Configuring a Cisco 881W
Posted in
Morning watch, 8 bells (8:08 am)

For an IT guy in today's economy, you have to make good decisions and keep costs down. Not all of us can afford all the high-end equipment we want, and even if we can we can't afford to pay consultants to keep them running. In the interest of sharing what I've learned to help others in my situation, here is how I connected a Cisco 881W router to a DHCP-fed Internet connection.

First, just a little about the 881W. It's best to think of it as two routers inside one box, with a hidden ethernet cable linking them. The normal router and the wireless router are completely separate—they both have their own IOS (Cisco's operating system) and configuration files.

Also, remember that none of the changes you will make are permanent until you write the config to memory. You can mess the config up seven ways from Sunday and just pull the plug, power up and start all over again from the beginning. In fact, I strongly recommend doing it once or twice. Make all your changes and test to make sure it's working perfectly before you do any writing of the config to memory.

When you're ready to start configuring it, plug it into a switch from the FastEthernet0 (FE/0) port. The router's default address is 10.10.10.1 with a netmask of 255.255.255.248, which gives you a usable range of 10.10.10.1 to 10.10.10.6. I don't remember now if it had DHCP configured from the factory, so if you get an address, you're ready to go, but if not, you can set it manually for now (make sure you use one in the network range!), or you can plug into it via the serial cable if you're lucky enough to have a nearby machine that still has a serial port. I went the serial way and used minicom from my Linux laptop to get started.

If you're on the network with the router, you can telnet to it and open up a session. With minicom, just start it up. The default login is cisco and so is the password. You'll get a welcome screen and it's probably telling you that the login you just used is a one-time-only thing. Don't panic if you screw up, just reboot the router and you can use it again.

The first thing you'll want to do is set up a superuser. At the prompt, type
configure terminal (or just conf t), and then
username scurvyjake privilege 15 secret 0 password
substituting your name and password where appropriate.

Cisco's IOS has a lot of built-in help for you. Hit the ?key to get a list of commands or arguments you can use from the context in which you currently are.

Type exit and then show run (to show the running-config). It's paged like less in Linux, hit space to advance through it.

Pretty much all of the work you need to do is under the configure terminal section, so go ahead and type that back in again.

You can set the system's hostname with, you guessed it, the hostname command:
hostname ScurvyRouter

You may have a DHCP pool in a network that you don't want, so use the no version of the command to get rid of it
no ip dhcp pool ccp-pool (my default pool was called ccp-pool)

Create a DHCP pool for your network. I'm assuming you want to give your router the address 10.20.30.1 and serve out DHCP addresses from 10.20.30.100 to 10.20.30.200:
ip dhcp pool myDHCPpool
import all
network 10.20.30.0 255.255.255.0
default-router 10.20.30.1
dns-server aaa.bbb.ccc.ddd eee.fff.ggg.hhh
lease 1 (for a 1-day DHCP lease timeout)
exit
ip dhcp excluded-address 10.20.30.1 10.20.30.99
ip dhcp excluded-address 10.20.30.201 10.20.30.254

You should set up some name servers for the router itself:
ip name-server aaa.bbb.ccc.ddd
ip name-server eee.fff.ggg.hhh

You can also set your domain name like so:
ip domain name bogomip.net

Configure your WAN port (FastEthernet4) for DHCP:
interface FastEthernet4
ip address dhcp
ip nat outside
exit

Configure your internal interfaces for trunking so you can move VLAN packets around between the wired and wireless networks:
interface FastEthernet0
switchport mode trunk
exit

Configure your VLAN, and set your router's home address on it:
interface Vlan1
ip address 10.20.30.1 255.255.255.0
ip nat inside
exit

You probably have to fix the default access list (mine was 23) to allow access from your new network:
no access-list 23
access-list 23 permit 10.20.30.0 0.0.0.255 (reverse of normal netmasks!)

Now if you don't overload the FE/4 WAN port you'll never get out, so make sure you run this:
ip nat inside source list 23 interface FastEthernet4 overload

And the last thing you'll really need is your gateway. The easiest way to find this is to plug some other device into your incoming Internet connection and see what it hands you as an address and gateway. We don't care what address and netmask it gives you because the router will get those by itself, but you have to configure the gateway by hand. This is not an off-the-shelf router, and it's not intuitive, but you'll never get out without it:
ip route 0.0.0.0 0.0.0.0 www.xxx.yyy.zzz

Part Two, the Wireless Side

To connect to your wireless router, use the following command while you're connected to the main router:
service-module wlan-ap0 session (hit enter a second time if the prompt doesn't come up)

You will be connected to the access point (AP) side now (remember how I said it was like two separate boxes?). Log in with the same 'cisco' username and password you did earlier.

Configure your new username just like before also:
configure terminal
no username cisco
username scurvyjake privilege 15 secret 0 password
hostname ScurvyAP

FIrst off, your router may have a horribly buggy IOS installed on it. Check to make sure you're not running the awful 12.4.21(a)JA1 version:
exit
show version

If you see 12.4.21(a)JA1 you must replace it with an IOS that actually works. To do this, install a TFTP server (I used TFTP32 on a Windows laptop) on the same network as the Cisco router. Download a working version (I used 12.4.10(b)JDA3) from Cisco's site. Good luck finding it, I wish you all the best. If you do it in less than 20 minutes you are either a savant or have previously spent hours perusing Cisco's site.

Put the new IOS in the TFTP server's directory, then run this from the AP's command line (not in configure terminal mode):
archive download-sw /overwrite /reload tftp://10.20.30.xx/name-of-image-you-downloaded
Let it run the update, it will reboot itself.

Now for the fun stuff: the wireless network! I'm assuming you want to use WPA. You're on your own here if you don't.
configure terminal
interface Dot11Radio0
encryption vlan 1 mode ciphers tkip
ssid My SSID Name
no shutdown (it's probably off by default)
station-role root (I'm assuming this is your only wireless device!)
exit

dot11 ssid My SSID Name
Vlan 1
authentication open
authentication key-management wpa
wpa-psk ascii 0 MyWirelessNetworkPassword
guest-mode
exit

dot11 network-map (I don't remember what this does)

Configure the AP's VLAN address:
interface BVI1
ip address 10.20.30.2 255.255.255.0 (this may take a few seconds)
exit

You will now be able to put the router's internal connection to the AP in trunking mode. To switch back to the router's shell, hit Ctrl 6, then x. Then type:
configure terminal
interface Wlan-GigabitEthernet0
switchport mode trunk
exit

Go back to the AP with the service-module command:
service-module wlan-ap0 session

Add the AP's gateway:
configure terminal
ip default-gateway 10.20.30.1

Configure the radio interface for Vlan1
interface Dot11Radio0.1 (use .2 for VLAN 2, etc)
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
exit

And the ethernet connection for the AP as well:
interface GigabitEthernet0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
exit

Once you know the AP is working properly, exit config mode and save the configuration to permanent memory:
write memory

Switch back to the router (Ctrl-6, x). To permanently close the AP session you opened, you can issue the command:
service-module wlan-ap0 session clear or just exit and the suspended connection will terminate.

Save the configuration of the router to memory as well:
write mem.

Be advised that the very next thing you'll want to do is configure a firewall. I recommend Cisco Configuration Professional (CCP) to help you get started.

If this helped you get your project going, or saved you from a $200/hour Cisco consultant bill, consider sharing information like this with someone else, or buy me something from my Amazon wishlist or a pizza or something.

21 Mar 2014 Addendum
Last year I took my 881w back to my office so I don't use it at home anymore. I was lamenting the fact that I couldn't use Chromecast with it because Cisco doesn't support UPnP, and I mentioned this on the Chromecast page at Amazon. A very nice user made the following comment that I can't test now, but I leave it here for anyone else that may want to try it:

Nicholas Batchelor says:
If you still need help with getting the Chromecast to work on your Cisco router but you can do this.

Login in to the router
Enter - service-module wlan-ap0 session - to connect to the AP
Login to the AP
Find the Dot11 interface you need to change. I run multiple SSIDs associated with different VLANs so I needed to enter - interface Dot11Radio0.2 - but this may vary for you
Enter - no ip igmp snooping - and - no bridge-group 2 port-protected - where the number 2 matches your subinterface value.

51 Comments »

51 Responses to “Configuring a Cisco 881W”

  1. Sas says:

    finally figured it out.... i had vmware virtual networking dhsp server running on the laptop i was using to configure the 881w... so instead of getting ip from 881w the ethernet adapter was getting it's ip from the vmware dhcp server

    😐

    so much time wasted...

    oh well... it's all a learning experience.

Leave a Reply