Cisco 871 Simple Config



Introduction

I've used IPCop for ages. It rocks, but it runs on a PC and so takes up space, uses a fair whack of power, and needs a separate LAN hub and wireless AP.

I use Cisco hardware at work, and I had the chance to use an 871W. I use Virgin Media, so I have one DHCP-issued IP address, and I wanted a simple config with a LAN with DHCP and a WPA-PSK wireless LAN, basically what a cheap Netgear-type item will do.

Actually working this all out took a while, so I'm posting the config here for others to use. Feel free to pick holes in it and make suggestions (see the bottom of the page) if you like.

[edit 5/12/2011] I've fixed the dynamic DNS so it actually works, and added NTP client and server.

I'm assuming that you can attach a console cable, and get logged in with full privilege, and know how to drive the IOS command line.

This config will give you a 192.168.1.x LAN with the router at 192.168.1.1. The router will do DNS caching, and assign addresses on the LAN and WLAN with DHCP. SSH remote access is enabled; to disable it, use 'transport input none' on line vty 0 4.

Note that this isn't doing any packet inspection or QoS; these are available, but I'll be adding those later. It does, however, provide basic NAT and access-control security.

The Config

Anything [in square brackets] is something you need to supply.



version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname [your hostname]
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 10 log
security passwords min-length 6
logging message-counter syslog
logging buffered 4096
logging console critical
enable secret [enable secret]
enable password [enable password]
!
aaa new-model
!
!
aaa authentication login local_auth local
!
!
aaa session-id common
!
!
dot11 syslog
!
dot11 ssid [wireless network name]
   authentication open 
   authentication key-management wpa
   guest-mode
   wpa-psk ascii [wpa network key]
!
!
no ip source-route
no ip gratuitous-arps
!
!
ip dhcp excluded-address [start of exclusion] [end of exclusion]

!
ip dhcp pool pool1
   import all
   network 192.168.1.0 255.255.255.0
   domain-name [your domain name]
   dns-server 192.168.1.1 
   default-router 192.168.1.1 
!
!
ip cef
no ip bootp server
ip domain name [your domain name]
!
no ipv6 cef
multilink bundle-name authenticated
!
!
!
username [username] password [password]
! 
!
!

!
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 1
!
bridge irb
!
!
interface FastEthernet0
 spanning-tree portfast
!
interface FastEthernet1
 spanning-tree portfast
!
interface FastEthernet2
 spanning-tree portfast
!
interface FastEthernet3
 spanning-tree portfast
!
interface FastEthernet4
 ip address dhcp
 ip verify unicast source reachable-via rx allow-default 100
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 speed auto
 full-duplex
 
!
interface Dot11Radio0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 !
 encryption mode ciphers tkip 
 !
 ssid [wireless network name]
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 bridge-group 1
!
interface Dialer0
 no ip address
 no cdp enable
!
interface BVI1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet4
no ip http server
no ip http secure-server
!
!
ip dns server
ip nat inside source list 101 interface FastEthernet4 overload
!
!
logging trap debugging
logging facility local2
access-list 100 permit udp any any eq bootpc
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
no cdp run

!
!
!
!
!
!
control-plane
!
bridge 1 protocol dec
bridge 1 route ip
banner motd ^C Unauthorised access prohibited ^C
!
line con 0
 login authentication local_auth
 no modem enable
 transport output telnet
line aux 0
 login authentication local_auth
 transport output telnet
line vty 0 3
 password [ssh access password]
 transport input ssh
!
scheduler max-task-time 5000
end
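As an added example (not part of the original page, and not a Cisco tool), here is a small Python checker that parses an IOS-style config into blocks and verifies the properties the config above relies on: no SSH version 1, vty lines restricted to SSH (or no remote access), and the NAT overload rule naming the single 'ip nat outside' interface with an access-list that actually permits the 192.168.1.0 LAN. SAMPLE is a constructed excerpt of the config above with its placeholders kept.

```python
import re

# Constructed excerpt of the config above (placeholders kept), used as sample input.
SAMPLE = """\
ip ssh version 1
interface FastEthernet4
 ip address dhcp
 ip nat outside
interface BVI1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
ip nat inside source list 101 interface FastEthernet4 overload
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
line vty 0 3
 password [ssh access password]
 transport input ssh
"""

def parse_ios(text):
    """Map each top-level config line to the list of indented lines beneath it."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue                      # skip blanks and IOS section separators
        if raw[0] == " " and current is not None:
            blocks[current].append(line)  # sub-command of the current interface/line block
        else:
            current = line
            blocks[current] = []
    return blocks

def audit(text):
    """Return findings for the properties the config relies on; [] means all pass."""
    blocks, findings = parse_ios(text), []
    if "ip ssh version 1" in blocks:      # SSHv1 is the legacy, weak protocol version
        findings.append("ssh: version 1 configured; use 'ip ssh version 2'")
    for hdr in blocks:                    # vty lines must accept SSH only, or nothing
        if hdr.startswith("line vty") and not {"transport input ssh", "transport input none"} & set(blocks[hdr]):
            findings.append(f"{hdr}: transport input is not ssh or none")
    # NAT: the overload rule must name the single 'ip nat outside' interface, and its
    # ACL must actually permit the 192.168.1.0 LAN that the text says gets translated.
    outside = [h.split()[1] for h, b in blocks.items() if h.startswith("interface") and "ip nat outside" in b]
    nat = [m for m in (re.match(r"ip nat inside source list (\S+) interface (\S+) overload", h) for h in blocks) if m]
    if len(outside) != 1 or not nat or nat[0].group(2) != outside[0]:
        findings.append("nat: overload rule and 'ip nat outside' interface do not match")
    elif not any(h.startswith(f"access-list {nat[0].group(1)} permit ip 192.168.1.0") for h in blocks):
        findings.append(f"nat: access-list {nat[0].group(1)} does not permit the 192.168.1.0 LAN")
    return findings
```

Run audit() over the text of a 'show running-config'; on the sample it reports only the SSH version 1 finding, and an empty list means the checked properties hold.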


Enhancements

To add internal hosts and have them resolved by the router:

ip host [hostname] [ip address]

To use no-ip.com for dynamic DNS:

ip ddns update method no-ip
 HTTP
  add http://[no-ip username]:[no-ip password]%40dynupdate.no-ip.com/nic/update%3Fhostname=[no-ip hostname]
   interval maximum 0 2 0 0
   interval minimum 0 1 0 0
!
interface fastethernet4
  ip ddns update hostname [no-ip hostname]
  ip ddns update no-ip

To use an NTP server and offer NTP to your LAN:

ntp master 4
ntp server pool.ntp.org

Copyright Chris Bartram (stymaster[at]piglet-net.net) 2009. If you find this information useful, or wish to comment, please let me know.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 2.5 License.