
CLI template for Cisco 851W/871W standard IOS
Version: 1.0
August 30, 2006

Basic configuration

| Command | Purpose |
|---|---|
| service password-encryption | Enable password encryption |
| hostname [Router-Name] | Configure your router's name |
| enable secret [Some-Password] | Set the enable secret |
| enable password [Some-Other-Password] | Set the password |
| aaa new-model | Enable aaa authentication model |
| aaa authentication login default local | Set authentication mode |
| aaa authorization exec default local | |
| aaa session-id common | |
| ip http server | Enable Web server |
| ip http secure-server | Enable secure Web server (this will generate self-signed SSL cert) |
| line con 0 | Set console password |
| password [Some-Password] | |
| line vty 0 4 | Set TELNET and SSH password |
| password [Some-Password] | |
| ip domain name [Domain-name] | Set the router's domain name |
| no ip domain lookup | Turn off router domain lookup |
| username [Your-username] privilege 15 password [Your-password] | Set username and password. Used for Web and CLI access |

DHCP configuration

| Command | Purpose |
|---|---|
| ip dhcp excluded-address [Start-exclude-1] [End-exclude-1] | Set the DHCP exclusion range for subnet A |
| ip dhcp excluded-address [Start-exclude-20] [End-exclude-20] | Set the DHCP exclusion range for subnet B |
| service dhcp | Enables DHCP services |
| ip dhcp pool Internal-net | Create Internal-net DHCP scope |
| network [Network1-ID] [Subnet-mask-1] | Set IP and Subnet mask for Internal-Net |
| default-router [Gateway-1] | Set gateway for Internal-net |
| import all | Import DHCP settings for DNS from your ISP (doesn't work for PPPoE) |
| domain-name [Domain-name] | Set domain name for DHCP clients |
| lease 4 | Set lease time to 4 days |
| ip dhcp pool VLAN20 | Create VLAN20 interface |
| network [Network20-ID] [Subnet-mask-20] | Set IP and Subnet mask for VLAN20 |
| default-router [Gateway-20] | Set gateway for VLAN20 |
| import all | Import DHCP settings for DNS from your ISP (doesn't work for PPPoE) |
| domain-name [Domain-name] | Set domain name for DHCP clients |
| lease 4 | Set lease time to 4 days |

DSL configuration

| Command | Purpose |
|---|---|
| vpdn enable | Enable VPDN for DSL PPPoE configuration |
| interface Dialer1 | Create interface Dialer1 |
| ip address negotiated | Ask ISP for DHCP assigned address and DNS settings |
| ip nat outside | Set Dialer1 interface for the outside NAT interface |

DSL configuration (continued)

| Command | Purpose |
|---|---|
| ip virtual-reassembly | |
| encapsulation ppp | Use ppp encapsulation |
| ip tcp adjust-mss 1452 | Important! Sets packet fragmentation size for 1492 PPPoE |
| dialer pool 1 | Create dialer pool 1 |
| dialer-group 1 | Create dialer group 1 |
| ppp authentication pap callin | Use password authentication protocol (clear text) |
| ppp pap sent-username [DSL-Username] password [DSL-Password] | User sign-on for DSL accounts |
| ppp ipcp dns request | Get DNS server info from DSL provider |
| ppp ipcp address accept | |
| access-list 1 permit [Network1-ID] [Reverse-mask-1] | Allow VLAN1 inside of Access List 1 (Used for NAT) |
| access-list 1 permit [Network20-ID] [Reverse-mask-20] | Allow VLAN20 inside of Access List 1 (Used for NAT) |
| dialer-list 1 protocol ip list 1 | Assign access-list 1 to dialer-list 1 with IP protocol access |
| ip nat inside source list 1 interface Dialer1 overload | Tell all internal NAT IP addresses to map to Dialer1 IP |
| ip access-list extended Guest-ACL | Create the Guest-ACL access list. Used to restrict guests. |
| deny ip any [Network1-ID] [Reverse-mask-1] | Prevent guests from accessing VLAN1 |
| permit ip any any | Let guests access everything else |
| interface FastEthernet4 | Enter the WAN port configuration |
| pppoe enable | Enable PPPoE for DSL dialup |
| pppoe-client dial-pool-number 1 | Set PPPoE to use Dialer1 |
| no cdp enable | Turn off CDP (Cisco Discovery Protocol) on WAN interface |
| ip route 0.0.0.0 0.0.0.0 Dialer1 | Set the default gateway to point to ISP via Dialer1 |

Switch config

| Command | Purpose |
|---|---|
| interface FastEthernet0 | Enter port 0 |
| spanning-tree portfast | Turn on fast spanning-tree mode |
| interface FastEthernet1 | Enter port 1 |
| spanning-tree portfast | Turn on fast spanning-tree mode |
| interface FastEthernet2 | Enter port 2 |
| spanning-tree portfast | Turn on fast spanning-tree mode |
| interface FastEthernet3 | Enter port 3 |
| spanning-tree portfast | Turn on fast spanning-tree mode |

Basic radio config

| Command | Purpose |
|---|---|
| bridge irb | Enable wireless bridge mode (important!) |
| interface Dot11Radio0 | Enter physical radio interface 0 (this model has only 1 radio) |
| encryption vlan 1 mode ciphers tkip | Set vlan 1 to use TKIP encryption |
| encryption vlan 20 mode ciphers tkip | Set vlan 20 to use TKIP encryption |
| ssid [WLAN20] | Create a virtual WLAN called [WLAN20] |
| vlan 20 | Assign WLAN to VLAN20 |
| authentication open | Use open authentication |
| authentication key-management wpa | Use WPA key management |
| guest-mode | Turn on SSID broadcast for this WLAN (only 1 allowed) |
| wpa-psk ascii [WPA-secret-for-guests] | Set WPA secret for this WLAN |
| ssid [WLAN1] | Create a virtual WLAN called [WLAN1] |
| vlan 1 | Assign WLAN to VLAN1 |
| authentication open | Use open authentication |
| authentication key-management wpa | Use WPA key management |
| wpa-psk ascii [WPA-secret-for-internal] | Set WPA secret for this WLAN |
| channel [BG-channel] | Set to channel 802.11 b/g channel 1 at 2412 MHz |
| no cdp enable | Turn off CDP (Cisco Discovery Protocol) on wireless side |
| no dot11 extension aironet | Turn off Cisco proprietary extensions |

Sub-radio config

| Command | Purpose |
|---|---|
| interface Dot11Radio0.1 | Create a virtual radio for Internal-net |
| encapsulation dot1Q 1 native | Assign 802.1q VLAN tag of 1 to this virtual radio |
| no snmp trap link-status | |
| bridge-group 1 | Bind this virtual radio to bridge 1 |
| bridge-group 1 subscriber-loop-control | Set bridge parameters |
| bridge-group 1 spanning-disabled | |
| bridge-group 1 block-unknown-source | |
| no bridge-group 1 source-learning | |
| no bridge-group 1 unicast-flooding | |
| interface Dot11Radio0.20 | Create a virtual radio for VLAN20 |
| description Guest wireless LAN, routed WLAN | Description saying this is a routed non-bridged interface |
| encapsulation dot1Q 20 | Assign 802.1q VLAN tag of 20 to this virtual radio |
| ip address [Gateway-20] [Subnet-mask-20] | Assign IP address and subnet mask for this bridge interface |
| ip access-group Guest-ACL in | Enforce Guest-ACL access list in the in-bound direction |
| ip nat inside | Define this as an internal network for NAT |

VLANs

| Command | Purpose |
|---|---|
| interface Vlan1 | Create VLAN (Virtual Local Area Network) interface 1 |
| description Internal Network | Set the description of this VLAN as "Internal Network" |
| ip nat inside | Define this as an internal network for NAT |
| ip virtual-reassembly | |
| bridge-group 1 | Assign this VLAN to bridge 1 |
| bridge-group 1 spanning-disabled | Turn off spanning |

Bridges

| Command | Purpose |
|---|---|
| interface BVI1 | Create bridge interface 1 |
| description Bridge to Internal Network | Set description to "Bridge to Internal Network" |
| ip address [Gateway-1] [Subnet-mask-1] | Assign IP address and subnet mask for this bridge interface |
| ip nat inside | Define this as an internal network for NAT |
| ip virtual-reassembly | |
| bridge 1 route ip | Enable IP routing on Bridge 1 |

Enable interfaces

| Command | Purpose |
|---|---|
| int f0 | Enter FastEthernet interface 0 configuration |
| no shut | Turn on port |
| int f1 | Enter FastEthernet interface 1 configuration |
| no shut | Turn on port |
| int f2 | Enter FastEthernet interface 2 configuration |
| no shut | Turn on port |
| int f3 | Enter FastEthernet interface 3 configuration |
| no shut | Turn on port |
| int f4 | Enter FastEthernet interface 4 (WAN) configuration |
| no shut | Turn on port |
| int dot0 | Enter radio interface 0 configuration |
| no shut | Turn on port |

Firewall config

| Command | Purpose |
|---|---|
| ip inspect name MYFW tcp | Inspect outbound TCP for MYFW |
| ip inspect name MYFW udp | Inspect outbound UDP for MYFW |
| ip access-list extended Internet-inbound-ACL | Create an ACL called "Internet-inbound-ACL" |
| permit udp any eq bootps any eq bootpc | Allow DHCP to come in from your ISP so your router can get PPPoE IP |
| permit icmp any any echo | Allow ping and trace route to work |
| permit icmp any any echo-reply | |
| permit icmp any any traceroute | |
| permit gre any any | Allow PPTP clients to work from within the network |
| permit esp any any | Allow IPSEC to work |
| int dialer1 | Go into Dialer 1 interface |
| ip inspect MYFW out | Inspect outbound traffic on MYFW |
| ip access-group Internet-inbound-ACL in | Restrict inbound traffic to the ACL called "Internet-inbound-ACL" |

Copyright ©2006 CNET Networks, Inc. All rights reserved. To see more downloads and get your free TechRepublic membership, please visit http://downloads.techrepublic.com.

| Variable name | User defined | Description |
|---|---|---|
| [Router-Name] | SomeRouterName | Name of your router |
| [Domain-name] | YourDomain.com | Your domain name |
| [Some-Password] | xxxxxxxxx | Your password |
| [Some-Other-Password] | xxxxxxxxx | This can be same as secret |
| [Your-username] | xxxxxxxxx | For Web and CLI access |
| [Your-password] | xxxxxxxxx | For Web and CLI access |
| [DSL-Username] | xxxxxxxxx | Your DSL username for PPPoE access |
| [DSL-Password] | xxxxxxxxx | Your DSL password for PPPoE access |
| [Network1-ID] | 192.168.1.0 | Network ID for VLAN1 |
| [Subnet-mask-1] | 255.255.255.0 | Subnet mask for VLAN1 |
| [Reverse-mask-1] | 0.0.0.255 | ACLs use this reverse form of subnet masks |
| [Start-exclude-1] | 192.168.1.1 | DHCP exclude beginning IP |
| [End-exclude-1] | 192.168.1.99 | DHCP exclude ending IP |
| [Gateway-1] | 192.168.1.1 | Default gateway for VLAN1 |
| [Network20-ID] | 192.168.2.0 | Network ID for VLAN20 |
| [Subnet-mask-20] | 255.255.255.0 | Subnet mask for VLAN20 |
| [Reverse-mask-20] | 0.0.0.255 | ACLs use this reverse form of subnet masks |
| [Start-exclude-20] | 192.168.2.1 | DHCP exclude beginning IP |
| [End-exclude-20] | 192.168.2.99 | DHCP exclude ending IP |
| [Gateway-20] | 192.168.2.1 | Default gateway for VLAN20 |
| [BG-Channel] | 1 | 802.11 b/g channel setting (1, 6, or 11) |
| [WLAN1] | InternalWLAN | Name of wireless LAN for VLAN1 |
| [WPA-secret-for-internal] | xxxxxxxxx | WPA passphrase for VLAN1 |
| [WLAN20] | GuestWLAN | Name of wireless LAN for VLAN20 |
| [WPA-secret-for-guests] | YourGuestSecret | WPA passphrase for VLAN20 |

Replace Reference Sheet Name: 871W .
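
An added example, not part of the original template: a small Python audit that flags the settings in this template a reviewer would question when hardening it (`enable password`, `ip http server`, the `password` form of the privilege 15 account, TKIP, PAP, and a vty block with no `transport input ssh`). The sample input is constructed from the template's own lines; the rule ids and the indentation of sub-commands (as `show running-config` prints them) are assumptions of this example.

```python
import re

# Constructed sample: template lines with placeholders kept; sub-commands indented (assumed).
SAMPLE_CONFIG = """\
service password-encryption
enable secret [Some-Password]
enable password [Some-Other-Password]
ip http server
ip http secure-server
line vty 0 4
 password [Some-Password]
username [Your-username] privilege 15 password [Your-password]
interface Dot11Radio0
 encryption vlan 1 mode ciphers tkip
interface Dialer1
 ppp authentication pap callin
"""

# (rule id, pattern, reviewer note). Rule ids are labels invented for this example.
RULES = [
    ("enable-password", r"^enable password\b",
     "cleartext or reversible type 7; 'enable secret' is set and takes precedence"),
    ("user-password", r"^username \S+ (privilege \d+ )?password\b",
     "privileged account stored as 'password' instead of a hashed 'secret'"),
    ("http-server", r"^ip http server$", "cleartext HTTP management next to HTTPS"),
    ("tkip", r"\bciphers tkip\b", "TKIP is deprecated; AES-CCMP is the stronger cipher"),
    ("pap", r"^ppp authentication pap\b", "PAP sends the DSL login in clear text"),
]

def audit(config_text):
    """Return sorted (line number, rule id, note) tuples for the weak settings found."""
    findings, vty_start, vty_ssh_only = [], None, False
    def close_vty():
        # A vty block without 'transport input ssh' does not rule Telnet out.
        if vty_start is not None and not vty_ssh_only:
            findings.append((vty_start, "vty-transport", "no 'transport input ssh' on vty"))
    for number, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not raw.startswith(" "):          # an unindented line starts a new block
            close_vty()
            vty_start = number if line.startswith("line vty") else None
            vty_ssh_only = False
        elif vty_start is not None and line.split() == ["transport", "input", "ssh"]:
            vty_ssh_only = True
        findings += [(number, rid, note) for rid, pat, note in RULES if re.search(pat, line)]
    close_vty()
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample it reports six findings; a variant that keeps only `enable secret`, `ip http secure-server`, `transport input ssh` on the vty lines and `username ... secret` reports none for those rules.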