Cisco 861W router

I got a little bit tired of my D-Link router requiring the occasional reboot to get the access point working, so I decided to go a bit wild and buy a Cisco business-class router. The one I chose was the 861W. This page is going to describe my various experiences getting the new router up and running.

Unpacking:

First of all, unpacking…. It comes in a big box, and it’s relatively heavy. Big heavy things are the sure indication of a quality product, right? well let’s hope so.

Using Cisco CP Express:

The router comes with a CD-ROM containing installation software. There are several ways to configure the router, ranging from command-line terminal sessions, to something called CP Express, and to something even better than CP Express called simply “CP”. The quick start recommends using CP Express, so I go with that.

It needs a password. Well gee, that’s the one thing Cisco forgot to write down anywhere. Searching the printed documentation that came with the router, I got lucky and found the following in the Cisco Regulatory Compliance and Safety Information Roadmap:

The default username and password is Cisco. They are case sensitive.

Well, they were almost right. It is case sensitive, but it’s “cisco”, not “Cisco”.

Okay, back to business. Now we have CP Express up and running and it’s asking us questions that sound like the usual things a router asks: what IP address do you want to use, how do I connect to the WAN, what DHCP settings to use, etc. This all seems very good. I get it all configured and press the magic <Ok> button at the end. It tells me it’s updating the router configuration and exits. It does not update the configuration. No settings are changed. Try it two or three times more, no difference.

Using Cisco Configuration Professional:

So, I move away from the toy “CP Express” to the much more ominous-sounding “CP”. Who wants the use the “express” version of the software, anyway? We’re professionals here.

Well, CP loads up, displays a progress bar, opens two Windows Explorer windows, opens a third thing off screen, and sits there. I go off to the kitchen and get a bite to eat. It’s still sitting there. I watch some youtube. Still sitting there. Progress bar keeps moving across the screen (who was it who first decided progress bars should move even when the software is stuck, anyway?). It’s obviously not doing anything.

Maybe it has something to do with that window that’s 95% off-screen. I open up the windows task manager and start killing processes until I figure out which one it is. It’s called “IEC2” . I don’t know what it is or what it does, or why it’s 95% off the screen. I can’t move it. I try to get clever and resize the screen but that doesn’t work either. I reboot the laptop again. Still stuck with a progress bar that indicates progress even when no progress is happening.

Took a break…. played some warcraft… did some work….

The next step I setup a virtual machine to run the Cisco CP software in so that I could try to configure it from a controlled environment. On a plain ordinary windows XPSP2 VM, the CP tool also failed. After wasting another hour scouring the Internet, I realized that this thing needs a particular version of Adobe Flash installed. Yes, that’s right:

YOU NEED ADOBE FLASH TO CONFIGURE THE ROUTER

If you don’t have flash installed, does the CP software warn you? No. it just sits there with a blank screen. If that isn’t pure stupidity, I don’t know what is. You also need java, which is slightly more understandable, but also a pain in the butt.

So, now we’ve got the CP software installed, running, and able to detect the router.

The next step, I try to enable the internal access point. It acts like it configures it, but the AP is not visible from any wireless devices. Don’t know what’s going on there.

Next, I try to change the router’s default IP address from 10.10.10.1 to something more sensible. Software warns me that it’ll lose connection if I change the IP address (well, duh!, but thanks for the warning). After changing the IP Address, the software immediately hangs. While it was smart enough to warn me that the connection will drop, it seems that the CP software itself isn’t smart enough to realize this and hangs waiting for a reply from the (now at a different address) router. Eventually after a few minutes it’ll time out.

Unfortunately now it can’t talk to the router. Although the router is at the new IP Address and responding to pings, it doesn’t respond to telnet or web connections. Could it be that I need to write the configuration to flash and restart the router to restart telnet and web on the new IP? I don’t know, and I’m a little bit worried about bricking the router if I write a known bad configuration to flash.

Fixing the access-control list:

Got out the serial cable and a USB-to-serial adapter to try to figure out what the heck was going on with the router that refused to talk to the new IP address.

The answer was fairly simple once I examined the configuration. There’s an access-control-list that specified which IP addresses are allowed to access the telnet and web interfaces. The ACL was not updated when the router’s IP address changed. Therefore we had a router that was configured on one network, but only allowing connections from a different network. The fix was fairly straightforward — from the serial terminal:

config
ip access-list standard 23
permit 192.168.0.0 0.0.0.255
exit
exit


The above is of course for a network 192.168.0.0 with a netmask 255.255.255.0. Note that the second argument to the permit directive is sort of the inverse of the netmask — it’s a mask of clients that you wish to allow.

Once I proved the router was working and talking to everyone I expected it to, the next step was to write the configuration to the startup configuration, so the router would be setup correctly on power loss:

copy running-config startup-config

Getting the access point up and running

Okay, so now let’s have a look at the internal access point.

The AP works like a separate device inside of the same box. It has it’s own IP address. It has it’s own configuration file. If you follow my CLI examples below, make sure that you’re telnet’d into the AP and not into the router.

The access point gave itself an IP address using DHCP. I don’t like dynamic IP addresses for my access points, so for our first step, let’s change it to a static IP. I used the CLI for a quick change (make sure you telnet into the AP, not the router):

config
interface BVI1
ip address 192.168.0.123 255.255.255.0
exit
exit

(of course, the telnet connection drops when we do this, because we just changed the IP address. We’re smart enough to know this, even without Cisco CP to warn us)

Ok, just as an example, we see the internal AP now set to 192.168.0.123. Simple enough, I’m starting to like the CLI way more than the crappy GUI tools.

Now lets play along with the GUI interface to the access point. Surprisingly it doesn’t suck the CPExpress and CP did. We can get to the GUI by using the IP address of the access point (in my example above, 192.168.0.123; probably different in your environment) in our web browser. It’s a much simpler design than CP/CPExpress. It doesn’t have the ridiculous pop-up window, and I’m guessing it doesn’t need Adobe Flash to work.

The AP will ask for a name and password. Even though I set the username and password on the AP, and verified it was set to what I wanted using the CLI, the access point GUI still expected a name and password of “cisco”. I couldn’t find any place in the GUI to change this. So, let’s fix this, again using the CLI on the AP (make sure you telnet into the AP, not the router):

config
ip http authentication local
exit
exit


I kinda figured this out by looking at the router’s configuration file, which had way more stuff in it than the AP’s configuration file. My guess was that since the ap lacked a ‘http authentication’ setting, it was defaulting to cisco/cisco. Telling it ‘ip http authentication local’ configures the http server to use the local username and password for authentication, which I think is what everyone wants.

Ok, back to the AP GUI. Like I said, it doesn’t suck as bad as the other cisco GUIs. In fact, it’s downright usable. You can click on the ‘express security’ link and setup your SSID and WEP or other authentication.

The wireless radio by default is disabled. You’ll want to change that. It can be done in the GUI by clicking network interfaces (notice Radio0-802.11N is ‘disabled’ and ‘down’). Then click Radio0-802.11N. Then select the ‘settings’ tab. Click the ‘enable’ radio button. All the way down at the bottom of the screen is an ‘Apply’ button. Congrats, we’ve just turned the AP on. We can get out our laptop, check the WiFi, and find a new network available.

Now, once all of this is working, it’s time to save it to the startup configuration (make sure you telnet into the AP, not the router):

copy running-config startup-config

Observations on Day 2

Okay, we’ve made some progress and I think I have enough experience to make some conclusions:

1. The Cisco CP and CP Express software are junk and have major usability problems.
2. The Cisco AP web GUI is usable with some minor flaws.
3. The Cisco CLI (command-line interface) is by far better than any of the GUIs.
4. The Cisco CLI is easy to learn, at least for someone with average experience to command-line operating systems (and by ‘average’, I mean I’ve been doing this for 25 years).

I would suggest that anyone who wants to use one of these routers invest some time in learning the CLI. Although I figured out what I needed to do by stumbling around and the occasional google query, it might be handy to pick up a book and read up ahead of time. So far the router feels more configurable and more powerful than the other routers that I’ve used (D-Link, Netgear, Linksys, and DDWRT). It’s going to take some time to learn the full potential of what I can do, and how to do it.

For a very quick intro to the Cisco CLI, I’d recommend this link: http://www.cisco.com/warp/cpropub/45/tutorial.htm. It helped me considerably with some of the simple commands like setting IP addresses, writing the startup configration, etc.

Setting up a DNS proxy

All of my other routers had a DNS proxy built-in. The local computers send DNS requests to the router, which forwards those requests upstream to the ISP’s DNS servers. There’s a variety of flavors of this from simple forwarding to caching to actually running a local DNS server.

Scouring CP and CP Express for this (why did I try the GUI tools again? why?) there’s no explanation for how to set this up on the Cisco router. Some googling reveals some simple CLI commands can be used to setup the DNS proxy:

config
ip name-server 68.87.69.146
ip name-server 68.87.85.98
ip dns server
exit


Note that 68.87.69.146 and 68.87.85.98 are comcast’s DNS servers for my area. You’ll want to substitute the DNS server addresses for your ISP. There should be a way to learn the ISP’s settings from DHCP, but I’m not sure how — if somebody knows, please reply to this post.

Observations at Month 1

It’s now been about a month and the router has performed pretty much flawlessly. I even took some time to experiment with snmp monitoring and wrote up a SNMP monitoring tool for windows.

Related Stuff

• Scott’s Router Monitor. A small taskbar application to monitor Cisco routers. I wrote it because I didn’t much care for the web-based monitoring tool that came with the router. The tool will show you packets in/out, cpu utilization, and memory utilization.
• Cisco Router Cheat Sheet. Snippets of useful IOS stuff.