Cisco 1941W Wireless Configuration Example

Hi Rene, I hope you had a great holiday.

I have managed to get a wireless setup on my Cisco 2851 with an HWIC-AP that works and that doesn’t use BVIs, bridge-groups and actual VLANs. I am able to access the internet from any of the three SSIDs I have configured. I have not configured any actual VLANs on it; a sh vlan-switch command only shows the five default ones. The Dot11Radio0/3/0 and its subinterfaces are L3 Ethernet types with a native VLAN assigned to each. The dot11 ssids are then placed into a VLAN which binds them to the respective L3 interfaces.

As shown in your config above, I thought it a bit strange to have to bind everything to bridge-groups and BVIs on L3 interfaces on this router. Your config above is necessary for a standalone AP and router setup and routers such as the 877W, which only has switchports and requires BVIs.

I’ve included my config for the AP below and also the full config in case it is of use to others. It is still a work in progress, so it is a bit untidy and has loose ends. I thank you for your above config as it helped clarify how these things interact.

Cheers, Matt.

Config is in the attachment.

R2851#term length 0 
R2851#terminal monitor 
R2851#sh run 
Building configuration...


Current configuration : 8517 bytes
!
! Last configuration change at 17:07:08 Sydney Fri Apr 22 2016 by admin
! NVRAM config last updated at 17:07:10 Sydney Fri Apr 22 2016 by admin
version 15.1
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone year
service password-encryption
service internal
service sequence-numbers
!
hostname R2851
!
boot-start-marker
boot system flash c2800nm-adventerprisek9-mz.151-4.M10.bin
boot-end-marker
!
!
logging discriminator Test severity drops 4 facility drops ENVMON mnemonics drops FAN_LOW_RPM 
logging buffered discriminator Test 4096
logging console discriminator Test
logging monitor discriminator Test
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
aaa new-model
!
!
!
!
!
!
!
aaa session-id common
!
clock timezone Sydney 10 0
clock summer-time sydney date Oct 2 2016 2:00 Apr 2 2017 2:00
clock calendar-valid
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-1640221266
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1640221266
 revocation-check none
 rsakeypair TP-self-signed-1640221266
!
!
crypto pki certificate chain TP-self-signed-1640221266
 certificate self-signed 01
        quit
dot11 syslog
!
dot11 ssid admin.bde
 vlan 10
 authentication open 
 authentication key-management wpa
 mbssid guest-mode
 wpa-psk ascii 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
dot11 ssid guest.bde
 vlan 20
 authentication open 
 authentication key-management wpa
 mbssid guest-mode
 wpa-psk ascii 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
dot11 ssid user.bde
 vlan 30
 authentication open 
 authentication key-management wpa
 mbssid guest-mode
 wpa-psk ascii 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
no ip source-route
!
!
ip cef
!
ip dhcp excluded-address 10.1.1.1 10.1.1.230
ip dhcp excluded-address 20.1.1.1 20.1.1.230
ip dhcp excluded-address 30.1.1.1 30.1.1.230
!
ip dhcp pool 10.admin.bde
 import all
 network 10.1.1.0 255.255.255.0
 domain-name admin.bde.local
 default-router 10.1.1.1 
 dns-server 103.26.62.218 8.8.8.8 
 option 42 ip 2.8.5.1 
 lease 7
!
ip dhcp pool 20.guest.bde
 import all
 network 20.1.1.0 255.255.255.0
 domain-name guest.bde.local
 default-router 20.1.1.1 
 dns-server 103.26.62.218 8.8.8.8 
 option 42 ip 2.8.5.1 
 lease 7
!
ip dhcp pool 30.user.bde
 import all
 network 30.1.1.0 255.255.255.0
 domain-name user.bde.local
 default-router 30.1.1.1 
 dns-server 103.26.62.218 8.8.8.8 
 option 42 ip 2.8.5.1 
 lease 7
!
!
ip domain name bde.local
ip name-server 103.26.62.218
ip name-server 8.8.8.8
ip inspect WAAS flush-timeout 10
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
voice-card 0
!
!
!
license udi pid CISCO2851 sn FHK1248F30L
object-group network admin.net.obj 
 description Admin IP Addresses
 range 10.1.1.1 10.1.1.254
 range 192.168.1.50 192.168.1.254
!
object-group service admin.svc.obj 
 description Admin Services
 ip
!
object-group network guest.net.obj 
 description Guest IP Addresses
 range 20.1.1.50 20.1.1.254
!
object-group service guest.svc.obj 
 description Guest Services
 tcp eq 443
 tcp eq pop3
 tcp eq www
 udp eq domain
 tcp eq 67
 tcp eq 143
 tcp eq 993
 tcp eq 995
 tcp eq smtp
!
object-group network user.net.obj 
 description User IP Addresses
 range 30.1.1.50 30.1.1.254
!
object-group service user.svc.obj 
 description User Services
 tcp
 udp
 icmp
!
username admin privilege 15 view root password 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
redundancy
!
!
zone security inside
zone security outside
zone security guest
! 
!
!
bridge irb
!
!
!
!
!
interface Loopback0
 ip address 2.8.5.1 255.255.255.255
!
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex full
 speed 1000
!
interface GigabitEthernet0/1
 ip address 10.1.1.1 255.255.255.0
 duplex full
 speed 1000
!
interface ATM0/2/0
 no ip address
 no atm ilmi-keepalive
 dsl noise-margin -2
 dsl bitswap both
!
interface ATM0/2/0.1 point-to-point
 pvc 8/35 
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface Dot11Radio0/3/0
 no ip address
 !
 encryption vlan 10 mode ciphers aes-ccm tkip 
 !
 encryption vlan 20 mode ciphers aes-ccm tkip 
 !
 encryption vlan 30 mode ciphers aes-ccm tkip 
 !
 ssid admin.bde
 !
 ssid guest.bde
 !
 ssid user.bde
 !
 mbssid
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Dot11Radio0/3/0.10
 description admin.bde.subint
 encapsulation dot1Q 10
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 no cdp enable
!
interface Dot11Radio0/3/0.20
 description guest.bde.subint
 encapsulation dot1Q 20
 ip address 20.1.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 no cdp enable
!
interface Dot11Radio0/3/0.30
 description users.bde.subint
 encapsulation dot1Q 30
 ip address 30.1.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 no cdp enable
!
interface FastEthernet0/1/0
 switchport access vlan 10
 switchport mode trunk
 no ip address
 duplex full
 speed 100
!
interface FastEthernet0/1/1
 no ip address
 duplex full
 speed 100
!
interface FastEthernet0/1/2
 no ip address
 duplex full
 speed 100
!
interface FastEthernet0/1/3
 no ip address
 duplex full
 speed 100
!
interface FastEthernet0/1/4
 no ip address
 duplex full
 speed 100
!
interface FastEthernet0/1/5
 no ip address
 duplex full
 speed 100
!
interface FastEthernet0/1/6
 no ip address
 duplex full
 speed 100
!
interface FastEthernet0/1/7
 no ip address
 duplex full
 speed 100
!
interface FastEthernet0/1/8
 no ip address
 duplex full
 speed 100
!
interface Vlan1
 no ip address
!
interface Dialer0
 ip address 10.10.10.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 ppp chap password 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 no cdp enable
!
ip forward-protocol nd
ip http server
ip http secure-server
!
!
ip nat inside source list wan.access.acl interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0 permanent
!
ip access-list extended wan.access.acl
 remark What is allowed access to the internet
 permit object-group admin.svc.obj object-group admin.net.obj any
 permit object-group guest.svc.obj object-group guest.net.obj any
 permit object-group user.svc.obj object-group user.net.obj any
!
!
!
!
!
!
!
!
!
control-plane
!
!
!
!
mgcp profile default
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
 length 512
 width 100
 stopbits 1
line aux 0
line vty 0 4
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 terminal-type exit
 length 0
 width 250
 transport input ssh
 transport output ssh
 escape-character 3
line vty 5 15
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 terminal-type exit
 length 0
 width 250
 transport input ssh
 transport output ssh
 escape-character 3
!
scheduler allocate 20000 1000
ntp source Loopback0
ntp master 3
ntp update-calendar
ntp server 150.203.1.10 prefer source Dialer0
ntp server 150.203.22.28 source Dialer0
end

R2851#
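
As an added example (not part of Matt's post or his attached config): a short Python check that reads an IOS configuration and reports, for each SSID, the VLAN it names, the dot1Q subinterface and subnet that VLAN lands on, and the ciphers enabled for it. The function names and the trimmed sample are constructed here; a value of None means the SSID's VLAN has no matching subinterface or encryption line.

```python
import ipaddress
import re

# Constructed sample: SSID, radio and subinterface lines trimmed from the post above.
SAMPLE = """\
dot11 ssid admin.bde
 vlan 10
dot11 ssid guest.bde
 vlan 20
interface Dot11Radio0/3/0
 encryption vlan 10 mode ciphers aes-ccm tkip
 encryption vlan 20 mode ciphers aes-ccm tkip
interface Dot11Radio0/3/0.10
 encapsulation dot1Q 10
 ip address 10.1.1.1 255.255.255.0
interface Dot11Radio0/3/0.20
 encapsulation dot1Q 20
 ip address 20.1.1.1 255.255.255.0
"""

def blocks(config):
    """Group IOS lines into (top-level command, [indented child lines])."""
    out = []
    for line in config.splitlines():
        if line.startswith(" ") and out:
            out[-1][1].append(line.strip())
        elif line.strip() not in ("", "!"):
            out.append((line.strip(), []))
    return out

def ssid_bindings(config):
    """Map each SSID to its VLAN, the dot1Q subinterface carrying it, subnet and ciphers."""
    ssids, subifs, ciphers = {}, {}, {}
    for head, kids in blocks(config):
        body = "\n".join(kids)
        if head.startswith("dot11 ssid "):
            m = re.search(r"^vlan (\d+)$", body, re.M)
            ssids[head.split()[2]] = int(m.group(1)) if m else None
        elif head.startswith("interface Dot11Radio"):
            for vlan, names in re.findall(r"^encryption vlan (\d+) mode ciphers (.+)$", body, re.M):
                ciphers[int(vlan)] = names.split()
            tag = re.search(r"^encapsulation dot1Q (\d+)", body, re.M)
            ip = re.search(r"^ip address (\S+) (\S+)$", body, re.M)
            if tag:
                net = ipaddress.ip_interface("/".join(ip.groups())).network if ip else None
                subifs[int(tag.group(1))] = (head.split()[1], net)
    return {name: {"vlan": vlan, "subif": subifs.get(vlan, (None, None))[0],
                   "network": subifs.get(vlan, (None, None))[1],
                   "ciphers": ciphers.get(vlan)} for name, vlan in ssids.items()}
```

Running `ssid_bindings` over a saved `sh run` gives a quick per-SSID view of which subnet and cipher list each wireless network actually ends up with.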