Cisco 1941 with AIR-SAP 1602E-E-K9 Standalone
Below is a basic configuration of an AIR-SAP 1602E-E-K9 access point connected to a 4-port EHWIC switch card inserted into a Cisco 1941 ISR G2 modular router.
Product coding
Product/Model Number: AIR-SAP1602E-E-K9
IOS: C1600 Software (AP1G2-K9W7-M), Version 15.2(2)JB2, RELEASE SOFTWARE (fc1)
Reading the product code AIR-SAP 1602E-E-K9:
- S (AIR-SAP) stands for: Standalone AP. In AIR-CAP, C stands for: Control and Provisioning of Wireless Access Points Protocol; a CAPWAP AP requires a WLC (Wireless LAN Controller).
- E (1602E): external antenna.
- -E- (between the model and -K9): regulatory domain.
- Router
show inventory
#show inventory
NAME: "CISCO1941/K9", DESCR: "CISCO1941/K9 chassis, Hw Serial#: ***********, Hw Revision: 1.0"
PID: CISCO1941/K9      , VID: V05 , SN: ***********

NAME: "3G WWAN EHWIC-QuadBand HSPA+R7/HSPA/UMTS QuadBand EDGE/GPRS and GPS on Slot 0 SubSlot 0", DESCR: "3G WWAN EHWIC-QuadBand HSPA+R7/HSPA/UMTS QuadBand EDGE/GPRS and GPS"
PID: EHWIC-3G-HSPA+7   , VID: V01 , SN: ***********

NAME: "Modem 0 on Cellular0/0/0", DESCR: "Sierra Wireless MC8705"
PID: MC8705            , VID: 1.0, SN: ***********

NAME: "4 Port GE POE EHWIC Switch on Slot 0 SubSlot 1", DESCR: "4 Port GE POE EHWIC Switch"
PID: EHWIC-4ESG-P      , VID: V01 , SN: ***********

NAME: "C1941 AC-POE Power Supply", DESCR: "C1941 AC-POE Power Supply"
PID: PWR-1941-POE      , VID:     , SN:
- Access point
show inventory
NAME: "AP1600", DESCR: "Cisco Aironet 1600 Series (IEEE 802.11n) Access Point"
PID: AIR-SAP1602E-E-K9 , VID: V01, SN: ********x11
Please note that the access points are powered by Power over Ethernet. There is a difference in power consumption: an AIR-CAP (managed) access point uses 13W, whereas an AIR-SAP (standalone) access point uses 15.4W.
#sh power inline
PowerSupply   SlotNum.  Maximum  Allocated  Status
-----------   --------  -------  ---------  ------
INT-PS        0         80.000   46.200     PS GOOD

Interface  Config  Device   Powered  PowerAllocated  State
---------  ------  ------   -------  --------------  -----
Gi0/1/0    auto    Unknown  Off      0.000 Watts     NOT_PHONE
Gi0/1/1    auto    IEEE-3   On       15.400 Watts    PHONE
Gi0/1/2    auto    IEEE-3   On       15.400 Watts    PHONE
Gi0/1/3    auto    IEEE-3   On       15.400 Watts    PHONE
Basic router config
Applying config
- Shape the config to your needs following the colour coding (see Key below) and place it in the TFTP root folder:
  - change/update the system users and passwords
  - change the hostname
  - update it with the APs' Ethernet MAC addresses
  - update the router serial number
- Connect interface Gi0/0 to a laptop running a TFTP server
- Optional, issue from Windows
    route CHANGE 0.0.0.0 MASK 0.0.0.0 10.10.10.2 METRIC 50 IF 13
  to maintain access to the internet.
- At the router, issue
    copy tftp: startup-config
  and follow the wizard
- Reload the router by issuing
    reload
  but do not save changes to the nvram configuration
- Activate the licence
    license udi pid CISCO1941/K9 sn $routerserialnumber
    license accept end user agreement
- Generate an RSA crypto key to enable SSH version 2
- Apply VLANs
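The DHCP reservations in the router config below identify each access point by its 'client-identifier', which IOS forms from the hardware type 01 (Ethernet) followed by the AP's Ethernet MAC address, written in dotted groups of four hex digits. The following Python helper is an added example and not part of the original page: it derives those identifiers from MACs written in any common notation, recovers the MAC from an existing identifier, and renders the per-AP pool stanzas. The sample MAC values are constructed from the identifiers used in the page's config.

```python
"""Derive Cisco IOS DHCP 'client-identifier' strings from AP Ethernet MAC addresses.

Added example, not from the original page. The router config reserves a fixed
address per access point with a stanza such as
    ip dhcp pool AP1
     host 10.0.99.1 255.255.255.128
     client-identifier 017c.69f6.e1d8.7d
IOS expects the identifier as the hardware type (01 = Ethernet) followed by the
six MAC bytes, regrouped into dotted words of four hex digits.
"""
import re

HW_TYPE_ETHERNET = "01"


def normalize_mac(mac: str) -> str:
    """Return the 12 lowercase hex digits of a MAC given in any common notation
    (aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF, aabb.ccdd.eeff or bare)."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits


def client_identifier(mac: str) -> str:
    """Build the IOS client-identifier: '01' + MAC, split into 4-hex-digit words.
    14 hex digits give three full words and a trailing 2-digit word."""
    raw = HW_TYPE_ETHERNET + normalize_mac(mac)
    return ".".join(raw[i:i + 4] for i in range(0, len(raw), 4))


def mac_from_client_identifier(cid: str) -> str:
    """Inverse: recover the colon-separated MAC from an IOS client-identifier,
    checking the Ethernet hardware-type prefix on the way."""
    raw = cid.replace(".", "").lower()
    if len(raw) != 14 or not raw.startswith(HW_TYPE_ETHERNET):
        raise ValueError(f"not an Ethernet client-identifier: {cid!r}")
    mac = raw[2:]
    return ":".join(mac[i:i + 2] for i in range(0, 12, 2))


def dhcp_pool_stanza(name: str, host: str, mask: str, mac: str) -> str:
    """Render a per-AP reservation in the form used by the router config."""
    return "\n".join([
        f"ip dhcp pool {name}",
        f" host {host} {mask}",
        f" client-identifier {client_identifier(mac)}",
        "!",
    ])


if __name__ == "__main__":
    # Constructed sample: MACs as an operator would read them off the AP labels,
    # deliberately in three different notations.
    aps = {
        "AP1": "7c:69:f6:e1:d8:7d",
        "AP2": "7C-69-F6-E1-D9-18",
        "AP3": "7c69.f6e1.d978",
    }
    for n, (name, mac) in enumerate(aps.items(), start=1):
        print(dhcp_pool_stanza(name, f"10.0.99.{n}", "255.255.255.128", mac))
```

Running the block prints the three AP pool stanzas; feeding an identifier from a live config through mac_from_client_identifier is a quick way to confirm which physical AP a reservation belongs to.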
Router config
! Last configuration change at ##:##:## UTC Wed Oct ## 2013 by tech
version 15.2
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname $ID-r1
!
boot-start-marker
boot-end-marker
!
!
logging userinfo
logging buffered 50000
logging console warnings
enable secret enablepassword
!
aaa new-model
!
!
aaa authentication password-prompt LocalPassword:
aaa authentication username-prompt LocalUsername:
aaa authentication login default local
! force to use aaa auth on console line
aaa authentication login admin-con line
aaa authorization exec default local
!
!
!
!
!
aaa session-id common
clock timezone GMT 0 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 2:00
!
no ipv6 cef
no ip source-route
ip cef
!
!
!
ip dhcp excluded-address 10.0.10.1 10.0.10.10
ip dhcp excluded-address 10.0.11.240 10.0.11.254
ip dhcp excluded-address 10.0.20.1 10.0.20.10
ip dhcp excluded-address 10.0.21.240 10.0.21.254
ip dhcp excluded-address 10.0.99.100
ip dhcp excluded-address 10.0.99.1 10.0.99.10
!
ip dhcp pool WIRELESS
 import all
 network 10.0.10.0 255.255.254.0
 default-router 10.0.10.1
 dns-server 10.0.10.1 8.8.8.8
 domain-name lan.gateway
 lease 0 2
!
ip dhcp pool WIRELESS-GUEST
 network 10.0.20.0 255.255.254.0
 default-router 10.0.20.1
 dns-server 10.0.20.1 8.8.8.8
 domain-name lan-guest.gateway
 lease 0 2
!
ip dhcp pool MANAGEMENT
 network 10.0.99.0 255.255.255.128
 default-router 10.0.99.100
 dns-server 10.0.99.100 8.8.8.8
 domain-name lan.management
 lease 0 2
!
ip dhcp pool AP1
 host 10.0.99.1 255.255.255.128
 client-identifier 017c.69f6.e1d8.7d
!
ip dhcp pool AP2
 host 10.0.99.2 255.255.255.128
 client-identifier 017c.69f6.e1d9.18
!
ip dhcp pool AP3
 host 10.0.99.3 255.255.255.128
 client-identifier 017c.69f6.e1d9.78
!
ip dhcp pool LAN
 network 10.0.30.0 255.255.254.0
 default-router 10.0.30.1
 ! the line below is optional, in case you want to hand out different DNS servers than the router itself is using
 dns-server primary_dns secondary_dns
 domain-name lan.gateway
 lease 0 2
!
no ip bootp server
ip domain name lma.gateway
!
ip name-server $primary_dns
ip name-server $secondary_dns
!
login block-for 300 attempts 3 within 300
no ipv6 cef
multilink bundle-name authenticated
!
chat-script hspa "" "AT!SCACT=1,1" TIMEOUT 60 "OK"
chat-script LTE "" "AT!CALL1" TIMEOUT 20 "OK"
!
!
license udi pid CISCO1941/K9 sn $routerserialnumber
!
license accept end user agreement
license boot module c1900 technology-package securityk9 disable
license boot module c1900 technology-package datak9 disable
!
!
username ****tech privilege 0 secret 0 password
username **neteng privilege 15 secret 0 password
!
!
controller Cellular 0/0
controller Cellular 0/0
controller VDSL 0/0/0
controller VDSL 0/0/0
!
ip ssh version 2
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface GigabitEthernet0/0
 description --> WAN $WiMAX ##Mbps down/up
 ip address $public_ip subnet_mask
 ! Leave the 'access-group' lines commented out unless you are applying the ACLs at the same time
 ! ip access-group INTERNET-IN in
 ! ip access-group INTERNET-OUT out
 ip verify unicast reverse-path
 ip nat enable
 ntp disable
 no shutdown
!
!
interface GigabitEthernet0/1
 description Wired user LAN
 ip address 10.0.30.1 255.255.254.0
 ip nat enable
 duplex auto
 speed auto
 no shutdown
!
interface ATM0/0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no atm ilmi-keepalive
 ntp disable
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
!
! BT Infinity - PPPoE; interface ATM0/0/0 needs to be shut down
interface Ethernet0/0/0
 no ip address
!
interface Ethernet0/0/0.101
 encapsulation dot1Q 101
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface GigabitEthernet0/1/0
 description --> trunk to AP
 switchport trunk native vlan 99
 switchport trunk allowed vlan 1,10,20,99,1002-1005
 switchport mode trunk
 no ip address
 no shutdown
!
interface GigabitEthernet0/1/1
 description --> trunk to AP
 switchport trunk native vlan 99
 switchport trunk allowed vlan 1,10,20,99,1002-1005
 switchport mode trunk
 no ip address
 no shutdown
!
interface GigabitEthernet0/1/2
 description --> trunk to AP
 switchport trunk native vlan 99
 switchport trunk allowed vlan 1,10,20,99,1002-1005
 switchport mode trunk
 no ip address
 no shutdown
!
interface GigabitEthernet0/1/3
 description Management VLAN99 access port
 switchport access vlan 99
 no ip address
 no shutdown
!
interface Cellular0/0/0
 description WAN link to 3G Vodafone-APN
 ip address negotiated
 ip nat enable
 encapsulation slip
 dialer in-band
 dialer string hspa
 dialer-group 1
 async mode interactive
!
interface Cellular0/0/1
 no ip address
 encapsulation slip
!
interface Cellular0/0/0
 description WAN link to 4G Vodafone-APN
 ip address negotiated
 encapsulation slip
 dialer in-band
 dialer pool-member 1
 dialer-group 1
 async mode interactive
 routing dynamic
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan10
 ip address 10.0.10.1 255.255.254.0
 ip nat enable
 no shutdown
!
interface Vlan20
 ip address 10.0.20.1 255.255.254.0
 ip nat enable
 no shutdown
!
interface Vlan99
 description Etherswitch Management Interface
 ip address 10.0.99.100 255.255.255.128
 ntp broadcast
 no shutdown
!
interface Dialer0
 description BT Infinity 40Mb down / 10 Mb upload
 mtu 1492
 ip address ip.add.re.ss m.a.s.k
 ! no ip redirects   (removed due to causing VPN reconnection)
 no ip unreachables
 no ip proxy-arp
 ip nat enable
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 ntp disable
 ppp authentication pap chap ms-chap callin
 ppp chap hostname D******@hg52.btclick.com
 ppp chap password 0 ******
 ppp pap sent-username D******@hg52.btclick.com password 0 ******
 ppp ipcp dns request
 no cdp enable
!
interface Dialer0
 description BT ADSL 5Mdown/1Mup acc: WM****** no:0********
 ! for a dynamic public IP replace the line below with 'ip address negotiated'
 ip address $static_public_ip $subnet_mask
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat enable
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ntp disable
 ppp authentication chap callin
 ppp chap hostname D******@hg52.btclick.com
 ppp chap password 0 ******
 ppp pap sent-username D******@hg52.btclick.com password 0 ******
 ppp ipcp dns request
 no cdp enable
!
interface Dialer1
 ip address negotiated
 ip nat enable
 encapsulation slip
 dialer pool 1
 dialer idle-timeout 0
 dialer string LTE
 dialer persistent
 dialer-group 1
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip dns server
!
ip nat source list 1 interface Cellular0/0/0 overload
ip route 0.0.0.0 0.0.0.0 Cellular0/0/0
!
access-list 1 permit any
dialer-list 1 protocol ip permit
!
ip nat source list 1 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
access-list 1 permit any
dialer-list 1 protocol ip permit
!
ip nat source list 1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
access-list 1 permit 10.0.0.0 0.0.255.255
dialer-list 1 protocol ip permit
!
ip nat source list 1 interface Gi0/0 overload
ip route 0.0.0.0 0.0.0.0 Gi0/0
!
access-list 1 permit 10.0.0.0 0.0.255.255
!
access-list 20 remark Allow Management devices sync NTP clock
access-list 20 permit 10.0.99.0 0.0.0.127 log
access-list 20 deny any
!
!
snmp-server community contingency RO site
snmp-server enable traps entity-sensor threshold
!
!
!
control-plane
!
!
banner motd ^
This system is for COMPANY authorized use only.
It is monitored to detect improper use and other illicit activity.
There is no expectation of privacy while using this system.
^
!
line con 0
 exec-timeout 5 0
 password 0 consolepassword
 logging synchronous
 login authentication admin-con
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line 0/0/0
 exec-timeout 0 0
 script dialer hspa
 script activation hspa
 modem InOut
 no exec
line 0/0/1
 no exec
!
line 0/0/0
 exec-timeout 0 0
 script dialer LTE
 script activation LTE
 modem InOut
 no exec
!
line vty 0 4
 logging synchronous
 transport input ssh
!
scheduler allocate 20000 1000
ntp logging
ntp access-group peer 20
ntp master
!
end
- Key
- Blue - variables: passwords, host names, serial numbers
- Green - Cellular/3G card configuration
- Red - Cellular/4G card configuration
- Purple - ATM/ADSL card configuration, BT Business ADSL
- Orange - PPPoE, BT Infinity
- Grey - WAN Ethernet RJ45 from ISP
Applying VLANs
conf t
vlan 10
 name WIRELESS
vlan 20
 name GUEST-WIRELESS
vlan 99
 name MANAGEMENT&NATIVE
^Z
- Verify
R1#sh vlan-switch

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/1/1, Gi0/1/2
10   WIRELESS                         active
20   GUEST-WIRELESS                   active
99   MANAGEMENT&NATIVE                active    Gi0/1/3
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        1002   1003
10   enet  100010     1500  -      -      -        -    -        0      0
20   enet  100020     1500  -      -      -        -    -        0      0
99   enet  100099     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        1      1003
1003 tr    101003     1500  1005   0      -        -    srb      1      1002
1004 fdnet 101004     1500  -      -      1        ibm  -        0      0
1005 trnet 101005     1500  -      -      1        ibm  -        0      0
Apply Access Lists
Make sure you are connected through a console cable, as applying the access lists over the network may lock you out.
- Variables
- $WAN = the WAN interface: Dialer1, ATM0/0/0 or Gi0/0/0
ip access-list extended INTERNET-OUT
 permit tcp any any reflect REMEMBER timeout 300
 permit udp any any reflect REMEMBER timeout 300
 permit icmp any any reflect REMEMBER timeout 300
 deny ip any any log
!
ip access-list extended INTERNET-IN
 permit udp any eq domain any
 permit tcp any any eq 22
 permit icmp host $monitoring_host_ip any echo
 evaluate REMEMBER
 deny ip any any log
!
! Apply access lists to the WAN interface
!
interface $WAN
 ip access-group INTERNET-IN in
 ip access-group INTERNET-OUT out
Disable unnecessary services
no ip source-route
ip options drop
no ip http server
no ip http secure-server
no service tcp-small-servers
no service udp-small-servers
service tcp-keepalives-in
service tcp-keepalives-out
no ip bootp server
no ip finger
no ip identd
no service config
no lldp run
no service pad
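To confirm that a router's saved configuration actually carries this baseline, the following Python script (an added example, not part of the original page) audits a running-config text against the list above. IOS only prints non-default settings, so the audit distinguishes items that must appear as an explicit 'no ...' line from services that are off as long as their enabling line is absent, and it also reports the missing commands. The configuration embedded in it is constructed and deliberately misses three items.

```python
"""Audit an IOS running-config against the 'disable unnecessary services'
baseline from this page. Added example, not from the original page.

Each check is (description, line that must be present, line that must be absent).
IOS writes 'no ip source-route', 'no ip http server', 'no ip bootp server',
'no service pad' and the keepalive lines explicitly when they are set, so those
are required; small servers, finger, identd, 'service config' and 'lldp run' are
off by default and only show up when enabled, so those must be absent.
"""

BASELINE = [
    ("source routing disabled",     "no ip source-route",         None),
    ("IP options dropped",          "ip options drop",            None),
    ("HTTP server disabled",        "no ip http server",          "ip http server"),
    ("HTTPS server disabled",       "no ip http secure-server",   "ip http secure-server"),
    ("TCP small servers disabled",  None,                         "service tcp-small-servers"),
    ("UDP small servers disabled",  None,                         "service udp-small-servers"),
    ("TCP keepalives in",           "service tcp-keepalives-in",  None),
    ("TCP keepalives out",          "service tcp-keepalives-out", None),
    ("BOOTP server disabled",       "no ip bootp server",         None),
    ("finger disabled",             None,                         "ip finger"),
    ("identd disabled",             None,                         "ip identd"),
    ("config autoload disabled",    None,                         "service config"),
    ("LLDP disabled",               None,                         "lldp run"),
    ("PAD disabled",                "no service pad",             "service pad"),
]

# Constructed sample running-config: HTTP is still on, LLDP is on and
# 'no ip source-route' is missing. Everything else meets the baseline.
SAMPLE_CONFIG = """\
version 15.2
service timestamps log datetime msec
service password-encryption
!
hostname lab-r1
!
ip cef
ip http server
no ip http secure-server
ip options drop
no ip bootp server
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
lldp run
!
interface GigabitEthernet0/1
 ip address 10.0.30.1 255.255.254.0
!
end
"""


def global_lines(config: str) -> set:
    """Top-level (non-indented) config lines with whitespace normalised,
    ignoring blank lines and '!' comments. Interface sub-commands are indented
    and therefore excluded, so an interface-level 'no ip ...' never satisfies
    a global check."""
    lines = set()
    for line in config.splitlines():
        if not line or line[0].isspace() or line.startswith("!"):
            continue
        lines.add(" ".join(line.split()))
    return lines


def audit(config: str) -> list:
    """Descriptions of baseline items the config does not meet, in baseline order."""
    present = global_lines(config)
    failures = []
    for desc, required, forbidden in BASELINE:
        if required is not None and required not in present:
            failures.append(desc)
        elif forbidden is not None and forbidden in present:
            failures.append(desc)
    return failures


def remediation(config: str) -> list:
    """IOS global commands that would bring the config into line with the baseline."""
    present = global_lines(config)
    commands = []
    for _, required, forbidden in BASELINE:
        if required is not None and required not in present:
            commands.append(required)
        elif forbidden is not None and forbidden in present:
            commands.append("no " + forbidden)
    return commands


if __name__ == "__main__":
    for item in audit(SAMPLE_CONFIG):
        print("FAIL:", item)
    print("remediation:")
    for cmd in remediation(SAMPLE_CONFIG):
        print(" ", cmd)
```

Paste the output of 'show running-config' into a file and pass its contents to audit(); an empty list means every item of the baseline is in place at the global level.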
Verify that you still have access to the Internet.
Configure NTP
- Router NTP config
! Protect time sync: only hosts permitted by the access-list may sync
access-list 20 remark Allow Management devices sync NTP clock
access-list 20 permit 10.0.99.0 0.0.0.127
access-list 20 deny any log
! Disable sending ntp messages on WAN interfaces
interface Dialer 0
 ntp disable
interface Vlan99
 ntp broadcast
interface ATM0/0/0
 ntp disable
ntp logging
ntp access-group peer 20
ntp master
- Access point NTP config
sntp server 10.0.99.100
Configure SNMP
! protect snmp RO (readonly) with access-list
access-list 60 remark Access to read SNMP messages
access-list 60 permit 10.0.10.0 0.0.1.255
access-list 60 permit 10.0.99.0 0.0.0.127
access-list 60 deny any log
! SNMP configuration
snmp-server community hardpassword RO 60
snmp-server location BuildingID
snmp-server contact AdminID
! log wrong community string attempts
logging snmp-authfail
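Both the NTP guard (access-list 20) and the SNMP guard (access-list 60) are numbered standard access lists whose wildcard masks decide which management hosts are accepted. The following Python code, an added example that is not part of the original page, parses those two lists as written above and evaluates addresses against them with IOS first-match semantics and the implicit deny at the end; it also expands a contiguous wildcard into the address range it covers, which is a quick way to confirm that a mask such as 0.0.1.255 admits exactly the hosts intended. The test addresses are constructed.

```python
"""Evaluate IOS numbered standard access lists (wildcard masks).
Added example, not from the original page. The ACL text below is copied from
the NTP and SNMP sections of the page; the addresses tested are constructed."""
import ipaddress

PAGE_ACLS = """\
access-list 20 remark Allow Management devices sync NTP clock
access-list 20 permit 10.0.99.0 0.0.0.127
access-list 20 deny any log
access-list 60 remark Access to read SNMP messages
access-list 60 permit 10.0.10.0 0.0.1.255
access-list 60 permit 10.0.99.0 0.0.0.127
access-list 60 deny any log
"""

ALL_ONES = 0xFFFFFFFF


def parse_standard_acl(text: str) -> dict:
    """Parse 'access-list N permit|deny (any | host A | A [wildcard]) [log]' lines
    into {N: [(action, network_int, wildcard_int), ...]}, preserving order.
    'remark' lines are skipped; a missing wildcard means a single host (0.0.0.0)."""
    acls = {}
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) < 4 or parts[0] != "access-list" or parts[2] == "remark":
            continue
        number, action = int(parts[1]), parts[2]
        if action not in ("permit", "deny"):
            raise ValueError(f"unexpected action in: {raw!r}")
        target = parts[3:]
        if target[-1] == "log":            # logging keyword does not affect matching
            target = target[:-1]
        if target == ["any"]:
            net, wc = 0, ALL_ONES
        elif target[0] == "host":
            net, wc = int(ipaddress.IPv4Address(target[1])), 0
        else:
            net = int(ipaddress.IPv4Address(target[0]))
            wc = int(ipaddress.IPv4Address(target[1])) if len(target) > 1 else 0
        acls.setdefault(number, []).append((action, net, wc))
    return acls


def evaluate(acl: list, address: str) -> str:
    """First matching entry wins; with no match the implicit 'deny' applies.
    A wildcard bit of 1 means 'don't care', so only bits where the mask is 0
    are compared."""
    addr = int(ipaddress.IPv4Address(address))
    for action, net, wc in acl:
        care = ~wc & ALL_ONES
        if (addr & care) == (net & care):
            return action
    return "deny"


def wildcard_range(network: str, wildcard: str) -> tuple:
    """First and last address covered by a contiguous wildcard (0...01...1 form)."""
    net = int(ipaddress.IPv4Address(network))
    wc = int(ipaddress.IPv4Address(wildcard))
    if (wc + 1) & wc:
        raise ValueError("non-contiguous wildcard masks cover a discontiguous set")
    first = ipaddress.IPv4Address(net & ~wc & ALL_ONES)
    last = ipaddress.IPv4Address(net | wc)
    return str(first), str(last)


if __name__ == "__main__":
    acls = parse_standard_acl(PAGE_ACLS)
    # Constructed test hosts: an AP on the management VLAN, a wireless client,
    # a guest client and a host in the upper half of 10.0.99.0/25.
    for host in ("10.0.99.3", "10.0.11.77", "10.0.20.5", "10.0.99.200"):
        print(f"{host:<12} ACL 20 (NTP): {evaluate(acls[20], host):<6} "
              f"ACL 60 (SNMP): {evaluate(acls[60], host)}")
    print("10.0.10.0 0.0.1.255 covers", wildcard_range("10.0.10.0", "0.0.1.255"))
```

The management /25 in this design stops at 10.0.99.127, so a host such as 10.0.99.200 falls outside both guards even though it shares the first three octets; checking candidate addresses this way before changing an ACL avoids locking a monitoring host out of SNMP or NTP.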
- Test
Device
snmpstatus -c 'communitystring' -v2c DEV_IP_ADDRESS
List of interfaces
snmpwalk -c 'communitystring' -v2c 10.0.99.100 .1.3.6.1.2.1.2.2.1.2
iso.3.6.1.2.1.2.2.1.2.1 = STRING: "Embedded-Service-Engine0/0"
iso.3.6.1.2.1.2.2.1.2.2 = STRING: "GigabitEthernet0/0"
iso.3.6.1.2.1.2.2.1.2.3 = STRING: "GigabitEthernet0/1"
<-- output omitted -->
iso.3.6.1.2.1.2.2.1.2.15 = STRING: "Vlan20"
iso.3.6.1.2.1.2.2.1.2.16 = STRING: "Vlan99"
iso.3.6.1.2.1.2.2.1.2.17 = STRING: "Dialer1"
Uptime
snmpget -M MIBs -v1 -c hardpassword 10.0.99.100 .1.3.6.1.2.1.1.3.0
iso.3.6.1.2.1.1.3.0 = Timeticks: (591121) 1:38:31.21
Basic AP config with WPA2-PSK auth
- Default account credentials on the access point
Username: Cisco
Password: Cisco
Enable mode: Cisco
- Remember to issue 'no shutdown' on the radio interfaces, as these are administratively down on a brand new access point. 'no shutdown' is included in the config below for interface Dot11Radio0.
- Remember to change the passwords and the AP 'hostname' when deploying the config.
- Not sure why, but when applying the config the BVI1 interface does not take any changes.
- Remember to set a domain name and generate a crypto key, otherwise you will not be able to log in using SSH; follow the steps below:
conf t
hostname ap1
ip domain name home.gateway
! the key label for hostname ap1 and ip domain name home.gateway will be ap1.home.gateway
crypto key generate rsa label ap1.home.gateway general-keys modulus 1024
! Last configuration change at 01:54:45 UTC Mon Mar 1 1993 by tech
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap1
!
!
logging rate-limit console 9
enable secret secretpassword
!
aaa new-model
!
!
aaa authentication password-prompt LocalPassword:
aaa authentication username-prompt LocalUsername:
aaa authentication login default local
aaa authorization exec default local
!
!
!
!
!
aaa session-id common
no ip routing
no ip cef
ip domain name home.gateway
!
!
!
dot11 syslog
dot11 vlan-name Management vlan 99
dot11 vlan-name Wireless vlan 10
dot11 vlan-name Wireless-guest vlan 20
!
dot11 ssid DS_Guest
 vlan 20
 authentication open
 authentication key-management wpa version 2
 mbssid guest-mode
 wpa-psk ascii 0 guestpassword
!
dot11 ssid DS_MGM
 vlan 99
 authentication open
 authentication key-management wpa version 2
 ! mbssid guest-mode commented out to prevent broadcasting the BSSID
 wpa-psk ascii 0 managementpassword
!
dot11 ssid DS_WPA2
 vlan 10
 authentication open
 authentication key-management wpa version 2
 mbssid guest-mode
 wpa-psk ascii 0 wirelesspassword
!
!
crypto pki token default removal timeout 0
!
!
username tech privilege 1 secret 0 techpassword
username admin privilege 15 secret 0 adminpassword
!
ip ssh time-out 180
ip ssh authentication-retries 5
ip ssh version 2
bridge irb
!
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers aes-ccm
 !
 encryption vlan 10 mode ciphers aes-ccm
 !
 encryption vlan 20 mode ciphers aes-ccm
 !
 encryption vlan 99 mode ciphers aes-ccm
 !
 ssid DS_Guest
 !
 ssid DS_MGM
 !
 ssid DS_WPA2
 !
 antenna gain 0
 stbc
 beamform ofdm
 mbssid
 station-role root
 no shutdown
!
interface Dot11Radio0.10
 encapsulation dot1Q 10
 no ip route-cache
 bridge-group 10
 bridge-group 10 subscriber-loop-control
 bridge-group 10 spanning-disabled
 bridge-group 10 block-unknown-source
 no bridge-group 10 source-learning
 no bridge-group 10 unicast-flooding
!
interface Dot11Radio0.20
 encapsulation dot1Q 20
 no ip route-cache
 bridge-group 20
 bridge-group 20 subscriber-loop-control
 bridge-group 20 spanning-disabled
 bridge-group 20 block-unknown-source
 no bridge-group 20 source-learning
 no bridge-group 20 unicast-flooding
!
interface Dot11Radio0.99
 encapsulation dot1Q 99 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 antenna gain 0
 no dfs band block
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface GigabitEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 no shutdown
!
interface GigabitEthernet0.10
 encapsulation dot1Q 10
 no ip route-cache
 bridge-group 10
 bridge-group 10 spanning-disabled
 no bridge-group 10 source-learning
!
interface GigabitEthernet0.20
 encapsulation dot1Q 20
 no ip route-cache
 bridge-group 20
 bridge-group 20 spanning-disabled
 no bridge-group 20 source-learning
!
interface GigabitEthernet0.99
 encapsulation dot1Q 99 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 spanning-disabled
 no bridge-group 1 source-learning
!
interface BVI1
 ip address dhcp client-id GigabitEthernet0
 no ip route-cache
 no shutdown
!
ip forward-protocol nd
ip http server
ip http authentication aaa
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
!
!
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
 transport input ssh
sntp server 10.0.99.100
!
end
- Enable sending logs to syslog server
logging source-interface GigabitEthernet0
logging 10.0.10.5
Configure WPA2 from WEB
- Security > Encryption Manager
- Set Encryption Mode and Keys for VLAN: from drop down menu
- Tick Cipher and from drop down menu AES CCMP
- Security > SSID Manager
- Select <NEW>
- Type SSID_name into SSID box
- Select VLAN
- Tick Interface Radio0 (2.4 GHz)
- Key Management: Mandatory
- Tick: Enable WPA and select WPAv2 from drop down menu
- Enter your WPA Pre-shared Key into a box
- Enable SSID broadcast in beacons (requires enabling per SSID)
- Go to section: Multiple BSSID Beacon Settings
- Check: Set SSID as Guest Mode
- Press Apply
- Enable multiple SSIDs to be broadcasted (requires enabling once per AP/radio)
- Go to section: Guest Mode/Infrastructure SSID Settings
- Check: Multiple BSSID
- Press Apply
- Error message when ticking CCKM
ERROR: VLAN 99 cannot support CCKM. Set 'Encryption Mode' to 'Cipher' on all radio interfaces before selecting CCKM (See Security> Encryption Manager).
- Error message when enabling WPA
ERROR: VLAN 99 cannot support WPA optional. Set 'Encryption Mode' to 'Cipher', 'TKIP + WEP 40 bit' or 'TKIP + WEP 128 bit'
or 'AES CCMP + TKIP + WEP 40 bit', or 'AES CCMP + TKIP + WEP 128 bit' on all radio interfaces before selecting WPA.
(See Security> Encryption Manager)
To set the correct 'Key Management', follow the steps below:
STEP 1: Set the 'Key Management' to 'None'.
STEP 2: Set the 'Cipher' to 'TKIP' or 'AES CCMP' or 'AES CCMP + TKIP'. (see Security>Encryption Manager)
STEP 3: Set the 'Authenticated Key Management' to 'WPA' and 'Mandatory'.
References
- Cisco Aironet 1600 Series Access Points Getting Started Guide, December, 2012 Revised: April 16, 2013
- Cisco Aironet 1600 Series Access Point Data Sheet
- Wireless LAN Controller and Lightweight Access Point Basic Configuration Example
- Cisco IOS Software Configuration Guide for Cisco Aironet Access Points for Cisco IOS Releases 15.2(4)JA
- VLANs on Aironet Access Points Configuration Example
- Release Notes for Cisco Aironet Access Points and Bridges for Cisco IOS Release 15.2(2)JB (default behaviour changes on APs prior to IOS 15)
- Password Recovery Procedure for the Cisco 1900 Integrated Services Router