Multiple VLAN's and -A- Bridging on AP1240AG, ver123-8.JA2

Similar Messages

• Multiple VLANs over 1300 series bridges

  Hi
  I am looking to connect a small external building to a main campus building by wireless bridge. The building i want to connect currently has two vlans, can the 1300 series bridges carry multiple vlans over the wireless bridge link? If so can anyone point me towards s document that explains it?
  Many thanks
  Simon

  Hi Simon,
  Yes they can, here is a link, i hope it helps you, look at the "Bridge configuration" title.
  http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801d0815.shtml
  Regards,
  Milton Tizoc.

• Multiple VLAN's and relaying DHCP on two stacked SGE2000-G5 Switches

  We have been set the task of securing a small managed office system which is currently set up with a standard switch allowing each of the offices (containing different companies) to see each other, and in some cases, access each others documents across the network.
  Obviously this is a far from adequate set up and our aim is to isolate each office using VLAN's but share a common internet connection provided by the managed offices.  We have two Cisco SGE2000-G5 layer 3 switches but we are new to Cisco equipment and VLAN's so we are not quite sure on how to implement this.  DHCP would need to be provided by a Router, there is no Server.  We are open to suggestions on the Router as we have yet to purchase one.
  I hope someone can be of assistance.
  Many thanks,
  Jim

  We will be using the SGE2000-G5 switch which supports Layer3.  You suggested the following routers the other day, do these support Option 82?
  wireless
  RV120W - good feature set wireless
  WRVS4400N - has gigabit speed ports as well as simplied webGUI
  RV220W - most features with gigabit spped ports
  wired
  RV042 - dual WAN with port-based vlans
  RVS4000 - Gigabit speed ports
  Thanks,
  Jim

• Bridging multiple VLAN with sg 200-08 and wap321

  Hi all
  Equipment:
  ASA 5505
  2x gs 200-08
  2x wap321
  Is there a possibility, to bridge 2 VLAN between one and another side with two WAP 321 and use the AP's also as WDS Bridge to extend the Wireless Network?
  I need to extend the Range of the WLAN but also want to use 2 different VLAN on both sides of the network. There is no Possibility to establish a wired Connection, so i try to use the AP's in "workgroup bridge" mode, but i always can use only one VLAN on the other side.
  Thanks for any help

  Hi Luis
  The Problem is, there is no wired connection between the WAP321.
  The topology is like this:
  VLAN1------ASA5505--  --SG200-08---------WAP321             WAP321--------SG200-8-------VLAN1
                                               I                                                                                                 I
  VLAN2---------------------------                                                                                               -----------VLAN2
  VLAN1 and VLAN2 are also available in the WLAN on 2 Different SSID's:
  SSID: inside -> VLAN1
  SSID: outside -> VLAN2
  If i understand the Cluster mode right,there is a wired connection required between the WAP321 .
  In meantime i tried to connect the WAP321 over WDS, but always only VLAN1 is available on the "right" side of the Network.
  Is there a Possibility, to Bridge multiple VLAN's over a WDS connection?
  Best Regards
  Dominique

• Encrypting Aironet 1410 bridge link using multiple VLANs

  I've looked at the documentation available for Aironet 1400 series, and still would like to see a single document showing an example of
  the best encryption/authentication available for bridge links using multiple VLANs.
  As I understand it, 1400 series can support WPA-PSK using AES, which would work for me.  I just can't picture how to integrate chapters 9 and 10 for the 'WEP and WEP Features' + 'Configuring Authentication Types' instructions.
  I'm looking either for an example config, or a step-by-step that did all steps consecutively.
  Thanks

  What doc are you refering to?  If you want to encrypt the link from root bridge to non-root bridge, then WPA/TKIP-PSK is what you should use.  Here is a link to how to setup your link ssid to WPA: http://www.cisco.com/en/US/docs/wireless/bridge/1400/12.2_15_JA/configuration/guide/p15auth.html#wp1044935
  Don't worry about the example they show on the WEP, just use the configuration from the above link for your encryption.
  Configuring a VLAN
  Configuring your bridge to support VLANs is a five-step process:
  1. Create subinterfaces on the radio and Ethernet interfaces.
  2. Enable 802.1q encapsulation on the subinterfaces and assign one subinterface as the native VLAN.
  3. Assign a bridge group to each VLAN.
  4. (Optional) Enable WEP on the native VLAN. <-- Use WPA-PSK
  5. Assign the bridge's SSID to the native VLAN.
  http://www.cisco.com/en/US/docs/wireless/bridge/1400/12.2_15_JA/configuration/guide/p15vlan.html
  Here is an example of vlan 1 (native) will be your management and your wireless link.  vlan 10 & 20 will pass through the link.
  BR# configure terminal
  BR(config)# interface dot11radio0.1
  BR(config-subif)# encapsulation dot1q 1 native
  BR(config-subif)# bridge group 1
  BR(config-subif)# exit
  BR(config)# interface fastEthernet0.1
  BR(config-subif)# encapsulation dot1q 1 native
  BR(config-subif)# bridge group 1
  BR(config)# interface fastEthernet0.10
  BR(config-subif)# encapsulation dot1q 10
  BR(config-subif)# bridge group 10
  BR(config)# interface fastEthernet0.20
  BR(config-subif)# encapsulation dot1q 20
  BR(config-subif)# bridge group 20
  BR(config-subif)# exit
  BR(config)# interface dot11radio0
  BR(config-if)# ssid batman
  BR(config-ssid)# vlan 1
  BR(config-ssid)# infrastructure-ssid
  BR(config-ssid)# end

• Multiple scopes and multiple VLANS

  What am I missing her, probably a lot?  Goal: Create 3 scopes within WS 2012R2. 1. Default network (192.168.1.0…Range .100-.254) 2. Network for IP Camera system (192.168.2.0…Range .100-.254) 3. Guest Network (192.168.3.0…Range .100-.254). 
  Scopes are already created and the default network is operational.
  Equipment:  WS 2012R2(DNS 192.168.1.5), Cisco RV042(Internet Gateway 192.168.1.2), Qty. 2 ISP’s modems bridged feeding the RV, Cisco SF200-24FP (192.168.2.1 Poe for IP cams), Netgear JGS524E (Not Managed, Default network switch).
  Configuration:  the RV is checked as a gateway, with multiple subnets engaged and the subnets have been added. DHCP Relay is engaged and pointed at the DNS Server IP. Port configuration: Ethernet Ports 1&2 VLAN1, Port 3 VLAN2,
  Port 4 VLAN3.
  Problem:  When I connect PC to either VLAN 2 or 3, I do not get a DHCP of 2.100, or a 3.100 I get a 1.100. 
  Basically why does the server not issue the proper IP when I am connected to VLAN 2 or 3? 
  So if I static my machine to 2.100 with gateway 192.168.2.1, and DNS 192.168.1.5 I connect to the network, cannot surf and get error “cannot communicate with primary DNS server 192.168.1.5”.  In closing how does the server know that IP range
  2.100-.254 is suppose VLAN 2?

  Hi,
  Please try to perform a network capture on the DHCP server.
  We can check the giaddr field in the DHCP DISCOVER message. This field contains the Relay agent's IP address, DHCP server uses this field to find the suitable scope for the client. This field should be set to the IP address of the VLAN interface.(The
  gateway of the VLAN).
  If this field is set to any IP address in subnet 192.168.1.0, the client will get the IP address from your fist scope.
  If this field is set correctly, please check if there is any related warning in the event viewer of the server.
  Best Regards.
  Steven Lee Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• AP1300 Bridging Multiple Vlans with Dot1q

  I have a pair of AIR-BR1310G-E-K9 to do ptp bridging. Topology is like this:
  host-switch-rootAP---nonRootAP-switch-host
  We have multiple vlans and have followed this doco:
  <http://www.cisco.com/en/US/docs/wireless/access_point/1300/12.3_7_JA/configuration/guide/b37vlan.html>
  The native vlan is all good and can ping across end-to-end. However, the when I attach a host to the switch in another vlan i.e. user vlan - there is no connectivity. Essentially, we want to dot1q over the ptp bridge setup.
  running version:
  c1310-k9w7-mx.124-10b.JA1
  appreciate any input.
  Ajaz

  yes. standard trunk config on both switches:
  5SL_SWITCH#srif 0/24
  Building configuration...
  Current configuration : 186 bytes
  interface FastEthernet0/24
  switchport trunk encapsulation dot1q
  switchport trunk allowed vlan 1,100
  switchport mode trunk
  switchport nonegotiate
  spanning-tree portfast trunk
  end
  5SL_SWITCH#show interfaces trunk
  Port Mode Encapsulation Status Native vlan
  Fa0/24 on 802.1q trunking 1
  Port Vlans allowed on trunk
  Fa0/24 1,100
  Port Vlans allowed and active in management domain
  Fa0/24 1,100
  Port Vlans in spanning tree forwarding state and not pruned
  Fa0/24 1,100
  5SL_SWITCH#
  11SL_SWITCH#srif 0/24
  Building configuration...
  Current configuration : 186 bytes
  interface FastEthernet0/24
  switchport trunk encapsulation dot1q
  switchport trunk allowed vlan 1,100
  switchport mode trunk
  switchport nonegotiate
  spanning-tree portfast trunk
  end
  11SL_SWITCH#show interfaces trunk
  Port Mode Encapsulation Status Native vlan
  Fa0/24 on 802.1q trunking 1
  Port Vlans allowed on trunk
  Fa0/24 1,100
  Port Vlans allowed and active in management domain
  Fa0/24 1,100
  Port Vlans in spanning tree forwarding state and not pruned
  Fa0/24 1,100
  11SL_SWITCH#
  furthermore the vlans exist in the db and when i trunk between the switches - I can ping the SVI's.
  Do you want me to post the AP config?

• Bridge with clients & multiple VLANs on 1242 AP

  Hi,
  I am trying to set up a test as per the attached diagram. I am looking to use 2x 1242 access points to bridge to a remote part of the network.
  I currently have 2 VLANs on the network, all network devices are on VLAN 1 for management and client access is on VLAN 2.
  What I am trying to achieve is to bridge between the two access points and also have clients connect to VLAN 2 on each access point.
  Firstly, are the 1242's capable of this or would I need to look at a 1300 Bridge?
  I have attached a copy of the base config I have on both AP's, the only difference between them is the root or non-root role.
  My bridge link currently works and I can ping across it on VLAN 1 but I cannot get a client to connect to the SSID on VLAN2. Although the SSID is set to guest mode I cannot see it being broadcast and if I manually try and connect nothing happens.
  Is there anything basic I am missing here or can anyone offer advice on bridging multiple VLANs with 1242 AP's?
  Thanks,
  Paul

  Ooops....forgot to add the attachments first time.
  Thanks,
  Paul.

• Multiple vlans configuration issue with RV016 router and SG 300-10MP witch

  Hi,
  I have to configure multiple vlans served with a unique DCHP server . As first step, I just will The DHCP server to serve 2 vlans. The following is the hardware and configuration that I implemented :
  Router (RV016 10/100 16-Port VPN Router) as gateway mode:
  IP : 172.16.0.1/24
  DHCP Server :
  IP : 172.16.0.2/24 GW: 172.16.0.1
  2 subnets :
  172.16.1.0/24 GW: 172.16.1.1 to serve vlan 1
  172.16.2.0/24 GW:172.16.2.1 to serve vlan 2
  Switch (SG 300-10MP 10-Port Gigabit PoE Managed Switch) as layer 3 mode:
  IP 172.16.0.254 (vlan 8 default)
  Vlan 1 : 172.16.1.1
  Vlan 2 : 172.16.2.1
  1 device connected on each vlan
  a workstation on the vlan 1
  a laptop on the vlan 2
  In this scenario (see the attached pdf file) the DHCP server is connected on a router, hosts on vlans dont receive any IP address.
  But If I connect the DHCP server on a trunked switch port and adapt the DHCP server gateway 172.16.0.1 to 172.16.0.254, hosts receive ip address properly.
  I have to connect the DHCP server directly to the router. How can I do that, what is wrong in the configuration ?
  I hope the explanations are clear enough and my English too
  Any help will be highly appreciated,
  Zoubeir

  Hi Eric, the small business group doesn't support the ASA config, but  I can help with the switch.
  A couple things I notice in your description-
  48 port (192.168.1.254) and the other 24P (192.168.1.253)  we have a  second vlan 20 set up on the 24P switch (192.168.2.253)  we have ports  1-12 set for vlan20 (untagged and trunk), the remaining ports on on the  default vlan 1.
  The connection between the switches, is it 1u, 2t?
  The link between the switches should be 1u, 2t, the switches support the trunking and vlan tagging, meaning all communication will work fine.
  We have the 24p and 48p switches connect using GE1 and GE1.  We are unable to ping a device on vlan 20 ( on the 24p switch
  The 24p switch should be in layer 2 mode, if you have the 48 port l3 switch upstream. Additionally, you need to have the default gateway set on the 24p switch.
  We have a static route set on the 24p switch (0.0.0.0 192.168.1.0). 
  Between the switches, it shouldn't require any static routes, assuming you correctly trunk / tag your ge1 ports, with both switches operating in l3, the ip route table dynamically builds the connected routes, therefore a static route is redundant.
  -Tom
  Please rate helpful posts

• Complex NAT and ACL issue with multiple VLANS

  Hello Forum. 
  We have about 12 different VLANS behind an ASA 5515-x. One of those vlans contains a webserver and a DNS server (different machines, different IP addresses). ASDM 7.1.3
  From outside the firewall, people need to be able to get to the webserver via http, https and a custom  port (3390). From outside the firewall, no one needs DNS access.
  From INSIDE the firewall, things are much more complicated. They need access to the DNS server from all VLANS and they need access to Webserver from all VLANS
  The VLANS themselves are defined on the core switches, not the ASA The Vlan labels and network subnets increment by 5 (except in the first 5 numbers) and the VLAN subnets are equal to the vlan name. So for example VLAN 10 is on the 10.10.10.x subnet, vlan 20 is on the 10.10.20.x subnet, and so on. Each subnet is 24 bits
  WHAT WORKS:
  Outside_in: http, RDP work fine. Pretty sure I will be able to get https myself, so not looking for help there
  Inside_in: traffic from vlan 10 to vlan 5 works fine, but I think that is in part to the any any allow rule on the vlan 10 interface. Apart from that, all vlans can get out to the web, but they cannot get proper DNS resoliution or access the webserver across vlans
  I have looked at the access lists, I have looked at NATting the DNS, but it is not working, and I am not sure why. Any assistance would be appreciated

  Tried that, no joy. It said that the problem was a NAT issue, but I cannot figure it out. The NAT rule looks right, but is not because it doesn't work

• Need help configuring multiple VLANs and SSIDs

  Hi,
  We bought a Cisco SGE2000P 24Port switch and 10 WAP4410N access points. Our intent is to provide a secure network to our LAN, and a guest network to the Internet.
  We are thinking 3 VLANs would be best for this: VLAN 100 connected to the LAN, VLAN 1000 for the Internet Router and Filter, and VLAN 1100 for the Guest Wireless access.
  We have the switch configured for all three of these, and 1 initial access point configured for the VLANS, too.
  We have not yet moved the current Internet connection to VLAN 1000 because we aren't sure how to setup routing between VLANS.
  Here are some specifics on how the traffic needs to route:
  1. We have the DHCP server, which is the PDC, handling both scopes for the LAN and Guest VLAN.
  2. The web filter in VLAN 1100 needs to authenticate with the DHCP server as there are different filter rules based on authenticated user. Any users coming from VLAN 1100 will have a default filter rule without requiring any authentication.
  3. Certain traffic coming in from the Internet needs to be able to get to VLAN 100. The router has a built-in firewall that handles NAT and port forwarding, so as long as traffic can be forwarded to VLAN 100 we should be good.
  4. Traffic on VLAN 1100 (guest Wireless network) should only be allowed to go to Internet (VLAN 1000).
  Right now I have the VLANs configured and the ports assigned to the Access Points are set for TAGGED and on VLAN 100 and VLAN 1100.
  The SGE2000P has the following IP addresses assigned to the VLANS:
  10.7.3.252 - VLAN 100
  10.7.40.254 - VLAN 1000
  192.168.254.254 - VLAN 1100
  Has anyone been able to setup a similar configuration? We have scoured the Internet for documentation but it seems to be very difficult to find!
  Thank you!
  Gary Smith

  Based on your description of a 'Hybrid Port' this sounds like Cisco's 'Multi-VLAN Port' that was a feature of the 2900XL/3500XL series switches. This feature has however long since gone......
  With a Cisco switch an access port supporting an Access VLAN & a Voice VLAN is effectively a Trunk with only one Tagged VLAN and the Native VLAN:
  interface FastEthernet0/1
  switchport mode access
  switchport access vlan 10
  switchport voice vlan 100
  This results in the same configuration as:
  interface FastEthernet0/1
  switchport mode trunk
  switchport trunk encapsulation dot1q
  switchport trunk native vlan 10
  switchport trunk allowed vlan 100
  With the exception of CDP packets being sent advertising the Voice VLAN.
  With regards to other IP Phone vendors and DHCP Vendor Options - the answer is it depends....
  Nortel use Vendor Option 144 to inform the IP Phone of the Voice VLAN and Option 128 for the Server (PBX) to use. Ericsson uses Vendor Option 43 that can be configured to tell the IP Phone the VLAN and the Web server to read the config file from.
  I don't think you will get this working automatically with your 3Com switches, you can however manually configure the VLAN on the Cisco IP Phones.
  HTH
  Andy

• DHCP Setup across multiple VLANs on RV325 - DHCP Server only working on VLAN 1

  I have multiple VLAN subnets defined on my RV325 - when I try and utilize a DHCP Server on each VLAN, it only seems to be issuing IP Addresses to clients on VLAN ID 1.  When I first set this up months ago, I thought I had tested it providing IP Addresses via the other subnets.  Now that I am trying to do so, it isn't working "as expected".  Example - I am using VLAN 25 as the GuestWireless subnet utilizing a separate 802.11n WAP that is set to Bridge connections to the IP Address of the VLAN interface.  Devices are able to connect to the WAP, but end up with a self-assigned IP Address 169.x.x.x address.  There has to be an easy fix to this, but I seem to be "stuck" figuring out what it is…pointers/redirects appreciated.  Thanks!

  Thanks - I've already reviewed that information before I posted.  I've been working with DHCP since the mid-90's, so I'm comfortable with the settings/configuration I need to leverage to make this work via other means using various Network-based OSes.
  I'm wondering if there are other options in configuring this device that can impact the ability to dynamically serve IP addresses on a VLAN/subnet-by-VLAN/subnet basis.
  As I did more testing, I discovered when I reserved an IP Address via the IP & MAC Binding option within the DHCP Settings, those devices would receive their static reservations and work as expected, so the problem seems to be leveraging the DHCP Pool for devices connecting to VLANs other that VLAN 1.
  Any ideas as to why the DHCP Pool's are "non-functioning" for the other VLANs is greatly appreciated...
  Each VLAN is setup with a separate DHCP Server configuration as shown below:
  VLAN ID = 1 (Default, Inter VLAN Routing = Enabled, LAN1-6 = Untagged, LAN7=Tagged, LAN8=Excluded, LAN9-14 Untagged)
  Device IP Address = 172.16.xxx.1
  Subnet Mask = 255.255.255.0
  DHCP Mode = DHCP Server
  Remote DHCP Server = 0.0.0.0
  Client Lease Time = 1440 min
  Range Start = 172.16.xxx.100
  Range End = 172.16.xxx.199
  DNS Server = Use DNS as Below
  Static DNS 1 = 208.67.222.222
  Static DNS 2 = 208.67.220.220
  WINS Server = 0.0.0.0
  Correctly serving IP Addresses via DHCP (both static and dynamic) to Wired devices & Wireless devices connecting through WAP (set to Bridge)
  VLAN ID = 25 (GuestWireless, Inter VLAN Routing = Disabled, LAN1-LAN7 = Excluded, LAN8 = Untagged, LAN9-14 = Excluded)
  Device IP Address = 172.16.yyy.1
  Subnet Mask = 255.255.255.0
  DHCP Mode = DHCP Server
  Remote DHCP Server = 0.0.0.0
  Client Lease Time = 1440 min
  Range Start = 172.16.yyy.100
  Range End = 172.16.yyy.199
  DNS Server = Use DNS as Below
  Static DNS 1 = 208.67.222.222
  Static DNS 2 = 208.67.220.220
  WINS Server = 0.0.0.0
  NOT serving dynamic IP Addresses via DHCP to Wired devices & Wireless devices connecting through WAP (set to Bridge)
  Static DHCP Reservations setup via IP & MAC Binding settings DO WORK in terms of providing the assigned static IP Address to the client.  Inbound/Outbound traffic to Internet works for devices with Static DHCP Reservations.
  VLAN ID = 100 (Voice, Inter VLAN Routing = Disabled, LAN1-6 Excluded, LAN7 = Untagged, LAN8-14 = Excluded)
  Device IP Address = 192.168.zzz.1
  Subnet Mask = 255.255.255.0
  DHCP Mode = DHCP Server
  Remote DHCP Server = 0.0.0.0
  Client Lease Time = 1440 min
  Range Start = 192.168.zzz.100
  Range End = 192.168.zzz.199
  DNS Server = Use DNS as Below
  Static DNS 1 = 208.67.222.222
  Static DNS 2 = 208.67.220.220
  WINS Server = 0.0.0.0
  NOT serving dynamic IP Addresses via DHCP to Wired devices & Wireless devices connecting through WAP set to Bridge
  Static DHCP Reservations setup via IP & MAC Binding settings DO WORK in terms of providing the assigned static IP Address to the client.  Inbound/Outbound traffic to Internet works for devices with Static DHCP Reservations.

• Creating multiple vlans on a 877

  Hi,
  I want to create a default, voice and access vlan on a 877, but just one vlan comes up. On the other two vlan inetrfaces is the protocol down. I guess this has something to do with bridging. I've tried that already, but I can't find documentation about this. Can someone tell me how to bring up the other two vlan interfaces?

  You need a trunk in case you are passing multiple VLANs on the port. However, in your configuration you do not need a trunk because each port is assigned to one VLAN.
  IN order for all VLANs to go UP all you interface should be Physically and Porotcol UP. Check that all your Fast Ethernet Interfaces are UP.
  Let me know how it goes,

• L2 Integration of Multiple VLANs

  I have reviewed the ACI L2 and L3 Connectivity White Paper.  Using the instructions,  I have successfully integrated an a VLAN from from the outside into ACI.  I used the Extend BD approach.   In looking at the instructions,  it appears that creating an External Bridge Domain is required for each L2 VLAN from the outside.   Is there a way to use the same physical port (VLAN trunk port from downstream switch) to bring in multiple VLANs in to ACI.
  I would like to use only one port for all VLANs to be imported.
  Is this possible ?   If so,  what would be the configuration steps ?
  thanks,

  The question that should be asked is what are you trying to accomplish?
  1. Either you have external endpoints that need to be members of the same EPG as fabric hosted endpoints
  or
  2. You have external endpoints that you need to apply policy between everything else inside the fabric.
  If this is the first case what you should be extending the EPG, not the bridge domain.  By extending the Bridge Domain you're essentially mapping all the external traffic for that BD into one VLAN which will be represented by an External EPG you'd create on the APIC.  This is useful in the case where you have all external users coming into the fabric you want to treat together using contracts between external users and internal EPGs. 
  Ex.
  External Users <C> Web_EPG <C> App_EPG <C> DB_EPG
  C = Contract
  If it's the second case above, and you have end points both inside the fabric and external that need to belong to the same EPG and have the same policies applied endpoints internal or external to ACI, you'll want to extend the EPG as detailed in the first method of the L2/L3 Connectivity guide.
  Regards,
  Robert

• Multiple SSID With Multiple VLANs configuration on Cisco Aironet APs: Assotiated clients cannot obtain IP addresses

  Hi Surendra,
  I was just given this task to see how i can configure a second ssid for guest access in our environment.
  this is our network setup prior to this request: Internet----Firewall (not ASA)---ce520---C1131AG and CME router is also connecting to the ce520 switch. we only have two vlans: one for voice and two for data.
  Presently, there is no vlan configured on the AP because it on broadcasting ont ssid and wireless users gets IP from a windows DHCP server on the LAN. the configuration on the ce520 switch port for the AP and other switches say access vlan is the DATA vlan which automatically becomes the native vlan for all trunk port connecting the AP and other Stiches to the network.
  Now with this new requirement, i have made my research and i have configured the AP to broadcast both the production and the guest Vlans. The two vlans are 20-DATA and 60-Guest. I made the DATA vlan on the AP the native vlan since the poe switch is using the DATA vlan as native on the trunk ports. I configured the firewall to serve as DHCP server for the guest ssid and i have added the ip helper-address on the guest vlan interface on all switches while the windows server remains the dhcp server for the production DATA Vlan. I have confirmed that the AP, switches can ping the default gateway of the guest dhcp server which is another interface on the firewall. I can now see and connect to all broadcasted ssids but the problem is I am not getting IP addresses from both the production dhcp server and guest dhcp server when i connected to the ssid one at a time.
  My AP config is attached below.
  Please tell me what am I doing wrong.
  Do i need to redesign the whole network to have a native vlan other nthan the data vlan?
  Does the access point need to be aware of the voice vlan?
  Do the native Vlan on the AP need to be in Bridge-group 1 or can i leave it in bridge-group 20?
  I will greatly appreciate your urgent response.
  Thanks in advanced.

  Hi,
  As far as i know we dont set the ip helper address on the radio interface. It should be on the L3 interface of corresposding VLANs i.e.
  int vlan 20
  ip helper-address 192.168.33.xxx
  int vlan 60
  ip helper-address 130.20.1.xxx
  I'm assuming that your using SVI's (int Vlan 20 and int Vlan 60) rahter than physical interfaces. Also hope you have configured switch port as trunk where this AP is connected.
  Modify the AP config as below since you are using data vlan as the native vlan
  interface Dot11Radio0.20
  encapsulation dot1Q 20 native
  interface FastEthernet0.20
  encapsulation dot1Q 20 native
  Ideally your AP fastethernet configuration should looks like below and not sure how you missed this as this comes by default when you have multiple vlans for multiple ssids.
  interface FastEthernet0.20
  encapsulation dot1Q 20 native
  no ip route-cache
  bridge-group 20
  no bridge-group 20 source-learning
  bridge-group 20 spanning-disabled
  interface FastEthernet0.60
  encapsulation dot1Q 60
  no ip route-cache
  bridge-group 60
  no bridge-group 60 source-learning
  bridge-group 60 spanning-disabled
  Hope this helps.
  Regards
  Najaf