Cisco 1941W Wireless Configuration Example

Hi Joseph,

When you can ping the router from the AP then its default gateway is working. Since you are unable to ping the Internet, it’s probably your NAT configuration.

Did you configure NAT and if so, did you include the subnet of the access point?

Here’s an example:

https://networklessons.com/network-services/how-to-configure-pat-on-cisco-ios-router/

Just imagine that one of the hosts is your AP.

Rene

Thanks a lot for your help Rene
I would just add the last configuration for those like me who never used a Cisco router before

Ap(config)#interface dot11Radio 0
Ap(config-if)#no shutdown

Ap(config)#interface dot11Radio 1
Ap(config-if)#no shutdown

so the Ap can broadcast the SSID

Regards :smiley:
Ivan


Rene, I have a Cisco 2851 with an HWIC-AP installed. Since the AP is inside the router itself, any subinterface IP addresses assigned to the SSIDs would automatically appear in its routing table. Is there a need for VLANS to be configured? Are BVIs necessary in this situation? How would the configuration look to reflect this? Matt.

Hi Matt,

I’m not sure if the 2851 works similarly to the 1941 when it comes to the AP but let’s assume it is similar. The only reason to use VLANs is if you want to separate your Wifi traffic. For example, let’s say you have a “guest” SSID and a “corporate” SSID. You probably want to use two different VLANs for this. The BVIs are used on the 1941 to bridge the radio + internal Ethernet connection together.

I’m on a holiday for a few days now but if you want to see the config, let me know and I’ll look it up when I get back ok?

Rene

I’d love to see your config when you get a chance to post it. I suppose I am having trouble getting my head around the need for VLANS. I understand that VLANs separate the broadcast traffic into sub-domains and therefore isolate traffic as routers do not forward broadcast frames.

My understanding so far is:

  1. The bridge-groups in the radio sub-interfaces tie these interfaces to the BVIs that are created.

  2. So then the “encapsulation dot1Q xx native” command in the sub-interface then ties the SSIDs (which have the vlan command) to the respective sub-interface and BVI. Is this correct?

  3. So technically a bridge-group = VLAN in this context with the BVI getting the IP address instead of the VLAN. Am I correct in assuming this?

It just seems like a very complicated way to do something that should be quite simple.

I’ve included my config for the wireless side that seems to work. I can access the internet and ping the other subnets on the router. One last question, where is it best practice to put the “ip nat inside” command, on the BVIs or on the radio sub-interfaces?

Have a great holiday.

Matt.

!
dot11 ssid admin
 vlan 10
 authentication open 
 authentication key-management wpa
 mbssid guest-mode
 wpa-psk ascii 7 xxxxxxxxxxxxxxxxxxxxx
!
dot11 ssid guest
 vlan 20
 authentication open 
 authentication key-management wpa
 mbssid guest-mode
 wpa-psk ascii 7 xxxxxxxxxxxxxxxxxxxxx
!
dot11 ssid user
 vlan 30
 authentication open 
 authentication key-management wpa
 mbssid guest-mode
 wpa-psk ascii 7 xxxxxxxxxxxxxxxxxxxxx
!
bridge irb
!
!
interface Loopback0
 ip address 2.8.5.1 255.255.255.255
!
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex full
 speed 1000
!
!
interface Dot11Radio0/3/0
 no ip address
 !
 encryption vlan 10 mode ciphers aes-ccm tkip 
 !
 encryption vlan 20 mode ciphers aes-ccm tkip 
 !
 encryption vlan 30 mode ciphers aes-ccm tkip 
 !
 ssid admin
 !
 ssid guest
 !
 ssid user
 !
 mbssid
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
!
interface Dot11Radio0/3/0.10
 description admin.subint
 encapsulation dot1Q 10
 bridge-group 10
 bridge-group 10 subscriber-loop-control
 bridge-group 10 spanning-disabled
 bridge-group 10 block-unknown-source
 no bridge-group 10 source-learning
 no bridge-group 10 unicast-flooding
!
interface Dot11Radio0/3/0.20
 description guest.subint
 encapsulation dot1Q 20
 ip nat inside
 ip virtual-reassembly in
 bridge-group 20
 bridge-group 20 subscriber-loop-control
 bridge-group 20 spanning-disabled
 bridge-group 20 block-unknown-source
 no bridge-group 20 source-learning
 no bridge-group 20 unicast-flooding
!
interface Dot11Radio0/3/0.30
 description user.subint
 encapsulation dot1Q 30 native
 bridge-group 30
 bridge-group 30 subscriber-loop-control
 bridge-group 30 spanning-disabled
 bridge-group 30 block-unknown-source
 no bridge-group 30 source-learning
 no bridge-group 30 unicast-flooding
!
!
interface BVI10
 description admin.bvi
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface BVI20
 description guest.bvi
 ip address 20.1.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface BVI30
 description user.bvi
 ip address 30.1.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
!
bridge 10 protocol ieee
bridge 10 route ip
bridge 20 protocol ieee
bridge 20 route ip
bridge 30 protocol ieee
bridge 30 route ip
!
!
!

Hi Matt,

Take a look at my 1941 example:

https://networklessons.com/wireless/cisco-1941w-wireless-configuration-example/

Does your 2851 work the same? Do you have to use the console on the router to switch to the AP? The AP is integrated in the router but in reality, these are two separate devices that are connected with an internal gigabit link.

In my 1941, the router uses the wlan-GI0/0 and the AP uses its Gi0/0 interface. This is a L2 interface…it’s the same thing as connecting a router to a switch.

We use VLANs so that you can separate traffic. In your example, you have BVI10, 20 and 30 with a different SSID each. You could attach an ACL to each VLAN so that your guest users can only access the Internet, admins can do anything, etc. If you don’t care about this then you can just create one SSID and one VLAN.

  1. The bridge-group ties two interfaces together…correct. Normally on a switch, all interfaces in the same VLAN can communicate with each other. It’s easier to understand the bridge group when you think of a router…you can bridge two L3 interfaces on a router and then it will become one “L2 domain”. We do the same thing on the AP…we bridge the radio + gigabit interface together.

  2. Encapsulation dot1q is configuring trunking. The interface will add a VLAN tag for all frames it sends. You have them on the radio interface which is not needed, unless you want to send tagged frames to the wireless client :slight_smile: You need this on the internal interface towards the router…take a look at my 1941 example. It has this command on the AP so that it sends tagged frames to the router. Otherwise the router has no way to know to which VLAN the frames belong.

  3. The bridge group “bridges” two interfaces together. You can use this on a router to bridge two L3 interfaces together so it becomes a single L2 domain or you can use it to bridge two different kinds of interfaces. For example, the radio interface uses 802.11 Ethernet frames and the Gigabit interface uses regular Ethernet frames. The bridge group allows us to get IP packets from one type of interface to another.

You should probably put the NAT commands on the VLAN interfaces of the router (interface vlan). These are L3 interfaces that the router can use for everything. The BVI interfaces can probably only be used for simple stuff like telnetting/ssh’ing to the AP.

These routers with an internal AP are pretty complex to configure. It is a lot easier when you only have a radio interface on the router. The 1941 (and I think your 2851 as well) are two separate boxes in one device. You can create pretty complex configurations with multiple SSIDs, authentication types, access-lists and everything.

Rene

Hi Rene, I hope you had a great holiday. I have managed to get a wireless setup on my Cisco 2851 with an HWIC-AP that works that doesn’t use BVIs, bridge-groups and actual VLANS. I am able to access the internet from any of the three SSIDs I have configured. I have not configured any actual VLANs on it, a sh vlan-switch command only shows the five default ones. The Dot11Radio0/3/0 and its subinterfaces are L3 ethernet types with a native VLAN assigned to each. The dot11 ssids are then placed into a VLAN which binds them to the respective L3 interfaces. As shown in your config above, I thought it a bit strange to have to bind everything to bridge-groups and BVIs on L3 interfaces on this router. Your config above is necessary for a standalone AP and router setup and routers such as the 877W which only has switchports and requires BVIs. I’ve included my config for the AP below and also the full config in case it is of use to others. It is still a work in progress so is a bit untidy and has loose ends. I thank you for your above config as it helped clarify how these things interact. Cheers, Matt.

Config is in the attachment.

R2851#term length 0 
R2851#terminal monitor 
R2851#sh run 
Building configuration...


Current configuration : 8517 bytes
!
! Last configuration change at 17:07:08 Sydney Fri Apr 22 2016 by admin
! NVRAM config last updated at 17:07:10 Sydney Fri Apr 22 2016 by admin
! NVRAM config last updated at 17:07:10 Sydney Fri Apr 22 2016 by admin
version 15.1
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone year
service password-encryption
service internal
service sequence-numbers
!
hostname R2851
!
boot-start-marker
boot system flash c2800nm-adventerprisek9-mz.151-4.M10.bin
boot-end-marker
!
!
logging discriminator Test severity drops 4 facility drops ENVMON mnemonics drops FAN_LOW_RPM 
logging buffered discriminator Test 4096
logging console discriminator Test
logging monitor discriminator Test
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
aaa new-model
!
!
!
!
!
!
!
aaa session-id common
!
clock timezone Sydney 10 0
clock summer-time sydney date Oct 2 2016 2:00 Apr 2 2017 2:00
clock calendar-valid
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-1640221266
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1640221266
 revocation-check none
 rsakeypair TP-self-signed-1640221266
!
!
crypto pki certificate chain TP-self-signed-1640221266
 certificate self-signed 01
        quit
dot11 syslog
!
dot11 ssid admin.bde
 vlan 10
 authentication open 
 authentication key-management wpa
 mbssid guest-mode
 wpa-psk ascii 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
dot11 ssid guest.bde
 vlan 20
 authentication open 
 authentication key-management wpa
 mbssid guest-mode
 wpa-psk ascii 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
dot11 ssid user.bde
 vlan 30
 authentication open 
 authentication key-management wpa
 mbssid guest-mode
 wpa-psk ascii 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
no ip source-route
!
!
ip cef
!
ip dhcp excluded-address 10.1.1.1 10.1.1.230
ip dhcp excluded-address 20.1.1.1 20.1.1.230
ip dhcp excluded-address 30.1.1.1 30.1.1.230
!
ip dhcp pool 10.admin.bde
 import all
 network 10.1.1.0 255.255.255.0
 domain-name admin.bde.local
 default-router 10.1.1.1 
 dns-server 103.26.62.218 8.8.8.8 
 option 42 ip 2.8.5.1 
 lease 7
!
ip dhcp pool 20.guest.bde
 import all
 network 20.1.1.0 255.255.255.0
 domain-name guest.bde.local
 default-router 20.1.1.1 
 dns-server 103.26.62.218 8.8.8.8 
 option 42 ip 2.8.5.1 
 lease 7
!
ip dhcp pool 30.user.bde
 import all
 network 30.1.1.0 255.255.255.0
 domain-name user.bde.local
 default-router 30.1.1.1 
 dns-server 103.26.62.218 8.8.8.8 
 option 42 ip 2.8.5.1 
 lease 7
!
!
ip domain name bde.local
ip name-server 103.26.62.218
ip name-server 8.8.8.8
ip inspect WAAS flush-timeout 10
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
voice-card 0
!
!
!
license udi pid CISCO2851 sn FHK1248F30L
object-group network admin.net.obj 
 description Admin IP Addresses
 range 10.1.1.1 10.1.1.254
 range 192.168.1.50 192.168.1.254
!
object-group service admin.svc.obj 
 description Admin Services
 ip
!
object-group network guest.net.obj 
 description Guest IP Addresses
 range 20.1.1.50 20.1.1.254
!
object-group service guest.svc.obj 
 description Guest Services
 tcp eq 443
 tcp eq pop3
 tcp eq www
 udp eq domain
 tcp eq 67
 tcp eq 143
 tcp eq 993
 tcp eq 995
 tcp eq smtp
!
object-group network user.net.obj 
 description User IP Addresses
 range 30.1.1.50 30.1.1.254
!
object-group service user.svc.obj 
 description User Services
 tcp
 udp
 icmp
!
username admin privilege 15 view root password 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
redundancy
!
!
zone security inside
zone security outside
zone security guest
! 
!
!
bridge irb
!
!
!
!
!
interface Loopback0
 ip address 2.8.5.1 255.255.255.255
!
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex full
 speed 1000
!
interface GigabitEthernet0/1
 ip address 10.1.1.1 255.255.255.0
 duplex full
 speed 1000
!
interface ATM0/2/0
 no ip address
 no atm ilmi-keepalive
 dsl noise-margin -2
 dsl bitswap both
!
interface ATM0/2/0.1 point-to-point
 pvc 8/35 
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface Dot11Radio0/3/0
 no ip address
 !
 encryption vlan 10 mode ciphers aes-ccm tkip 
 !
 encryption vlan 20 mode ciphers aes-ccm tkip 
 !
 encryption vlan 30 mode ciphers aes-ccm tkip 
 !
 ssid admin.bde
 !
 ssid guest.bde
 !
 ssid user.bde
 !
 mbssid
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Dot11Radio0/3/0.10
 description admin.bde.subint
 encapsulation dot1Q 10
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 no cdp enable
!
interface Dot11Radio0/3/0.20
 description guest.bde.subint
 encapsulation dot1Q 20
 ip address 20.1.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 no cdp enable
!
interface Dot11Radio0/3/0.30
 description users.bde.subint
 encapsulation dot1Q 30
 ip address 30.1.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 no cdp enable
!
interface FastEthernet0/1/0
 switchport access vlan 10
 switchport mode trunk
 no ip address
 duplex full
 speed 100
!
interface FastEthernet0/1/1
 no ip address
 duplex full
 speed 100
!
interface FastEthernet0/1/2
 no ip address
 duplex full
 speed 100
!
interface FastEthernet0/1/3
 no ip address
 duplex full
 speed 100
!
interface FastEthernet0/1/4
 no ip address
 duplex full
 speed 100
!
interface FastEthernet0/1/5
 no ip address
 duplex full
 speed 100
!
interface FastEthernet0/1/6
 no ip address
 duplex full
 speed 100
!
interface FastEthernet0/1/7
 no ip address
 duplex full
 speed 100
!
interface FastEthernet0/1/8
 no ip address
 duplex full
 speed 100
!
interface Vlan1
 no ip address
!
interface Dialer0
 ip address 10.10.10.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 ppp chap password 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 no cdp enable
!
ip forward-protocol nd
ip http server
ip http secure-server
!
!
ip nat inside source list wan.access.acl interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0 permanent
!
ip access-list extended wan.access.acl
 remark What is allowed access to the internet
 permit object-group admin.svc.obj object-group admin.net.obj any
 permit object-group guest.svc.obj object-group guest.net.obj any
 permit object-group user.svc.obj object-group user.net.obj any
!
!
!
!
!
!
!
!
!
control-plane
!
!
!
!
mgcp profile default
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
 length 512
 width 100
 stopbits 1
line aux 0
line vty 0 4
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 terminal-type exit
 length 0
 width 250
 transport input ssh
 transport output ssh
 escape-character 3
line vty 5 15
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 terminal-type exit
 length 0
 width 250
 transport input ssh
 transport output ssh
 escape-character 3
!
scheduler allocate 20000 1000
ntp source Loopback0
ntp master 3
ntp update-calendar
ntp server 150.203.1.10 prefer source Dialer0
ntp server 150.203.22.28 source Dialer0
end

R2851#

So how do I exit the wlan-ap0 service-module session ?

Hello Robert.

I refer you to Cisco’s documentation found at: http://www.cisco.com/en/US/docs/routers/access/800/880/software/configuration/guide/880_basic_device_wireless_config.html

Closing the Session
To close the session between the wireless device and the router’s console, follow these steps:

Wireless Device

  1. Control-Shift-6

Router

  2. Type the disconnect command.
  3. Press Enter.

I hope this has been helpful.

Laz

Good morning Rene, which IP address should I assign to GigabitEthernet0/0 to plug in a LAN cable?

thanks

Mario

Good morning Rene, is it possible to have an access list for this problem?
“Don’t forget to create an access-list to restrict traffic between the management and wireless VLANs. We separated them but there’s nothing stopping the router from routing between the two VLANs…”

Thanks very much
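
Added example, not part of any post in this thread: one way to write the access list asked about here, following Rene's earlier point that an ACL per VLAN can keep guest users to Internet-only access. It assumes the subnets and the routed guest sub-interface from Matt's posted 2851 configuration; the ACL name guest.isolate.acl is hypothetical.

```cisco
! Constructed example: guest SSID (VLAN 20, 20.1.1.0/24) gets Internet access only.
! Subnets are taken from Matt's 2851 config: admin 10.1.1.0/24, user 30.1.1.0/24,
! wired LAN 192.168.1.0/24. The ACL name is hypothetical.
ip access-list extended guest.isolate.acl
 remark Allow DHCP requests from guest clients to the router's DHCP server
 permit udp any eq bootpc any eq bootps
 remark Block SSH to the router's guest-side address
 deny   tcp 20.1.1.0 0.0.0.255 host 20.1.1.1 eq 22
 remark Block guest traffic to the admin, user and wired subnets
 deny   ip 20.1.1.0 0.0.0.255 10.1.1.0 0.0.0.255
 deny   ip 20.1.1.0 0.0.0.255 30.1.1.0 0.0.0.255
 deny   ip 20.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
 remark Everything else from the guest subnet may go out
 permit ip 20.1.1.0 0.0.0.255 any
!
! Apply inbound on the L3 interface that terminates the guest VLAN.
interface Dot11Radio0/3/0.20
 ip access-group guest.isolate.acl in
!
```

An inbound ACL is evaluated before NAT, so the entries match the clients' inside addresses. Where the guest VLAN terminates on a BVI or VLAN interface instead, the same `ip access-group` line goes on that interface.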


Thanks for the great post.
Wondering if you know a way to wirelessly connect the AP to a cellphone’s hotspot, so that devices connected to the built-in switch within the 1941 can access the internet through this path: Device --> built-in switch port --> 1941 router --> built-in AP --> Android/iPhone’s hotspot --> internet

Hello Naser

In order for you to use the mobile phone as a hotspot and have all users on the 1941 switch port connect to the internet, you must set up the 1941 router as a transparent bridge. This means that the router itself becomes a client in a sense and connects to the Android/iPhone mobile hotspot. In order to do this, you must define the role of the radio on the 1941. You can do this by using one of the following commands:

 interface dot11radio {0 | 1}
  station-role non-root bridge
  exit

This will make the wireless interface function as a client to the mobile hotspot. This will also allow clients that connect to the 1941 router wirelessly to connect to the internet via the mobile hotspot.

In order to get wired clients on the 1941 to connect to the internet via the mobile hotspot, it may be necessary to create a Bridged Virtual Interface (BVI) on the router to bind the wired and wireless connections together, however I’m not certain that the BVI can function simultaneously with the bridge mode. You can find more information about it here.

I hope this has been helpful! Keep us updated on your progress…

Laz

Thanks Laz. I have tried the non-root bridge config, but the AP didn’t connect to my cell phone’s hotspot.
I got this message:

07:43:01.695: %DOT11-4-CANT_ASSOC: Interface Dot11Radio1, cannot associate: No Response

Hello Naser

This issue is usually one of a parameter mismatch. First, try removing all authentication on the mobile hotspot and attempt an open connection. Make sure the devices are close together to start off with. Also, you might find this Cisco document helpful concerning bridging the VLANs.

Keep us posted!

Laz

Good Afternoon,

I have over 20 years of networking experience, but am a complete beginner with Cisco.
One of our sister companies has a 1941W router and has asked if it can be reconfigured after relocating it to our location.
I have stepped through your example, and am at the point where I’m trying to connect to the AP GUI through the wifi.
The GUI answers with a request for a username and password,

http://11.11.11.11 is requesting your username and password. The site says: “level_15 or view_access”

none of the console level credentials seem to work. Is there a default set of credentials for the GUI?
NOTE: This is a stand-alone system, so will need to use internal security options only.

Any help appreciated.

Todd

Good Afternoon,
Please disregard the post above. IP HTTP Authentication was set to ‘Local’. Reset to ‘Enable’ and resolved the issue.

Best Regards,
Todd

Rene,
Thanks for the tutorial, I have been successful in configuring the 1941w, and have become fairly comfortable in making changes to the AP configuration (ssids, dhcp, etc). It is currently a mirror of what the tutorial sets up.

Now, I need to deploy the box, and my lack of experience with Cisco has caught up with me.

We are looking to connect a single non-VLAN switch to the 1941w and use it as a WiFi access point. While I can connect via the AP and ping the 10.1.10.254 gateway, I’m not sure what the next step would be to connect a simple non-VLAN network (172.16.0.0 / 24 / gateway 172.16.0.1).

I had assumed that the 1941 was routing the AP traffic to the GigE0/0 interface, but I’m missing something - probably obvious - and am stuck.

Any help is appreciated.

Best Regards,
Todd

Hi Todd,

The 1941 is a tricky box to start with :slight_smile:

The VLAN interfaces + WLAN GI0/0 of the router and the BVI interface of the AP are on the same L2 segment. Traffic from the 1941 to the AP is switched, not routed. The VLAN interface of the 1941 is a L3 interface on which you can configure an IP address.

You can connect your switch to another interface of the 1941, let’s say Gi0/2. The only thing you have to do is to configure your 172.16.0.1/24 address on it. If you now look in the routing table of the 1941, you will find an entry for 172.16.0.0/24 on Gi0/2 and 10.1.10.0/24 on the VLAN 10 interface.

The 1941 will route between these two subnets so if you set your default gateway for the wireless users and wired users, they should be able to reach each other. You can also test this by pinging 172.16.0.1 from a wireless user or 10.1.10.254 from a wired user.

Btw, it is also possible to use the same 10.1.1.0/24 for the wired and wireless users. If you want this, don’t add an IP address on the Gi0/2 interface but add the bridge-group 10 command there.

I don’t recommend this, if you use a different subnet for wired and wireless then you can use access-lists to filter traffic between wired/wireless if needed.

Hope this helps!