Puzzling SSID/VLAN behavior

AP: 1131 12.3(7)JA3
Four VLANS, three mapped to SSIDs all on B/G radio only, A radio shutdown.
170 native, no SSID
110 guest internet only SSID w/DHCP from BBSM. Open Auth
180 secure intranet SSID w/DHCP. WPA2
810 another secure separate intranet SSID, no DHCP. Client IPs managed manually. WPA2
This is the first time I've tried setting up an SSID to a VLAN with no DHCP.
When users connect to the 810 SSID, "show dot11 assoc all" shows them connected to vlan 180, not 810.
This happens both when they use static IP assignments and DHCP.
When I remove vlan/SSID 180 from the B/G radio and move it to the A radio, 810 users show up on vlan 810 as they should.
FWIW, VLAN 810 gets mapped to bridge group 255, unlike all the other SSIDs which get mapped to bridge groups of the same number, e.g. vlan 180 - bridge-group 180.
Anybody seen this or have any idea why this happens?
Thanks,
Mark

>When you see clients associated to the 180 SSID even though they connect to 810, do they actually go in VLAN 180 or VLAN 810 (based on their IP address)? Are they able to communicate on through this connection?
The clients are configured to go onto the vlan 810 SSID. In "show dot11 assoc all" they show up on vlan 180. When the client is configured for DHCP it gets a vlan 180 IP.
When the IP is configured manually it has a vlan 810 IP but still shows up as associated to vlan 180. They are able to communicate somewhat with either IP.
>How similar are your security settings on the two SSIDs, 180 and 810?
Identical. Authentication is handled by ACS which queries AD. There may be a vlan setting in the ACS group mapping influencing this too. I need to dig into that further too.
>which is the BSSID?
BSSID is probably 180, as that's our standard internal SSID and I configured it first.
>Are you using MBSSID?
I have not configured MBSSID and have been wondering if I need to. I don't know enough about how it works yet. I don't want either of these SSIDs broadcast.
Good questions.
Thanks,
Mark

Similar Messages

  • Cisco 877W Dual SSID/VLAN Security Issue

    Hi All
    I have an issue with my 877W that is as fascinating as it is frustrating. I have two SSIDs/VLANs, one for trusted LAN users (PRIVATE), and one for guests (GUEST).  The PRIVATE network is secured from the GUEST network by zone based firewall. Everything works fine, guest devices cannot access private devices, except for one thing - the BVI interface on the PRIVATE network is always accessible to guest devices, and all services open to attack, e.g. telnet/ssh/http/dns etc. I've tried everything to secure this interface from the guest network, including putting deny any any on physical, BVI and VLAN interfaces.
    Am I missing something obvious, or some fundamental architecture of the 877 that would stop this interface being secured? Any help appreciated!
    P.S. config has been pared down to basics below
    version 15.1
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname ROUTER
    boot-start-marker
    boot-end-marker
    logging buffered 4096
    enable secret 5 $1$BdpF$r/mAhQGYs8LBlqEpANmke0
    no aaa new-model
    dot11 syslog
    dot11 ssid PRIVATE@123
     vlan 100
     authentication open
     authentication key-management wpa
     wpa-psk ascii 7 046B0A535A15441D2D0C11141A5A5F
    dot11 ssid VISITOR@123
     vlan 200
     authentication open
     authentication key-management wpa
     mbssid guest-mode
     wpa-psk ascii 7 03374C0A08392040420C00
    ip source-route
    no ip dhcp conflict logging
    ip dhcp excluded-address 172.16.1.1 172.16.1.10
    ip dhcp excluded-address 192.168.0.1 192.168.0.10
    ip dhcp pool GUEST
     utilization mark low 70 log
     network 172.16.1.0 255.255.255.0
     dns-server 192.168.0.1 61.9.242.33 61.9.226.33
     default-router 172.16.1.1
    ip dhcp pool PRIVATE
     utilization mark low 70 log
     network 192.168.0.0 255.255.255.0
     dns-server 192.168.0.1 61.9.242.33 61.9.226.33
     default-router 192.168.0.1
    ip cef
    no ipv6 cef
    multilink bundle-name authenticated
    username cisco privilege 15 password 7 073F205F5D1E491713
    policy-map type inspect PM-DENYGUEST
     class class-default
      drop
    zone security GUEST
    zone security PRIVATE
    zone-pair security GUEST-TO-PRIVATE source GUEST destination PRIVATE
     service-policy type inspect PM-DENYGUEST
    bridge irb
    interface ATM0
     no ip address
     shutdown
     no atm ilmi-keepalive
    interface FastEthernet0
     no ip address
    interface FastEthernet1
     switchport access vlan 100
     no ip address
    interface FastEthernet2
     switchport access vlan 100
     no ip address
    interface FastEthernet3
     no ip address
    interface Dot11Radio0
     no ip address
     encryption vlan 100 mode ciphers aes-ccm
     encryption vlan 200 mode ciphers aes-ccm
     broadcast-key vlan 100 change 30
     broadcast-key vlan 200 change 30
     ssid PRIVATE@123
     ssid VISITOR@123
     mbssid
     speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
     station-role root
    interface Dot11Radio0.100
     encapsulation dot1Q 100 native
     zone-member security PRIVATE
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 spanning-disabled
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
    interface Dot11Radio0.200
     encapsulation dot1Q 200
     zone-member security GUEST
     bridge-group 2
     bridge-group 2 subscriber-loop-control
     bridge-group 2 spanning-disabled
     bridge-group 2 block-unknown-source
     no bridge-group 2 source-learning
     no bridge-group 2 unicast-flooding
    interface Vlan1
     no ip address
    interface Vlan100
     no ip address
     bridge-group 1
    interface Vlan200
     no ip address
     bridge-group 2
    interface Dialer0
     ip address negotiated
     ip access-group 101 out
     ip nat outside
     ip virtual-reassembly in
     encapsulation ppp
     dialer pool 1
     dialer-group 1
     ppp authentication chap callin
     ppp chap hostname [email protected]
     ppp chap password 7 10580A4F1C4005005B
    interface BVI1
     ip address 192.168.0.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly in
     zone-member security PRIVATE
    interface BVI2
     ip address 172.16.1.1 255.255.0.0
     ip nat inside
     ip virtual-reassembly in
     zone-member security GUEST
    ip forward-protocol nd
    ip http server
    ip http access-class 2
    ip http authentication local
    ip http secure-server
    ip nat inside source list 1 interface Dialer0 overload
    ip route 0.0.0.0 0.0.0.0 Dialer0
    logging trap debugging
    logging 192.168.0.11
    control-plane
    bridge 1 protocol ieee
    bridge 1 route ip
    bridge 2 protocol ieee
    bridge 2 route ip
    line con 0
     exec-timeout 5 0
     no modem enable
     transport output all
    line aux 0
     exec-timeout 0 1
     no exec
     transport output none
    line vty 0 4
     exec-timeout 5 0
     login local
     transport input telnet ssh
     transport output none
    end

    Ignore that. self zone got me. Argh! phew!
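
The follow-up above points at the self zone: packets a guest sends to any of the router's own addresses (BVI1 included) are evaluated against zone-pairs whose destination is `self`, not against GUEST-TO-PRIVATE, and IOS permits them when no such pair exists. As an added example (not part of the original post), this Python check lists the zones that have no policy toward `self`; the config excerpts are constructed from the post, and PM-GUEST-SELF is a hypothetical policy-map name.

```python
import re

# Constructed excerpt of the 877W config posted above (zone and management lines only).
AS_POSTED = """\
policy-map type inspect PM-DENYGUEST
 class class-default
  drop
zone security GUEST
zone security PRIVATE
zone-pair security GUEST-TO-PRIVATE source GUEST destination PRIVATE
 service-policy type inspect PM-DENYGUEST
ip http server
ip http secure-server
line vty 0 4
 login local
 transport input telnet ssh
"""

# Same excerpt plus a guest-to-router pair. PM-GUEST-SELF is a hypothetical
# policy-map name; its contents (what guests may still reach on the router,
# such as DHCP) are site-specific and not shown.
WITH_SELF_PAIR = AS_POSTED + """\
zone-pair security GUEST-TO-SELF source GUEST destination self
 service-policy type inspect PM-GUEST-SELF
"""


def zone_pairs(config):
    """Return {pair name: source, destination, attached policy} for each zone-pair."""
    pairs, current = {}, None
    for line in config.splitlines():
        text = line.strip()
        m = re.match(r"zone-pair security (\S+) source (\S+) destination (\S+)$", text)
        if m:
            current = m.group(1)
            pairs[current] = {"source": m.group(2), "destination": m.group(3), "policy": None}
            continue
        m = re.match(r"service-policy type inspect (\S+)$", text)
        if m and current and line[:1].isspace():
            pairs[current]["policy"] = m.group(1)
            continue
        if text and not line[:1].isspace():
            current = None  # any other top-level command ends the zone-pair stanza
    return pairs


def zones_without_self_policy(config):
    """Zones whose traffic to the router itself is not matched by any zone-pair policy."""
    zones = re.findall(r"^zone security (\S+)\s*$", config, re.M)
    covered = {
        p["source"]
        for p in zone_pairs(config).values()
        # Conservative: a pair toward self with no service-policy is flagged too.
        if p["destination"] == "self" and p["policy"]
    }
    return [z for z in zones if z not in covered]


def management_listeners(config):
    """Services on the router itself that an unfiltered zone can reach."""
    found = []
    if re.search(r"^ip http server\s*$", config, re.M):
        found.append("http")
    if re.search(r"^ip http secure-server\s*$", config, re.M):
        found.append("https")
    for protocols in re.findall(r"^\s+transport input (.+)$", config, re.M):
        found += [p for p in protocols.split() if p != "none" and p not in found]
    return found


if __name__ == "__main__":
    for label, cfg in (("as posted", AS_POSTED), ("with self pair", WITH_SELF_PAIR)):
        print(label, zones_without_self_policy(cfg), management_listeners(cfg))
```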

  • WLC 7.4.110.0 where native vlan and SSID vlan is the same vlan

    Hi
    We have approx. 1500 access points in approx. 500 locations. WLCs are WiSM2s running 7.4.110.0. The APs are 1131 LAPs. In a FlexConnect configuration we use vlan 410 as native vlan and the ssid (LAN) also in vlan 410. This works fine, never had any problems with this.
    Now we have started to use 1602 APs and the client connection on ssid LAN becomes unstable.
    If we configure a different ssid, using vlan 420 and native vlan as 410, everything works fine.
    I can't find any recommendations regarding the use of native vlan/ssid vlan.
    Is there anyone experiencing similar problems? Is this a problem with my configuration or is it a bug within 1602 access points?
    Regards,
    Lars Christian

    It is the recommended design to put FlexConnect AP mgt into native vlan & user traffic to a tagged vlan.
    From the QoS perspective if you want to enforce WLC QoS profile values, you have to tag SSID traffic to a vlan (other than native vlan) & trust CoS on the switch port connected to FlexConnect AP (usually configured as trunk port)
    HTH
    Rasika
    **** Pls rate all useful responses ****

  • WRVS4400N - ssid vlans are not working

    I've been searching high and low and although I've found many results of people having this same exact problem there doesn't seem to be a fix, or at least no one was kind enough to post one.
    Background:
    I have many vlans but the 3 in question are 10, 20, 30.
    10 is for my laptops and desktops with an ip range of 192.168.10.10 - 192.168.10.50.
    20 is my home automation network with a range of 192.168.20.20 - 192.168.20.150
    30 is my guest network with a range of 192.168.30.84 - 192.168.30.89
    I have a dell powerconnect configured with vlans as my core switch. I trunked a port on the switch assigning 3 vlans (10,20,30) and connected it to port 1 on the wrvs4400N. On the wrvs4400 I trunked port 1 tagging vlan 10,20,30. For some reason vlan 1 is untagged on port 1 and I don't know why.
    I also have a router connected to the powerconnect. Of the 3 vlans I mentioned vlan 10 and vlan 30 are the only ones with interfaces on the router. Vlan 20 is an internal network with a separate router and until I figure this out that router is physically turned off. Also the router currently turned on has no routes configured to connect my vlans. Currently there is no configured way to jump vlans.
    I created 4 ssid on the wrvs4400N. Private, home, guest, and wrvs.
    private - is assigned to vlan 10
    home - is assigned to vlan 20
    guest - is assigned to vlan 30
    wrvs - is assigned to vlan 1 - this is temporary until I can get this working. I want it so the only way to manage the wireless is to walk over to it and physically plug in.
    There are a couple DHCP servers.
    Vlan 10 has a windows server 2008 r2 dhcp server.
    vlan 20 uses its powered off router for dhcp
    vlan 30 uses the main router connected to the power connect
    vlan 1 on the powerconnect uses the main router - this dhcp scope is only used until I'm done with my rebuild since I don't plan on actually using vlan 1 - the scope is 192.168.2.0
    dhcp is turned off on the wrvs4400.
    on the wrvs4400 I made sure to turn off inter vlan routing, and I enabled ssid isolation.
    The problem:
    No matter what ssid I connect to I get a dhcp response from vlan 10. All my tests indicate that I'm actually on vlan 10. I get internet and I can hit all devices on vlan 10. If I connect to ssid guest and change my ip address to match vlan 30 I cannot ping the gateway for vlan 30 and I have no internet access. Sometimes I get something different. Sometimes I get an ip address from vlan 1 on the powerconnect. If I renew my ip address then I'll grab one from vlan 10 but I should be getting one from 30 or none at all for vlan 20. The absolute crazy part is my droid sometimes gets a 192.168.4.x ip address. I don't have a 192.168.4.x network or dhcp scope anywhere on my network! If I physically plug into a port on the power connect I get to the correct network 10 out of 10 times. If I configure vlans on the other 3 ports on the wrvs4400 and physically plug in, I get to the correct network 10 out of 10 times. Over the wireless all hell breaks loose.
    I've reset to factory a few times and I've been all inside and out of the wrvs4400. I have no clue what could be wrong with this thing. Please help!!!
    More info is available upon request.
    Thanks.

    Kerwin,
    There is a bug with these units - you will need a different unit for your current configuration to work properly. Since you're utilizing other DHCP servers in your topology, this isn't the best unit for you. Please call into support center @ 1-866-606-1866 for further requests.
    Thanks,
    Jasbryan

  • Multiple SSIDs/VLAN - NPS Authentication

    I have recently set up a similar network using Ruckus equipment; however, need to do it now with Cisco...
    I have multiple SSIDs associated to different VLANs broadcasting.  I would like to configure a single Radius server pointed to my NPS server and allow for authentication by group to each SSID.
    With Ruckus I had to put in a vendor specific custom attribute and then use Roles to allow access by AD Security Group. 
    Does anyone know how to set up something similar with Cisco?  I just need a single group to be able to authenticate to each SSID.
    Josh Price

    This is pretty straightforward.
    Just create a NPS policy for each SSID.
    A simple policy could check 3 conditions.
    Windows Groups = DOMAIN\GroupABC
    Called Station ID = .*:SSIDNAME$
    NAS Port ID = Wireless IEEE or Wireless Other
    Just change SSIDNAME to whatever the specific SSID is, and obviously the group that you want mapped.  The SSID condition uses regex. 
    Cheers
    Peter

  • Autonomous AP1121 - Management Vlan and SSID Vlan

    Hello,
    We are using an ACS server to authenticate wireless users to active directory; this works fine. The issue occurs when we try to pull an ip and we can't from the dhcp. The vlan we have the SSID on is vlan 10 and the management vlan of the AP is vlan 500. The ip-helper info is correct because wired users on vlan 10 get an ip immediately. We just can't pull one with the AP. Does anyone know the config for this? Here is my current config: the clients authenticate through the ACS 4.2 but pull no ip, and the only way for me to manage the ap is to have the native vlan command on there; once I remove it I can't telnet. What is the fix for this? Thanks
    current switch port config ap is plugged into.
    interface FastEthernet1/0/48
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 500
    switchport mode trunk

    Do you have sub interfaces for vlan 10 being bridged through the radio interface?
    Example config below...
    interface Dot11Radio0.10
    description Secure Wireless access
    encapsulation dot1Q 10
    no ip route-cache
    bridge-group 10
    bridge-group 10 subscriber-loop-control
    bridge-group 10 block-unknown-source
    no bridge-group 10 source-learning
    no bridge-group 10 unicast-flooding
    bridge-group 10 spanning-disabled
    interface FastEthernet0.10
    encapsulation dot1Q 10
    no ip route-cache
    bridge-group 10
    no bridge-group 10 source-learning
    bridge-group 10 spanning-disabled
    Also verify that vlan 10 is allowed on the trunk interface of the switch by typing "show int trunk"

  • AP1231 multiple SSID & Vlan

    Hello,
    I configured my AP1231 with 2 SSIDs with a vlan assigned to each one. The first one is in guest-mode without WEP, the second one with WEP mode mandatory 40 bits and no guest-mode.
    I have no problem connecting to the guest-mode SSID but a big problem with the other. Actually, I have to wait 5 minutes in order to be authenticated with the WEP ssid.
    My config file :
    interface Dot11Radio0
    no ip address
    no ip route-cache
    encryption vlan 101 key 1 size 40bit 7 0C194F1E6E2E transmit-key
    encryption vlan 101 mode mandatory
    ssid CRI
    vlan 101
    authentication open
    ssid URCA
    vlan 7
    authentication open
    guest-mode
    When I'm authenticated there is no problem with the connection, but waiting 5 minutes is far too long!!
    If someone could help me..
    Thanks

    I've seen this with multi-band NICS. For me, it turned out that the 3COM NIC always started out looking to connect on the 802.11a band, then eventually timed out and dropped to the 802.11g.
    All of that took ~5 minutes or so.
    With the Cisco NICs, under the "Advanced" tab in Profile Management, you can select the specific band you'd like to associate with.
    I think Broadcom and maybe Linksys will also allow you to restrict the band-scan.
    FWIW
    Scott

  • SSID/VLANs for Guest/Staff with 3600 and 2504 Controller

    We are deploying 3600 APs with a 2504 and would like to create multiple SSIDs that are mapped to unique VLANs so we can control the traffic at the Firewall.  We have the 2504 up and running with APs but there appears to be nowhere in the 2504 controller Web GUI to configure a VLAN mapping to an SSID.  Any pointers to documentation on how to configure?

    In the WLAN configuration, you select what interface you want it to be linked to.
    In the Controller Tab, on the left, go to interfaces.  This is where you create the interface name, set the VLAN, and the IP address.
    Steve

  • AP 1131 Multiple SSID VLANS

    Hi, I have a problem with an AP 1131. My company needs to create 2 vlans, one for admin and the other for visitors, each one in its own vlan. I have configured the router and switch for this, and over wired connections it works great (it gives each an IP from a different range). Now I want the wireless clients to work with this configuration and to have multiple ssids. I can see the 2 ssids (admin and visitor), but whenever I try to connect to one of them it does not associate.
    It is an autonomous AP, I have no controllers, and this will apply to 4 APs.
    the configuration is:
    version 12.3
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname ap
    ip subnet-zero
    no aaa new-model
    dot11 vlan-name Admin vlan 20
    dot11 vlan-name visitor vlan 30
    dot11 ssid Admin
       vlan 20
       max-associations 50
       mbssid guest-mode
    dot11 ssid Visitor
       vlan 30
       max-associations 50
       mbssid guest-mode
    dot11 network-map
    power inline negotiation prestandard source
    username Cisco password 7 14341B180F0B
    bridge irb
    interface Dot11Radio0
    no ip address
    no ip route-cache
    ssid Admin
    ssid Visitor
    mbssid
    speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
    station-role root
    bridge-group 1
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    bridge-group 1 spanning-disabled
    interface Dot11Radio0.20
    encapsulation dot1Q 20
    no ip route-cache
    bridge-group 20
    bridge-group 20 subscriber-loop-control
    bridge-group 20 block-unknown-source
    no bridge-group 20 source-learning
    no bridge-group 20 unicast-flooding
    bridge-group 20 spanning-disabled
    interface Dot11Radio0.30
    encapsulation dot1Q 30
    no ip route-cache
    bridge-group 30
    bridge-group 30 subscriber-loop-control
    bridge-group 30 block-unknown-source
    no bridge-group 30 source-learning
    no bridge-group 30 unicast-flooding
    bridge-group 30 spanning-disabled
    interface Dot11Radio1
    no ip address
    no ip route-cache
    shutdown
    ssid Admin
    ssid Visitor
    mbssid
    speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
    station-role root
    bridge-group 1
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    bridge-group 1 spanning-disabled
    interface Dot11Radio1.20
    encapsulation dot1Q 20
    no ip route-cache
    bridge-group 20
    bridge-group 20 subscriber-loop-control
    bridge-group 20 block-unknown-source
    no bridge-group 20 source-learning
    no bridge-group 20 unicast-flooding
    bridge-group 20 spanning-disabled
    interface Dot11Radio1.30
    encapsulation dot1Q 30
    no ip route-cache
    bridge-group 30
    bridge-group 30 subscriber-loop-control
    bridge-group 30 block-unknown-source
    no bridge-group 30 source-learning
    no bridge-group 30 unicast-flooding
    bridge-group 30 spanning-disabled
    interface FastEthernet0
    no ip address
    no ip route-cache
    duplex auto
    speed auto
    bridge-group 1
    no bridge-group 1 source-learning
    bridge-group 1 spanning-disabled
    hold-queue 160 in
    interface FastEthernet0.20
    encapsulation dot1Q 20
    no ip route-cache
    bridge-group 20
    no bridge-group 20 source-learning
    bridge-group 20 spanning-disabled
    interface FastEthernet0.30
    encapsulation dot1Q 30
    no ip route-cache
    bridge-group 30
    no bridge-group 30 source-learning
    bridge-group 30 spanning-disabled
    interface BVI1
    ip address 10.1.1.1 255.255.255.0
    no ip route-cache
    ip http server
    no ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    control-plane
    bridge 1 route ip
    line con 0
    line vty 0 4
    login local
    end
    thanks for your help

    Hi alkabeer,
    Configure the following:
    (config)#dot11 ssid Admin
    (config-ssid)#authentication open
    (config)#dot11 ssid Visitor
    (config-ssid)#authentication open

  • Aironet 1310, SSID & VLANs

    Hi Mates,
    Please I need your help here, we are small group having an internet wireless sharing over my BR1310, all work fine as one group with one ssid ATHEER & one vlan VLAN1, but I need to use more ssid and vlan, I did some setup and configure BR1310 for another ssid ATHEER1 with vlan2 , I can get connected but never get internet service with ATHEER1, why ?!!! look next please:
    Radio0-802.11G
    SSID ATHEER:
    Device Type   Name   IP Address      MAC Address      State            Parent   VLAN
    4500-radio    -      192.168.20.16   000e.2e38.94e6   MAC-Associated   self     1
    SSID ATHEER1:
    Device Type   Name   IP Address      MAC Address      State            Parent   VLAN
    4500-radio    -      192.168.20.97   000e.2e40.462a   MAC-Associated   self     2
    My Regards
    Laser

    Hi Saher,
    have a look here:
    http://www.cisco.com/en/US/products/ps6545/products_configuration_example09186a00806da6c9.shtml#vlans
    Here is a short pullout:
    - - - snipp - - -
    Create / Delete VLANs
    VLAN Types
    The switch ships with a default VLAN to which all the switch ports initially belong. The switch supports a maximum of 32 VLANs, including the default VLAN. Using only the default VLAN might be sufficient based on the size and requirements of your network. We recommend that you first determine your VLAN needs before you create VLANs.
    Note: Cisco Catalyst 500 series switches work in VTP Transparent mode. VLAN creation, modification, or deletion done on this switch does not affect the other switches in the domain.
    This depends on the type of device that is connected to the switch port:
    A switch port applied with one of these port roles can belong only to an access VLAN:
    - Desktop
    - IP Phone+Desktop
    - Printer
    - Server
    - Guest
    - Other
    The access VLAN provides the attached device with the specific access designed for that VLAN.
    A switch port applied with one of these port roles can send and receive traffic for all VLANs configured on the switch, one of which can be identified as a native VLAN:
    - Switch
    - Router
    - Access Point
    On this port, any traffic that is received or sent without the VLAN explicitly identified is assumed to belong to the native VLAN. Both the switch port and the attached device port must be in the same native VLAN.
    - - - snapp - - -
    I hope that helps.
    Best regards,
    Frank

  • Is it possible to configure 2 SSIDs without using multiple VLANs?

    I am trying to set up a 1231G to allow normal users to connect using WEP and visitors to connect with no encryption in guest mode. Using one SSID, I can get one or the other to work using the guest-mode command on the SSID, but have the problem that WEP mandatory or optional on the radio interface disables either the normal user or the guest. If I set up 2 separate SSIDs for each of these user groups is it necessary to assign a separate VLAN for each to make this work? The AP is on a network that is not trunked.
    Thanks for any help or direction you can give me.
    --Sara

    Hi Sara,
    Hopefully the attached docs will answer your question:
    Cisco Aironet 1200 Series
    Using VLANs with Cisco Aironet Wireless Equipment
    Deprecated versions of Cisco Aironet software permit binding multiple SSIDs to one VLAN. Current versions do not.
    http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801d0815.shtml#
    Cisco IOS Software Configuration Guide for Cisco Aironet Access Points, 12.2(15)JA
    Configuring Multiple SSIDs
    vlan vlan-id
    (Optional) Assign the SSID to a VLAN on your network. Client devices that associate using the SSID are grouped into this VLAN. You can assign only one SSID to a VLAN.
    http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_guide_chapter09186a00802085c4.html
    Also this answer from Cisco Aironet 1200 Series FAQ;
    Q. How many service set identifiers (SSIDs) can you have per VLAN?
    A. You can have only one SSID per VLAN. The use of multiple SSIDs over a single VLAN is not supported with Aironet APs.
    Hope this helps! (sorry to be the bearer of bad news)
    Rob
    Please remember to rate helpful posts.......

  • 2 SSIDs on the same Vlan?

    Hi all -
    Newbie question. When I am setting up wireless, will I be able to use 2 different SSIDs on the same vlan?
    Example:
    dot11 ssid Example1
    vlan 2
    authentication open eap eap_methods
    authentication network-eap eap_methods
    dot11 ssid Example2
    vlan 2
    authentication open eap_methods
    authentication network-eap eap_methods

    Hi James,
    Hopefully the attached docs will answer your question:
    Cisco Aironet 1100 Series
    Using VLANs with Cisco Aironet Wireless Equipment
    Deprecated versions of Cisco Aironet software permit binding multiple SSIDs to one VLAN. Current versions do not.
    http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801d0815.shtml#
    Cisco IOS Software Configuration Guide for Cisco Aironet Access Points, 12.2(15)JA
    Configuring Multiple SSIDs
    vlan vlan-id
    (Optional) Assign the SSID to a VLAN on your network. Client devices that associate using the SSID are grouped into this VLAN. You can assign only one SSID to a VLAN.
    http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_guide_chapter09186a00802085c4.html
    Hope this helps!
    Rob
    Please remember to rate helpful posts.......
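
Several answers on this page come down to the same checks on an autonomous AP config: every SSID needs an authentication line (the AP 1131 thread), each SSID VLAN needs radio and Ethernet subinterfaces (the AP1121 thread), and a VLAN can carry only one SSID (the documentation quoted above). As an added example, not taken from any post, this Python audit runs those checks over a constructed running-config excerpt; it assumes IOS-style indentation, and the SSID name Lab and the finding labels are made up for illustration.

```python
import re
from collections import defaultdict

# Constructed config, modelled on the AP 1131 post: Admin has no authentication
# line, Visitor and Lab share VLAN 30, and VLAN 30 has no Ethernet subinterface.
SAMPLE = """\
dot11 ssid Admin
   vlan 20
   max-associations 50
   mbssid guest-mode
!
dot11 ssid Visitor
   vlan 30
   authentication open
   mbssid guest-mode
!
dot11 ssid Lab
   vlan 30
   authentication open
   authentication key-management wpa
!
interface Dot11Radio0.20
 encapsulation dot1Q 20
 bridge-group 20
!
interface Dot11Radio0.30
 encapsulation dot1Q 30
 bridge-group 30
!
interface FastEthernet0.20
 encapsulation dot1Q 20
 bridge-group 20
"""


def parse_blocks(config):
    """Group a running-config into (header, [child lines]) using its indentation."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit_ssid_vlans(config):
    """Return sorted (finding, subject) tuples for SSID/VLAN mapping problems."""
    ssids = {}                  # ssid name -> {"vlan": int or None, "auth": bool}
    tagged = defaultdict(set)   # vlan id -> {"radio", "ethernet"} subinterfaces seen
    for header, children in parse_blocks(config):
        m = re.match(r"dot11 ssid (\S+)$", header)
        if m:
            vlan = next((int(c.split()[1]) for c in children
                         if re.match(r"vlan \d+$", c)), None)
            # key-management alone does not count; an open/shared/network-eap line is needed
            auth = any(re.match(r"authentication (open|shared|network-eap)\b", c)
                       for c in children)
            ssids[m.group(1)] = {"vlan": vlan, "auth": auth}
            continue
        m = re.match(r"interface (Dot11Radio|\w*Ethernet)\d+\.\d+$", header)
        if m:
            kind = "radio" if m.group(1) == "Dot11Radio" else "ethernet"
            for c in children:
                e = re.match(r"encapsulation dot1Q (\d+)", c)
                if e:
                    tagged[int(e.group(1))].add(kind)

    findings, by_vlan = [], defaultdict(list)
    for name, info in ssids.items():
        if not info["auth"]:
            findings.append(("missing-auth", name))
        if info["vlan"] is None:
            findings.append(("missing-vlan", name))
            continue
        by_vlan[info["vlan"]].append(name)
        for kind in ("radio", "ethernet"):
            if kind not in tagged[info["vlan"]]:
                findings.append(("missing-%s-subif" % kind, name))
    for vlan, names in by_vlan.items():
        if len(names) > 1:
            findings.append(("shared-vlan", "%d:%s" % (vlan, ",".join(sorted(names)))))
    return sorted(findings)


if __name__ == "__main__":
    for finding, subject in audit_ssid_vlans(SAMPLE):
        print(finding, subject)
```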

  • Dynamic VLAN assignment and DHCP

    Hello
    I have just upgraded our WLC from 4.0 to 7.0 (via 4.2).
    Before the upgrade we had our ACS returning a VLAN based on user group.  This seemed to be working without an issue.  Now that the WLC is on version 7 this is no longer working correctly.  The ACS is returning a VLAN and passing the user but the client can not get an IP from the DHCP server configured.
    Example configuration:
    SSID-----VLAN
    PN-CSC-----CSCVlan: Works
    PN-Others------OthersVlan: Works
    PN-Others-----CSCVlan: No DHCP
    When users are trying to be allocated to a vlan that is different from the native one the DHCP fails; however, both WLANs are configured to point to the management interface so don't have any real connection to the vlan other than by name.
    Have there been any changes I haven't seen in the way the dynamic vlan allocation works in version 7?

    Yes, DHCP proxy could be the culprit here.  In 4.0 it was only a CLI command to enable/disable the proxy feature.  In 5.2, I think, and later it is in the GUI as well.
    There is a defect filed against the behavior of the WLC DHCP function out there currently.  If all of your DHCP is coming from external resources then you can disable proxy.  If, however, you are using the WLC as DHCP server for guest access, then proxy must be enabled.  If the latter is true, you should contact TAC, as there is an engineering special available that has the defect resolution.
    Sorry I can't provide the defect ID, my CCO account is acting up.
    Cheers,
    Steve
    If  this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

  • Setting Locally Switched VLAN Id for HREAP'd ap's?

    I am using HREAP on a number of AP's to fulfill a need of my end-users to have wireless devices connect to a locally hosted resource on a sites network.  Getting the AP's to operate correctly has not been an issue (for the most part), and getting the "Locally Switched VLAN's" functional was not a problem.  However, when I routinely go back through my AP's to check on them or to look t-shoot an unrelated issue I have noticed that some of the AP's have retained the Locally Switched VLAN mapping (i.e.: WLAN Id=5, Profile Name = test ssid, VLAN Id = 123) and some of them resolve the VLAN Id to 1 (for example).
    Is there anyone that may have experienced this and can offer or point me towards a resolution?
    I am also curious if I can configure the Locally switched vlans directly to my WiSM's instead of to each individual HREAP'd AP?
    BTW: I have a wireless environment of 1242, 1252, and 1142 ap's with WiSM's on a 65xx w/ sup720.
    Thanks for the help.

    I saw similar behavior at a client site running 6.0.181.0 & 6.0.196.0 code, what I found the issue to be was that when you set the native vlan and hit apply the AP took a minute to initiate a reboot (or so it appeared) and when I set the VLAN Mappings they weren't actually being applied.
    I found if I set the AP to H-REAP and applied that then waited about 3-4 minutes, then enabled VLAN Support and set Native VLAN, apply that, wait 3-4 minutes, then set my VLAN Mappings that the issue went away.
    Not sure if that's the same issue you're running into but it's worth a shot.. I tried tons of things before discovering that pattern.. Incidentally it didn't seem to behave that way in 4.0 code nor does it seem to behave that way in 7.0 code.
    Hope this helps...
    Please rate useful posts.
    Thanks,
    Kayle

  • Unable to get IP on one ssid of a two ssid autonomus 1141 AP

    We recently added a second ssid at a remote site AP but the clients cannot get an IP. They get associated to the AP but no IP.
    The ssid we added is using the default vlan 1 which is where the dhcp server is located.
    The other ssid vlan 101 is the visitor network and it gets an ip from the ASA. It works just fine.
    The AP is connected to a 3560 switch like so:
    interface GigabitEthernet0/48
    description link to WAP
    switchport trunk encapsulation dot1q
    switchport mode trunk
    load-interval 30
    If we put a static reservation in the dhcp for the client mac address it works fine. But dynamic dhcp does not work.
    Attached is the config of the AP.
    Vlan 1 is the ssid that does not get a dynamic IP.

    Your config looks good, but like Rasika mentioned, I would remove infrastructure-ssid optional just to see if it works... now I would also configure a port on the same switch as the ap is connected to and set that to vlan 1 and make sure that laptop gets an ip address.
    Thanks,
    Scott
    Help out others by using the rating system and marking answered questions as "Answered"
