@pieterh - Thanks for the reply and that document was very helpful. I think the switchport configuration that the MAP is plugging into via GigabitEthernet0 is correct with Native Vlan, Allowed vlan etc.  When I plug in the switch to the AP is it suppose to think this is now a RAP connected device or know via the port configuration that is  just for client traffic (How to prevent this loop).  What about the below settings on the switchport.  Does the AP GigabitEthernet0 that the switch connects to need vlan information. I don't have GUI to our WLC just CLI.

BPDU, make STP  BLK one interconnect to prevent L2 Loop

>>> I don't have GUI to our WLC just CLI. <<<
-> in the document both config using gui AND config using CLI  ae used!

e.g. (some of the ) CLI commands needed:

9124EWC(config)#wireless profile mesh default-mesh-profile
9124EWC(config-wireless-mesh-profile)#description "default mesh profile"
9124EWC(config-wireless-mesh-profile)#ethernet-bridging
9124EWC(config-wireless-mesh-profile)#ethernet-vlan-transparent
9124EWC(config-wireless-mesh-profile)#method authentication MESH_Authentication
9124EWC(config-wireless-mesh-profile)#method authorization MESH_Authorization

but read the section carefully also about use of "vlan transparent" and adjust to your needs

Special callout to the option VLAN Transparent:

This feature determines how a mesh access point handles VLAN tags for Ethernet bridged traffic:

If VLAN Transparent is enabled, then VLAN tags are not handled and packets are bridged as untagged packets.
No configuration of Ethernet ports is required when VLAN transparent is enabled. The Ethernet port passes both tagged and untagged frames without interpreting the frames.
If VLAN Transparent is disabled, then all packets are handled according to the VLAN configuration on the port (trunk, access, or normal mode).
If the Ethernet port is set to Trunk mode, then Ethernet VLAN tagging must be configured.

important is you first connect the MAP to the same switch as the LAN where the controller is connected, but to a specific staging port
after the AP is configured as MAP, then you can move it to the destination switch

1. Connect the MAP AP to the Switch1 for staging. The AP joins the EWC and shows in the AP list. Change its name to something like AP9124_MAP and configure it as Mesh Role in the Mesh tab. Click Update & Apply to Device:

Switch1:

interface GigabitEthernet1/0/2
 description AP9124_MAP_Staging
 switchport trunk native vlan 100
 switchport trunk allowed vlan 100,101
 switchport mode trunk
 end

2. Disconnect the AP from Switch1 and connect to Switch2 as per the Network Diagram. The MAP joins the EWC via wireless interface through the RAP.

Switch2:

interface GigabitEthernet0/1
 description AP9124_MAP
 switchport trunk native vlan 100
 switchport trunk allowed vlan 100,101
 switchport mode trunk
 end

@pieterh Your information is very helpful and think I am getting closer to this working.

Ethernet Bridging enabled, Backhaul with client access status enabled, Mesh Ethernet Bridging STP BPDUAllowed Disabled, 

Mesh Ethernet Bridging VLAN Transparent Mode Disabled

Switch port config below I am connecting my MAP to.  Is there any advantage to using interface GigabitEthernet0/1 as it is free? 

interface FastEthernet0/4
description MAP - 
switchport trunk allowed vlan 10,99,400,410,411,430,440
switchport trunk native vlan 410
switchport mode trunk

Does the WLC set the configuration on the GigabitEthernet0 port of the Mesh AP? I am guessing that this is the port the network cable goes from on AO - Injector - Switchport?  Here is the config it has on it below. 

Mesh AP

Interface GigabitEthernet0

no ip route-cache

duplex full

bridge-group 1

bridge-group 1 spanning-disabled

no bridge group 1 unicast-flooding

@pieterh All of our AP's (2 RAP's, 2 MAPS) Have the below configuration on ethernet ports. Vlan Tagging Information For AP. Is this correct for what we are tryint to do? 

Vlan Tagging Information For AP

Ethernet 0
Mode: ACCESS
Access Vlan 0
Ethernet 1
Mode: ACCESS
Access Vlan 0
Ethernet 2
Mode: ACCESS
Access Vlan 0
Ethernet 3
Mode: ACCESS
Access Vlan 0

>>> Does the WLC set the configuration on the GigabitEthernet0 port of the Mesh AP? <<<
yes the controller will configure the ethernet port of the AP

>>> Switch port config below I am connecting my MAP to.  Is there any advantage to using interface GigabitEthernet0/1 as it is free? 
       interface FastEthernet0/4
<<<

I advise to use a Gigabit port / uplink port on the switch (if possible)
but you can use any interface on your switch for either the staging port, and on the destination switch
 

>>>
Vlan Tagging Information For AP

Ethernet 0
Mode: ACCESS
Access Vlan 0
Ethernet 1
Mode: ACCESS
Access Vlan 0
Ethernet 2
Mode: ACCESS
Access Vlan 0
Ethernet 3
Mode: ACCESS
Access Vlan 0

 <<<
this I do not understand?
does your accesspoints have FOUR ethernet ports ? what model is that?
if you mean these are the four switchports that the AP's connect to, then the configuration should change like below,
using the vlan's you use in your network

Switch1: 

interface GigabitEthernet1/0/1
 description AP9124_RAP 
 switchport trunk native vlan 410
 switchport trunk allowed vlan 10,99,400,410,411,430,440
 switchport mode trunk
 end

Switch2: 

interface GigabitEthernet0/1
 description AP9124_MAP
 switchport trunk native vlan 410
 switchport trunk allowed vlan 10,99,400,410,411,430,440
 switchport mode trunk
 end

@pieterh - Thanks for this information as it is helping me understand and should be closer to resolving this issue.  

1. Our RAP set up seems all set with no issues, it's just the MAP piece of this we need to get right.

2. I will use Interface GigabitEthernet 0/1 on the switch for connecting the MAP AP

3. Switches we use are Cisco 2960-C (8 and 24 port switches).  I think the configuration of the port we agree on.

4. If WLC sets the configuration of GigabitEthernet0 (Which I think is the port the network goes from to our injector-switch) on access point.  I see mode and access as two options under interface name-access point section.  Would I set this to trunk and Vlan ID 410?

5. On our WLC with have AP Vlan Trunking set to disable. I feel like for our set up this should be enabled? yes/No

6. To use VLAN tagging (i.e., pass multiple VLANs over the mesh link), you must disable the "VLAN Transparent" option in the WLC's global or specific mesh configuration settings. WE do have this disabled. 

@pieterh - Does not look like it will let me change the Ethernet AP Port 0 to trunk or native Vlan, gives me a failed because Vlan trunking is disabled on AP.   When I connect the AP to Gi0/1, everything is fine until I get the link light then all goes astray.  Like the sequence is looping around constantly.  All RAP's, MAPS get knocked offline and lose connection to WLC, then a few minutes later is able to reconnect again.  However, another few minutes and it happens again where system goes down.  How do you just keep the wireless backhaul connection and tell the AP that the int Gi0/1 switch connected is for local client traffic.  I have attached the copy of what transpired during this process.  Appreciate your help. 

@pieterh Not sure if the text file is readable so I have included some of the text and let me know what you see that could be the issue. 

%DOT11-3-ADD_PRIM_IDB_TOLIST: can not add idb GigabitEthernet0 to the private list
*Nov 23 19:14:59.979: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0, changed state to up
*Nov 23 19:15:19.607: %MESH-6-LINK_UPDOWN: Mesh station 0023.052f.710f link Down
*Nov 23 19:15:19.807: %MESH-6-ADJ_VIDB_LINK: Mesh neighbor 0023.052f.710f VIDB Virtual-Dot11Radio10 going down

%MESH-6-ADJ_VIDB_LINK: Mesh neighbor 682c.7b11.e88f VIDB Virtual-Dot11Radio10 going down
*Nov 23 19:18:33.399: %MESH-6-ADJ_VIDB_LINK: Mesh neighbor 2c3e.cf48.b0ef VIDB Virtual-Dot11Radio5 dot1x control
*Nov 23 19:18:34.399: %MESH-6-ADJ_VIDB_LINK: Mesh neighbor 2c3e.cf48.b0ef VIDB Virtual-Dot11Radio5 dot1x control
*Nov 23 19:18:35.399: %MESH-6-ADJ_VIDB_LINK: Mesh neighbor 2c3e.cf48.b0ef VIDB Virtual-Dot11Radio5 dot1x control

*Nov 23 19:20:25.055: %MESH-6-LINK_UPDOWN: Mesh station 006c.bce8.502f link Down
*Nov 23 19:20:25.059: %MESH-6-ADJ_VIDB_LINK: Mesh neighbor 006c.bce8.78df VIDB Virtual-Dot11Radio5 dot1x control
*Nov 23 19:20:25.071: %LINK-6-UPDOWN: Interface Virtual-Dot11Radio5, changed state to up
*Nov 23 19:20:25.271: %MESH-6-ADJ_VIDB_LINK: Mesh neighbor 006c.bce8.502f VIDB Virtual-Dot11Radio10 going down
Please remove the BVI 1 interface first!
Please remove the BVI 1 interface first!

%CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.200peer_port: 5246
*Nov 23 19:23:54.339: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 10.6 peer_port: 5246
*Nov 23 19:23:54.343: %CAPWAP-5-SENDJOIN: sending Join Request to 10.
*Nov 23 19:23:55.159: %DOT11-5-EXPECTED_RADIO_RESET: Restarting Radio interface Dot11Radio0 due to configuration change
*Nov 23 19:23:55.167: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
*Nov 23 19:23:55.187: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Nov 23 19:23:56.167: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
*Nov 23 19:23:56.207: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
*Nov 23 19:23:56.467: %DOT11-5-EXPECTED_RADIO_RESET: Restarting Radio interface Dot11Radio0 due to channel change from 11 to 1

>>> When I connect the AP to Gi0/1, everything is fine until I get the link light then all goes astray <<<
does mean that
- the RAP succesfully registers to the controller?
- with no switch attached (that is only the power injector connected) the MAP connect succesfully to the RAP?
   (and succesfully register to the controller?)

just to make sure: the RAP connects to the network where the controller is connected
and MAP is the remote site

@pieterh - Without the switch plugged in the RAP and MAP successfully connect to the controller with no issues.  Once the switchport light goes on with switch powered up it just all downhill until a few minutes it connects to the WLC again, but then drops it connection soon after.  When I have the Garretcom switch connected there is no loop network drop but the traffic from the client connection does not get back to the WLC.

* Your Picture above is our exact set up.  What do you mean by remote site?  Our MAP is at the same site about 300 yards from the RAP. 

* When the AP says please remove BVI interface first. Is it referring the BVI on the AP itself or on the Cisco Switch?

* We have lots of Autonomous AP's (Cisco 1602e) that stay connected to the WLC when have a switch plugged into them and pass data on client device. 

Thanks for your help on this issue. 

hi, 
with remote site I mean the site where MAP is connected

the BVI interface exists on the AP, this is the connection (Bridge Virtual Interface) between wireless network and wired network
when manually configuring the AP this needs to be done in a certain order.
I understand this message , but this warning thrown during bootup or when connecting is unknown to me.

=============================================
>>> We have lots of Autonomous AP's (Cisco 1602e) .......<<<
1) are you sure these are not lightweigt AP's ? (but you do manage them using the controller?)
2) if your setup with the 1602 and a switch works as planned , why do you need a different setup?
are the intended RAP and MAP different models than the 1602?
============================================

if your RAP and MAP are configured manually this explains some misunderstanding between us
and also the unexpected errors because the configuration is not fully maintained by the controller.

the document I referenced is based on an AP with EWC (Embedded wireless Controler)
this means there is a virtual controller running on one of the AP's (one physical device, two functions AP and WLC)
but the AP part of the device operates as a lightweight (CAPWAP) AP and is fully configured by the controller (EWC)

when the WLC has full control of the AP and has staged the MAP, then the MAP's configuration must be correct
(exception of bugs in this procedure of course)