I am not sure what I did wrong here, but I had this working, and now it doesn't work. I have setup two VLANs on a WLC that's built-in to my router, the C1111-8PW, VLAN1 and VLAN40. VLAN1 is on the 10.0.0.0 / 24 network, VLAN40 is on the 10.0.40.0 / 24 network. The built-in WLC is connected to Wlan-GigabitEthernet 0/1/8 interface. Here is it's running config.
interface Wlan-GigabitEthernet0/1/8 switchport trunk allowed vlan 1,40 switchport mode trunk end
Does that look okay or am I missing something? On the WLC, I cannot ping 10.0.40.1, which is the IP address to VLAN40 on the router.
All the examples I see online seem to show something along the lines of this:
interface gig0/20 Description Connected to the WLC switchport trunk encapsulation dot1q switchport trunk allowed vlan 1,20,60 switchport mode trunk
However, when I try configuring the interface Wlan-GigabitEthernet 0/1/8, there is no switchport trunk encapsulation dot1q. From what I've read, I believe that encapsulation is required for what I'm attempting to do. I cannot seem to figure out how to enable it though.
try a sub interface under that port then add encapsulation there, example below how to
or set it as a trunk too under the sub
no ip address
encapsulation dot1q 100
I did just notice something in the config interface wlan-gigabitethernet 0/1/8's window. I saw a option called port-tagging.
So I enabled it. I typed:
Router01(config-if)#port-tagging Router01(config-if-port-tagging)#encapsulation ? dot1ad IEEE 802.1AD Virtual LAN or S-VLAN dot1q IEEE 802.1Q Virtual LAN or S-VLAN Router01(config-if-port-tagging)#encapsulation dot1q ? <1-4094> VLAN id Router01(config-if-port-tagging)#encapsulation dot1q 40
Perhaps this was how I enable the dot1q encapsulation? When I do that though, I cannot ping either of the networks on the WLC. I tried setting the encapsulation dot1q to VLAN id 1 but that still did not allow me to ping the 10.0.0.0 / 24 addresses.
@Spork Schivago, If this configuration was working before, so no sense to think that the configuration is needed to be modified!
We should troubleshoot in another direction, are you sure that there is no physical problem?
Can you show us the output of #show ip int br
Please don't forget to rate all helpful responses and mark solutions!
Thank you for the reply. I should add that we are actively working on fine tuning the configurations on the network equipment (we are a fairly new company) and there is a chance we did break something old while trying to configure something new, or had something configured properly but forgot to save the config file and the WLC rebooted.
I have tested this. I logged into the WLC using a console cable. I issued the command show interfaces summary and here is the output:
(WLC0) >show interface summary Number of Interfaces.......................... 3 Interface Name Port Vlan Id IP Address Type Ap Mgr Guest -------------------------------- ---- -------- --------------- ------- ------ ----- management 1 1 10.0.0.2 Static Yes No virtual N/A N/A 192.0.2.1 Static No No vlan_guests 1 40 10.0.40.2 Dynamic No No (WLC0) >
What I find very frustrating and odd is that from the WLC0, I cannot ping 10.0.40.2. I cannot ping it at all, despite the fact that the vlan_guests dynamic interface was created on WLC0...even when I tell ping to use the source interface vlan_guests, I still cannot ping 10.0.40.2. So I think maybe the problem lies with the WLC somewheres.
Here is the information you requested though:
Router01#show ip interface brief Interface IP-Address OK? Method Status Protocol GigabitEthernet0/0/0 unassigned YES NVRAM down down GigabitEthernet0/0/1 <my public IP> YES TFTP up up GigabitEthernet0/1/0 unassigned YES unset up up GigabitEthernet0/1/1 unassigned YES unset up up GigabitEthernet0/1/2 unassigned YES unset up up GigabitEthernet0/1/3 unassigned YES unset up up GigabitEthernet0/1/4 unassigned YES unset down down GigabitEthernet0/1/5 unassigned YES unset down down GigabitEthernet0/1/6 unassigned YES unset down down GigabitEthernet0/1/7 unassigned YES unset down down Wl0/1/8 unassigned YES unset up up Loopback0 10.10.10.100 YES NVRAM up up Vlan1 10.0.0.1 YES NVRAM up up Vlan40 10.0.40.1 YES NVRAM up up
From the router, I can 10.0.40.1, but I cannot ping 10.0.40.2. This makes me think perhaps the router is fine, just the built-in WLC0 has an issue somewheres.
What is the router and WLC type your using? That has a lot to do with the configs. Some devices default to dot1q encapsulation like the Cisco 4510, while others you have to specify it like the Cisco 6500.
Off the top I would first suggest not using VLAN 1 at all. This can pose problems later on when trying to scale up your network, and there are many other reasons not to use it. You should move the IP address from vlan 1 to any other number, then shutdown your vlan1 SVI. Then you should do specify a native vlan. Currently because you have not specified one it is using vlan 1. So then your trunk configuration should look something like:
vlan 10 name DataNet ! vlan 900 name NativeID ! interface vlan 1 no ip address shutdown ! interface vlan 10 description Data ip address 10.0.0.2 255.255.255.0 no shutdown ! interface Wlan-GigabitEthernet0/1/8 switchport trunk native vlan 900 switchport trunk allowed vlan 10,40 switchport mode trunk end
Then verify the actual status of your trunks by doing a show interface trunk command to see if vlan 10 and 40 are being allowed or being pruned. Also run the show interface command on the wlan-gig0/1/8 interface. That should identify the encapsulation type that is being used. The command would be
show interface wlan-gig0/1/8 switchport
Name: WLAN-Gig0/1/8 Switchport: Enabled Administrative Mode: trunk Operational Mode: trunk Administrative Trunking Encapsulation: dot1q Operational Trunking Encapsulation: dot1q Negotiation of Trunking: On Access Mode VLAN: 1 (default) Trunking Native Mode VLAN: 900 (Native-dot1Q) Administrative Native VLAN tagging: enabled Voice VLAN: none
move off of vlan 1
add new vlan to trunk
add a native vlan to trunking interface
test – if it doesn’t work then:
show interface wlan-gig0/1/8 switchport
show interface trunking
I think you're right.
I will add some stuff and I think I know why it broke. The router I have is a Cisco C1111-8PW that has a built-in WLC and a built-in AP. The three extra APs I have are 1832i's. None of them are very heavy duty, if you will. For example, all the web configuration examples I've seen for routers, WLCs, etc have a LOT more features than the web interface pages I see, so I have to do almost everything from the CLI, which isn't bad, but it'd be nice to have a dedicated, stand-alone WLC, and maybe something like the Cisco 3802i's would be nicer. The router is running IOS XE 16.06.05. The APs are running Mobility Express 184.108.40.206. I noticed online, some APs have IOS running. These are not like this for some reason. The OS is IOS like, but it's not IOS.
I think I know why things broke. I powered up the other APs. I forgot all about them. I just plugged them into the router's ports and then started configuring them via the WLC's console cable. The APs are on interface GigabitEthernet 0/1/0 - 0/1/2. I bet I have to configure those interfaces on the router as well. I tried, and things did start happening. One was able to obtain an IP address from the DHCP server and got a 10.0.40.0 address, and I was able to reach the outside, but things got real weird when those APs where on a trunk line. They all acted like they were the built-in AP for the WLC. I could see each one, individually, had joined the WLC, but if I moved to the next AP, that one joined and the previous one didn't show. For example,
While on WAP0, the WLC0 shows WAP0 was joined.
But on WAP1, the WLC0 shows WAP0 is not joined, but WAP1 is joined. On WAP1, I had the WLC0 prompt, like I should have with only WAP0.
This confused me a bit. I think I am going to call it a night and then tomorrow, I will implement your suggestions. The way I understand the native VLAN is if a packet comes from that native VLAN, only accept traffic from the VLAN if it's untagged. If that's correct, I am missing something. If the packet is untagged, how does the router know it came from the native VLAN?
Thanks for the help and suggestions on how best to set this up. You guys are great.
Thanks for the update on the hardware. I see that in your original post but didn’t realize that was the router model. It looks similar to the 1811’s and such where it looks to have a router and switchblade/module in it. If you are connecting your AP’s to the switch module you will want them setup as Access Mode, not trunked mode. The only purpose for using a trunking configuration for an AP is if you will be using Flex Connect. That typically isn’t a feature set though unless you have an actual dedicate WLC like 4400, 5500, or 8500. So, for your purposes, I can’t see a reason to use trunking to your AP’s.
As for the native vlan. That is a whole different topic, but basically, the native vlan is to mark traffic that did not come in tagged. The trunks can only forward tagged traffic so if you have data coming from a router first that would otherwise not be tagged that traffic can then be forwarded via the native vlan.
The purpose of my statements towards changing the Native Vlan was mainly because I was suggesting you not use VLAN 1, and if you are not going to use vlan1 then you needed to change the Native VLAN to something other than vlan1. There are many security vulnerabilities to why not to use vlan 1 as well as Cisco’s best practices states to not use it for multiple other reasons.
Cool – hopefully you figure it out, but if not just message back. Good luck!
Thanks for the reply. I see the WLC and APs are currently in FlexConnect mode. Is that wrong for my setup?
Here is a list of the VLAN IDs and their mappings on the router:
VLAN Name Status Ports ---- -------------------------------- --------- ------------------------------- 1 default active Gi0/1/0, Gi0/1/1, Gi0/1/2 Gi0/1/3, Gi0/1/4, Gi0/1/5 Gi0/1/6, Gi0/1/7 40 GUESTS active 1002 fddi-default act/unsup 1003 token-ring-default act/unsup 1004 fddinet-default act/unsup 1005 trnet-default act/unsup VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2 ---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------ 1 enet 100001 1500 - - - - - 0 0 40 enet 100040 1500 - - - - - 0 0 1002 fddi 101002 1500 - - - - - 0 0 1003 tr 101003 1500 - - - - - 0 0 1004 fdnet 101004 1500 - - - ieee - 0 0 1005 trnet 101005 1500 - - - ibm - 0 0 Primary Secondary Type Ports ------- --------- ----------------- ------------------------------------------
Here's the VLAN interfaces:
Vlan1 is up, line protocol is up Hardware is Ethernet SVI, address is a093.5188.4f74 (bia a093.5188.4f74) Description: VLAN interface (Layer 3) with 254 Usable Hosts (10.0.0.1 - 10.0.0.254), network address 10.0.0.0 Internet address is 10.0.0.1/24 MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec, reliability 255/255, txload 1/255, rxload 1/255 Encapsulation ARPA, loopback not set Keepalive not supported ARP type: ARPA, ARP Timeout 04:00:00 Last input 01:02:13, output 00:00:00, output hang never Last clearing of "show interface" counters never Input queue: 0/375/0/0 (size/max/drops/flushes); Total output drops: 0 Queueing strategy: fifo Output queue: 0/40 (size/max) 5 minute input rate 6000 bits/sec, 3 packets/sec 5 minute output rate 1000 bits/sec, 2 packets/sec 6407358 packets input, 746600739 bytes, 0 no buffer Received 0 broadcasts (0 IP multicasts) 0 runts, 0 giants, 0 throttles 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored 12422276 packets output, 14963271193 bytes, 0 underruns 0 output errors, 1 interface resets 109 unknown protocol drops 0 output buffer failures, 0 output buffers swapped out Router01#show interfaces vlan 40 Vlan40 is up, line protocol is up Hardware is Ethernet SVI, address is a093.5188.4f74 (bia a093.5188.4f74) Description: VLAN interface (Layer 3) with 254 Usable Hosts (10.0.40.1 - 10.0.40.254), network address 10.0.40.0 Internet address is 10.0.40.1/24 MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec, reliability 255/255, txload 1/255, rxload 1/255 Encapsulation ARPA, loopback not set Keepalive not supported ARP type: ARPA, ARP Timeout 04:00:00 Last input 1d22h, output 00:09:43, output hang never Last clearing of "show interface" counters never Input queue: 0/375/0/0 (size/max/drops/flushes); Total output drops: 0 Queueing strategy: fifo Output queue: 0/40 (size/max) 5 minute input rate 0 bits/sec, 0 packets/sec 5 minute output rate 0 bits/sec, 0 packets/sec 1426860 packets input, 111304746 bytes, 0 no buffer Received 0 broadcasts (0 IP multicasts) 0 runts, 0 giants, 0 throttles 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored 3248757 packets output, 4182025556 bytes, 0 underruns 0 output errors, 1 interface resets 89 unknown protocol drops 0 output buffer failures, 0 output buffers swapped out
I also have a ToR switch that I will be connecting to the router sooner or later, and I will need to setup the various VLANs on that switch as well, but I do not think that will be a problem.
I just want to make sure I'm doing this right here. I'm catching on with the VLAN stuff, but the tagging stuff still confuses me a bit. So I am unconfiguring VLAN1 (the default VLAN) on the router and the WLC. I am creating a VLAN10 on the router and the WLC. I will assign the management port to VLAN10 on the WLC. I am going to keep the VLAN40 the way it is.
On the router, I will assign whatever ports that are currently assigned to VLAN1 to VLAN10. So GigabitEthernet 0/1/0 - 0/1/7 now get assigned to VLAN10.
After this, I think I have to figure out why the APs cannot connect to the WLC, but perhaps that's a better question for the wireless mobility thread. I know if I assign the management port on the WLC to a VLAN, and then assign the APs to the same VLAN, the APs never join. I suspect it has something to do with how those interfaces on the router's switch module are configured. I am going to setup the new VLANs now though and go from there.
I have tried configuring at suggested, but after doing so, I cannot reach the WLC at all from the router and vice-versa. Here is the current configuration of some of the interfaces:
! interface Loopback0 description Local Loopback interface with 6 Usable Hosts (10.10.10.97 - 10.10.10.102), network address 10.10.10.96 ip address 10.10.10.100 255.255.255.248 ip broadcast-address 10.10.10.103 ! interface GigabitEthernet0/0/0 mac-address a093.5188.4f01 no ip address no ip redirects no ip unreachables no ip proxy-arp ip nbar protocol-discovery media-type sfp negotiation auto ! interface GigabitEthernet0/0/1 description Gigabit Ethernet WAN port mac-address a093.5188.4f00 ip address <STATIC PUBLIC IP> <NETMASK> no ip redirects no ip unreachables no ip proxy-arp ip nat outside ip nbar protocol-discovery ip verify unicast source reachable-via rx allow-default ip access-group NO_OUTFACING_SERVICES in speed 1000 no negotiation auto ! interface GigabitEthernet0/1/0 switchport access vlan 10 spanning-tree portfast disable ! interface GigabitEthernet0/1/1 switchport access vlan 10 spanning-tree portfast disable ! interface GigabitEthernet0/1/2 switchport access vlan 10 spanning-tree portfast disable ! interface GigabitEthernet0/1/3 switchport access vlan 10 ! interface GigabitEthernet0/1/4 switchport access vlan 10 ! interface GigabitEthernet0/1/5 switchport access vlan 10 ! interface GigabitEthernet0/1/6 switchport access vlan 10 ! interface GigabitEthernet0/1/7 switchport access vlan 10 ! interface Wlan-GigabitEthernet0/1/8 switchport trunk native vlan 900 switchport trunk allowed vlan 10,40 switchport mode trunk ! interface Vlan1 no ip address no ip redirects no ip unreachables no ip proxy-arp ip nat inside ip access-group BLOCK_INTERVLAN_ROUTING in shutdown ! interface Vlan10 description Enterprise VLAN interface (Layer 3) with 254 Usable Hosts (10.0.0.1 - 10.0.0.254), network address 10.0.0.0 ip address 10.0.0.1 255.255.255.0 ip broadcast-address 10.0.0.255 no ip redirects no ip unreachables no ip proxy-arp ip nat inside ! interface Vlan40 description VLAN interface (Layer 3) with 254 Usable Hosts (10.0.40.1 - 10.0.40.254), network address 10.0.40.0 ip address 10.0.40.1 255.255.255.0 ip broadcast-address 10.0.40.255 no ip redirects no ip unreachables no ip proxy-arp ip nat inside ! ip nat inside source list NAT_TRANSLATIONS interface GigabitEthernet0/0/1 overload ip forward-protocol nd ip http server ip http authentication local ip http secure-server ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/1 <GATEWAY> permanent name ETC-BLK2 ip ssh time-out 60 ip ssh authentication-retries 2 ! ! ip access-list standard NAT_TRANSLATIONS permit 10.0.0.0 0.0.0.255 permit 10.0.40.0 0.0.0.255 ! ip access-list extended BLOCK_INTERVLAN_ROUTING deny ip 10.0.0.0 0.0.0.255 10.0.40.0 0.0.0.255 deny icmp 10.0.0.0 0.0.0.255 10.0.40.0 0.0.0.255 permit ip any any ip access-list extended NO_OUTFACING_SERVICES deny tcp any any eq telnet deny tcp any any eq 22 deny tcp any any eq www deny tcp any any eq 443 deny tcp any any eq finger deny tcp any any eq cmd permit ip any any ip access-list extended NO_WEBCONFIG_SERVICES deny tcp any any eq www deny tcp any any eq 443 permit ip any any ! ip access-list match-local-traffic logging trap debugging logging facility local2 access-list 100 permit udp any any eq bootpc !
Router01#show interfaces wlan-GigabitEthernet 0/1/8 switchport Name: Wl0/1/8 Switchport: Enabled Administrative Mode: trunk Operational Mode: trunk Administrative Trunking Encapsulation: dot1q Operational Trunking Encapsulation: dot1q Negotiation of Trunking: On Access Mode VLAN: 1 (default) Trunking Native Mode VLAN: 900 (NativeID) Administrative Native VLAN tagging: enabled Voice VLAN: none Administrative private-vlan host-association: none Administrative private-vlan mapping: none Administrative private-vlan trunk native VLAN: none Administrative private-vlan trunk Native VLAN tagging: enabled Administrative private-vlan trunk encapsulation: dot1q Administrative private-vlan trunk normal VLANs: none Administrative private-vlan trunk associations: none Administrative private-vlan trunk mappings: none Operational private-vlan: none Trunking VLANs Enabled: 10,40 Pruning VLANs Enabled: 2-1001 Capture Mode Disabled Capture VLANs Allowed: ALL Protected: false Priority for untagged frame: 0 Override vlan tag priority: FALSE Appliance trust: none
Router01#show interface trunk Port Mode Encapsulation Status Native vlan Wl0/1/8 on 802.1q trunking 900 Port Vlans allowed on trunk Wl0/1/8 10,40 Port Vlans allowed and active in management domain Wl0/1/8 10,40 Port Vlans in spanning tree forwarding state and not pruned Wl0/1/8 10,40
I have tried tagging and not tagging the management interface on the WLC. I've tried tagging it with VLAN ID 10, and then just untagging it (not assigning it a VLAN), but neither way do it allow me to reach the router from the WLC or vice-versa. Frustrating.
If I plug an ethernet cable into one of the ports on the router, I am assigned an IP from the Enterprise DHCP pool and I can reach the outside world...any suggestions on what I'm doing wrong? I suspect it's now something on the WLC, not the router.
The router configs look good. You have the right encapsulation on the trunk interface - the vlan's are up and trunking. I have not worked on this router specifically, but on the 3850 when working on the WLC you have to issue the wireless mobility controller command then you need to specify the vlan that is the management. Is there something in your config that you will need to change to reflect the vlan 1 to vlan 10 change? I would first think to review the WLC configs and make sure everything is linking up.
As for your Flex Connect configuration: there is nothing wrong with using flex connect, it just can add more complexity to the setup. For simplicity I would probably use Local mode. It is a basic access port type configuration. Flex mode you need to do a trunking setup on the switch port and then additional configs for the AP setup. Flex connect can be great for having multiple SSID's on different localized subnets, but it is just a more complex setup.
The configs above you have the "spanning-tree portfast disable" command on those three interfaces. Was there a reason for that? Generally on an access port you want to enable spanning-tree portfast. An exception if you had a device sending BPDU's like a generic switch or some versions of older linux systems could send BPDU's (however rare for currect OS types).
Before I realized I couldn't access the 10.0.40.0 / 24 network from the WLC, we had some issues on the 10.0.0.0 / 24 network. We would lose packets and after investigating, we noticed the interfaces on the router was dropping unknown packets. The first thing I did was download the NBAR pack and update it, but that didn't fix the problem. So, then on the WAN facing interface, I disabled spanning-tree, and on that WAN facing interface, those dropped packets stopped. So for testing purposes, I disabled the spanning tree on the various access ports. When re-enabling it, I see this message:
%Warning: portfast should only be enabled on ports connected to a single host. Connecting hubs, concentrators, switches, bridges, etc... to this interface when portfast is enabled, can cause temporary bridging loops. Use with CAUTION %Portfast has been configured on GigabitEthernet0/1/0 but will only have effect when the interface is in a non-trunking mode.
I said to myself, well, the AP is one host, but it's kind of like a switch in a way. The WLC, for instance, has multiple interfaces, on different networks. So maybe it should be left disabled? Should I go through and reenable it on all the switch ports? The ones that are in access mode? But keep it disabled on the Wlan-GigabitEthernet 0/1/8 trunk port?
Something odd is going on, something I cannot figure out. The WLC's management interface has the IP address of 10.0.0.2 / 24. From the router, I can ping this 10.0.0.2 interface. From the WLC, I cannot ping anything on the router side. How is that possible? The router sends an ICMP packet, but the WLC has to respond...from the WLC side, if it cannot reach the 10.0.0.1 VLAN interface that's on the router, how can the router reach the 10.0.0.2 interface that is on the WLC?
I will post my WLC config. I believe FlexConnect is setup properly. I was under the impression if I was going to have the WLANs on multiple networks, like I do (the company's WLAN is on the 10.0.0.0 / 24 network, the guest is on the 10.0.40.0 / 24 network, and there's going to be a couple more once I figure it all out), I was supposed to use FlexConnect mode.
Here's a copy of the WLC0's config, with some stuff masked, like usernames and password.
I've attached it as a file because it's so long, but I've decided to post in the thread what I feel is the relevant sections. Maybe someone can see something I cannot see?
config ap next-preferred-master <MAC ADDRESS OF BUILT-IN WAP (WAP0)> config interface dhcp management primary 10.0.0.1 config interface vlan management 10 config interface address management 10.0.0.2 255.255.255.0 10.0.0.1 config interface dhcp service-port enable config interface dhcp dynamic-interface vlan_guests primary 10.0.40.1 config interface create vlan_guests 40 config interface vlan vlan_guests 40 config interface port management 1 config interface address virtual 192.0.2.1 config interface address dynamic-interface vlan_guests 10.0.40.2 255.255.255.0 10.0.40.1 config interface port vlan_guests 1 config flexconnect vlan-name-id template-entry add corning_vlan_template vlan_guests 40 config flexconnect vlan-name-id template-entry add corning_vlan_template vlan_enterprise 10 config flexconnect vlan-name-id create corning_vlan_template config flexconnect vlan-name-id apply corning_vlan_template config flexconnect group default-flexgroup predownload mac-master <MAC ADDRESS OF BUILT-IN WAP (WAP0)> config flexconnect group default-flexgroup predownload enable config flexconnect group default-flexgroup vlan override-ap enable config flexconnect group default-flexgroup vlan native 1 config flexconnect group default-flexgroup wlan-vlan wlan 1 add vlan 10 config flexconnect group default-flexgroup wlan-vlan wlan 2 add vlan 40 config flexconnect group default-flexgroup ap add <MAC ADDRESS OF BUILT-IN WAP (WAP0)> config flexconnect group default-flexgroup avc 1 profile "Corning Electronics" enable config flexconnect group default-flexgroup avc 1 visibility enable config flexconnect group default-flexgroup avc 2 profile "Corning Electronics Guest" enable config flexconnect group default-flexgroup avc 2 visibility enable config flexconnect group default-flexgroup add config flexconnect group default-flexgroup radius ap authority info "Cisco A_ID" config flexconnect group default-flexgroup radius ap authority id <authority ID> config flexconnect group default-flexgroup radius ap server-key encrypt 1 <password> config flexconnect group default-flexgroup template-vlan-map add corning_vlan_template
I do not have a radius or a TACACS+ server setup yet, but I was working on setting one up. I wonder if that's causing some issues. I'm tempted to do a factory reset and clear the config on the APs and the WLC and try from scratch. Might be easier than trying to figure out what I did wrong.
So, just to be clear, the management IP address on the WLC is 10.0.0.2 / 24 and the vlan_guests IP is 10.0.40.2. Two SSIDs, Corning Electronics (which gets assigned to the 10.0.0.0 / 24 network) and Corning Electronics Guest (which gets assigned to the 10.0.40.0 / 24 network). Currently, I cannot ping the 10.0.40.2 IP from the WLC! It's almost as if the vlan interface is shutdown. I also cannot ping anything outside of the WLC, minus the built-in AP IP address.
If it was working before then fine bro it seems its not a configuration problem
Check for #show interface xx
Find any errors like input or output or framing errors.
Also check if the same configuration works on a different ports.