01-06-2018 11:28 AM
Hi
I am re-configuring my test network and an unexpected error has occurred. I am in the first stage of moving devices to appropriate VLANs. The VLANs used by the two SSIDs are circled in the screenshot below -
The phone attaches to either of the SSIDs as selected -
However, the Access Point is reporting an error -
Doubtless, I've done something silly, but I am a little surprised at the mention of VLAN 0.
Any suggestions greatly welcomed.
01-06-2018 11:42 AM
Have you tried getting the phone to release and renew its DHCP address? It may be holding onto its last lease assignment.
01-06-2018 12:57 PM
Philip
Thanks for your interest.
I just tried getting the phone to forget both networks so it was unattached and then re-attached to VLAN 111 Analytics (via the Enigma SSID). I still get the same error message and the orange status on the AP.
The default is VLAN 1 not 0. The switch and the AP are on the management VLAN 11. Eventually, I intend removing VLAN 1 and I do not see that I need VLAN 0 (is that a normal VLAN?), if everything is specifically assigned?
I'm a bit puzzled.
01-06-2018 01:22 PM
My assumptions are that the error message is for the AP not the phone. How's the AP configured, is it configured to receive an IP address via DHCP? Make sure there is no VLAN tagging set on the AP's DHCP configuration as I assume it's already being tagged at the Switch port? (Double tagging could cause this error message)
01-06-2018 02:23 PM
Thanks for your suggestion - the screenshot below shows how the AP is configured -
Both the SSIDs function as expected. The AP is getting its IP address from the correct VLAN DHCP server. I am not sure where to go looking for more causes . . .
01-06-2018 02:35 PM
Try checking the config on the local status page. Particularly the VLAN assigned there.
If it all still looks correct perhaps give the AP a power cycle.
To me, everything looks configured correctly.
01-06-2018 02:37 PM
You mention a switch.
So you have an MX, and on LAN1 it connects to a switch? And then the AP plugs into that switch?
01-06-2018 11:34 PM
01-06-2018 11:32 PM
I've accessed the local pages for the switch (MS220-8P) and the AP, everything appears to be Healthy.
However, I checked the entry on the switch port page and it shows that the port the switch is connected to has
Native VLAN - 11
Allowed VLAN - 11, 111, 1001
(11 Management, 111 Analytics, 1001 Isolated Guests)
- is this correct?
01-06-2018 11:40 PM
You have two choices:
1. Configure the native VLAN as "1". Nothing will use it, as you have everything configured to use other VLANs.
2. Leave the native VLAN as 11 but change the AP backup to using VLAN1 - which will actually end up on VLAN11.
01-06-2018 11:41 PM
Sorry this is between the switch and the MX.
I would make the native VLAN "1", and configure the switch to use VLAN11 as its management VLAN via the local status page on the switch.
01-07-2018 12:42 AM
Double tagging is the issue here. As @Philip D'Ath has stated, the Native VLAN is 11 and the AP is using VLAN 11 for its DHCP requests when the Native VLAN is already VLAN 11.
As @Philip D'Ath has mentioned, change the Native VLAN back to 1 and this will resolve the issue.
01-07-2018 01:26 AM
Thanks for your help guys, it is much appreciated.
As you both predicted, changing the native VLAN for the AP(s) back to 1 solved the problem.
Because of my background, I'd prefer it if there was not a default VLAN, and to avoid using VLAN 1, because both 0 and 1 are predictable and often default values.
I'm trying to develop a core architecture that can act as a template for future deployments, rather than configure on a one-off basis.
I am not a network engineer, so what is obvious to everybody else is not always obvious to me. As I said before, your assistance is much appreciated.
Robin
01-07-2018 01:29 AM
You can choose a non-existent VLAN to be the default if you want, like 123. But you must configure it as the native VLAN on each side of a trunk link.
01-07-2018 01:07 PM
No problem @Uberseehandel, glad that we could be of assistance. As @Philip D'Ath has stated above, if you believe keeping VLAN 1 as the default Native VLAN is insecure/vulnerable, change it to another unused VLAN number in your design; just ensure that you change the Native VLAN on all other links to reflect it.
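
An added example, not part of any post in this thread: a small Python audit that a deployment template could run over each trunk link to catch the two conditions discussed above (a device tagging its management traffic with the port's native VLAN, and a native VLAN that differs between the two ends). The VLAN IDs come from the thread; the device labels, finding codes and the `mgmt_tag` field are hypothetical names chosen for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class TrunkEnd:
    device: str                      # constructed label, not a real hostname
    native_vlan: int                 # untagged VLAN on this end of the link
    allowed: frozenset               # VLAN IDs permitted on the trunk
    mgmt_tag: Optional[int] = None   # VLAN the device tags its own management/DHCP traffic with

def audit_trunk(a, b, forbidden_native=frozenset()):
    """Return (code, where) findings for one trunk link between ends a and b."""
    findings = []
    # Both ends must agree on which VLAN travels untagged.
    if a.native_vlan != b.native_vlan:
        findings.append(("NATIVE_MISMATCH", f"{a.device}<->{b.device}"))
    for end, peer in ((a, b), (b, a)):
        if end.mgmt_tag is not None:
            if end.mgmt_tag == peer.native_vlan:
                # The condition the thread identified: AP tags VLAN 11
                # while the port's native VLAN is already 11.
                findings.append(("TAG_EQUALS_NATIVE", end.device))
            elif end.mgmt_tag not in peer.allowed:
                findings.append(("TAG_NOT_ALLOWED", end.device))
        # Optional policy, e.g. "never use VLAN 1 as native".
        if end.native_vlan in forbidden_native:
            findings.append(("FORBIDDEN_NATIVE", end.device))
    return findings

VLANS = frozenset({11, 111, 1001})   # Management, Analytics, Isolated Guests (from the thread)

# Constructed sample data modelled on the thread.
BEFORE = (TrunkEnd("switch-port", 11, VLANS), TrunkEnd("ap", 11, VLANS, mgmt_tag=11))
# Unused native VLAN 123 on both sides, as suggested in the replies.
TEMPLATE = (TrunkEnd("switch-port", 123, VLANS), TrunkEnd("ap", 123, VLANS, mgmt_tag=11))
# Native VLAN changed on one side only.
ONE_SIDED = (TrunkEnd("switch-port", 123, VLANS), TrunkEnd("ap", 1, VLANS, mgmt_tag=11))

if __name__ == "__main__":
    for name, (a, b) in (("before", BEFORE), ("template", TEMPLATE), ("one-sided", ONE_SIDED)):
        print(name, audit_trunk(a, b, forbidden_native={1}))
```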