Difference between revisions of "Cisco 1941 with AIR-SAP 1602E-E-K9 Standalone"

Line 307: Line 307:


== Router config ==
== Router config ==
  ! Last configuration change at ##:##:## UTC Wed Oct ## 2013 by tech
!
  ! Last configuration change at 00:50:58 UTC Wed Oct 23 2013 by tech
  version 15.2
  version 15.2
  service timestamps debug datetime msec
  service timestamps debug datetime msec localtime show-timezone
  service timestamps log datetime msec
  service timestamps log datetime msec localtime show-timezone
  service password-encryption
  service password-encryption
  !
  !
  hostname R1
  hostname <span style="color: blue">$ID-r1</span>
  !
  !
  boot-start-marker
  boot-start-marker
Line 321: Line 319:
  !
  !
  !
  !
  logging buffered 10000
logging userinfo
  logging buffered 50000
  logging console warnings
  logging console warnings
  enable secret <span style="color: blue">enablepassword</span>
  enable secret <span style="color: blue">enablepassword</span>
Line 331: Line 330:
  aaa authentication username-prompt LocalUsername:
  aaa authentication username-prompt LocalUsername:
  aaa authentication login default local
  aaa authentication login default local
! force to use aaa auth on console line
  aaa authentication login admin-con line
  aaa authentication login admin-con line
  aaa authorization exec default local  
  aaa authorization exec default local  
Line 392: Line 392:
   network 10.0.30.0 255.255.254.0
   network 10.0.30.0 255.255.254.0
   default-router 10.0.30.1  
   default-router 10.0.30.1  
   dns-server 194.72.0.114 194.72.0.114
  ! line below is optional in case you want to hand out different DNS servers than the router itself is using
   dns-server <span style="color: blue">primary_dns secondary_dns</span>
   domain-name lan.gateway
   domain-name lan.gateway
   lease 0 2
   lease 0 2
Line 398: Line 399:
  no ip bootp server
  no ip bootp server
  ip domain name lma.geteway
  ip domain name lma.geteway
!
<span style="color: grey">ip name-server <span style="color: blue">$primary_dns</span>
ip name-server <span style="color: blue">$secondary_dns</span></span>
!
login block-for 300 attempts 3 within 300
  no ipv6 cef
  no ipv6 cef
  multilink bundle-name authenticated
  multilink bundle-name authenticated
Line 405: Line 411:
  !
  !
  !
  !
  license udi pid CISCO1941/K9 sn <span style="color: blue">routerserialnumber</span>
  license udi pid CISCO1941/K9 sn <span style="color: blue">£routerserialnumber</span>
  !
  !
  license accept end user agreement
  license accept end user agreement
Line 412: Line 418:
  !
  !
  !
  !
  username <span style="color: blue">****tech</span> privilege 0 secret 0 <span style="color: blue">techpassword</span>
  username <span style="color: blue">****tech</span> privilege 0 secret 0 <span style="color: blue">password</span>
  username <span style="color: blue">**neteng</span>  privilege 15 secret 0 <span style="color: blue">netengpassword</span>
  username <span style="color: blue">**neteng</span>  privilege 15 secret 0 <span style="color: blue">password</span>
  !
  !
  !
  !
Line 435: Line 441:
   speed auto
   speed auto
   shutdown
   shutdown
!
<span style="color: grey">interface GigabitEthernet0/0
description --> WAN $WiMAX ##Mbps down/up
ip address <span style="color: blue">$public_ip subnet_mask</span>
! Comment out 'access-group' lines only when you applying ACLs at the same time
! ip access-group INTERNET-IN in
! ip access-group INTERNET-OUT out
ip verify unicast reverse-path
ip nat enable
ntp disable
no shutdown</span>
!
  !
  !
  interface GigabitEthernet0/1
  interface GigabitEthernet0/1
  description Wired user LAN
   ip address 10.0.30.1 255.255.254.0
   ip address 10.0.30.1 255.255.254.0
   ip nat enable
   ip nat enable
Line 465: Line 484:
  !
  !
  interface GigabitEthernet0/1/0
  interface GigabitEthernet0/1/0
   description Trunk to AIR-SAP1602
   description --> trunk to AP
   switchport trunk native vlan 99
   switchport trunk native vlan 99
   switchport trunk allowed vlan 1,10,20,99,1002-1005
   switchport trunk allowed vlan 1,10,20,99,1002-1005
   switchport mode trunk
   switchport mode trunk
   no ip address
   no ip address
  no shutdown
  !
  !
  interface GigabitEthernet0/1/1
  interface GigabitEthernet0/1/1
   description Trunk to AIR-SAP1602
   description --> trunk to AP
   switchport trunk native vlan 99
   switchport trunk native vlan 99
   switchport trunk allowed vlan 1,10,20,99,1002-1005
   switchport trunk allowed vlan 1,10,20,99,1002-1005
   switchport mode trunk
   switchport mode trunk
   no ip address
   no ip address
  no shutdown
  !
  !
  interface GigabitEthernet0/1/2
  interface GigabitEthernet0/1/2
   description Trunk to AIR-SAP1602
   description --> trunk to AP
   switchport trunk native vlan 99
   switchport trunk native vlan 99
   switchport trunk allowed vlan 1,10,20,99,1002-1005
   switchport trunk allowed vlan 1,10,20,99,1002-1005
   switchport mode trunk
   switchport mode trunk
   no ip address
   no ip address
  no shutdown
  !
  !
  interface GigabitEthernet0/1/3
  interface GigabitEthernet0/1/3
Line 489: Line 511:
   switchport access vlan 99
   switchport access vlan 99
   no ip address
   no ip address
  no shutdown
  !
  !
   <span style="color: green">interface Cellular0/0/0
   <span style="color: green">interface Cellular0/0/0
Line 516: Line 539:
  interface Vlan1
  interface Vlan1
   no ip address
   no ip address
  shutdown
  !
  !
  interface Vlan10
  interface Vlan10
   ip address 10.0.10.1 255.255.254.0
   ip address 10.0.10.1 255.255.254.0
   ip nat enable
   ip nat enable
  no shutdown
  !
  !
  interface Vlan20
  interface Vlan20
   ip address 10.0.20.1 255.255.254.0
   ip address 10.0.20.1 255.255.254.0
   ip nat enable
   ip nat enable
  no shutdown
  !
  !
  interface Vlan99
  interface Vlan99
Line 529: Line 555:
   ip address 10.0.99.100 255.255.255.128
   ip address 10.0.99.100 255.255.255.128
   ntp broadcast
   ntp broadcast
  no shutdown
  !
  !
  <span style="color: orange">interface Dialer0
  <span style="color: orange">interface Dialer0
Line 553: Line 580:
  <span style="color: purple">interface Dialer0
  <span style="color: purple">interface Dialer0
   description BT ADSL 5Mdown/1Mup acc: WM****** no:0********
   description BT ADSL 5Mdown/1Mup acc: WM****** no:0********
   ip address ip.add.re.ss m.a.s.k
   ! for dynamic public ip replace a lien below with 'ip address negotiated'
  ip address <span style="color: blue">$static_public_ip $subnet_mask</span>
   no ip redirects
   no ip redirects
   no ip unreachables
   no ip unreachables
Line 564: Line 592:
   ntp disable
   ntp disable
   ppp authentication chap callin
   ppp authentication chap callin
   ppp chap hostname D******@hg52.btclick.com
   ppp chap hostname <span style="color: blue">D******@hg52.btclick.com</span>
   ppp chap password 0 ******
   ppp chap password 0 <span style="color: blue">******</span>
   ppp pap sent-username D******@hg52.btclick.com password 0 ******
   ppp pap sent-username <span style="color: blue">D******@hg52.btclick.com</span> password 0 <span style="color: blue">******</span>
   ppp ipcp dns request
   ppp ipcp dns request
   no cdp enable</span>
   no cdp enable</span>
Line 604: Line 632:
  access-list 1 permit 10.0.0.0 0.0.255.255
  access-list 1 permit 10.0.0.0 0.0.255.255
  dialer-list 1 protocol ip permit</span>
  dialer-list 1 protocol ip permit</span>
!
<span style="color: grey">ip nat source list 1 interface Gi0/0 overload
ip route 0.0.0.0 0.0.0.0 Gi0/0
!
access-list 1 permit 10.0.0.0 0.0.255.255</span>
!
  access-list 20 remark Allow Management devices sync NTP clock
  access-list 20 remark Allow Management devices sync NTP clock
  access-list 20 permit 10.0.99.0 0.0.0.127 log
  access-list 20 permit 10.0.99.0 0.0.0.127 log
Line 643: Line 677:
   modem InOut
   modem InOut
   no exec
   no exec
  line 0/0/1
  line 0/0/1
   no exec</span>
   no exec</span>
Line 670: Line 706:
*<span style="color: purple">Purple - ATM/ADSL card configuration, BT Business ADSL</span>
*<span style="color: purple">Purple - ATM/ADSL card configuration, BT Business ADSL</span>
*<span style="color: orange">Orange - PPPoE, BT Infinity</span>
*<span style="color: orange">Orange - PPPoE, BT Infinity</span>
*<span style="color: grey">Grey - WAN Ethernet RJ45 from ISP</span>


== Applying VLANs ==
== Applying VLANs ==
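Review bot: The grey `interface GigabitEthernet0/0` stanza added in this revision enables NAT and `no shutdown` on the WAN port while both `ip access-group` lines stay commented out, and no access-list named INTERNET-IN or INTERNET-OUT is defined anywhere in the config, so the WAN interface ends up with uRPF as its only filter. The comment above those lines also reads backwards; I'd make it `! Leave the 'access-group' lines commented out unless you apply the INTERNET-IN/INTERNET-OUT ACLs in the same change` and add the two ACL definitions next to the other access-lists. Two placeholder slips in the same revision: `license udi pid CISCO1941/K9 sn £routerserialnumber` has a `£` where every other variable uses `$`, and the LAN pool's `dns-server primary_dns secondary_dns` lacks the `$` prefix that `ip name-server $primary_dns` uses, so a `$`-driven search-and-replace will miss both. The router config section continues outside this diff view.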

Revision as of 16:12, 15 February 2014

Here below you will find a basic configuration of AIR-SAP 1602E-E-K9 access point connected to 4-port EHWIC card inserted into Cisco 1941 ISR G2 modular router.

Product coding

Product/Model Number: AIR-SAP1602E-E-K9
IOS C1600 Software (AP1G2-K9W7-M), Version 15.2(2)JB2, RELEASE SOFTWARE (fc1)

                Regulatory Domain
               /
AIR-SAP 1602E-E-K9
     \       \_External antenna
      \_C_ stands for: Control and Provisioning of Wireless Access Points Protocol (CAPWAP); requires a WLC (Wireless LAN Controller)
       \_S_ stands for: Standalone AP
Router show inventory
#show inventory
NAME: "CISCO1941/K9", DESCR: "CISCO1941/K9 chassis, Hw Serial#: ***********, Hw Revision: 1.0"
PID: CISCO1941/K9      , VID: V05 , SN: ***********
NAME: "3G WWAN EHWIC-QuadBand HSPA+R7/HSPA/UMTS QuadBand EDGE/GPRS and GPS on Slot 0 SubSlot 0", DESCR: "3G WWAN EHWIC-QuadBand HSPA+R7/HSPA/UMTS QuadBand  EDGE/GPRS and GPS"
PID: EHWIC-3G-HSPA+7   , VID: V01 , SN: ***********
NAME: "Modem 0 on Cellular0/0/0", DESCR: "Sierra Wireless MC8705"
PID: MC8705            , VID: 1.0, SN: ***********
NAME: "4 Port GE POE EHWIC Switch on Slot 0 SubSlot 1", DESCR: "4 Port GE POE EHWIC Switch"
PID: EHWIC-4ESG-P      , VID: V01 , SN: ***********
NAME: "C1941 AC-POE Power Supply", DESCR: "C1941 AC-POE Power Supply"
PID: PWR-1941-POE      , VID:    , SN:
Access point show inventory
NAME: "AP1600", DESCR: "Cisco Aironet 1600 Series (IEEE 802.11n) Access Point"
PID: AIR-SAP1602E-E-K9 , VID: V01, SN: ********x11

Note that the access points are powered by Power over Ethernet. Power consumption differs: an AIR-CAP (managed) access point draws 13W, whereas an AIR-SAP (standalone) access point draws 15.4W.

#sh power inline
PowerSupply   SlotNum.   Maximum   Allocated       Status
-----------   --------   -------   ---------       ------
INT-PS           0        80.000    46.200         PS GOOD
Interface   Config   Device   Powered    PowerAllocated   State
---------   ------   ------   -------    --------------   -----
Gi0/1/0     auto     Unknown  Off        0.000 Watts      NOT_PHONE
Gi0/1/1     auto     IEEE-3   On        15.400 Watts      PHONE
Gi0/1/2     auto     IEEE-3   On        15.400 Watts      PHONE
Gi0/1/3     auto     IEEE-3   On        15.400 Watts      PHONE
Default account credentials on the access point
Username: Cisco
Password: Cisco
Enabled mode: Cisco

Basic AP config with WPA2-PSK auth

  • remember to issue 'no shutdown' on the radio interfaces, as they are administratively down on brand new devices; 'no shutdown' is included in the config below for interface Dot11Radio0
  • remember to change the 'password' values and the AP 'hostname' when deploying the config
  • not sure why, but when applying the config the BVI1 interface does not accept any changes
  • remember to set a domain name and generate the crypto key, otherwise you will not be able to log in using SSH; follow the steps below:
conf t
hostname ap1
ip domain name lma.gateway
! the default key label for hostname ap1 and domain lma.gateway is ap1.lma.gateway
! NOTE(review): a 1024-bit RSA host key is below current guidance; use 'modulus 2048'
! where the image supports it.
crypto key generate rsa label ap1.lma.gateway general-keys modulus 1024
! Last configuration change at 01:54:45 UTC Mon Mar 1 1993 by tech
! NOTE(review): the 1993 timestamp shows the AP clock was unset when this was saved; the
! 'sntp server' line near the end of this config fixes that once the AP can reach the router.
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
! Type-7 obfuscation of passwords shown in 'show run'; reversible, not a hash.
service password-encryption
!
hostname ap1
!
!
logging rate-limit console 9
! Stored hashed; 'secretpassword' is a placeholder to replace before loading.
enable secret secretpassword
!
aaa new-model
!
!
aaa authentication password-prompt LocalPassword:
aaa authentication username-prompt LocalUsername:
! Default list: console and vty logins use the local username database below; the web UI
! uses the same list via 'ip http authentication aaa'.
aaa authentication login default local
aaa authorization exec default local
!
!
!
!
!
aaa session-id common
! The AP bridges; it does not route between VLANs.
no ip routing
no ip cef
ip domain name lma.gateway
!
!
!
dot11 syslog
! VLAN ids match the router's Vlan10/Vlan20/Vlan99 SVIs and the trunk allowed list.
dot11 vlan-name Management vlan 99
dot11 vlan-name Wireless vlan 10
dot11 vlan-name Wireless-guest vlan 20
!
! Guest SSID on VLAN 20, WPA2-PSK, broadcast in beacons.
dot11 ssid DS_Guest
   vlan 20
   authentication open
   authentication key-management wpa version 2
   mbssid guest-mode
   ! '0' = key entered in cleartext; under service password-encryption it is stored type 7
   ! (reversible), so a copy of this config reveals the PSK. Replace the placeholder.
   wpa-psk ascii 0 guestpassword
!
! Management SSID on VLAN 99, WPA2-PSK, not broadcast.
dot11 ssid DS_MGM
   vlan 99
   authentication open
   authentication key-management wpa version 2
   ! mbssid guest-mode commented out to prevent broadcasting BSSID
   ! Hiding the SSID is not an access control; the WPA2 key management above is what protects VLAN 99.
   wpa-psk ascii 0 managementpassword
!
! Staff SSID on VLAN 10, WPA2-PSK, broadcast in beacons.
dot11 ssid DS_WPA2
   vlan 10
   authentication open
   authentication key-management wpa version 2
   mbssid guest-mode
   wpa-psk ascii 0 wirelesspassword
!
!
crypto pki token default removal timeout 0
!
!
! Local accounts; '0' means the secret is typed in cleartext and then stored hashed.
! 'tech' is privilege 1 here but privilege 0 in the router config.
username ****tech privilege 1 secret 0 techpassword
username **neteng privilege 15 secret 0 netengpassword
!
! SSH negotiation timeout (seconds) and the maximum IOS allows for retries (default is 3).
ip ssh time-out 180
ip ssh authentication-retries 5
! SSHv2 only.
ip ssh version 2
bridge irb
!
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 ! AES-CCMP only on every VLAN (no TKIP/WEP), matching the WPA2 key management of the ssid blocks.
 encryption mode ciphers aes-ccm
 !
 encryption vlan 10 mode ciphers aes-ccm
 !
 encryption vlan 20 mode ciphers aes-ccm
 !
 encryption vlan 99 mode ciphers aes-ccm
 !
 ssid DS_Guest
 !
 ssid DS_MGM
 !
 ssid DS_WPA2
 !
 antenna gain 0
 stbc
 beamform ofdm
 ! Multiple BSSIDs so several SSIDs can be beaconed from this radio.
 mbssid
 station-role root
 ! Radios ship administratively down; see the deployment notes above.
 no shutdown
!
! Per-VLAN sub-interfaces: each bridge-group pairs a radio VLAN with the same VLAN on GigabitEthernet0.
interface Dot11Radio0.10
 encapsulation dot1Q 10
 no ip route-cache
 bridge-group 10
 bridge-group 10 subscriber-loop-control
 bridge-group 10 spanning-disabled
 bridge-group 10 block-unknown-source
 no bridge-group 10 source-learning
 no bridge-group 10 unicast-flooding
!
interface Dot11Radio0.20
 encapsulation dot1Q 20
 no ip route-cache
 bridge-group 20
 bridge-group 20 subscriber-loop-control
 bridge-group 20 spanning-disabled
 bridge-group 20 block-unknown-source
 no bridge-group 20 source-learning
 no bridge-group 20 unicast-flooding
!
! Native VLAN 99 goes to bridge-group 1, which carries the AP's own management IP (BVI1).
interface Dot11Radio0.99
 encapsulation dot1Q 99 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
! Second radio (presumably the 5 GHz one) left administratively down.
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 antenna gain 0
 no dfs band block
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
! Wired trunk towards the router's Gi0/1/x ports.
interface GigabitEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 no shutdown
!
interface GigabitEthernet0.10
 encapsulation dot1Q 10
 no ip route-cache
 bridge-group 10
 bridge-group 10 spanning-disabled
 no bridge-group 10 source-learning
!
interface GigabitEthernet0.20
 encapsulation dot1Q 20
 no ip route-cache
 bridge-group 20
 bridge-group 20 spanning-disabled
 no bridge-group 20 source-learning
!
! Native VLAN 99 must match 'switchport trunk native vlan 99' on the router's trunk ports.
interface GigabitEthernet0.99
 encapsulation dot1Q 99 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 spanning-disabled
 no bridge-group 1 source-learning
!
! Management IP via DHCP; the client-id is what the router's 'ip dhcp pool AP1..AP3'
! reservations key on.
interface BVI1
 ip address dhcp client-id GigabitEthernet0
 no ip route-cache
 no shutdown
!
ip forward-protocol nd
! NOTE(review): the web UI used in 'Configure WPA2 from WEB' below runs over plain HTTP, so
! admin credentials and the WPA keys typed into it cross the management VLAN unencrypted.
! Enable 'ip http secure-server' (and 'no ip http server') if the GUI is kept.
ip http server
ip http authentication aaa
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
!
!
bridge 1 route ip
!
!
!
! Console has no exec-timeout here (the router config uses 'exec-timeout 5 0').
line con 0
! SSH only; telnet is refused.
line vty 0 4
 transport input ssh
! Time from the router's Vlan99 address ('ntp master' on the router); SNTP is an
! unauthenticated one-way client.
sntp server 10.0.99.100
!
end
Enable sending logs to syslog server
! Syslog from the AP's wired interface to 10.0.10.5, which sits inside the addresses the
! router excludes from the WIRELESS pool. Syslog over UDP is unauthenticated and
! unencrypted, so keep the collector on a trusted segment.
logging source-interface GigabitEthernet0
logging 10.0.10.5

Configure WPA2 from WEB

Security > Encryption Manager
  1. Set Encryption Mode and Keys for VLAN: from drop down menu
  2. Tick Cipher and from drop down menu AES CCMP
Security > SSID Manager
  1. Select <NEW>
  2. Type SSID_name into SSID box
  3. Select VLAN
  4. Tick Interface Radio0 (2.4 GHz)
  5. Key Management: Mandatory
  6. Tick: Enable WPA and select WPAv2 from drop down menu
  7. Enter your WPA Pre-shared Key into a box
  8. Enable SSID broadcast in beacons (requires enabling per SSID)
    1. Go to section: Multiple BSSID Beacon Settings
    2. Check: Set SSID as Guest Mode
  9. Press Apply
  10. Enable multiple SSIDs to be broadcast (requires enabling once per AP/radio)
    1. Go to section: Guest Mode/Infrastructure SSID Settings
    2. Check: Multiple BSSID
    3. Press Apply
Error message when ticking CCKM
ERROR:
VLAN 99 cannot support CCKM.
Set 'Encryption Mode' to 'Cipher' on all radio interfaces before selecting CCKM (See Security> Encryption  Manager).
Error message when enabling WPA
ERROR:
VLAN 99 cannot support WPA optional.
Set 'Encryption Mode' to 'Cipher', 'TKIP + WEP 40 bit' or 'TKIP + WEP 128 bit' 
or 'AES CCMP + TKIP + WEP 40 bit', or 'AES CCMP + TKIP + WEP 128 bit' on all radio interfaces before selecting WPA.
(See Security> Encryption Manager) To set the correct 'Key Management', follow the steps below: STEP 1:Set the 'Key Management' to 'None'. STEP 2:Set the 'Cipher' to 'TKIP' or 'AES CCMP' or 'AES CCMP + TKIP'.(see Security>Encryption Manager) STEP 3:Set the 'Authenticated Key Management' to 'WPA' and 'Mandatory'.

Basic router config

Applying config

  1. Adapt the config to your needs following the color coding and place it in the TFTP root folder
    • change/update system users and passwords
    • change the hostname
    • update with the APs' Ethernet MAC addresses
    • update the router serial number
  2. Connect interface Gi0/0 to a laptop running a TFTP server
  3. Optional: on Windows, issue route CHANGE 0.0.0.0 MASK 0.0.0.0 10.10.10.2 METRIC 50 IF 13 to maintain internet access.
  4. At the router, issue copy tftp: startup-config and follow the wizard
  5. Reload the router by issuing reload, but do not save changes to the NVRAM configuration
  6. Generate an RSA crypto key to enable SSH version 2
  7. Apply VLANs

Router config

! Last configuration change at ##:##:## UTC Wed Oct ## 2013 by tech
! NOTE(review): this rendered listing contains every WAN variant at once (the colour key
! printed after 'end' is lost in plain text): two 'interface GigabitEthernet0/0', two
! 'interface Dialer0', two 'interface Cellular0/0/0', duplicated 'controller' lines, two
! 'line 0/0/0' stanzas and four 'ip nat source list 1' / 'ip route 0.0.0.0' pairs.
! Keep exactly one WAN variant (and one NAT/default-route pair) in the file you load by TFTP.
version 15.2
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
! Type-7 obfuscation of line/PPP/SNMP passwords in 'show run'; reversible, not a hash.
service password-encryption
!
hostname $ID-r1
!
boot-start-marker
boot-end-marker
!
!
! Log who enters privileged mode.
logging userinfo
logging buffered 50000
logging console warnings
! Stored hashed; 'enablepassword' is a placeholder to replace before loading.
enable secret enablepassword
!
aaa new-model
!
!
aaa authentication password-prompt LocalPassword:
aaa authentication username-prompt LocalUsername:
! Default list: vty/SSH logins use the local username database below.
aaa authentication login default local
! force to use aaa auth on console line
! 'admin-con' authenticates with the line password of 'line con 0' (see the line section),
! not with the per-user accounts, so console access is not attributable to a user.
aaa authentication login admin-con line
aaa authorization exec default local 
!
!
!
!
!
aaa session-id common
clock timezone GMT 0 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 2:00
!
no ipv6 cef
! Drop source-routed IP packets.
no ip source-route
ip cef
!
!
!
! Keep the low addresses of each pool for infrastructure (gateways, APs) and the top of
! each /23 out of the pool (presumably for static hosts).
ip dhcp excluded-address 10.0.10.1 10.0.10.10
ip dhcp excluded-address 10.0.11.240 10.0.11.254
ip dhcp excluded-address 10.0.20.1 10.0.20.10
ip dhcp excluded-address 10.0.21.240 10.0.21.254
ip dhcp excluded-address 10.0.99.100
ip dhcp excluded-address 10.0.99.1 10.0.99.10
!
! Staff wireless clients (VLAN 10). 'import all' passes on options learned on the WAN
! (e.g. DNS from 'ppp ipcp dns request').
ip dhcp pool WIRELESS
 import all
 network 10.0.10.0 255.255.254.0
 default-router 10.0.10.1 
 dns-server 10.0.10.1 8.8.8.8 
 domain-name lan.gateway
 lease 0 2
!
! Guest wireless clients (VLAN 20).
ip dhcp pool WIRELESS-GUEST
 network 10.0.20.0 255.255.254.0
 default-router 10.0.20.1 
 dns-server 10.0.20.1 8.8.8.8 
 domain-name lan-guest.gateway
 lease 0 2
!
! Management VLAN 99 (the APs live here).
ip dhcp pool MANAGEMENT
 network 10.0.99.0 255.255.255.128
 default-router 10.0.99.100 
 dns-server 10.0.99.100 8.8.8.8 
 domain-name lan.management
 lease 0 2
!
! Fixed leases for the three APs, keyed on '01' + the AP's GigabitEthernet0 MAC (the AP
! requests 'ip address dhcp client-id GigabitEthernet0'). These are the values to update
! with the APs' Ethernet MAC addresses when deploying.
ip dhcp pool AP1
 host 10.0.99.1 255.255.255.128
 client-identifier 017c.69f6.e1d8.7d
!
ip dhcp pool AP2
 host 10.0.99.2 255.255.255.128
 client-identifier 017c.69f6.e1d9.18
!
ip dhcp pool AP3
 host 10.0.99.3 255.255.255.128
 client-identifier 017c.69f6.e1d9.78
!
! Wired clients on Gi0/1.
ip dhcp pool LAN
 network 10.0.30.0 255.255.254.0
 default-router 10.0.30.1 
 ! line below is optional in case you want to hand out different DNS servers than the router itself is using
 ! NOTE(review): this placeholder lacks the '$' prefix used by the name-server lines below;
 ! a '$'-driven search-and-replace will miss it.
 dns-server primary_dns secondary_dns
 domain-name lan.gateway
 lease 0 2
!
no ip bootp server
! NOTE(review): 'geteway' - the AP config uses 'lma.gateway'; looks like a typo. The domain
! name also typically forms part of the default RSA key label when SSH keys are generated.
ip domain name lma.geteway
!
ip name-server $primary_dns
ip name-server $secondary_dns
!
! After 3 failed logins within 300 s, refuse all logins for 300 s (quiet mode). Add
! 'login quiet-mode access-class <acl>' so management hosts are not locked out as well.
login block-for 300 attempts 3 within 300
no ipv6 cef
multilink bundle-name authenticated
!
! Modem chat scripts for the 3G (hspa) and 4G (LTE) cellular variants; referenced from
! 'dialer string' and the 'line 0/0/0 script' entries below.
chat-script hspa "" "AT!SCACT=1,1" TIMEOUT 60 "OK"
chat-script LTE "" "AT!CALL1" TIMEOUT 20 "OK"
!
!
! NOTE(review): '£' looks like a mistyped '$'; the other placeholders use '$'.
license udi pid CISCO1941/K9 sn £routerserialnumber
!
license accept end user agreement
! Security (VPN/firewall) and data feature packages are left disabled.
license boot module c1900 technology-package securityk9 disable
license boot module c1900 technology-package datak9 disable
!
!
! Local accounts: 'tech' at privilege 0 (minimal command set), 'neteng' at privilege 15.
! '0' means the secret is typed in cleartext and then stored hashed. Both use the
! placeholder 'password' - give each account its own value.
username ****tech privilege 0 secret 0 password
username **neteng  privilege 15 secret 0 password
!
!
! Duplicated lines: one per cellular variant and one per xDSL variant.
controller Cellular 0/0
controller Cellular 0/0
controller VDSL 0/0/0
controller VDSL 0/0/0
!
! SSHv2 only. No 'ip ssh time-out' / 'ip ssh authentication-retries' here (the AP config sets both).
ip ssh version 2
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
! Variant: Gi0/0 unused (left shut) when a cellular or xDSL WAN is in use.
interface GigabitEthernet0/0
 no ip address
 duplex auto
 speed auto
 shutdown
!
! Variant (grey): Gi0/0 is the WAN Ethernet hand-off from the ISP.
interface GigabitEthernet0/0
description --> WAN $WiMAX ##Mbps down/up
! NOTE(review): 'subnet_mask' lacks the '$' the other placeholders use.
ip address $public_ip subnet_mask
! Leave the 'access-group' lines commented out unless you apply the ACLs in the same change.
! NOTE(review): no access-list named INTERNET-IN or INTERNET-OUT is defined anywhere in this
! listing, so with these lines commented out the WAN port has no inbound filter beyond uRPF.
! ip access-group INTERNET-IN in
! ip access-group INTERNET-OUT out
! Strict uRPF: drop packets whose source address is not routed back out this interface.
ip verify unicast reverse-path
! NAT virtual-interface (NVI) mode; pairs with 'ip nat source list 1 interface Gi0/0 overload' below.
ip nat enable
! Do not answer NTP on the WAN side (see 'Configure NTP' below).
ntp disable
no shutdown
!
!
! Wired user LAN, NAT inside.
interface GigabitEthernet0/1
 description Wired user LAN
 ip address 10.0.30.1 255.255.254.0
 ip nat enable
 duplex auto
 speed auto
 no shutdown
!
! Variant (purple): BT Business ADSL over ATM, PPP via dialer pool 1.
interface ATM0/0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no atm ilmi-keepalive
 ntp disable
 pvc 0/38 
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
! BT Infinity - PPPoE, interface atm0/0/0 need to be shutdown
! Variant (orange): PPPoE on VLAN 101 feeding dialer pool 1.
interface Ethernet0/0/0
 no ip address
!
interface Ethernet0/0/0.101
 encapsulation dot1Q 101
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
! EHWIC switch ports 0-2: trunks to the APs. Native VLAN 99 carries AP management untagged
! and must match 'encapsulation dot1Q 99 native' on the AP's GigabitEthernet0.99.
interface GigabitEthernet0/1/0
 description --> trunk to AP
 switchport trunk native vlan 99
 switchport trunk allowed vlan 1,10,20,99,1002-1005
 switchport mode trunk
 no ip address
 no shutdown
!
interface GigabitEthernet0/1/1
 description --> trunk to AP
 switchport trunk native vlan 99
 switchport trunk allowed vlan 1,10,20,99,1002-1005
 switchport mode trunk
 no ip address
 no shutdown
!
interface GigabitEthernet0/1/2
 description --> trunk to AP
 switchport trunk native vlan 99
 switchport trunk allowed vlan 1,10,20,99,1002-1005
 switchport mode trunk
 no ip address
 no shutdown
!
! EHWIC switch port 3: untagged access port in the management VLAN.
interface GigabitEthernet0/1/3
 description Management VLAN99 access port
 switchport access vlan 99
 no ip address
 no shutdown
!
! Variant (green): 3G WAN on the cellular EHWIC; NAT outside, dials 'hspa' in-band.
 interface Cellular0/0/0
 description WAN link to 3G Vodafone-APN
 ip address negotiated
 ip nat enable
 encapsulation slip
 dialer in-band
 dialer string hspa
 dialer-group 1
 async mode interactive
!
interface Cellular0/0/1
 no ip address
 encapsulation slip
!
! Variant (red): 4G WAN; the dialer pool member behind 'interface Dialer1'.
interface Cellular0/0/0
 description WAN link to 4G Vodafone-APN
 ip address negotiated
 encapsulation slip
 dialer in-band
 dialer pool-member 1
 dialer-group 1
 async mode interactive
 routing dynamic
!
interface Vlan1
 no ip address
 shutdown
!
! SVIs for the AP VLANs; all are NAT inside.
interface Vlan10
 ip address 10.0.10.1 255.255.254.0
 ip nat enable
 no shutdown
!
interface Vlan20
 ip address 10.0.20.1 255.255.254.0
 ip nat enable
 no shutdown
!
! Management SVI; also the NTP source the APs use ('sntp server 10.0.99.100').
interface Vlan99
 description Eherswitch Management Interface
 ip address 10.0.99.100 255.255.255.128
 ntp broadcast
 no shutdown
!
! Variant (orange): PPPoE dialer for BT Infinity. MTU 1492 / MSS 1452 leave room for the
! 8-byte PPPoE header.
interface Dialer0
 description BT Infinity 40Mb down / 10 Mb upload
 mtu 1492
 ip address ip.add.re.ss m.a.s.k
 ! no ip redirects #removed due to causing VPN reconnection
 no ip unreachables
 no ip proxy-arp
 ip nat enable
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 ntp disable
 ! Methods accepted on incoming calls. The 'ppp pap sent-username' line below answers a PAP
 ! request from the ISP, i.e. the credentials go over the link in cleartext if PAP is chosen.
 ppp authentication pap chap ms-chap callin
 ppp chap hostname D******@hg52.btclick.com
 ! '0' = entered in cleartext; stored type 7 (reversible) under service password-encryption.
 ppp chap password 0 ******
 ppp pap sent-username D******@hg52.btclick.com password 0 ******
 ppp ipcp dns request
 no cdp enable
!
! Variant (purple): PPPoA dialer for BT Business ADSL; CHAP only.
interface Dialer0
 description BT ADSL 5Mdown/1Mup acc: WM****** no:0********
 ! for dynamic public ip replace the line below with 'ip address negotiated'
 ip address $static_public_ip $subnet_mask
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat enable
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ntp disable
 ppp authentication chap callin
 ppp chap hostname D******@hg52.btclick.com
 ppp chap password 0 ******
 ppp pap sent-username D******@hg52.btclick.com password 0 ******
 ppp ipcp dns request
 no cdp enable
!
! Variant (red): persistent 4G dialer, never idles out.
 interface Dialer1
 ip address negotiated
 ip nat enable
 encapsulation slip
 dialer pool 1
 dialer idle-timeout 0
 dialer string LTE
 dialer persistent
 dialer-group 1
!
ip forward-protocol nd
!
! No HTTP/HTTPS management on the router (the AP still runs plain HTTP; see the AP config).
no ip http server
no ip http secure-server
!
! Router answers DNS for the LAN (the DHCP pools hand out the router's own address) and
! resolves via the 'ip name-server' entries above.
! NOTE(review): nothing here restricts which sources may query it - confirm WAN-side
! queries are not answered once the interface ACLs are in place.
ip dns server
!
! Variant (green): 3G - NAT everything out of Cellular0/0/0, default route via it.
ip nat source list 1 interface Cellular0/0/0 overload
ip route 0.0.0.0 0.0.0.0 Cellular0/0/0
!
! NOTE(review): 'permit any' as the NAT inside list translates every source address; the
! xDSL/Ethernet variants below use 10.0.0.0/16, which is the tighter choice.
access-list 1 permit any
dialer-list 1 protocol ip permit
!
! Variant (red): 4G via Dialer1.
ip nat source list 1 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
access-list 1 permit any
dialer-list 1 protocol ip permit
!
! Variant (purple/orange): BT ADSL or Infinity via Dialer0.
ip nat source list 1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
access-list 1 permit 10.0.0.0 0.0.255.255
dialer-list 1 protocol ip permit
!
! Variant (grey): WAN Ethernet on Gi0/0.
ip nat source list 1 interface Gi0/0 overload
ip route 0.0.0.0 0.0.0.0 Gi0/0
!
access-list 1 permit 10.0.0.0 0.0.255.255
!
! NTP peer filter for 'ntp access-group peer 20' below. Every permitted sync is logged here,
! while the 'Configure NTP' section later logs the denies instead - keep one form.
access-list 20 remark Allow Management devices sync NTP clock
access-list 20 permit 10.0.99.0 0.0.0.127 log
access-list 20 deny   any
!
!
! NOTE(review): 'site' is the name of the access-list meant to limit this read-only
! community, but no ACL named 'site' exists in this listing; an ACL that does not exist
! imposes no restriction. SNMPv2c community strings travel in cleartext. The 'Configure
! SNMP' section later uses community 'hardpassword' restricted by ACL 60 instead.
snmp-server community contingency RO site
! No 'snmp-server host' is configured, so the enabled traps have no destination.
snmp-server enable traps entity-sensor threshold
!
!
!
control-plane
!
!
banner motd ^
This system is for COMPANY authorized use only. It is
monitored to detect improper use and other illicit activity.
There is no expectation of privacy while using this system.

^
!
! Console: 5-minute idle timeout, authenticated with the line password via the 'admin-con'
! list. The password is stored type 7 (reversible) - anyone holding the config can read it.
line con 0
 exec-timeout 5 0
 password 0 consolepassword
 logging synchronous
 login authentication admin-con
! NOTE(review): aux line left at defaults; if nothing is attached consider 'no exec' and
! 'transport input none'.
line aux 0
! Console line of the Embedded Service Engine; 'no exec' so no shell is offered on it.
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
! Cellular modem line, 3G variant (chat-script hspa).
line 0/0/0
 exec-timeout 0 0
 script dialer hspa
 script activation hspa
 modem InOut
 no exec


line 0/0/1
 no exec
!
! Cellular modem line, 4G variant (chat-script LTE) - duplicate of 'line 0/0/0' above.
line 0/0/0
 exec-timeout 0 0
 script dialer LTE
 script activation LTE
 modem InOut
 no exec
!
! SSH-only vty; no 'exec-timeout' (IOS default is 10 minutes) and no 'access-class'
! restricting source addresses.
line vty 0 4
 logging synchronous
 transport input ssh
!
scheduler allocate 20000 1000
ntp logging
! Only ACL 20 sources (management VLAN) may peer with / sync from this router.
ntp access-group peer 20
! Router is the time source for the LAN (APs use 'sntp server 10.0.99.100').
ntp master
!
end
Key
  • Blue - variables: passwords, host names, serial numbers
  • Green - Cellular/3G card configuration
  • Red - Cellular/4G card configuration
  • Purple - ATM/ADSL card configuration, BT Business ADSL
  • Orange - PPPoE, BT Infinity
  • Grey - WAN Ethernet RJ45 from ISP

Applying VLANs

conf t
! VLAN names as referenced by the AP's 'dot11 vlan-name' entries. VLAN 99 is also the native
! VLAN on the AP trunk ports, so AP management frames travel untagged between router and AP.
vlan 10
name WIRELESS
vlan 20
name GUEST-WIRELESS
vlan 99
name MANAGEMENT&NATIVE
^Z
Verify
R1#sh vlan-switch

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/1/1, Gi0/1/2
10   WIRELESS                         active
20   GUEST-WIRELESS                   active
99   MANAGEMENT&NATIVE                active    Gi0/1/3
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        1002   1003
10   enet  100010     1500  -      -      -        -    -        0      0
20   enet  100020     1500  -      -      -        -    -        0      0
99   enet  100099     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        1      1003
1003 tr    101003     1500  1005   0      -        -    srb      1      1002
1004 fdnet 101004     1500  -      -      1        ibm  -        0      0
1005 trnet 101005     1500  -      -      1        ibm  -        0      0

Configure NTP

Router NTP config
! Only hosts permitted by the access-list may sync time from this router
! NOTE(review): this form logs denies and not permits; the ACL 20 in the full router config
! above does the opposite - keep one form.
access-list 20 remark Allow Management devices sync NTP clock
access-list 20 permit 10.0.99.0 0.0.0.127
access-list 20 deny   any log
! Disable NTP on the WAN interfaces
Interface Dialer 0
 ntp disable
! Advertise time into the management VLAN
Interface Vlan99
 ntp broadcast
Interface ATM0/0/0
 ntp disable
ntp logging
! Apply the filter above; this router is the LAN's time source
ntp access-group peer 20
ntp master
Access point NTP config
! AP takes time from the router's Vlan99 address; SNTP is an unauthenticated one-way client.
sntp server 10.0.99.100

Configure SNMP

! protect snmp RO (read-only) with an access-list
! Read-only SNMP is limited to the wireless subnet (10.0.10.0/23) and the management
! range (10.0.99.0/25); everything else is denied and logged.
access-list 60 remark Access to read SNMP messages
access-list 60 permit 10.0.10.0 0.0.1.255
access-list 60 permit 10.0.99.0 0.0.0.127
access-list 60 deny   any log
! SNMP configuration
! 'hardpassword' is a placeholder community string. SNMPv2c sends it in cleartext, so the
! ACL above is the only real control; SNMPv3 ('snmp-server group' / 'snmp-server user' with
! auth/priv) avoids that.
snmp-server community hardpassword RO 60
snmp-server location BuldingID
snmp-server contact AdminID
! log wrong community string attempts
logging snmp-authfail
Test

Device

# Quick reachability check. The community string on the command line ends up in shell
# history and process listings; treat it like a password.
snmpstatus -c 'communitystring' -v2c DEV_IP_ADDRESS

List of interfaces

# Walk ifDescr (.1.3.6.1.2.1.2.2.1.2) on the router's management address to list interfaces.
snmpwalk -c 'communitystring' -v2c 10.0.99.100 .1.3.6.1.2.1.2.2.1.2
iso.3.6.1.2.1.2.2.1.2.1 = STRING: "Embedded-Service-Engine0/0"
iso.3.6.1.2.1.2.2.1.2.2 = STRING: "GigabitEthernet0/0"
iso.3.6.1.2.1.2.2.1.2.3 = STRING: "GigabitEthernet0/1"
<-- output omitted -->
iso.3.6.1.2.1.2.2.1.2.15 = STRING: "Vlan20"
iso.3.6.1.2.1.2.2.1.2.16 = STRING: "Vlan99"
iso.3.6.1.2.1.2.2.1.2.17 = STRING: "Dialer1"

Uptime

# sysUpTime (.1.3.6.1.2.1.1.3.0) over SNMPv1; the community string is sent in cleartext -
# prefer -v3 where the device supports it.
snmpget -M MIBs -v1 -c hardpassword 10.0.99.100 .1.3.6.1.2.1.1.3.0
iso.3.6.1.2.1.1.3.0 = Timeticks: (591121) 1:38:31.21

References