This topic is to discuss the following lesson:
Nice explanation!!! Thank you!
I have a cisco 1941w router that we just bought and I am having a lot of problems trying to get it configured correctly. I went through your post until I got to the Access Point configuration part and it wouldn’t let me use “config t”. Any help would be much appreciated.
Did you use “enable” before trying to use “configure terminal” ? The access point is configured the same way as a router, switch or any other IOS device.
I own this router and I plan on setting it up for home use. Can I create a 3rd SSID for guests?
What I really want to do is create an SSID for my 2.4GHz (Home2G) and one for my 5GHz radio (Home5G). Then on the 2.4GHz, create a 3rd one for Home2GGuest.
Is this possible?
I guess I can do:
Ap(config)#interface dot11Radio 0
Ap(config-if)#description 2.4GHz Radio
Ap(config-if)#encryption mode ciphers aes-ccm
Ap(config-if)#ssid Home2G
Ap(config-if)#bridge-group 10
Ap(config-if)#no cdp enable
Ap(config)#interface dot11Radio 0
Ap(config-if)#description 2.4GHz Radio
Ap(config-if)#encryption mode ciphers aes-ccm
Ap(config-if)#ssid Home2GGuest
Ap(config-if)#bridge-group 10
Ap(config-if)#no cdp enable
But how do I prevent users on the Home2GGuest from accessing my LAN network?
One more question. I’m confused about the BVI interface and the Wireless Management interface (Console AP). How come we need two management interfaces for the AP?
If you want to separate home and guest users, you need to use VLANs and different subnets. I don’t have the 1941W with me here, but the configuration for two VLANs should look like this; I used VLAN70 and VLAN80:
dot11 ssid VLAN70
 authentication open
 guest-mode
 vlan 70
 exit
dot11 ssid VLAN80
 authentication open
 guest-mode
 vlan 80
 exit
These are the SSIDs for VLAN70 and VLAN80. Now we need to apply both of them to the radio that you want to use:
interface dot11radio0
 ssid VLAN70
 ssid VLAN80
 mbssid
the “mbssid” command tells the access point to use multiple SSIDs. We also have to create sub-interfaces on the radio and assign the VLANs there:
interface dot11radio0.70
 description VLAN70-USERS
 encapsulation dot1q 70
 bridge-group 70
interface dot11radio0.80
 description VLAN80-USERS
 encapsulation dot1q 80
 bridge-group 80
And we need to create additional sub-interfaces on the internal Gigabit link towards the router:
interface GigabitEthernet0.70
 description VLAN70-USERS
 encapsulation dot1Q 70
 no ip route-cache
 bridge-group 70
interface GigabitEthernet0.80
 description VLAN80-USERS
 encapsulation dot1Q 80
 no ip route-cache
 bridge-group 80
That’s what you have to do on the Access Point. On the router side you also have to create the BVI interfaces for VLAN 70 and 80. Also, don’t forget to create VLAN 70 + 80 on the router and configure a DHCP pool for each of them.
The “Console AP” is useful to get access to the CLI of the access point. The BVI interface however gives the access point an IP address and a way to get access to other devices behind the router. You can use this for remote management (telnet/ssh), monitoring (SNMP) or to talk to RADIUS servers (WPA2 Enterprise authentication).
Does that make sense?
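A complete version of the two-VLAN setup above, added here as an example; it is not part of Rene’s post or of the lesson this thread discusses. It puts home users in VLAN 70 and guests in VLAN 80, protects both SSIDs with WPA2-PSK instead of the open authentication used in the short version above, keeps the AP’s management address in the 10.1.10.0/24 subnet the lesson uses, and shows the router side: the trunk, the VLAN interfaces that become the default gateways, and one DHCP pool per VLAN. The SSID names, the passphrases, the 192.168.70.0/24 and 192.168.80.0/24 subnets, management VLAN 10 and the 8.8.8.8 DNS server are assumptions for illustration.

```text
! ===== Access point (autonomous IOS on the 1941W wireless module) =====
! Assumed: management VLAN 10 / 10.1.10.0/24, home users VLAN 70, guests VLAN 80.
dot11 ssid Home2G
 vlan 70
 authentication open
 authentication key-management wpa version 2
 wpa-psk ascii ChangeMe-HomePassphrase
 mbssid guest-mode
!
dot11 ssid Home2GGuest
 vlan 80
 authentication open
 authentication key-management wpa version 2
 wpa-psk ascii ChangeMe-GuestPassphrase
 mbssid guest-mode
!
interface Dot11Radio0
 encryption vlan 70 mode ciphers aes-ccm
 encryption vlan 80 mode ciphers aes-ccm
 ssid Home2G
 ssid Home2GGuest
 mbssid
 no cdp enable
 no shutdown
!
interface Dot11Radio0.70
 encapsulation dot1Q 70
 bridge-group 70
 bridge-group 70 spanning-disabled
!
interface Dot11Radio0.80
 encapsulation dot1Q 80
 bridge-group 80
 bridge-group 80 spanning-disabled
!
interface GigabitEthernet0.10
 encapsulation dot1Q 10
 no ip route-cache
 bridge-group 1
!
interface GigabitEthernet0.70
 encapsulation dot1Q 70
 no ip route-cache
 bridge-group 70
!
interface GigabitEthernet0.80
 encapsulation dot1Q 80
 no ip route-cache
 bridge-group 80
!
interface BVI1
 ip address 10.1.10.253 255.255.255.0
!
ip default-gateway 10.1.10.254

! ===== Router (ISR 1941W) =====
! Create VLANs 10, 70 and 80 first; depending on the IOS release this is
! "vlan <n>" in global configuration or the "vlan database" exec mode.
interface wlan-GigabitEthernet0/0
 switchport mode trunk
!
interface Vlan10
 description AP management
 ip address 10.1.10.254 255.255.255.0
!
interface Vlan70
 description Home users (default gateway for VLAN 70)
 ip address 192.168.70.1 255.255.255.0
 ip nat inside
!
interface Vlan80
 description Guest users (default gateway for VLAN 80)
 ip address 192.168.80.1 255.255.255.0
 ip nat inside
!
! "ip nat outside" and the NAT overload rule on the WAN interface are not shown.
ip dhcp excluded-address 192.168.70.1
ip dhcp excluded-address 192.168.80.1
ip dhcp pool HOME-VLAN70
 network 192.168.70.0 255.255.255.0
 default-router 192.168.70.1
 dns-server 8.8.8.8
ip dhcp pool GUEST-VLAN80
 network 192.168.80.0 255.255.255.0
 default-router 192.168.80.1
 dns-server 8.8.8.8
```

Two things to keep in mind with this layout. The AP only bridges frames, so the VLAN separation stops at the router: because the router routes between all three VLANs, guest users can still reach the home and management subnets until an access-list on the router’s Vlan80 interface says otherwise. And the passphrases here are placeholders; use long random ones, and give the guest SSID a different one from the home SSID so a shared guest passphrase never unlocks VLAN 70.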
This is helpful. So the BVI interfaces need to be created for VLAN70 and VLAN80 on the actual router and not the AP?
Hi Rene, excellent explanation, but I have a problem: after doing all the settings, all devices connected to the WiFi have no internet access. What may I be missing?
That’s right. The access point is just a L2 device while the router does L3. The BVI interfaces on the router are where you configure the IP address that will be the default gateway for the wifi users.
Make sure that:
a) the radio interfaces are configured for the correct VLAN (sub-interface)
b) the internal gigabit interface on the access point is configured for the VLANs.
c) you created the VLANs on the router.
d) the internal gigabit interface on the router to the access point allows the VLAN.
Check all those items and it probably solves the problem.
Love your site …
I have an expired CCNA cert… but what I learned about access-lists at that time (2008) does not help me figure out where to place the access-lists: on the AP or on the router?
And if i understand correctly we want to prevent wireless clients from accessing the management VLAN1 on the AP right ?
Further, when we create an access-list, can we specify that no access is allowed except for one authorized IP address from a still-to-be-decided subnet (for example)?
As a last question, why do you not specify the trunking protocol used on int wlan-ge0/0? Is it because ISL is not used anymore by Cisco? But then why do we still need to specify it on the sub-interfaces on the AP?:
Router(config)#interface wlan-gigabitEthernet 0/0
Router(config-if)#switchport mode trunk
Thanks in Advance for your reply!
Glad to hear you like it! The AP is just a layer 2 device, the router does all the routing for the wired and wireless subnets. That’s where you should place the access-list(s).
Typically you’ll want to use an access-list to prevent the wireless users from accessing the management subnet. You can also use it to restrict them from accessing other resources on the wired side if needed.
On newer Cisco devices ISL is often not supported anymore. I’m 99% sure that this router only uses 802.1Q.
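An access-list that does what the reply above describes, added here as an example and not taken from the post or the lesson: it keeps guest wireless users away from the management subnet and the home LAN while still allowing DHCP and internet access, and it is applied inbound on the router’s VLAN interface for the guest VLAN, since that is the first L3 hop the wireless traffic reaches. The addressing (10.1.10.0/24 management, 192.168.70.0/24 home, 192.168.80.0/24 guest with the router at 192.168.80.1), VLAN 80 as the guest VLAN and the single authorized host 192.168.80.10 are assumptions for illustration.

```text
! Assumed addressing: management 10.1.10.0/24, home users 192.168.70.0/24,
! guest users 192.168.80.0/24 with the router's Vlan80 address 192.168.80.1.
ip access-list extended GUEST-VLAN80-IN
 remark DHCP requests from guests to the router's DHCP server
 permit udp any eq bootpc any eq bootps
 remark Optional: one authorized guest host (assumed 192.168.80.10) may reach management
 permit ip host 192.168.80.10 10.1.10.0 0.0.0.255
 remark Guests may not reach the management subnet or the home LAN
 deny   ip 192.168.80.0 0.0.0.255 10.1.10.0 0.0.0.255
 deny   ip 192.168.80.0 0.0.0.255 192.168.70.0 0.0.0.255
 remark Everything else (internet through NAT) is allowed; implicit deny follows
 permit ip 192.168.80.0 0.0.0.255 any
!
interface Vlan80
 ip access-group GUEST-VLAN80-IN in
```

Order matters: the specific permit for the authorized host has to come before the deny for its subnet, and the DHCP permit has to come first because a client without an address sends from 0.0.0.0, which the final permit for 192.168.80.0/24 would not match. After applying it, connect a guest client, try to reach an address in 10.1.10.0/24 and in 192.168.70.0/24, and check that the deny counters increment with `show ip access-lists GUEST-VLAN80-IN`. Putting the same list on the AP would not help: the AP bridges the frames at layer 2 and never sees the routed traffic between VLANs.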
Thanks for the reply Rene , it is clear to me now.
Now we encounter a problem: we have configured the 1941W router like in your example but we cannot connect to the WLAN. We see the SSID, but no IP address is obtained.
Another question, I do not see in your config that you excluded the two ip addresses from the DHCP pool that are in use on WLAN-Gi0/0 and on the AP Gi0/0 interfaces: 10.1.10.254 and 10.1.10.253
Should we not also add this command ? :
ip dhcp excluded-address 10.1.10.253
ip dhcp excluded-address 10.1.10.254
Further, can we also place a DHCP pool on the AP with, for example, half of the IP addresses that are in the router pool, and also decrease the router pool so we have two pools from one subnet?
For example 10.1.10.0 - 10.1.10.119 and 10.1.10.120 - 10.1.10.250 ?
Thanks for the help.
I am confused, where do I apply the IP NAT Inside command for my wireless network?
In my example that would be the VLAN 10 interface of the router. That’s the L3 interface that the wireless users use as the default gateway.
Are you able to ping the default gateway if you configure a static IP on the wireless client? If not, maybe something “in between” the AP and router isn’t configured correctly. Check the dot11radio / GI0 interface on the AP and the wlan GI0 / VLAN interface on the router. It’s possible that your DHCP server is configured correctly but that something between the AP/router isn’t working.
Excluding those IP addresses is a good idea, technically it won’t matter much as the router does a check for duplicate IP addresses but it’s a good practice to exclude them.
You could make a smaller DHCP pool, no problem at all.
Sorry for the delay, but thanks for this reply; I was very busy lately.
So i followed this example and setup my router and ap. I also have a t1 module configured along with RIPv2.
From the router I can ping the internet, from the AP I cannot. From the AP I can ping the router and the T1 module, but the next hop is not reachable. It’s like the traffic from the AP is not going through the static default route for some reason. Any thoughts?