HREAP VLAN ID Changes

Hello,
I have noticed on a few different occasions that the VLAN ID under VLAN mappings on our APs is changing for some reason when an AP loses connectivity to its primary controller and then reassociates. For instance, at one particular site we have several APs that have their native VLAN set to 97. Then under the VLAN mappings on the AP we have a VLAN 20 ID for our production wireless and a VLAN 998 ID for our guest wireless. When any of these APs loses connectivity to the controller and then reassociates, the VLAN ID for guest changes to 99, but VLAN ID 20 does not change. 99 is the VLAN identifier for our controller management interface. All of these APs are running in HREAP local switching mode. Any insight on why the VLAN ID changes would be appreciated.
Thanks!

There are a couple of major differences between the primary and secondary controllers. First, the management VLAN identifier on the management interface is a different number on each of the controllers. The primary controller is 99 whereas the secondary is 97. Second, the primary controller guest WLAN is using HREAP local switching. The secondary controller guest WLAN is using local mode.

Similar Messages

  • Hreap vlan mapping issues

    wlc 5508 code 7.0.220.0
    AIR-CAP3502E-N-K9
    ap mode: hreap
    vlan mapping native 30
    vlan ssid  x 310.
    each time that, for whatever reason, my access point goes down (not that my access point resets by itself; if I have to move it), the setting in the VLAN mapping resets to whatever my native VLAN is, in this case 30,
    that is native vlan 30
    ssid x vlan 30
    any idea?

    it could be
    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtw92394&from=summary
    but it is marked Unreproducible. You might try upgrading to the latest 7.2 code if you don't have 'legacy' APs.
    HTH,
    Steve
    Please remember to rate useful posts, and mark questions as answered

  • HREAP VLAN Mapping

    Hi,
    I've searched around to see if someone else has experienced the same issue regarding HREAP APs losing their VLAN mappings; however, I could not find any related topics.
    Scenario
    I've got a 5508 WLC running ver 7.0 with local VLANs assigned as follows:
    VLAN 241 - Data Users
    VLAN 253 - Voice Users
    The HREAP APs (Cisco 1242AG) running at the remote branches are mapped to the following:
    VLAN 2 - Data Users
    VLAN 253 - Voice
    The Problem...
    HREAP works perfectly; users get the local DHCP addresses at the branch office and have no issues with connectivity. Once in a while some of the HREAP APs will lose the VLAN mapping I've assigned to them. In this case I've mapped VLAN 2 to the SSID for the Data Users; I will get complaints that users can't connect to the network, and when I go to check the HREAP AP's VLAN mapping it has defaulted back to VLAN 241 (the same VLAN the local APs at head office use for the same SSID). Of course with the Voice SSID I don't have this problem, as it's using the same VLAN ID as head office.
    Once I've corrected the mapping everything works perfectly.
    Why...
    I just want to know why this happens. I've rebooted the APs to see if they retain the mappings, and they did. I've seen in the HREAP design/deployment guide that it is preferred to use the same VLAN IDs at the branch offices where the HREAP APs are located as at the head office where the WLC is located.
    I can see why, as this will resolve my problem; however, this network was designed without the knowledge of HREAP being deployed to the remote sites, and I would like to minimize change from a LAN perspective.
    Will my only solution be standardizing the branch office VLAN IDs to be the same as the head office network, or should I be able to use different VLAN IDs for the branch offices?
    Thanks for your time reading this and for your input. If you know of any discussion regarding this, please add the URL.
    Regards
    Jurgens

    Hi,
    I'm having the same problem, and I have two WLCs (WiSM) with version 7.0.220.
    I think it is because of this bug: http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtw92394&from=summary
    Does anyone know how I can solve this problem?
    I have 42 HREAP APs, and when I have some link problem at the remote branch and the AP loses connectivity to the first controller for a few seconds, it loses the VLAN mappings (all turned to the native VLAN).

  • FlexConnect VLAN assignment changes by itself

    About a year ago I changed the VLAN assignment of a WLAN for LWAPs in a particular AP Group. The LWAPs in this group are in 5 different locations. All LWAPs are joined to the same controller. Occasionally I'll get a call saying this WLAN isn't working, and when I investigate the issue, I notice that the VLAN assignment has changed. I change the VLAN assignment and the WLAN works again. This seems to happen about every 3 months or so. What's odd is that it doesn't happen to all of the LWAPs in the AP Group. It seems to only affect the LWAPs at one site or the other at a time. Any clues on what could be causing this behavior?
    1142LAPs
    software version 7.3.101.0
    5508WLC
    software version 7.3.101.0
    Cisco Prime Infrastructure
    software version 1.2 (1.2.0.103)

    We can create a command line to set the WLAN-to-VLAN mapping, or we can create a script that also uses the CLI and simply paste the commands to all APs. We can check the AP connectivity statistics by looking at the monitor AP.
    For FlexConnect access points, the interface mapping at the controller for WLANs configured for FlexConnect local switching is inherited at the access point as the default VLAN tagging. This can be easily changed per SSID and per FlexConnect access point. Non-FlexConnect access points tunnel all traffic back to the controller, and VLAN tagging is dictated by each interface mapping of the WLAN.
    By default, a VLAN is not enabled on the FlexConnect access point. When FlexConnect is enabled, the access point inherits the VLAN ID associated to the WLAN. This configuration is saved in the access point and received after the successful join response.
    By default, the native VLAN is 1. One native VLAN must be configured per FlexConnect access point in a VLAN-enabled domain. Otherwise, the access point cannot send and receive packets to and from the controller. When the client is assigned a VLAN from the RADIUS server, that VLAN is associated to the locally switched WLAN.
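    The inheritance described above is the reason a branch mapping that differs from the controller's WLAN interface can silently revert after a rejoin. As an added example (not from the original thread and not Cisco's own documentation), the following WLC CLI sequence re-applies a per-AP mapping and reads it back so the result can be verified; the AP name BRANCH-AP-01 and WLAN ID 2 are placeholders, the native VLAN 97 and guest VLAN 998 are taken from the first post, and the command syntax is assumed to be the 7.2+ "flexconnect" keyword form (the 7.0 releases discussed here used "hreap" in the same position). Lines beginning with "!" are commentary, not commands.

    ```cisco
    ! Added example (constructed): re-apply and verify a FlexConnect per-AP VLAN mapping
    ! from the WLC CLI. AP name and WLAN ID are placeholders; syntax assumed from the
    ! 7.2+ "config ap flexconnect" form (7.0 used "config ap hreap" instead).

    ! 1. Enable per-AP VLAN support; native/WLAN mappings are only accepted once this is on
    config ap flexconnect vlan enable BRANCH-AP-01

    ! 2. Native VLAN the AP uses on its wired uplink at the branch (97 in the first post)
    config ap flexconnect vlan native 97 BRANCH-AP-01

    ! 3. Map the locally switched guest WLAN (assumed WLAN ID 2) to the branch VLAN 998
    config ap flexconnect vlan wlan 2 998 BRANCH-AP-01

    ! 4. Read the AP configuration back; compare the VLAN mappings shown here with the
    !    intended values after every rejoin to catch a mapping that has reverted
    show ap config general BRANCH-AP-01
    ```

    Because the mapping is stored on the AP and re-received after a join, the verification step is the one worth repeating: checking the output of step 4 after each controller failover is what distinguishes a mapping that was never saved from one that the join response overwrote.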

  • Why Management VLAN suddenly changed to default VLAN1?

    The problem is that the management VLAN on certain switches will suddenly change to the default VLAN. Does this have anything to do with the configuration? Because I am sure that the configuration is quite simple.
    Thanks.

    Hello
    Some switch models only allow 1 L3 interface per switch.
    If you try to create an additional SVI it will delete the previous one.
    Is this what you are querying?
    res
    Paul

  • When/how does VTP issue vlan config changes?

    Hi,
    On my VTP server switch I renamed a vlan. Does this change automatically get sent out after a set period of time or am I supposed to enter a command myself?
    Thanks

    According to:
    http://www.cisco.com/en/US/tech/tk389/tk689/technologies_tech_note09186a0080094c52.shtml
    Subset Advertisements
    When you add, delete, or change a VLAN in a Catalyst, the server Catalyst where the changes were made increments the configuration revision and issues a summary advertisement, followed by one or several subset advertisements. A subset advertisement contains a list of VLAN information. If there are several VLANs, more than one subset advertisement may be required to advertise them all.

  • HREAP VLAN configuration

    For no apparent reason an HREAP access point loses its VLAN configuration in VLAN mapping. Has anyone seen this?

    Enter the Detail page of the desired access point, select the H-REAP tab again, and click VLAN Mapping in order to configure the 802.1Q tagging per locally switched WLAN.

  • Tcl script to change access vlan based on MAC address

    Hello all. I'm looking for some input on how best to handle this situation. I have a large network with a lot of remote offices where we have limited control over users moving around patch cables. We're using VLAN-based QoS in these offices to mark voice, video, data, etc. The problem I'm having is that our users are moving video conferencing equipment to different interfaces on our switches, which puts the VTC unit in a different VLAN, fouling our QoS policy. They then call and complain about poor video quality.
    I'm trying to come up with a way to automate putting the interface in the video VLAN if a VTC unit is connected. All of our video conferencing units are from the same vendor, so they have the same OUI in the MAC address. The script I've been working on looks for a line protocol up event, then checks to see what access VLAN is configured on the interface. If the interface is already in the video VLAN, the script exits. If the interface is not in the video VLAN, the script looks at the MAC address table for the interface and, if the OUI matches a VTC unit, the script changes the interface configuration. My question is, is there a better event to trigger script execution? Maybe a MAC notification trap, or something else? Line protocol transitions when the access VLAN is changed, so the current script runs twice: once when the interface first comes up with a new connection, and again when the VLAN is changed.
    Script is attached. Any help or advice is appreciated!

    Does your video equipment use CDP?  If so, then you can use the neighbor-discovery event detector to only react when you see a media endpoint being connected to a port.  Yes, MAC address notifications (the mat ED) can also work if you know the MACs of your media endpoints.

  • Changing native vlan

    Is there a good reason to change the default native vlan 1 between two 802.1Q trunks? And is there a rule regarding best practices? thanks.

    With 802.1q trunking, the only significance of the native vlan is the fact that it is not tagged. Most administrators default to vlan 1, but others vary.
    It's discussed in the best practices document, but there's no specific best practice for Native Vlan, as changing it does not have any bearing on network performance or stability. It does talk about the significance of Vlan 1, which may be of interest.
    http://www.cisco.com/en/US/customer/products/hw/switches/ps663/products_tech_note09186a0080094713.shtml
    HTH,
    Bobby

  • Jumpstarting changes with U6:  VLAN tagged interfaces and sysidcfg

    Hello,
    I've been banging my head on U6 for a few days and finally have to give up and cry for help. I can no longer build a jumpstarted server which ends up on a separate VLAN-tagged LAN after first reboot.
    I have an existing U5 SPARC jumpstart environment set up. We use VLAN tagging a lot in our environments, and by default the only time a non-VLAN-tagged interface is used is during jumpstart. With the existing jumpstart we are using the following profiles:
    root_password=mypassword
    security_policy=NONE
    timezone=GB
    timeserver=localhost
    terminal=vt100
    network_interface=none {hostname=hostname}
    system_locale=en_GB
    name_service=NONE
    system_locale=C
    In the U5 profile we let the jumpstart server obtain its network configuration via DHCP and then obtain the profile above, which excludes all network settings. All the network settings were added as part of a finish script. This worked fine with U5. As far as I can see, with U6 at the point where the sysidcfg is first evaluated it removes the network settings and obviously then kills the jumpstart. So I have had to try a different approach. I have tried both of the following:
    network_interface=PRIMARY { default_route=none protocol_ipv6=no}
    network_interface=PRIMARY { dhcp default_route=none protocol_ipv6=no}
    However, using either of these causes the ce0, bge0 or whatever to remain defined, instead of the ce200000 and ce206000 interfaces that I have explicitly defined in hostname.ce200000 separately. I also get a number of arp errors on initial reboot, such as
    Nov 20 20:27:29 unknown ip: ip_arp_done: init failed
    Nov 20 20:27:29 unknown /sbin/dhcpagent[44]: configure_v4_lease: cannot set interface flags for ce0: Cannot assign requested address
    I don't know if I am barking up the wrong tree, but I believe I need to get the server on initial boot (or during finish) to re-evaluate a different sysidcfg file. Alternatively, it might need some combination of presence/absence of /reconfigure or /etc/.UNCONFIGURED. I think I might also need to stop /sbin/netstrategy returning DHCP-specific results (I only use DHCP for jumpstart booting and not for normal boot), but I have no idea how to do that...
    # /sbin/netstrategy
    ufs ce0 dhcp
    Any help much appreciated!
    thanks
    Paul

    Paul,
    I don't want to suggest that I understand your problem but have you seen the comments about tagged vlans on the Opensolaris LDoms forum?
    Near the bottom of thread [Solaris 10 10/08 (update 6)|http://www.opensolaris.org/jive/thread.jspa?threadID=81505&tstart=0] there is some discussion of tagged vlan support changes with U6.
    It sounds like tagged vlans are going to be a problem with U6.
    have a good weekend,
    Glen

  • Cisco ISE 1.2.1.198 Guest Portal VLAN Override on Mobile Devices (Android, iOS) not working

    Hi Guy, 
    In my ISE deployment, once a guest is successfully authenticated, they are assigned the guest VLAN for internet access.
    We are using the guest portal to do the VLAN override once the user is authenticated.
    Windows 7 Internet Explorer (ActiveX) and Chrome (Java applet) are working fine,
    but Android and Apple iOS devices are unable to release the DHCP lease and get a new one,
    because from ISE and the WLC we can see the VLAN has changed. How do mobile devices initiate a DHCP release for the Guest Portal?
    Kindly advise.
    Regards
    Freemen

    I don't have such documentation, nor could I find any on Cisco's site. With that being said, it doesn't mean that it doesn't exist. I just know that ActiveX is a Windows-specific framework and Java is not supported on either iOS or Android:
    http://www.java.com/en/download/faq/java_mobile.xml
    The good news is that Cisco appears to be steering away from Java so it is possible that in the future this will be supported. 
    Hope this helps!
    Thank you for rating helpful posts!

  • Changing WPA Username and Password

    Hi Guys,
    I am quite new to wireless. I would appreciate any help on this issue.
    I am using an 891W as an autonomous AP. I got some basic config from the support forum. Once configuration was done, I could see the SSID, but it was asking for a username which I could not figure out. Here is the config below.
    hostname ap
    no aaa new-model
    dot11 syslog
    dot11 ssid WirelessNetwork
       vlan 1
       authentication open
       authentication key-management wpa
       guest-mode
       mbssid guest-mode
       wpa-psk ascii 7 cisco
    bridge irb
    interface Dot11Radio0
    no ip address
    no ip route-cache
    encryption vlan 1 mode ciphers aes-ccm
    encryption mode ciphers aes-ccm
    broadcast-key vlan 1 change 30
    ssid WirelessNetwork
    antenna gain 0
    station-role root
    interface Dot11Radio0.1
    encapsulation dot1Q 1 native
    no ip route-cache
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    bridge-group 1 spanning-disabled
    interface Dot11Radio1
    no ip address
    no ip route-cache
    encryption vlan 1 mode ciphers aes-ccm
    encryption mode ciphers aes-ccm
    broadcast-key vlan 1 change 30
    ssid Wirelessnetwork
    antenna gain 0
    dfs band 3 block
    channel dfs
    station-role root
    interface Dot11Radio1.1
    encapsulation dot1Q 1 native
    no ip route-cache
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    bridge-group 1 spanning-disabled
    interface GigabitEthernet0
    description the embedded AP GigabitEthernet 0 is an internal interface connecting AP with the host router
    no ip address
    no ip route-cache
    interface GigabitEthernet0.1
    encapsulation dot1Q 1 native
    no ip route-cache
    bridge-group 1
    no bridge-group 1 source-learning
    bridge-group 1 spanning-disabled
    interface BVI1
    ip address dhcp client-id GigabitEthernet0
    no ip route-cache
    cns dhcp
    end
    Please help me change the username and password for the SSID.
    I hope in the above example the password is cisco.
    Thank you.

    Hi,
    This should be asking you only for the password, not the username, as you have configured it with wpa-psk. What client device are you testing this with? If this is a Windows machine please choose your security as WPA-Personal on the wireless profile and then it will ask for the Security Key. You will have to enter your password there. The password from the configuration I can see is cisco.
    wpa-psk ascii 7 cisco
    Hope that helps,
    Regards
    Najaf
    Please rate when applicable or helpful !!!

  • Cisco 877W Dual SSID/VLAN Security Issue

    Hi All
    I have an issue with my 877W that is as fascinating as it is frustrating. I have two SSIDs/VLANs, one for trusted LAN users (PRIVATE), and one for guests (GUEST). The PRIVATE network is secured from the GUEST network by a zone-based firewall. Everything works fine, guest devices cannot access private devices, except for one thing: the BVI interface on the PRIVATE network is always accessible to guest devices, and all services are open to attack, e.g. telnet/ssh/http/dns etc. I've tried everything to secure this interface from the guest network, including putting deny any any on physical, BVI and VLAN interfaces.
    Am I missing something obvious, or some fundamental architecture of the 877 that would stop this interface being secured? Any help appreciated!
    P.S config has been pared down to basics below
    version 15.1
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname ROUTER
    boot-start-marker
    boot-end-marker
    logging buffered 4096
    enable secret 5 $1$BdpF$r/mAhQGYs8LBlqEpANmke0
    no aaa new-model
    dot11 syslog
    dot11 ssid PRIVATE@123
     vlan 100
     authentication open
     authentication key-management wpa
     wpa-psk ascii 7 046B0A535A15441D2D0C11141A5A5F
    dot11 ssid VISITOR@123
     vlan 200
     authentication open
     authentication key-management wpa
     mbssid guest-mode
     wpa-psk ascii 7 03374C0A08392040420C00
    ip source-route
    no ip dhcp conflict logging
    ip dhcp excluded-address 172.16.1.1 172.16.1.10
    ip dhcp excluded-address 192.168.0.1 192.168.0.10
    ip dhcp pool GUEST
     utilization mark low 70 log
     network 172.16.1.0 255.255.255.0
     dns-server 192.168.0.1 61.9.242.33 61.9.226.33
     default-router 172.16.1.1
    ip dhcp pool PRIVATE
     utilization mark low 70 log
     network 192.168.0.0 255.255.255.0
     dns-server 192.168.0.1 61.9.242.33 61.9.226.33
     default-router 192.168.0.1
    ip cef
    no ipv6 cef
    multilink bundle-name authenticated
    username cisco privilege 15 password 7 073F205F5D1E491713
    policy-map type inspect PM-DENYGUEST
     class class-default
      drop
    zone security GUEST
    zone security PRIVATE
    zone-pair security GUEST-TO-PRIVATE source GUEST destination PRIVATE
     service-policy type inspect PM-DENYGUEST
    bridge irb
    interface ATM0
     no ip address
     shutdown
     no atm ilmi-keepalive
    interface FastEthernet0
     no ip address
    interface FastEthernet1
     switchport access vlan 100
     no ip address
    interface FastEthernet2
     switchport access vlan 100
     no ip address
    interface FastEthernet3
     no ip address
    interface Dot11Radio0
     no ip address
     encryption vlan 100 mode ciphers aes-ccm
     encryption vlan 200 mode ciphers aes-ccm
     broadcast-key vlan 100 change 30
     broadcast-key vlan 200 change 30
     ssid PRIVATE@123
     ssid VISITOR@123
     mbssid
     speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
     station-role root
    interface Dot11Radio0.100
     encapsulation dot1Q 100 native
     zone-member security PRIVATE
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 spanning-disabled
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
    interface Dot11Radio0.200
     encapsulation dot1Q 200
     zone-member security GUEST
     bridge-group 2
     bridge-group 2 subscriber-loop-control
     bridge-group 2 spanning-disabled
     bridge-group 2 block-unknown-source
     no bridge-group 2 source-learning
     no bridge-group 2 unicast-flooding
    interface Vlan1
     no ip address
    interface Vlan100
     no ip address
     bridge-group 1
    interface Vlan200
     no ip address
     bridge-group 2
    interface Dialer0
     ip address negotiated
     ip access-group 101 out
     ip nat outside
     ip virtual-reassembly in
     encapsulation ppp
     dialer pool 1
     dialer-group 1
     ppp authentication chap callin
     ppp chap hostname [email protected]
     ppp chap password 7 10580A4F1C4005005B
    interface BVI1
     ip address 192.168.0.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly in
     zone-member security PRIVATE
    interface BVI2
     ip address 172.16.1.1 255.255.0.0
     ip nat inside
     ip virtual-reassembly in
     zone-member security GUEST
    ip forward-protocol nd
    ip http server
    ip http access-class 2
    ip http authentication local
    ip http secure-server
    ip nat inside source list 1 interface Dialer0 overload
    ip route 0.0.0.0 0.0.0.0 Dialer0
    logging trap debugging
    logging 192.168.0.11
    control-plane
    bridge 1 protocol ieee
    bridge 1 route ip
    bridge 2 protocol ieee
    bridge 2 route ip
    line con 0
     exec-timeout 5 0
     no modem enable
     transport output all
    line aux 0
     exec-timeout 0 1
     no exec
     transport output none
    line vty 0 4
     exec-timeout 5 0
     login local
     transport input telnet ssh
     transport output none
    end

    Ignore that. self zone got me. Argh! phew!
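    The "self zone" remark is the whole explanation: in IOS zone-based firewall, traffic addressed to the router's own interfaces (the BVI1 address 192.168.0.1 in the config above) belongs to the built-in self zone, not to the PRIVATE zone, so the GUEST-TO-PRIVATE zone-pair never sees it, and the default policy for the self zone permits it. As an added example (not part of the original post), this is one way to close that gap while keeping the router-hosted DHCP and DNS reachable from the guest SSID: a GUEST-to-self zone-pair that passes only DHCP and DNS and drops and logs everything else. The ACL, class-map and policy-map names are assumptions; the zone name GUEST comes from the posted config.

    ```cisco
    ! Added example (constructed, not from the original post): restrict guest access to
    ! the router itself. Names ACL-GUEST-TO-SELF, CM-GUEST-TO-SELF and PM-GUEST-TO-SELF
    ! are assumptions; the zone GUEST and the router-hosted DHCP/DNS come from the post.

    ! Only the services the router itself provides to guests: DHCP (clients send to
    ! bootps) and DNS (the GUEST pool hands out 192.168.0.1 as a resolver)
    ip access-list extended ACL-GUEST-TO-SELF
     permit udp any any eq bootps
     permit udp any any eq domain

    class-map type inspect match-all CM-GUEST-TO-SELF
     match access-group name ACL-GUEST-TO-SELF

    ! "pass" is used rather than "inspect" because self-zone traffic is not always
    ! stateful-inspectable; replies from the router are covered by the default self
    ! policy since no self-to-GUEST zone-pair is defined
    policy-map type inspect PM-GUEST-TO-SELF
     class type inspect CM-GUEST-TO-SELF
      pass
     class class-default
      drop log

    ! The missing piece in the original config: a zone-pair whose destination is the
    ! built-in "self" zone. Without it, telnet/ssh/http to BVI1 from GUEST is allowed.
    zone-pair security GUEST-TO-SELF source GUEST destination self
     service-policy type inspect PM-GUEST-TO-SELF
    ```

    The "drop log" on class-default is what makes the change verifiable: a guest client's attempt to reach 192.168.0.1 on telnet, SSH or HTTP now shows up in the router log (the config already sends traps to 192.168.0.11) instead of silently succeeding, and "show policy-map type inspect zone-pair GUEST-TO-SELF" shows the per-class hit counters.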

  • Management ip address on a different vlan/bridge

    We have several standalone APs. On our switches we have a data and a guest VLAN. Previously on an Aironet AP I configured the Ethernet interface with 802.1Q trunking and I configured a subinterface with its management IP address. This all worked perfectly.
    Now we bought some new ones (SAP2602) which have IOS v15.2 (the old ones still have 14.3), and I applied the same config (changed the IP address and hostname of course), but the IP management of the AP does not work (wireless clients work fine, so no problem with 802.1Q).
    Config (so both on old and new):
    bridge irb
    interface GigabitEthernet0
     no ip address
     no ip route-cache
     duplex full
     speed 100
     no keepalive
     bridge-group 1
     no bridge-group 1 source-learning
     bridge-group 1 spanning-disabled
    interface GigabitEthernet0.90
     encapsulation dot1Q 90
     no ip route-cache
     bridge-group 90
     no bridge-group 90 source-learning
     bridge-group 90 spanning-disabled
    interface GigabitEthernet0.104
     encapsulation dot1Q 104
     ip address 10.104.70.1 255.255.0.0
     no ip route-cache
     bridge-group 104
     no bridge-group 104 source-learning
     bridge-group 104 spanning-disabled
    interface BVI1
     ip address dhcp client-id GigabitEthernet0
     no ip route-cache
    ip default-gateway 10.104.1.1
    Any ideas what's changed between the new and old IOS or AP? (I only noticed that in the new AP the command "no ip route-cache" is not enabled anymore.)

    I'd suggest to define vlan114 as native vlan and change the bridge group to 1:
    interface GigabitEthernet0.104
    encapsulation dot1Q 104 native
    bridge-group 1
    Remember to configure the trunk port the AP is connected to as native VLAN 104.
    Normally the IP address is configured under the BVI interface; if there is still no change you can try that.
    That should work.
    Regards

  • Question about PVID, SA520, Native VLAN

    Is PVID the same thing as "native VLAN"? Can the native VLAN be changed on an SA520? Currently I believe it to be 1; I'd like to change the native VLAN to 10.
    I have a scenario where I have a pre-existing production LAN of 192.168.1.0/24. It's a small organization (a church), but they purchased 3 Aironet 1130AG units. They want to have a "private" WLAN that is part of 192.168.1.0/24, and a guest WLAN on a different subnet (I chose 192.168.20.0/24). The two should never meet. There will likely never be a guest computer connected via Ethernet. Guest computers would always have to connect wirelessly.
    I accomplished this to a point.
    I left VLAN 1 on the SA520 192.168.75.0/24 subnet as default. I created a VLAN 10, 192.168.1.0/24 subnet, and I created a VLAN 20, 192.168.20.0/24 subnet.
    VLAN Recap:
    VLAN 1, 192.168.75.0/24
    VLAN 10, 192.168.1.0/24
    VLAN 20, 192.168.20.0/34
    Ports 1-3 of the SA520 are members of VLAN 1, 10, and 20 (cannot remove membership of VLAN 1, which is pretty annoying).
    The Aironets have been configured correctly.
    SSID: Priv is part of VLAN 10
    SSID: Pub is part of VLAN 20
    Both are secured by WPA, and when I connect, the proper DHCP subnet passes from the firewall through to the wireless client, for each respective SSID.
    Ultimately, I'd like the SBS 2003 server to handle DHCP for VLAN 10, and have the SA520 handle DHCP for VLAN 20, but I'll take what I can get.
    Here's my challenge:
    The original production LAN is connected via an unmanaged switch.
    I'd like to trunk the unmanaged switch to Port 4 on the SA520. However, since the PVID (native VLAN?) of the SA520 is 1, and I cannot make Port 4 on the SA520 only a member of VLAN 10, then any traffic coming from the unmanaged switch will automatically be tagged with VLAN 1, correct? Thus causing the already existing production network to start receiving DHCP from the firewall in the 192.168.75.0/24 range.
    Any ideas or help on the above?
    What I would do if I had a managed switch on the production LAN:
    If I had a managed switch on the production LAN, what I think I would do is make one port a trunk port, connect that port to Port 4 on the SA520, then make all the rest of the ports on the managed switch access ports, and members of VLAN 10. Am I on the right track there?
    Hiccups when setting up the WAP:
    I would have changed VLAN 1 on the SA520 to the 192.168.1.0/24 subnet and only created a second subnet, but there was a challenge with that and the WAPs.
    Cannot change the VLAN the dot11radio0 is a part of. There's no encapsulation command.
    Could not broadcast the SSIDs successfully and secure via WPA unless the SSIDs were on VLANs other than 1. The dot11radio0 would go into a "reset" state.
    Could change the VLAN the subinterfaces of dot11radio0 were on; for example dot11radio0.10 is a member of VLAN 10. Dot11radio0.20 is a member of VLAN2.
    In any event, it's working, but the rest of the infrastructure is the challenge.
    Here's one of my WAP configs as an example:
    Building configuration...
    Current configuration : 2737 bytes
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname WAP2
    enable secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXx
    no aaa new-model
    no ip domain lookup
    dot11 syslog
    dot11 ssid CASPRIV
       vlan 10
       authentication open
       authentication key-management wpa
       mbssid guest-mode
       wpa-psk ascii 7 107E1B101345425A5D4769
    dot11 ssid CASPUB
       vlan 20
       authentication open
       authentication key-management wpa
       mbssid guest-mode
       wpa-psk ascii 7 132616013B19066968
    username Cisco password 7 0802455D0A16
    bridge irb
    interface Dot11Radio0
    no ip address
    no ip route-cache
    encryption vlan 20 mode ciphers aes-ccm
    encryption vlan 10 mode ciphers aes-ccm
    ssid CASPRIV
    ssid CASPUB
    mbssid
    channel 6
    station-role root
    bridge-group 1
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    bridge-group 1 spanning-disabled
    interface Dot11Radio0.10
    encapsulation dot1Q 10
    ip address 192.168.1.5 255.255.255.0
    no ip route-cache
    bridge-group 10
    bridge-group 10 subscriber-loop-control
    bridge-group 10 block-unknown-source
    no bridge-group 10 source-learning
    no bridge-group 10 unicast-flooding
    bridge-group 10 spanning-disabled
    interface Dot11Radio0.20
    encapsulation dot1Q 20
    ip address 192.168.20.3 255.255.255.0
    no ip route-cache
    bridge-group 20
    bridge-group 20 subscriber-loop-control
    bridge-group 20 block-unknown-source
    no bridge-group 20 source-learning
    no bridge-group 20 unicast-flooding
    bridge-group 20 spanning-disabled
    interface Dot11Radio1
    no ip address
    no ip route-cache
    shutdown
    encryption mode ciphers aes-ccm
    ssid CASPRIV
    dfs band 3 block
    channel dfs
    station-role root
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    bridge-group 1 spanning-disabled
    interface FastEthernet0
    no ip address
    no ip route-cache
    duplex auto
    speed auto
    bridge-group 1
    no bridge-group 1 source-learning
    bridge-group 1 spanning-disabled
    interface FastEthernet0.10
    encapsulation dot1Q 10
    no ip route-cache
    bridge-group 10
    no bridge-group 10 source-learning
    bridge-group 10 spanning-disabled
    interface FastEthernet0.20
    encapsulation dot1Q 20
    no ip route-cache
    bridge-group 20
    no bridge-group 20 source-learning
    bridge-group 20 spanning-disabled
    interface BVI1
    no ip address
    no ip route-cache
    ip http server
    no ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    bridge 1 route ip
    line con 0
    line vty 0 4
    login local

    Hello Paul,
    You have a lot going on here so forgive me if I miss something.
    PVID is for Primary/Port Vlan ID. It is used to identify the vlan on a port and can be used to change the native vlan of a port. You can change the PVID on port 4 of the SA520 to be vlan 10 if you need to.
    The simplest setup would be for you to have your private network all be on the native vlan 1 and set your guest to be on another vlan. All of this would be possible without any problem on the SA520. Unfortunately I do not have much experience with the Aironet APs but they should allow you to continue this configuration onto the wireless network. For assistance with the Aironet APs I would have to refer you to someone more familiar.
    I do hope this helps with setting up your network.
