Cisco Router 850 Series Software Configuration Guide

							
CH A P T E R
 
9-1
Cisco 850 Series and Cisco 870 Series Access Routers Software Configuration Guide
OL-5332-01 
9
Configuring a Wireless LAN Connection
The Cisco 850 and Cisco 870 series routers support a secure, af fordable, and easy-to-use wireless LAN 
solution that combines mobility and flexibility with the enterprise-class features required by networking 
professionals. With a management system based on  Cisco IOS software, the Cisco routers act as access 
points, and are Wi-Fi certified, IEEE 802.11 a/b/g-compliant wireless LAN transceivers.
You can configure and monitor the routers using th e command-line interface (CLI), the browser-based 
management system, or Simple Ne twork Management Protocol (SNMP) . This chapter describes how to 
configure the router us ing the CLI. Use the interface dot11radio  global configuration CLI command to 
place the device into radio configuration mode.
See the  Cisco Access Router Wireless Configuration Guide  for more detailed information about 
configuring these Cisco routers  in a wireless LAN application.
Figure 9-1 shows a wireless network deployment.
Figure 9-1 Wireless Connection to the Cisco Router
129282
1
2
3
4
1Wireless LAN (with multiple networked devices)
2Cisco 850 or Cisco 870 series acce ss router connected to the Internet
3VLAN 1
4VLAN 2
In the configuration example that fo llows, a remote user is accessing the Cisco 850 or Cisco 870 series 
access router using a wireless connection. Each remote user has his own VLAN. 
						

							 
9-2
Cisco 850 Series and Cisco 870 Series Access Routers Software Configuration Guide
OL-5332-01 
Chapter 9      Configuring a Wireless LAN Connection
  Configure the Root Radio Station
Configuration Tasks
Perform the following tasks to configure this network scenario:
 Configure the Root Radio Station
 Configure Bridging on VLANs
 Configure Radio Station Subinterfaces
A configuration example showing the results of these configuration tasks is provided in the 
“Configuration Example” section on page 9-6.
NoteThe procedures in this chapter assume that you have already configured basic router features as well as 
PPPoE or PPPoA with NAT. If you have not performed these configurations tasks, see 
Chapter 1, “Basic 
Router Configuration,” Chapter 3, “Configuring PPP over Ethernet with NAT,” and Chapter 4, 
“Configuring PPP over ATM with NAT,” as appropriate for your router. You may have also configured 
DHCP, VLANs, and secure tunnels.
Configure the Root Radio Station
Perform these steps to create and configure the root radio station for your wireless LAN, beginning in 
global configuration mode:
CommandPurpose
Step 1interface name number
Example:
Router(config)# interface dot11radio 0Router(config-if)# 
Enters interface configuration mode for the 
radio interface.
Step 2broadcast-key [vlan vlan-id] change seconds 
Example:
Router(config-if)# broadcast-key vlan 1 
change 45
Router(config-if)# 
Specifies the time interval, in seconds, between 
rotations of the broadcast encryption key used 
for clients.
NoteClient devices using static Wired 
Equivalent Privacy (WEP) cannot use 
the access point when you enable 
broadcast key rotation—only wireless 
client devices using 802.1x 
authentication (such as Light Extensible 
Authentication Protocol [LEAP], 
Extensible Authentication 
Protocol–Transport Layer Security 
[EAP-TLS], or Protected Extensible 
Authentication Protocol [PEAP]) can 
use the access point.
NoteThis command is not supported on 
bridges.
See the Cisco IOS Commands for Access Points 
and Bridges for more details. 
						

							 
9-3
Cisco 850 Series and Cisco 870 Series Access Routers Software Configuration Guide
OL-5332-01 
Chapter 9      Configuring a Wireless LAN Connection
  Configure the Root Radio Station
Step 3encryption method algorithm key
Example:
Router(config-if)# encryption vlan 1 mode 
ciphers tkip
Router(config-if)# 
Specifies the encryption method, algorithm, and 
key used to access the wireless interface.
The example uses the VLAN with optional 
encryption method of data ciphers.
Step 4ssid name 
Example:
Router(config-if)# ssid ciscoRouter(config-if-ssid)# 
Creates a Service Set ID (SSID), the public 
name of a wireless network.
NoteAll of the wireless devices on a WLAN 
must employ the same SSID to 
communicate with each other.
Step 5vlan number
Example:
Router(config-if-ssid)# vlan 1
Router(config-if-ssid)# 
Binds the SSID with a VLAN.
Step 6authentication type
Example:
Router(config-if-ssid)# authentication openRouter(config-if-ssid)# authentication 
network-eap eap_methods
Router(config-if-ssid)# authentication 
key-management wpa
Sets the permitted authentication methods for a 
user attempting access to the wireless LAN.
More than one method can be specified, as 
shown in the example.
Step 7exit
Example:
Router(config-if-ssid)# exit
Router(config-if)# 
Exits SSID configuration mode, and enters 
interface configuration mode for the radio 
interface.
Step 8speed rate
Example:
Router(config-if)# basic-1.0 basic-2.0 
basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 
36.0 48.0 54.0
Router(config-if)# 
(Optional) Specifies the required and allowed 
rates, in Mbps, for traffic over the wireless 
connection.
Step 9rts [retries | threshold]
Example:
Router(config-if)# rts threshold 2312
Router(config-if)# 
(Optional) Specifies the Request to Send (RTS) 
threshold or the number of times to send a 
request before determining the wireless LAN is 
unreachable.
Command Purpose 
						

							 
9-4
Cisco 850 Series and Cisco 870 Series Access Routers Software Configuration Guide
OL-5332-01 
Chapter 9      Configuring a Wireless LAN Connection
  Configure Bridging on VLANs
Configure Bridging on VLANs
Perform these steps to configure integrated routing and bridging on VLANs, beginning in global 
configuration mode:
Step 10power [client | local] [cck [number | maximum] | 
ofdm [number | maximum]]
Example:
Router(config-if)# power local cck 50Router(config-if)# power local ofdm 30
Router(config-if)# 
(Optional) Specifies the radio transmitter power 
level.
See the Cisco Access Router Wireless 
Configuration Guide for available power level 
values.
Step 11channel [number | least-congested]
Example:
Router(config-if)# channel 2462Router(config-if)# 
(Optional) Specifies the channel on which 
communication occurs.
See the Cisco Access Router Wireless 
Configuration Guide for available channel 
numbers.
Step 12station-role [repeater | root]
Example:
Router(config-if)# station-role root
Router(config-if)# 
(Optional) Specifies the role of this radio 
interface. 
You must specify at least one root interface.
Step 13exit
Example:
Router(config-if)# exitRouter(config)# 
Exits interface configuration mode, and enters 
global configuration mode.
Command Purpose
Command or ActionPurpose
Step 1bridge [number | crb | irb |mac-address-table]
Example:
Router(config)# bridge irbRouter(config)# 
Specifies the type of bridging.
The example specifies integrated routing and 
bridging.
Step 2interface name number 
Example:
Router(config)# interface vlan 1
Router(config)# 
Enters interface configuration mode. 
We want to set up bridging on the VLANs, so the 
example enters the VLAN interface 
configuration mode. 
						

							 
9-5
Cisco 850 Series and Cisco 870 Series Access Routers Software Configuration Guide
OL-5332-01 
Chapter 9      Configuring a Wireless LAN Connection
  Configure Radio Station Subinterfaces
Repeat Step 2 through Step 6 above for each VLAN that requires a wireless interface.
Configure Radio Station Subinterfaces
Perform these steps to configure subinterfaces for each root station, beginning in global configuration 
mode:
Step 3bridge-group number
Example:
Router(config)# bridge-group 1Router(config)# 
Assigns a bridge group to the interface.
Step 4bridge-group parameter
Example:
Router(config)# bridge-group 
spanning-disabled
Router(config)# 
Sets other bridge parameters for the bridging 
interface.
Step 5interface name number
Example:
Router(config)# interface bvi 1
Router(config)# 
Enters configuration mode for the virtual bridge 
interface.
Step 6ip address address mask
Example:
Router(config)# ip address 10.0.1.1 
255.255.255.0
Router(config)# 
Specifies the address for the virtual bridge 
interface.
Command or Action Purpose
CommandPurpose
Step 1interface type number
Example:
Router(config)# interface dot11radio 0.1
Router(config-subif)# 
Enters subinterface configuration mode for the 
root station interface.
Step 2description string
Example:
Router(config-subif)# description Cisco open
Router(config-subif)# 
Provides a description of the subinterface for the 
administrative user. 
						

							 
9-6
Cisco 850 Series and Cisco 870 Series Access Routers Software Configuration Guide
OL-5332-01 
Chapter 9      Configuring a Wireless LAN Connection
  Configuration Example
Repeat these steps to configure more subinterfaces, as needed.
Configuration Example
The following configuration example shows a portion of the configuration file for the wireless LAN 
scenario described in the preceding sections.
!
bridge irb
!interface Dot11Radio0
 no ip address
 ! broadcast-key vlan 1 change 45
 !
 ! encryption vlan 1 mode ciphers tkip 
 !
 ssid cisco    vlan 1
    authentication open 
wpa-psk ascii 0 cisco123    authentication key-management wpa
 !
Step 3encapsulation dot1q vlanID [native | 
second-dot1q]
Example:
Router(config-subif)# encapsulation dot1q 1 
native
Router(config-subif)# 
Specifies that IEEE 802.1Q (dot1q) 
encapsulation is used on the specified 
subinterface.
Step 4no cdp enable
Example:
Router(config-subif)# no cdp enableRouter(config-subif)# 
Disables the Cisco Discovery Protocol (CDP) on 
the wireless interface.
Step 5bridge-group number
Example:
Router(config-subif)# bridge-group 1
Router(config-subif)# 
Assigns a bridge group to the subinterface.
Step 6exit
Example:
Router(config-subif)# exitRouter(config)# 
Exits subinterface configuration mode, and 
enters global configuration mode.
Command Purpose 
						

							 
9-7
Cisco 850 Series and Cisco 870 Series Access Routers Software Configuration Guide
OL-5332-01 
Chapter 9      Configuring a Wireless LAN Connection
  Configuration Example
 ssid ciscowep    vlan 2
    authentication open 
 ! ssid ciscowpa
    vlan 3
    authentication open  !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 rts threshold 2312 power local cck 50
 power local ofdm 30
 channel 2462 station-role root
!
interface Dot11Radio0.1 description Cisco Open
 encapsulation dot1Q 1 native
 no cdp enable bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!interface Dot11Radio0.2
 encapsulation dot1Q 2
 bridge-group 2 bridge-group 2 subscriber-loop-control
 bridge-group 2 spanning-disabled
 bridge-group 2 block-unknown-source no bridge-group 2 source-learning
 no bridge-group 2 unicast-flooding
!interface Dot11Radio0.3
 encapsulation dot1Q 3
 bridge-group 3 bridge-group 3 subscriber-loop-control
 bridge-group 3 spanning-disabled
 bridge-group 3 block-unknown-source no bridge-group 3 source-learning
 no bridge-group 3 unicast-flooding
!interface Vlan1
 no ip address
 bridge-group 1 bridge-group 1 spanning-disabled
!
interface Vlan2 no ip address
 bridge-group 2
 bridge-group 2 spanning-disabled!
interface Vlan3
 no ip address bridge-group 3
 bridge-group 3 spanning-disabled
!interface BVI1
 ip address 10.0.1.1 255.255.255.0
! 
						

							 
9-8
Cisco 850 Series and Cisco 870 Series Access Routers Software Configuration Guide
OL-5332-01 
Chapter 9      Configuring a Wireless LAN Connection
  Configuration Example
interface BVI2 ip address 10.0.2.1 255.255.255.0
!
interface BVI3 ip address 10.0.3.1 255.255.255.0
! 
						

							CH A P T E R
 
10-1
Cisco 850 Series and Cisco 870 Series Access Routers Software Configuration Guide
OL-5332-01 
10
Sample Configuration
This chapter collects the results of the Ethernet WAN interface, DHCP, VLAN, Easy VPN, and wireless 
interface configurations made in previous chapters. This allows you to view what a basic configuration 
provided by this guide looks like in a single sample, 
Example 10-1.
NoteCommands marked by “(default)” are generated automatically when you run the show running-config 
command.
Example 10-1 Sample Configuration
Router# show running-config
Building configuration...
Current configuration : 3781 bytes
!
version 12.3no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption!
hostname retail
!boot-start-marker
boot-end-marker
!enable password cisco123
!
username jsomeone password 0 cg6#107Xaaa new-model
!
aaa group server radius rad_eapserver 10.0.1.1 auth-port 1812 acct-port 1813
!
aaa authentication login eap_methods group rad_eapaaa session-id common
ip subnet-zero
ip cef!
vpdn enable
vpdn-group 1request-dialin
protocol pppoe
! 
						

							 
10-2
Cisco 850 Series and Cisco 870 Series Access Routers Software Configuration Guide
OL-5332-01 
Chapter 10      Sample Configuration
  
interface dialer 1ip address negotiated
ppp authentication chap
dialer pool 1dialer-group 1
!
dialer-list 1 protocol ip permitip nat inside source list 1 interface dialer 0 overload
ip classless (default)
ip route 10.10.25.2 0.255.255.255 dialer 0!
ip dhcp excluded-address 10.0.1.1 10.0.1.10
ip dhcp excluded-address 10.0.2.1 10.0.2.10ip dhcp excluded-address 10.0.3.1 10.0.3.10
!
ip dhcp pool vlan1   network 10.0.1.0 255.255.255.0
   default-router 10.0.1.1 
!ip dhcp pool vlan2
   network 10.0.2.0 255.255.255.0
   default-router 10.0.2.1 !
ip dhcp pool vlan3
   network 10.0.3.0 255.255.255.0
   default-router 10.0.3.1 !
ip ips po max-events 100
no ftp-server write-enable!
bridge irb
!interface FastEthernet0
no ip address
!interface FastEthernet1
no ip address
!interface FastEthernet2
no ip address
!interface FastEthernet3
switchport mode trunk
no ip address!
interface FastEthernet4
ip address 192.168.12.2 255.255.255.0no ip directed-broadcast (default)
speed auto
ip nat outsideip access-group 103 in
no cdp enable
crypto ipsec client ezvpn ezvpnclient outsidecrypto map static-map
!
crypto isakmp policy 1encryption 3des
authentication pre-share
group 2lifetime 480
!