I have been racking my brain since last night and all morning with this problem…luckily it's not in a production environment yet.
I have done many searches and have come up with the same responses regarding Cisco APs and multiple SSIDs, and I think I have tried everything there is, but obviously I haven't.
In this environment, there is a Cisco 3550 as the core router.
The AP in question is a AIR-LAP1142N-A-K9 which has been configured for autonomous mode (this facility doesn't have a wifi manager), and it is sitting on a Cisco 2960 POE switch.
**2950 POE Switchport config for applicable ports**:
interface GigabitEthernet1/0/12
description WiFi
switchport access vlan 101
switchport trunk native vlan 11
switchport trunk allowed vlan 11,102,228,700
switchport mode trunk
end
interface GigabitEthernet1/0/28
description LINK TO CORE
switchport trunk allowed vlan 10,11,101-106,228,700,1002-1005
switchport mode trunk
end
**Cisco 3550 Switchport config for applicable port:**
interface GigabitEthernet0/9
description Link to 2960-MB-POE
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 10,11,101-106,228,700,1002-1005
switchport mode trunk
end
All other VLANS are working as designed/intended. VLAN 700 is guest wifi, and it is pulling DHCP from 3550. All other VLANS (except for VLAN in question) are pulling DHCP from MS Server 2008
From AP, I can ping core router IP (192.168.228.1) on VLAN, so trunking is working. I can also ping all the way to MS 2008 DHCP server, so trunking is good all the way to server
I can associate with AP (can see my MAC address in AP when run "sho dot11 associations" command) and if I set my IP address to a static IP address, the sho dot11 associations command shows my IP address
I can associate with AP and get IP address for VLAN 102
I cannot get an IP address for VLAN 228
I have tried it with forwarders set up identical as all other VLANS (to get DHCP from server), and that's not working either, so I left it at DHCP from core.
VLANs are set on cisco 3550 as the following
interface Vlan102
description VLAN102
ip address 192.168.102.1 255.255.255.0
ip helper-address 192.168.9.98
ip helper-address 192.168.9.103
ip helper-address 192.168.9.85
no ip redirects
no ip unreachables
no ip proxy-arp
interface Vlan228
desciption VLAN228
ip address 192.168.228.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
!
For testing, DHCP is set up as this (on core 3550)
ip dhcp pool vlan228
network 192.168.228.0 255.255.255.0
default-router 192.168.228.1
dns-server 8.8.8.8 8.8.4.4
lease 0 8
Based on everything above, to me it means that there is something wrong with my AP config. My best guess is that it has something to do with sub-interfaces or bridge groups. If that's not it, the it could be the routing on 3550, but this would be the first time in my experience that I would have to tell the core router about a vlan that was created on it. Any help would be most appreciated.
--------BEGIN AP CONFIGURATION----------
Current configuration : 4949 bytes
!
! Last configuration change at 09:58:29 GMT-0 Wed Jul 23 2014
! NVRAM config last updated at 09:56:11 GMT-0 Wed Jul 23 2014
! NVRAM config last updated at 09:56:11 GMT-0 Wed Jul 23 2014
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname AP12345
!
!
logging rate-limit console 9
no logging console
enable secret 5 passwordhasbeenremoved
!
no aaa new-model
clock timezone GMT -0 0
clock summer-time GMT-0 recurring last Sun Mar 2:00 last Sun Oct 3:00
no ip cef
ip domain name myorganization.com
ip name-server 192.168.x.x
ip name-server 192.168.x.x
!
!
!
!
dot11 mbssid
dot11 syslog
dot11 vlan-name VLANNAME1 vlan 102
dot11 vlan-name VLANNAME2 vlan 228
dot11 vlan-name MANAGEMENT vlan 11
!
dot11 ssid SSID1
vlan 102
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii 7 passwordhasbeenremoved
!
dot11 ssid SSID2
vlan 228
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii 7 passwordhasbeenremoved
!
!
dot11 guest
!
!
!
username user1 privilege 15 secret 5 passwordremoved
username user2 privilege 15 secret 5 passwordremoved
!
!
bridge irb
!
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption vlan 102 mode ciphers aes-ccm
!
encryption vlan 228 mode ciphers aes-ccm
!
ssid SSID1
!
ssid SSID2
!
antenna gain 0
speed basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
power local 8
channel 2412
station-role root
infrastructure-client
!
interface Dot11Radio0.11
encapsulation dot1Q 11 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.102
encapsulation dot1Q 102
no ip route-cache
bridge-group 102
bridge-group 102 subscriber-loop-control
bridge-group 102 spanning-disabled
bridge-group 102 block-unknown-source
no bridge-group 102 source-learning
no bridge-group 102 unicast-flooding
!
interface Dot11Radio0.228
encapsulation dot1Q 228
no ip route-cache
bridge-group 228
bridge-group 228 subscriber-loop-control
bridge-group 228 spanning-disabled
bridge-group 228 block-unknown-source
no bridge-group 228 source-learning
no bridge-group 228 unicast-flooding
!
interface Dot11Radio1
no ip address
no ip route-cache
!
encryption vlan 102 mode ciphers aes-ccm
!
encryption vlan 228 mode ciphers aes-ccm
!
ssid SSID1
!
ssid SSID2
!
antenna gain 0
peakdetect
no dfs band block
channel 5745
station-role root
!
interface Dot11Radio1.11
encapsulation dot1Q 11 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio1.102
encapsulation dot1Q 102
no ip route-cache
bridge-group 102
bridge-group 102 subscriber-loop-control
bridge-group 102 spanning-disabled
bridge-group 102 block-unknown-source
no bridge-group 102 source-learning
no bridge-group 102 unicast-flooding
!
interface Dot11Radio1.228
encapsulation dot1Q 228
no ip route-cache
bridge-group 228
bridge-group 228 subscriber-loop-control
bridge-group 228 spanning-disabled
bridge-group 228 block-unknown-source
no bridge-group 228 source-learning
no bridge-group 228 unicast-flooding
!
interface GigabitEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
!
interface GigabitEthernet0.11
encapsulation dot1Q 11
no ip route-cache
bridge-group 11
bridge-group 11 spanning-disabled
no bridge-group 11 source-learning
!
interface GigabitEthernet0.102
encapsulation dot1Q 102
no ip route-cache
no cdp enable
bridge-group 102
bridge-group 102 spanning-disabled
no bridge-group 102 source-learning
!
interface GigabitEthernet0.228
encapsulation dot1Q 228
no ip route-cache
no cdp enable
bridge-group 228
bridge-group 228 spanning-disabled
no bridge-group 228 source-learning
!
interface BVI1
ip address 192.168.9.133 255.255.255.0
no ip route-cache
ipv6 address dhcp
ipv6 address autoconfig
ipv6 enable
!
ip default-gateway 192.168.9.1
ip forward-protocol nd
no ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
!
!
bridge 1 route ip
!
!
!
line con 0
privilege level 15
line vty 0 4
login local
transport input ssh
line vty 5 15
login
transport input ssh
!
sntp server 165.193.126.229
sntp server 216.171.112.36
sntp server 206.246.122.250
end
------------------END AP CONFIGURATION---------------
Best Answer
I forgot to set up the correct vlan on the POE switch...see previous comment for more detail. This is resolved with me feeling foolish.