The Product
Many moons ago I purchased a nice new Cisco 867w, as I needed another branch router and the task at hand didn’t really warrant the expense of a larger one. I am reasonably familiar with configuring Cisco switches, security devices (ASA, Catalyst etc.) and routers, and can find my way around the IOS fairly well, or so I thought. I haven’t really had much to do with Cisco wireless APs and Aironet products in general.
But the 867w (and 887w) has a full Cisco AP embedded into the router. The AP has its own IOS and needs a full configuration and, even more alarmingly, I could not find any sample wireless configurations anywhere on the net, including on the Cisco.com site. There is a good configuration guide on the Cisco site, but it falls way short of the mark for configuring the router from scratch; it is much better as a reference guide. I couldn’t find any reference in it to how the 867w’s AP actually integrates with, and hence communicates with, the router itself.
Another major issue for me was that the router shipped with an old IOS and, apart from that, absolutely nothing in flash. (Pretty sloppy, Cisco!)
The Problem
My problem, in a nutshell, was how to bridge the AP to the router’s VLAN. Sounds simple enough, doesn’t it? But I couldn’t see an obvious solution and couldn’t find any relevant documentation. I posted on a couple of quality forums to see if anyone else had had a similar issue, and yes, lots of people had. What was the solution? None given. Grrr… There are loads of posts covering the concept of bridging VLANs and the concept of configuring a router, but no wireless sample configs. Personally, when faced with a new device, I find it beneficial to see a working config, pull it apart and figure out why it works. I learn the most that way.
To cut a very long story short, the router has a Wlan-GigabitEthernet0 interface. It is the router end of an internal link whose AP end shows up as GigabitEthernet0 in the AP’s own configuration, and this link is the glue that binds the router to the AP. So, below I have included the running config for each of the relevant interfaces on both the router and the embedded AP.
Don’t forget that, until you configure a management IP on the AP’s BVI1, the only way to configure the AP is to log on to the router and use
Router# service-module wlan-ap 0 session
to open a console session to the AP. Once in there, the only way back is the escape sequence
AP# <Ctrl>+<Shift>+6, then x
which returns you to the router’s prompt but leaves the AP session open in the background. If you subsequently want to close that session completely you also need to type
Router# disconnect
on the router.
The Solution
On the Router…
interface Vlan1
ip address 192.168.xx.1 255.255.255.0
ip nat inside
ip virtual-reassembly
end
!
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
end
!
interface wlan-ap0
description Service module interface to manage the embedded AP
ip unnumbered Vlan1
arp timeout 0
end
!
interface Dialer0
description PPPoA Dialer for Int ATM0
ip address negotiated
ip access-group aclInternetInbound in
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1492
ip flow ingress
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
ppp authentication chap callin
ppp chap hostname
ppp chap password
ppp ipcp dns request accept
ppp ipcp route default
ppp ipcp address accept
no cdp enable
crypto map
end
Of course there is no need for a static default route (an
ip route 0.0.0.0 0.0.0.0
statement) because ppp ipcp route default on the Dialer interface installs one whenever the PPP session comes up, and removes it when the session drops.
On the AP…
interface Dot11Radio0
no ip address
no ip route-cache
encryption mode ciphers aes-ccm tkip
broadcast-key change 3600
ssid
antenna gain 0
speed basic-6.0 basic-9.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15.
station-role root ap-only
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
end
!
interface GigabitEthernet0
description the embedded AP GigabitEthernet 0 is an internal interface connecting AP with the host router
no ip address
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
end
!
interface BVI1
ip address 192.168.xx.2 255.255.255.0
no ip route-cache
end
And on the AP you will need a default gateway rather than a route, because the AP bridges rather than routes; so configure
AP(config)# ip default-gateway 192.168.xx.1
to send the AP’s own off-subnet traffic (NTP, syslog, remote management) out via the router’s VLAN interface.
One security note on the radio interface: encryption mode ciphers aes-ccm tkip lets clients negotiate TKIP as well as AES-CCMP. TKIP is the deprecated WPA1-era cipher and only buys you compatibility with very old clients; if you don’t have any, use encryption mode ciphers aes-ccm on its own.
Edit: A few people have asked for a full AP config to get started with so here is a “Bare Bone” one to get you started…
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
hostname AP
logging buffered 132000 notifications
enable secret 0 <PutAGoodPasswordHere>
no aaa new-model
clock timezone AEST 10
clock save interval 8
dot11 syslog
dot11 ssid SSID
authentication open
authentication key-management wpa version 2
guest-mode
wpa-psk ascii 0 <PutAGoodPasswordHere>
username me privilege 15 secret 0 <PutAGoodPasswordHere>
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
encryption mode ciphers aes-ccm tkip
broadcast-key change 3600
ssid SSID
antenna gain 0
speed basic-6.0 basic-9.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15.
station-role root ap-only
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface GigabitEthernet0
description the embedded AP GigabitEthernet 0 is an internal interface connecting AP with the host router
no ip address
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
interface BVI1
ip address 192.168.xx.2 255.255.255.0
no ip route-cache
ip default-gateway 192.168.xx.1
no ip http server
no ip http secure-server
bridge 1 route ip
line con 0
no activation-character
line vty 0 2
exec-timeout 20 0
login local
transport preferred none
transport input telnet
line vty 3 4
exec-timeout 20 0
login local
transport preferred none
transport input ssh
transport output all
sntp server <IPofSntpServer>
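As an added example (not code from the original post, and not a Cisco tool), here is a small Python audit that parses an AP running-config in the text form shown above and checks the two things this page cares about: that Dot11Radio0, GigabitEthernet0, the BVI, bridge N route ip and the default gateway actually line up, and that the obvious weak spots in the bare-bones config (TKIP in the cipher list, telnet on the vty lines, no ip ssh version 2) are flagged. It goes a little beyond the page by also reporting the misconfigurations people hit when the bridging is incomplete. SAMPLE_AP_CONFIG is a constructed copy of the bare-bones config with placeholder 192.168.10.x addresses standing in for the redacted 192.168.xx values; HARDENED_AP_CONFIG is the same config with the weak settings corrected.

```python
"""Audit an autonomous Aironet / embedded-AP running-config for the bridging and
hardening points discussed on this page. Added example: not from the original post
and not a Cisco tool. SAMPLE_AP_CONFIG is a constructed copy of the bare-bones config."""
import re

# Constructed sample; IOS indents sub-commands by one space, as "show run" does.
SAMPLE_AP_CONFIG = """\
dot11 ssid SSID
 authentication open
 authentication key-management wpa version 2
 wpa-psk ascii 0 <PutAGoodPasswordHere>
bridge irb
interface Dot11Radio0
 encryption mode ciphers aes-ccm tkip
 ssid SSID
 bridge-group 1
 bridge-group 1 block-unknown-source
interface GigabitEthernet0
 bridge-group 1
interface BVI1
 ip address 192.168.10.2 255.255.255.0
ip default-gateway 192.168.10.1
bridge 1 route ip
line vty 0 2
 login local
 transport input telnet
line vty 3 4
 login local
 transport input ssh
"""

# The same config with the weak spots fixed, for comparison.
HARDENED_AP_CONFIG = SAMPLE_AP_CONFIG.replace(
    " encryption mode ciphers aes-ccm tkip", " encryption mode ciphers aes-ccm"
).replace(" transport input telnet", " transport input ssh") + "ip ssh version 2\n"


def parse_ios(config):
    """Split an IOS config into (top_level_lines, {header: [sub-commands]})."""
    top, sections, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            top.append(current)
            sections.setdefault(current, [])
    return top, sections


def check_bridging(top, sections):
    """Radio and GigabitEthernet0 must share a bridge-group; that group needs an
    addressed BVI and 'bridge N route ip', plus 'bridge irb' and a default gateway."""
    problems, groups = [], {}
    for ifname in ("Dot11Radio0", "GigabitEthernet0"):
        subs = sections.get(f"interface {ifname}", [])
        found = [s.split()[1] for s in subs if re.fullmatch(r"bridge-group \d+", s)]
        if found:
            groups[ifname] = found[0]
        else:
            problems.append(f"{ifname} is not in any bridge-group")
    if len(set(groups.values())) > 1:
        problems.append(f"radio and GigabitEthernet0 are in different bridge-groups: {groups}")
    for n in set(groups.values()):
        if not any(s.startswith("ip address ") for s in sections.get(f"interface BVI{n}", [])):
            problems.append(f"BVI{n} has no ip address; AP is unmanageable once the console session closes")
        if f"bridge {n} route ip" not in top:
            problems.append(f"'bridge {n} route ip' missing; BVI{n} will not pass IP")
    if "bridge irb" not in top:
        problems.append("'bridge irb' missing; BVI interfaces need IRB")
    if not any(t.startswith("ip default-gateway ") for t in top):
        problems.append("no ip default-gateway; the AP cannot reach off-subnet hosts")
    return problems


def check_hardening(top, sections):
    """Flag the weak settings a reviewer would raise on the bare-bones config."""
    findings, ssh_in_use = [], False
    for s in sections.get("interface Dot11Radio0", []):
        m = re.fullmatch(r"encryption mode ciphers (.+)", s)
        if m and "tkip" in m.group(1).split():
            findings.append("TKIP allowed on Dot11Radio0; use 'encryption mode ciphers aes-ccm' only")
    for hdr, subs in sections.items():
        for s in (subs if hdr.startswith("line vty") else []):
            m = re.fullmatch(r"transport input (.+)", s)
            if m:
                allowed = set(m.group(1).split())
                ssh_in_use |= bool(allowed & {"ssh", "all"})
                if allowed & {"telnet", "all"}:
                    findings.append(f"{hdr}: cleartext telnet permitted ('{s}'); use 'transport input ssh'")
    if ssh_in_use and "ip ssh version 2" not in top:
        findings.append("'ip ssh version 2' not set; SSHv1 may still be negotiated")
    return findings


def audit(config):
    """Run both checks; empty lists mean the config passes."""
    top, sections = parse_ios(config)
    return {"bridging": check_bridging(top, sections), "hardening": check_hardening(top, sections)}
```

Paste the output of show running-config from the AP into a string and call audit() on it; the bare-bones config passes the bridging check and produces three hardening findings, the hardened variant produces none. The parser relies on the one-space indentation IOS uses for sub-commands, so keep the config as the AP prints it rather than re-flowing it.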
Two caveats on that bare-bones config before you put it into service. First, line vty 0 2 accepts telnet, so the credentials for the username me account travel in cleartext across the bridged LAN and over the air; tighten it to transport input ssh on all the vty lines and add ip ssh version 2. SSH on the AP only works once it has an RSA key, which means setting ip domain-name before running crypto key generate rsa. Second, service password-encryption only applies reversible type 7 obfuscation to passwords that are not already stored as secrets (the wpa-psk, for instance), so treat a saved copy of the config as sensitive.
I hope that helps.