Multiple Wireless SSIDs and VLAN tagging

I am about to pull what hair I have left out! I have configured many a Cisco switch with VLANs and for some reason, one cell must not be firing today...

I have a client who needs a simple wireless infrastructure: one WLAN for company traffic and one WLAN for Guest/Vendor internet access. I have the following equipment:


1 x Engius b/g/n PoE Access point (Forced to use what the client had on hand)

1 x SF 302-08P 8-port PoE Cisco Switch (for access point)

1 x SG500-52 52-port Gbe Cisco Switch

AP SSID config

SSID: Corp. VLAN 1, untagged (WPA2/AES/PSK)

SSID: Guest. VLAN 2, tagged (open)

VLANs (created on both Cisco switches)



8-Port PoE Switch Config

Port1-To AP. Trunk port. Members: vlan1-untagged, vlan2-tagged

Port2-To SG500 Switch. Trunk port. Members: vlan1-untagged, vlan2-tagged

SG500 Switch Config

Port2-To 8-port PoE switch (other end of the cable coming from port2 above). Trunk port. Members: vlan1-untagged, vlan2-tagged

Port3-To DHCP server. Trunk port. Members: vlan1-untagged, vlan2-tagged

Why can I not get a DHCP address on the guest SSID? I can get a DHCP address on the corp SSID.


Hi Mike,

Try this first on the switch where your AP is connected via trunk port, and let me know the result.

I am assuming you are using dot1q.

"vlan dot1q tag native"


Tom Watts

Hi Mike and Rizwan, the switch only supports IEEE standards (the only exception is CDP). I would recommend to configure a port on each switch as a VLAN 2 access and verify a computer is able to receive DHCP. If the computer is able to pull the VLAN 2 information from either switch then we know it's not a switch config issue as the original posted information is agreeable for the trunks and tags.

-Tom


Since these are production switches at the moment and I don't have the resources to give that a try, I think since a device connecting to the SSID on VLAN 1 can obtain an address, this should be answered as it is making the necessary hops to the dhcp server.

David Hornstein


Tom beat me to the punch, but I was thinking along the same lines: validate that you can propagate VLAN2 from the DHCP server.

Your description of the switch configuration suggests you really know what you are doing, so I will trust that you have configured the switch correctly.

So the DHCP server is VLAN aware...hmm... it better be or it won't understand how to send tagged Ethernet traffic for VLAN2.

You said "Port3-To DHCP server. Trunk port. Members: vlan1-untagged, vlan2-tagged "

The switch configuration sounds spot on. Can you do a Wireshark capture on the DHCP server to validate that it is sending out untagged frames on VLAN1 and tagged frames on VID=2? That's easy if it works.

Please note, as something to keep in the back of your mind: sometimes I have had to play with Windows registry settings on my PC to see VLAN tags in a Wireshark packet capture. Or, as Tom said, make another port on the SG500 untagged in VLAN 2 and see if that PC gets an IP address.

regards Dave
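
The capture check suggested above, as an added example that is not part of the original thread: a small Python parser that reads raw Ethernet frames, reports the 802.1Q VID (or none for untagged), and counts DHCP frames per VLAN. The sample frames, MAC and IP addresses, and the function names are constructed for illustration.

```python
import struct

TPID_8021Q = 0x8100       # EtherType value that marks an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800

def classify_frame(frame: bytes):
    """Return (vid, is_dhcp); vid is None when the frame carries no 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    offset, vid = 14, None
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        vid, offset = tci & 0x0FFF, 18      # VID is the low 12 bits of the TCI
    is_dhcp = False
    if ethertype == ETHERTYPE_IPV4 and len(frame) >= offset + 20:
        ihl = (frame[offset] & 0x0F) * 4    # IPv4 header length in bytes
        if frame[offset + 9] == 17 and len(frame) >= offset + ihl + 4:  # UDP
            sport, dport = struct.unpack_from("!HH", frame, offset + ihl)
            is_dhcp = {sport, dport} <= {67, 68}
    return vid, is_dhcp

def build_frame(vid, sport, dport):
    """Constructed sample frame: broadcast Ethernet/IPv4/UDP, optional tag."""
    macs = bytes.fromhex("ffffffffffff" "020000000001")
    tag = b"" if vid is None else struct.pack("!HH", TPID_8021Q, vid)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 1]), bytes([255] * 4))
    udp = struct.pack("!HHHH", sport, dport, 8, 0)
    return macs + tag + struct.pack("!H", ETHERTYPE_IPV4) + ip + udp

def dhcp_by_vlan(frames):
    """Count DHCP frames per VID; key None means untagged."""
    counts = {}
    for frame in frames:
        vid, is_dhcp = classify_frame(frame)
        if is_dhcp:
            counts[vid] = counts.get(vid, 0) + 1
    return counts

# Constructed capture: untagged DHCP reply, tagged VID 2 DHCP reply, tagged DNS.
SAMPLE = [build_frame(None, 67, 68), build_frame(2, 67, 68),
          build_frame(2, 53, 40000)]

if __name__ == "__main__":
    print(dhcp_by_vlan(SAMPLE))
```

If the capturing NIC or driver strips tags before the capture point, every frame will be reported as untagged regardless of what is on the wire.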


If I turn off tagging on VLAN 2 on the AP and connect to the SSID defined as "untagged VLAN 2", I get an IP address from VLAN 1 just fine...


Thanks everyone, it's still a head scratcher...

I can ping the guest gateway (on VLAN 2) from any PC on the main network (VLAN 1), yet I cannot ping it from either of the switches.

And as much as I would love for all CLI commands to be available as they are on the enterprise switches, they don't seem to be as I would normally add dot1q manually to each port and the command doesn't work on either of these switches:

switchport trunk encapsulation dot1q

Mike, as stated before, the switch only supports dot1q. It does not support ISL. Dot1q states there must be a native vlan 1 (vlan 1) then all additional vlans are tagged. The difference between these switches and a Catalyst switch is that a Catalyst switch does not require vlan tagging specified on the port; by default all vlans will go through the port. Your port configuration is currently correct with the details provided.

One thing you might be running into: the SG500X is layer2/3 by default. If you have assigned the vlan interfaces an IP address, the SG500 is running layer 3, which would then need the DHCP relay.

-Tom

Here are a few images of the Web interface:

PoE Switch (Cisco SF302-08P)

SG500-52 Switch

I guess I could always flip it over to a layer 3 and route from there?!?

Hi Mike,

Based on what you have stated so far and the configuration screenshots of the switch, you should be up and running. What are you using as the gateway and AP (model, brand)? Also, are the switches in L2 or L3?


Jason Nickle