I changed the default IP for VLAN1 from 10.10.10.1 to 10.199.199.1 for security purposes.
To ensure VLAN 2 is created, we suggest you configure one of the router's FastEthernet interfaces so that it is assigned to VLAN 2. This will force the router to create VLAN 2 in its VLAN database:
R1-887W(config)# interface FastEthernet3
R1-887W(config-if)# switchport access VLAN 2
Once the switchport access VLAN 2 command is given, the router will automatically create VLAN 2 if it does not exist. Below is the output to expect when this happens:
% Access VLAN does not exist. Creating VLAN 2
Run show ip int brief to verify: the VLAN interface should now show Protocol up.
Configuring DHCP
ip dhcp excluded-address 192.168.89.1 192.168.89.64
ip dhcp excluded-address 192.168.89.251 192.168.89.254
ip dhcp excluded-address 10.127.0.1 10.127.0.10
!
ip dhcp pool Office
import all
network 192.168.89.0 255.255.255.0
default-router 192.168.89.1
!
ip dhcp pool Guest
network 172.16.18.0 255.255.255.0
default-router 172.16.18.1
!
Configuring Interfaces
interface Ethernet0
no ip address
shutdown
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
switchport access vlan 2
no ip address
!
interface FastEthernet2
switchport access vlan 2
no ip address
!
interface FastEthernet3
no ip address
!
Configuring Wireless Interfaces
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
switchport mode trunk
no ip address
!
interface wlan-ap0
description Embedded Service module interface to manage the embedded AP
ip address 10.127.1.1 255.255.255.255
!
Configuring ADSL interface
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
pvc 8/35
pppoe-client dial-pool-number 1
!
interface Dialer0
description $FW_OUTSIDE$
ip address 199.99.99.99 255.255.255.0
ip mtu 1452
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname abc0@xx.xxx.net
ppp chap password 0 9999
ppp pap sent-username abc0@xx.xxx.net password 0 9999
no cdp enable
IP NAT
ip nat inside source list 1 interface Dialer0 overload
Default Route
ip route 0.0.0.0 0.0.0.0 Dialer0 permanent
Access List
Dialer Overload
access-list 1 remark Permit Interface Dialer overload
access-list 1 permit 172.16.18.0 0.0.0.255
access-list 1 permit 192.168.89.0 0.0.0.255
dialer-list 1 protocol ip permit
VTY Access
access-list 101 remark vty access
access-list 101 permit ip host 202.61.141.6 any
access-list 101 permit ip 10.199.199.0 0.0.0.7 any
Restrict Wireless Guest Access
access-list 113 deny ip 172.16.18.0 0.0.0.255 192.168.89.0 0.0.0.255
access-list 113 permit ip any any
access-list 113 remark Wireless Guest deny access to COTD
VTY line access
line vty 0 4
access-class 101 in
privilege level 15
login local
transport input ssh
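An ACL filters nothing until a command binds it: the excerpts above bind ACL 1 (NAT) and ACL 101 (access-class), but no binding for ACL 113 is shown. The Python check below is an added example, not part of the original post; it lists numbered ACLs with no binding and secrets stored as type 0 or type 7, and its sample config is constructed from this page's lines with placeholder secrets.

```python
import re

# Constructed sample modelled on this page's config; secrets are placeholders.
SAMPLE = """\
ip nat inside source list 1 interface Dialer0 overload
access-list 1 permit 172.16.18.0 0.0.0.255
access-list 101 permit ip 10.199.199.0 0.0.0.7 any
access-list 113 deny ip 172.16.18.0 0.0.0.255 192.168.89.0 0.0.0.255
access-list 113 permit ip any any
interface Dialer0
 ppp chap password 0 PLACEHOLDER
line vty 0 4
 access-class 101 in
dot11 ssid Guest
 wpa-psk ascii 7 PLACEHOLDER
"""

# Commands that bind a numbered ACL (not exhaustive: route-maps and
# class-maps can reference ACLs too).
ACL_REF = re.compile(
    r"^\s*(?:ip access-group|access-class|ip nat inside source list) (\d+)\b")
ACL_DEF = re.compile(r"^access-list (\d+) (?:permit|deny)\b")
# Type 0 is cleartext and type 7 is reversible obfuscation.
WEAK_SECRET = re.compile(r"\b(?:password|ascii) ([07]) \S+")

def unbound_acls(config):
    """Numbered ACLs that are defined but never bound by a known command."""
    defined, bound = set(), set()
    for line in config.splitlines():
        if m := ACL_DEF.match(line):
            defined.add(int(m.group(1)))
        elif m := ACL_REF.match(line):
            bound.add(int(m.group(1)))
    return sorted(defined - bound)

def weak_secrets(config):
    """(line number, secret type) for each secret stored as type 0 or 7."""
    return [(n, int(m.group(1)))
            for n, line in enumerate(config.splitlines(), 1)
            if (m := WEAK_SECRET.search(line))]

if __name__ == "__main__":
    print("unbound ACLs:", unbound_acls(SAMPLE))
    print("weak secrets:", weak_secrets(SAMPLE))
```

Run it against a saved copy of show running-config; an ACL reported as unbound is either unused or still needs an ip access-group on the interface it is meant to protect.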
Configuring Access Point
To access the access point, an IP address must be assigned to interface wlan-ap0.
To access the AP configuration:
R1# service-module wlan-ap 0 session
To toggle back from the AP configuration to the router, press Shift-Ctrl-6, followed by x.
It takes several attempts to toggle ;)
Configuring the SSID
dot11 ssid Office
vlan 2
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii 7 065657761A1F2B4E5346435955540B780179106404
!
dot11 ssid Guest
vlan 3
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii 7 11584C5C40475858517C73717A6304153635223A347F7668
!
bridge irb
We must ensure the integrated routing and bridging (IRB) feature is enabled to allow the routing of our protocols (IP) between routed interfaces and bridge groups.
Configuring the Dot11Radio0 interface
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption vlan 2 mode ciphers aes-ccm
!
encryption vlan 3 mode ciphers aes-ccm
!
broadcast-key vlan 2 change 30
!
broadcast-key vlan 3 change 30
!
!
ssid Office
!
ssid Guest
!
antenna gain 0
mbssid
speed basic-1.0 basic-2.0 basic-5.5 basic-11.0 basic-6.0 basic-9.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15.
station-role root
!
Configuring the Dot11Radio0 sub-interfaces
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio0.2
encapsulation dot1Q 2
no ip route-cache
bridge-group 2
bridge-group 2 subscriber-loop-control
bridge-group 2 block-unknown-source
no bridge-group 2 source-learning
no bridge-group 2 unicast-flooding
bridge-group 2 spanning-disabled
!
interface Dot11Radio0.3
encapsulation dot1Q 3
no ip route-cache
bridge-group 3
bridge-group 3 subscriber-loop-control
bridge-group 3 block-unknown-source
no bridge-group 3 source-learning
no bridge-group 3 unicast-flooding
bridge-group 3 spanning-disabled
!
Configuring AP GigabitEthernet0, Sub-interfaces
The GigabitEthernet interface and sub-interface configuration follows the same logic as the Dot11Radio0 interface. Notice that each GigabitEthernet sub-interface is mapped to the same VLAN and bridge-group as the Dot11Radio0 sub-interfaces.
interface GigabitEthernet0
description the embedded AP GigabitEthernet 0 is an internal interface connecting AP with the host router
no ip address
no ip route-cache
!
interface GigabitEthernet0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface GigabitEthernet0.2
encapsulation dot1Q 2
no ip route-cache
bridge-group 2
no bridge-group 2 source-learning
bridge-group 2 spanning-disabled
!
interface GigabitEthernet0.3
encapsulation dot1Q 3
no ip route-cache
bridge-group 3
no bridge-group 3 source-learning
bridge-group 3 spanning-disabled
!
Configuring BVI Interface
interface BVI1
ip address 10.1.1.4 255.255.255.248
no ip route-cache
We create the one and only BVI1 interface and assign it an IP address. This is the IP address of our access point and is reachable from our LAN network, so it's best to assign it an IP address from your LAN network.
It is important to note that only one bridge-interface (BVI Interface) is configured with an IP Address. The rest of the bridge groups are not required to have a BVI interface as all traffic is trunked through the BVI1 Interface. This is per Cisco design.
Finally, we must enable ip routing for bridge 1:
bridge 1 route ip
Reset Router 887 Access Point
Router#service-module wlan-ap 0 reset default-config
Remove paragraph containing: crypto pki trustpoint TP-self-signed-
References
Cisco 880W (881W, 886W, 887W, 888W) Multiple - Dual SSID Integrated Access Point Configuration
http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/825-cisco880w-multiple-ssid.html