Question : Problem: Config Multiple VLANS on AP to tie into wired network

To All

First, thanks for the help; the expertise and professionalism on this site are always first class.

We are/have deployed a Cisco 1200 series AP in our infrastructure. The purpose of the AP is to allow the techs to securely access the internal net while allowing guest access only to the internet. Our L3 infrastructure is well established and we have multiple VLANs in place. In order to facilitate this, I created the VLANs successfully on the AP and in our L3 infrastructure. I created VLAN 199 and 200 and tied them to separate SSIDs on the AP and then Assigned VLAN as the native VLAN, as that is what we use throughout our existing environment. However, we use a separate management VLAN in our environment, VLAN 107, that is tied to a specific static address range. My issue is that in order to manage the AP I would like to use the management VLAN and address assignment that we have in place, as our native VLANs in the enterprise are not configured. Do I need to create a BVI sub-if and configure the IP ADD and related VLAN information? Any help would be appreciated.

Answer : Problem: Config Multiple VLANS on AP to tie into wired network

>  then Assigned VLAN as the native VLAN as that is what we use throughout our existing environment.

Which VLAN was Assigned as the native VLAN?


> I would like to use the management vlan and address assignment that we have in place
> as our native vlans in the enterprise are not configured.

Maybe I'm misunderstanding, but that appears to contradict what was said in the first quote.

And the way I see it, a 'native VLAN' exists without being 'configured' - if you don't specify a native VLAN, it is the default VLAN of the device (usually VLAN 1)... Native VLAN traffic is sent untagged through (dot1q) trunks and across bridges, so you should ensure those all match or that traffic could end up getting dropped. i.e. the native VLAN does not have to match across the entire network; only when trunked and/or bridged.

e.g. http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801d0815.shtml#new2


Also see section 3.3 of the Wireless VLAN deployment guide:
http://www.cisco.com/warp/public/cc/pd/witc/ao1200ap/prodlit/wvlan_an.pdf

''The access point or the bridge native VLAN (the default VLAN) must be set to the native VLAN of the wired trunk.
This allows the access point or bridge to receive and communicate using the Inter-Access Point Protocol (IAPP) with
other access points or bridges in the same wireless LAN ESS.
It is a requirement that all access points and bridges in an ESS must use the same native VLAN-ID. All Telnet and http
management traffic as well as the Remote Authentication Dial-In User Service (RADIUS) server traffic is routed to the
access point via the native VLAN. Cisco recommends that IT managers restrict user access to the default VLAN of
the access points and bridges by using Layer 3 access control lists (ACLs) and policies on the wired infrastructure side.''

I find http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080665ceb.shtml#native to be more confusing than helpful, btw.

From the Catalyst Field Manual:
For switches running 802.1Q as the trunking mechanism, the native VLAN of each port on the trunk must match. By default all Catalyst Operating System (COS) ports are in VLAN 1; and the native VLAN on the IOS devices is also configured for VLAN 1, so the native VLAN does match. If you choose to change the native VLAN, use the set vlan command for COS switches or the switchport trunk native vlan command for IOS switches to specify the native VLAN. Remember that the native VLAN must match on both sides of the trunk link for dot1q; otherwise the link will not work. If there is a native VLAN mismatch, Spanning Tree Protocol (STP) places the port in a port VLAN ID (PVID) inconsistent state and will not forward on the link.

Hmmmm... what was the question again? ;-)
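
As an added example (not part of the original answer or of Cisco's documentation), here is a small Python check for the native-VLAN rule quoted above: it compares a switch trunk port against the AP's Ethernet sub-interfaces. Both config snippets are constructed and trimmed to the lines the check reads, and using VLAN 107 as the native VLAN is an assumption based on the management VLAN named in the question.

```python
import re

# Constructed sample configs (not from the original post).
# Assumption: management VLAN 107 is made the native VLAN on both ends.
SWITCH_CFG = """\
interface FastEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 107
 switchport trunk allowed vlan 107,199,200
"""
AP_CFG = """\
interface FastEthernet0.107
 encapsulation dot1Q 107 native
interface FastEthernet0.199
 encapsulation dot1Q 199
interface FastEthernet0.200
 encapsulation dot1Q 200
"""

def switch_trunk(cfg):
    """Return (native_vlan, allowed_vlans or None) for an IOS trunk port."""
    m = re.search(r"switchport trunk native vlan (\d+)", cfg)
    native = int(m.group(1)) if m else 1  # IOS defaults the native VLAN to 1
    m = re.search(r"switchport trunk allowed vlan ([\d,\-]+)", cfg)
    if not m:
        return native, None  # no allowed-list line: every VLAN is carried
    allowed = set()
    for part in m.group(1).split(","):
        lo, _, hi = part.partition("-")  # handles "199" and "199-200"
        allowed.update(range(int(lo), int(hi or lo) + 1))
    return native, allowed

def ap_vlans(cfg):
    """Return (native_vlan or None, all_vlans) from AP encapsulation lines."""
    found = re.findall(r"encapsulation dot1Q (\d+)( native)?", cfg)
    natives = [int(v) for v, flag in found if flag]
    return (natives[0] if len(natives) == 1 else None), {int(v) for v, _ in found}

def check(switch_cfg, ap_cfg):
    """List the trunk problems that would drop or misplace AP traffic."""
    issues = []
    sw_native, allowed = switch_trunk(switch_cfg)
    ap_native, vlans = ap_vlans(ap_cfg)
    if ap_native != sw_native:
        issues.append(f"native VLAN mismatch: switch {sw_native}, AP {ap_native}")
    if allowed is not None:
        issues += [f"VLAN {v} not allowed on switch trunk" for v in sorted(vlans - allowed)]
    return issues

if __name__ == "__main__":
    print(check(SWITCH_CFG, AP_CFG) or "trunk and AP agree")
```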