Controllerless Networks

Good day.  I had a fully functional IAP105 (three AP, one of which is virtual controller).  Customer made some changes to their new network deployment and wanted to put all access control on the swtich/vlans instead of me doing that on the AP

Here's what customer has configure on their switches (three ports connecting to APs are trunking vlans 101 and 102).

VLAN101: Employee VLAN 10.1.0.0/24, default gw 10.1.0.1

VLAN102: Guest VLAN 172.31.0.0/24, default gw 172.31.0.1

I configured Employee VLAN > Network Assigned (instead of virtual controller assigned), Static VLAN 101, then configured security access (default access control - allow any any.

For Guest I configured network assigned, Static VLAN 102, then security and access control.  I think this is all I needed to do, but then I went in to the actual AP and gave it the IP that the customer asked me to put on it (stil no IP on the virtual controller under 'system') and the IP I gave the AP itself was 10.1.0.11/24.  I was prompted to reboot, which I did, and a fwe minutes later shut it down and brought it on site.

Now, when I plug this AP in at customer site, I do not see the WLAN come up and lights for the 11N and 11ABG are amber (solid) where they used to be green.

I'm wondering if (a) customer doesn't have trunking and/or dhcp server set up VLAN101 and 102 and/or if I broke things by assigning an IP to the access point itself.

Or, should I take one of the other two AP that I have not touched, configure those with the VLANs above, and NOT put an IP or VLAN on the access point/virtual controller, heat one of those up at the customer, and then that one, since it's first to come up, will be the new virtual controller?  Is there a way to reset these physically, or do I need to console in to it? 

Any and all input would be apprecaited.  Thanks..

OK...so you have 2 networks here.  

VLAN 101 --> 10.1.0.x/24

VLAN 102 --> 172.31.0.x/24

You configured the AP to be on the 10.1.0.x network BUT never told the VC that it should also use that VLAN.  The way it works by default.

AP management and VC traffic is UNTAGGED on the access VLAN (native VLAN in Cisco speak).

Static assigned VLANs on the networks you create are sent TAGGED out of the wired port (trunk port in Cisco speak).  

When you did VLAN 101 for the Employee network, you then binded that network to VLAN 101. 

My assumption is that the uplink switch is set for trunk on VLAN 101 and the 10.1.0.x network is configured on that VLAN in the wired network.  The AP is booting up and trying to communicate on the native VLAN but the wired network doesn't understand it and it isn't going anywhere. 

We have a setting in system settings where you can assign a VLAN to the VC.  That should do it if you set that value to 101.  Your other option is to assign a different subnet for the management traffic and make that the native VLAN on Cisco.  

Thanks so much Seth!  I think you hit the nail on the head.

I might have to do this through console, which, if the devices is powered up, I would think (HOPE!!!) I can use the light blue Cisco console cable to console in to the VC and set the VLAN for 101.  I am confident this is what is need (read: what I didn't set / what I broke).

I'll see what kind of luck I have.  Thanks again, and kudos to come momentarily...

OK.  I changed system vlan to 101, but it wouldn't let me save unless I added and IP address.  What is best practice here, add one IP for VC and then another for each AP?  Or should I just put VC in VLAN 101 and be done with it?  I think customer only wants to give me 3 IP addresses in the 10.1.0.X subnet, so I am hesitant to overstep my bounds (use more than the 3 IP addresses he gave me. 

Attached is a screen cap of the system settings.

Thanks in advance!

Attachment(s)

iap_system.docx   32 KB 1 version

OK.  I'm on site, and corp (employee) works fine.  I'm not able to pull a dhcp ip address on the guest network, though, which is set up very much the same (network assigned IP, static vlan 102). Is there somewhere in the wired port or something else I need to do enable passing of traffic / put an IP address on vlan 102 (172.31.0.X/24)?  Will try to see where I'm misisng something. 

Here is what I have from the CLI that might shed some light.  Thanks in advance...Jeff

<snip>

wired-port-profile
default_wired_port_profile
switchport-mode trunk
allowed-vlan all
native-vlan 1
shutdown
access-rue-name default_wired_port_profile
speed auto
duplex full
no poe
type employee
captive-portal disable
no dot1x
</snip>
<snip>

wired-port-profile
wired-instant
switchport-mode access
allowed-vlan all
native-vlan guest
no shutdown
access-rule-name wired-instant
speed auto
duplex auto
no poe
type guest
captive-portal disable
no dot1x
enet0-port-profile default_wired_port_profile
</snip>

This has been resolved.  Customer originally advised me that they configured Guest vlan on 102, but they actually configured guest vlan on 103.  I configured IAP 105 with vlan 102.  Once I changed this to 103, DHCP worked fine.

Amazing how the magic happens when AP and switchports are configure for the same vlans.

Thanks to all for the help...