Can you help please. Trunking issue

I'm using an AP330 with the following config

security-object STFT
security-object STFT security protocol-suite wpa2-aes-psk ascii-key ***
security-object STFT default-user-profile-attr 10
security-object STFT-Guest
security-object STFT-Guest security protocol-suite wpa2-aes-psk ascii-key *** 
security-object STFT-Guest default-user-profile-attr 30
ssid STFT
ssid STFT security-object STFT
ssid STFT-Guest
ssid STFT-Guest security-object STFT-Guest
hive STFTHIVE password ***
interface wifi1 mode access
interface mgt0 native-vlan 345
interface wifi0 ssid STFT
interface wifi1 ssid STFT
interface wifi0 ssid STFT-Guest
interface wifi1 ssid STFT-Guest
hostname Test
admin root-admin admin password *** 
interface mgt0 ip
ip route net gateway 
user-profile STFT qos-policy def-user-qos vlan-id 110 attribute 10
user-profile STFT-Guest qos-policy def-user-qos vlan-id 666 attribute 30

and a Cisco 2960 switch with the config

interface GigabitEthernet1/0/30
 switchport trunk native vlan 345
 switchport mode trunk

The port is up and trunking yet I cannot ping and my two SSIDs do not issue dhcp from a DHCP server.

Can anybody advise where I'm going wrong?
tony

Posted 3 years ago

J. Goodnough, Champ

Neither of the SSIDs have the ability to talk upstream. You need VLANs 110 and 666 on the trunk, and VLAN 345 should be an access VLAN.
Roberto Casula, Champ

You haven't specified what the management VLAN for the AP should be (interface mgt0 vlan xxx), so at the moment it will be set to VLAN 1, and as you've specified a native VLAN of 345, management traffic will be 802.1q tagged with VLAN ID 1. Did you intend for the management VLAN to be VLAN 345 (and management traffic to be untagged)? If so, you need interface mgt0 vlan 345 in there. That would explain the inability to PING the AP's management interface.

A 2960 should allow all VLANs on a trunk by default, but it's sensible to manually set the allowed VLAN list using "switchport trunk allowed vlan" (to include all the required VLANs, including the native VLAN). Without knowing the rest of your network configuration, other things may be relevant here (for example VTP). You should also look at your spanning-tree configuration - typically you should set the port to portfast mode.

Best practice would be to also add a "switchport access vlan 345" so that if the port ever stops trunking for some weird reason, it will revert to an access port in this VLAN, but you don't NEED to do this.

It's not obvious from the information you have given why your users aren't getting IP addresses via DHCP. There could be a number of reasons for that from the VLANs being missing from the switches/uplinks to the DHCP server and/or relay configuration not being correct etc.
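
The tagging reasoning in the reply above can be checked mechanically. This Python sketch is an added example, not part of any post in the thread: it audits the AP lines against the switch port lines quoted in the question, assuming the mgt0 default of VLAN 1 and the allow-all trunk default that the reply states; all function names are hypothetical.

```python
import re

# Constructed inputs: lines quoted in the thread. Assumed defaults: mgt0 VLAN 1, trunk allows all.
AP_CONFIG = """\
interface mgt0 native-vlan 345
user-profile STFT qos-policy def-user-qos vlan-id 110 attribute 10
user-profile STFT-Guest qos-policy def-user-qos vlan-id 666 attribute 30
"""
SWITCH_PORT = """\
interface GigabitEthernet1/0/30
 switchport trunk native vlan 345
 switchport mode trunk
"""

def expand(vlan_list):  # '110,345,600-666' -> set of ints
    out = set()
    for part in vlan_list.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def ap_vlans(cfg):
    """Return ({role: vlan}, native VLAN); mgt0 falls back to VLAN 1 when unset."""
    mgt = re.search(r"^interface mgt0 vlan (\d+)", cfg, re.M)
    native = re.search(r"^interface mgt0 native-vlan (\d+)", cfg, re.M)
    vlans = {"mgt0": int(mgt.group(1)) if mgt else 1}
    for name, vid in re.findall(r"^user-profile (\S+) .*?vlan-id (\d+)", cfg, re.M):
        vlans[name] = int(vid)
    return vlans, int(native.group(1)) if native else 1

def switch_trunk(cfg):
    """Return (native VLAN, allowed set); an unset allowed list means all VLANs."""
    native = re.search(r"switchport trunk native vlan (\d+)", cfg)
    allowed = re.search(r"switchport trunk allowed vlan ([\d,\-]+)", cfg)
    return (int(native.group(1)) if native else 1,
            expand(allowed.group(1)) if allowed else set(range(1, 4095)))

def audit(ap_cfg, sw_cfg):
    """Per AP VLAN: how frames leave the AP, and whether this trunk port carries them."""
    vlans, ap_native = ap_vlans(ap_cfg)
    sw_native, allowed = switch_trunk(sw_cfg)
    report = {"native_match": ap_native == sw_native}
    for role, vid in vlans.items():
        tagging = "untagged" if vid == ap_native else f"tagged {vid}"
        report[role] = (tagging, vid in allowed)
    return report

if __name__ == "__main__":
    print(audit(AP_CONFIG, SWITCH_PORT))
```

A `True` in the report only means this port would carry the VLAN; the VLAN still has to exist on the switch and on every uplink towards the DHCP server or relay.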
tony

Thanks all for your input. I find if I give mgt0 an IP I can ping its gateway. However, when I issue the command int mgt0 vlan 345 I lose the ability to ping the gateway. The switch is set to trunk. All the VLANs used in this config have the ip helper-address set as the DHCP server. However, when I removed the int mgt0 vlan 345 the guest internet worked and I was getting the right IP via DHCP. Thanks for both your input. It certainly helped :)