CCNA 200-301 Wireless

Wireless VLAN Tagging Wrong — Guest SSID on Wrong Network

Presenting Symptom

Clients connecting to the Guest SSID are assigned IP addresses from the corporate VLAN instead of the guest VLAN, and cannot access the internet.

Network Context

A small branch office with a Cisco Catalyst 9300 switch (IOS XE 16.12) and a Cisco 3502I lightweight AP (AIR-AP3502I-B-K9) running IOS 8.10. The AP is connected to the switch via a trunk port. The switch has VLAN 10 (corporate data) and VLAN 20 (guest). The WLC is a virtual WLC (vWLC) on the same subnet as the corporate VLAN. The Guest SSID is configured on the WLC to use VLAN 20, but the switch trunk port is not tagging the guest traffic correctly.

Diagnostic Steps

1. Check the switch trunk port configuration for the AP

show interfaces gigabitEthernet 1/0/1 trunk
Port        Mode         Encapsulation  Status        Native vlan
Gi1/0/1     on           802.1q         trunking      10

Port        Vlans allowed on trunk
Gi1/0/1     1-4094

Port        Vlans allowed and active in management domain
Gi1/0/1     1,10,20

Port        Vlans in spanning tree forwarding state and not pruned
Gi1/0/1     1,10,20

The trunk is operational and VLANs 10 and 20 are allowed. However, the native VLAN is 10. If the AP is sending untagged guest traffic, it will be placed in VLAN 10 (native) instead of VLAN 20.

2. Check the AP's interface configuration on the switch

show running-config interface gigabitEthernet 1/0/1
interface GigabitEthernet1/0/1
 switchport trunk allowed vlan 10,20
 switchport mode trunk
 switchport trunk native vlan 10
!

The native VLAN is set to 10. If the AP sends guest traffic untagged, the switch places it in VLAN 10. VLAN 20 is allowed on the trunk, but only frames tagged with 802.1Q VLAN 20 can reach it; untagged frames never do.

3. Check the AP's VLAN configuration on the WLC

show wlan 2 (assuming the Guest SSID is WLAN ID 2)
WLAN ID = 2
Profile Name = Guest
SSID = Guest
Status = Enabled
...
Interface/Interface Group = guest
...

The WLAN is mapped to interface 'guest'. The WLC must have a dynamic interface for VLAN 20 named 'guest'. This confirms the WLC expects guest traffic to be in VLAN 20.

4. Check the WLC dynamic interface configuration

show interface detailed guest
Interface Name........... guest
...
VLAN Id.................. 20
...
IP Address............... 192.168.20.1
...

The dynamic interface 'guest' is configured with VLAN 20. This is correct. The issue is likely that the AP is not tagging guest traffic with VLAN 20 on the trunk.

5. Check the AP's CAPWAP status and VLAN tagging

show ap config general AP3502
AP Name................... AP3502
...
Country Code.............. US
...
Ethernet VLAN Tagging..... Disabled

If Ethernet VLAN Tagging is disabled, the AP will send all traffic untagged. This causes guest traffic to be placed in the native VLAN (10) instead of VLAN 20. This is the root cause.
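The five checks above can be turned into an automated sanity check. The following Python script is an added example, not part of the original scenario: it parses the `show interfaces ... trunk` and `show ap config general` outputs (constructed samples modelled on the ones shown above), works out which VLAN the AP's guest frames actually land in, and flags the case where they end up in the corporate VLAN. The port name, VLAN numbers and output formats are assumptions taken from this scenario.

```python
import re

# Constructed sample output modelled on the scenario above (not captured from a real device)
TRUNK_OUTPUT = """\
Port        Mode         Encapsulation  Status        Native vlan
Gi1/0/1     on           802.1q         trunking      10

Port        Vlans allowed on trunk
Gi1/0/1     1-4094
"""
AP_OUTPUT = "AP Name................... AP3502\nEthernet VLAN Tagging..... Disabled\n"

def expand_vlans(spec):
    """Expand an IOS VLAN list such as '1,10,20' or '1-4094' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_trunk(text, port):
    """Return the native VLAN and allowed VLAN set for one port from 'show interfaces ... trunk'."""
    p = re.escape(port)
    native = re.search(rf"Native vlan\n{p}\s+\S+\s+\S+\s+\S+\s+(\d+)", text)
    allowed = re.search(rf"Vlans allowed on trunk\n{p}\s+(\S+)", text)
    if not native or not allowed:
        raise ValueError(f"no trunk data for {port}")
    return {"native": int(native.group(1)), "allowed": expand_vlans(allowed.group(1))}

def ap_tagging_enabled(text):
    """True when 'show ap config general' reports Ethernet VLAN Tagging as Enabled."""
    m = re.search(r"Ethernet VLAN Tagging\.*\s*(\w+)", text)
    return bool(m) and m.group(1).lower() == "enabled"

def guest_vlan_findings(trunk, tagging_on, guest_vlan, corp_vlan):
    """Work out where the AP's guest frames land on the trunk and flag segmentation problems."""
    findings = []
    if guest_vlan not in trunk["allowed"]:
        findings.append(f"guest VLAN {guest_vlan} is not allowed on the trunk")
    # With tagging disabled every frame is untagged, so the switch puts it in the native VLAN
    landing = guest_vlan if tagging_on else trunk["native"]
    if landing != guest_vlan:
        findings.append(f"untagged guest frames land in native VLAN {landing}")
    if landing == corp_vlan:
        findings.append(f"guest traffic reaches corporate VLAN {corp_vlan}: segmentation broken")
    return findings

if __name__ == "__main__":
    trunk = parse_trunk(TRUNK_OUTPUT, "Gi1/0/1")
    print(guest_vlan_findings(trunk, ap_tagging_enabled(AP_OUTPUT), 20, 10))
```

Run it against the sample outputs and it reports both that guest frames land in native VLAN 10 and that this is the corporate VLAN; with tagging enabled the finding list is empty.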

Root Cause

The lightweight AP has Ethernet VLAN Tagging disabled. When the AP sends guest traffic, it does not tag it with VLAN 20. The switch trunk port has native VLAN 10, so the untagged guest traffic is placed in VLAN 10 (corporate network) instead of VLAN 20 (guest network).

Resolution

Enable Ethernet VLAN Tagging on the AP and make sure the switch trunk allows VLAN 20. On the WLC, enable VLAN tagging for the AP:

config ap ethernet-vlan-tagging enable <AP-name>

Alternatively, the native VLAN on the switch trunk could be changed to 20 so that untagged AP traffic lands in the guest VLAN, but this is not recommended; enable tagging on the AP instead. The switch trunk port already allows VLAN 20, so no switch change is needed. Once tagging is enabled, the AP tags guest traffic with VLAN 20 and the switch forwards it to the correct VLAN.

Verification

1. Verify that AP VLAN tagging is enabled:
   show ap config general AP3502 | include Ethernet VLAN Tagging
   Expected: Ethernet VLAN Tagging..... Enabled

2. Verify that a guest client gets the correct IP address: on a guest client, run ipconfig (Windows) or ifconfig (Linux/Mac).
   Expected: an IP address in the 192.168.20.0/24 range with default gateway 192.168.20.1

3. Verify that the traffic is in the correct VLAN on the switch:
   show mac address-table interface gigabitEthernet 1/0/1
   Expected: MAC addresses of guest clients appear in VLAN 20.

Prevention

1. Always enable Ethernet VLAN Tagging on all lightweight APs to ensure proper VLAN segregation.

2. Use a dedicated native VLAN for AP management (e.g., VLAN 1 or a separate management VLAN) and ensure all user traffic is tagged.

3. Document and standardize VLAN assignments for SSIDs to avoid misconfiguration.

CCNA Exam Relevance

On the CCNA 200-301 exam, this scenario may appear as a troubleshooting question where you must identify why guest users are getting corporate IP addresses. The exam tests understanding of VLAN tagging on APs, trunk ports, and native VLAN behavior. A key fact is that lightweight APs can be configured to tag or not tag traffic; if tagging is disabled, traffic uses the native VLAN.

Exam Tips

1. Remember that lightweight APs have an 'Ethernet VLAN Tagging' setting; if disabled, all traffic is untagged and uses the switch's native VLAN.

2. The native VLAN on the switch trunk is critical: untagged traffic goes to the native VLAN. Ensure the native VLAN is not the guest VLAN unless intended.

3. Know the command 'show ap config general' to check VLAN tagging status on the AP.

Commands Used in This Scenario

show interfaces gigabitEthernet 1/0/1 trunk
show running-config interface gigabitEthernet 1/0/1
show wlan 2
show interface detailed guest
show ap config general AP3502
config ap ethernet-vlan-tagging enable <AP-name>
show mac address-table interface gigabitEthernet 1/0/1
