Difference between revisions of "Cisco 1941 with AIR-SAP 1602E-E-K9 Standalone"
(Created page with "Here below you will find a basic configuration of AIR-SAP 1602E-E-K9 access point connected to 4-port EHWIC card inserted into Cisco 1941 ISR G2 modular router. = Product codd...") |
|||
(83 intermediate revisions by the same user not shown) | |||
Line 28: | Line 28: | ||
PID: AIR-SAP1602E-E-K9 , VID: V01, SN: ********x11 | PID: AIR-SAP1602E-E-K9 , VID: V01, SN: ********x11 | ||
Please notice that | Please notice that access points are powered by Power Over Ethernet. There is a difference power consumption for AIR-CAP (managed) access point that uses 13W vs AIR-SAP (standalone) uses 15.4W. | ||
#sh power inline | |||
PowerSupply SlotNum. Maximum Allocated Status | PowerSupply SlotNum. Maximum Allocated Status | ||
----------- -------- ------- --------- ------ | ----------- -------- ------- --------- ------ | ||
Line 40: | Line 41: | ||
Gi0/1/3 auto IEEE-3 On 15.400 Watts PHONE | Gi0/1/3 auto IEEE-3 On 15.400 Watts PHONE | ||
= Basic router config = | |||
== Applying config == | |||
#Shape config to your needs following color coding and place into TFTP root folder | |||
#*change update system users and passwords | |||
#*change hostname | |||
#*update with APs ethernet mac addresses | |||
#*update the router serial number | |||
#Connect Interface Gi0/0 to a laptop running TFTP server | |||
#Optional, issue from Windows <code>route CHANGE 0.0.0.0 MASK 0.0.0.0 10.10.10.2 METRIC 50 IF 13</code> to maintain access to internet. | |||
#At router, issue <code>copy tftp: startup-config</code> and follow the wizard | |||
#Reload the router issuing <code>reload</code> but do not save changes to nvram configuration | |||
#Activate the licence<br/><code>license udi pid CISCO1941/K9 sn $routerserialnumber</code><br/><code>license accept end user agreement</code> | |||
#Generate RSA crypto key to enable ssh 2 | |||
#Apply VLANs | |||
== Router config == | |||
! Last configuration change at ##:##:## UTC Wed Oct ## 2013 by tech | |||
version 15.2 | |||
service timestamps debug datetime msec localtime show-timezone | |||
service timestamps log datetime msec localtime show-timezone | |||
service password-encryption | |||
! | |||
hostname <span style="color: blue">$ID-r1</span> | |||
! | |||
boot-start-marker | |||
boot-end-marker | |||
! | |||
! | |||
logging userinfo | |||
logging buffered 50000 | |||
logging console warnings | |||
enable secret <span style="color: blue">enablepassword</span> | |||
! | |||
aaa new-model | |||
! | |||
! | |||
aaa authentication password-prompt LocalPassword: | |||
aaa authentication username-prompt LocalUsername: | |||
aaa authentication login default local | |||
! force to use aaa auth on console line | |||
aaa authentication login admin-con line | |||
aaa authorization exec default local | |||
! | |||
! | |||
! | |||
! | |||
! | |||
aaa session-id common | |||
clock timezone GMT 0 0 | |||
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 2:00 | |||
! | |||
no ipv6 cef | |||
no ip source-route | |||
ip cef | |||
! | |||
! | |||
! | |||
ip dhcp excluded-address 10.0.10.1 10.0.10.10 | |||
ip dhcp excluded-address 10.0.11.240 10.0.11.254 | |||
ip dhcp excluded-address 10.0.20.1 10.0.20.10 | |||
ip dhcp excluded-address 10.0.21.240 10.0.21.254 | |||
ip dhcp excluded-address 10.0.99.100 | |||
ip dhcp excluded-address 10.0.99.1 10.0.99.10 | |||
! | |||
ip dhcp pool WIRELESS | |||
import all | |||
network 10.0.10.0 255.255.254.0 | |||
default-router 10.0.10.1 | |||
dns-server 10.0.10.1 8.8.8.8 | |||
domain-name lan.gateway | |||
lease 0 2 | |||
! | |||
ip dhcp pool WIRELESS-GUEST | |||
network 10.0.20.0 255.255.254.0 | |||
default-router 10.0.20.1 | |||
dns-server 10.0.20.1 8.8.8.8 | |||
domain-name lan-guest.gateway | |||
lease 0 2 | |||
! | |||
ip dhcp pool MANAGEMENT | |||
network 10.0.99.0 255.255.255.128 | |||
default-router 10.0.99.100 | |||
dns-server 10.0.99.100 8.8.8.8 | |||
domain-name lan.management | |||
lease 0 2 | |||
! | |||
ip dhcp pool AP1 | |||
host 10.0.99.1 255.255.255.128 | |||
client-identifier 01<span style="color: blue">7c.69f6.e1d8.7d</span> | |||
! | |||
ip dhcp pool AP2 | |||
host 10.0.99.2 255.255.255.128 | |||
client-identifier 01<span style="color: blue">7c.69f6.e1d9.18</span> | |||
! | |||
ip dhcp pool AP3 | |||
host 10.0.99.3 255.255.255.128 | |||
client-identifier 01<span style="color: blue">7c.69f6.e1d9.78</span> | |||
! | |||
ip dhcp pool LAN | |||
network 10.0.30.0 255.255.254.0 | |||
default-router 10.0.30.1 | |||
! line below is optional in case you want to hand out different DNS servers than the router itself is using | |||
dns-server <span style="color: blue">primary_dns secondary_dns</span> | |||
domain-name lan.gateway | |||
lease 0 2 | |||
! | |||
no ip bootp server | |||
ip domain name lma.geteway | |||
! | |||
<span style="color: grey">ip name-server <span style="color: blue">$primary_dns</span> | |||
ip name-server <span style="color: blue">$secondary_dns</span></span> | |||
! | |||
login block-for 300 attempts 3 within 300 | |||
no ipv6 cef | |||
multilink bundle-name authenticated | |||
! | |||
<span style="color: green">chat-script hspa "" "AT!SCACT=1,1" TIMEOUT 60 "OK"</span> | |||
<span style="color: red">chat-script LTE "" "AT!CALL1" TIMEOUT 20 "OK"</span> | |||
! | |||
! | |||
license udi pid CISCO1941/K9 sn <span style="color: blue">£routerserialnumber</span> | |||
! | |||
license accept end user agreement | |||
license boot module c1900 technology-package securityk9 disable | |||
license boot module c1900 technology-package datak9 disable | |||
! | |||
! | |||
username <span style="color: blue">****tech</span> privilege 0 secret 0 <span style="color: blue">password</span> | |||
username <span style="color: blue">**neteng</span> privilege 15 secret 0 <span style="color: blue">password</span> | |||
! | |||
! | |||
<span style="color: green">controller Cellular 0/0</span> | |||
<span style="color: red">controller Cellular 0/0</span> | |||
<span style="color: purple">controller VDSL 0/0/0</span> | |||
<span style="color: orange">controller VDSL 0/0/0</span> | |||
! | |||
ip ssh version 2 | |||
! | |||
! | |||
! | |||
! | |||
interface Embedded-Service-Engine0/0 | |||
no ip address | |||
shutdown | |||
! | |||
interface GigabitEthernet0/0 | |||
no ip address | |||
duplex auto | |||
speed auto | |||
shutdown | |||
! | |||
<span style="color: grey">interface GigabitEthernet0/0 | |||
description --> WAN $WiMAX ##Mbps down/up | |||
ip address <span style="color: blue">$public_ip subnet_mask</span> | |||
! Comment out 'access-group' lines only when you applying ACLs at the same time | |||
! ip access-group INTERNET-IN in | |||
! ip access-group INTERNET-OUT out | |||
ip verify unicast reverse-path | |||
ip nat enable | |||
ntp disable | |||
no shutdown</span> | |||
! | |||
! | |||
interface GigabitEthernet0/1 | |||
description Wired user LAN | |||
ip address 10.0.30.1 255.255.254.0 | |||
ip nat enable | |||
duplex auto | |||
speed auto | |||
no shutdown | |||
! | |||
<span style="color: purple">interface ATM0/0/0 | |||
no ip address | |||
no ip redirects | |||
no ip unreachables | |||
no ip proxy-arp | |||
no atm ilmi-keepalive | |||
ntp disable | |||
pvc 0/38 | |||
encapsulation aal5mux ppp dialer | |||
dialer pool-member 1 | |||
!</span> | |||
! | |||
<span style="color: orange">! BT Infinity - PPPoE, interface atm0/0/0 need to be shutdown | |||
interface Ethernet0/0/0 | |||
no ip address | |||
! | |||
interface Ethernet0/0/0.101 | |||
encapsulation dot1Q 101 | |||
pppoe enable group global | |||
pppoe-client dial-pool-number 1</span> | |||
! | |||
interface GigabitEthernet0/1/0 | |||
description --> trunk to AP | |||
switchport trunk native vlan 99 | |||
switchport trunk allowed vlan 1,10,20,99,1002-1005 | |||
switchport mode trunk | |||
no ip address | |||
no shutdown | |||
! | |||
interface GigabitEthernet0/1/1 | |||
description --> trunk to AP | |||
switchport trunk native vlan 99 | |||
switchport trunk allowed vlan 1,10,20,99,1002-1005 | |||
switchport mode trunk | |||
no ip address | |||
no shutdown | |||
! | |||
interface GigabitEthernet0/1/2 | |||
description --> trunk to AP | |||
switchport trunk native vlan 99 | |||
switchport trunk allowed vlan 1,10,20,99,1002-1005 | |||
switchport mode trunk | |||
no ip address | |||
no shutdown | |||
! | |||
interface GigabitEthernet0/1/3 | |||
description Management VLAN99 access port | |||
switchport access vlan 99 | |||
no ip address | |||
no shutdown | |||
! | |||
<span style="color: green">interface Cellular0/0/0 | |||
description WAN link to 3G Vodafone-APN | |||
ip address negotiated | |||
ip nat enable | |||
encapsulation slip | |||
dialer in-band | |||
dialer string hspa | |||
dialer-group 1 | |||
async mode interactive | |||
! | |||
interface Cellular0/0/1 | |||
no ip address | |||
encapsulation slip</span> | |||
! | |||
<span style="color: red">interface Cellular0/0/0 | |||
description WAN link to 4G Vodafone-APN | |||
ip address negotiated | |||
encapsulation slip | |||
dialer in-band | |||
dialer pool-member 1 | |||
dialer-group 1 | |||
async mode interactive | |||
routing dynamic</span> | |||
! | |||
interface Vlan1 | |||
no ip address | |||
shutdown | |||
! | |||
interface Vlan10 | |||
ip address 10.0.10.1 255.255.254.0 | |||
ip nat enable | |||
no shutdown | |||
! | |||
interface Vlan20 | |||
ip address 10.0.20.1 255.255.254.0 | |||
ip nat enable | |||
no shutdown | |||
! | |||
interface Vlan99 | |||
description Eherswitch Management Interface | |||
ip address 10.0.99.100 255.255.255.128 | |||
ntp broadcast | |||
no shutdown | |||
! | |||
<span style="color: orange">interface Dialer0 | |||
description BT Infinity 40Mb down / 10 Mb upload | |||
mtu 1492 | |||
ip address ip.add.re.ss m.a.s.k | |||
! no ip redirects #removed due to causing VPN reconnection | |||
no ip unreachables | |||
no ip proxy-arp | |||
ip nat enable | |||
ip virtual-reassembly in | |||
encapsulation ppp | |||
ip tcp adjust-mss 1452 | |||
dialer pool 1 | |||
dialer-group 1 | |||
ntp disable | |||
ppp authentication pap chap ms-chap callin | |||
ppp chap hostname D******@hg52.btclick.com | |||
ppp chap password 0 ****** | |||
ppp pap sent-username D******@hg52.btclick.com password 0 ****** | |||
ppp ipcp dns request | |||
no cdp enable</span> | |||
! | |||
<span style="color: purple">interface Dialer0 | |||
description BT ADSL 5Mdown/1Mup acc: WM****** no:0******** | |||
! for dynamic public ip replace a lien below with 'ip address negotiated' | |||
ip address <span style="color: blue">$static_public_ip $subnet_mask</span> | |||
no ip redirects | |||
no ip unreachables | |||
no ip proxy-arp | |||
ip nat enable | |||
ip virtual-reassembly in | |||
encapsulation ppp | |||
dialer pool 1 | |||
dialer-group 1 | |||
ntp disable | |||
ppp authentication chap callin | |||
ppp chap hostname <span style="color: blue">D******@hg52.btclick.com</span> | |||
ppp chap password 0 <span style="color: blue">******</span> | |||
ppp pap sent-username <span style="color: blue">D******@hg52.btclick.com</span> password 0 <span style="color: blue">******</span> | |||
ppp ipcp dns request | |||
no cdp enable</span> | |||
! | |||
<span style="color: red"> interface Dialer1 | |||
ip address negotiated | |||
ip nat enable | |||
encapsulation slip | |||
dialer pool 1 | |||
dialer idle-timeout 0 | |||
dialer string LTE | |||
dialer persistent | |||
dialer-group 1</span> | |||
! | |||
ip forward-protocol nd | |||
! | |||
no ip http server | |||
no ip http secure-server | |||
! | |||
ip dns server | |||
! | |||
<span style="color: green">ip nat source list 1 interface Cellular0/0/0 overload | |||
ip route 0.0.0.0 0.0.0.0 Cellular0/0/0 | |||
! | |||
access-list 1 permit any | |||
dialer-list 1 protocol ip permit</span> | |||
! | |||
<span style="color: red">ip nat source list 1 interface Dialer1 overload | |||
ip route 0.0.0.0 0.0.0.0 Dialer1 | |||
! | |||
access-list 1 permit any | |||
dialer-list 1 protocol ip permit</span> | |||
! | |||
<span style="color: purple">ip nat source list 1 interface Dialer0 overload | |||
ip route 0.0.0.0 0.0.0.0 Dialer0 | |||
! | |||
access-list 1 permit 10.0.0.0 0.0.255.255 | |||
dialer-list 1 protocol ip permit</span> | |||
! | |||
<span style="color: grey">ip nat source list 1 interface Gi0/0 overload | |||
ip route 0.0.0.0 0.0.0.0 Gi0/0 | |||
! | |||
access-list 1 permit 10.0.0.0 0.0.255.255</span> | |||
! | |||
access-list 20 remark Allow Management devices sync NTP clock | |||
access-list 20 permit 10.0.99.0 0.0.0.127 log | |||
access-list 20 deny any | |||
! | |||
! | |||
snmp-server community contingency RO site | |||
snmp-server enable traps entity-sensor threshold | |||
! | |||
! | |||
! | |||
control-plane | |||
! | |||
! | |||
banner motd ^ | |||
This system is for COMPANY authorized use only. It is | |||
monitored to detect improper use and other illicit activity. | |||
There is no expectation of privacy while using this system. | |||
^ | |||
! | |||
line con 0 | |||
exec-timeout 5 0 | |||
password 0 <span style="color: blue">consolepassword</span> | |||
logging synchronous | |||
login authentication admin-con | |||
line aux 0 | |||
line 2 | |||
no activation-character | |||
no exec | |||
transport preferred none | |||
transport input all | |||
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh | |||
stopbits 1 | |||
<span style="color: green">line 0/0/0 | |||
exec-timeout 0 0 | |||
script dialer hspa | |||
script activation hspa | |||
modem InOut | |||
no exec | |||
line 0/0/1 | |||
no exec</span> | |||
! | |||
<span style="color: red">line 0/0/0 | |||
exec-timeout 0 0 | |||
script dialer LTE | |||
script activation LTE | |||
modem InOut | |||
no exec</span> | |||
! | |||
line vty 0 4 | |||
logging synchronous | |||
transport input ssh | |||
! | |||
scheduler allocate 20000 1000 | |||
ntp logging | |||
ntp access-group peer 20 | |||
ntp master | |||
! | |||
end | |||
;Key: | |||
*<span style="color: blue">Blue - variables: passwords, host names, serial numbers</span> | |||
*<span style="color: green">Green - Cellular/3G card configuration</span> | |||
*<span style="color: red">Red - Cellular/4G card configuration</span> | |||
*<span style="color: purple">Purple - ATM/ADSL card configuration, BT Business ADSL</span> | |||
*<span style="color: orange">Orange - PPPoE, BT Infinity</span> | |||
*<span style="color: grey">Grey - WAN Ethernet RJ45 from ISP</span> | |||
== Applying VLANs == | |||
conf t | |||
vlan 10 | |||
name WIRELESS | |||
vlan 20 | |||
name GUEST-WIRELESS | |||
vlan 99 | |||
name MANAGEMENT&NATIVE | |||
^Z | |||
;Verify | |||
R1#sh vlan-switch | |||
VLAN Name Status Ports | |||
---- -------------------------------- --------- ------------------------------- | |||
1 default active Gi0/1/1, Gi0/1/2 | |||
10 WIRELESS active | |||
20 GUEST-WIRELESS active | |||
99 MANAGEMENT&NATIVE active Gi0/1/3 | |||
1002 fddi-default act/unsup | |||
1003 token-ring-default act/unsup | |||
1004 fddinet-default act/unsup | |||
1005 trnet-default act/unsup | |||
VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2 | |||
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------ | |||
1 enet 100001 1500 - - - - - 1002 1003 | |||
10 enet 100010 1500 - - - - - 0 0 | |||
20 enet 100020 1500 - - - - - 0 0 | |||
99 enet 100099 1500 - - - - - 0 0 | |||
1002 fddi 101002 1500 - - - - - 1 1003 | |||
1003 tr 101003 1500 1005 0 - - srb 1 1002 | |||
1004 fdnet 101004 1500 - - 1 ibm - 0 0 | |||
1005 trnet 101005 1500 - - 1 ibm - 0 0 | |||
== Apply Access Lists == | |||
Please make sure you are connected through a console cable as you will lock out yourself. | |||
;Variables: | |||
*<span style="color: blue">$WAN</span> = it is WAN Interface '''Dialer1''' or '''ATM0/0/0''' or '''Gi0/0/0''' | |||
ip access-list extended INTERNET-OUT | |||
permit tcp any any reflect REMEMBER timeout 300 | |||
permit udp any any reflect REMEMBER timeout 300 | |||
permit icmp any any reflect REMEMBER timeout 300 | |||
deny ip any any log | |||
! | |||
ip access-list extended INTERNET-IN | |||
permit udp any eq domain any | |||
permit tcp any any eq 22 | |||
permit icmp host <span style="color: blue">$monitoring_host_ip</span> any echo | |||
evaluate REMEMBER | |||
deny ip any any log | |||
! | |||
! Apply access lists to WAN interface | |||
! | |||
interface <span style="color: blue">$WAN</span> | |||
ip access-group INTERNET-IN in | |||
ip access-group INTERNET-OUT out | |||
== Disable unnecessary services == | |||
no ip source-route | |||
ip options drop | |||
no ip http server | |||
no ip http secure-server | |||
no service tcp-small-servers | |||
no service udp-small-servers | |||
service tcp-keepalives-in | |||
service tcp-keepalives-out | |||
no ip bootp server | |||
no ip finger | |||
no ip identd | |||
no service config | |||
no lldp run | |||
no service pad | |||
Verify you have still access to Internet. | |||
== Configure NTP == | |||
;Router NTP config | |||
! Protect sync time to hosts permitted by access-list | |||
access-list 20 remark Allow Management devices sync NTP clock | |||
access-list 20 permit 10.0.99.0 0.0.0.127 | |||
access-list 20 deny any log | |||
! Disable sending ntp messages on WAN interfaces | |||
Interface Dialer 0 | |||
ntp disable | |||
Interface Vlan99 | |||
ntp broadcast | |||
Interface ATM0/0/0 | |||
ntp disable | |||
ntp logging | |||
ntp access-group peer 20 | |||
ntp master | |||
;Access point NTP config | |||
sntp server 10.0.99.100 | |||
== Configure SNMP == | |||
! protect snmp RO (readonly) with access-list | |||
access-list 60 remark Access to read SNMP messages | |||
access-list 60 permit 10.0.10.0 0.0.1.255 | |||
access-list 60 permit 10.0.99.0 0.0.0.127 | |||
access-list 60 deny any log | |||
! SNMP configuration | |||
snmp-server community <span style="color: blue">hardpassword</span> RO 60 | |||
snmp-server location BuldingID | |||
snmp-server contact AdminID | |||
! log wrong community string attempts | |||
logging snmp-authfail | |||
;Test | |||
Device | |||
snmpstatus -c 'communitystring' -v2c <span style="color: blue">DEV_IP_ADDRESS</span> | |||
List of interfaces | |||
snmpwalk -c 'communitystring' -v2c 10.0.99.100 .1.3.6.1.2.1.2.2.1.2 | |||
iso.3.6.1.2.1.2.2.1.2.1 = STRING: "Embedded-Service-Engine0/0" | |||
iso.3.6.1.2.1.2.2.1.2.2 = STRING: "GigabitEthernet0/0" | |||
iso.3.6.1.2.1.2.2.1.2.3 = STRING: "GigabitEthernet0/1" | |||
<-- output ommited --> | |||
iso.3.6.1.2.1.2.2.1.2.15 = STRING: "Vlan20" | |||
iso.3.6.1.2.1.2.2.1.2.16 = STRING: "Vlan99" | |||
iso.3.6.1.2.1.2.2.1.2.17 = STRING: "Dialer1" | |||
Uptime | |||
snmpget -M MIBs -v1 -c hardpassword 10.0.99.100 .1.3.6.1.2.1.1.3.0 | |||
iso.3.6.1.2.1.1.3.0 = Timeticks: (591121) 1:38:31.21 | |||
= Basic AP config with WPA2-PSK auth = | |||
;Default account credentials on the access point | ;Default account credentials on the access point | ||
Username: Cisco | Username: Cisco | ||
Line 45: | Line 589: | ||
Enabled mode: Cisco | Enabled mode: Cisco | ||
*remember to issue 'no shutdown' on radio interfaces as these are administratively down on brand new switches. No shutdown is added in the config below for <tt>interface Dot11Radio0</tt> | |||
*remember change 'password' and AP 'hostname' when deploying config | |||
* not sure why but when applying config BVI1 interface does not take any changes | |||
* remember to give domain name and generate crypto key otherwise you will not login using ssh, follow below: | |||
conf t | |||
hostname <span style="color: red">ap1</span> | |||
ip domain name <span style="color: orange">home.gateway</span> | |||
! label for '''hostname''':<span style="color: red">ap1</span> and '''ipdomainname''':<span style="color: orange">home.gateway</span> will be <span style="color: red">ap1</span>.<span style="color: orange">home.gateway</span> | |||
crypto key generate rsa label <span style="color: red">ap1</span>.<span style="color: orange">home.gateway</span> general-keys modulus 1024 | |||
! Last configuration change at 01: | ! Last configuration change at 01:54:45 UTC Mon Mar 1 1993 by tech | ||
version 15.2 | version 15.2 | ||
no service pad | no service pad | ||
Line 54: | Line 607: | ||
service password-encryption | service password-encryption | ||
! | ! | ||
hostname <span style="color: blue">ap1</span> | |||
hostname ap1 | |||
! | ! | ||
! | ! | ||
logging rate-limit console 9 | logging rate-limit console 9 | ||
enable secret <span style="color: blue">secretpassword</span> | |||
! | ! | ||
aaa new-model | aaa new-model | ||
! | ! | ||
! | ! | ||
aaa authentication password-prompt LocalPassword: | |||
aaa authentication username-prompt LocalUsername: | |||
aaa authentication login default local | aaa authentication login default local | ||
aaa authorization exec default local | aaa authorization exec default local | ||
Line 73: | Line 628: | ||
no ip routing | no ip routing | ||
no ip cef | no ip cef | ||
ip domain name home.gateway | |||
! | ! | ||
! | ! | ||
! | ! | ||
dot11 syslog | dot11 syslog | ||
dot11 vlan-name Management vlan 99 | |||
dot11 vlan-name Wireless vlan 10 | |||
dot11 vlan-name Wireless-guest vlan 20 | |||
! | |||
dot11 ssid DS_Guest | |||
vlan 20 | |||
authentication open | |||
authentication key-management wpa version 2 | |||
mbssid guest-mode | |||
wpa-psk ascii 0 <span style="color: blue">guestpassword</span> | |||
! | ! | ||
dot11 ssid | dot11 ssid DS_MGM | ||
vlan 99 | |||
authentication open | authentication open | ||
authentication key-management wpa version 2 | authentication key-management wpa version 2 | ||
guest-mode | ! mbssid guest-mode commented out to prevent broadcasting BSSID | ||
wpa-psk ascii 0 <span style="color: blue">managementpassword</span> | |||
! | |||
wpa-psk ascii | dot11 ssid <span style="color: blue">DS_WPA2</span> | ||
vlan 10 | |||
authentication open | |||
authentication key-management wpa version 2 | |||
mbssid guest-mode | |||
wpa-psk ascii 0 <span style="color: blue">wirelesspassword</span> | |||
! | ! | ||
! | ! | ||
Line 90: | Line 662: | ||
! | ! | ||
! | ! | ||
username | username <span style="color: blue">tech</span> privilege 1 secret 0 <span style="color: blue">techpassword</span> | ||
username | username <span style="color: blue">admin</span> privilege 15 secret 0 <span style="color: blue">adminpassword</span> | ||
! | ! | ||
ip ssh time-out 180 | |||
ip ssh authentication-retries 5 | |||
ip ssh version 2 | |||
bridge irb | bridge irb | ||
! | ! | ||
Line 104: | Line 678: | ||
encryption mode ciphers aes-ccm | encryption mode ciphers aes-ccm | ||
! | ! | ||
ssid DS_WPA2 | encryption vlan 10 mode ciphers aes-ccm | ||
! | |||
encryption vlan 20 mode ciphers aes-ccm | |||
! | |||
encryption vlan 99 mode ciphers aes-ccm | |||
! | |||
ssid DS_Guest | |||
! | |||
ssid DS_MGM | |||
! | |||
<span style="color: blue">ssid DS_WPA2</span> | |||
! | ! | ||
antenna gain 0 | antenna gain 0 | ||
stbc | stbc | ||
beamform ofdm | beamform ofdm | ||
mbssid | |||
station-role root | station-role root | ||
no shutdown | |||
! | |||
interface Dot11Radio0.10 | |||
encapsulation dot1Q 10 | |||
no ip route-cache | |||
bridge-group 10 | |||
bridge-group 10 subscriber-loop-control | |||
bridge-group 10 spanning-disabled | |||
bridge-group 10 block-unknown-source | |||
no bridge-group 10 source-learning | |||
no bridge-group 10 unicast-flooding | |||
! | |||
interface Dot11Radio0.20 | |||
encapsulation dot1Q 20 | |||
no ip route-cache | |||
bridge-group 20 | |||
bridge-group 20 subscriber-loop-control | |||
bridge-group 20 spanning-disabled | |||
bridge-group 20 block-unknown-source | |||
no bridge-group 20 source-learning | |||
no bridge-group 20 unicast-flooding | |||
! | |||
interface Dot11Radio0.99 | |||
encapsulation dot1Q 99 native | |||
no ip route-cache | |||
bridge-group 1 | bridge-group 1 | ||
bridge-group 1 subscriber-loop-control | bridge-group 1 subscriber-loop-control | ||
Line 137: | Line 747: | ||
duplex auto | duplex auto | ||
speed auto | speed auto | ||
no shutdown | |||
! | |||
interface GigabitEthernet0.10 | |||
encapsulation dot1Q 10 | |||
no ip route-cache | |||
bridge-group 10 | |||
bridge-group 10 spanning-disabled | |||
no bridge-group 10 source-learning | |||
! | |||
interface GigabitEthernet0.20 | |||
encapsulation dot1Q 20 | |||
no ip route-cache | |||
bridge-group 20 | |||
bridge-group 20 spanning-disabled | |||
no bridge-group 20 source-learning | |||
! | |||
interface GigabitEthernet0.99 | |||
encapsulation dot1Q 99 native | |||
no ip route-cache | |||
bridge-group 1 | bridge-group 1 | ||
bridge-group 1 spanning-disabled | bridge-group 1 spanning-disabled | ||
Line 144: | Line 773: | ||
ip address dhcp client-id GigabitEthernet0 | ip address dhcp client-id GigabitEthernet0 | ||
no ip route-cache | no ip route-cache | ||
no shutdown | |||
! | ! | ||
ip forward-protocol nd | ip forward-protocol nd | ||
Line 158: | Line 788: | ||
line con 0 | line con 0 | ||
line vty 0 4 | line vty 0 4 | ||
transport input | transport input ssh | ||
sntp server 10.0.99.100 | |||
! | ! | ||
end | end | ||
== | ;Enable sending logs to syslog server | ||
logging source-interface GigabitEthernet0 | |||
logging 10.0.10.5 | |||
= Configure WPA2 from WEB = | |||
;Security > Encription Manager | |||
# Set Encryption Mode and Keys for VLAN: from drop down menu | |||
# Tick <tt>Cipher</tt> and from drop down menu <tt>AES CCMP</tt> | |||
;Security > SSID Manager | |||
# Select <NEW> | |||
# Type SSID_name into SSID box | |||
# Select VLAN | |||
# Tick Interface Radio0 (2.4 GHz) | |||
# Key Management: <tt>Mandatory</tt> | |||
# Tick: Enable WPA and select <tt>WPAv2</tt> from drop down menu | |||
# Enter your WPA Pre-shared Key into a box | |||
# Enable SSID broadcast in beacons (requires enabling per SSID) | |||
## Go to section: Multiple BSSID Beacon Settings | |||
## Check: Set SSID as Guest Mode | |||
# Press <tt>Apply</tt> | |||
# Enable multiple SSIDs to be broadcasted (requires enabling once per AP/radio) | |||
## Go to section: Guest Mode/Infrastructure SSID Settings | |||
## Check: <tt>Multiple BSSID</tt> | |||
## Press <tt>Apply</tt> | |||
;Error message when ticking CCKM | |||
ERROR: | |||
VLAN 99 cannot support CCKM. | |||
Set 'Encryption Mode' to 'Cipher' on all radio interfaces before selecting CCKM (See Security> Encryption Manager). | |||
;Error message when enabling WPA | |||
ERROR: | |||
VLAN 99 cannot support WPA optional. | |||
Set 'Encryption Mode' to 'Cipher', 'TKIP + WEP 40 bit' or 'TKIP + WEP 128 bit' <br>or 'AES CCMP + TKIP + WEP 40 bit', or 'AES CCMP + TKIP + WEP 128 bit' on all radio interfaces before selecting WPA.<br>(See Security> Encryption Manager) | |||
To set the correct 'Key Management', follow the steps below: | |||
STEP 1:Set the 'Key Management' to 'None'. | |||
STEP 2:Set the 'Cipher' to 'TKIP' or 'AES CCMP' or 'AES CCMP + TKIP'.(see Security>Encryption Manager) | |||
STEP 3:Set the 'Authenticated Key Management' to 'WPA' and 'Mandatory'. | |||
= References = | |||
*[http://www.cisco.com/en/US/docs/wireless/access_point/1600/quick/guide/ap1600getstart.pdf Cisco Aironet 1600 Series Access Points] Getting Started Guide, December, 2012 Revised: April 16, 2013 | *[http://www.cisco.com/en/US/docs/wireless/access_point/1600/quick/guide/ap1600getstart.pdf Cisco Aironet 1600 Series Access Points] Getting Started Guide, December, 2012 Revised: April 16, 2013 | ||
*[http://www.cisco.com/en/US/prod/collateral/wireless/ps5678/ps12555/data_sheet_c78-715702.html Cisco Aironet 1600 Series Access Point Data Sheet] | *[http://www.cisco.com/en/US/prod/collateral/wireless/ps5678/ps12555/data_sheet_c78-715702.html Cisco Aironet 1600 Series Access Point Data Sheet] | ||
*[http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080665cdf.shtml#wlc Wireless LAN Controller and Lightweight Access Point Basic Configuration Example] | *[http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080665cdf.shtml#wlc Wireless LAN Controller and Lightweight Access Point Basic Configuration Example] | ||
*[http://www.cisco.com/en/US/docs/wireless/access_point/15_2_4_JA/configuration/guide/scg15.2.4_book.html Cisco IOS Software Configuration Guide for Cisco Aironet Access Points for Cisco IOS Releases 15.2(4)JA] | *[http://www.cisco.com/en/US/docs/wireless/access_point/15_2_4_JA/configuration/guide/scg15.2.4_book.html Cisco IOS Software Configuration Guide for Cisco Aironet Access Points for Cisco IOS Releases 15.2(4)JA] | ||
[[Category:cisco]] | [[Category:cisco]] | ||
*[http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080665ceb.shtml#native VLANs on Aironet Access Points Configuration Example] | |||
*[http://www.cisco.com/en/US/docs/wireless/access_point/ios/release/notes/15.2_2_JB.html Release Notes for Cisco Aironet Access Points and Bridges for Cisco IOS Release 15.2(2)JB] Default behavior changes on AP pior IOS15 | |||
*[http://www.cisco.com/en/US/products/ps5855/products_password_recovery09186a0080b3911d.shtml Password Recovery Procedure for the Cisco 1900 Integrated Services Router] |
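Review bot: In the INTERNET-IN list of the 'Apply Access Lists' hunk, `permit udp any eq domain any` admits any UDP datagram whose source port is 53 to any inside host and any port, which is far broader than the reflexive `evaluate REMEMBER` entry needs; if it exists only to admit replies to the router's own forwarder queries (router-originated traffic is not reflected by the outbound list), it should be narrowed to the configured name servers and the WAN address, e.g. `permit udp host $primary_dns eq domain host $public_ip` and `permit udp host $secondary_dns eq domain host $public_ip`. The same list's `permit tcp any any eq 22` exposes SSH to every Internet source; constraining the source the way the `permit icmp host $monitoring_host_ip any echo` line does would limit what `login block-for` has to absorb. In the 'Router config' hunk, `snmp-server community contingency RO site` references an ACL `site` that is defined nowhere in the listing, which on IOS leaves the community unrestricted, and it disagrees with the later 'Configure SNMP' section (ACL 60 and a different community string), so the two should be reconciled. Two variable typos in that hunk will break copy-and-paste deployment: `£routerserialnumber` should be `$routerserialnumber`, and `ip domain name lma.geteway` does not match the `lan.gateway` domain used in the DHCP pools. In the AP hunk, `crypto key generate rsa ... modulus 1024` yields a key below current minimum recommendations; use `modulus 2048` where the platform supports it.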
Latest revision as of 21:02, 8 June 2014
Below you will find a basic configuration of an AIR-SAP 1602E-E-K9 access point connected to a 4-port EHWIC card inserted into a Cisco 1941 ISR G2 modular router.
Product coding
Product/Model Number: AIR-SAP1602E-E-K9 IOS C1600 Software (AP1G2-K9W7-M), Version 15.2(2)JB2, RELEASE SOFTWARE (fc1) Regulatory Domain / AIR-SAP 1602E-E-K9 \ \_External antenna \_C_ stands for: Control and Provisioning of Wireless Access Points Protocol CAPWAP require WLC (Wireless Lan Controller) \_S_ stands for: Standalone AP
- Router
show inventory
#show inventory NAME: "CISCO1941/K9", DESCR: "CISCO1941/K9 chassis, Hw Serial#: ***********, Hw Revision: 1.0" PID: CISCO1941/K9 , VID: V05 , SN: *********** NAME: "3G WWAN EHWIC-QuadBand HSPA+R7/HSPA/UMTS QuadBand EDGE/GPRS and GPS on Slot 0 SubSlot 0", DESCR: "3G WWAN EHWIC-QuadBand HSPA+R7/HSPA/UMTS QuadBand EDGE/GPRS and GPS" PID: EHWIC-3G-HSPA+7 , VID: V01 , SN: *********** NAME: "Modem 0 on Cellular0/0/0", DESCR: "Sierra Wireless MC8705" PID: MC8705 , VID: 1.0, SN: *********** NAME: "4 Port GE POE EHWIC Switch on Slot 0 SubSlot 1", DESCR: "4 Port GE POE EHWIC Switch" PID: EHWIC-4ESG-P , VID: V01 , SN: *********** NAME: "C1941 AC-POE Power Supply", DESCR: "C1941 AC-POE Power Supply" PID: PWR-1941-POE , VID: , SN:
- Access point
show inventory
NAME: "AP1600", DESCR: "Cisco Aironet 1600 Series (IEEE 802.11n) Access Point" PID: AIR-SAP1602E-E-K9 , VID: V01, SN: ********x11
Please note that the access points are powered by Power over Ethernet. There is a difference in power consumption: an AIR-CAP (managed) access point uses 13W, whereas an AIR-SAP (standalone) access point uses 15.4W.
#sh power inline PowerSupply SlotNum. Maximum Allocated Status ----------- -------- ------- --------- ------ INT-PS 0 80.000 46.200 PS GOOD Interface Config Device Powered PowerAllocated State --------- ------ ------ ------- -------------- ----- Gi0/1/0 auto Unknown Off 0.000 Watts NOT_PHONE Gi0/1/1 auto IEEE-3 On 15.400 Watts PHONE Gi0/1/2 auto IEEE-3 On 15.400 Watts PHONE Gi0/1/3 auto IEEE-3 On 15.400 Watts PHONE
Basic router config
Applying config
- Adapt the config to your needs following the colour coding and place it in the TFTP root folder
- update system users and passwords
- change hostname
- update with the APs' Ethernet MAC addresses
- update the router serial number
- Connect interface Gi0/0 to a laptop running a TFTP server
- Optional: from Windows, issue the following to keep internet access:
route CHANGE 0.0.0.0 MASK 0.0.0.0 10.10.10.2 METRIC 50 IF 13
- At the router, issue the following and follow the wizard:
copy tftp: startup-config
- Reload the router with the following, but do not save changes to the NVRAM configuration:
reload
- Activate the licence:
license udi pid CISCO1941/K9 sn $routerserialnumber
license accept end user agreement
- Generate an RSA crypto key to enable SSH version 2
- Apply VLANs
Router config
! Last configuration change at ##:##:## UTC Wed Oct ## 2013 by tech version 15.2 service timestamps debug datetime msec localtime show-timezone service timestamps log datetime msec localtime show-timezone service password-encryption ! hostname $ID-r1 ! boot-start-marker boot-end-marker ! ! logging userinfo logging buffered 50000 logging console warnings enable secret enablepassword ! aaa new-model ! ! aaa authentication password-prompt LocalPassword: aaa authentication username-prompt LocalUsername: aaa authentication login default local ! force to use aaa auth on console line aaa authentication login admin-con line aaa authorization exec default local ! ! ! ! ! aaa session-id common clock timezone GMT 0 0 clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 2:00 ! no ipv6 cef no ip source-route ip cef ! ! ! ip dhcp excluded-address 10.0.10.1 10.0.10.10 ip dhcp excluded-address 10.0.11.240 10.0.11.254 ip dhcp excluded-address 10.0.20.1 10.0.20.10 ip dhcp excluded-address 10.0.21.240 10.0.21.254 ip dhcp excluded-address 10.0.99.100 ip dhcp excluded-address 10.0.99.1 10.0.99.10 ! ip dhcp pool WIRELESS import all network 10.0.10.0 255.255.254.0 default-router 10.0.10.1 dns-server 10.0.10.1 8.8.8.8 domain-name lan.gateway lease 0 2 ! ip dhcp pool WIRELESS-GUEST network 10.0.20.0 255.255.254.0 default-router 10.0.20.1 dns-server 10.0.20.1 8.8.8.8 domain-name lan-guest.gateway lease 0 2 ! ip dhcp pool MANAGEMENT network 10.0.99.0 255.255.255.128 default-router 10.0.99.100 dns-server 10.0.99.100 8.8.8.8 domain-name lan.management lease 0 2 ! ip dhcp pool AP1 host 10.0.99.1 255.255.255.128 client-identifier 017c.69f6.e1d8.7d ! ip dhcp pool AP2 host 10.0.99.2 255.255.255.128 client-identifier 017c.69f6.e1d9.18 ! ip dhcp pool AP3 host 10.0.99.3 255.255.255.128 client-identifier 017c.69f6.e1d9.78 ! ip dhcp pool LAN network 10.0.30.0 255.255.254.0 default-router 10.0.30.1 ! 
line below is optional in case you want to hand out different DNS servers than the router itself is using dns-server primary_dns secondary_dns domain-name lan.gateway lease 0 2 ! no ip bootp server ip domain name lma.geteway ! ip name-server $primary_dns ip name-server $secondary_dns ! login block-for 300 attempts 3 within 300 no ipv6 cef multilink bundle-name authenticated ! chat-script hspa "" "AT!SCACT=1,1" TIMEOUT 60 "OK" chat-script LTE "" "AT!CALL1" TIMEOUT 20 "OK" ! ! license udi pid CISCO1941/K9 sn £routerserialnumber ! license accept end user agreement license boot module c1900 technology-package securityk9 disable license boot module c1900 technology-package datak9 disable ! ! username ****tech privilege 0 secret 0 password username **neteng privilege 15 secret 0 password ! ! controller Cellular 0/0 controller Cellular 0/0 controller VDSL 0/0/0 controller VDSL 0/0/0 ! ip ssh version 2 ! ! ! ! interface Embedded-Service-Engine0/0 no ip address shutdown ! interface GigabitEthernet0/0 no ip address duplex auto speed auto shutdown ! interface GigabitEthernet0/0 description --> WAN $WiMAX ##Mbps down/up ip address $public_ip subnet_mask ! Comment out 'access-group' lines only when you applying ACLs at the same time ! ip access-group INTERNET-IN in ! ip access-group INTERNET-OUT out ip verify unicast reverse-path ip nat enable ntp disable no shutdown ! ! interface GigabitEthernet0/1 description Wired user LAN ip address 10.0.30.1 255.255.254.0 ip nat enable duplex auto speed auto no shutdown ! interface ATM0/0/0 no ip address no ip redirects no ip unreachables no ip proxy-arp no atm ilmi-keepalive ntp disable pvc 0/38 encapsulation aal5mux ppp dialer dialer pool-member 1 ! ! ! BT Infinity - PPPoE, interface atm0/0/0 need to be shutdown interface Ethernet0/0/0 no ip address ! interface Ethernet0/0/0.101 encapsulation dot1Q 101 pppoe enable group global pppoe-client dial-pool-number 1 ! 
! EHWIC switch ports towards the APs. The trunk carries the user VLANs tagged and the
! management VLAN (99) untagged as native; the AP config on this page expects the same
! ('encapsulation dot1Q 99 native'), so both ends must be changed together if this is revisited.
! NOTE(review): VLAN 1 is still allowed on the trunks although its SVI is shut down; pruning it
! from 'allowed vlan' is a small hardening step worth verifying on the EtherSwitch module.
interface GigabitEthernet0/1/0
 description --> trunk to AP
 switchport trunk native vlan 99
 switchport trunk allowed vlan 1,10,20,99,1002-1005
 switchport mode trunk
 no ip address
 no shutdown
!
interface GigabitEthernet0/1/1
 description --> trunk to AP
 switchport trunk native vlan 99
 switchport trunk allowed vlan 1,10,20,99,1002-1005
 switchport mode trunk
 no ip address
 no shutdown
!
interface GigabitEthernet0/1/2
 description --> trunk to AP
 switchport trunk native vlan 99
 switchport trunk allowed vlan 1,10,20,99,1002-1005
 switchport mode trunk
 no ip address
 no shutdown
!
! Untagged management port: whatever is plugged in here lands on VLAN 99 with the router's management address.
interface GigabitEthernet0/1/3
 description Management VLAN99 access port
 switchport access vlan 99
 no ip address
 no shutdown
!
! Alternative WAN: 3G cellular (see colour key).
interface Cellular0/0/0
 description WAN link to 3G Vodafone-APN
 ip address negotiated
 ip nat enable
 encapsulation slip
 dialer in-band
 dialer string hspa
 dialer-group 1
 async mode interactive
!
interface Cellular0/0/1
 no ip address
 encapsulation slip
!
! Alternative WAN: 4G cellular (see colour key).
interface Cellular0/0/0
 description WAN link to 4G Vodafone-APN
 ip address negotiated
 encapsulation slip
 dialer in-band
 dialer pool-member 1
 dialer-group 1
 async mode interactive
 routing dynamic
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan10
 ip address 10.0.10.1 255.255.254.0
 ip nat enable
 no shutdown
!
interface Vlan20
 ip address 10.0.20.1 255.255.254.0
 ip nat enable
 no shutdown
!
! Management SVI; also the NTP broadcast source for the APs (see the NTP section on this page).
interface Vlan99
 description Eherswitch Management Interface
 ip address 10.0.99.100 255.255.255.128
 ntp broadcast
 no shutdown
!
! Alternative WAN: PPPoE over BT Infinity (see colour key).
interface Dialer0
 description BT Infinity 40Mb down / 10 Mb upload
 mtu 1492
 ip address ip.add.re.ss m.a.s.k
! no ip redirects #removed due to causing VPN reconnection
! NOTE(review): read as a commented-out command. '#' is not an IOS comment character, so if
! 'no ip redirects' is meant to be active it needs its own line with the explanatory text
! moved into a '!' comment.
 no ip unreachables
 no ip proxy-arp
 ip nat enable
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 ntp disable
 ! ISP credentials below are stored type 7 (reversible) once 'service password-encryption' runs;
 ! treat 'show run' output as sensitive.
 ppp authentication pap chap ms-chap callin
 ppp chap hostname D******@hg52.btclick.com
 ppp chap password 0 ******
 ppp pap sent-username D******@hg52.btclick.com password 0 ******
 ppp ipcp dns request
 no cdp enable
!
! Alternative WAN: BT Business ADSL over ATM0/0/0 (see colour key).
interface Dialer0
 description BT ADSL 5Mdown/1Mup acc: WM****** no:0********
! for dynamic public ip replace a lien below with 'ip address negotiated'
 ip address $static_public_ip $subnet_mask
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat enable
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ntp disable
 ppp authentication chap callin
 ppp chap hostname D******@hg52.btclick.com
 ppp chap password 0 ******
 ppp pap sent-username D******@hg52.btclick.com password 0 ******
 ppp ipcp dns request
 no cdp enable
!
! Alternative WAN: LTE via dialer (see colour key).
interface Dialer1
 ip address negotiated
 ip nat enable
 encapsulation slip
 dialer pool 1
 dialer idle-timeout 0
 dialer string LTE
 dialer persistent
 dialer-group 1
!
ip forward-protocol nd
!
! Web management off on the router (the AP config on this page does the opposite).
no ip http server
no ip http secure-server
!
! NOTE(review): the router answers DNS on all interfaces with no restriction here. It is only
! as closed as the WAN ACL in front of it, so keep inbound UDP/53 towards the router denied on
! the WAN interface to avoid acting as an open resolver.
ip dns server
!
! NAT/default-route pairs, one per WAN alternative. NOTE(review): the cellular variants use
! 'access-list 1 permit any' while the Dialer0/Gi0/0 variants limit NAT to 10.0.0.0/16; the
! narrower form is the safer choice for all of them.
ip nat source list 1 interface Cellular0/0/0 overload
ip route 0.0.0.0 0.0.0.0 Cellular0/0/0
!
access-list 1 permit any
dialer-list 1 protocol ip permit
!
ip nat source list 1 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
access-list 1 permit any
dialer-list 1 protocol ip permit
!
ip nat source list 1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
access-list 1 permit 10.0.0.0 0.0.255.255
dialer-list 1 protocol ip permit
!
ip nat source list 1 interface Gi0/0 overload
ip route 0.0.0.0 0.0.0.0 Gi0/0
!
access-list 1 permit 10.0.0.0 0.0.255.255
!
! NOTE(review): the NTP section later on this page defines the same ACL with 'log' on the deny
! entry instead of the permit; logging denials is the more useful choice for spotting
! unexpected NTP clients. Keep one definition.
access-list 20 remark Allow Management devices sync NTP clock
access-list 20 permit 10.0.99.0 0.0.0.127 log
access-list 20 deny any
!
!
! NOTE(review): 'contingency' is a literal community string, not a placeholder, and 'site' is
! not an access list defined anywhere in this config. The SNMP section on this page replaces
! this with a community guarded by ACL 60; apply that and drop this line, or this read-only
! community ships with every router built from the template.
snmp-server community contingency RO site
snmp-server enable traps entity-sensor threshold
!
!
!
control-plane
!
!
banner motd ^
This system is for COMPANY authorized use only. It is monitored to detect improper use and other illicit activity. There is no expectation of privacy while using this system.
^
!
! Console: 5 min idle timeout, shared line password (type 7 after encryption) via 'admin-con'.
line con 0
 exec-timeout 5 0
 password 0 consolepassword
 logging synchronous
 login authentication admin-con
line aux 0
! 'line 2' accepts all transports but has 'no exec'; presumably the service-engine line — confirm
! it is not reachable for an interactive session.
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
! Modem lines for the 3G alternative; 'line 0/0/0' is repeated below for the LTE alternative.
line 0/0/0
 exec-timeout 0 0
 script dialer hspa
 script activation hspa
 modem InOut
 no exec
line 0/0/1
 no exec
!
line 0/0/0
 exec-timeout 0 0
 script dialer LTE
 script activation LTE
 modem InOut
 no exec
!
! SSH-only remote access. NOTE(review): unlike the console there is no 'exec-timeout' here and
! no 'access-class' limiting source addresses; an idle-timeout plus an ACL permitting only the
! management subnet would close the gap.
line vty 0 4
 logging synchronous
 transport input ssh
!
scheduler allocate 20000 1000
ntp logging
ntp access-group peer 20
ntp master
!
end
- Key
- Blue - variables: passwords, host names, serial numbers
- Green - Cellular/3G card configuration
- Red - Cellular/4G card configuration
- Purple - ATM/ADSL card configuration, BT Business ADSL
- Orange - PPPoE, BT Infinity
- Grey - WAN Ethernet RJ45 from ISP
Applying VLANs
! Create the three VLANs referenced by the switchport and SVI config above; VLAN 99 doubles as
! the trunk native VLAN, which is why it is named MANAGEMENT&NATIVE.
conf t
vlan 10
 name WIRELESS
vlan 20
 name GUEST-WIRELESS
vlan 99
 name MANAGEMENT&NATIVE
^Z
- Verify
R1#sh vlan-switch VLAN Name Status Ports ---- -------------------------------- --------- ------------------------------- 1 default active Gi0/1/1, Gi0/1/2 10 WIRELESS active 20 GUEST-WIRELESS active 99 MANAGEMENT&NATIVE active Gi0/1/3 1002 fddi-default act/unsup 1003 token-ring-default act/unsup 1004 fddinet-default act/unsup 1005 trnet-default act/unsup VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2 ---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------ 1 enet 100001 1500 - - - - - 1002 1003 10 enet 100010 1500 - - - - - 0 0 20 enet 100020 1500 - - - - - 0 0 99 enet 100099 1500 - - - - - 0 0 1002 fddi 101002 1500 - - - - - 1 1003 1003 tr 101003 1500 1005 0 - - srb 1 1002 1004 fdnet 101004 1500 - - 1 ibm - 0 0 1005 trnet 101005 1500 - - 1 ibm - 0 0
Apply Access Lists
Please make sure you are connected through a console cable, otherwise you may lock yourself out.
- Variables
- $WAN = it is WAN Interface Dialer1 or ATM0/0/0 or Gi0/0/0
! Outbound: tcp/udp/icmp leaving the WAN create reflexive entries (REMEMBER, 300 s idle) so the
! matching replies are let back in. NOTE(review): anything that is not tcp/udp/icmp (e.g. ESP or
! GRE for a VPN) is dropped by the final deny; add explicit permits if a VPN terminates here.
ip access-list extended INTERNET-OUT
 permit tcp any any reflect REMEMBER timeout 300
 permit udp any any reflect REMEMBER timeout 300
 permit icmp any any reflect REMEMBER timeout 300
 deny ip any any log
!
ip access-list extended INTERNET-IN
 ! NOTE(review): this matches on the SOURCE port, so any UDP packet sent from port 53 to any
 ! destination is accepted, which bypasses the stateful filtering below. DNS replies are already
 ! admitted by 'evaluate REMEMBER'; remove this line or restrict it to the configured resolvers.
 permit udp any eq domain any
 ! NOTE(review): SSH is reachable from any Internet source. 'login block-for' throttles guessing,
 ! but limiting the source to the management hosts (as done for ICMP below) is the stronger control.
 permit tcp any any eq 22
 permit icmp host $monitoring_host_ip any echo
 ! Returns for sessions recorded by INTERNET-OUT.
 evaluate REMEMBER
 ! Logging every denied packet on a WAN link can be noisy; consider an ACL logging interval.
 deny ip any any log
!
! Apply access lists to WAN interface
!
interface $WAN
 ip access-group INTERNET-IN in
 ip access-group INTERNET-OUT out
Disable unnecessary services
! Hardening: disable services the router does not need to offer.
no ip source-route
! Drop packets carrying IP options rather than process-switching them.
ip options drop
no ip http server
no ip http secure-server
no service tcp-small-servers
no service udp-small-servers
! Tear down dead TCP sessions (e.g. abandoned vty logins) instead of leaving them open.
service tcp-keepalives-in
service tcp-keepalives-out
no ip bootp server
no ip finger
no ip identd
no service config
! NOTE(review): LLDP is disabled globally but CDP is not; the base config only has
! 'no cdp enable' on Dialer0. Disable CDP on the WAN-facing interfaces at minimum.
no lldp run
no service pad
Verify that you still have access to the Internet.
Configure NTP
- Router NTP config
! Protect sync time to hosts permitted by access-list
! Only the management subnet may use the router as a time source; denials are logged.
access-list 20 remark Allow Management devices sync NTP clock
access-list 20 permit 10.0.99.0 0.0.0.127
access-list 20 deny any log
! Disable sending ntp messages on WAN interfaces
Interface Dialer 0
 ntp disable
Interface Vlan99
 ntp broadcast
Interface ATM0/0/0
 ntp disable
ntp logging
! NOTE(review): 'peer' is the most permissive relationship (permitted hosts may also adjust the
! router's clock). The APs only read time, so 'ntp access-group serve-only 20' is the tighter option.
ntp access-group peer 20
ntp master
- Access point NTP config
! AP side: take time from the router's VLAN 99 management address (the 'ntp master' above).
sntp server 10.0.99.100
Configure SNMP
! protect snmp RO (readonly) with access-list
! NOTE(review): 10.0.10.0/23 is the WIRELESS client pool, so every wireless user may query the
! agent (interface list, uptime, ...). Unless a poller lives there, limit this to the
! management subnet.
access-list 60 remark Access to read SNMP messages
access-list 60 permit 10.0.10.0 0.0.1.255
access-list 60 permit 10.0.99.0 0.0.0.127
access-list 60 deny any log
! SNMP configuration
! Read-only community, gated by ACL 60. v2c sends the community in cleartext; SNMPv3 with
! authentication/privacy is preferable where the poller supports it.
snmp-server community hardpassword RO 60
snmp-server location BuldingID
snmp-server contact AdminID
! log wrong community string attempts
logging snmp-authfail
- Test
Device
# Quick reachability check of the device's SNMP agent (v2c, read-only community).
# The community is given on the command line, so it ends up in shell history and the
# process list; SNMPv2c also carries it in cleartext on the wire.
snmpstatus -c 'communitystring' -v2c DEV_IP_ADDRESS
List of interfaces
snmpwalk -c 'communitystring' -v2c 10.0.99.100 .1.3.6.1.2.1.2.2.1.2 iso.3.6.1.2.1.2.2.1.2.1 = STRING: "Embedded-Service-Engine0/0" iso.3.6.1.2.1.2.2.1.2.2 = STRING: "GigabitEthernet0/0" iso.3.6.1.2.1.2.2.1.2.3 = STRING: "GigabitEthernet0/1" <-- output omitted --> iso.3.6.1.2.1.2.2.1.2.15 = STRING: "Vlan20" iso.3.6.1.2.1.2.2.1.2.16 = STRING: "Vlan99" iso.3.6.1.2.1.2.2.1.2.17 = STRING: "Dialer1"
Uptime
snmpget -M MIBs -v1 -c hardpassword 10.0.99.100 .1.3.6.1.2.1.1.3.0 iso.3.6.1.2.1.1.3.0 = Timeticks: (591121) 1:38:31.21
Basic AP config with WPA2-PSK auth
- Default account credentials on the access point
Username: Cisco Password: Cisco Enabled mode: Cisco
- remember to issue 'no shutdown' on radio interfaces as these are administratively down on brand new switches. No shutdown is added in the config below for interface Dot11Radio0
- remember to change 'password' and the AP 'hostname' when deploying the config
- not sure why, but when applying the config the BVI1 interface does not take any changes
- remember to set a domain name and generate a crypto key, otherwise you will not be able to log in using ssh; follow the steps below:
! SSH prerequisites on the AP: hostname + domain name form the RSA key label.
conf t
hostname ap1
ip domain name home.gateway
! label for hostname:ap1 and ipdomainname:home.gateway will be ap1.home.gateway
! NOTE(review): a 1024-bit RSA host key is below the generally accepted minimum; use
! 'modulus 2048' (or larger) so SSH clients do not reject or warn on the host key.
crypto key generate rsa label ap1.home.gateway general-keys modulus 1024
! Last configuration change at 01:54:45 UTC Mon Mar 1 1993 by tech
! Standalone AP template: three WPA2-PSK SSIDs, each bridged onto its own VLAN towards the router trunk.
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
! Hides 'ascii 0 ...' PSKs and 'password 0' entries as type 7 (reversible); 'show run' is sensitive.
service password-encryption
!
hostname ap1
!
!
logging rate-limit console 9
enable secret secretpassword
!
aaa new-model
!
!
aaa authentication password-prompt LocalPassword:
aaa authentication username-prompt LocalUsername:
aaa authentication login default local
aaa authorization exec default local
!
!
!
!
!
aaa session-id common
! Pure layer-2 bridge: no routing on the AP.
no ip routing
no ip cef
ip domain name home.gateway
!
!
!
dot11 syslog
dot11 vlan-name Management vlan 99
dot11 vlan-name Wireless vlan 10
dot11 vlan-name Wireless-guest vlan 20
!
! Guest SSID -> VLAN 20, WPA2 with a pre-shared key, broadcast in beacons (mbssid guest-mode).
dot11 ssid DS_Guest
 vlan 20
 authentication open
 authentication key-management wpa version 2
 mbssid guest-mode
 wpa-psk ascii 0 guestpassword
!
! NOTE(review): this SSID drops clients straight onto the management VLAN (99), where the
! router's and APs' management addresses live, protected only by a shared PSK. Not beaconing
! the SSID hides nothing from a passive listener. Consider whether wireless access to the
! management VLAN is needed at all; if so, rotate this PSK on staff changes.
dot11 ssid DS_MGM
 vlan 99
 authentication open
 authentication key-management wpa version 2
 ! mbssid guest-mode commented out to prevent broadcasting BSSID
 wpa-psk ascii 0 managementpassword
!
! Staff SSID -> VLAN 10, WPA2-PSK, broadcast.
dot11 ssid DS_WPA2
 vlan 10
 authentication open
 authentication key-management wpa version 2
 mbssid guest-mode
 wpa-psk ascii 0 wirelesspassword
!
!
crypto pki token default removal timeout 0
!
!
! Local accounts; replace the placeholders. 'admin' has full privileges.
username tech privilege 1 secret 0 techpassword
username admin privilege 15 secret 0 adminpassword
!
ip ssh time-out 180
ip ssh authentication-retries 5
ip ssh version 2
bridge irb
!
!
!
! 2.4 GHz radio: AES-CCMP on every VLAN (no TKIP/WEP), all three SSIDs, multiple BSSIDs enabled.
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers aes-ccm
 !
 encryption vlan 10 mode ciphers aes-ccm
 !
 encryption vlan 20 mode ciphers aes-ccm
 !
 encryption vlan 99 mode ciphers aes-ccm
 !
 ssid DS_Guest
 !
 ssid DS_MGM
 !
 ssid DS_WPA2
 !
 antenna gain 0
 stbc
 beamform ofdm
 mbssid
 station-role root
 ! Radios ship administratively down; this brings the 2.4 GHz radio up.
 no shutdown
!
! Per-VLAN radio subinterfaces: block-unknown-source / no source-learning / no unicast-flooding
! keep the wireless side from injecting or receiving traffic for addresses it did not learn.
interface Dot11Radio0.10
 encapsulation dot1Q 10
 no ip route-cache
 bridge-group 10
 bridge-group 10 subscriber-loop-control
 bridge-group 10 spanning-disabled
 bridge-group 10 block-unknown-source
 no bridge-group 10 source-learning
 no bridge-group 10 unicast-flooding
!
interface Dot11Radio0.20
 encapsulation dot1Q 20
 no ip route-cache
 bridge-group 20
 bridge-group 20 subscriber-loop-control
 bridge-group 20 spanning-disabled
 bridge-group 20 block-unknown-source
 no bridge-group 20 source-learning
 no bridge-group 20 unicast-flooding
!
! VLAN 99 is native here, matching 'switchport trunk native vlan 99' on the router's EHWIC ports.
interface Dot11Radio0.99
 encapsulation dot1Q 99 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
! 5 GHz radio left shut down in this template.
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 antenna gain 0
 no dfs band block
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
! Wired uplink to the router trunk; one subinterface per VLAN, bridged to the matching radio subinterface.
interface GigabitEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 no shutdown
!
interface GigabitEthernet0.10
 encapsulation dot1Q 10
 no ip route-cache
 bridge-group 10
 bridge-group 10 spanning-disabled
 no bridge-group 10 source-learning
!
interface GigabitEthernet0.20
 encapsulation dot1Q 20
 no ip route-cache
 bridge-group 20
 bridge-group 20 spanning-disabled
 no bridge-group 20 source-learning
!
interface GigabitEthernet0.99
 encapsulation dot1Q 99 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 spanning-disabled
 no bridge-group 1 source-learning
!
! Management address via DHCP on bridge-group 1 (VLAN 99); the router's AP1..AP3 pools pin it by MAC.
interface BVI1
 ip address dhcp client-id GigabitEthernet0
 no ip route-cache
 no shutdown
!
ip forward-protocol nd
! NOTE(review): the web GUI used later on this page is served over plain HTTP only; admin
! credentials and the PSKs typed into it cross the management VLAN unencrypted. Enable
! 'ip http secure-server' and turn off 'ip http server' (or disable the GUI once the AP is set up).
ip http server
ip http authentication aaa
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
!
!
bridge 1 route ip
!
!
!
! NOTE(review): neither line has an 'exec-timeout', and the vty has no 'access-class';
! mirror the router's 'exec-timeout 5 0' and restrict SSH sources to the management subnet.
line con 0
line vty 0 4
 transport input ssh
sntp server 10.0.99.100
!
end
- Enable sending logs to syslog server
! Send AP syslog to a collector, sourced from the wired uplink address.
! NOTE(review): 10.0.10.5 falls inside the WIRELESS client pool (10.0.10.0/23) in the router's
! DHCP config; confirm a collector really lives there, since a collector on management VLAN 99
! would keep cleartext syslog off the user segment.
logging source-interface GigabitEthernet0
logging 10.0.10.5
Configure WPA2 from WEB
- Security > Encryption Manager
- Set Encryption Mode and Keys for VLAN: from drop down menu
- Tick Cipher and from drop down menu AES CCMP
- Security > SSID Manager
- Select <NEW>
- Type SSID_name into SSID box
- Select VLAN
- Tick Interface Radio0 (2.4 GHz)
- Key Management: Mandatory
- Tick: Enable WPA and select WPAv2 from drop down menu
- Enter your WPA Pre-shared Key into a box
- Enable SSID broadcast in beacons (requires enabling per SSID)
- Go to section: Multiple BSSID Beacon Settings
- Check: Set SSID as Guest Mode
- Press Apply
- Enable multiple SSIDs to be broadcasted (requires enabling once per AP/radio)
- Go to section: Guest Mode/Infrastructure SSID Settings
- Check: Multiple BSSID
- Press Apply
- Error message when ticking CCKM
ERROR: VLAN 99 cannot support CCKM. Set 'Encryption Mode' to 'Cipher' on all radio interfaces before selecting CCKM (See Security> Encryption Manager).
- Error message when enabling WPA
ERROR: VLAN 99 cannot support WPA optional. Set 'Encryption Mode' to 'Cipher', 'TKIP + WEP 40 bit' or 'TKIP + WEP 128 bit'
or 'AES CCMP + TKIP + WEP 40 bit', or 'AES CCMP + TKIP + WEP 128 bit' on all radio interfaces before selecting WPA.
(See Security> Encryption Manager) To set the correct 'Key Management', follow the steps below: STEP 1:Set the 'Key Management' to 'None'. STEP 2:Set the 'Cipher' to 'TKIP' or 'AES CCMP' or 'AES CCMP + TKIP'.(see Security>Encryption Manager) STEP 3:Set the 'Authenticated Key Management' to 'WPA' and 'Mandatory'.
References
- Cisco Aironet 1600 Series Access Points Getting Started Guide, December, 2012 Revised: April 16, 2013
- Cisco Aironet 1600 Series Access Point Data Sheet
- Wireless LAN Controller and Lightweight Access Point Basic Configuration Example
- Cisco IOS Software Configuration Guide for Cisco Aironet Access Points for Cisco IOS Releases 15.2(4)JA
- VLANs on Aironet Access Points Configuration Example
- Release Notes for Cisco Aironet Access Points and Bridges for Cisco IOS Release 15.2(2)JB Default behavior changes on AP prior to IOS15
- Password Recovery Procedure for the Cisco 1900 Integrated Services Router