For an IT guy in today's economy, you have to make good decisions and keep costs down. Not all of us can afford all the high-end equipment we want, and even if we can we can't afford to pay consultants to keep them running. In the interest of sharing what I've learned to help others in my situation, here is how I connected a Cisco 881W router to a DHCP-fed Internet connection.
First, just a little about the 881W. It's best to think of it as two routers inside one box, with a hidden ethernet cable linking them. The normal router and the wireless router are completely separate—they both have their own IOS (Cisco's operating system) and configuration files.
Also, remember that none of the changes you will make are permanent until you write the config to memory. You can mess the config up seven ways from Sunday and just pull the plug, power up and start all over again from the beginning. In fact, I strongly recommend doing it once or twice. Make all your changes and test to make sure it's working perfectly before you do any writing of the config to memory.
When you're ready to start configuring it, plug it into a switch from the FastEthernet0 (FE/0) port. The router's default address is 10.10.10.1 with a netmask of 255.255.255.248, which gives you a usable range of 10.10.10.1 to 10.10.10.6. I don't remember now if it had DHCP configured from the factory, so if you get an address, you're ready to go, but if not, you can set it manually for now (make sure you use one in the network range!), or you can plug into it via the serial cable if you're lucky enough to have a nearby machine that still has a serial port. I went the serial way and used minicom from my Linux laptop to get started.
If you're on the network with the router, you can telnet to it and open up a session. With minicom, just start it up. The default login is cisco and so is the password. You'll get a welcome screen and it's probably telling you that the login you just used is a one-time-only thing. Don't panic if you screw up, just reboot the router and you can use it again.
The first thing you'll want to do is set up a superuser. At the prompt, type
configure terminal (or just conf t), and then
username scurvyjake privilege 15 secret 0 password
substituting your name and password where appropriate.
Cisco's IOS has a lot of built-in help for you. Hit the ?key to get a list of commands or arguments you can use from the context in which you currently are.
Type exit and then show run (to show the running-config). It's paged like less in Linux, hit space to advance through it.
Pretty much all of the work you need to do is under the configure terminal section, so go ahead and type that back in again.
You can set the system's hostname with, you guessed it, the hostname command:
hostname ScurvyRouter
You may have a DHCP pool in a network that you don't want, so use the no version of the command to get rid of it
no ip dhcp pool ccp-pool (my default pool was called ccp-pool)
Create a DHCP pool for your network. I'm assuming you want to give your router the address 10.20.30.1 and serve out DHCP addresses from 10.20.30.100 to 10.20.30.200:
ip dhcp pool myDHCPpool
import all
network 10.20.30.0 255.255.255.0
default-router 10.20.30.1
dns-server aaa.bbb.ccc.ddd eee.fff.ggg.hhh
lease 1 (for a 1-day DHCP lease timeout)
exit
ip dhcp excluded-address 10.20.30.1 10.20.30.99
ip dhcp excluded-address 10.20.30.201 10.20.30.254
You should set up some name servers for the router itself:
ip name-server aaa.bbb.ccc.ddd
ip name-server eee.fff.ggg.hhh
You can also set your domain name like so:
ip domain name bogomip.net
Configure your WAN port (FastEthernet4) for DHCP:
interface FastEthernet4
ip address dhcp
ip nat outside
exit
Configure your internal interfaces for trunking so you can move VLAN packets around between the wired and wireless networks:
interface FastEthernet0
switchport mode trunk
exit
Configure your VLAN, and set your router's home address on it:
interface Vlan1
ip address 10.20.30.1 255.255.255.0
ip nat inside
exit
You probably have to fix the default access list (mine was 23) to allow access from your new network:
no access-list 23
access-list 23 permit 10.20.30.0 0.0.0.255 (reverse of normal netmasks!)
Now if you don't overload theFE/4 WAN port you'll never get out, so make sure you run this:
ip nat inside source list 23 interface FastEthernet4 overload
And the last thing you'll really need is your gateway. The easiest way to find this is to plug some other device into your incoming Internet connection and see what it hands you as an address and gateway. We don't care what address and netmask it gives you because the router will get those by itself, but you have to configure the gateway by hand. This is not an off-the-shelf router, and it's not intuitive, but you'll never get out without it:
ip route 0.0.0.0 0.0.0.0 www.xxx.yyy.zzz
Part Two, the Wireless Side
To connect to your wireless router, use the following command while you're connected to the main router:
service-module wlan-ap0 session (hit enter a second time if the prompt doesn't come up)
You will be connected to the access point (AP) side now (remember how I said it was like two separate boxes?). Log in with the same 'cisco' username and password you did earlier.
Configure your new username just like before also:
configure terminal
no username cisco
username scurvyjake privilege 15 secret 0 password
hostname ScurvyAP
FIrst off, your router may have a horribly buggy IOS installed on it. Check to make sure you're not running the awful 12.4.21(a)JA1 version:
exit
show version
If you see 12.4.21(a)JA1 you must replace it with an IOS that actually works. To do this, install a TFTP server (I used TFTP32 on a Windows laptop) on the same network as the Cisco router. Download a working version (I used 12.4.10(b)JDA3) from Cisco's site. Good luck finding it, I wish you all the best. If you do it in less than 20 minutes you are either a savant or have previously spent hours perusing Cisco's site.
Put the new IOS in the TFTP server's directory, then run this from the AP's command line (not in configure terminal mode):
archive download-sw /overwrite /reload tftp://10.20.30.xx/name-of-image-you-downloaded
Let it run the update, it will reboot itself.
Now for the fun stuff: the wireless network! I'm assuming you want to use WPA. You're on your own here if you don't.
configure terminal
interface Dot11Radio0
encryption vlan 1 mode ciphers tkip
ssid My SSID Name
no shutdown (it's probably off by default)
station-role root (I'm assuming this is your only wireless device!)
exit
dot11 ssid My SSID Name
Vlan 1
authentication open
authentication key-management wpa
wpa-psk ascii 0 MyWirelessNetworkPassword
guest-mode
exit
dot11 network-map (I don't remember what this does)
Configure the AP's VLAN address:
interface BVI1
ip address 10.20.30.2 255.255.255.0 (this may take a few seconds)
exit
You will now be able to put the router's internal connection to the AP in trunking mode. To switch back to the router's shell, hit Ctrl 6, then x. Then type:
configure terminal
interface Wlan-GigabitEthernet0
switchport mode trunk
exit
Go back to the AP with the service-module command:
service-module wlan-ap0 session
Add the AP's gateway:
configure terminal
ip default-gateway 10.20.30.1
Configure the radio interface for Vlan1
interface Dot11Radio0.1 (use .2 for VLAN 2, etc)
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
exit
And the ethernet connection for the AP as well:
interface GigabitEthernet0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
exit
Once you know the AP is working properly, exit config mode and save the configuration to permanent memory:
write memory
Switch back to the router (Ctrl-6, x). To permanently close the AP session you opened, you can issue the command:
service-module wlan-ap0 session clear or just exit and the suspended connection will terminate.
Save the configuration of the router to memory as well:
write mem.
Be advised that the very next thing you'll want to do is configure a firewall. I recommend Cisco Configuration Professional (CCP) to help you get started.
If this helped you get your project going, or saved you from a $200/hour Cisco consultant bill, consider sharing information like this with someone else, or buy me something from my Amazon wishlist or a pizza or something.
I just want to say, i will be trying this out. i just got a 881w off of ebay. ill be using it for fun, and for a home router solution.
isp(comcast)--->docsis3 modem--->881w~~~>wireless bridge in the computer room--->switch--->pc's
and isp(comcast)--->docsis3 modem--->881w~~~>wireless laptops, gaming devices etc...
last night, before i found your article, i was able to console in over serial. usb>serial is a good thing. but cisco needs to upgrade to usb console.
first thing i did was power on the router and reset it to factory defaults.
then
en
service-module wlan-ap 0 reset default-config
service-module wlan-ap 0 reset
after that, to begin testing i connected a current connection to the FE/4 wan port
and my pc(win7ultx64) to fe/0
first, no DHCP on the 881w by default. so second i manually set my IP to 10.10.10.4 255.255.255.248
i am not able to access or ping the router.
so i do a sh run and it tels me that all the ports are shut
so i do a no shut on fe/4 and fe/0
then on fe/4 router#(confit-if)ip address dhcp
i can then see it is assigned an ip address from my network. 192.168.0.xxx
from here, i still dont have access to the web interface.
so i have to go to router#(config) and do
ip http server
ip http secure-server
ip http authentication local
and doing line vty 0 4
transport input telnet
transport input telnet ssh
from this point i am able to access CP from the WAN address using a seperate machine on the existing network.
i can do some basic things in there like set the vlan1 ip and subnet
turn on dhcp etc.
the wireless tab lets me set the ap hostname
so i then change my machine back to DHCP while connected to fe/0 and i get an ip address in the 10.10.10.100 10.10.10.150 range which i set in CP from the other computer.
so from my machine i am able to hit the web interface from 10.10.10.1
!now this is where i get messed up!
i am not able to access the AP web interface as i need to replace the IOS
so via console i do
int wlan-ap0
ip address 10.10.10.20 255.255.255.0
and here i get a conflict saying it is in the range of vlan1
so i set it to 10.10.20.1 255.255.255.0
service-module wlan-ap 0 session
from there i get
ap#
from this i need to TFTP back to my desk and get the new IOS loaded but i cannot ping my desk on ip 10.10.10.100 as it says it is un avaialbe
so i do a ctrl^6 x disconnect
and at router# i can ping 10.10.10.100 succesfully
so that is where i am at.
also, not as important as i will figure it out once i get gui access to the ap.
i cannot get to the outside world from my dektop--->switch--->wireless bridge~~~>881w--->modem--->isp
i assume that is because i do not have NAT setup but i dont know.
any help would be greatly appreciated.
The only thing missing from your article was this - since I have residential cable modem service, my ip is dynamic, so for me I had to set my gateway to dhcp:
ip route 0.0.0.0 0.0.0.0 dhcp
I can't begin to explain what infinite amounts of time this article has saved me with initial config and deployment of our new 881w. The only problem remaining is that to get 12.4.10(b)JDA3 from Cisco's download site requires a service contract (ugh). Were you able to find a copy on the vast interwebs somewhere? Infinite thanks again from a fellow browncoat.
Thanks, this is exactly why I wrote it!
So excited to have found this, it's exactly what I needed to get me started. The only other thing I was curious about is whether or not it's then easy to configure the 881-w to support ASDM connections and do the rest of the wireless stuff via GUI config. Going to search for that now.
What you should be setting for your default route is the interface, that way if the ISP changes the default gateway you aren't screwed:
ip route 0.0.0.0 0.0.0.0 FastEthernet4
@Jason Beatty ... you can use the Cisco Configuration Professional tool for GUI management. It really makes this process a lot simpler for those of us who like the visual picture of things.
@Scurvy Jake ... thanks for this information. It has been a big help!
PS-- do you mind sharing what about the default firmware was problematic for you?
Hello, thanks for the great guide.
I just want to point out that the Cisco 881W can also be configured as a lightweight AP. Some people might be confused as they cannot configure the AP.
This would be because the AP is set as a lightweight AP.
To configure the AP as an autonomous AP:
service-module wlan-ap 0 bootimage autonomous
To configure the AP as a lightweight AP:
service-module wlan-ap 0 bootimage unified
Yarr, she blows!
What kind of pizza? Definitely saved me an hour or so
Thanks Scurvy jake for the help,
I followed everything and most of it is working. The only thing that isn't working is my connection to the internet.
When I do an ipconfig /all, my wireless IP on my computer is not in the same subnet as my vlan 1. Is this correct?
Also, my wireless IP on my computer does not have a default gateway. I am guessing this is part of the problem.
One more thing I noticed under the fa4 port is that it does not have an ip address. The config looks like this.
interface fastethernet 4
ip address dhcp
ip nat outside
Should the above config be getting an ip address from dhcp?
I put it in my vlan 1 domain and it didn't work.
In review,
ISP-->modem-->881w-->built in AP-->computer
(fa4 dhcp) vlan 1 ip not in vlan 1
Sorry if this is confusing, but any help would be awesome.
thanks,
Sean
I am thinking it my be the ip route 0.0.0.0 0.0.0.0 dhcp that i am missing because my default gateway might be dynamic like smandrake said.
Has anyone else seen a similar problem?
I run a troubleshoot on my windows 7 pc and it says my ip address is wrong for my wireless ip address.
Tried this and it didn't work. Anybody out there have any idea what I am doing wrong?
Hi Jake, thank you for the wonderful guide, saved me tons of effort and time...
Btw, just to check if you have any issues with you ccp, I was able to launch it the 1st time but subsequently, I can't... It just gives me a blank page whenever I try to launch it, any idea what's wrong with it?
Once again, thanks for the guide... I truly appreciate it!
I put a space between the wlan-ap 0 see below
service-module wlan-ap 0 session
but I get the invalid ^
When do service-module wlan-ap 0?
I get
"autonomous bootimage boot image"
so that tells me session is not a valid option
Up a level, when I go "show run" I see that wlan-ap does not have an IP address.
this is my first wireless cisco and your setting were bang on go the router side configured then followed your advice for the ap side. Thanks
hello friends
i have configerd my Cisco router 881 but the wireless is not configer i tried bat it wasn't work any one help me
Thanks
This was AWESOME. The only problem I have is with the line: dns-server aaa.bbb.ccc.ddd. Is this for a external DNS Server? Like Google 8.8.8.8? I can't seem to get a External IP.
Hi,
Can anybody please post the original configuration of the 881w? I'd like to restore mine but did not back it up.
Thank you so much! After trying myself to plug in all the info (using cisco setup commands, resetting the router, using the newest CCP Express 2.6 interface, resetting the router again, etc), it still did not work. We used a static IP for the router and not enabled DHCP. Had to bring in a Cicso Certified Tech who double-checked my settings and could not see where the problem was. When he mentioned "ip nat..." I gave him your solution. The only commands he had to poke in were these (he was surprised they were not automatic too):
ip nat outside (for the FastEthernet4)
ip nat inside (for the Vlan1)
no access-list...
access-list...
ip nat inside source list... overload
I found that in CCP Express, the ROUTING for the NEXT HOP is where my Gateway numbers needed to be entered (needed since we have a staic IP from our ISP), and that created the ip route line.
One additional step was to unplug and re-plugged in the cat5 going into our ISPs box. All is working great! Thanks!
Thanks. My bacon was well and truly saved with this guide. I wasn't able to exit the AP ios using CTRL-6 (using a console connection). Quite annoying, but I got back to the router ios with a separate ssh session.
Also, I couldn't login to the AP until I had given the interface an ip address and I wasn't sure if it should be on the same subnet as the other vlan. I put it on a different subnet and it worked ok.