I did just notice something in the config interface wlan-gigabitethernet 0/1/8's window.   I saw a option called port-tagging.

So I enabled it.   I typed:

Router01(config-if)#port-tagging
Router01(config-if-port-tagging)#encapsulation ?
  dot1ad  IEEE 802.1AD Virtual LAN or S-VLAN
  dot1q   IEEE 802.1Q Virtual LAN or S-VLAN

Router01(config-if-port-tagging)#encapsulation dot1q ?
  <1-4094>  VLAN id

Router01(config-if-port-tagging)#encapsulation dot1q 40

Perhaps this was how I enable the dot1q encapsulation?  When I do that though, I cannot ping either of the networks on the WLC.   I tried setting the encapsulation dot1q to VLAN id 1 but that still did not allow me to ping the 10.0.0.0 / 24 addresses.

Andrew,

Thank you for the reply. I should add that we are actively working on fine tuning the configurations on the network equipment (we are a fairly new company) and there is a chance we did break something old while trying to configure something new, or had something configured properly but forgot to save the config file and the WLC rebooted.

I have tested this. I logged into the WLC using a console cable. I issued the command show interfaces summary and here is the output:

(WLC0) >show interface summary


 Number of Interfaces.......................... 3

Interface Name                   Port Vlan Id  IP Address      Type    Ap Mgr Guest
-------------------------------- ---- -------- --------------- ------- ------ -----
management                       1    1        10.0.0.2        Static  Yes    No
virtual                          N/A  N/A      192.0.2.1       Static  No     No
vlan_guests                      1    40       10.0.40.2       Dynamic No     No

(WLC0) >

What I find very frustrating and odd is that from the WLC0, I cannot ping 10.0.40.2.   I cannot ping it at all, despite the fact that the vlan_guests dynamic interface was created on WLC0...even when I tell ping to use the source interface vlan_guests, I still cannot ping 10.0.40.2.   So I think maybe the problem lies with the WLC somewheres.

Here is the information you requested though:

Router01#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0/0   unassigned      YES NVRAM  down                  down
GigabitEthernet0/0/1   <my public IP>  YES TFTP   up                    up
GigabitEthernet0/1/0   unassigned      YES unset  up                    up
GigabitEthernet0/1/1   unassigned      YES unset  up                    up
GigabitEthernet0/1/2   unassigned      YES unset  up                    up
GigabitEthernet0/1/3   unassigned      YES unset  up                    up
GigabitEthernet0/1/4   unassigned      YES unset  down                  down
GigabitEthernet0/1/5   unassigned      YES unset  down                  down
GigabitEthernet0/1/6   unassigned      YES unset  down                  down
GigabitEthernet0/1/7   unassigned      YES unset  down                  down
Wl0/1/8                unassigned      YES unset  up                    up
Loopback0              10.10.10.100    YES NVRAM  up                    up
Vlan1                  10.0.0.1        YES NVRAM  up                    up
Vlan40                 10.0.40.1       YES NVRAM  up                    up

From the router, I can 10.0.40.1, but I cannot ping 10.0.40.2.   This makes me think perhaps the router is fine, just the built-in WLC0 has an issue somewheres.

@Spork Schivago,

What is the router and WLC type your using? That has a lot to do with the configs. Some devices default to dot1q encapsulation like the Cisco 4510, while others you have to specify it like the Cisco 6500.

Off the top I would first suggest not using VLAN 1 at all. This can pose problems later on when trying to scale up your network, and there are many other reasons not to use it. You should move the IP address from vlan 1 to any other number, then shutdown your vlan1 SVI. Then you should do specify a native vlan. Currently because you have not specified one it is using vlan 1. So then your trunk configuration should look something like:

vlan 10
 name DataNet
!
vlan 900
 name NativeID
!
interface vlan 1
 no ip address
 shutdown
!
interface vlan 10
 description Data
 ip address 10.0.0.2 255.255.255.0
 no shutdown
!
interface Wlan-GigabitEthernet0/1/8
 switchport trunk native vlan 900
 switchport trunk allowed vlan 10,40
 switchport mode trunk
end

Then verify the actual status of your trunks by doing a show interface trunk command to see if vlan 10 and 40 are being allowed or being pruned. Also run the show interface command on the wlan-gig0/1/8 interface. That should identify the encapsulation type that is being used. The command would be

show interface wlan-gig0/1/8 switchport

<Sample Output>

Name: WLAN-Gig0/1/8
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 900 (Native-dot1Q)
Administrative Native VLAN tagging: enabled
Voice VLAN: none

So:

move off of vlan 1

add new vlan to trunk

add a native vlan to trunking interface

test – if it doesn’t work then:

show interface wlan-gig0/1/8 switchport

show interface trunking

show logging

I think you're right.

I will add some stuff and I think I know why it broke. The router I have is a Cisco C1111-8PW that has a built-in WLC and a built-in AP. The three extra APs I have are 1832i's. None of them are very heavy duty, if you will. For example, all the web configuration examples I've seen for routers, WLCs, etc have a LOT more features than the web interface pages I see, so I have to do almost everything from the CLI, which isn't bad, but it'd be nice to have a dedicated, stand-alone WLC, and maybe something like the Cisco 3802i's would be nicer.   The router is running IOS XE 16.06.05.   The APs are running Mobility Express 8.8.111.0.   I noticed online, some APs have IOS running.   These are not like this for some reason.   The OS is IOS like, but it's not IOS.

I think I know why things broke. I powered up the other APs. I forgot all about them. I just plugged them into the router's ports and then started configuring them via the WLC's console cable. The APs are on interface GigabitEthernet 0/1/0 - 0/1/2. I bet I have to configure those interfaces on the router as well. I tried, and things did start happening. One was able to obtain an IP address from the DHCP server and got a 10.0.40.0 address, and I was able to reach the outside, but things got real weird when those APs where on a trunk line. They all acted like they were the built-in AP for the WLC. I could see each one, individually, had joined the WLC, but if I moved to the next AP, that one joined and the previous one didn't show. For example,
While on WAP0, the WLC0 shows WAP0 was joined.
But on WAP1, the WLC0 shows WAP0 is not joined, but WAP1 is joined. On WAP1, I had the WLC0 prompt, like I should have with only WAP0.

This confused me a bit. I think I am going to call it a night and then tomorrow, I will implement your suggestions. The way I understand the native VLAN is if a packet comes from that native VLAN, only accept traffic from the VLAN if it's untagged. If that's correct, I am missing something. If the packet is untagged, how does the router know it came from the native VLAN?

Thanks for the help and suggestions on how best to set this up. You guys are great.

Thanks for the update on the hardware. I see that in your original post but didn’t realize that was the router model. It looks similar to the 1811’s and such where it looks to have a router and switchblade/module in it. If you are connecting your AP’s to the switch module you will want them setup as Access Mode, not trunked mode. The only purpose for using a trunking configuration for an AP is if you will be using Flex Connect. That typically isn’t a feature set though unless you have an actual dedicate WLC like 4400, 5500, or 8500. So, for your purposes, I can’t see a reason to use trunking to your AP’s.

As for the native vlan. That is a whole different topic, but basically, the native vlan is to mark traffic that did not come in tagged. The trunks can only forward tagged traffic so if you have data coming from a router first that would otherwise not be tagged that traffic can then be forwarded via the native vlan.

The purpose of my statements towards changing the Native Vlan was mainly because I was suggesting you not use VLAN 1, and if you are not going to use vlan1 then you needed to change the Native VLAN to something other than vlan1. There are many security vulnerabilities to why not to use vlan 1 as well as Cisco’s best practices states to not use it for multiple other reasons.

Cool – hopefully you figure it out, but if not just message back. Good luck!

@tobyarnett,

Thanks for the reply.   I see the WLC and APs are currently in FlexConnect mode.   Is that wrong for my setup?

Here is a list of the VLAN IDs and their mappings on the router:

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/1/0, Gi0/1/1, Gi0/1/2
                                                Gi0/1/3, Gi0/1/4, Gi0/1/5
                                                Gi0/1/6, Gi0/1/7
40   GUESTS                           active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
40   enet  100040     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        0      0
1003 tr    101003     1500  -      -      -        -    -        0      0
1004 fdnet 101004     1500  -      -      -        ieee -        0      0
1005 trnet 101005     1500  -      -      -        ibm  -        0      0

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------

Here's the VLAN interfaces:

Vlan1 is up, line protocol is up
  Hardware is Ethernet SVI, address is a093.5188.4f74 (bia a093.5188.4f74)
  Description: VLAN interface (Layer 3) with 254 Usable Hosts (10.0.0.1 - 10.0.0.254), network address 10.0.0.0
  Internet address is 10.0.0.1/24
  MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive not supported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 01:02:13, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/375/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 6000 bits/sec, 3 packets/sec
  5 minute output rate 1000 bits/sec, 2 packets/sec
     6407358 packets input, 746600739 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     12422276 packets output, 14963271193 bytes, 0 underruns
     0 output errors, 1 interface resets
     109 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out
Router01#show interfaces vlan 40
Vlan40 is up, line protocol is up
  Hardware is Ethernet SVI, address is a093.5188.4f74 (bia a093.5188.4f74)
  Description: VLAN interface (Layer 3) with 254 Usable Hosts (10.0.40.1 - 10.0.40.254), network address 10.0.40.0
  Internet address is 10.0.40.1/24
  MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive not supported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 1d22h, output 00:09:43, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/375/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     1426860 packets input, 111304746 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     3248757 packets output, 4182025556 bytes, 0 underruns
     0 output errors, 1 interface resets
     89 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out

I also have a ToR switch that I will be connecting to the router sooner or later, and I will need to setup the various VLANs on that switch as well, but I do not think that will be a problem.

I just want to make sure I'm doing this right here.  I'm catching on with the VLAN stuff, but the tagging stuff still confuses me a bit.   So I am unconfiguring VLAN1 (the default VLAN) on the router and the WLC.   I am creating a VLAN10 on the router and the WLC.   I will assign the management port to VLAN10 on the WLC.   I am going to keep the VLAN40 the way it is.

On the router, I will assign whatever ports that are currently assigned to VLAN1 to VLAN10.   So GigabitEthernet 0/1/0 - 0/1/7 now get assigned to VLAN10.

After this, I think I have to figure out why the APs cannot connect to the WLC, but perhaps that's a better question for the wireless mobility thread.   I know if I assign the management port on the WLC to a VLAN, and then assign the APs to the same VLAN, the APs never join.   I suspect it has something to do with how those interfaces on the router's switch module are configured.   I am going to setup the new VLANs now though and go from there.

@tobyarnett

I have tried configuring at suggested, but after doing so, I cannot reach the WLC at all from the router and vice-versa.   Here is the current configuration of some of the interfaces:

!
interface Loopback0
 description Local Loopback interface with 6 Usable Hosts (10.10.10.97 - 10.10.10.102), network address 10.10.10.96
 ip address 10.10.10.100 255.255.255.248
 ip broadcast-address 10.10.10.103
!
interface GigabitEthernet0/0/0
 mac-address a093.5188.4f01
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 media-type sfp
 negotiation auto
!
interface GigabitEthernet0/0/1
 description Gigabit Ethernet WAN port
 mac-address a093.5188.4f00
 ip address <STATIC PUBLIC IP> <NETMASK>
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip nbar protocol-discovery
 ip verify unicast source reachable-via rx allow-default
 ip access-group NO_OUTFACING_SERVICES in
 speed 1000
 no negotiation auto
!
interface GigabitEthernet0/1/0
 switchport access vlan 10
 spanning-tree portfast disable
!
interface GigabitEthernet0/1/1
 switchport access vlan 10
 spanning-tree portfast disable
!
interface GigabitEthernet0/1/2
 switchport access vlan 10
 spanning-tree portfast disable
!
interface GigabitEthernet0/1/3
 switchport access vlan 10
!
interface GigabitEthernet0/1/4
 switchport access vlan 10
!
interface GigabitEthernet0/1/5
 switchport access vlan 10
!
interface GigabitEthernet0/1/6
 switchport access vlan 10
!
interface GigabitEthernet0/1/7
 switchport access vlan 10
!
interface Wlan-GigabitEthernet0/1/8
 switchport trunk native vlan 900
 switchport trunk allowed vlan 10,40
 switchport mode trunk
!
interface Vlan1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip access-group BLOCK_INTERVLAN_ROUTING in
 shutdown
!
interface Vlan10
 description Enterprise VLAN interface (Layer 3) with 254 Usable Hosts (10.0.0.1 - 10.0.0.254), network address 10.0.0.0
 ip address 10.0.0.1 255.255.255.0
 ip broadcast-address 10.0.0.255
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
!
interface Vlan40
 description VLAN interface (Layer 3) with 254 Usable Hosts (10.0.40.1 - 10.0.40.254), network address 10.0.40.0
 ip address 10.0.40.1 255.255.255.0
 ip broadcast-address 10.0.40.255
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
!
ip nat inside source list NAT_TRANSLATIONS interface GigabitEthernet0/0/1 overload
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/1 <GATEWAY> permanent name ETC-BLK2
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
ip access-list standard NAT_TRANSLATIONS
 permit 10.0.0.0 0.0.0.255
 permit 10.0.40.0 0.0.0.255
!
ip access-list extended BLOCK_INTERVLAN_ROUTING
 deny   ip 10.0.0.0 0.0.0.255 10.0.40.0 0.0.0.255
 deny   icmp 10.0.0.0 0.0.0.255 10.0.40.0 0.0.0.255
 permit ip any any
ip access-list extended NO_OUTFACING_SERVICES
 deny   tcp any any eq telnet
 deny   tcp any any eq 22
 deny   tcp any any eq www
 deny   tcp any any eq 443
 deny   tcp any any eq finger
 deny   tcp any any eq cmd
 permit ip any any
ip access-list extended NO_WEBCONFIG_SERVICES
 deny   tcp any any eq www
 deny   tcp any any eq 443
 permit ip any any
!
ip access-list match-local-traffic
logging trap debugging
logging facility local2
access-list 100 permit udp any any eq bootpc
!

Router01#show interfaces wlan-GigabitEthernet 0/1/8 switchport
Name: Wl0/1/8
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 900 (NativeID)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: 10,40
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL

Protected: false
Priority for untagged frame: 0
Override vlan tag priority: FALSE
Appliance trust: none

Router01#show interface trunk

Port        Mode             Encapsulation  Status        Native vlan
Wl0/1/8     on               802.1q         trunking      900

Port        Vlans allowed on trunk
Wl0/1/8     10,40

Port        Vlans allowed and active in management domain
Wl0/1/8     10,40

Port        Vlans in spanning tree forwarding state and not pruned
Wl0/1/8     10,40

I have tried tagging and not tagging the management interface on the WLC.   I've tried tagging it with VLAN ID 10, and then just untagging it (not assigning it a VLAN), but neither way do it allow me to reach the router from the WLC or vice-versa.   Frustrating.

If I plug an ethernet cable into one of the ports on the router, I am assigned an IP from the Enterprise DHCP pool and I can reach the outside world...any suggestions on what I'm doing wrong?   I suspect it's now something on the WLC, not the router.

@Spork Schivago

The router configs look good. You have the right encapsulation on the trunk interface - the vlan's are up and trunking. I have not worked on this router specifically, but on the 3850 when working on the WLC you have to issue the wireless mobility controller command then you need to specify the vlan that is the management. Is there something in your config that you will need to change to reflect the vlan 1 to vlan 10 change? I would first think to review the WLC configs and make sure everything is linking up. 

As for your Flex Connect configuration: there is nothing wrong with using flex connect, it just can add more complexity to the setup. For simplicity I would probably use Local mode. It is a basic access port type configuration. Flex mode you need to do a trunking setup on the switch port and then additional configs for the AP setup. Flex connect can be great for having multiple SSID's on different localized subnets, but it is just a more complex setup. 

The configs above you have the "spanning-tree portfast disable" command on those three interfaces. Was there a reason for that? Generally on an access port you want to enable spanning-tree portfast. An exception if you had a device sending BPDU's like a generic switch or some versions of older linux systems could send BPDU's (however rare for currect OS types). 

@tobyarnett,

Before I realized I couldn't access the 10.0.40.0 / 24 network from the WLC, we had some issues on the 10.0.0.0 / 24 network.   We would lose packets and after investigating, we noticed the interfaces on the router was dropping unknown packets.   The first thing I did was download the NBAR pack and update it, but that didn't fix the problem.   So, then on the WAN facing interface, I disabled spanning-tree, and on that WAN facing interface, those dropped packets stopped.   So for testing purposes, I disabled the spanning tree on the various access ports.    When re-enabling it, I see this message:

%Warning: portfast should only be enabled on ports connected to a single
 host. Connecting hubs, concentrators, switches, bridges, etc... to this
 interface  when portfast is enabled, can cause temporary bridging loops.
 Use with CAUTION

%Portfast has been configured on GigabitEthernet0/1/0 but will only
 have effect when the interface is in a non-trunking mode.

I said to myself, well, the AP is one host, but it's kind of like a switch in a way.   The WLC, for instance, has multiple interfaces, on different networks.   So maybe it should be left disabled?   Should I go through and reenable it on all the switch ports?   The ones that are in access mode?   But keep it disabled on the Wlan-GigabitEthernet 0/1/8 trunk port?

Something odd is going on, something I cannot figure out.   The WLC's management interface has the IP address of 10.0.0.2 / 24.   From the router, I can ping this 10.0.0.2 interface.   From the WLC, I cannot ping anything on the router side.   How is that possible?   The router sends an ICMP packet, but the WLC has to respond...from the WLC side, if it cannot reach the 10.0.0.1 VLAN interface that's on the router, how can the router reach the 10.0.0.2 interface that is on the WLC?

I will post my WLC config.   I believe FlexConnect is setup properly.   I was under the impression if I was going to have the WLANs on multiple networks, like I do (the company's WLAN is on the 10.0.0.0 / 24 network, the guest is on the 10.0.40.0 / 24 network, and there's going to be a couple more once I figure it all out), I was supposed to use FlexConnect mode.

Here's a copy of the WLC0's config, with some stuff masked, like usernames and password.

I've attached it as a file because it's so long, but I've decided to post in the thread what I feel is the relevant sections.   Maybe someone can see something I cannot see?

config ap next-preferred-master <MAC ADDRESS OF BUILT-IN WAP (WAP0)>

config interface dhcp management primary 10.0.0.1
config interface vlan management 10
config interface address management 10.0.0.2 255.255.255.0 10.0.0.1
config interface dhcp service-port enable
config interface dhcp dynamic-interface vlan_guests primary 10.0.40.1
config interface create vlan_guests 40
config interface vlan vlan_guests 40
config interface port management 1
config interface address virtual 192.0.2.1
config interface address dynamic-interface vlan_guests 10.0.40.2 255.255.255.0 10.0.40.1
config interface port vlan_guests 1
config flexconnect vlan-name-id template-entry add corning_vlan_template vlan_guests 40
config flexconnect vlan-name-id template-entry add corning_vlan_template vlan_enterprise 10
config flexconnect vlan-name-id create corning_vlan_template
config flexconnect vlan-name-id apply corning_vlan_template
config flexconnect group default-flexgroup predownload mac-master <MAC ADDRESS OF BUILT-IN WAP (WAP0)>
config flexconnect group default-flexgroup predownload enable
config flexconnect group default-flexgroup vlan override-ap enable
config flexconnect group default-flexgroup vlan native 1
config flexconnect group default-flexgroup wlan-vlan wlan 1 add vlan 10
config flexconnect group default-flexgroup wlan-vlan wlan 2 add vlan 40
config flexconnect group default-flexgroup ap add <MAC ADDRESS OF BUILT-IN WAP (WAP0)>
config flexconnect group default-flexgroup avc 1 profile "Corning Electronics" enable
config flexconnect group default-flexgroup avc 1 visibility enable
config flexconnect group default-flexgroup avc 2 profile "Corning Electronics Guest" enable
config flexconnect group default-flexgroup avc 2 visibility enable
config flexconnect group default-flexgroup add
config flexconnect group default-flexgroup radius ap authority info "Cisco A_ID"
config flexconnect group default-flexgroup radius ap authority id <authority ID>
config flexconnect group default-flexgroup radius ap server-key encrypt 1 <password>
config flexconnect group default-flexgroup template-vlan-map add corning_vlan_template

I do not have a radius or a TACACS+ server setup yet, but I was working on setting one up.   I wonder if that's causing some issues.   I'm tempted to do a factory reset and clear the config on the APs and the WLC and try from scratch.   Might be easier than trying to figure out what I did wrong.

So, just to be clear, the management IP address on the WLC is 10.0.0.2 / 24 and the vlan_guests IP is 10.0.40.2.   Two SSIDs, Corning Electronics (which gets assigned to the 10.0.0.0 / 24 network) and Corning Electronics Guest (which gets assigned to the 10.0.40.0 / 24 network).   Currently, I cannot ping the 10.0.40.2 IP from the WLC!   It's almost as if the vlan interface is shutdown.   I also cannot ping anything outside of the WLC, minus the built-in AP IP address.