Managment VLAN - SSID mapping

Similar Messages

• Autonymouse AP1121 - Management Vlan and SSID Vlan

  Hello,
  We are using an ACS server to authenticate wireless users to active directory this works fine. The issue occurs when we try to pull an ip and we can't fomr the dhcp. The vlan we have the SSID on is vlan 10 and the management vlan of the AP is vlan 500. The ip-helper info is correct because wired users on vlan 10 get an ip immedialty. We just can't pull one with the AP. Does anyone know the config for this? Here is my current config, the client authenticate through the ACS 4.2 but pull no ip, the only way for me to manage the ap is to have the native vlan command on there, once i remove it i can't telnet. What is the fix for this? Thanks
  current switch port config ap is plugged into.
  interface FastEthernet1/0/48
  switchport trunk encapsulation dot1q
  switchport trunk native vlan 500
  switchport mode trunk

  Do you have sub interfaces for vlan 10 being brigged through the radio interface?
  Example config below...
  interface Dot11Radio0.10
  description Secure Wireless access
  encapsulation dot1Q 10
  no ip route-cache
  bridge-group 10
  bridge-group 10 subscriber-loop-control
  bridge-group 10 block-unknown-source
  no bridge-group 10 source-learning
  no bridge-group 10 unicast-flooding
  bridge-group 10 spanning-disabled
  interface FastEthernet0.10
  encapsulation dot1Q 10
  no ip route-cache
  bridge-group 10
  no bridge-group 10 source-learning
  bridge-group 10 spanning-disabled
  Also verify that vlan 10 is allowed on the trunk interface of the switch by typing "show int trunk"

• VWLC clients getting DHCP address from management VLAN

  Hi,
  We have a strange scenario whereby some wireless employees are obtaining addresses from the management VLAN.
  Some details:
  DHCP managed by MS DHCP 2008 R2 (in remote data centre)
  Cisco vWLC AIR-CTVM-K9 running v7.6.110.0
  AP's are a mix of 2602 and 3702 (46 and 2 of each respectively)
  SSID's are employee, guest, and production devices (all mapped to their own interface with relevant VLAN tag as per normal)
  AP's all in FlexConnect mode as per vWLC caveats
  Some employees are receiving addresses in the wireless management VLAN. This network only has six DHCP addresses available as it is solely for AP's, WLC and HSRP gateway. Obviously this gets exhausted very quickly leaving us with a scenario where clients are not obtaining DHCP addresses.
  I understand that with FlexConnect mode, it will assign IP's from the native VLAN. What I don't understand is why most clients receive addresses in the correct VLAN, but a handful do not, and then cannot get an address from DHCP. Obviously the ideal scenario would be to put the AP's into local mode but unless this has changed in a SW release then I don't believe it's possible...
  My question is: How do I get ALL the employees to obtain addresses from their interface and not the management VLAN?
  Thanks in advance.

  Hi,
  I think we need a closer look to your configurarion to eliminate some possibilities:
  - What is the WLAN security you choose?
  - What is the interface that is configured under the WLAN?
  - Does your WLAN have local switching enabled?
  - If your security is using RADIUS server, do you have AAA override enabled under the WLAN config?
  - If your security is using RADIUS server, do you send any attributes to the users?
  - You have eliminate that clients that got management vlan IPs are always on same AP or they can be on any AP.
  HTH
  Amjad

• Dynamic VLAN/SSID assignment using 4402/MS IAS

  Greetings,
  In short we have a WLC4402 (50 AP license) and approx 30 1252s LAPs in place. Right now we have three VLANs/SSIDs in place - one for admin, one for teachers and one for students. The WLC uses a MS Windows 2003 server running IAS for PEAP authentication. The clients are Windows XP, the SSID is entered manually based on "pre-designation" of the laptop's "type" (either admin, teacher or student).
  This is working fine. However more and more frequently our users have been "sharing" laptops so a student may need to use a teacher's laptop and vice-versa. In short we would like to use dynamic VLAN/SSID assignment so that if a student does have a teacher's laptop the "student" VLAN/SSID would be assigned to them when log in (and the proper ACLs, QoS policies, etc would be applied)
  We have found documentation on how to perform this with an ACS but is there anything available for this configuration with a MS IAS server.
  Any input/information would be greatly appreciated.
  Joe

  Shaun,
  My LAG - etherchannel interface
  interface Port-channel8
  description WLC-portchannel
  switchport
  switchport trunk encapsulation dot1q
  switchport trunk allowed vlan 1,3,24-26
  switchport mode trunk
  end
  My 2 WLC Fiber ports:
  Current configuration : 382 bytes
  interface GigabitEthernet7/47
  description CiscoWLC-LAG-Ports
  switchport trunk encapsulation dot1q
  switchport trunk allowed vlan 1,3,24-26
  switchport mode trunk
  service-policy output autoqos-voip-policy
  qos trust cos
  auto qos voip trust
  tx-queue 3
  bandwidth percent 33
  priority high
  shape percent 33
  spanning-tree bpdufilter enable
  channel-group 8 mode on
  end
  2200-3A#sh run int g7/48
  Building configuration...
  Current configuration : 382 bytes
  interface GigabitEthernet7/48
  description CiscoWLC-LAG-Ports
  switchport trunk encapsulation dot1q
  switchport trunk allowed vlan 1,3,24-26
  switchport mode trunk
  service-policy output autoqos-voip-policy
  qos trust cos
  auto qos voip trust
  tx-queue 3
  bandwidth percent 33
  priority high
  shape percent 33
  spanning-tree bpdufilter enable
  channel-group 8 mode on
  end
  I use vl1 for ap mgmt, vl3 for hotspot, and vl24-26 for WPA2 clients and wireless voip devices.
  One of my AP switchports on the same switch. I let the trunk port to the AP carry a range of vlan's, and then a manage the vlans assigned to clients with IAS and the WLC.
  interface FastEthernet4/48
  description AP-PoE
  switchport trunk encapsulation dot1q
  switchport trunk allowed vlan 1-1004
  switchport mode trunk
  service-policy output autoqos-voip-policy
  qos trust cos
  auto qos voip trust
  tx-queue 3
  bandwidth percent 33
  priority high
  shape percent 33
  end
  Jim

• Wireless AP Management VLAN and BVIs

  Hi All,
  I've been looking around and I can't find a solution to what I am trying to achieve and I was hoping the community may have had more luck than I have.
  I'm looking to have my management VLAN for my AP setup as a tagged BVI but I'm struggling to get it setup. I can set it up fine using BVI1 and having it just accessed on the native VLAN but I see this as a security flaw, I don't really want direct access into my management network on the switch.
  Now there may be a better way of preventing this but I am, at least compared to many, still fairly new to Cisco and this seems to be the best approach. Please see below for my current config, hopefully you can let me know where I am going wrong.
  Also, as a note, at the moment I am mainly focusing on the management security of the AP before I check the wifi config, hence the radios still being shutdown so there may also be small errors in this. I have also removed some elements which are not relevant.
  version 15.3
  no service pad
  service timestamps debug datetime msec
  service timestamps log datetime msec
  service password-encryption
  hostname AP01
  no ip source-route
  no ip cef
  dot11 syslog
  dot11 ssid <Guest secure network SSID>
     vlan 30
     authentication open
     authentication key-management wpa version 2
     guest-mode
     wpa-psk ascii <key>
  dot11 ssid <Internal Secure SSID>
     vlan 10
     authentication open
     authentication key-management wpa version 2
     wpa-psk ascii <key>
  ip ssh version 2
  bridge irb
  interface Dot11Radio0
   no ip address
   no ip route-cache
   shutdown
   encryption vlan 10 mode ciphers aes-ccm tkip
   encryption vlan 30 mode ciphers aes-ccm tkip
   ssid <Guest secure network SSID>
   ssid <Internal Secure SSID>
   antenna gain 0
   packet retries 64 drop-packet
   channel 2437
   station-role root
   bridge-group 1
   bridge-group 1 subscriber-loop-control
   bridge-group 1 spanning-disabled
   bridge-group 1 port-protected
   bridge-group 1 block-unknown-source
   no bridge-group 1 source-learning
   no bridge-group 1 unicast-flooding
  interface Dot11Radio0.10
   encapsulation dot1Q 10
   no ip route-cache
   bridge-group 10
   bridge-group 10 subscriber-loop-control
   bridge-group 10 spanning-disabled
   bridge-group 10 block-unknown-source
   no bridge-group 10 source-learning
   no bridge-group 10 unicast-flooding
  interface Dot11Radio0.30
   encapsulation dot1Q 30
   no ip route-cache
   bridge-group 30
   bridge-group 30 subscriber-loop-control
   bridge-group 30 spanning-disabled
   bridge-group 30 block-unknown-source
   no bridge-group 30 source-learning
   no bridge-group 30 unicast-flooding
  interface Dot11Radio1
   no ip address
   no ip route-cache
   shutdown
   encryption vlan 10 mode ciphers aes-ccm tkip
   encryption vlan 30 mode ciphers aes-ccm tkip
   ssid <Guest secure network SSID>
   ssid <Internal Secure SSID>
   antenna gain 0
   peakdetect
   no dfs band block
   packet retries 64 drop-packet
   channel dfs
   station-role root
   bridge-group 1
   bridge-group 1 subscriber-loop-control
   bridge-group 1 spanning-disabled
   bridge-group 1 port-protected
   bridge-group 1 block-unknown-source
   no bridge-group 1 source-learning
   no bridge-group 1 unicast-flooding
  interface Dot11Radio1.10
   encapsulation dot1Q 10
   no ip route-cache
   bridge-group 10
   bridge-group 10 subscriber-loop-control
   bridge-group 10 spanning-disabled
   bridge-group 10 block-unknown-source
   no bridge-group 10 source-learning
   no bridge-group 10 unicast-flooding
  interface Dot11Radio1.30
   encapsulation dot1Q 30
   no ip route-cache
   bridge-group 30
   bridge-group 30 subscriber-loop-control
   bridge-group 30 spanning-disabled
   bridge-group 30 block-unknown-source
   no bridge-group 30 source-learning
   no bridge-group 30 unicast-flooding
  interface GigabitEthernet0
   no ip address
   no ip route-cache
   duplex auto
   speed auto
   no keepalive
  interface GigabitEthernet0.10
   encapsulation dot1Q 10
   no ip route-cache
   bridge-group 10
   bridge-group 10 spanning-disabled
   no bridge-group 10 source-learning
  interface GigabitEthernet0.30
   encapsulation dot1Q 30
   no ip route-cache
   bridge-group 30
   bridge-group 30 spanning-disabled
   no bridge-group 30 source-learning
  interface GigabitEthernet0.100
   encapsulation dot1Q 100
   no ip route-cache
   bridge-group 100
   bridge-group 100 spanning-disabled
   no bridge-group 100 source-learning
  interface GigabitEthernet0.101
   encapsulation dot1Q 999 native
   no ip route-cache
   bridge-group 1
   bridge-group 1 spanning-disabled
   no bridge-group 1 source-learning
  interface BVI1
   no ip address
   no ip route-cache
   shutdown
  interface BVI100
   mac-address <Actual ethernet address>
   ip address 10.33.100.101 255.255.255.0
   no ip route-cache
  ip default-gateway 10.33.100.254
  ip forward-protocol nd
  ip http server
  no ip http secure-server
  ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
  bridge 1 route ip
  bridge 100 protocol ieee
  bridge 100 route ip
  line con 0
   logging synchronous
  line vty 0 4
   transport input ssh
  end
  As you can see I am using BVI100 as the management VLAN for the device and BVI1 is shutdown with vlan 999/int gi0/101 holding bridge group 1.
  With this setup I can't get any IP communication, send or receive but I can see the MAC address on the switch in the MAC address table on vlan100. There is also no entries in the ARP table of the AP.
  The switch is setup with vlan 999 untagged and vlans 10,30,100 as tagged.
  Hope you can help! Thanks for any advice in advanced.
  Many thanks,
  Martin.

  Yea that would work and I have set it up like this without issue but I'm trying to limit access to the management VLAN, I don't want someone to be able to plug directly into the switch and be on the same broadcast domain as alll of the other equipment.
  There are otherways of achieving this but I felt like I was so close with the above config but I was just missing something.

• WAP 321 Management VLAN

  HI, I want to use the management VLAN254 for my 4 WAP321. but after changing the management vlan in the unit from 20 th 254 I lost contact with the unit.
  The switch I use is a Cisco 2960. Here's the config of the port :
  interface FastEthernet0/23
  switchport trunk native vlan 254
  switchport trunk allowed vlan 5,20,254,1002-1005
  switchport mode trunk
  spanning-tree portfast
  Vlan 5 and 20 are my two SSID Vlan
  I was able to connect to the unit when the management vlan was set to 20  with an IP of 192.168.254.51 but since I chaged the vlan in the unit can't connect to it, I can't even ping it from the switch ...
  Any ideas ?

  Hi Tom,
  Got it back to work by setting the native Vlan in my 2960 to vlan 20
  I also have an issue with my 2nd wireless network, vlan 20 if I don't set the untagged vlan to 20 I can't reach that network. but no problem with my wireless network with vlan 5 which is the first one. It looks like the vlan tagging only work for the first network. Is this a normal behaviour of that AP ?
  Ben

• Managment VLAN 1

  Hi Everyone,
  I m working with a leading ISP in India.The issue is that our engineering team has come up with the plan of migrating all management vlans for metro and other switches to vlan1.Presently we are using spearate vlans for management.Somethig like below.
  Aggregation router#show runn inter gi0/2.137
  Building configuration...
  Current configuration : 250 bytes
  interface GigabitEthernet0/2.137
  description Connectivity for ABC
  encapsulation dot1Q 137
  ip address 203.154.26.97 255.255.255.240
  ip policy route-map ABC
  no cdp enable
  end
  Switch 1 end:(2950)
  interface Vlan137
  ip address 203.154.26.101 255.255.255.240
  no ip route-cache
  ip default-gateway 203.154.26.97
  switch 2:(2950)
  interface Vlan137
  ip address 203.154.26.103 255.255.255.240
  no ip route-cache
  ip default-gateway 203.154.26.97
  The router inter gi0/3 is connected to the trunk port on summit switch and a wireless device provides connectivity to the switch 1 and further another oen to switch 2.
  The entire pasth is on layer 2.
  Please suggest as to how can i migrate to mgmt vlan 1.
  Can it be something like
  inter gi0/2.1
  encapsulation dot1q 1
  ip addres
  since 2950s dont support more thane one active mgmt vlan wat can be the best way of migration???

  This is a tricky proposition. Best way you mean without getting disconnected, right? Cause when you start to change the mgmt interface via telnet, you are risking of getting disconnected once the mgmt inteface is change. for example, you know that there can only be one active interface vlan on 2950 for mgmt purpose. If you are changing the interface vlan from vlan 237 to vlan 1, if they will have the same ip address, you'll have to shut down one of them. Let's say you are able to do that, then how will you bring up the other interface with getting disconnected? remember you are telneted in. the best way will be to console in when you make changes on the mgmt vlan. You'll probably have to walk to the switch anyway if you made the change via telnet. changing the mgmt vlan will not affect the switch's ability to switch packets.

• 1200: Native VLAN & Management VLAN

  I want to keep the management VLAN and native VLAN seperate. Is this the correct setup when using VLAN 999 as the native VLAN and VLAN 100 for the management VLAN.
  Management VLAN 100 (10.100.0.0/24)
  ### Trunk SW ###
  description "AP"
  switchport trunk encapsulation dot1q
  switchport trunk native vlan 999
  switchport trunk allowed vlan
  switchport mode trunk
  switchport nonegotiate
  speed 100
  duplex full
  ### AP ###
  interface Dot11Radio0
  no ip address
  no ip route-cache
  encryption vlan 99 key 1 size 128bit 7 3831CB248113D952741376BEC352 transmit-key
  encryption vlan 99 mode wep mandatory
  encryption vlan 11 mode ciphers tkip
  ssid xoxoxo
  vlan 11
  authentication open eap eap_methods
  authentication network-eap eap_methods
  authentication key-management wpa
  ssid xxx
  vlan 99
  authentication network-eap eap_methods
  speed basic-1.0 basic-2.0 basic-5.5 basic-11.0
  rts threshold 2312
  station-role root
  interface Dot11Radio0.11
  encapsulation dot1Q 11
  no ip route-cache
  bridge-group 11
  bridge-group 11 subscriber-loop-control
  bridge-group 11 block-unknown-source
  no bridge-group 11 source-learning
  no bridge-group 11 unicast-flooding
  bridge-group 11 spanning-disabled
  interface Dot11Radio0.99
  encapsulation dot1Q 99
  no ip route-cache
  bridge-group 99
  bridge-group 99 subscriber-loop-control
  bridge-group 99 block-unknown-source
  no bridge-group 99 source-learning
  no bridge-group 99 unicast-flooding
  bridge-group 99 spanning-disabled
  interface dot11radio 0.999
  encapsulation dot1q 999 native
  interface dot11radio 0.100
  encapsulation dot1q 100
  interface FastEthernet0
  no ip address
  no ip route-cache
  duplex auto
  speed auto
  ntp broadcast client
  interface FastEthernet0.11
  encapsulation dot1Q 11
  no ip route-cache
  bridge-group 11
  no bridge-group 11 source-learning
  bridge-group 11 spanning-disabled
  interface FastEthernet0.99
  encapsulation dot1Q 99
  no ip route-cache
  bridge-group 99
  no bridge-group 99 source-learning
  bridge-group 99 spanning-disabled
  interface fastethernet 0.999
  encapsulation dot1q 999 native
  interface fastethernet 0.100
  encapsulation dot1q 100
  interface BVI100
  ip address 10.100.0.110 255.255.255.0
  no ip route-cache
  ip default-gateway 10.100.0.1

  This looks correct to me. Do you have a non_root bridge on their other side?
  Are you able to trunk all 4 VLANS with this config?

• 1300 bridge with native and management vlan in different vlans

  Hello,
  We are going to set up a wireless bridge between two 1300 accesspoints. In our network the native vlan and the management vlan are different vlan's. Will we be able to manage the ap and switch at the "remote" site? Do we have to set up two ssid's, one for native and one for management?
  regards,
  Rutger

  Too answer my own question:
  I don't think it is possible. Things work fine by making our management vlan the native vlan on switches and ap's involved. Management IP address on the BVI1 interface and everything works!
  Rutger

• Management VLAN on a WAP371.

  Hello,
  When I try and configure the WAP371 to use my management VLAN, I lose control of the WAP.   I am connecting it to my 3750-X stack, and I have the port it is connected to configured as an 802.1Q trunk, and the 3750-X shows the port up as an 802.1Q trunk.   I have configured VLAN 501 as the management VLAN and when I configure the management VLAN on the WAP371 to use VLAN 501, and I set an appropriate static IP for this VLAN, and an appropriate default gateway, I can no longer communicate with the WAP371.   I do know it is properly using VLAN tags, as the other SSIDs are communicating with hosts on the respective VLANs associated with each SSID.   I have tried leaving the untagged VLAN support on, I have turned it off.   I am out of ideas on what else to try.   If anyone else has successfully configured the WAP371 to use a tagged VLAN I  would love to hear about what was needed.
  Thx
  Bryan

  My name Eric Moyers. I am an Engineer in the Small Business Support Center.
  I am sorry to hear that you are experiencing this issue. 
  What is the management VLAN that is used on the other parts of your network? I would suggest calling in to open a case with one of our phone engineers so that we can work with you.
  Eric Moyers
  .:|:.:|:. CISCO | Eric Moyers | Cisco Technical Support |
  Wireless and Surveillance Subject Matter Expert
  Please rate helpful Posts and Let others know when your Question has been answered.

• 3702i AP's not Joining WLC - Layer 3 discovery request not received on management VLAN

  Hi Guys, 
  This is a follow up post to this thread: https://supportforums.cisco.com/discussion/12400481/3702i-not-joint-2504
  Have been playing around with my AP's and made sure the time is correct on all the devices ( WLC and Switch). I have also moved the AP's to the same Vlan as the management IP of the WLC. 
  if I move the AP's to the same Vlan as the WLC they join and are happy, as soon as I move them to a different Vlan they cant join and there time goes back to the default plus they do not seem to save the WLC details to flash but still remember the test names I give them.
  it appears that option 43 is working fine as I can see it look for the WLC IP and I have done some trouble shooting on the WLC and it looks like it see's the AP but doesn't except it.
  please see below for the boot up of the AP and the WLC logs: 
  AP 
  IIOS Bootloader - Starting system.
  *** deleted for breverity ***** 
  Loading "flash:/ap3g2-k9w8-mx.153-3.JA1/ap3g2-k9w8-mx.153-3.JA1"...#########################
  File "flash:/ap3g2-k9w8-mx.153-3.JA1/ap3g2-k9w8-mx.153-3.JA1" uncompressed and installed, entry point: 0x2003000
  executing...
  Secondary Bootloader - Starting system.
  Montserrat Board
  *** deleted for breverity ***** 
  Boot CMD: 'boot  flash:/ap3g2-k9w8-mx.153-3.JA1/ap3g2-k9w8-xx.153-3.JA1;flash:/ap3g2-k9w8-mx.153-3.JA1/ap3g2-k9w8-xx.153-3.JA1'
  Loading "flash:/ap3g2-k9w8-mx.153-3.JA1/ap3g2-k9w8-xx.153-3.JA1"...###############################################
  File "flash:/ap3g2-k9w8-mx.153-3.JA1/ap3g2-k9w8-xx.153-3.JA1" uncompressed and installed, entry point: 0x1003000
  executing...
                *** deleted for breverity ***** 
  cisco AIR-CAP3702I-Z-K9 (PowerPC) processor (revision A0) with 376810K/134656K bytes of memory.
  Processor board ID FGL1838X4T1
  PowerPC CPU at 800Mhz, revision number 0x2151
  Last reset from power-on
  LWAPP image version 8.0.110.0
  1 Gigabit Ethernet interface
  2 802.11 Radios
  32K bytes of flash-simulated non-volatile configuration memory.
  Base ethernet MAC Address: F4:4E:05:B7:1E:84
  Part Number                          : 73-15243-01
  PCA Assembly Number                  : 000-00000-00
  PCA Revision Number                  :
  PCB Serial Number                    : FOC18343WPR
  Top Assembly Part Number             : 068-05054-03
  Top Assembly Serial Number           : FGL1838X4T1
  Top Revision Number                  : A0
  Product/Model Number                 : AIR-CAP3702I-Z-K9
  % Please define a domain-name first.
  Press RETURN to get started!
  *Mar  1 00:00:19.295: %SOAP_FIPS-2-SELF_TEST_IOS_SUCCESS: IOS crypto FIPS self test passed (15)
  *Mar  1 00:00:19.755: Registering HW DTLS
  *Mar  1 00:00:19.763: APAVC: Initial WLAN Buffers Given to System is  2500
  *Mar  1 00:00:19.815: APAVC:  WlanPAKs 42878 RadioPaks  42270
  *Mar  1 00:00:22.127: %LINK-6-UPDOWN: Interface GigabitEthernet0, changed state to up
  *Mar  1 00:00:26.055: %SOAP_FIPS-2-SELF_TEST_RAD_SUCCESS: RADIO crypto FIPS self test passed on interface Dot11Radio 0 (4)
  *Mar  1 00:00:26.167: Loading Power Tables from ram:/Q2.bin. Class = A
  *Mar  1 00:00:26.167:  record size of 3ss: 1168 read_ptr: 4F9698E
  *Mar  1 00:00:31.207: %SOAP_FIPS-2-SELF_TEST_RAD_SUCCESS: RADIO crypto FIPS self test passed on interface Dot11Radio 1 (4)
  *Mar  1 00:00:31.251: Loading Power Tables from ram:/Q5.bin. Class = Z
  *Mar  1 00:00:31.251:  record size of vht: 2904 read_ptr: 4F9698E
  *Mar  1 00:00:31.407: Wait until the stile protocol list is initialized.
  *Mar  1 00:00:32.651: Start STILE Activation
  *Mar  1 00:00:34.571: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0, changed state to down
  *Mar  1 00:00:35.447: %SYS-5-RESTART: System restarted --
  Cisco IOS Software, C3700 Software (AP3G2-K9W8-M), Version 15.3(3)JA1, RELEASE SOFTWARE (fc1)
  Technical Support: http://www.cisco.com/techsupport
  Copyright (c) 1986-2014 by Cisco Systems, Inc.
  Compiled Fri 19-Dec-14 11:20 by prod_rel_team
  *Mar  1 00:00:35.447: %SNMP-5-COLDSTART: SNMP agent on host Test_1 is undergoing a cold start
  *Mar  1 00:00:36.563: %LINEPROTO-5-UPDOWN: Line protocol on Interface BVI1, changed state to up
  *Mar  1 00:00:37.787: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to uplwapp_crypto_init: MIC Present and Parsed Successfully
  *Mar  1 00:00:37.939: %SSH-5-ENABLED: SSH 2.0 has been enabled
  *Mar  1 00:00:37.939: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
  *Mar  1 00:00:38.987: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
  *Mar  1 00:00:38.987: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
  *Mar  1 00:00:47.567: %LINK-6-UPDOWN: Interface BVI1, changed state to down
  *Mar  1 00:00:48.567: %LINEPROTO-5-UPDOWN: Line protocol on Interface BVI1, changed state to down
  *Mar  1 00:00:50.431: %SOAP_FIPS-2-SELF_TEST_HW_SUCCESS: HW crypto FIPS self test passed (2-16)
  *Mar  1 00:00:50.431: DPAA Initialization Complete
  *Mar  1 00:00:50.431: %SYS-3-HARIKARI: Process DPAA INIT top-level routine exited
  *Mar  1 00:00:51.431: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0, changed state to up
  *Mar  1 00:00:53.435: %LINK-6-UPDOWN: Interface BVI1, changed state to up
  *Mar  1 00:00:53.867: Currently running a Release Image
  *Mar  1 00:00:54.287: Incorrect certificate in SHA2 PB !
  *Mar  1 00:00:54.287: Using SHA-1 signed certificate for image signing validation.
  *Mar  1 00:00:54.575: %LINEPROTO-5-UPDOWN: Line protocol on Interface BVI1, changed state to up
  *Mar  1 00:00:59.787: %DHCP-6-ADDRESS_ASSIGN: Interface BVI1 assigned DHCP address 10.1.20.2, mask 255.255.255.0, hostname Test_1
  *Mar  1 00:01:02.707: APAVC: Succeeded to activate all the STILE protocols.
  *Mar  1 00:01:02.707: APAVC: Registering with CFT
  *Mar  1 00:01:02.707: APAVC: CFT registration of delete callback succeeded
  *Mar  1 00:01:02.707: APAVC: Reattaching  Original Buffer pool for system use
  *Mar  1 00:01:02.707: Pool-ReAtach: paks 42878 radio42270
  %Default route without gateway, if not a point-to-point interface, may impact performance
  *Mar  1 00:01:10.103: AP image integrity check PASSED
  *Mar  1 00:01:10.187: Incorrect certificate in SHA2 PB !
  *Mar  1 00:01:10.203: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
  *Mar  1 00:01:10.203: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
  *Mar  1 00:01:11.591: %CDP_PD-4-POWER_OK: 15.4 W power - NEGOTIATED inline power source
  *Mar  1 00:01:12.691: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
  *Mar  1 00:01:13.691: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
  *Mar  1 00:01:13.947: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
  *Mar  1 00:01:14.947: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
  *Mar  1 00:01:20.211: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 255.255.255.255 port 514 CLI Request Triggered
  Translating "CISCO-CAPWAP-CONTROLLER"...domain server (255.255.255.255)
  *Mar  1 00:01:31.215: %CAPWAP-5-DHCP_OPTION_43: Controller address 10.1.1.231 obtained through DHCP
  *Mar  1 00:02:11.599: %CDP_PD-4-POWER_OK: Full power - NEGOTIATED inline power source
  *Mar  1 00:02:11.603: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
  *Mar  1 00:02:11.611: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
  *Mar  1 00:02:12.603: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
  *Mar  1 00:02:12.639: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
  *Mar  1 00:02:12.647: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to down
  *Mar  1 00:02:12.655: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
  *Mar  1 00:02:13.639: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
  *Mar  1 00:02:13.647: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
  *Mar  1 00:02:13.699: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
  *Mar  1 00:02:14.699: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
  Not in Bound state.
  *Mar  1 00:02:44.719: %CAPWAP-3-DHCP_RENEW: Could not discover WLC. Either IP address is not assigned or assigned IP is wrong. Renewing DHCP IP.
  *Mar  1 00:02:49.839: %DHCP-6-ADDRESS_ASSIGN: Interface BVI1 assigned DHCP address 10.1.20.3, mask 255.255.255.0, hostname Test_1
  Translating "CISCO-CAPWAP-CONTROLLER"...domain server (255.255.255.255)
  *Mar  1 00:02:55.719: %CAPWAP-5-DHCP_OPTION_43: Controller address 10.1.1.231 obtained through DHCP
  Not in Bound state.
  *Mar  1 00:03:59.219: %CAPWAP-3-DHCP_RENEW: Could not discover WLC. Either IP address is not assigned or assigned IP is wrong. Renewing DHCP IP.
  *Mar  1 00:04:04.343: %DHCP-6-ADDRESS_ASSIGN: Interface BVI1 assigned DHCP address 10.1.20.4, mask 255.255.255.0, hostname Test_1
  Translating "CISCO-CAPWAP-CONTROLLER"...domain server (255.255.255.255)
  *Mar  1 00:04:10.223: %CAPWAP-5-DHCP_OPTION_43: Controller address 10.1.1.231 obtained through DHCP
  WLC: 
  isco Controller) >show time
  Time............................................. Tue Jan 27 17:44:47 2015
  Timezone delta................................... 0:0
  Timezone location................................ (GMT +8:00) HongKong, Bejing, Chongquing
  NTP Servers
      NTP Polling Interval.........................     3600
       Index     NTP Key Index                  NTP Server                  NTP Msg Auth Status
         1              0                             150.101.176.226       AUTH DISABLED
  (Cisco Controller) >show ap join stats summary  
  Incorrect input! Use 'show ap join stats summary [all/<ap-mac>]'
  (Cisco Controller) >show ap join stats summary all 
  Number of APs.............................................. 2 
  Base Mac             AP EthernetMac       AP Name                 IP Address         Status
  f4:4e:05:aa:a6:a0    f4:4e:05:94:c3:98    APf44e.0594.c398        10.1.1.22          Joined    
  f4:4e:05:b6:ce:f0    N A                  Test_1                  10.1.20.7          Not Joined
  (Cisco Controller) >show ap join stats detailed f4:4e:05:b6:ce:f0
  Sync phase statistics
  - Time at sync request received............................ Not applicable
  - Time at sync completed................................... Not applicable
  Discovery phase statistics
  - Discovery requests received.............................. 45
  - Successful discovery responses sent...................... 21
  - Unsuccessful discovery request processing................ 24
  - Reason for last unsuccessful discovery attempt........... Layer 3 discovery request not received on management VLAN
  - Time at last successful discovery attempt................ Jan 27 17:45:49.705
  - Time at last unsuccessful discovery attempt.............. Jan 27 17:45:49.705
  Join phase statistics
  - Join requests received................................... 0
  - Successful join responses sent........................... 0
  - Unsuccessful join request processing..................... 0
  - Reason for last unsuccessful join attempt................ Not applicable
  - Time at last successful join attempt..................... Not applicable
  - Time at last unsuccessful join attempt................... Not applicable
  Configuration phase statistics
  --More-- or (q)uit
  - Configuration requests received.......................... 0
  - Successful configuration responses sent.................. 0
  - Unsuccessful configuration request processing............ 0
  - Reason for last unsuccessful configuration attempt....... Not applicable
  - Time at last successful configuration attempt............ Not applicable
  - Time at last unsuccessful configuration attempt.......... Not applicable
  Last AP message decryption failure details
  - Reason for last message decryption failure............... Not applicable
  Last AP disconnect details
  - Reason for last AP connection failure.................... Not applicable
  - Last AP disconnect reason................................ Not applicable
  Last join error summary
  - Type of error that occurred last......................... Lwapp discovery request rejected
  - Reason for error that occurred last...................... Layer 3 discovery request not received on management VLAN
  - Time at which the last join error occurred............... Jan 27 17:45:49.705
  AP disconnect details
  - Reason for last AP connection failure.................... Not applicable
                                                                             Ethernet Mac : 00:00:00:00:00:00  Ip Address : 10.1.20.7
  (Cisco Controller) >show interface summary 
   Number of Interfaces.......................... 4
  Interface Name                   Port Vlan Id  IP Address      Type    Ap Mgr Guest
  ap                               LAG  20       10.1.20.231     Dynamic No     No   
  guest                            LAG  30       10.1.30.231     Dynamic No     No   
  management                       LAG  10       10.1.1.231      Static  Yes    No   
  virtual                          N/A  N/A      1.1.1.1         Static  No     No   
  SWITCH
  witch#show run
  Building configuration...
  *** deleted for breverity ***** 
  no aaa new-model
  clock timezone AWST 8
  system mtu routing 1500
  ip routing
  ip dhcp pool WAP_Pool
     network 10.1.20.0 255.255.255.0
     default-router 10.1.20.1 
     option 43 hex f104.0a01.01e7
  ip dhcp pool Clients
     network 10.1.30.0 255.255.255.0
     default-router 10.1.30.1 
     dns-server 203.0.178.191 
  ip dhcp pool test
     network 10.1.1.0 255.255.255.0
     default-router 10.1.1.1 
  crypto pki trustpoint TP-self-signed-4082587776
   enrollment selfsigned
   subject-name cn=IOS-Self-Signed-Certificate-4082587776
   revocation-check none
   rsakeypair TP-self-signed-4082587776
  *** deleted for breverity ***** 
  *** deleted for breverity ***** !
  interface FastEthernet0/3
   description *** WLC ****
   switchport trunk encapsulation dot1q
   switchport mode trunk
  interface FastEthernet0/4
   description **** AP *****
   switchport access vlan 20
   switchport mode access
   spanning-tree portfast
  interface FastEthernet0/5
   description **** AP ****
   switchport access vlan 20
   switchport mode access
   spanning-tree portfast
  interface FastEthernet0/6
  i*** deleted for breverity ***** !
  interface Vlan10
   description *** Managment ***
   ip address 10.1.1.230 255.255.255.0
  interface Vlan20
   description *** WIRELESS APS ***
   ip address 10.1.20.1 255.255.255.0
  interface Vlan30
   ip address 10.1.30.1 255.255.255.0
  ip classless
  ip route 0.0.0.0 0.0.0.0 10.1.1.1
  ip http server
  ip http secure-server
  ip sla enable reaction-alerts
  l*** deleted for breverity ***** 
  ntp clock-period 36028827
  ntp source FastEthernet0/1
  ntp server 121.0.0.42
  ntp server 202.127.210.37
  end
  I have also placed a Device in Vlan 20 and it is able to ping the WLC and the WLC can ping it s routing is working. 
  Thanks 

  Hey Scott, 
  I gave that a shot and still no luck, log's from AP boot up:
  IIOS Bootloader - Starting system.
  flash is writable
  Tide XL MB - 40MB of flash
  Xmodem file system is available.
  flashfs[0]: 67 files, 9 directories
  flashfs[0]: 0 orphaned files, 0 orphaned directories
  flashfs[0]: Total bytes: 41158656
  flashfs[0]: Bytes used: 20894208
  flashfs[0]: Bytes available: 20264448
  flashfs[0]: flashfs fsck took 20 seconds.
  Base Ethernet MAC address: f4:4e:05:b7:1e:84
  Ethernet speed is 100 Mb - FULL Duplex
  Loading "flash:/ap3g2-k9w8-mx.153-3.JA1/ap3g2-k9w8-mx.153-3.JA1"...#########################
  File "flash:/ap3g2-k9w8-mx.153-3.JA1/ap3g2-k9w8-mx.153-3.JA1" uncompressed and installed, entry point: 0x2003000
  executing...
  Secondary Bootloader - Starting system.
  Montserrat Board
  40MB format
  Tide XL MB - 40MB of flash
  Xmodem file system is available.
  flashfs[0]: 67 files, 9 directories
  flashfs[0]: 0 orphaned files, 0 orphaned directories
  flashfs[0]: Total bytes: 41158656
  flashfs[0]: Bytes used: 20894208
  flashfs[0]: Bytes available: 20264448
  flashfs[0]: flashfs fsck took 21 seconds.
  flashfs[1]: 0 files, 1 directories
  flashfs[1]: 0 orphaned files, 0 orphaned directories
  flashfs[1]: Total bytes: 12257280
  flashfs[1]: Bytes used: 1024
  flashfs[1]: Bytes available: 12256256
  flashfs[1]: flashfs fsck took 1 seconds.
  Base Ethernet MAC address: f4:4e:05:b7:1e:84
  Boot CMD: 'boot  flash:/ap3g2-k9w8-mx.153-3.JA1/ap3g2-k9w8-xx.153-3.JA1;flash:/ap3g2-k9w8-mx.153-3.JA1/ap3g2-k9w8-xx.153-3.JA1'
  Loading "flash:/ap3g2-k9w8-mx.153-3.JA1/ap3g2-k9w8-xx.153-3.JA1"...###############################################
  File "flash:/ap3g2-k9w8-mx.153-3.JA1/ap3g2-k9w8-xx.153-3.JA1" uncompressed and installed, entry point: 0x1003000
  executing...
                Restricted Rights Legend
  Use, duplication, or disclosure by the Government is
  subject to restrictions as set forth in subparagraph
  (c) of the Commercial Computer Software - Restricted
  Rights clause at FAR sec. 52.227-19 and subparagraph
  (c) (1) (ii) of the Rights in Technical Data and Computer
  Software clause at DFARS sec. 252.227-7013.
             cisco Systems, Inc.
             170 West Tasman Drive
             San Jose, California 95134-1706
  Cisco IOS Software, C3700 Software (AP3G2-K9W8-M), Version 15.3(3)JA1, RELEASE SOFTWARE (fc1)
  Technical Support: http://www.cisco.com/techsupport
  Copyright (c) 1986-2014 by Cisco Systems, Inc.
  Compiled Fri 19-Dec-14 11:20 by prod_rel_team
  Montserrat Board
  40MB format
  Tide XL MB - 40MB of flash
  Initializing flashfs...
  flashfs[2]: 67 files, 9 directories
  flashfs[2]: 0 orphaned files, 0 orphaned directories
  flashfs[2]: Total bytes: 40900608
  flashfs[2]: Bytes used: 20894208
  flashfs[2]: Bytes available: 20006400
  flashfs[2]: flashfs fsck took 14 seconds.
  flashfs[2]: Initialization complete.
  flashfs[4]: 0 files, 1 directories
  flashfs[4]: 0 orphaned files, 0 orphaned directories
  flashfs[4]: Total bytes: 11999232
  flashfs[4]: Bytes used: 1024
  flashfs[4]: Bytes available: 11998208
  flashfs[4]: flashfs fsck took 0 seconds.
  flashfs[4]: Initialization complete.
  Copying radio files from flash: to ram:
  Copy in progress...CCCCC
  Copy in progress...CCC
  Copy in progress...CCCC
  Copy in progress...CCCC
  Copy in progress...CC
  Copy in progress...CCCC
  Copy in progress...CC
  Copy in progress...CCCCC
  Copy in progress...CCCC
  Copy in progress...CC
  Uncompressing radio files...
  ...done Initializing flashfs.
  Radio0  present 8764 8000 0 A8000000 A8010000 0
  Rate table has 650 entries (20 legacy/224 11n/406 11ac)
  POWER TABLE FILENAME = ram:/Q2.bin
  Radio1  present 8864 8000 0 80000000 80100000 4
  POWER TABLE FILENAME = ram:/Q5.bin
  Radio2 not present 0 0 0 0 0 8
  This product contains cryptographic features and is subject to United
  States and local country laws governing import, export, transfer and
  use. Delivery of Cisco cryptographic products does not imply
  third-party authority to import, export, distribute or use encryption.
  Importers, exporters, distributors and users are responsible for
  compliance with U.S. and local country laws. By using this product you
  agree to comply with applicable laws and regulations. If you are unable
  to comply with U.S. and local laws, return this product immediately.
  A summary of U.S. laws governing Cisco cryptographic products may be found at:
  http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
  If you require further assistance please contact us by sending email to
  [email protected].
  cisco AIR-CAP3702I-Z-K9 (PowerPC) processor (revision A0) with 376810K/134656K bytes of memory.
  Processor board ID FGL1838X4T1
  PowerPC CPU at 800Mhz, revision number 0x2151
  Last reset from power-on
  LWAPP image version 8.0.110.0
  1 Gigabit Ethernet interface
  2 802.11 Radios
  32K bytes of flash-simulated non-volatile configuration memory.
  Base ethernet MAC Address: F4:4E:05:B7:1E:84
  Part Number                          : 73-15243-01
  PCA Assembly Number                  : 000-00000-00
  PCA Revision Number                  :
  PCB Serial Number                    : FOC18343WPR
  Top Assembly Part Number             : 068-05054-03
  Top Assembly Serial Number           : FGL1838X4T1
  Top Revision Number                  : A0
  Product/Model Number                 : AIR-CAP3702I-Z-K9
  % Please define a domain-name first.
  Press RETURN to get started!
  *Mar  1 00:00:19.295: %SOAP_FIPS-2-SELF_TEST_IOS_SUCCESS: IOS crypto FIPS self test passed (15)
  *Mar  1 00:00:19.755: Registering HW DTLS
  *Mar  1 00:00:19.763: APAVC: Initial WLAN Buffers Given to System is  2500
  *Mar  1 00:00:19.815: APAVC:  WlanPAKs 42878 RadioPaks  42270
  *Mar  1 00:00:22.127: %LINK-6-UPDOWN: Interface GigabitEthernet0, changed state to up
  *Mar  1 00:00:26.055: %SOAP_FIPS-2-SELF_TEST_RAD_SUCCESS: RADIO crypto FIPS self test passed on interface Dot11Radio 0 (4)
  *Mar  1 00:00:26.167: Loading Power Tables from ram:/Q2.bin. Class = A
  *Mar  1 00:00:26.167:  record size of 3ss: 1168 read_ptr: 4F9698E
  *Mar  1 00:00:31.207: %SOAP_FIPS-2-SELF_TEST_RAD_SUCCESS: RADIO crypto FIPS self test passed on interface Dot11Radio 1 (4)
  *Mar  1 00:00:31.251: Loading Power Tables from ram:/Q5.bin. Class = Z
  *Mar  1 00:00:31.251:  record size of vht: 2904 read_ptr: 4F9698E
  *Mar  1 00:00:31.407: Wait until the stile protocol list is initialized.
  *Mar  1 00:00:32.651: Start STILE Activation
  *Mar  1 00:00:34.571: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0, changed state to down
  *Mar  1 00:00:35.447: %SYS-5-RESTART: System restarted --
  Cisco IOS Software, C3700 Software (AP3G2-K9W8-M), Version 15.3(3)JA1, RELEASE SOFTWARE (fc1)
  Technical Support: http://www.cisco.com/techsupport
  Copyright (c) 1986-2014 by Cisco Systems, Inc.
  Compiled Fri 19-Dec-14 11:20 by prod_rel_team
  *Mar  1 00:00:35.447: %SNMP-5-COLDSTART: SNMP agent on host Test_1 is undergoing a cold start
  *Mar  1 00:00:36.563: %LINEPROTO-5-UPDOWN: Line protocol on Interface BVI1, changed state to up
  *Mar  1 00:00:37.787: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to uplwapp_crypto_init: MIC Present and Parsed Successfully
  *Mar  1 00:00:37.939: %SSH-5-ENABLED: SSH 2.0 has been enabled
  *Mar  1 00:00:37.939: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
  *Mar  1 00:00:38.987: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
  *Mar  1 00:00:38.987: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
  *Mar  1 00:00:47.567: %LINK-6-UPDOWN: Interface BVI1, changed state to down
  *Mar  1 00:00:48.567: %LINEPROTO-5-UPDOWN: Line protocol on Interface BVI1, changed state to down
  *Mar  1 00:00:50.431: %SOAP_FIPS-2-SELF_TEST_HW_SUCCESS: HW crypto FIPS self test passed (2-16)
  *Mar  1 00:00:50.431: DPAA Initialization Complete
  *Mar  1 00:00:50.431: %SYS-3-HARIKARI: Process DPAA INIT top-level routine exited
  *Mar  1 00:00:51.431: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0, changed state to up
  *Mar  1 00:00:53.435: %LINK-6-UPDOWN: Interface BVI1, changed state to up
  *Mar  1 00:00:53.867: Currently running a Release Image
  *Mar  1 00:00:54.287: Incorrect certificate in SHA2 PB !
  *Mar  1 00:00:54.287: Using SHA-1 signed certificate for image signing validation.
  *Mar  1 00:00:54.575: %LINEPROTO-5-UPDOWN: Line protocol on Interface BVI1, changed state to up
  *Mar  1 00:00:59.787: %DHCP-6-ADDRESS_ASSIGN: Interface BVI1 assigned DHCP address 10.1.20.2, mask 255.255.255.0, hostname Test_1
  *Mar  1 00:01:02.707: APAVC: Succeeded to activate all the STILE protocols.
  *Mar  1 00:01:02.707: APAVC: Registering with CFT
  *Mar  1 00:01:02.707: APAVC: CFT registration of delete callback succeeded
  *Mar  1 00:01:02.707: APAVC: Reattaching  Original Buffer pool for system use
  *Mar  1 00:01:02.707: Pool-ReAtach: paks 42878 radio42270
  %Default route without gateway, if not a point-to-point interface, may impact performance
  *Mar  1 00:01:10.103: AP image integrity check PASSED
  *Mar  1 00:01:10.187: Incorrect certificate in SHA2 PB !
  *Mar  1 00:01:10.203: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
  *Mar  1 00:01:10.203: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
  *Mar  1 00:01:11.591: %CDP_PD-4-POWER_OK: 15.4 W power - NEGOTIATED inline power source
  *Mar  1 00:01:12.691: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
  *Mar  1 00:01:13.691: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
  *Mar  1 00:01:13.947: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
  *Mar  1 00:01:14.947: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
  *Mar  1 00:01:20.211: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 255.255.255.255 port 514 CLI Request Triggered
  Translating "CISCO-CAPWAP-CONTROLLER"...domain server (255.255.255.255)
  *Mar  1 00:01:31.215: %CAPWAP-5-DHCP_OPTION_43: Controller address 10.1.1.231 obtained through DHCP
  *Mar  1 00:02:11.599: %CDP_PD-4-POWER_OK: Full power - NEGOTIATED inline power source
  *Mar  1 00:02:11.603: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
  *Mar  1 00:02:11.611: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
  *Mar  1 00:02:12.603: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
  *Mar  1 00:02:12.639: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
  *Mar  1 00:02:12.647: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to down
  *Mar  1 00:02:12.655: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
  *Mar  1 00:02:13.639: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
  *Mar  1 00:02:13.647: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
  *Mar  1 00:02:13.699: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
  *Mar  1 00:02:14.699: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
  Not in Bound state.
  *Mar  1 00:02:44.719: %CAPWAP-3-DHCP_RENEW: Could not discover WLC. Either IP address is not assigned or assigned IP is wrong. Renewing DHCP IP.
  *Mar  1 00:02:49.839: %DHCP-6-ADDRESS_ASSIGN: Interface BVI1 assigned DHCP address 10.1.20.3, mask 255.255.255.0, hostname Test_1
  Translating "CISCO-CAPWAP-CONTROLLER"...domain server (255.255.255.255)
  *Mar  1 00:02:55.719: %CAPWAP-5-DHCP_OPTION_43: Controller address 10.1.1.231 obtained through DHCP
  Not in Bound state.
  *Mar  1 00:03:59.219: %CAPWAP-3-DHCP_RENEW: Could not discover WLC. Either IP address is not assigned or assigned IP is wrong. Renewing DHCP IP.
  *Mar  1 00:04:04.343: %DHCP-6-ADDRESS_ASSIGN: Interface BVI1 assigned DHCP address 10.1.20.4, mask 255.255.255.0, hostname Test_1
  Translating "CISCO-CAPWAP-CONTROLLER"...domain server (255.255.255.255)
  *Mar  1 00:04:10.223: %CAPWAP-5-DHCP_OPTION_43: Controller address 10.1.1.231 obtained through DHCP

• Dynamic VLAN/SSID assignment w/IPv6

  I have followed the answer in this discussion which instructs on how to get Dynamic VLAN/SSID assignments using WLCs + MS IAS:
  https://supportforums.cisco.com/thread/339396
  This works great for IPv4.  This does not appear to work for IPv6.
  I have CT2504 WLCs running v7.0.116.0 and AP 3502s.  I have a Windows 2003 IAS working for 802.1x authentication using PEAP and per-user/group dynamic VLAN/SSID assignments.  Based on who you authenticate as, you are placed on the appropriate VLAN.
  However, IPv6 does not function properly.  I believe this is due to the nature that the WLC only bridges IPv6 from the Interface Group that the WLAN is assigned to and/or whatever Multicast VLAN you assign.
  If I connect as a user assigned to the same matching VLAN as the WLAN Interface / Multicast VLAN, IPv6 works just fine.  I do not even have to have the "Enable IPv6" box checked in the Advanced tab, nor does the "Multicast Vlan Feature" need to be enabled - IPv6 still works.
  If I connect as a user that is assigned to a different VLAN than the WLAN Interface / Multicast VLAN, I see the IPv6 Router Advertisement from the WLAN Interface / Multicast VLAN, and not the VLAN that "Allow AAA Override" switched me to.  Naturally since I'm getting as IPv6 prefix for a different VLAN, when I try to route traffic through the IPv6 default gateway (which isn't on the VLAN I'm connected to), it doesn't work.
  One work-around to have IPv6 support is to use distinct, non-dynamic per VLAN/SSID assignments.  This is ugly and doesn't scale (16 max SSIDs).
  Has anyone else experienced this and know of a solution?
  For now I'll just have to set the WLAN Interface to a VLAN which does not have IPv6 enabled and my wireless users won't have IPv6 unless they VPN on top of Wifi.  Rather disappointing.

  this sounds alot like another implication of IPv6 with "more than one VLAN on the same SSID".
  see this thread:
  https://supportforums.cisco.com/thread/2157621?tstart=60
  not with dynamic vlan, but vlan select - which, on the L2/L3 on SSID-side is essentially the same.
  as mentioned in the thread, 7.2 has a feature that "automatically sends the correct RA to the correct clients via L2  wireless unicast. By unicasting the RA, clients on the same WLAN, but a  different VLAN, do not receive the incorrect RA."
  lucky for you, 7.2 is available for the 2504 - with my WiSM1s I am out of luck :-(
  so this feature *could* solve this problem, as the problem is that the wrong IPv6-RAs are broadcasted for the client (because the SSID is the same)

• Best Practices for management VLAN

  Hi guys,
  I have a client with a data center where they have lots of VLANs running off a 3750 (main switch) and then they have a 3550 and a 2950 running off from this main 3750.
  They have lots of VLANs configured and I see that Vlan1 is not being used. Currently, all the IPs of the switches and routers belong to one of the customer Vlan's.
  I've read that this is bad practice and that a management VLAN should be created. But I think I've also read that when it comes to management Vlans, one needs to stay away from Vlan1
  So I am not sure how to tackle this.
  any help?
  thanks

  Here is a very good discussion which should answer all your questions.
  http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Network%20Infrastructure&topic=LAN%2C%20Switching%20and%20Routing&topicID=.ee71a04&fromOutline=true&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc12936/14
  http://www.cisco.com/warp/public/cc/pd/si/casi/ca6000/prodlit/vlnwp_wp.htm#wp39009

• Why does management VLAN ID matter in Cisco AP541n configuration?

  is working on configure AP541n AP,  is able to connect to the AP wired, assign AP static IP with proper subnet mask & default gateway,
  when it's done, everything looks perfectly, but since I changed the management VLAN ID from 1 to 2, I can't even connect to the AP wired from the PC, why does the change matter?
  thanks.

  Hi,
  When working with access points in IOS mode also known as autonomous the access point requiers that you configure an Ip address on the BVI1 which is linked to the bridge group 1 and set us untagged.
  Now when working with VLANS if the access point has an ip address on vlan x then you will need to confiugre this as the native vlan and with the bridgroup 1.
  If you do not do this then you will see the issue you are reporting.
  In other words if the access point will have an ip address for vlan 30 the the native vlan on the ap will need to be vlan 30 and vlan or the subnet for vlan one linked to the bridge group 1
  Sent from Cisco Technical Support iPhone App

• Management VLAN Design and Implementation

  Greetings, friends.  I'm having trouble getting a clear picture of how a management VLAN ought to look.  I just installed a Catalyst 6509-E as my core switch, and as soon as they arrive I'm going to be replacing all of our other (HP) switches with Catalyst 3560X switches.  I understand the reasoning behind segregating traffic, not using VLAN1, etc., but I've never actually implemented a management VLAN--I've always just accessed the switches via the IPs assigned to them where all the client traffic flows (not VLAN1, by the way).
  Is "management VLAN" simply what we as humans call a VLAN we dedicate to management activities, or is there something official in these switches to designate a "management VLAN?"
  Is it best practice to include SNMP, netflow, syslog, and NTP as "management" traffic?
  There's a lot of documentation talking -about- management and management VLANs, but unless I'm blind or not looking hard enough I can't seem to find any implementation whitepapers or best practices whitepapers that demonstrate setting one up on a campus LAN.  Are you able to point me in the right direction to find such documentation?  Is it perhaps buried in a manual somewhere that isn't explicitly labeled "Management VLAN Design and Implementation" or somesuch?
  What is the best practice for accessing the management VLAN?  Inter-VLAN routing + ACLs?  Multi-homed PCs or servers?  Additional PCs to be used as access stations?
  Thank you for your wisdom, experience, and advice!
  Kevin

  1. Yes, you may want to keep this traffic separate of the other traffic limiting device management access to just this vlan, as this prevents eavesdropping.
  2. Indeed all other housekeeping goes via this VLAN altough you could limit it to the interactive or session traffic.
  3. On a campus you could think of one big VLAN spanning the campus, one a multi-site environment or where you use L3 to go to you datacenters you probably need multiple management lan's. I've seen implementations where the management traffic was kept separate and even didn't use the routing protocol in use. The whole management lan was statically routed and would work even if OSPF or BGP was down.
  4. I feel a situation where the people providing support are connected on the lan giving access to the devices is probably best. A dual homed pc is a good solution I think, other customer feel the management lan should be treated as a DMZ accessible via a firewall,  but the hardcore customer insist on a second pc connected to the management lan.
  Points to consider are as always,
  Find the single point of failure. Any device, L2 L3 firewall that could cut off management from accessing a part of the network.
  Find the right balance between security, costs, easy of access for the business your in.
  Cheers,
  Michel