Solved

Cisco 1811W CLI CONFIG

Posted on 2010-11-23
Last Modified: 2012-05-10
So, I cleaned my 1811 to try to clean it up. I want my wireless networks on the same LAN as my wired network. Below is my clean config; what must I do to make the wireless SSID iHydrant with a wpa-psk of wirelesspassword on radio 1?

My current Config:
1800W-westside#sh conf
Using 5324 out of 196600 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 1800W-westside
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 51200 warnings
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-2724351362
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2724351362
 revocation-check none
 rsakeypair TP-self-signed-2724351362
!
!
crypto pki certificate chain TP-self-signed-2724351362
 certificate self-signed 01 nvram:IOS-Self-Sig#3.cer
dot11 syslog
ip source-route
!
!
ip dhcp excluded-address 192.168.104.1
!
ip dhcp pool ccp-pool
   import all
   network 192.168.104.0 255.255.255.0
   default-router 192.168.104.1
   lease 0 2
!
!
ip cef
no ip domain lookup
ip domain name efdlocal.com
ip name-server 66.18.32.2
ip name-server 66.18.32.3
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
username efdadmin privilege 15 secret 5 $1$p85k$HudcL0ggymMoPNepgIpAU1
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key hellfire address 24.129.144.70
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to24.129.144.70
 set peer 24.129.144.70
 set transform-set TS
 match address 106
!
archive
 log config
  hidekeys
!
!
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
!
!
!
interface Dot11Radio0
 no ip address
 shutdown
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Dot11Radio1
 no ip address
 shutdown
 speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
 station-role root
!
interface FastEthernet0
 description $FW_OUTSIDE$$ES_WAN$$ETH-WAN$
 ip dhcp client hostname westside
 ip dhcp client lease 365 0 0
 ip dhcp client update dns
 ip address dhcp
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$
 ip address 192.168.104.1 255.255.255.0
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Async1
 no ip address
 encapsulation slip
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 dhcp
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
!
access-list 23 permit 192.168.104.0 0.0.0.7
access-list 101 permit ip any any
access-list 106 permit ip 192.168.104.0 0.0.0.255 192.168.104.0 0.0.0.255
access-list 106 permit ip 192.168.104.0 0.0.0.255 192.168.105.0 0.0.0.255
no cdp run

!
!
!
!
!
!
control-plane
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------

Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for  one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.

It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.

username <myuser> privilege 15 secret 0 <mypassword>

Replace <myuser> and <mypassword> with the username and password you want to
use.

-----------------------------------------------------------------------
^C
banner login ^C
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device.
This feature requires the one-time use of the username "cisco" with the
password "cisco". These default credentials have a privilege level of 15.

YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE  PUBLICLY-KNOWN
CREDENTIALS

Here are the Cisco IOS commands.

username <myuser>  privilege 15 secret 0 <mypassword>
no username cisco

Replace <myuser> and <mypassword> with the username and password you want
to use.

IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL NOT BE ABLE
TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.

For more information about Cisco CP please follow the instructions in the
QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
-----------------------------------------------------------------------
^C
!
line con 0
 login local
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
!
end

1800W-westside#
Question by: wortzc36027

Expert Comment by: Jody Lemoine
What you need to do is tie VLAN1 and Dot11Radio1 into a single bridge group and assign the IP address for the collective set to the BVI1 interface.

First you need to set up an SSID definition:

dot11 ssid iHydrant
   authentication open
   authentication key-management wpa
   guest-mode
   wpa-psk ascii 0 wirelesspassword

Then you need to set it up on Dot11Radio1:

interface Dot11Radio1
 no ip address
 !
 encryption mode ciphers aes-ccm tkip
 !
 ssid iHydrant
 !
 speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
 station-role root

Now, the router needs to be configured to allow bridging between the interfaces:

bridge irb
bridge 1 protocol ieee
bridge 1 route ip
!
interface Vlan1
 no description
 no ip address
 bridge-group 1
 no ip access-group 101 in
 default ip redirects
 default ip unreachables
 default ip proxy-arp
 no ip flow ingress
 no ip nat inside
 no ip virtual-reassembly
 no ip tcp adjust-mss 1452
!
interface Dot11Radio1
 bridge-group 1
 no shutdown
!
interface BVI1
 ip address 192.168.104.1 255.255.255.0
 ip access-group 101 in
 ip flow ingress
 ip nat inside
 ip virtual-reassembly

Once you're done, systems on both the VLAN1 and Dot11Radio1 interfaces will share the same network and will reach their default gateway via the BVI1 interface.

A few additional points to consider though...

These statements are a best practice for an Internet-facing interface, but shouldn't be applied to the LAN interface.

no ip redirects
no ip unreachables
no ip proxy-arp

This statement is really useful if you're using a PPPoE-based Internet connection, but should be left out if you're not.

ip tcp adjust-mss 1452

If you're going to permit all IP traffic with access-list 101, it's better not to even have access-list 101 and just leave the following statement off of the BVI1 interface entirely.

ip access-group 101 in

Hopefully that helps.
Author Comment by: wortzc36027
Ok, so here is my modified config, but my wireless clients cannot see the ssid.

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 1800W-westside
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 51200 warnings
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-2724351362
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2724351362
 revocation-check none
 rsakeypair TP-self-signed-2724351362
!
!
crypto pki certificate chain TP-self-signed-2724351362
 certificate self-signed 01 nvram:IOS-Self-Sig#3.cer
dot11 syslog
!
dot11 ssid iHydrant
 authentication open
 authentication key-management wpa
 guest-mode
 wpa-psk ascii 0 wirelesspassword
!
ip source-route
!
!
ip dhcp excluded-address 192.168.104.1
!
ip dhcp pool ccp-pool
   import all
   network 192.168.104.0 255.255.255.0
   default-router 192.168.104.1
   lease 0 2
!
!
ip cef
no ip domain lookup
ip domain name efdlocal.com
ip name-server 66.18.32.2
ip name-server 66.18.32.3
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
username efdadmin privilege 15 secret 5 $1$p85k$HudcL0ggymMoPNepgIpAU1
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key hellfire address 24.129.144.70
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to24.129.144.70
 set peer 24.129.144.70
 set transform-set TS
 match address 106
!
archive
 log config
  hidekeys
!
!
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
bridge irb
!
!
!
interface Dot11Radio0
 no ip address
 shutdown
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Dot11Radio1
 no ip address
 !
 encryption mode ciphers aes-ccm tkip
 !
 ssid iHydrant
 !
 speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface FastEthernet0
 description $FW_OUTSIDE$$ES_WAN$$ETH-WAN$
 ip dhcp client hostname westside
 ip dhcp client lease 365 0 0
 ip dhcp client update dns
 ip address dhcp
 ip access-group WebSurfing out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
interface FastEthernet1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
 no ip address
 zone-member security in-zone
 bridge-group 1
!
interface Async1
 no ip address
 encapsulation slip
!
interface BVI1
 ip address 192.168.104.1 255.255.255.0
 ip access-group 101 in
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 dhcp
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0 overload
!
ip access-list extended WebSurfing
 permit ip any any
ip access-list extended nat
 permit ip any any
!
access-list 23 permit 192.168.104.0 0.0.0.7
access-list 101 permit ip any any
access-list 106 remark IPSec Rule
access-list 106 permit ip 192.168.106.0 0.0.0.255 192.168.103.0 0.0.0.255
access-list 106 permit ip 192.168.106.0 0.0.0.255 192.168.105.0 0.0.0.255
access-list 106 permit ip 192.168.106.0 0.0.0.255 192.168.106.0 0.0.0.255
access-list 109 deny   ip 192.168.104.0 0.0.0.255 192.168.103.0 0.0.0.255
access-list 109 permit ip 192.168.104.0 0.0.0.255 any
access-list 109 permit ip any any
no cdp run

!
!
!
!
route-map nonat permit 10
 match ip address nat
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------

Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for  one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.

It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.

username <myuser> privilege 15 secret 0 <mypassword>

Replace <myuser> and <mypassword> with the username and password you want to
use.

-----------------------------------------------------------------------
^C
banner login ^C
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device.
This feature requires the one-time use of the username "cisco" with the
password "cisco". These default credentials have a privilege level of 15.

YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE  PUBLICLY-KNOWN
CREDENTIALS

Here are the Cisco IOS commands.

username <myuser>  privilege 15 secret 0 <mypassword>
no username cisco

Replace <myuser> and <mypassword> with the username and password you want
to use.

IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL NOT BE ABLE
TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.

For more information about Cisco CP please follow the instructions in the
QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
-----------------------------------------------------------------------
^C
!
line con 0
 login local
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
!
end

1800W-westside#
Expert Comment by: Jody Lemoine
Looks like your wireless interfaces are in shutdown state. Do a "no shutdown" on those and see if it all comes up.
Expert Comment by: Jody Lemoine
Also, if you're going to be using the zone-based firewall feature, you'll want to take "zone-member security in-zone" off of VLAN1 and put it on BVI1.
Author Comment by: wortzc36027
I made the changes, but still no luck on the wireless. It is not broadcasting. Also, my LAN and wireless clients cannot get on the internet; however, the router can ping 4.2.2.2 just fine.
Accepted Solution by: Jody Lemoine (earned 500 total points)
Internet access is going to require that you configure NAT on your router. It looks like most of it is there, but the route map referenced by your "ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0 overload" statement isn't in your configuration. That will stop your Internet access in its tracks.

As for the wireless not broadcasting, can you post the output of the following commands?

shoe dot11 bssid
show bridge 1
show ip interface brief
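As an added example (not from the thread or from Cisco), here is a small Python audit that flags the three problems raised in this thread in a saved running-config: a NAT statement naming a route-map that is never defined, a bridge-group member left in shutdown, and zone-member placed on a bridged port instead of the BVI. The sample config is a constructed excerpt condensed from the poster's modified config, with a shutdown added under Dot11Radio1 so every check fires.

```python
import re

# Constructed excerpt condensed from the thread's modified config; the
# "shutdown" under Dot11Radio1 is added here so every check fires.
SAMPLE_CONFIG = """\
interface Dot11Radio1
 no ip address
 shutdown
 ssid iHydrant
 bridge-group 1
!
interface Vlan1
 no ip address
 zone-member security in-zone
 bridge-group 1
!
interface BVI1
 ip address 192.168.104.1 255.255.255.0
 ip nat inside
!
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0 overload
route-map nonat permit 10
 match ip address nat
"""


def parse_interfaces(cfg):
    """Map each 'interface X' stanza to its list of indented sub-commands."""
    ifaces, current = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ifaces[current] = []
        elif line.startswith(" ") and current is not None:
            ifaces[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the stanza
    return ifaces


def audit(cfg):
    """Return the list of findings for the three mistakes raised in the thread."""
    findings = []
    # 1. NAT overload statement names a route-map that is never defined.
    defined = set(re.findall(r"^route-map (\S+)", cfg, re.M))
    for rm in re.findall(r"^ip nat inside source route-map (\S+)", cfg, re.M):
        if rm not in defined:
            findings.append(f"NAT references undefined route-map {rm}")
    for name, cmds in parse_interfaces(cfg).items():
        bridged = any(c.startswith("bridge-group ") for c in cmds)
        # 2. A bridge-group member left in shutdown never joins the bridge.
        if bridged and "shutdown" in cmds:
            findings.append(f"{name} is a bridge-group member but is shutdown")
        # 3. Zone membership belongs on the BVI, not on a bridged member port.
        if bridged and any(c.startswith("zone-member security") for c in cmds):
            findings.append(f"{name} is bridged but carries zone-member; move it to the BVI")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```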
Expert Comment by: Jody Lemoine
Whoops. That first command should be "show" and not "shoe".
Author Comment by: wortzc36027
Happy Thanksgiving to ALL!! God Bless

Here are the results:
1800W-westside#sh dot11 bssid
Interface      BSSID         Guest  SSID
Dot11Radio1   f866.f2fe.b510  Yes  iHydrant
1800W-westside#sh bridge 1

Total of 300 station blocks, 299 free
Codes: P - permanent, S - self

Bridge Group 1:

    Address       Action   Interface       Age   RX count   TX count
0019.d145.9ed9   forward   Vlan1             0         32          1
1800W-westside#sh ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
Async1                     unassigned      YES NVRAM  down                  down
BVI1                       192.168.104.1   YES NVRAM  up                    up
Dot11Radio0                unassigned      YES NVRAM  reset                 down
Dot11Radio1                unassigned      YES NVRAM  up                    up
FastEthernet0              10.10.10.111    YES DHCP   up                    up
FastEthernet1              unassigned      YES NVRAM  administratively down down
FastEthernet2              unassigned      YES unset  up                    down
FastEthernet3              unassigned      YES unset  up                    down
FastEthernet4              unassigned      YES unset  up                    down
FastEthernet5              unassigned      YES unset  up                    down
FastEthernet6              unassigned      YES unset  up                    down
FastEthernet7              unassigned      YES unset  up                    down
FastEthernet8              unassigned      YES unset  up                    down
FastEthernet9              unassigned      YES unset  up                    up
NVI0                       unassigned      YES unset  administratively down down
Vlan1                      unassigned      YES NVRAM  up                    up
1800W-wes
Expert Comment by: Jody Lemoine
The output from "show dot11 bssid" says that the iHydrant guest network is definitely broadcasting. Keep in mind that Dot11Radio1 is 802.11a on the 1811, so if you're trying to reach it with 802.11b/g clients, it won't show up. Did you manage to get the route map fixed for your NAT?