Configuring a Cisco 881W
Morning watch, 8 bells (8:08 am)

For an IT guy in today's economy, you have to make good decisions and keep costs down. Not all of us can afford all the high-end equipment we want, and even if we can, we can't afford to pay consultants to keep it running. In the interest of sharing what I've learned to help others in my situation, here is how I connected a Cisco 881W router to a DHCP-fed Internet connection.

First, just a little about the 881W. It's best to think of it as two routers inside one box, with a hidden ethernet cable linking them. The normal router and the wireless router are completely separate—they both have their own IOS (Cisco's operating system) and configuration files.

Also, remember that none of the changes you will make are permanent until you write the config to memory. You can mess the config up seven ways from Sunday and just pull the plug, power up and start all over again from the beginning. In fact, I strongly recommend doing it once or twice. Make all your changes and test to make sure it's working perfectly before you do any writing of the config to memory.

When you're ready to start configuring it, plug it into a switch from the FastEthernet0 (FE/0) port. The router's default address is 10.10.10.1 with a netmask of 255.255.255.248, which gives you a usable range of 10.10.10.1 to 10.10.10.6. I don't remember now if it had DHCP configured from the factory, so if you get an address, you're ready to go, but if not, you can set it manually for now (make sure you use one in the network range!), or you can plug into it via the serial cable if you're lucky enough to have a nearby machine that still has a serial port. I went the serial way and used minicom from my Linux laptop to get started.

If you're on the network with the router, you can telnet to it and open up a session. With minicom, just start it up. The default login is cisco and so is the password. You'll get a welcome screen, and it's probably telling you that the login you just used is a one-time-only thing. Don't panic if you screw up; just reboot the router and you can use it again.

The first thing you'll want to do is set up a superuser. At the prompt, type
configure terminal (or just conf t), and then
username scurvyjake privilege 15 secret 0 password
substituting your name and password where appropriate.

Cisco's IOS has a lot of built-in help for you. Hit the ? key to get a list of commands or arguments you can use from the context in which you currently are.

Type exit and then show run (to show the running-config). It's paged like less in Linux; hit space to advance through it.

Pretty much all of the work you need to do is under the configure terminal section, so go ahead and type that back in again.

You can set the system's hostname with, you guessed it, the hostname command:
hostname ScurvyRouter

You may have a DHCP pool in a network that you don't want, so use the no version of the command to get rid of it:
no ip dhcp pool ccp-pool (my default pool was called ccp-pool)

Create a DHCP pool for your network. I'm assuming you want to give your router the address 10.20.30.1 and serve out DHCP addresses from 10.20.30.100 to 10.20.30.200:
ip dhcp pool myDHCPpool
import all
network 10.20.30.0 255.255.255.0
default-router 10.20.30.1
dns-server aaa.bbb.ccc.ddd eee.fff.ggg.hhh
lease 1 (for a 1-day DHCP lease timeout)
exit
ip dhcp excluded-address 10.20.30.1 10.20.30.99
ip dhcp excluded-address 10.20.30.201 10.20.30.254

You should set up some name servers for the router itself:
ip name-server aaa.bbb.ccc.ddd
ip name-server eee.fff.ggg.hhh

You can also set your domain name like so:
ip domain name bogomip.net

Configure your WAN port (FastEthernet4) for DHCP:
interface FastEthernet4
ip address dhcp
ip nat outside
exit

Configure your internal interfaces for trunking so you can move VLAN packets around between the wired and wireless networks:
interface FastEthernet0
switchport mode trunk
exit

Configure your VLAN, and set your router's home address on it:
interface Vlan1
ip address 10.20.30.1 255.255.255.0
ip nat inside
exit

You probably have to fix the default access list (mine was 23) to allow access from your new network:
no access-list 23
access-list 23 permit 10.20.30.0 0.0.0.255 (reverse of normal netmasks!)

Now if you don't overload the FE/4 WAN port you'll never get out, so make sure you run this:
ip nat inside source list 23 interface FastEthernet4 overload

And the last thing you'll really need is your gateway. The easiest way to find this is to plug some other device into your incoming Internet connection and see what it hands you as an address and gateway. We don't care what address and netmask it gives you because the router will get those by itself, but you have to configure the gateway by hand. This is not an off-the-shelf router, and it's not intuitive, but you'll never get out without it:
ip route 0.0.0.0 0.0.0.0 www.xxx.yyy.zzz

Part Two, the Wireless Side

To connect to your wireless router, use the following command while you're connected to the main router:
service-module wlan-ap0 session (hit enter a second time if the prompt doesn't come up)

You will be connected to the access point (AP) side now (remember how I said it was like two separate boxes?). Log in with the same 'cisco' username and password you did earlier.

Configure your new username just like before also:
configure terminal
no username cisco
username scurvyjake privilege 15 secret 0 password
hostname ScurvyAP

First off, your router may have a horribly buggy IOS installed on it. Check to make sure you're not running the awful 12.4.21(a)JA1 version:
exit
show version

If you see 12.4.21(a)JA1 you must replace it with an IOS that actually works. To do this, install a TFTP server (I used TFTP32 on a Windows laptop) on the same network as the Cisco router. Download a working version (I used 12.4.10(b)JDA3) from Cisco's site. Good luck finding it, I wish you all the best. If you do it in less than 20 minutes you are either a savant or have previously spent hours perusing Cisco's site.

Put the new IOS in the TFTP server's directory, then run this from the AP's command line (not in configure terminal mode):
archive download-sw /overwrite /reload tftp://10.20.30.xx/name-of-image-you-downloaded
Let it run the update; it will reboot itself.

Now for the fun stuff: the wireless network! I'm assuming you want to use WPA. You're on your own here if you don't.
configure terminal
interface Dot11Radio0
encryption vlan 1 mode ciphers tkip
ssid My SSID Name
no shutdown (it's probably off by default)
station-role root (I'm assuming this is your only wireless device!)
exit

dot11 ssid My SSID Name
Vlan 1
authentication open
authentication key-management wpa
wpa-psk ascii 0 MyWirelessNetworkPassword
guest-mode
exit

dot11 network-map (I don't remember what this does)

Configure the AP's VLAN address:
interface BVI1
ip address 10.20.30.2 255.255.255.0 (this may take a few seconds)
exit

You will now be able to put the router's internal connection to the AP in trunking mode. To switch back to the router's shell, hit Ctrl 6, then x. Then type:
configure terminal
interface Wlan-GigabitEthernet0
switchport mode trunk
exit

Go back to the AP with the service-module command:
service-module wlan-ap0 session

Add the AP's gateway:
configure terminal
ip default-gateway 10.20.30.1

Configure the radio interface for Vlan1:
interface Dot11Radio0.1 (use .2 for VLAN 2, etc)
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
exit

And the ethernet connection for the AP as well:
interface GigabitEthernet0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
exit

Once you know the AP is working properly, exit config mode and save the configuration to permanent memory:
write memory

Switch back to the router (Ctrl-6, x). To permanently close the AP session you opened, you can issue the command:
service-module wlan-ap0 session clear
or just exit and the suspended connection will terminate.

Save the configuration of the router to memory as well:
write mem

Be advised that the very next thing you'll want to do is configure a firewall. I recommend Cisco Configuration Professional (CCP) to help you get started.
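
Before write memory makes a configuration permanent, it helps to check it for the weak management and wireless settings that come up in this walkthrough and the comments below it: Telnet on the vty lines, plain-HTTP management, TKIP or WEP ciphers, a leftover cisco login, source routing, and an SSID with no key management. The Python check below is an added example, not part of the original post and not a Cisco tool; the rule names, audit() and the constructed SAMPLE input are assumptions made for illustration.

```python
"""Review an IOS paste script or `show run` capture for weak settings seen in
this walkthrough. Added example: rule names, audit() and SAMPLE are illustrative."""
import re

# Commands that enter a sub-mode, so they end any block opened before them.
BLOCK_OPENERS = ("interface ", "dot11 ssid ", "line ", "ip dhcp pool ")

# (rule id, pattern tested against one lower-cased line, why it matters)
LINE_RULES = [
    ("plaintext-secret",
     re.compile(r"^(username \S+ .*\bsecret 0 |wpa-psk ascii 0 )"),
     "type 0 means the password or PSK sits in this text unencrypted"),
    ("default-user", re.compile(r"^username cisco(\s|$)"),
     "the factory 'cisco' login is still defined"),
    ("http-mgmt", re.compile(r"^ip http server$"),
     "web management over plain HTTP; ip http secure-server is the HTTPS one"),
    ("source-route", re.compile(r"^ip source-route$"),
     "IP source routing is enabled"),
    ("telnet-mgmt", re.compile(r"^transport input\b.*\b(telnet|all)\b"),
     "vty lines accept Telnet, which carries logins in cleartext"),
    ("tkip-cipher", re.compile(r"^encryption\b.*\bciphers\b.*\b(tkip|wep\d*)\b"),
     "radio still offers TKIP or WEP; aes-ccm is the cipher WPA2 uses"),
]


def normalise(raw):
    """Trim the line and drop a trailing '(note)' such as the article's
    'no shutdown (it's probably off by default)'."""
    return re.sub(r"\s+\([^()]*\)\s*$", "", raw.strip())


def audit(config_text):
    """Return (rule, line_no, line, why) tuples sorted by line number."""
    findings = []
    ssid = None  # [name, line_no, has_key_management] inside a dot11 ssid block

    def close_ssid():
        nonlocal ssid
        if ssid and not ssid[2]:
            findings.append(("open-ssid", ssid[1], "dot11 ssid " + ssid[0],
                             "SSID has no 'authentication key-management' line"))
        ssid = None

    for line_no, raw in enumerate(config_text.splitlines(), 1):
        line = normalise(raw)
        low = line.lower()
        if not low:
            continue
        if low in ("exit", "end") or low.startswith("!") or low.startswith(BLOCK_OPENERS):
            close_ssid()
        if low.startswith("dot11 ssid "):
            ssid = [line[len("dot11 ssid "):], line_no, False]
            continue
        if ssid and low.startswith("authentication key-management"):
            ssid[2] = True
        if low.startswith("no "):
            # 'no X' removes X, so drop findings raised by an earlier 'X ...' line.
            negated = low[3:]
            findings[:] = [f for f in findings
                           if not (f[2].lower() + " ").startswith(negated + " ")]
            continue
        for rule, pattern, why in LINE_RULES:
            if pattern.search(low):
                findings.append((rule, line_no, line, why))
    close_ssid()
    return sorted(findings, key=lambda f: f[1])


# Constructed input: commands quoted from the article and comments, plus a
# made-up 'guest' SSID and a factory-style 'cisco' user to exercise every rule.
SAMPLE = """\
username cisco privilege 15 secret 0 cisco
username scurvyjake privilege 15 secret 0 password
no username cisco
ip http server
ip http secure-server
ip source-route
line vty 0 4
transport input telnet ssh
exit
interface Dot11Radio0
encryption vlan 1 mode ciphers tkip
no shutdown (it's probably off by default)
exit
dot11 ssid wireless
authentication open
authentication key-management wpa
wpa-psk ascii 0 MyWirelessNetworkPassword
exit
dot11 ssid guest
authentication open
guest-mode
"""

if __name__ == "__main__":
    for rule, line_no, line, why in audit(SAMPLE):
        print(f"line {line_no:>2}  {rule:<16} {line}\n         -> {why}")
```

Run it against a saved copy of show run from both the router and the AP side, since the two keep separate configurations.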

If this helped you get your project going, or saved you from a $200/hour Cisco consultant bill, consider sharing information like this with someone else, or buy me something from my Amazon wishlist or a pizza or something.

21 Mar 2014 Addendum
Last year I took my 881w back to my office so I don't use it at home anymore. I was lamenting the fact that I couldn't use Chromecast with it because Cisco doesn't support UPnP, and I mentioned this on the Chromecast page at Amazon. A very nice user made the following comment that I can't test now, but I leave it here for anyone else that may want to try it:

Nicholas Batchelor says:
If you still need help with getting the Chromecast to work on your Cisco router, you can do this.

Log in to the router
Enter - service-module wlan-ap0 session - to connect to the AP
Log in to the AP
Find the Dot11 interface you need to change. I run multiple SSIDs associated with different VLANs so I needed to enter - interface Dot11Radio0.2 - but this may vary for you
Enter - no ip igmp snooping - and - no bridge-group 2 port-protected - where the number 2 matches your subinterface value.


42 Responses to “Configuring a Cisco 881W”

  1. Cody says:

    I just want to say, i will be trying this out. i just got a 881w off of ebay. ill be using it for fun, and for a home router solution.

    isp(comcast)--->docsis3 modem--->881w~~~>wireless bridge in the computer room--->switch--->pc's

    and isp(comcast)--->docsis3 modem--->881w~~~>wireless laptops, gaming devices etc...

    last night, before i found your article, i was able to console in over serial. usb>serial is a good thing. but cisco needs to upgrade to usb console.

    first thing i did was power on the router and reset it to factory defaults.

    then

    en
    service-module wlan-ap 0 reset default-config
    service-module wlan-ap 0 reset

    after that, to begin testing i connected a current connection to the FE/4 wan port

    and my pc(win7ultx64) to fe/0

    first, no DHCP on the 881w by default. so second i manually set my IP to 10.10.10.4 255.255.255.248
    i am not able to access or ping the router.

    so i do a sh run and it tells me that all the ports are shut
    so i do a no shut on fe/4 and fe/0

    then on fe/4 router#(config-if)ip address dhcp
    i can then see it is assigned an ip address from my network. 192.168.0.xxx

    from here, i still dont have access to the web interface.

    so i have to go to router#(config) and do
    ip http server
    ip http secure-server
    ip http authentication local

    and doing line vty 0 4

    transport input telnet
    transport input telnet ssh

    from this point i am able to access CP from the WAN address using a separate machine on the existing network.
    i can do some basic things in there like set the vlan1 ip and subnet
    turn on dhcp etc.

    the wireless tab lets me set the ap hostname

    so i then change my machine back to DHCP while connected to fe/0 and i get an ip address in the 10.10.10.100 10.10.10.150 range which i set in CP from the other computer.

    so from my machine i am able to hit the web interface from 10.10.10.1

    !now this is where i get messed up!
    i am not able to access the AP web interface as i need to replace the IOS

    so via console i do
    int wlan-ap0
    ip address 10.10.10.20 255.255.255.0
    and here i get a conflict saying it is in the range of vlan1
    so i set it to 10.10.20.1 255.255.255.0

    service-module wlan-ap 0 session

    from there i get
    ap#

    from this i need to TFTP back to my desk and get the new IOS loaded but i cannot ping my desk on ip 10.10.10.100 as it says it is unavailable

    so i do a ctrl^6 x disconnect

    and at router# i can ping 10.10.10.100 successfully

    so that is where i am at.

    also, not as important as i will figure it out once i get gui access to the ap.
    i cannot get to the outside world from my desktop--->switch--->wireless bridge~~~>881w--->modem--->isp
    i assume that is because i do not have NAT setup but i dont know.

    any help would be greatly appreciated.

  2. smandrake says:

    The only thing missing from your article was this - since I have residential cable modem service, my ip is dynamic, so for me I had to set my gateway to dhcp:

    ip route 0.0.0.0 0.0.0.0 dhcp

  3. ryan says:

    I can't begin to explain what infinite amounts of time this article has saved me with initial config and deployment of our new 881w. The only problem remaining is that to get 12.4.10(b)JDA3 from Cisco's download site requires a service contract (ugh). Were you able to find a copy on the vast interwebs somewhere? Infinite thanks again from a fellow browncoat.

  4. Scurvy Jake says:

    Thanks, this is exactly why I wrote it!

  5. Jason Beatty says:

    So excited to have found this, it's exactly what I needed to get me started. The only other thing I was curious about is whether or not it's then easy to configure the 881-w to support ASDM connections and do the rest of the wireless stuff via GUI config. Going to search for that now.

  6. David says:

    What you should be setting for your default route is the interface, that way if the ISP changes the default gateway you aren't screwed:

    ip route 0.0.0.0 0.0.0.0 FastEthernet4

  7. GoodThings2Life says:

    @Jason Beatty ... you can use the Cisco Configuration Professional tool for GUI management. It really makes this process a lot simpler for those of us who like the visual picture of things. :)

    @Scurvy Jake ... thanks for this information. It has been a big help! :)

  8. GoodThings2Life says:

    PS-- do you mind sharing what about the default firmware was problematic for you?

  9. eok says:

    Hello, thanks for the great guide.

    I just want to point out that the Cisco 881W can also be configured as a lightweight AP. Some people might be confused as they cannot configure the AP.

    This would be because the AP is set as a lightweight AP.

    To configure the AP as an autonomous AP:
    service-module wlan-ap 0 bootimage autonomous

    To configure the AP as a lightweight AP:
    service-module wlan-ap 0 bootimage unified

  10. Mate Matt says:

    Yarr, she blows!
    What kind of pizza? Definitely saved me an hour or so :)

  11. John says:

    Thanks Scurvy jake for the help,

    I followed everything and most of it is working. The only thing that isn't working is my connection to the internet.

    When I do an ipconfig /all, my wireless IP on my computer is not in the same subnet as my vlan 1. Is this correct?

    Also, my wireless IP on my computer does not have a default gateway. I am guessing this is part of the problem.

    One more thing I noticed under the fa4 port is that it does not have an ip address. The config looks like this.
    interface fastethernet 4
    ip address dhcp
    ip nat outside

    Should the above config be getting an ip address from dhcp?

    I put it in my vlan 1 domain and it didn't work.

    In review,

    ISP-->modem-->881w-->built in AP-->computer
    (fa4 dhcp) vlan 1 ip not in vlan 1

    Sorry if this is confusing, but any help would be awesome.

    thanks,

    Sean

  12. John says:

    I am thinking it may be the ip route 0.0.0.0 0.0.0.0 dhcp that i am missing because my default gateway might be dynamic like smandrake said.

    Has anyone else seen a similar problem?

    I run a troubleshoot on my windows 7 pc and it says my ip address is wrong for my wireless ip address.

  13. John says:

    Tried this and it didn't work. Anybody out there have any idea what I am doing wrong?

  14. Ixnay says:

    Hi Jake, thank you for the wonderful guide, saved me tons of effort and time... :)

    Btw, just to check if you have any issues with you ccp, I was able to launch it the 1st time but subsequently, I can't... It just gives me a blank page whenever I try to launch it, any idea what's wrong with it?

    Once again, thanks for the guide... I truly appreciate it! :)

  15. nbh says:

    I put a space between the wlan-ap 0 see below
    service-module wlan-ap 0 session
    but I get the invalid ^
    When do service-module wlan-ap 0?
    I get
    "autonomous bootimage boot image"
    so that tells me session is not a valid option

    Up a level, when I go "show run" I see that wlan-ap does not have an IP address.

  16. Kenny Bolt says:

    this is my first wireless cisco and your settings were bang on. got the router side configured then followed your advice for the ap side. Thanks

  17. Assad says:

    hello friends

    i have configured my Cisco router 881 but the wireless is not configured. i tried but it didn't work. anyone help me

    Thanks

  18. Cashboxxer says:

    This was AWESOME. The only problem I have is with the line: dns-server aaa.bbb.ccc.ddd. Is this for a external DNS Server? Like Google 8.8.8.8? I can't seem to get a External IP.

  19. Mike says:

    Hi,
    Can anybody please post the original configuration of the 881w? I'd like to restore mine but did not back it up.

  20. Jeanne says:

    Thank you so much! After trying myself to plug in all the info (using cisco setup commands, resetting the router, using the newest CCP Express 2.6 interface, resetting the router again, etc), it still did not work. We used a static IP for the router and not enabled DHCP. Had to bring in a Cisco Certified Tech who double-checked my settings and could not see where the problem was. When he mentioned "ip nat..." I gave him your solution. The only commands he had to poke in were these (he was surprised they were not automatic too):

    ip nat outside (for the FastEthernet4)
    ip nat inside (for the Vlan1)
    no access-list...
    access-list...
    ip nat inside source list... overload

    I found that in CCP Express, the ROUTING for the NEXT HOP is where my Gateway numbers needed to be entered (needed since we have a static IP from our ISP), and that created the ip route line.

    One additional step was to unplug and re-plug in the cat5 going into our ISP's box. All is working great! Thanks!

  21. Thanks. My bacon was well and truly saved with this guide. I wasn't able to exit the AP ios using CTRL-6 (using a console connection). Quite annoying, but I got back to the router ios with a separate ssh session.

    Also, I couldn't login to the AP until I had given the interface an ip address and I wasn't sure if it should be on the same subnet as the other vlan. I put it on a different subnet and it worked ok.

  22. Ian says:

    Dear Jake: Thank you so much for this blog. I'm having a similar problem to John. I can't connect to the internet wirelessly.
    I hope that someone can help me. I'll try to make it as easy as possible for people to help me. I'll give all the info that I have.

    set up :
    ISP --> Linksys wired cable modem --> Cisco 881W --> PC's wireless NIC

    the Linksys wired modem is only a modem. That's all it does. it's NOT a router as well.

    I followed your commands with few modifications. Below I include my configuration script with comments on what I changed and Why I changed it. I did not upgrade the IOS of the AP. I don't have a Cisco log in. I think this precludes me from getting the firmware and updated versions of IOS. I got the DHCP working for the wired part, full connectivity on wired. that's great. thank you for that part. However, I can't connect to the internet wirelessly. I can associate with the wireless AP. I remember getting an APIPA address on my PCs wireless interface. (169.254.x.x) Which means, the DHCP server on the router side can't talk to my PC wirelessly to give it an IP address. I think there is a piece of this config missing. here is the configurations I did. There are 2 versions the first has comments about what i did and questions I have. the second version is a copy and paste script so you can easily configure your 881w exactly as I have to see what is going on.

    Commented version
    ROUTER SIDE:
    !
    ! this is a way you can comment inside of scripts the "!"
    ! tells ios to ignore this part. Look further down I've
    ! provided a comment free version you can just copy paste
    ! directly to your Cisco 881.
    !
    configure terminal
    username scurvyjake privilege 15 secret 0 password
    hostname ScurvyRouter
    no ip dhcp pool ccp-pool
    ip dhcp pool myDHCPpool
    import all
    network 10.20.30.0 255.255.255.0
    default-router 10.20.30.1
    dns-server aaa.bbb.ccc.ddd eee.fff.ggg.hhh
    lease 1 (for a 1-day DHCP lease timeout)
    exit
    ip dhcp excluded-address 10.20.30.1 10.20.30.99
    ip dhcp excluded-address 10.20.30.201 10.20.30.254
    ip name-server 8.8.8.8
    ip name-server 4.2.2.1
    ip domain name
    interface FastEthernet4
    ip address dhcp
    ip nat outside
    no shutdown
    exit
    interface FastEthernet0
    switchport mode trunk
    exit
    !
    !I'm skeptical about the trunk connecting the Wireless to
    !the Lan.
    !It did not work for me.
    !
    interface Vlan1
    ip address 10.20.30.1 255.255.255.0
    ip nat inside
    exit
    !
    !this is the management ip for your Cisco 881W
    !you can telnet or SSH to this address from your LAN
    ! I don't understand what "ip nat inside" does when it's
    ! on a logical interface instead of a physical one.
    ! I hope someone can explain this. It's easier to
    ! understand with a physical interface.
    ! for example if you put "ip nat inside" on the physical
    ! interface that connects to the switch you are saying that
    ! the devices that connect to the switch are inside the
    ! "NAT domain." I don't know if that's a real term. I hope
    ! it makes sense.
    ! but if you have a virtual interface like vlan1 it's less
    ! obvious to what does VLAN1 connect? in my mind, nothing
    ! because it's virtual/logical. it's this nebulous
    ! interface that is used to manage the switch. That's all I
    ! really understand about it. I wish I had more clarity.
    !
    no access-list 23
    access-list 23 permit 10.20.30.0 0.0.0.255
    ip nat inside source list 23 interface FastEthernet4 overload
    ip route 0.0.0.0 0.0.0.0 dhcp
    !
    ! I changed it to dhcp because if the isp changes your ip
    ! the route will pickup on it and you don't have to
    ! reconfigure your route everytime your public IP address
    ! changes
    ! what is the technical difference between using ip route
    ! 0.0.0.0 0.0.0.0 dhcp and using ip route 0.0.0.0 0.0.0.0
    ! FastEthernet 4? Can I use both? should I use both? why or
    ! why not?
    !

    WIRELESS SIDE
    AP#
    configure terminal
    no username cisco
    username scurvyjake privilege 15 secret 0 password
    hostname ScurvyAP
    interface Dot11Radio0
    encryption vlan 1 mode ciphers aes-ccm
    !
    ! this allows you to use AES encryption instead of TKIP.
    ! AES is more secure.
    ! TKIP = WPA AES = WPA2
    !
    ssid wireless
    !SSID My SSID Name: I changed this because spaces don't
    ! work. When I used My SSID Name, my wireless card reported
    ! there was an "other" network in range. The card reported
    ! this because there were spaces "%20" in the SSID. So to
    ! simplify, I changed it. Elegant is best. The SSID is all
    ! lower case. SSIDs are cAsE sEnSitIvE.
    no shutdown
    station-role root
    exit
    dot11 ssid My SSID Name
    Vlan 1
    authentication open
    authentication key-management wpa
    wpa-psk ascii 0 MyWirelessNetworkPassword
    guest-mode
    exit
    dot11 network-map
    !
    ! go here
    ! http://www.cisco.com/en/US/docs/wireless/access_point/12.3_2_JA/command/reference/cr32main.html#wpmkr2442885
    ! to find out what dot11 network-map does.
    !
    interface BVI1
    ip address 10.20.30.2 255.255.255.0
    exit
    !
    !I skipped configuring Wlan-GigabitEthernet0 as a trunk at
    ! this point. came back to it after finished the AP
    ! configurations.
    !
    ip default-gateway 10.20.30.1
    interface Dot11Radio0.1
    encapsulation dot1Q 1 native
    !
    !Not sure why we need native here. What does that do
    ! exactly?
    !
    no ip route-cache
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 block-unknown-source
    bridge-group 1 spanning-disabled
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    exit
    interface GigabitEthernet0.1
    encapsulation dot1Q 1 native
    !
    !Not sure why we need native here. What does that do
    ! exactly?
    !
    no ip route-cache
    bridge-group 1
    no bridge-group 1 source-learning
    bridge-group 1 spanning-disabled
    exit

    CTRL 6 X

    back in the router

    ScurvyRouter#

    configure terminal
    interface Wlan-GigabitEthernet0
    switchport mode trunk
    exit

    now I expect that I should be able to:
    1. use my laptop's wireless connection to associate with the AP
    2. Connect to the rest of the wired LAN for file sharing.
    3. Be able to connect to the internet wirelessly.

    I'm not able to do this. What is missing? I went searching for answers and I found articles that said you need to bridge the wireless ap and the LAN. How can I do that?
    look here http://whrl.pl/RbZ9GW
    this is the page i'm talking about.
    Do i need a bridge? Do I need a trunk? Why a bridge and not a trunk? Why a trunk and not a bridge?
    can someone explain this?
    I just want to get on the internet wirelessly.
    Thanks for all your time I hope this gets solved.

    Comment free configs:
    ROUTER SIDE:
    select between the lines to copy paste
    __________________________________________________________
    configure terminal
    username scurvyjake privilege 15 secret 0 password
    hostname ScurvyRouter
    no ip dhcp pool ccp-pool
    ip dhcp pool myDHCPpool
    import all
    network 10.20.30.0 255.255.255.0
    default-router 10.20.30.1
    dns-server aaa.bbb.ccc.ddd eee.fff.ggg.hhh
    lease 1 (for a 1-day DHCP lease timeout)
    exit
    ip dhcp excluded-address 10.20.30.1 10.20.30.99
    ip dhcp excluded-address 10.20.30.201 10.20.30.254
    ip name-server 8.8.8.8
    ip name-server 4.2.2.1
    ip domain name
    interface FastEthernet4
    ip address dhcp
    ip nat outside
    no shutdown
    exit
    interface FastEthernet0
    switchport mode trunk
    exit
    interface Vlan1
    ip address 10.20.30.1 255.255.255.0
    ip nat inside
    exit
    no access-list 23
    access-list 23 permit 10.20.30.0 0.0.0.255
    ip nat inside source list 23 interface FastEthernet4 overload
    ip route 0.0.0.0 0.0.0.0 dhcp
    __________________________________________________________

    WIRELESS SIDE
    AP#

    Second Selection
    __________________________________________________________
    configure terminal
    no username cisco
    username scurvyjake privilege 15 secret 0 password
    hostname ScurvyAP
    interface Dot11Radio0
    encryption vlan 1 mode ciphers aes-ccm
    ssid wireless
    no shutdown
    station-role root
    exit
    dot11 ssid My SSID Name
    Vlan 1
    authentication open
    authentication key-management wpa
    wpa-psk ascii 0 MyWirelessNetworkPassword
    guest-mode
    exit
    dot11 network-map
    interface BVI1
    ip address 10.20.30.2 255.255.255.0
    exit
    ip default-gateway 10.20.30.1
    interface Dot11Radio0.1
    encapsulation dot1Q 1 native
    no ip route-cache
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 block-unknown-source
    bridge-group 1 spanning-disabled
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    exit
    interface GigabitEthernet0.1
    encapsulation dot1Q 1 native
    no ip route-cache
    bridge-group 1
    no bridge-group 1 source-learning
    bridge-group 1 spanning-disabled
    exit
    __________________________________________________________
    CTRL 6 X

    back in the router

    ScurvyRouter#

    Third Selection
    __________________________________________________________
    configure terminal
    interface Wlan-GigabitEthernet0
    switchport mode trunk
    exit
    __________________________________________________________

    Thank you so much I hope you can help me or I've helped you.
    Sincerely,
    Ian

  23. Santi says:

    hello, thank you very much for your article. I applied all your recommendations but I have a problem: I cannot access my company's VPN using the WIFI, but when I use the physical ports it works. Can you help me?

  24. ovidiu says:

    5 stars for wireless configuration.

  25. Zippy says:

    has any of you tried to configure the 881W so that the wireless users authenticate against a radius server rather than the local database?

  26. Scurvy Jake says:

    I have not, but if anyone else has I'd also love to hear about how it's done!

  27. Zippy says:

    Here is how to configure cisco 881W to use radius for user authentication. These are the steps you will have to add to Jake's original configuration.

    aaa group server radius test
    server-private 192.168.1.1 auth-port 1645 acct-port 1646 key password
    !
    aaa authentication login eap_test group test
    aaa authorization exec default local
    !
    aaa session-id common
    !
    dot11 ssid 881W_Test
    vlan 4
    authentication open eap eap_test
    authentication key-management wpa optional
    guest-mode
    interface Dot11Radio0
    no ip address
    no ip route-cache
    !
    encryption vlan 4 mode ciphers aes-ccm tkip wep128
    !
    broadcast-key vlan 4 change 30
    !
    !
    ssid 881W_Test
    !
    antenna gain 0
    station-role root
    ip radius source-interface BVI1

    I hope this helps

  28. Scurvy Jake says:

    Aaaand you get nothing from that link if you don't have a Cisco account. YMMV.

  29. Zippy says:

    Takes you 10 min to do what? According to your URL you are adding something to your shopping cart

  30. Suge_KNice says:

    Here's a Cisco page (no CCO account needed) that can help folks having tftp connection issues with code upgrades on the AP side of the Cisco 881-W router (I used this Cisco site before moving to Part 2 of this page):

    http://www.cisco.com/en/US/docs/routers/access/800/860-880-890/software/configuration/guide/wlan.html

  31. Ross says:

    Everybody get their 881W working on internet?
    I should receive mine soon, looks like I am in for some stress when it arrives, hopefully it won't be too bad. Hopefully 2 antennas will get me by. As a price of $136 from ebay was hard to resist. Especially since I was going to buy the 871W for about the same price.
    Disappointing to see a required service contract is needed from Cisco to upgrade it to 12.4
    Guess I should have done my homework more so. Feel free to give any more advice here as all us 881W are looking. Buh bye for now.

  32. Scurvy Jake says:

    Charging for updates is the most frustrating thing about Cisco hardware next to navigating their website. Especially when the firmware it shipped with was flawed, as was the case with mine.

  33. FNK says:

    First of all thank you... I mean a lot.... I am not ordinary networking person, to start with I am a CCIE Security ( a true one, passed on my fifth attempt)... So enough of bragging about me.....
    The problem I was facing was with Cisco Documentation. It's too much segmented/fragmented.. I have all the resources in the world. My CCO account (CCIE priv) gives me everything I want, Images, document, you name it. but it doesn't solve the common problem of a lot of Cisco docs. too much fragmentation. anyways, your doc solved it completely. A-Z... The only problems I had were following:

    The code you mentioned for AP, I had the same code, but it didn't work for me. I didn't have the BRIDGE-GROUP commands on my interfaces... I tried and tried, found nothing.... I upgraded the code AP to 15.1+ and voila it appeared... Also the second bummer was that I was only using Antenna in slot B (middle one), which turned out to be RX only.......I kept wondering, why I am not receiving an IP address from the AP, whereas everything works fine on copper side....the moment i swapped the antenna in slot A (RX/TX) everything worked.

    I used WPA2 and it worked like a charm.

    Time to play now, would be to use certs and radius for authentication..
    Thank you again... your article is wonderful.

  34. umair moughal says:

    Why is browsing possible via HTTPS but not through HTTP???

    I have a Cisco 881 router with an integrated AP. Browsing is easily possible through HTTPS but no browsing can be done via HTTP. What can be the possible causes???? The configuration is

    Router

    version 15.0
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname diablo-office
    !
    boot-start-marker
    boot-end-marker
    !
    logging buffered 51200 warnings
    enable secret 5 *****
    !
    aaa new-model
    !
    !
    aaa authentication login default local
    aaa authentication enable default line enable
    aaa authorization exec default local
    aaa authorization commands 15 default local
    !
    !
    !
    !
    !
    aaa session-id common
    memory-size iomem 10
    !
    ip source-route
    !
    !
    ip dhcp excluded-address 10.0.2.145
    ip dhcp excluded-address 10.0.2.129 10.0.2.130
    ip dhcp excluded-address 10.0.2.153
    !

    ip dhcp pool Office-Pool
    import all
    network 10.0.2.128 255.255.255.240
    default-router 10.0.2.129
    dns-server 4.3.2.2 8.8.8.8
    domain-name diablo.com

    !
    ip dhcp pool Office_Wireless-Pool
    import all
    network 10.0.2.144 255.255.255.248
    default-router 10.0.2.145
    dns-server 4.3.2.2 8.8.8.8
    domain-name restricted
    !
    ip dhcp pool Guest_Wireless-Pool
    import all
    network 10.0.2.152 255.255.255.248
    default-router 10.0.2.153
    dns-server 4.3.2.2 8.8.8.8
    domain-name unknown
    !
    !
    ip cef
    no ip domain lookup
    ip domain name diablo.com
    no ipv6 cef
    !
    !
    license udi pid CISCO881W-GN-A-K9 sn *******
    !
    !
    !
    spanning-tree portfast bpduguard
    username admin secret 5 *******
    !
    !
    ip ssh version 2
    !
    !
    !
    !
    !
    !
    !
    interface FastEthernet0
    spanning-tree portfast
    !
    interface FastEthernet1
    !
    interface FastEthernet2
    !
    interface FastEthernet3
    !
    interface FastEthernet4
    description Office Internet Modem
    ip address dhcp
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto
    !
    interface wlan-ap0
    description Service module interface to manage the embedded AP
    ip unnumbered Vlan1
    arp timeout 0
    !
    interface Wlan-GigabitEthernet0
    description Internal switch interface connecting to the embedded AP
    switchport trunk allowed vlan 1-3,1002-1005
    switchport mode trunk
    !
    interface Vlan1
    description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
    ip address 10.0.2.129 255.255.255.240
    ip nat inside
    ip virtual-reassembly
    ip tcp adjust-mss 1452
    !
    interface Vlan2
    description Wireless office
    ip address 10.0.2.145 255.255.255.248
    ip nat inside
    ip virtual-reassembly
    !
    interface Vlan3
    description Wireless guest
    ip address 10.0.2.153 255.255.255.248
    ip access-group 120 in
    ip nat inside
    ip virtual-reassembly
    !
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    !
    ip nat inside source list 110 interface FastEthernet4 overload
    !
    access-list 10 permit 10.0.2.128 0.0.0.15

    access-list 110 permit ip 10.0.2.0 0.0.0.255 any

    access-list 120 remark Wireless Guest Restriction
    access-list 120 permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps

    access-list 120 deny ip 10.0.2.152 0.0.0.7 10.0.0.0 0.255.255.255
    access-list 120 deny ip 10.0.2.152 0.0.0.7 172.16.0.0 0.15.255.255
    access-list 120 deny ip 10.0.2.152 0.0.0.7 192.168.0.0 0.0.255.255
    access-list 120 permit ip 10.0.2.152 0.0.0.7 any
    no cdp run

    !
    !
    !
    !
    !
    control-plane
    !
    banner exec ^C
    -----------------------------------------------------------------------
    This is a proprietary system only for those who are authorized.
    -----------------------------------------------------------------------
    ^C
    !
    line con 0
    no modem enable
    line aux 0
    line 2
    no activation-character
    no exec
    transport preferred none
    transport input all
    line vty 0 4
    access-class 10 in
    transport input telnet ssh
    !
    scheduler max-task-time 5000
    end

    AP

    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname office-ap
    !
    logging rate-limit console 9
    enable secret 5 *****
    !
    aaa new-model
    !
    !
    aaa authentication login default local
    aaa authentication enable default line enable
    aaa authorization exec default local
    aaa authorization commands 15 default local
    !
    aaa session-id common
    !
    !
    dot11 syslog
    dot11 vlan-name guest vlan 3
    dot11 vlan-name office vlan 2
    !
    dot11 ssid guest
    vlan 3
    authentication open
    authentication key-management wpa
    guest-mode
    wpa-psk ascii 7 *****
    !
    dot11 ssid office
    vlan 2
    authentication open
    authentication key-management wpa
    wpa-psk ascii 7 *****
    !
    !
    !
    username admin secret 5 *****
    !
    !
    bridge irb
    !
    !
    interface Dot11Radio0
    no ip address
    no ip route-cache
    !
    encryption mode ciphers aes-ccm
    !
    encryption vlan 2 mode ciphers aes-ccm
    !
    encryption vlan 3 mode ciphers aes-ccm
    !
    ssid guest
    !
    ssid office
    !
    vocera
    antenna gain 0
    station-role root
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    bridge-group 1 spanning-disabled
    !
    interface Dot11Radio0.2
    encapsulation dot1Q 2
    no ip route-cache
    bridge-group 2
    bridge-group 2 subscriber-loop-control
    bridge-group 2 block-unknown-source
    no bridge-group 2 source-learning
    no bridge-group 2 unicast-flooding
    bridge-group 2 spanning-disabled
    !
    interface Dot11Radio0.3
    encapsulation dot1Q 3
    no ip route-cache
    bridge-group 3
    bridge-group 3 subscriber-loop-control
    bridge-group 3 block-unknown-source
    no bridge-group 3 source-learning
    no bridge-group 3 unicast-flooding
    bridge-group 3 spanning-disabled
    !
    interface GigabitEthernet0
    description the embedded AP GigabitEthernet 0 is an internal interface connecting AP with the host router
    no ip address
    no ip route-cache
    bridge-group 1
    no bridge-group 1 source-learning
    bridge-group 1 spanning-disabled
    !
    interface GigabitEthernet0.2
    encapsulation dot1Q 2
    no ip route-cache
    bridge-group 2
    no bridge-group 2 source-learning
    bridge-group 2 spanning-disabled
    !
    interface GigabitEthernet0.3
    encapsulation dot1Q 3
    no ip route-cache
    bridge-group 3
    no bridge-group 3 source-learning
    bridge-group 3 spanning-disabled
    !
    interface BVI1
    ip address 10.0.1.130 255.255.255.240
    no ip route-cache
    !
    no ip http server
    no ip http secure-server
    bridge 1 route ip
    !
    access-list 10 permit 10.0.2.128 0.0.0.15
    !
    banner exec ^C
    -----------------------------------------------------------------------
    This is a proprietary system only for those who are authorized.
    -----------------------------------------------------------------------
    ^C
    !
    line con 0
    privilege level 15
    no activation-character
    line vty 0 4
    access-class 10 in
    transport input ssh
    !
    cns dhcp
    end

    - See more at: https://supportforums.cisco.com/message/3868055#3868055
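
An added example, not part of the post above and not Cisco tooling: a small Python evaluator for the `access-list 120` lines from the posted router config, using IOS first-match order, wildcard masks and the implicit final deny. It shows that the guest ACL decides on addresses only, so TCP 80 and TCP 443 from a guest client to the same public host get the same verdict; the packet addresses used with it are constructed.

```python
import ipaddress

# ACL 120 lines copied from the router config posted above (remark line omitted).
ACL_120 = """\
access-list 120 permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps
access-list 120 deny ip 10.0.2.152 0.0.0.7 10.0.0.0 0.255.255.255
access-list 120 deny ip 10.0.2.152 0.0.0.7 172.16.0.0 0.15.255.255
access-list 120 deny ip 10.0.2.152 0.0.0.7 192.168.0.0 0.0.255.255
access-list 120 permit ip 10.0.2.152 0.0.0.7 any
"""
PORTS = {"bootpc": 68, "bootps": 67}

def _addr(tok):
    """Consume one address spec plus optional 'eq port'; return (base, wildcard, port)."""
    if tok[0] == "any":
        base, wild, n = 0, 0xFFFFFFFF, 1
    elif tok[0] == "host":
        base, wild, n = int(ipaddress.IPv4Address(tok[1])), 0, 2
    else:
        base, wild, n = int(ipaddress.IPv4Address(tok[0])), int(ipaddress.IPv4Address(tok[1])), 2
    del tok[:n]
    port = None
    if tok and tok[0] == "eq":
        port = PORTS.get(tok[1]) or int(tok[1])
        del tok[:2]
    return base, wild, port

def parse(text):
    rules = []
    for line in text.splitlines():
        tok = line.split()[2:]              # drop "access-list 120"
        action, proto = tok[0], tok[1]
        del tok[:2]
        rules.append((action, proto, _addr(tok), _addr(tok)))  # source, then destination
    return rules

def _hit(spec, ip, port):
    base, wild, want = spec
    # Wildcard bits set to 1 are "don't care": force them on both sides, then compare.
    same_bits = (int(ipaddress.IPv4Address(ip)) | wild) == (base | wild)
    return same_bits and (want is None or want == port)

def evaluate(rules, proto, src, sport, dst, dport):
    """First matching rule wins; IOS ends every ACL with an implicit deny."""
    for action, rproto, s, d in rules:
        if rproto in ("ip", proto) and _hit(s, src, sport) and _hit(d, dst, dport):
            return action
    return "deny"

RULES = parse(ACL_120)
```

In the posted config this ACL is applied inbound on Vlan3 only, so it covers guest wireless clients and not the office VLANs.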

  35. Eric says:

    Thank you for the information. You break it down to the essentials and that was what I was looking for. Thank you.

  36. Robert Franz says:

    You have no idea how many times I've typed "scuvy jake" into my search just to come back to this article.

    My deal is that I'm still getting up to speed on Cisco, and many times I just need my memory jogged on syntax or something.

    The plain English description of what you are doing is what makes this guide much more useful than other similar write-ups.

    Using an existing config and this guide, I've deployed several 881w's in the field where they are the sole link back to HQ, using the onboard AP in lightweight mode and a vpn connection to run our Mitel phone system.

    I'd love to send you some free stuff, if you're a consumer of what we sell. If so, send a snail address to my email and I'll get something out to you.

  37. Scurvy Jake says:

    Thank you so much for the kind words! I'm very glad to have helped!

  38. tmg says:

    Hi, I followed this tutorial on a Cisco 881W-E but the AP keeps rebooting itself every 13 mins.

    Without any config on it it seems fine. So clearly there is a bug of some kind but it's not clear what the solution is.

    Has anyone else had a similar problem? Did you find a solution?

    Pause - wait for open files to finish...
    Trying to shutdown Service Module Wlan-GigabitEthernet0

    Pause - wait for open files to finish...
    Trying to shutdown Service Module Wlan-GigabitEthernet0

    Pause - wait for open files to finish...
    Trying to shutdown Service Module Wlan-GigabitEthernet0

    WirelessAP uptime is 12 minutes
    System returned to ROM by power loss
    System image file is "flash:/ap802-k9w7-mx.124-25d.JAX1/ap802-k9w7-mx.124-25d.JAX1"

    cisco AP802GN-E-K9 (revision A0) with 98304K/32768K bytes of memory.
    Processor board ID FCZ#########
    Last reset from power loss
    1 Gigabit Ethernet interface
    1 802.11 Radio(s)

    WirelessAP#
    Pause - wait for open files to finish...
    Trying to shutdown Service Module Wlan-GigabitEthernet0

    IOS Bootloader - Starting system.
    Reading cookie from flash parameter block...done.
    Base Ethernet MAC address: c0:67:af:0b:b4:58
    Initializing Ethernet interface
    Ethernet Interface initialization OK.
    TFTP initialization is done.

    Boot system image.
    Loading "flash:/ap802-k9w7-mx.124-25d.JAX1/ap802-k9w7-mx.124-25d.JAX1"...#############################################################################################################################################################################################################################################

    File "flash:/ap802-k9w7-mx.124-25d.JAX1/ap802-k9w7-mx.124-25d.JAX1" uncompressed and installed, entry point: 0x18003000
    executing...
    Restricted Rights Legend

    *Sep 18 12:58:59.497: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
    *Sep 18 12:59:52.609: %SYS-5-CONFIG_I: Configured from console by console
    *Sep 18 13:00:12.996: %SYS-5-CONFIG_I: Configured from console by console
    *Sep 18 13:00:14.512: %LINK-3-UPDOWN: Interface wlan-ap0, changed state to up
    *Sep 18 13:00:15.512: %LINEPROTO-5-UPDOWN: Line protocol on Interface wlan-ap0, changed state to up
    *Sep 18 13:10:55.914: %SECONDCORE-5-BOOTSTAGE: ROMMON on 2nd core UP
    *Sep 18 13:10:55.930: %SECONDCORE-5-BOOTSTAGE: AP-BOOTLOADER on 2nd core UP
    *Sep 18 13:11:25.245: %SECONDCORE-5-BOOTSTAGE: AP-IOS on 2nd core UP
    *Sep 18 13:13:31.040: %SYS-5-CONFIG_I: Configured from console by console
    *Sep 18 13:20:40.467: %SYS-5-CONFIG_I: Configured from console by console
    *Sep 18 13:20:42.263: %LINK-3-UPDOWN: Interface FastEthernet4, changed state to up
    *Sep 18 13:20:44.851: %LINK-3-UPDOWN: Interface FastEthernet4, changed state to down
    *Sep 18 13:24:32.837: %SECONDCORE-5-BOOTSTAGE: ROMMON on 2nd core UP
    *Sep 18 13:24:32.853: %SECONDCORE-5-BOOTSTAGE: AP-BOOTLOADER on 2nd core UP
    *Sep 18 13:25:02.121: %SECONDCORE-5-BOOTSTAGE: AP-IOS on 2nd core UP

  39. Sammy Modi says:

    I have a Cisco 881W router with an integrated AP, and it is working fine, no issue.... BUT what I need to know is..

    How do I configure it with two external Aironet 1130AG APs?
    1) I need to connect two more external APs (Cisco Aironet 1130AG, AIR-AP1131AG-A-K9) to the 881W, which I can place one in my basement and one on the 2nd FL in my home..

    What special config do I need on the 881W?
    The current 881W is set as "station-role root".

  40. […] guidance from this site, modified slightly to include WPA 2 with AES encryption to allow for faster wireless N […]

  41. Charlotte says:

    awesome! thank you
