Cisco 1941W Wireless Configuration Example

So i followed this example and setup my router and ap. I also have a t1 module configured along with RIPv2.

From the router I can ping the internet, from the AP I cannot. From the AP I can ping the router and the T1 module, the next hop is not reachable. Its like the traffic from the AP is not going through the static default route for some reason. Any thoughts?

Hi Joseph,

When you can ping the router from the AP then its default gateway is working. Since you are unable to ping the Internet, it’s probably your NAT configuration.

Did you configure NAT and if so, did you include the subnet of the access point?

Here’s an example:

https://networklessons.com/network-services/how-to-configure-pat-on-cisco-ios-router/

Just imagine that one of the hosts is your AP.

Rene

Thanks a lot for your help Rene
I would just add the last configuration for those like me who never used a Cisco Router Before

Ap(config)#interface dot11Radio 0
Ap(config-if)#no shutdown

Ap(config)#interface dot11Radio 1
Ap(config-if)#no shutdown

so the Ap can broadcast the SSID

Regards :smiley:
Ivan

1 Like

Rene, I have a Cisco 2851 with an HWIC-AP installed. Since the AP is inside the router itself, any subinterface IP addresses assigned to the SSIDs would automatically appear in its routing table. Is there a need for VLANS to be configured? Are BVIs necessary in this situation? How would the configuration look to reflect this? Matt.

Hi Matt,

I’m not sure if the 2851 works similar as the 1941 when it comes to AP but let’s assume it is similar. The only reason to use VLANs is if you want to separate your Wifi traffic. For example, let’s say you have a “guest” SSID and a “corporate” SSID. You probably want to use two different VLANs for this. The BVIs are used on the 1941 to bridge the radio + internal Ethernet connection together.

I’m on a holiday for a few days now but if you want to see the config, let me know and I’ll look it up when I get back ok?

Rene

I’d love to see your config when you get a chance to post it. I suppose I am having trouble getting my head around the need for VLANS. I understand that VLANs separate the broadcast traffic into sub-domains and therefore isolate traffic as routers do not forward broadcast frames.

My understanding so far is:

  1. The bridge-groups in the radio sub-interfaces tie these interfaces to the BVIs that are created.

  2. So then the “encapsulation dot1Q xx native” command in the sub-interface then ties the SSIDs (which have the vlan command) to the respective sub-interface and BVI. Is this correct?

  3. So technically a bridge-group = VLAN in this context with the BVI getting the IP address instead of the VLAN. Am I correct in assuming this?

It just seems like a very complicated way to do something that should be quite simple.

I’ve included my config for the wireless side that seems to work. I can access the internet and ping the other subnets on the router. One last question, where is it best practice to put the “ip nat inside” command, on the BVIs or on the radio sub-interfaces?

Have a great holiday.

Matt.

!
dot11 ssid admin
 vlan 10
 authentication open 
 authentication key-management wpa
 mbssid guest-mode
 wpa-psk ascii 7 xxxxxxxxxxxxxxxxxxxxx
!
dot11 ssid guest
 vlan 20
 authentication open 
 authentication key-management wpa
 mbssid guest-mode
 wpa-psk ascii 7 xxxxxxxxxxxxxxxxxxxxx
!
dot11 ssid user
 vlan 30
 authentication open 
 authentication key-management wpa
 mbssid guest-mode
 wpa-psk ascii 7 xxxxxxxxxxxxxxxxxxxxx
!
bridge irb
!
!
interface Loopback0
 ip address 2.8.5.1 255.255.255.255
!
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex full
 speed 1000
!
!
interface Dot11Radio0/3/0
 no ip address
 !
 encryption vlan 10 mode ciphers aes-ccm tkip 
 !
 encryption vlan 20 mode ciphers aes-ccm tkip 
 !
 encryption vlan 30 mode ciphers aes-ccm tkip 
 !
 ssid admin
 !
 ssid guest
 !
 ssid user
 !
 mbssid
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
!
interface Dot11Radio0/3/0.10
 description admin.subint
 encapsulation dot1Q 10
 bridge-group 10
 bridge-group 10 subscriber-loop-control
 bridge-group 10 spanning-disabled
 bridge-group 10 block-unknown-source
 no bridge-group 10 source-learning
 no bridge-group 10 unicast-flooding
!
interface Dot11Radio0/3/0.20
 description guest.subint
 encapsulation dot1Q 20
 ip nat inside
 ip virtual-reassembly in
 bridge-group 20
 bridge-group 20 subscriber-loop-control
 bridge-group 20 spanning-disabled
 bridge-group 20 block-unknown-source
 no bridge-group 20 source-learning
 no bridge-group 20 unicast-flooding
!
interface Dot11Radio0/3/0.30
 description user.subint
 encapsulation dot1Q 30 native
 bridge-group 30
 bridge-group 30 subscriber-loop-control
 bridge-group 30 spanning-disabled
 bridge-group 30 block-unknown-source
 no bridge-group 30 source-learning
 no bridge-group 30 unicast-flooding
!
!
interface BVI10
 description admin.bvi
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface BVI20
 description guest.bvi
 ip address 20.1.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface BVI30
 description user.bvi
 ip address 30.1.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
!
bridge 10 protocol ieee
bridge 10 route ip
bridge 20 protocol ieee
bridge 20 route ip
bridge 30 protocol ieee
bridge 30 route ip
!
!
!

Hi Matt,

Take a look at my 1941 example:

https://networklessons.com/wireless/cisco-1941w-wireless-configuration-example/

Does your 2851 work the same? Do you have to use the console on the router to switch to the AP? The AP is integrated in the router but in reality, these are two separate devices that are connected with an internal gigabit link.

In my 1941, the router uses the wlan-GI0/0 and the AP uses its Gi0/0 interface. This is a L2 interface…it’s the same thing as connecting a router to a switch.

We use VLANs so that you can separate traffic. In your example, you have BVI10, 20 and 30 with a different SSID each. You could attach an ACL to each VLAN so that your guest users can only access the Internet, admins can do anything, etc. If you don’t care about this then you can just create one SSID and one VLAN.

  1. The bridge-group ties two interfaces together…correct. Normally on a switch, all interfaces in the same VLAN can communicate with each other. It’s easier to understand the bridge group when you think of a router…you can bridge two L3 interfaces on a router and then it will become one “L2 domain”. We do the same thing on the AP…we bridge the radio + gigabit interface together.

  2. Encapsulation dot1q is configuring trunking. The interface will add a VLAN tag for all frames it sends. You have them on the radio interface which is not needed, unless you want to send tagged frames to the wireless client :slight_smile: You need this on the internal interface towards the router…take a look at my 1941 example. It has this command on the AP so that it sends tagged frames to the router. Otherwise the router has no way to know to which VLAN the frames belong.

  3. The bridge group “bridges” two interfaces together. You can use this on a router to bridge two L3 interfaces together so it becomes a single L2 domain or you can use it to bridge two different kind of interfaces. For example, the radio interface uses 802.11 Ethernet frames and the Gigabit interface uses regular Ethernet frames. The bridge group allows us to get IP packets from one type of interface to another.

You should probably put the NAT commands on the VLAN interfaces of the router (interface vlan). These are L3 interfaces that the router can use for everything. The BVI interfaces can probably only be used for simple stuff like telnetting/ssh’ing to the AP.

These routers with an internal AP are pretty complex to configure. It is a lot easier when you only have a radio interface on the router. The 1941 (and I think your 2851 as well) are two separate boxes in one device. You can create pretty complex configurations with multiple SSIDs, authentication types, access-lists and everything.

Rene

Hi Rene, I hope you had a great holiday. I have managed to get a wireless setup on my Cisco 2851 with an HWIC-AP that works that doesn’t use BVIs, bridge-groups and actual VLANS. I am able to access the internet from any of the three SSIDs I have configured. I have not configured any actual VLANs on it, a sh vlan-switch command only shows the five default ones. The Dot11Radio0/3/0 and its subinterfaces are L3 ethernet types with a native VLAN assigned to each. The dot11 ssids are then placed into a VLAN which binds them to the respective L3 interfaces. As shown in your config above, I thought it a bit strange to have to bind everything to bridge-groups and BVIs on L3 interfaces on this router. Your config above is necessary for a standalone AP and router setup and routers such as the 877W which only has switchports and requires BVIs. I’ve included my config for the AP below and also the full config in case it is of use to others. It is still a work in progress so is a bit untidy and has loose ends. I thank you for your above config as it helped clarify how these things interact. Cheers, Matt.

Config is in the attachment.

R2851#term length 0 
R2851#terminal monitor 
R2851#sh run 
Building configuration...


Current configuration : 8517 bytes
!
! Last configuration change at 17:07:08 Sydney Fri Apr 22 2016 by admin
! NVRAM config last updated at 17:07:10 Sydney Fri Apr 22 2016 by admin
! NVRAM config last updated at 17:07:10 Sydney Fri Apr 22 2016 by admin
version 15.1
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone year
service password-encryption
service internal
service sequence-numbers
!
hostname R2851
!
boot-start-marker
boot system flash c2800nm-adventerprisek9-mz.151-4.M10.bin
boot-end-marker
!
!
logging discriminator Test severity drops 4 facility drops ENVMON mnemonics drops FAN_LOW_RPM 
logging buffered discriminator Test 4096
logging console discriminator Test
logging monitor discriminator Test
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
aaa new-model
!
!
!
!
!
!
!
aaa session-id common
!
clock timezone Sydney 10 0
clock summer-time sydney date Oct 2 2016 2:00 Apr 2 2017 2:00
clock calendar-valid
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-1640221266
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1640221266
 revocation-check none
 rsakeypair TP-self-signed-1640221266
!
!
crypto pki certificate chain TP-self-signed-1640221266
 certificate self-signed 01
  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030 
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274 
  69666963 6174652D 31363430 32323132 3636301E 170D3136 30343130 30323433 
  30335A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649 
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 36343032 
  32313236 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281 
  8100ECD9 BEED48C8 423C86F8 7A440629 3F9AC9A0 71C7A605 FFC63DD0 7A3496DA 
  0A5F7679 857A1B43 4C5AD662 38930B5D 93BBA66B 08133080 82EAF734 2C5B8AD1 
  FF4D13B4 AD1A94CB 88EAAC1A 28F6C354 32C03F73 FA9072B3 E25C33C1 656FA2A1 
  82F90A69 4B11C065 3953EEEC 4EAE3D02 2AE8C0BD 9A127E70 CF6B41D8 171D934B 
  19A90203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603 
  551D2304 18301680 1450E518 BA75F113 20751156 2D73822C 3D9E474C 50301D06 
  03551D0E 04160414 50E518BA 75F11320 7511562D 73822C3D 9E474C50 300D0609 
  2A864886 F70D0101 05050003 81810078 B35CE047 44B89377 62F0D9F3 122EE3A5 
  C53856C2 927F64CF BD74CD27 FFA06328 9720EF18 20D53FAA CD319BB4 18FF2A1C 
  35973BB3 99DDF0B1 5A5BDB5E 149B027D 82CBBA2A 626C4A68 3B700F3F 1D605721 
  64B69463 C777C1F0 2656D51C 0C8DBE22 577A5D2A 6D494637 3BAE113A 4E5023E7 
  CC62A2C3 AA0B84A2 FA109137 1EE05A
        quit
dot11 syslog
!
dot11 ssid admin.bde
 vlan 10
 authentication open 
 authentication key-management wpa
 mbssid guest-mode
 wpa-psk ascii 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
dot11 ssid guest.bde
 vlan 20
 authentication open 
 authentication key-management wpa
 mbssid guest-mode
 wpa-psk ascii 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
dot11 ssid user.bde
 vlan 30
 authentication open 
 authentication key-management wpa
 mbssid guest-mode
 wpa-psk ascii 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
no ip source-route
!
!
ip cef
!
ip dhcp excluded-address 10.1.1.1 10.1.1.230
ip dhcp excluded-address 20.1.1.1 20.1.1.230
ip dhcp excluded-address 30.1.1.1 30.1.1.230
!
ip dhcp pool 10.admin.bde
 import all
 network 10.1.1.0 255.255.255.0
 domain-name admin.bde.local
 default-router 10.1.1.1 
 dns-server 103.26.62.218 8.8.8.8 
 option 42 ip 2.8.5.1 
 lease 7
!
ip dhcp pool 20.guest.bde
 import all
 network 20.1.1.0 255.255.255.0
 domain-name guest.bde.local
 default-router 20.1.1.1 
 dns-server 103.26.62.218 8.8.8.8 
 option 42 ip 2.8.5.1 
 lease 7
!
ip dhcp pool 30.user.bde
 import all
 network 30.1.1.0 255.255.255.0
 domain-name user.bde.local
 default-router 30.1.1.1 
 dns-server 103.26.62.218 8.8.8.8 
 option 42 ip 2.8.5.1 
 lease 7
!
!
ip domain name bde.local
ip name-server 103.26.62.218
ip name-server 8.8.8.8
ip inspect WAAS flush-timeout 10
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
voice-card 0
!
!
!
license udi pid CISCO2851 sn FHK1248F30L
object-group network admin.net.obj 
 description Admin IP Addresses
 range 10.1.1.1 10.1.1.254
 range 192.168.1.50 192.168.1.254
!
object-group service admin.svc.obj 
 description Admin Services
 ip
!
object-group network guest.net.obj 
 description Guest IP Addresses
 range 20.1.1.50 20.1.1.254
!
object-group service guest.svc.obj 
 description Guest Services
 tcp eq 443
 tcp eq pop3
 tcp eq www
 udp eq domain
 tcp eq 67
 tcp eq 143
 tcp eq 993
 tcp eq 995
 tcp eq smtp
!
object-group network user.net.obj 
 description User IP Addresses
 range 30.1.1.50 30.1.1.254
!
object-group service user.svc.obj 
 description User Services
 tcp
 udp
 icmp
!
username admin privilege 15 view root password 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
redundancy
!
!
zone security inside
zone security outside
zone security guest
! 
!
!
bridge irb
!
!
!
!
!
interface Loopback0
 ip address 2.8.5.1 255.255.255.255
!
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex full
 speed 1000
!
interface GigabitEthernet0/1
 ip address 10.1.1.1 255.255.255.0
 duplex full
 speed 1000
!
interface ATM0/2/0
 no ip address
 no atm ilmi-keepalive
 dsl noise-margin -2
 dsl bitswap both
!
interface ATM0/2/0.1 point-to-point
 pvc 8/35 
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface Dot11Radio0/3/0
 no ip address
 !
 encryption vlan 10 mode ciphers aes-ccm tkip 
 !
 encryption vlan 20 mode ciphers aes-ccm tkip 
 !
 encryption vlan 30 mode ciphers aes-ccm tkip 
 !
 ssid admin.bde
 !
 ssid guest.bde
 !
 ssid user.bde
 !
 mbssid
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Dot11Radio0/3/0.10
 description admin.bde.subint
 encapsulation dot1Q 10
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 no cdp enable
!
interface Dot11Radio0/3/0.20
 description guest.bde.subint
 encapsulation dot1Q 20
 ip address 20.1.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 no cdp enable
!
interface Dot11Radio0/3/0.30
 description users.bde.subint
 encapsulation dot1Q 30
 ip address 30.1.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 no cdp enable
!
interface FastEthernet0/1/0
 switchport access vlan 10
 switchport mode trunk
 no ip address
 duplex full
 speed 100
!
interface FastEthernet0/1/1
 no ip address
 duplex full
 speed 100
!
interface FastEthernet0/1/2
 no ip address
 duplex full
 speed 100
!
interface FastEthernet0/1/3
 no ip address
 duplex full
 speed 100
!
interface FastEthernet0/1/4
 no ip address
 duplex full
 speed 100
!
interface FastEthernet0/1/5
 no ip address
 duplex full
 speed 100
!
interface FastEthernet0/1/6
 no ip address
 duplex full
 speed 100
!
interface FastEthernet0/1/7
 no ip address
 duplex full
 speed 100
!
interface FastEthernet0/1/8
 no ip address
 duplex full
 speed 100
!
interface Vlan1
 no ip address
!
interface Dialer0
 ip address 10.10.10.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 ppp chap password 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 no cdp enable
!
ip forward-protocol nd
ip http server
ip http secure-server
!
!
ip nat inside source list wan.access.acl interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0 permanent
!
ip access-list extended wan.access.acl
 remark What is allowed access to the internet
 permit object-group admin.svc.obj object-group admin.net.obj any
 permit object-group guest.svc.obj object-group guest.net.obj any
 permit object-group user.svc.obj object-group user.net.obj any
!
!
!
!
!
!
!
!
!
control-plane
!
!
!
!
mgcp profile default
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
 length 512
 width 100
 stopbits 1
line aux 0
line vty 0 4
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 terminal-type exit
 length 0
 width 250
 transport input ssh
 transport output ssh
 escape-character 3
line vty 5 15
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 terminal-type exit
 length 0
 width 250
 transport input ssh
 transport output ssh
 escape-character 3
!
scheduler allocate 20000 1000
ntp source Loopback0
ntp master 3
ntp update-calendar
ntp server 150.203.1.10 prefer source Dialer0
ntp server 150.203.22.28 source Dialer0
end

R2851#

So how do I exit the wlan-ap0 service-module session ?

Hello Robert.

I refer you to Cisco’s documentation found at:http://www.cisco.com/en/US/docs/routers/access/800/880/software/configuration/guide/880_basic_device_wireless_config.html

Closing the Session
To close the session between the wireless device and the router’s console, follow these steps:

Wireless Device

  1. Control-Shift-6
    Router
  2. Type the disconnect command.
  3. Press Enter.

I hope this has been helpful.

Laz

Good morning Rene, which ip address assign GigabitEthernet0/0 for plug lan cable ?

thanks

Mario

Good morning Rene, it’s possible have access list for this problem ?
“Don’t forget to create an access-list to restrict traffic between the management and wireless VLANs. We seperated them but there’s nothing stopping the router from routing between the two vlans…”

Thanks very much

19 posts were merged into an existing topic: Cisco 1941W Wireless Configuration Example

Thanks for the great post.
Wondering if you know a way to wirelessly connect the AP to a cellphone’s hotspot, so that devices connected to the built-in swtich within 1941can access the internet through this path: Device --> built-in switch port --> 1941 router --> built-in AP --> Andriod/iPhone’s hotspot --> internet

Hello Naser

In order for you to use the mobile phone as a hotspot and have all users on the 1941 switch port connect to the internet, you must set up the 1941 router as a transparent bridge. This means that the router itself becomes a client in a sense and connects to the Android/iPhone mobile hotspot. In order to do this, you must define the role of the radio on the 1941. You can do this by using one of the following commands:

 interface dot11radio {0| 1}
  station-role
  non-root bridge
  exit

This will make the wireless interface function as a client to the mobile hotspot. This will also allow clients that connect to the 1941 router wirelessly to connect to the internet via the mobile hotspot.

In order to get wired clients on the 1941 connect to the internet via the mobile hotspot, it may be necessary to create a Bridged Virtual Interface (BVI) on the router to bind the wired and wireless connections together, however I’m not certain that the BVI can function simlutaneously with the bridge mode. You can find more information about it here.

I hope this has been helpful! Keep us updated on your progress…

Laz

Thanks Laz. I have tired the the non-root bridge config, but the AP didn’t connect my my cell phone’s hotsopt.
I got this message:

07:43:01.695: %DOT11-4-CANT_ASSOC: Interface Dot11Radio1, cannot associate: No Response

Hello Naser

This issue is usally one of a parameter mismatch. First, try removing all authentication on the mobile hotspot and attempt an open connection. Make sure the devices are close together to start off with. Also, you might find this Cisco document helpful concerning bridging the VLANs.

Keep us posted!

Laz

Good Afternoon,

I have over 20 years of networking experience, but am a complete beginner with Cisco.
One of our sister companies has a 1941W router and has asked if it can be reconfigured after relocating it to our location.
I have stepped through your example, and am at the point where I’m trying to connect to the AP GUI through the wifi.
The GUI answers with a request for a username and password,

http://11.11.11.11 is requesting your username and password. The site says: “level_15 or view_access”

none of the console level credentials seem to work. Is there a default set of credentials for the GUI?
NOTE: This is a stand-alone system, so will need to use internal security options only.

Any help appreciated.

Todd

Good Afternoon,
Please disregard the post above. IP HTTP Authentication was set to ‘Local’. Reset to ‘Enable’ and resolved the issue.

Best Regards,
Todd

Rene,
Thanks for the tutorial, I have been successful in configuring the 1941w, and have become fairly comfortable in making changes to the AP configuration (ssids, dhcp, etc). it is currently a mirror of what the tutorial sets up.

Now, I need to deploy the box, and my lack of experience with Cisco has caught up with me.

We are looking to connect a single non-VLAN switch to the 1941w and use it as a WiFi access point. While I can connect via the AP and ping the 10.1.10.254 gateway, I’m not sure what the next step would be to connect a simple non-VLAN network (172.16.0.0 / 24 / gateway 172.16.0.1).

I had assumed that the 1941 was routing the AP traffic to the GigE0/0 interface, but I’m missing something - probably obvious - and am stuck.

Any help is appreciated.

Best Regards,
Todd