the.racking.monkey,
Thanks for getting me to re-read that.
So if you want users to end up in one VLAN if they are on the Master and another VLAN when they are on the backup master, it is best that you use "Named" Vlans.
Named VLANs will allow you to define a NAMED vlan on the master controller, and assign that to the Virtual AP. At the local controller level, you can define the Actual VLANs that a named Vlan or Named Vlan pool will be assigned to.
- Vlan numbers are local, but Vlan names are global.
You can create a VLAN name, which will only take a single VLAN or create a VLAN pool, which will allow you to add multiple vlans:
Single VLAN name creation:
(host) (config) #vlan-name nvlan
(host) (config) #vlan nvlan 2
Vlan Pool creation with Name:
(host) (config) #vlan-name nvlanpool pool
(host) (config) #vlan nvlanpool 2,4,5-10
(host) (config) #show vlan mapping
VLAN Name Pool Status VLAN IDs
--------- ----------- --------
nvlan Disabled 2
nvlanpool Enabled 2,4-10
Assign a VLAN pool to a Virtual AP:
(host) (config) #wlan virtual-ap test
(host) (Virtual AP profile "test") #vlan nvlanpool
Here is how it looks on the GUI:
For example, the Virtual AP for schools will have a named VLAN of "students". On the master controller that Named VLAN of "student" will be 888. On the backup master that named Vlan of "student" will be 777. So the vlan Number that a student ends up in will be determined by what controller the AP is on. If you add a local, for example, the vlan name student can be yet another VLAN number.
Caveat#1: Named VLANs cannot be applied to bridged or split-tunneled Virtual APs.
Caveat#2: You also must create the VLANs on the controller before they are assigned to a VLAN name or VLAN pool.
To see any errors, use show profile-errors:
(host) (config) #show profile-errors
Invalid Profiles
----------------
Profile Error
------- -----
ap wired-ap-profile "test" Named VLAN "nvlan" does not exist.
aaa profile "test" User derivation rule "test" is invalid
aaa server-group "test" Named VLAN "nvlan" is removed
aaa derivation-rules user test Named VLAN is invalid
Does that make sense?