Cisco: 897VAW Running Config – Wireless AP

On the newer Cisco ISR / SOHO routers, Cisco have moved the WiFi capability to a separate module (Access Point (AP)) that runs its own IOS image. The router and the AP have to talk to each other through the integrated “wlan-ap0” interface.

If you are new to this concept, it takes a little working out to actually connect to the AP module.

To connect from the main router’s interface (enable):

The default enable password is “Cisco” (without quotes).

To exit from the AP and return to the router, press CTRL+Shift+6, x, then once in the router config, type disconnect to close the session. Most of the info can be found here. One you’re in, you can set it up so you can SSH directly into the AP.

Rather than me try to explain it, aryoba describes it far better on my new favourite website here, towards the bottom of the page and quoted below:

Cisco Wireless Router New Product Lines

1. 881-W model

The 881-W introduces a concept where there is an integrated AP that is running dedicated IOS image file separated from the router’s IOS image file. In this sample configuration, the integrated AP runs ap801-k9w7-mx.124-25d.JA1 IOS image while the router runs c880data-universalk9-mz.150-1.M8.bin IOS image.

Since the 881-W model supports wireless N, the Ethernet port is now in a form of Gigabit Ethernet instead of Fast Ethernet. This Gigabit Ethernet ports show on both the AP configuration and router configuration where a GigabitEthernet0 interface resides in the AP and a Wlan-GigabitEthernet0 interface resides in the router. The two Gigabit Ethernet ports are internally interconnected, similar to a setup where there is an external AP 1200 Fast Ethernet port is interconnected using a physical Ethernet cable to a 871 non-wireless router’s Fast Ethernet port.

Such internal interconnectivity between the two Gigabit Ethernet ports can be seen as a regular switch access or trunk port. Similar to a regular switch port that by default both Gigabit Ethernet ports are set as access port passing only default VLAN which is VLAN 1. Should you plan to create multiple SSID over the same dot11radio interface, then the Gigabit Ethernet ports must be set as trunk ports.

As the AP runs it’s own IOS image, I have listed the AP config separate to the associated Router config that can be found in my post here.

I aim to have guest WiFi on VLAN30 and “trusted” WiFi on VLAN40. As of 03/07/2014, I have only attempted to configure VLAN40 thus far but I cannot get the AP to communicate with the router. I will update this config when I find the issue.


I can now communicate with the VLANs on the router from the AP. Now trying to work out where to put the ip helper-address so VLAN40 gets a DHCP assigned IP.

It’s mostly working now, although I am not sure I can test the Dot11Radio1 as I don’t seem to have a 5GHz device. Still need to set up a local DHCP server for the guest WiFi.

There were two main issues:

  1. 1. I had dot11 vlan-name CoreWiFi vlan 40 rather than dot11 vlan-name vlan40 vlan 40. It uses this to ensure the correct VLAN mapping.
  2. 2. I had encapsulation dot1Q 40 native rather than encapsulation dot1Q 40 on Dot11Radio1.40. If you remove native using the cli, it moves bridge-group 1 from the subinterface to the interface (From Do1.40 to Do1). You have to set another bridge-group (e.g Bridge-Group 5) on Do1, then set bridge-group 1 on Do1.40, then you can remove bridge-group 5 from Do1. It’s explained better in the comments for an Aironet access point here.

Do = Dot11Radio (shorthand).

I worked through the example given here to produce the following config:



Please feel free to leave a comment...