Cisco: 897VAW Running Config – Wireless AP

On the newer Cisco ISR / SOHO routers, Cisco have moved the WiFi capability to a separate module (Access Point (AP)) that runs its own IOS image. The router and the AP have to talk to each other through the integrated “Wlan-GigabitEthernet8” interface.

If you are new to this concept, it takes a little working out to actually connect to the AP module. The default enable password is “Cisco” (without quotes). To exit the AP console and return to the router, press CTRL+Shift+6 then x; once back at the router prompt, type disconnect to close the session. Most of the info can be found here.

Rather than me trying to explain it, aryoba describes it far better on my new favourite website here, towards the bottom of the page, and is quoted below:

Cisco Wireless Router New Product Lines

1. 881-W model

The 881-W introduces a concept where there is an integrated AP running a dedicated IOS image file, separate from the router’s IOS image file. In this sample configuration, the integrated AP runs the ap801-k9w7-mx.124-25d.JA1 IOS image while the router runs the c880data-universalk9-mz.150-1.M8.bin IOS image.

Since the 881-W model supports wireless N, the Ethernet port now takes the form of Gigabit Ethernet instead of Fast Ethernet. These Gigabit Ethernet ports show in both the AP configuration and the router configuration, where a GigabitEthernet0 interface resides in the AP and a Wlan-GigabitEthernet0 interface resides in the router. The two Gigabit Ethernet ports are internally interconnected, similar to a setup where an external AP 1200’s Fast Ethernet port is connected by a physical Ethernet cable to an 871 non-wireless router’s Fast Ethernet port.

Such internal interconnectivity between the two Gigabit Ethernet ports can be seen as a regular switch access or trunk port. As with a regular switch port, by default both Gigabit Ethernet ports are set as access ports passing only the default VLAN, which is VLAN 1. Should you plan to create multiple SSIDs over the same dot11radio interface, then the Gigabit Ethernet ports must be set as trunk ports.

As the AP runs its own IOS image, I have listed the AP config separately from the associated router config, which can be found in my post here.

I aim to have guest WiFi on VLAN30 and “trusted” WiFi on VLAN40. As of 03/07/2014, I have only attempted to configure VLAN40 so far, but I cannot get the AP to communicate with the router. I will update this config when I find the issue.

Update

I can now communicate with the VLANs on the router from the AP. Now I am trying to work out where to put the ip helper-address so that VLAN40 gets a DHCP-assigned IP.

Update 2

It’s mostly working now, although I am not sure I can test Dot11Radio1, as I don’t seem to have a 5 GHz device. I still need to set up a local DHCP server for the guest WiFi.

There were two main issues:

  1. I had dot11 vlan-name CoreWiFi vlan 40 rather than dot11 vlan-name vlan40 vlan 40. It uses this to ensure the correct VLAN mapping.
  2. I had encapsulation dot1Q 40 native rather than encapsulation dot1Q 40 on Dot11Radio1.40. If you remove native using the CLI, it moves bridge-group 1 from the subinterface to the interface (from Do1.40 to Do1). You have to set another bridge-group (e.g. bridge-group 5) on Do1, then set bridge-group 1 on Do1.40, and then you can remove bridge-group 5 from Do1. It’s explained better in the comments for an Aironet access point here.

Do = Dot11Radio (shorthand).

I worked through the example given here to produce the following config:

[code]
C897-AP#sh run
Building configuration...

Current configuration : 5125 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec localtime show-timezone year
service timestamps log datetime msec localtime show-timezone year
service password-encryption
!
hostname C897-AP
!
logging rate-limit console 9
!
no aaa new-model
ip domain name myinternaldomain.com
!
!
dot11 syslog
dot11 vlan-name vlan30 vlan 30
dot11 vlan-name vlan40 vlan 40
!
dot11 ssid GUEST
vlan 30
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii 7 0215003648850A7C
!
dot11 ssid PRIVATE
vlan 40
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii 7 0215003648850A7C
!
!
crypto pki trustpoint TP-self-signed-2615761306
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2615761306
revocation-check none
rsakeypair TP-self-signed-2615761306
!
!
crypto pki certificate chain TP-self-signed-2615761306
certificate self-signed 01
3082023F 308201A8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 32363135 37363133 3036301E 170D3032 30333139 31303138
34355A17 0D323030 210E872A 30303030 305A3031 312F302D 06035504 03132649
AE609FD0 7CCFE607 5656C2B7 AFA8118C 300D0609 2A864886 F70D0101 04050003
81810083 248B1668 2C2059A4 D2B2DCE9 19DE8ADF EBD4DB02 633C3EB3 DF3A637C
56BEA854 6CF1511B DAE67DC4 B788F62C D691DF60 2BFD7B5E 6AE5FC8D FFEA4273
C78BFCBD 3C15AD50 D73FF48E EC3D9F18 59D23F59 7485C99C 12FC058E 0CE6DA30
6595BD79 47AABD54 EEB580C3 5B8D09FF D05CD5F3 3964ED8F ABD5BC48 172503B3 F18E40
quit
username user1 privilege 15 secret 5 $1$hQPG$pPAsese3XgG8sXF5AdKsH/
!
!
ip ssh authentication-retries 5
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption vlan 40 mode ciphers aes-ccm tkip
!
encryption vlan 30 mode ciphers aes-ccm tkip
!
broadcast-key vlan 40 change 30
!
broadcast-key vlan 30 change 30
!
!
ssid GUEST
!
ssid PRIVATE
!
antenna gain 0
mbssid
station-role root
!
interface Dot11Radio0.30
encapsulation dot1Q 30
no ip route-cache
bridge-group 30
bridge-group 30 subscriber-loop-control
bridge-group 30 block-unknown-source
no bridge-group 30 source-learning
no bridge-group 30 unicast-flooding
bridge-group 30 spanning-disabled
!
interface Dot11Radio0.40
encapsulation dot1Q 40
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio1
no ip address
no ip route-cache
!
encryption vlan 40 mode ciphers aes-ccm tkip
!
encryption vlan 30 mode ciphers aes-ccm tkip
!
broadcast-key vlan 40 change 30
!
broadcast-key vlan 30 change 30
!
!
ssid GUEST
!
ssid PRIVATE
!
antenna gain 0
no dfs band block
mbssid
channel dfs
station-role root
!
interface Dot11Radio1.30
encapsulation dot1Q 30
no ip route-cache
bridge-group 30
bridge-group 30 subscriber-loop-control
bridge-group 30 block-unknown-source
no bridge-group 30 source-learning
no bridge-group 30 unicast-flooding
bridge-group 30 spanning-disabled
!
interface Dot11Radio1.40
encapsulation dot1Q 40
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface GigabitEthernet0
description the embedded AP GigabitEthernet 0 is an internal interface connecting AP with the host router
no ip address
no ip route-cache
!
interface GigabitEthernet0.30
encapsulation dot1Q 30
no ip route-cache
bridge-group 30
no bridge-group 30 source-learning
bridge-group 30 spanning-disabled
!
interface GigabitEthernet0.40
encapsulation dot1Q 40
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface BVI1
ip address 172.16.40.2 255.255.255.240
no ip route-cache
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
logging trap debugging
logging 172.16.50.100
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
privilege level 15
login local
transport input ssh
!
end
[/code]
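To catch the second of the two issues listed above before reloading the AP (a radio subinterface and its GigabitEthernet0 counterpart disagreeing on native tagging or on bridge-group, so the SSID's frames never reach the router), and to flag two hygiene points visible in the listing (both SSIDs carry the same type 7 wpa-psk string, and ip http server is enabled next to ip http secure-server), here is an added Python checker. It is not the post's own code or a Cisco tool. It assumes show run output indented one space per sub-command, as IOS prints it, GigabitEthernet0 as the uplink to the router, and a constructed excerpt of the config above as sample input. Type 7 is a reversible encoding rather than a hash, so a PSK stored that way is readable by anyone who can read the running config; the check treats that the same as it treats a PSK shared between the guest and private networks.

```python
import re
# Added example, not code from the post. SAMPLE_CONFIG is a constructed excerpt of its
# AP config (VLANs 30/40, bridge-groups 30/1, identical type 7 PSKs), indented as 'show run' prints.
SAMPLE_CONFIG = """\
dot11 ssid GUEST
 vlan 30
 wpa-psk ascii 7 0215003648850A7C
dot11 ssid PRIVATE
 vlan 40
 wpa-psk ascii 7 0215003648850A7C
interface Dot11Radio0.30
 encapsulation dot1Q 30
 bridge-group 30
interface Dot11Radio0.40
 encapsulation dot1Q 40
 bridge-group 1
interface GigabitEthernet0.30
 encapsulation dot1Q 30
 bridge-group 30
interface GigabitEthernet0.40
 encapsulation dot1Q 40
 bridge-group 1
ip http server
"""

def parse_sections(config):
    """Map each top-level statement to its indented sub-commands ('!' separators ignored)."""
    sections, current = {}, None
    for raw in config.splitlines():
        if raw.strip() in ("", "!"):
            continue
        if raw[0].isspace() and current is not None:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections.setdefault(current, [])
    return sections

def ssids(sections):
    """SSID -> (vlan, psk_type, psk_value) taken from 'dot11 ssid <name>' blocks."""
    out = {}
    for header, children in sections.items():
        m = re.fullmatch(r"dot11 ssid (\S+)", header)
        if m:
            body = "\n".join(children)
            vlan = re.search(r"^vlan (\d+)$", body, re.M)
            psk = re.search(r"^wpa-psk ascii (\d) (\S+)$", body, re.M)
            out[m.group(1)] = (int(vlan.group(1)) if vlan else None,
                               psk.group(1) if psk else None, psk.group(2) if psk else None)
    return out

def subif_info(sections, name):
    """(vlan, native?, bridge-group) of 'interface <name>', or None if the subif is absent."""
    children = sections.get(f"interface {name}")
    if children is None:
        return None
    body = "\n".join(children)
    enc = re.search(r"^encapsulation dot1[Qq] (\d+)( native)?$", body, re.M)
    bg = re.search(r"^bridge-group (\d+)$", body, re.M)
    return (int(enc.group(1)) if enc else None, bool(enc and enc.group(2)),
            int(bg.group(1)) if bg else None)

def check_vlan_bridging(sections):
    """Each SSID VLAN needs a radio subif and a GigabitEthernet0 subif carrying that tag,
    agreeing on 'native' and sharing a bridge-group, or its frames never reach the router."""
    findings = []
    radios = sorted({m.group(1) for h in sections
                     if (m := re.fullmatch(r"interface (Dot11Radio\d+)(?:\.\d+)?", h))})
    for ssid, (vlan, _, _) in ssids(sections).items():
        for radio in radios:
            sides = {f"{radio}.{vlan}": None, f"GigabitEthernet0.{vlan}": None}
            for name in sides:
                sides[name] = subif_info(sections, name)
                if sides[name] is None:
                    findings.append(f"{ssid}: no {name} subinterface")
                elif sides[name][0] != vlan:
                    findings.append(f"{name}: expected encapsulation dot1Q {vlan}, found {sides[name][0]}")
            rad, wired = sides.values()
            if rad and wired and rad[1] != wired[1]:
                findings.append(f"{ssid}: radio and wired subinterfaces disagree on 'native' tagging")
            if rad and wired and rad[2] != wired[2]:
                findings.append(f"{ssid}: bridge-group {rad[2]} on {radio}.{vlan} != {wired[2]} on GigabitEthernet0.{vlan}")
    return findings

def check_hygiene(sections):
    """Flag type 7 (reversible) PSK storage, one PSK reused across SSIDs, and plaintext HTTP."""
    findings, seen = [], {}
    for name, (_, psk_type, psk) in ssids(sections).items():
        if psk_type == "7":
            findings.append(f"{name}: wpa-psk stored with type 7 (reversible) encoding")
        if psk:
            seen.setdefault(psk, []).append(name)
    for names in seen.values():
        if len(names) > 1:
            findings.append(f"SSIDs {', '.join(sorted(names))} share the same PSK")
    if "ip http server" in sections:
        findings.append("plaintext 'ip http server' is enabled; keep only 'ip http secure-server'")
    return findings

def run_checks(config):
    sections = parse_sections(config)
    return check_vlan_bridging(sections) + check_hygiene(sections)
```

Feed run_checks the saved text of show run from the AP. An empty result from check_vlan_bridging means every SSID VLAN has a matching, consistently bridged subinterface on both sides of the internal link; on the constructed sample it is the hygiene checks that report, because the bridging is already the corrected version from the post.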

Please feel free to leave a comment...