
CLI template for Cisco 851W/871W standard IOS

Command
service password-encryption
hostname [Router-Name]
enable secret [Some-Password]
enable password [Some-Other-Password]
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa session-id common
ip http server
ip http secure-server
line con 0
 password [Some-Password]
line vty 0 4
 password [Some-Password]
ip domain name [Domain-name]
no ip domain lookup
username [Your-username] privilege 15 password [Your-password]
ip dhcp excluded-address [Start-exclude-1] [End-exclude-1]
ip dhcp excluded-address [Start-exclude-20] [End-exclude-20]
service dhcp
ip dhcp pool Internal-net
 network [Network1-ID] [Subnet-mask-1]
 default-router [Gateway-1]
 import all
 domain-name [Domain-name]
 lease 4
ip dhcp pool VLAN20
 network [Network20-ID] [Subnet-mask-20]
 default-router [Gateway-20]
 import all
 domain-name [Domain-name]
 lease 4
access-list 1 permit [Network1-ID] [Reverse-mask-1]
access-list 1 permit [Network20-ID] [Reverse-mask-20]
ip nat inside source list 1 interface FastEthernet4 overload
ip access-list extended Guest-ACL
 deny ip any [Network1-ID] [Reverse-mask-1]
 permit ip any any
interface FastEthernet4
 ip address [WAN-IP] [WAN-SM]

Version: 1.0 August 30, 2006

Purpose
Enable password encryption
Configure your router's name
Set the enable secret
Set the password
Enable aaa authentication model
Set authentication mode
Enable Web server
Enable secure Web server (this will generate self-signed SSL cert)
Set console password
Set TELNET and SSH password
Set the router's domain name
Turn off router domain lookup
Set username and password. Used for Web and CLI access
Set the DHCP exclusion range for subnet A
Set the DHCP exclusion range for subnet B
Enables DHCP services
Create Internal-net DHCP scope
Set IP and Subnet mask for Internal-Net
Set gateway for Internal-net
Import DHCP settings for DNS from your ISP (doesn't work for PPPoE)
Set domain name for DHCP clients
Set lease time to 4 days
Create VLAN20 interface
Set IP and Subnet mask for VLAN20
Set gateway for VLAN20
Import DHCP settings for DNS from your ISP (doesn't work for PPPoE)
Set domain name for DHCP clients
Set lease time to 4 days
Allow VLAN1 inside of Access List 1 (Used for NAT)
Allow VLAN20 inside of Access List 1 (Used for NAT)
Tell all internal NAT IP addresses to map to FastEthernet4 IP
Create the Guest-ACL access list. Used to restrict guests.
Prevent guests from accessing VLAN1
Let guests access everything else
Enter the WAN port configuration
Ask ISP for DHCP assigned address and DNS settings

P config - static

DHCP Server

Basic configuration

ISP con

 ip tcp adjust-mss 1460
 ip nat outside
 no cdp enable
ip route 0.0.0.0 0.0.0.0 [WAN-GW]
interface FastEthernet0
 spanning-tree portfast
interface FastEthernet1
 spanning-tree portfast
interface FastEthernet2
 spanning-tree portfast
interface FastEthernet3
 spanning-tree portfast
bridge irb
interface Dot11Radio0
 encryption vlan 1 mode ciphers tkip
 encryption vlan 20 mode ciphers tkip
 ssid [WLAN20]
  vlan 20
  authentication open
  authentication key-management wpa
  guest-mode
  wpa-psk ascii [WPA-secret-for-guests]
 ssid [WLAN1]
  vlan 1
  authentication open
  authentication key-management wpa
  wpa-psk ascii [WPA-secret-for-internal]
 channel [BG-channel]
 no cdp enable
 no dot11 extension aironet
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 no snmp trap link-status
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
interface Dot11Radio0.20
 description Guest wireless LAN - routed WLAN
 encapsulation dot1Q 20
 ip address [Gateway-20] [Subnet-mask-20]
 ip nat inside
interface Vlan1

Important! Sets packet fragmentation size for 1492 PPPoE
Set FastEthernet4 interface for the outside NAT interface
Turn off CDP (Cisco Discovery Protocol) on WAN interface
Set the default gateway to point to ISP via DHCP
Enter port 0
Turn on fast spanning-tree mode
Enter port 1
Turn on fast spanning-tree mode
Enter port 2
Turn on fast spanning-tree mode
Enter port 3
Turn on fast spanning-tree mode
Enable wireless bridge mode (important!)
Enter physical radio interface 0 (this model has only 1 radio)
Set vlan 1 to use TKIP encryption
Set vlan 20 to use TKIP encryption
Create a virtual WLAN called [WLAN20]
Assign WLAN to VLAN20
Use open authentication
Use WPA key management
Turn on SSID broadcast for this WLAN (only 1 allowed)
Set WPA secret for this WLAN
Create a virtual WLAN called [WLAN1]
Assign WLAN to VLAN1
Use open authentication
Use WPA key management
Set WPA secret for this WLAN
Set to channel 802.11 b/g channel 1 at 2412 MHz
Turn off CDP (Cisco Discovery Protocol) on wireless side
Turn off Cisco proprietary extensions
Create a virtual radio for Internal-net
Assign 802.1q VLAN tag of 1 to this virtual radio
Bind this virtual radio to bridge 1

Sub-radio config

Basic radio config

Switch config

Set bridge parameters

Create a virtual radio for VLAN20
Description saying this is a routed non-bridged interface
Assign 802.1q VLAN tag of 20 to this virtual radio
Assign IP address and subnet mask for this bridge interface
Define this as an internal network for NAT
Create VLAN (Virtual Local Area Network) interface 1

ANs

VLANs

 description Internal Network
 ip nat inside
 ip virtual-reassembly
 bridge-group 1
 bridge-group 1 spanning-disabled
interface BVI1
 description Bridge to Internal Network
 ip address [Gateway-1] [Subnet-mask-1]
 ip nat inside
 ip virtual-reassembly
bridge 1 route ip
int f0
 no shut
int f1
 no shut
int f2
 no shut
int f3
 no shut
int f4
 no shut
int dot0
 no shut
ip inspect name MYFW tcp
ip inspect name MYFW udp
ip access-list extended Internet-inbound-ACL
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any traceroute
 permit gre any any
 permit esp any any
interface FastEthernet4
 ip inspect MYFW out
 ip access-group Internet-inbound-ACL in
interface Dot11Radio0.20
 ip access-group Guest-ACL in
 ip inspect MYFW out

Set the description of this VLAN as "Internal Network"
Define this as an internal network for NAT
Assign this VLAN to bridge 1
Turn off spanning
Create bridge interface 1
Set description to "Bridge to Internal Network"
Assign IP address and subnet mask for this bridge interface
Define this as an internal network for NAT
Enable IP routing on Bridge 1
Enter FastEthernet interface 0 configuration
Turn on port
Enter FastEthernet interface 1 configuration
Turn on port
Enter FastEthernet interface 2 configuration
Turn on port
Enter FastEthernet interface 3 configuration
Turn on port
Enter FastEthernet interface 4 (WAN) configuration
Turn on port
Enter radio interface 0 configuration
Turn on port
Inspect outbound TCP for MYFW
Inspect outbound UDP for MYFW
Create an ACL called "Internet-inbound-ACL"
Allow ping and trace route to work
Allow PPTP clients to work from within the network
Allow IPSEC to work
Go into FastEthernet4 interface
Inspect outbound traffic on MYFW
Restrict inbound traffic to the ACL called "Internet-inbound-ACL"
Create a virtual radio for VLAN20
Enforce Guest-ACL access list in the in-bound direction
Inspect outbound traffic on MYFW

Firewall config

Enable interfaces

Bridges

Copyright 2006 CNET Networks, Inc. All rights reserved. To see more downloads and get your free TechRepublic membership, please visit http://downloads.techrepublic.com.

| Variable name | User defined | Description |
|---|---|---|
| [Router-Name] | Valmansi | Name of your router |
| [Domain-name] | valmansi.com | Your domain name |
| [Some-Password] | pepe123 | Your password |
| [Some-Other-Password] | Qazxcdew3037 | This can be same as secret |
| [Your-username] | admin | For Web and CLI access |
| [Your-password] | Qazxcdew3037 | For Web and CLI access |
| [WAN-IP] | 192.168.1.2 | This is the IP assigned to you by ISP |
| [WAN-SM] | 255.255.255.0 | This is the subnetmask assigned to you by ISP |
| [WAN-GW] | 192.168.1.1 | This is the gateway assigned to you by ISP |
| [Network1-ID] | 192.168.10.0 | Network ID for VLAN1 |
| [Subnet-mask-1] | 255.255.255.0 | Subnet mask for VLAN1 |
| [Reverse-mask-1] | 0.0.0.255 | ACLs use this reverse form of subnet masks |
| [Start-exclude-1] | 192.168.10.1 | DHCP exclude beginning IP |
| [End-exclude-1] | 192.168.10.99 | DHCP exclude ending IP |
| [Gateway-1] | 192.168.10.1 | Default gateway for VLAN1 |
| [Network20-ID] | 192.168.2.0 | Network ID for VLAN20 |
| [Subnet-mask-20] | 255.255.255.0 | Subnet mask for VLAN20 |
| [Reverse-mask-20] | 0.0.0.255 | ACLs use this reverse form of subnet masks |
| [Start-exclude-20] | 192.168.2.1 | DHCP exclude beginning IP |
| [End-exclude-20] | 192.168.2.99 | DHCP exclude ending IP |
| [Gateway-20] | 192.168.2.1 | Default gateway for VLAN20 |
| [BG-Channel] | 1 | 802.11 b/g channel setting (1, 6, or 11) |
| [WLAN1] | valmansi | Name of wireless LAN for VLAN1 |
| [WPA-secret-for-internal] | Qazxcdew3037 | WPA passphrase for VLAN1 |
| [WLAN20] | GuestWLAN | Name of wireless LAN for VLAN20 |
| [WPA-secret-for-guests] | YourGuestSecret | WPA passphrase for VLAN20 |
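
The reverse masks in the variable list above have to be the bitwise inverse of the matching subnet masks, otherwise access-list 1 and the Guest-ACL deny line match the wrong addresses and guests are not kept out of VLAN1. The Python sketch below is an added example, not part of the original sheet: it checks one VLAN's values and fills the placeholders in a constructed excerpt of the template. The function names are hypothetical; the sample values are the VLAN1 entries from the "User defined" column.

```python
import ipaddress
import re

# Constructed excerpt of the template's DHCP/NAT/ACL lines; placeholders as on the page.
TEMPLATE = """\
hostname [Router-Name]
ip dhcp excluded-address [Start-exclude-1] [End-exclude-1]
ip dhcp pool Internal-net
 network [Network1-ID] [Subnet-mask-1]
 default-router [Gateway-1]
access-list 1 permit [Network1-ID] [Reverse-mask-1]
ip access-list extended Guest-ACL
 deny ip any [Network1-ID] [Reverse-mask-1]
 permit ip any any
"""

# VLAN1 values from the page's "User defined" column.
SAMPLE = {
    "Router-Name": "Valmansi", "Network1-ID": "192.168.10.0",
    "Subnet-mask-1": "255.255.255.0", "Reverse-mask-1": "0.0.0.255",
    "Start-exclude-1": "192.168.10.1", "End-exclude-1": "192.168.10.99",
    "Gateway-1": "192.168.10.1",
}

def reverse_mask(subnet_mask):
    """ACL wildcard mask: the bitwise inverse of the subnet mask."""
    bits = int(ipaddress.IPv4Address(subnet_mask))
    return str(ipaddress.IPv4Address(bits ^ 0xFFFFFFFF))

def check_values(values, suffix):
    """Return a list of problems with one VLAN's variables (suffix "1" or "20")."""
    mask = values["Subnet-mask-" + suffix]
    try:  # strict parsing rejects a network ID that has host bits set
        net = ipaddress.IPv4Network(values["Network" + suffix + "-ID"] + "/" + mask)
    except ValueError as err:
        return ["Network%s-ID/Subnet-mask-%s invalid: %s" % (suffix, suffix, err)]
    problems = []
    if values["Reverse-mask-" + suffix] != reverse_mask(mask):
        problems.append("Reverse-mask-%s is not the inverse of Subnet-mask-%s" % (suffix, suffix))
    for name in ("Start-exclude-", "End-exclude-", "Gateway-"):
        if ipaddress.IPv4Address(values[name + suffix]) not in net:
            problems.append("%s%s is outside %s" % (name, suffix, net))
    return problems

def render(template, values):
    """Substitute every [Variable]; a placeholder with no value raises KeyError."""
    return re.sub(r"\[([A-Za-z0-9-]+)\]", lambda m: values[m.group(1)], template)
```

Run `check_values` for both suffixes before `render`, so a subnet mask pasted into a reverse-mask field is caught before the configuration reaches the router.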



Reference Sheet Name: 871W
