Version: 1.0
CLI template for Cisco 851W/871W standard IOS
August 30, 2006

Basic configuration

| Command | Purpose |
|---|---|
| `service password-encryption` | Enable password encryption |
| `hostname [Router-Name]` | Configure your router's name |
| `enable secret [Some-Password]` | Set the enable secret |
| `enable password [Some-Other-Password]` | Set the enable password |
| `aaa new-model` | Enable the AAA authentication model |
| `aaa authentication login default local` | Set authentication mode |
| `aaa authorization exec default local` | Set authentication mode |
| `aaa session-id common` | Set authentication mode |
| `ip http server` | Enable Web server |
| `ip http secure-server` | Enable secure Web server (this will generate self-signed SSL cert) |
| `line con 0` | Set console password |
| `password [Some-Password]` | Set console password |
| `line vty 0 4` | Set TELNET and SSH password |
| `password [Some-Password]` | Set TELNET and SSH password |
| `ip domain name [Domain-name]` | Set the router's domain name |
| `no ip domain lookup` | Turn off router domain lookup |
| `username [Your-username] privilege 15 password [Your-password]` | Set username and password. Used for Web and CLI access |
DHCP configuration

| Command | Purpose |
|---|---|
| `ip dhcp excluded-address [Start-exclude-1] [End-exclude-1]` | Set the DHCP exclusion range for subnet A |
| `ip dhcp excluded-address [Start-exclude-20] [End-exclude-20]` | Set the DHCP exclusion range for subnet B |
| `service dhcp` | Enables DHCP services |
| `ip dhcp pool Internal-net` | Create Internal-net DHCP scope |
| `network [Network1-ID] [Subnet-mask-1]` | Set IP and Subnet mask for Internal-Net |
| `default-router [Gateway-1]` | Set gateway for Internal-net |
| `import all` | Import DHCP settings for DNS from your ISP (doesn't work for PPPoE) |
| `domain-name [Domain-name]` | Set domain name for DHCP clients |
| `lease 4` | Set lease time to 4 days |
| `ip dhcp pool VLAN20` | Create VLAN20 DHCP scope |
| `network [Network20-ID] [Subnet-mask-20]` | Set IP and Subnet mask for VLAN20 |
| `default-router [Gateway-20]` | Set gateway for VLAN20 |
| `import all` | Import DHCP settings for DNS from your ISP (doesn't work for PPPoE) |
| `domain-name [Domain-name]` | Set domain name for DHCP clients |
| `lease 4` | Set lease time to 4 days |
DSL configuration

| Command | Purpose |
|---|---|
| `vpdn enable` | Enable VPDN for DSL PPPoE configuration |
| `interface Dialer1` | Create interface Dialer1 |
| `ip address negotiated` | Ask ISP for DHCP assigned address and DNS settings |
| `ip nat outside` | Set Dialer1 interface for the outside NAT interface |
| `ip virtual-reassembly` | |
| `encapsulation ppp` | Use ppp encapsulation |
| `ip tcp adjust-mss 1452` | Important! Sets packet fragmentation size for 1492 PPPoE |
| `dialer pool 1` | Create dialer pool 1 |
| `dialer-group 1` | Create dialer group 1 |
| `ppp authentication pap callin` | Use password authentication protocol (clear text) |
| `ppp pap sent-username [DSL-Username] password [DSL-Password]` | User sign-on for DSL accounts |
| `ppp ipcp dns request` | Get DNS server info from DSL provider |
| `ppp ipcp address accept` | |
| `access-list 1 permit [Network1-ID] [Reverse-mask-1]` | Allow VLAN1 inside of Access List 1 (Used for NAT) |
| `access-list 1 permit [Network20-ID] [Reverse-mask-20]` | Allow VLAN20 inside of Access List 1 (Used for NAT) |
| `dialer-list 1 protocol ip list 1` | Assign access-list 1 to dialer-list 1 with IP protocol access |
| `ip nat inside source list 1 interface Dialer1 overload` | Tell all internal NAT IP addresses to map to Dialer1 IP |
| `ip access-list extended Guest-ACL` | Create the Guest-ACL access list. Used to restrict guests. |
| `deny ip any [Network1-ID] [Reverse-mask-1]` | Prevent guests from accessing VLAN1 |
| `permit ip any any` | Let guests access everything else |
| `interface FastEthernet4` | Enter the WAN port configuration |
| `pppoe enable` | Enable PPPoE for DSL dialup |
| `pppoe-client dial-pool-number 1` | Set PPPoE to use Dialer1 |
| `no cdp enable` | Turn off CDP (Cisco Discovery Protocol) on WAN interface |
| `ip route 0.0.0.0 0.0.0.0 Dialer1` | Set the default gateway to point to ISP via Dialer1 |
Switch config

| Command | Purpose |
|---|---|
| `interface FastEthernet0` | Enter port 0 |
| `spanning-tree portfast` | Turn on fast spanning-tree mode |
| `interface FastEthernet1` | Enter port 1 |
| `spanning-tree portfast` | Turn on fast spanning-tree mode |
| `interface FastEthernet2` | Enter port 2 |
| `spanning-tree portfast` | Turn on fast spanning-tree mode |
| `interface FastEthernet3` | Enter port 3 |
| `spanning-tree portfast` | Turn on fast spanning-tree mode |
Basic radio config

| Command | Purpose |
|---|---|
| `bridge irb` | Enable wireless bridge mode (important!) |
| `interface Dot11Radio0` | Enter physical radio interface 0 (this model has only 1 radio) |
| `encryption vlan 1 mode ciphers tkip` | Set vlan 1 to use TKIP encryption |
| `encryption vlan 20 mode ciphers tkip` | Set vlan 20 to use TKIP encryption |
| `ssid [WLAN20]` | Create a virtual WLAN called [WLAN20] |
| `vlan 20` | Assign WLAN to VLAN20 |
| `authentication open` | Use open authentication |
| `authentication key-management wpa` | Use WPA key management |
| `guest-mode` | Turn on SSID broadcast for this WLAN (only 1 allowed) |
| `wpa-psk ascii [WPA-secret-for-guests]` | Set WPA secret for this WLAN |
| `ssid [WLAN1]` | Create a virtual WLAN called [WLAN1] |
| `vlan 1` | Assign WLAN to VLAN1 |
| `authentication open` | Use open authentication |
| `authentication key-management wpa` | Use WPA key management |
| `wpa-psk ascii [WPA-secret-for-internal]` | Set WPA secret for this WLAN |
| `channel [BG-channel]` | Set the 802.11 b/g channel (channel 1 is at 2412 MHz) |
| `no cdp enable` | Turn off CDP (Cisco Discovery Protocol) on wireless side |
| `no dot11 extension aironet` | Turn off Cisco proprietary extensions |
Sub-radio config

| Command | Purpose |
|---|---|
| `interface Dot11Radio0.1` | Create a virtual radio for Internal-net |
| `encapsulation dot1Q 1 native` | Assign 802.1q VLAN tag of 1 to this virtual radio |
| `no snmp trap link-status` | |
| `bridge-group 1` | Bind this virtual radio to bridge 1 |
| `bridge-group 1 subscriber-loop-control` | Set bridge parameters |
| `bridge-group 1 spanning-disabled` | Set bridge parameters |
| `bridge-group 1 block-unknown-source` | Set bridge parameters |
| `no bridge-group 1 source-learning` | Set bridge parameters |
| `no bridge-group 1 unicast-flooding` | Set bridge parameters |
| `interface Dot11Radio0.20` | Create a virtual radio for VLAN20 |
| `description Guest wireless LAN - routed WLAN` | Description saying this is a routed non-bridged interface |
| `encapsulation dot1Q 20` | Assign 802.1q VLAN tag of 20 to this virtual radio |
| `ip address [Gateway-20] [Subnet-mask-20]` | Assign IP address and subnet mask for this bridge interface |
| `ip access-group Guest-ACL in` | Enforce Guest-ACL access list in the in-bound direction |
| `ip nat inside` | Define this as an internal network for NAT |
VLANs

| Command | Purpose |
|---|---|
| `interface Vlan1` | Create VLAN (Virtual Local Area Network) interface 1 |
| `description Internal Network` | Set the description of this VLAN as "Internal Network" |
| `ip nat inside` | Define this as an internal network for NAT |
| `ip virtual-reassembly` | |
| `bridge-group 1` | Assign this VLAN to bridge 1 |
| `bridge-group 1 spanning-disabled` | Turn off spanning |
Bridges

| Command | Purpose |
|---|---|
| `interface BVI1` | Create bridge interface 1 |
| `description Bridge to Internal Network` | Set description to "Bridge to Internal Network" |
| `ip address [Gateway-1] [Subnet-mask-1]` | Assign IP address and subnet mask for this bridge interface |
| `ip nat inside` | Define this as an internal network for NAT |
| `ip virtual-reassembly` | |
| `bridge 1 route ip` | Enable IP routing on Bridge 1 |
Enable interfaces

| Command | Purpose |
|---|---|
| `int f0` | Enter FastEthernet interface 0 configuration |
| `no shut` | Turn on port |
| `int f1` | Enter FastEthernet interface 1 configuration |
| `no shut` | Turn on port |
| `int f2` | Enter FastEthernet interface 2 configuration |
| `no shut` | Turn on port |
| `int f3` | Enter FastEthernet interface 3 configuration |
| `no shut` | Turn on port |
| `int f4` | Enter FastEthernet interface 4 (WAN) configuration |
| `no shut` | Turn on port |
| `int dot0` | Enter radio interface 0 configuration |
| `no shut` | Turn on port |
Firewall config

| Command | Purpose |
|---|---|
| `ip inspect name MYFW tcp` | Inspect outbound TCP for MYFW |
| `ip inspect name MYFW udp` | Inspect outbound UDP for MYFW |
| `ip access-list extended Internet-inbound-ACL` | Create an ACL called "Internet-inbound-ACL" |
| `permit udp any eq bootps any eq bootpc` | Allow DHCP to come in from your ISP so your router can get PPPoE IP |
| `permit icmp any any echo` | Allow ping and trace route to work |
| `permit icmp any any echo-reply` | Allow ping and trace route to work |
| `permit icmp any any traceroute` | Allow ping and trace route to work |
| `permit gre any any` | Allow PPTP clients to work from within the network |
| `permit esp any any` | Allow IPSEC to work |
| `int dialer1` | Go into Dialer 1 interface |
| `ip inspect MYFW out` | Inspect outbound traffic on MYFW |
| `ip access-group Internet-inbound-ACL in` | Restrict inbound traffic to the ACL called "Internet-inbound-ACL" |

Copyright ©2006 CNET Networks, Inc. All rights reserved.


To see more downloads and get your free TechRepublic membership, please visit http://downloads.techrepublic.com.
| Variable name | User defined | Description |
|---|---|---|
| [Router-Name] | SomeRouterName | Name of your router |
| [Domain-name] | YourDomain.com | Your domain name |
| [Some-Password] | xxxxxxxxx | Your password |
| [Some-Other-Password] | xxxxxxxxx | This can be same as secret |
| [Your-username] | xxxxxxxxx | For Web and CLI access |
| [Your-password] | xxxxxxxxx | For Web and CLI access |
| [DSL-Username] | xxxxxxxxx | Your DSL username for PPPoE access |
| [DSL-Password] | xxxxxxxxx | Your DSL password for PPPoE access |
| [Network1-ID] | 192.168.1.0 | Network ID for VLAN1 |
| [Subnet-mask-1] | 255.255.255.0 | Subnet mask for VLAN1 |
| [Reverse-mask-1] | 0.0.0.255 | ACLs use this reverse form of subnet masks |
| [Start-exclude-1] | 192.168.1.1 | DHCP exclude beginning IP |
| [End-exclude-1] | 192.168.1.99 | DHCP exclude ending IP |
| [Gateway-1] | 192.168.1.1 | Default gateway for VLAN1 |
| [Network20-ID] | 192.168.2.0 | Network ID for VLAN20 |
| [Subnet-mask-20] | 255.255.255.0 | Subnet mask for VLAN20 |
| [Reverse-mask-20] | 0.0.0.255 | ACLs use this reverse form of subnet masks |
| [Start-exclude-20] | 192.168.2.1 | DHCP exclude beginning IP |
| [End-exclude-20] | 192.168.2.99 | DHCP exclude ending IP |
| [Gateway-20] | 192.168.2.1 | Default gateway for VLAN20 |
| [BG-Channel] | 1 | 802.11 b/g channel setting (1, 6, or 11) |
| [WLAN1] | InternalWLAN | Name of wireless LAN for VLAN1 |
| [WPA-secret-for-internal] | xxxxxxxxx | WPA passphrase for VLAN1 |
| [WLAN20] | GuestWLAN | Name of wireless LAN for VLAN20 |
| [WPA-secret-for-guests] | YourGuestSecret | WPA passphrase for VLAN20 |
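
An added example, not part of the original sheet: a Python check that validates a filled-in variable table before the `[Name]` placeholders are substituted into the commands. The function names, the case-insensitive placeholder matching (the sheet writes both `[BG-channel]` and `[BG-Channel]`) and the 8 to 63 character WPA passphrase check are choices made for this example; `SHEET` holds a subset of the sheet's sample values.

```python
import ipaddress
import re

PLACEHOLDER = re.compile(r"\[([A-Za-z0-9-]+)\]")
SAMPLE_SECRETS = {"xxxxxxxxx", "YourGuestSecret"}  # sample values printed on the sheet
# The sheet's own sample values (secrets left at their samples on purpose).
SHEET = {
    "Network1-ID": "192.168.1.0", "Subnet-mask-1": "255.255.255.0",
    "Reverse-mask-1": "0.0.0.255", "Gateway-1": "192.168.1.1",
    "Start-exclude-1": "192.168.1.1", "End-exclude-1": "192.168.1.99",
    "Network20-ID": "192.168.2.0", "Subnet-mask-20": "255.255.255.0",
    "Reverse-mask-20": "0.0.0.255", "Gateway-20": "192.168.2.1",
    "Start-exclude-20": "192.168.2.1", "End-exclude-20": "192.168.2.99",
    "BG-Channel": "1", "Some-Password": "xxxxxxxxx",
    "WPA-secret-for-guests": "YourGuestSecret",
}

def wildcard(mask):
    """Reverse (wildcard) mask used by ACLs: bitwise complement of the subnet mask."""
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF))

def check_values(values):
    """Return a list of problems; an empty list means the values are usable."""
    problems = []
    for n in ("1", "20"):
        net = ipaddress.ip_network(f"{values[f'Network{n}-ID']}/{values[f'Subnet-mask-{n}']}")
        for key in (f"Gateway-{n}", f"Start-exclude-{n}", f"End-exclude-{n}"):
            if ipaddress.ip_address(values[key]) not in net:
                problems.append(f"{key} {values[key]} is outside {net}")
        if values[f"Reverse-mask-{n}"] != wildcard(values[f"Subnet-mask-{n}"]):
            problems.append(f"Reverse-mask-{n} is not the complement of Subnet-mask-{n}")
    for key, val in values.items():
        if "password" in key.lower() or "secret" in key.lower():
            if val in SAMPLE_SECRETS:
                problems.append(f"{key} still holds the sheet's sample value")
            elif key.startswith("WPA-") and not 8 <= len(val) <= 63:
                problems.append(f"{key} must be 8 to 63 characters for a WPA passphrase")
    return problems

def render(template, values):
    """Fill [Name] placeholders case-insensitively; refuse unknown names."""
    lookup = {k.lower(): v for k, v in values.items()}
    def fill(match):
        if match.group(1).lower() not in lookup:
            raise KeyError(f"no value for [{match.group(1)}]")
        return lookup[match.group(1).lower()]
    return PLACEHOLDER.sub(fill, template)

if __name__ == "__main__":
    print("\n".join(check_values(SHEET)))
```

Run against the sheet's sample values, `check_values` reports the two secrets that were never changed; `render` raises `KeyError` rather than emitting a command with a leftover `[Name]`.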
