!

enable secret xxx

!

ip subnet-zero

ip domain name somecompany.com.sa

ip name-server [DNS Primary IP]

ip name-server [DNS Secondary IP]

!

!

no aaa new-model

!

dot11 ssid CORE_AP_HG4_01

vlan 2

authentication open

guest-mode

!

!

!

username Cisco password xxxxxxxx

!

bridge irb

!

!

interface Dot11Radio0

bandwidth 55296

no ip address

no ip route-cache

!

encryption vlan 2 key 1 size 40bit xxx transmit-key

encryption vlan 2 mode wep mandatory

!

ssid AP_ITDPT

!

speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0

station-role root

!

interface Dot11Radio0.2

encapsulation dot1Q 2 native

no ip route-cache

bridge-group 1

bridge-group 1 subscriber-loop-control

bridge-group 1 block-unknown-source

no bridge-group 1 source-learning

no bridge-group 1 unicast-flooding

bridge-group 1 spanning-disabled

!

interface FastEthernet0

no ip address

no ip route-cache

duplex auto

speed auto

!

interface FastEthernet0.2

encapsulation dot1Q 2 native

no ip route-cache

bridge-group 1

no bridge-group 1 source-learning

bridge-group 1 spanning-disabled

!

interface BVI1

ip address 10.80.12.224 255.255.255.0

no ip route-cache

!

ip default-gateway 10.10.10.115 {Cisco Switch IP Address}

ip http server

no ip http secure-server

ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag

!

!

control-plane

!

bridge 1 route ip

!

!

!

line con 0

transport preferred all

transport output all

line vty 0 4

login local

transport preferred all

transport input all

transport output all

line vty 5 15

login

transport preferred all

transport input all

transport output all

!

end

Best of Luck

d16lee@yahoo.ca Thu, 09/20/2007 - 05:51

Hello,

Just want to add my working version to the pool. What's posted here did not work for me, but the thread was very helpful.

Also helpful was this link:

http://www.velocityreviews.com/forums/t295238-cisco-871-wireless-setup-questions.html

Mine is a 877 Wireless with Adv Security - only 1 VLAN allowed.

hostname

!

boot-start-marker

boot system flash:/c870-advsecurityk9-mz.124-4.T7.bin

boot-end-marker

!

logging buffered 51200 warnings

!

no aaa new-model

!

ip cef

no ip dhcp use vrf connected

ip dhcp excluded-address

ip dhcp excluded-address

ip dhcp excluded-address

ip dhcp excluded-address

!

ip dhcp pool

network

dns-server

default-router

!

!

no ip domain lookup

ip domain name

!

!

bridge irb

!

!

interface ATM0

no ip address

no ip mroute-cache

no atm ilmi-keepalive

pvc 0/38

encapsulation aal5mux ppp dialer

dialer pool-member 1

!

dsl operating-mode auto

!

interface FastEthernet0

switchport mode trunk

speed 100

!

interface FastEthernet1

switchport mode trunk

speed 100

!

interface FastEthernet2

switchport mode trunk

speed 100

!

interface FastEthernet3

switchport mode trunk

speed 100

!

interface Dot11Radio0

no ip address

no ip route-cache cef

no ip route-cache

!

encryption vlan 1 mode ciphers tkip

!

ssid

vlan 1

authentication open

authentication key-management wpa

guest-mode

wpa-psk

!

speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0

station-role root

!

interface Dot11Radio0.1

encapsulation dot1Q 1 native

no ip route-cache

no snmp trap link-status

no cdp enable

bridge-group 1

bridge-group 1 subscriber-loop-control

bridge-group 1 spanning-disabled

bridge-group 1 block-unknown-source

no bridge-group 1 source-learning

no bridge-group 1 unicast-flooding

!

interface Vlan1

no ip address

no ip redirects

no ip proxy-arp

ip virtual-reassembly

ip route-cache flow

bridge-group 1

!

interface Dialer1

ip address negotiated

ip mtu 1492

ip nat outside

ip virtual-reassembly

encapsulation ppp

dialer pool 1

dialer-group 1

no cdp enable

ppp authentication chap callin

ppp chap hostname

ppp chap password

!

interface Dialer0

no ip address

no cdp enable

!

interface BVI1

ip address INSIDE DATA LAN ADDRESS

no ip redirects

no ip proxy-arp

ip nat inside

ip virtual-reassembly

!

ip classless

ip route 0.0.0.0 0.0.0.0 Dialer1

!

ip http server

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

ip nat inside source route-map RMAP_1 interface Dialer1 overload

!

dialer-list 1 protocol ip permit

no cdp run

route-map RMAP_1 permit 1

match ip address NONAT

!

!

control-plane

!

bridge 1 protocol ieee

bridge 1 route ip
