Solved

Cisco 1811W CLI CONFIG

Posted on 2010-11-23
1,594 Views
Last Modified: 2012-05-10
So, I cleaned my 1811 to try to clean it up. I want my wireless networks on the same LAN as my wired network. Below is my clean config; what must I do to make the wireless SSID iHydrant with a wpa-psk of wirelesspassword on radio 1?

My current Config:
1800W-westside#sh conf
Using 5324 out of 196600 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 1800W-westside
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 51200 warnings
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-2724351362
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2724351362
 revocation-check none
 rsakeypair TP-self-signed-2724351362
!
!
crypto pki certificate chain TP-self-signed-2724351362
 certificate self-signed 01 nvram:IOS-Self-Sig#3.cer
dot11 syslog
ip source-route
!
!
ip dhcp excluded-address 192.168.104.1
!
ip dhcp pool ccp-pool
   import all
   network 192.168.104.0 255.255.255.0
   default-router 192.168.104.1
   lease 0 2
!
!
ip cef
no ip domain lookup
ip domain name efdlocal.com
ip name-server 66.18.32.2
ip name-server 66.18.32.3
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
username efdadmin privilege 15 secret 5 $1$p85k$HudcL0ggymMoPNepgIpAU1
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key hellfire address 24.129.144.70
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to24.129.144.70
 set peer 24.129.144.70
 set transform-set TS
 match address 106
!
archive
 log config
  hidekeys
!
!
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
!
!
!
interface Dot11Radio0
 no ip address
 shutdown
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0
 54.0
 station-role root
!
interface Dot11Radio1
 no ip address
 shutdown
 speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
 station-role root
!
interface FastEthernet0
 description $FW_OUTSIDE$$ES_WAN$$ETH-WAN$
 ip dhcp client hostname westside
 ip dhcp client lease 365 0 0
 ip dhcp client update dns
 ip address dhcp
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$
 ip address 192.168.104.1 255.255.255.0
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Async1
 no ip address
 encapsulation slip
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 dhcp
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
!
access-list 23 permit 192.168.104.0 0.0.0.7
access-list 101 permit ip any any
access-list 106 permit ip 192.168.104.0 0.0.0.255 192.168.104.0 0.0.0.255
access-list 106 permit ip 192.168.104.0 0.0.0.255 192.168.105.0 0.0.0.255
no cdp run

!
!
!
!
!
!
control-plane
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------

Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for  one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.

It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.

username <myuser> privilege 15 secret 0 <mypassword>

Replace <myuser> and <mypassword> with the username and password you want to
use.

-----------------------------------------------------------------------
^C
banner login ^C
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device.
This feature requires the one-time use of the username "cisco" with the
password "cisco". These default credentials have a privilege level of 15.

YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE  PUBLICLY-KNOWN
CREDENTIALS

Here are the Cisco IOS commands.

username <myuser>  privilege 15 secret 0 <mypassword>
no username cisco

Replace <myuser> and <mypassword> with the username and password you want
to use.

IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL NOT BE ABLE
TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.

For more information about Cisco CP please follow the instructions in the
QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
-----------------------------------------------------------------------
^C
!
line con 0
 login local
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
!
end

1800W-westside#
Question by: wortzc36027
LVL 22

Expert Comment

by:Jody Lemoine
ID: 34202339
What you need to do is tie VLAN1 and Dot11Radio1 into a single bridge group and assign the IP address for the collective set to the BVI1 interface.

First you need to set up an SSID definition:

dot11 ssid iHydrant
   authentication open
   authentication key-management wpa
   guest-mode
   wpa-psk ascii 0 wirelesspassword

Then you need to set it up on Dot11Radio1:

interface Dot11Radio1
 no ip address
 !
 encryption mode ciphers aes-ccm tkip
 !
 ssid iHydrant
 !
 speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
 station-role root

Now, the router needs to be configured to allow bridging between the interfaces:

bridge irb
bridge 1 protocol ieee
bridge 1 route ip
!
interface Vlan1
 no description
 no ip address
 bridge-group 1
 no ip access-group 101 in
 default ip redirects
 default ip unreachables
 default ip proxy-arp
 no ip flow ingress
 no ip nat inside
 no ip virtual-reassembly
 no ip tcp adjust-mss 1452
!
interface Dot11Radio1
 bridge-group 1
 no shutdown
!
interface BVI1
 ip address 192.168.104.1 255.255.255.0
 ip access-group 101 in
 ip flow ingress
 ip nat inside
 ip virtual-reassembly

Once you're done, systems on both the VLAN1 and Dot11Radio1 interfaces will share the same network and will reach their default gateway via the BVI1 interface.

A few additional points to consider though...

These statements are a best practice for an Internet-facing interface, but shouldn't be applied to the LAN interface.

no ip redirects
no ip unreachables
no ip proxy-arp

This statement is really useful if you're using a PPPoE-based Internet connection, but should be left out if you're not.

ip tcp adjust-mss 1452

If you're going to permit all IP traffic with access-list 101, it's better not to even have access-list 101 and just leave the following statement off of the BVI1 interface entirely.

ip access-group 101 in

Hopefully that helps.

Author Comment

by:wortzc36027
ID: 34205633
Ok, so here is my modified config, but my wireless clients cannot see the ssid.

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 1800W-westside
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 51200 warnings
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-2724351362
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2724351362
 revocation-check none
 rsakeypair TP-self-signed-2724351362
!
!
crypto pki certificate chain TP-self-signed-2724351362
 certificate self-signed 01 nvram:IOS-Self-Sig#3.cer
dot11 syslog
!
dot11 ssid iHydrant
 authentication open
 authentication key-management wpa
 guest-mode
 wpa-psk ascii 0 wirelesspassword
!
ip source-route
!
!
ip dhcp excluded-address 192.168.104.1
!
ip dhcp pool ccp-pool
   import all
   network 192.168.104.0 255.255.255.0
   default-router 192.168.104.1
   lease 0 2
!
!
ip cef
no ip domain lookup
ip domain name efdlocal.com
ip name-server 66.18.32.2
ip name-server 66.18.32.3
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
username efdadmin privilege 15 secret 5 $1$p85k$HudcL0ggymMoPNepgIpAU1
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key hellfire address 24.129.144.70
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to24.129.144.70
 set peer 24.129.144.70
 set transform-set TS
 match address 106
!
archive
 log config
  hidekeys
!
!
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
bridge irb
!
!
!
interface Dot11Radio0
 no ip address
 shutdown
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0
 54.0
 station-role root
!
interface Dot11Radio1
 no ip address
 !
 encryption mode ciphers aes-ccm tkip
 !
 ssid iHydrant
 !
 speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface FastEthernet0
 description $FW_OUTSIDE$$ES_WAN$$ETH-WAN$
 ip dhcp client hostname westside
 ip dhcp client lease 365 0 0
 ip dhcp client update dns
 ip address dhcp
 ip access-group WebSurfing out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
interface FastEthernet1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
 no ip address
 zone-member security in-zone
 bridge-group 1
!
interface Async1
 no ip address
 encapsulation slip
!
interface BVI1
 ip address 192.168.104.1 255.255.255.0
 ip access-group 101 in
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 dhcp
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0 overload
!
ip access-list extended WebSurfing
 permit ip any any
ip access-list extended nat
 permit ip any any
!
access-list 23 permit 192.168.104.0 0.0.0.7
access-list 101 permit ip any any
access-list 106 remark IPSec Rule
access-list 106 permit ip 192.168.106.0 0.0.0.255 192.168.103.0 0.0.0.255
access-list 106 permit ip 192.168.106.0 0.0.0.255 192.168.105.0 0.0.0.255
access-list 106 permit ip 192.168.106.0 0.0.0.255 192.168.106.0 0.0.0.255
access-list 109 deny   ip 192.168.104.0 0.0.0.255 192.168.103.0 0.0.0.255
access-list 109 permit ip 192.168.104.0 0.0.0.255 any
access-list 109 permit ip any any
no cdp run

!
!
!
!
route-map nonat permit 10
 match ip address nat
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------

Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for  one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.

It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.

username <myuser> privilege 15 secret 0 <mypassword>

Replace <myuser> and <mypassword> with the username and password you want to
use.

-----------------------------------------------------------------------
^C
banner login ^C
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device.
This feature requires the one-time use of the username "cisco" with the
password "cisco". These default credentials have a privilege level of 15.

YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE  PUBLICLY-KNOWN
CREDENTIALS

Here are the Cisco IOS commands.

username <myuser>  privilege 15 secret 0 <mypassword>
no username cisco

Replace <myuser> and <mypassword> with the username and password you want
to use.

IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL NOT BE ABLE
TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.

For more information about Cisco CP please follow the instructions in the
QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
-----------------------------------------------------------------------
^C
!
line con 0
 login local
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
!
end

1800W-westside#
LVL 22

Expert Comment

by:Jody Lemoine
ID: 34205730
Looks like your wireless interfaces are in shutdown state.  Do a "no shutdown" on those and see if it all comes up.
LVL 22

Expert Comment

by:Jody Lemoine
ID: 34205753
Also, if you're going to be using the zone-based firewall feature, you'll want to take "zone-member security in-zone" off of VLAN1 and put it on BVI1.

Author Comment

by:wortzc36027
ID: 34206111
I made the changes, but still no luck on the wireless. It is not broadcasting. Also, my LAN and wireless clients cannot get on the internet; however, the router can ping 4.2.2.2 just fine.
LVL 22

Accepted Solution

by: Jody Lemoine (earned 500 total points)
ID: 34206240
Internet access is going to require that you configure NAT on your router.  It looks like most of it is there, but the route map referenced by your "ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0 overload" statement isn't in your configuration.  That will stop your Internet access in its tracks.

As for the wireless not broadcasting, can you post the output of the following commands?

shoe dot11 bssid
show bridge 1
show ip interface brief
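The three slips the answers in this thread point at (a bridged radio interface still shut down, a NAT statement referencing a route-map that is never defined, and zone-member security left on the VLAN instead of the BVI) are all visible in the running-config text, so they can be caught before the change goes live. The Python linter below is an added example, not something from the thread or from Cisco: parse_sections, lint and the check functions are my own names, and SAMPLE_CONFIG is a constructed excerpt modelled on the posted config, not the poster's actual file.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the posted config: Dot11Radio1 is bridged but
# still shut down, the NAT statement points at SDM_RMAP_1 while only route-map
# "nonat" exists, and Vlan1 carries the zone membership instead of BVI1.
SAMPLE_CONFIG = """\
bridge irb
!
interface Dot11Radio1
 no ip address
 shutdown
 encryption mode ciphers aes-ccm tkip
 ssid iHydrant
 station-role root
 bridge-group 1
!
interface FastEthernet0
 ip address dhcp
 ip nat outside
 zone-member security out-zone
!
interface Vlan1
 no ip address
 zone-member security in-zone
 bridge-group 1
!
interface BVI1
 ip address 192.168.104.1 255.255.255.0
 ip nat inside
!
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0 overload
!
route-map nonat permit 10
 match ip address nat
!
bridge 1 protocol ieee
bridge 1 route ip
"""


def parse_sections(config: str) -> Dict[str, List[str]]:
    """Map each top-level line (e.g. 'interface Vlan1') to its indented sub-lines."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue  # blank lines and '!' separators carry no configuration
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        elif not raw.startswith(" "):
            current = raw.strip()
            sections.setdefault(current, [])
    return sections


def _interfaces(sections):
    """Yield (name, body) for every 'interface ...' block."""
    for header, body in sections.items():
        if header.startswith("interface "):
            yield header.split(" ", 1)[1], body


def _is_bridge_member(body: List[str]) -> bool:
    return any(line.startswith("bridge-group ") for line in body)


def shutdown_bridge_members(sections) -> List[str]:
    """Bridged interfaces that are still administratively down (the 'no shutdown' fix)."""
    return [name for name, body in _interfaces(sections)
            if _is_bridge_member(body) and "shutdown" in body]


def dangling_route_maps(sections) -> List[str]:
    """NAT statements whose route-map is referenced but never defined (the accepted answer)."""
    defined = {h.split()[1] for h in sections if h.startswith("route-map ")}
    refs = []
    for header in sections:
        m = re.match(r"ip nat inside source route-map (\S+)", header)
        if m and m.group(1) not in defined:
            refs.append(m.group(1))
    return refs


def zone_on_bridge_member(sections) -> List[str]:
    """Bridge members carrying 'zone-member security'; with IRB the zone belongs on the BVI."""
    return [name for name, body in _interfaces(sections)
            if not name.startswith("BVI") and _is_bridge_member(body)
            and any(line.startswith("zone-member security") for line in body)]


def lint(config: str) -> Dict[str, List[str]]:
    """Run all three checks and return the offending names per check."""
    sections = parse_sections(config)
    return {
        "shutdown_bridge_members": shutdown_bridge_members(sections),
        "dangling_route_maps": dangling_route_maps(sections),
        "zone_on_bridge_member": zone_on_bridge_member(sections),
    }


if __name__ == "__main__":
    for check, hits in lint(SAMPLE_CONFIG).items():
        print(f"{check}: {hits or 'ok'}")
```

Feed it the output of `show running-config` saved to a file and it reports Dot11Radio1, SDM_RMAP_1 and Vlan1 for the sample; once the radio is brought up, a route-map named SDM_RMAP_1 exists, and the zone membership is moved to BVI1, every list comes back empty.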
LVL 22

Expert Comment

by:Jody Lemoine
ID: 34206261
Whoops. That first command should be "show" and not "shoe".

Author Comment

by:wortzc36027
ID: 34218227
Happy Thanksgiving to ALL!! God Bless

Here are the results:
1800W-westside#sh dot11 bssid
Interface      BSSID         Guest  SSID
Dot11Radio1   f866.f2fe.b510  Yes  iHydrant
1800W-westside#sh bridge 1

Total of 300 station blocks, 299 free
Codes: P - permanent, S - self

Bridge Group 1:

    Address       Action   Interface       Age   RX count   TX count
0019.d145.9ed9   forward   Vlan1             0         32          1
1800W-westside#sh ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
Async1                     unassigned      YES NVRAM  down                  down
BVI1                       192.168.104.1   YES NVRAM  up                    up
Dot11Radio0                unassigned      YES NVRAM  reset                 down
Dot11Radio1                unassigned      YES NVRAM  up                    up
FastEthernet0              10.10.10.111    YES DHCP   up                    up
FastEthernet1              unassigned      YES NVRAM  administratively down down
FastEthernet2              unassigned      YES unset  up                    down
FastEthernet3              unassigned      YES unset  up                    down
FastEthernet4              unassigned      YES unset  up                    down
FastEthernet5              unassigned      YES unset  up                    down
FastEthernet6              unassigned      YES unset  up                    down
FastEthernet7              unassigned      YES unset  up                    down
FastEthernet8              unassigned      YES unset  up                    down
FastEthernet9              unassigned      YES unset  up                    up
NVI0                       unassigned      YES unset  administratively down down
Vlan1                      unassigned      YES NVRAM  up                    up
1800W-wes
LVL 22

Expert Comment

by:Jody Lemoine
ID: 34232223
The output from the "show dot11 bssid" says that the iHydrant guest network is definitely broadcasting.  Keep in mind that Dot11Radio1 is 802.11a on the 1811, so if you're trying to reach it with 802.11b/g clients, it won't show up.  Did you manage to get the route map fixed for your NAT?