
| Command | Purpose |
|---|---|
| service password-encryption | Enable password encryption |
| hostname [Router-Name] | Configure your router's name |
| enable secret [Some-Password] | Set the enable secret |
| enable password [Some-Other-Password] | Set the password |
| aaa new-model | Enable aaa authentication model |
| aaa authentication login default local | Set authentication mode |
| aaa authorization exec default local | |
| aaa session-id common | |
| ip http server | Enable Web server |
| ip http secure-server | Enable secure Web server (this will generate self-signed SSL cert) |
| line con 0 | |
| password [Some-Password] | Set console password |
| line vty 0 4 | |
| password [Some-Password] | Set TELNET and SSH password |
| ip domain name [Domain-name] | Set the router's domain name |
| no ip domain lookup | Turn off router domain lookup |
| username [Your-username] privilege 15 password [Your-password] | Set username and password. Used for Web and CLI access |
| ip dhcp excluded-address [Start-exclude-10] [End-exclude-10] | Set the DHCP exclusion range for subnet A |
| ip dhcp excluded-address [Start-exclude-20] [End-exclude-20] | Set the DHCP exclusion range for subnet B |
| service dhcp | Enables DHCP services |
| ip dhcp pool VLAN10 | Create VLAN10 interface |
| network [Network10-ID] [Subnet-mask-10] | Set IP and Subnet mask for VLAN10 |
| default-router [Gateway-10] | Set gateway for VLAN10 |
| import all | Import DHCP settings for DNS from your ISP (doesn't work for PPPoE) |
| domain-name [Domain-name] | Set domain name for DHCP clients |
| lease 4 | Set lease time to 4 days |
| ip dhcp pool VLAN20 | Create VLAN20 interface |
| network [Network20-ID] [Subnet-mask-20] | Set IP and Subnet mask for VLAN20 |
| default-router [Gateway-20] | Set gateway for VLAN20 |
| import all | Import DHCP settings for DNS from your ISP (doesn't work for PPPoE) |
| domain-name [Domain-name] | Set domain name for DHCP clients |
| lease 4 | Set lease time to 4 days |
| vpdn enable | Enable VPDN for DSL PPPoE configuration |
| interface Dialer1 | Create interface Dialer1 |
| ip address negotiated | Ask ISP for DHCP assigned address and DNS settings |
| ip nat outside | Set Dialer1 interface for the outside NAT interface |
| ip virtual-reassembly | |
| encapsulation ppp | Use ppp encapsulation |
| ip tcp adjust-mss 1452 | Important! Sets packet fragmentation size for 1492 PPPoE |
| dialer pool 1 | Create dialer pool 1 |
| dialer-group 1 | Create dialer group 1 |
| ppp authentication pap callin | Use password authentication protocol (clear text) |
| ppp pap sent-username [DSL-Username] password [DSL-Password] | |
| ppp ipcp dns request | Get DNS server info from DSL provider |
| ppp ipcp address accept | |
| access-list 1 permit [Network10-ID] [Reverse-mask-10] | Allow VLAN10 inside of Access List 1 |
| access-list 1 permit [Network20-ID] [Reverse-mask-20] | Allow VLAN20 inside of Access List 1 |
| dialer-list 1 protocol ip list 1 | Assign access-list 1 to dialer-list 1 with IP protocol access |
| ip nat inside source list 1 interface Dialer1 overload | Tell all internal NAT IP addresses to map to Dialer1 IP |
| ip access-list extended Guest-ACL | Create the Guest-ACL access list. Used to restrict guests. |
| deny ip any [Network10-ID] [Reverse-mask-10] | Prevent guests from accessing VLAN10 |
| permit ip any any | Let guests access everything else |
| interface FastEthernet4 | Enter the WAN port configuration |
| pppoe enable | Enable PPPoE for DSL dialup |
| pppoe-client dial-pool-number 1 | Set PPPoE to use Dialer1 |
| no cdp enable | Turn off CDP (Cisco Discovery Protocol) on WAN interface |
| ip route 0.0.0.0 0.0.0.0 Dialer1 | Set the default gateway to point to ISP via Dialer1 |
| interface FastEthernet0 | Enter port 0 |
| switchport access vlan 20 | Set port to vlan 10 |
| spanning-tree portfast | Turn on fast spanning-tree mode |
| interface FastEthernet1 | Enter port 1 |
| switchport access vlan 10 | Set port to vlan 10 |
| spanning-tree portfast | Turn on fast spanning-tree mode |
| interface FastEthernet2 | Enter port 2 |
| switchport access vlan 10 | Set port to vlan 10 |
| spanning-tree portfast | Turn on fast spanning-tree mode |
| interface FastEthernet3 | Enter port 3 |
| switchport access vlan 10 | Set port to vlan 10 |
| spanning-tree portfast | Turn on fast spanning-tree mode |
| bridge irb | Enable wireless bridge mode (important!) |
| interface Dot11Radio0 | Enter physical radio interface 0 (this model has only 1 radio) |
| encryption vlan 10 mode ciphers tkip | Set vlan 10 to use TKIP encryption |
| encryption vlan 20 mode ciphers tkip | Set vlan 20 to use TKIP encryption |
| ssid [WLAN20] | Create a virtual WLAN called [WLAN20] |
| vlan 20 | Assign WLAN to VLAN20 |
| authentication open | Use open authentication |
| authentication key-management wpa | Use WPA key management |
| guest-mode | Turn on SSID broadcast for this WLAN (only 1 allowed) |
| wpa-psk ascii [WPA-secret-for-guests] | Set WPA secret for this WLAN |
| ssid [WLAN10] | Create a virtual WLAN called [WLAN10] |
| vlan 10 | Assign WLAN to VLAN10 |
| authentication open | Use open authentication |
| authentication key-management wpa | Use WPA key management |
| wpa-psk ascii [WPA-secret-for-internal] | Set WPA secret for this WLAN |
| channel [BG-channel] | Set to channel 802.11 b/g channel 1 at 2412 MHz |
| no cdp enable | Turn off CDP (Cisco Discovery Protocol) on wireless side |
| no dot11 extension aironet | Turn off Cisco proprietary extensions |
| interface Dot11Radio0.10 | Create a virtual radio for VLAN10 |
| encapsulation dot1Q 10 | Assign 802.1q VLAN tag of 10 to this virtual radio |
| no snmp trap link-status | |
| bridge-group 10 | Bind this virtual radio to bridge 10 |
| bridge-group 10 subscriber-loop-control | Set bridge parameters |
| bridge-group 10 spanning-disabled | |
| bridge-group 10 block-unknown-source | |
| no bridge-group 10 source-learning | |
| no bridge-group 10 unicast-flooding | |
| interface Dot11Radio0.20 | Create a virtual radio for VLAN20 |
| encapsulation dot1Q 20 | Assign 802.1q VLAN tag of 20 to this virtual radio |
| no snmp trap link-status | |
| bridge-group 20 | Bind this virtual radio to bridge 20 |
| bridge-group 20 subscriber-loop-control | Set bridge parameters |
| bridge-group 20 spanning-disabled | |
| bridge-group 20 block-unknown-source | |
| no bridge-group 20 source-learning | |
| no bridge-group 20 unicast-flooding | |
| interface Vlan10 | Create VLAN (Virtual Local Area Network) interface 10 |
| description Internal Network | Set the description of this VLAN as "Internal Network" |
| ip nat inside | Define this as an internal network for NAT |
| ip virtual-reassembly | |
| bridge-group 10 | Assign this VLAN to bridge 10 |
| bridge-group 10 spanning-disabled | Turn off spanning |
| interface Vlan20 | Create VLAN (Virtual Local Area Network) interface 20 |
| description Guest Network | Set the description of this VLAN as "Guest Network" |
| ip nat inside | Define this as an internal network for NAT |
| ip virtual-reassembly | |
| bridge-group 20 | Assign this VLAN to bridge 20 |
| bridge-group 20 spanning-disabled | Turn off spanning |
| interface BVI20 | Create bridge interface 20 |
| description Bridge to Guest Network | Set description to "Bridge to Guest Network" |
| ip address [Gateway-20] [Subnet-mask-20] | Assign IP address and subnet mask for this bridge interface |
| ip access-group Guest-ACL in | Enforce Guest-ACL access list in the in-bound direction |
| ip nat inside | Define this as an internal network for NAT |
| ip virtual-reassembly | |
| interface BVI10 | Create bridge interface 10 |
| description Bridge to Internal Network | Set description to "Bridge to Internal Network" |
| ip address [Gateway-10] [Subnet-mask-10] | Assign IP address and subnet mask for this bridge interface |
| ip nat inside | Define this as an internal network for NAT |
| ip virtual-reassembly | |
| bridge 10 route ip | Enable IP routing on Bridge 10 |
| bridge 20 route ip | Enable IP routing on Bridge 20 |

| Variable name | User defined | Description |
|---|---|---|
| [Router-Name] | Cisco-BH | Name of your router |
| [Domain-name] | atp-exodus.com | Your domain name |
| [Some-Password] | ParolaDeLaOradea | Your password |
| [Some-Other-Password] | ParolaDeLaOradea | This can be same as secret |
| [Your-username] | admin | For Web and CLI access |
| [Your-password] | ParolaDeLaOradea | For Web and CLI access |
| [Resolver1] | 192.168.2.2 | You must enter a valid DNS server |
| [Resolver2] | 8.8.8.8 | Optional second DNS server (may leave blank) |
| [DSL-Username] | YourDSLUsername | Your DSL username for PPPoE access |
| [DSL-Password] | YourDSLPassword | Your DSL password for PPPoE access |
| [Network10-ID] | 192.168.21.0 | Network ID for VLAN10 |
| [Subnet-mask-10] | 255.255.255.0 | Subnet mask for VLAN10 |
| [Reverse-mask-10] | 0.0.0.255 | ACLs use this reverse form of subnet masks |
| [Start-exclude-10] | 192.168.21.50 | DHCP exclude beginning IP |
| [End-exclude-10] | 192.168.21.150 | DHCP exclude ending IP |
| [Gateway-10] | 192.168.21.1 | Default gateway for VLAN10 |
| [Network20-ID] | 10.10.21.1 | Network ID for VLAN20 |
| [Subnet-mask-20] | 255.255.255.0 | Subnet mask for VLAN20 |
| [Reverse-mask-20] | 0.0.0.255 | ACLs use this reverse form of subnet masks |
| [Start-exclude-20] | 10.10.21.2 | DHCP exclude beginning IP |
| [End-exclude-20] | 10.10.21.10 | DHCP exclude ending IP |
| [Gateway-20] | 10.10.21.1 | Default gateway for VLAN20 |
| [BG-Channel] | 1 | 802.11 b/g channel setting (1, 6, or 11) |
| [WLAN10] | Atp-Bh | Name of wireless LAN for VLAN10 |
| [WPA-secret-for-internal] | Atpexodus01 | WPA passphrase for VLAN10 |
| [WLAN20] | Atp-admin | Name of wireless LAN for VLAN20 |
| [WPA-secret-for-guests] | ParolaDeLaOradea | WPA passphrase for VLAN20 |

Copyright 2006 CNET Networks, Inc. All rights reserved. To see more downloads and get your free TechRepublic membership, please visit http://downloads.techrepublic.com.

Replace

Reference Sheet Name: 871W

| Command | Purpose |
|---|---|
| service password-encryption | Enable password encryption |
| hostname Cisco-BH | Configure your router's name |
| enable secret ParolaDeLaOradea | Set the enable secret |
| enable password ParolaDeLaOradea | Set the password |
| aaa new-model | Enable aaa authentication model |
| aaa authentication login default local | Set authentication mode |
| aaa authorization exec default local | |
| aaa session-id common | |
| ip http server | Enable Web server |
| ip http secure-server | Enable secure Web server (this will generate self-signed SSL cert) |
| line con 0 | |
| password ParolaDeLaOradea | Set console password |
| line vty 0 4 | |
| password ParolaDeLaOradea | Set TELNET and SSH password |
| ip domain name atp-exodus.com | Set the router's domain name |
| no ip domain lookup | Turn off router domain lookup |
| username admin privilege 15 password ParolaDeLaOradea | Set username and password. Used for Web and CLI access |
| ip dhcp excluded-address 192.168.21.50 192.168.21.150 | Set the DHCP exclusion range for subnet A |
| ip dhcp excluded-address 10.10.21.2 10.10.21.10 | Set the DHCP exclusion range for subnet B |
| service dhcp | Enables DHCP services |
| ip dhcp pool VLAN10 | Create VLAN10 interface |
| network 192.168.21.0 255.255.255.0 | Set IP and Subnet mask for VLAN10 |
| default-router 192.168.21.1 | Set gateway for VLAN10 |
| import all | Import DHCP settings for DNS from your ISP (doesn't work for PPPoE) |
| domain-name atp-exodus.com | Set domain name for DHCP clients |
| lease 4 | Set lease time to 4 days |
| ip dhcp pool VLAN20 | Create VLAN20 interface |
| network 10.10.21.1 255.255.255.0 | Set IP and Subnet mask for VLAN20 |
| default-router 10.10.21.1 | Set gateway for VLAN20 |
| import all | Import DHCP settings for DNS from your ISP (doesn't work for PPPoE) |
| domain-name atp-exodus.com | Set domain name for DHCP clients |
| lease 4 | Set lease time to 4 days |
| vpdn enable | Enable VPDN for DSL PPPoE configuration |
| interface Dialer1 | Create interface Dialer1 |
| ip address negotiated | Ask ISP for DHCP assigned address and DNS settings |
| ip nat outside | Set Dialer1 interface for the outside NAT interface |
| ip virtual-reassembly | |
| encapsulation ppp | Use ppp encapsulation |
| ip tcp adjust-mss 1452 | Important! Sets packet fragmentation size for 1492 PPPoE |
| dialer pool 1 | Create dialer pool 1 |
| dialer-group 1 | Create dialer group 1 |
| ppp authentication pap callin | Use password authentication protocol (clear text) |
| ppp pap sent-username YourDSLUsername password YourDSLPassword | |
| ppp ipcp dns request | Get DNS server info from DSL provider |
| ppp ipcp address accept | |
| access-list 1 permit 192.168.21.0 0.0.0.255 | Allow VLAN10 inside of Access List 1 |
| access-list 1 permit 10.10.21.1 0.0.0.255 | Allow VLAN20 inside of Access List 1 |
| dialer-list 1 protocol ip list 1 | Assign access-list 1 to dialer-list 1 with IP protocol access |
| ip nat inside source list 1 interface Dialer1 overload | Tell all internal NAT IP addresses to map to Dialer1 IP |
| ip access-list extended Guest-ACL | Create the Guest-ACL access list. Used to restrict guests. |
| deny ip any 192.168.21.0 0.0.0.255 | Prevent guests from accessing VLAN10 |
| permit ip any any | Let guests access everything else |
| interface FastEthernet4 | Enter the WAN port configuration |
| pppoe enable | Enable PPPoE for DSL dialup |
| pppoe-client dial-pool-number 1 | Set PPPoE to use Dialer1 |
| no cdp enable | Turn off CDP (Cisco Discovery Protocol) on WAN interface |
| ip route 0.0.0.0 0.0.0.0 Dialer1 | Set the default gateway to point to ISP via Dialer1 |
| interface FastEthernet0 | Enter port 0 |
| switchport access vlan 20 | Set port to vlan 10 |
| spanning-tree portfast | Turn on fast spanning-tree mode |
| interface FastEthernet1 | Enter port 1 |
| switchport access vlan 10 | Set port to vlan 10 |
| spanning-tree portfast | Turn on fast spanning-tree mode |
| interface FastEthernet2 | Enter port 2 |
| switchport access vlan 10 | Set port to vlan 10 |
| spanning-tree portfast | Turn on fast spanning-tree mode |
| interface FastEthernet3 | Enter port 3 |
| switchport access vlan 10 | Set port to vlan 10 |
| spanning-tree portfast | Turn on fast spanning-tree mode |
| bridge irb | Enable wireless bridge mode (important!) |
| interface Dot11Radio0 | Enter physical radio interface 0 (this model has only 1 radio) |
| encryption vlan 10 mode ciphers tkip | Set vlan 10 to use TKIP encryption |
| encryption vlan 20 mode ciphers tkip | Set vlan 20 to use TKIP encryption |
| ssid Atp-admin | Create a virtual WLAN called Atp-admin |
| vlan 20 | Assign WLAN to VLAN20 |
| authentication open | Use open authentication |
| authentication key-management wpa | Use WPA key management |
| guest-mode | Turn on SSID broadcast for this WLAN (only 1 allowed) |
| wpa-psk ascii ParolaDeLaOradea | Set WPA secret for this WLAN |
| ssid Atp-Bh | Create a virtual WLAN called Atp-Bh |
| vlan 10 | Assign WLAN to VLAN10 |
| authentication open | Use open authentication |
| authentication key-management wpa | Use WPA key management |
| wpa-psk ascii Atpexodus01 | Set WPA secret for this WLAN |
| channel 1 | Set to channel 802.11 b/g channel 1 at 2412 MHz |
| no cdp enable | Turn off CDP (Cisco Discovery Protocol) on wireless side |
| no dot11 extension aironet | Turn off Cisco proprietary extensions |
| interface Dot11Radio0.10 | Create a virtual radio for VLAN10 |
| encapsulation dot1Q 10 | Assign 802.1q VLAN tag of 10 to this virtual radio |
| no snmp trap link-status | |
| bridge-group 10 | Bind this virtual radio to bridge 10 |
| bridge-group 10 subscriber-loop-control | Set bridge parameters |
| bridge-group 10 spanning-disabled | |
| bridge-group 10 block-unknown-source | |
| no bridge-group 10 source-learning | |
| no bridge-group 10 unicast-flooding | |
| interface Dot11Radio0.20 | Create a virtual radio for VLAN20 |
| encapsulation dot1Q 20 | Assign 802.1q VLAN tag of 20 to this virtual radio |
| no snmp trap link-status | |
| bridge-group 20 | Bind this virtual radio to bridge 20 |
| bridge-group 20 subscriber-loop-control | Set bridge parameters |
| bridge-group 20 spanning-disabled | |
| bridge-group 20 block-unknown-source | |
| no bridge-group 20 source-learning | |
| no bridge-group 20 unicast-flooding | |
| interface Vlan10 | Create VLAN (Virtual Local Area Network) interface 10 |
| description Internal Network | Set the description of this VLAN as "Internal Network" |
| ip nat inside | Define this as an internal network for NAT |
| ip virtual-reassembly | |
| bridge-group 10 | Assign this VLAN to bridge 10 |
| bridge-group 10 spanning-disabled | Turn off spanning |
| interface Vlan20 | Create VLAN (Virtual Local Area Network) interface 20 |
| description Guest Network | Set the description of this VLAN as "Guest Network" |
| ip nat inside | Define this as an internal network for NAT |
| ip virtual-reassembly | |
| bridge-group 20 | Assign this VLAN to bridge 20 |
| bridge-group 20 spanning-disabled | Turn off spanning |
| interface BVI20 | Create bridge interface 20 |
| description Bridge to Guest Network | Set description to "Bridge to Guest Network" |
| ip address 10.10.21.1 255.255.255.0 | Assign IP address and subnet mask for this bridge interface |
| ip access-group Guest-ACL in | Enforce Guest-ACL access list in the in-bound direction |
| ip nat inside | Define this as an internal network for NAT |
| ip virtual-reassembly | |
| interface BVI10 | Create bridge interface 10 |
| description Bridge to Internal Network | Set description to "Bridge to Internal Network" |
| ip address 192.168.21.1 255.255.255.0 | Assign IP address and subnet mask for this bridge interface |
| ip nat inside | Define this as an internal network for NAT |
| ip virtual-reassembly | |
| bridge 10 route ip | Enable IP routing on Bridge 10 |
| bridge 20 route ip | Enable IP routing on Bridge 20 |
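
The filled-in sheet above uses the same value for the enable secret, the console and VTY passwords, the admin user and the guest WPA passphrase, and its Purpose column itself marks PAP as clear text and the VTY line as serving TELNET. The following pre-deployment check is an added example, not part of the original reference sheet: it flags those settings in a generated command list, assuming one command per line with sub-mode commands indented; the function name, finding ids and sample values are hypothetical.

```python
import re
# Constructed sample in the layout of the filled-in sheet (one command per line,
# sub-mode commands indented); every secret here is a made-up placeholder.
SAMPLE_CONFIG = """\
enable secret Example-Admin-Pw
enable password Example-Admin-Pw
ip http server
line vty 0 4
 password Example-Admin-Pw
username admin privilege 15 password Example-Admin-Pw
interface Dialer1
 ppp authentication pap callin
interface Dot11Radio0
 encryption vlan 10 mode ciphers tkip
 ssid Guest-WLAN
  wpa-psk ascii Example-Admin-Pw
 ssid Internal-WLAN
  wpa-psk ascii Example-Internal-Psk
"""

# (regex for the whole stripped line, finding id, reason)
LINE_RULES = [
    (r"enable password .+", "enable-password", "weaker than 'enable secret'; remove it"),
    (r"username \S+ .*\bpassword .+", "user-password", "use 'username ... secret' instead"),
    (r"ip http server", "http-plain", "management UI reachable over unencrypted HTTP"),
    (r"ppp authentication pap\b.*", "pap", "PAP sends the password in clear text"),
    (r"encryption .*ciphers tkip", "tkip", "TKIP is deprecated; prefer AES-CCMP"),
]
# Only plaintext values are compared; type 7 or hashed forms are skipped.
ADMIN_SECRET = re.compile(r"(?:enable (?:secret|password)|password|username \S+ .*password) (\S+)$")
WIFI_PSK = re.compile(r"wpa-psk ascii (\S+)$")

def audit(config):
    """Return sorted (line_no, finding_id, reason) tuples for weak settings."""
    found, admin, psk, vty, ssh_only = [], set(), {}, None, False
    for no, raw in enumerate(config.splitlines() + ["end"], 1):
        line = raw.strip()
        if not raw.startswith(" "):  # top-level command closes any open sub-mode
            if vty and not ssh_only:
                found.append((vty, "vty-telnet", "no 'transport input ssh' under line vty"))
            vty, ssh_only = (no if line.startswith("line vty") else None), False
        elif vty and line == "transport input ssh":
            ssh_only = True
        found += [(no, fid, why) for pat, fid, why in LINE_RULES if re.fullmatch(pat, line)]
        if m := ADMIN_SECRET.match(line):
            admin.add(m.group(1))
        if m := WIFI_PSK.match(line):
            psk[no] = m.group(1)
    return sorted(found + [(no, "psk-reuse", "Wi-Fi passphrase equals an admin password")
                           for no, value in psk.items() if value in admin])
```

Run `audit()` on the command list before pasting it into the router; once `service password-encryption` has rewritten the passwords in the running configuration, the reuse check no longer has plaintext to compare.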