Wireless Troubleshooting

Lab Objectives

• Troubleshoot common wireless-related L2/L3 problems: AP not joining, clients not connecting, and VLAN mapping errors on the wired infrastructure that supports wireless.
• Apply and verify corrective configuration on switches and routers so wireless traffic is carried and routed correctly.

Tip: Wireless issues are often rooted in the wired network — trunking, VLANs and SVI reachability are frequent culprits. Fix the wire first, then the wireless.

Topology (BASE LAB TOPOLOGY — exact IPs shown)

                    [Internet]
                   203.0.113.1
                        |
                   R1 (Gateway)
                  Gi0/0: 10.10.10.1
                  Gi0/1: 10.10.20.1
                  Gi0/2: 10.10.30.1
                  /     |     \
               R2      R3      R4
   Gi0/0: 10.10.10.2   |   Gi0/0: 10.10.30.2
   Gi0/1: 10.10.40.1   |
              /  \      |
           S1    S2    S3
          /  \    |   /  \
        PC1  PC2 PC3 PC4  PC5

IP subnets used in this lab:

• 10.10.10.0/24 — R1 <> R2
• 10.10.20.0/24 — R1 <> R3
• 10.10.30.0/24 — R1 <> R4
• 10.10.40.0/24 — R2 <> S1
• 192.168.1.0/24 — VLAN 10 (Sales)
• 192.168.2.0/24 — VLAN 20 (Engineering)
• 192.168.3.0/24 — VLAN 30 (Management)
• 203.0.113.0/24 — Public/Internet simulation

Key terms introduced:

• Trunk — carries multiple VLANs across a single link using 802.1Q tags.
• SVI (Switched Virtual Interface) — a logical L3 interface for a VLAN on a multilayer switch.
• VLAN — separation of broadcast domains. Wireless SSIDs are typically mapped to VLANs on the wired switch.

Lab Tasks (Try It Yourself First!)

Complete these tasks WITHOUT looking at the solution below. Use ? and show commands to figure it out.

Task 1: Fix AP Trunking

The AP is connected to S1 but cannot reach the wireless controller or management subnet. Configure the switchport where the AP connects as a 802.1Q trunk carrying VLANs 10, 20 and the management VLAN 30. Do NOT change the router.

Parameters: trunk encapsulation dot1q, trunk mode, allow VLANs 10,20,30.

Task 2: Create SVIs for wireless VLANs

On the switch acting as the L3 boundary (S1), create SVIs for VLAN 10, 20 and 30 with gateway addresses:

• VLAN 10 -> 192.168.1.1/24
• VLAN 20 -> 192.168.2.1/24
• VLAN 30 -> 192.168.3.1/24 Enable IP routing on the switch so inter-VLAN traffic can be forwarded to R1.

Task 3: Verify and correct VLAN mapping for wireless clients

A wireless client in the Sales SSID should be in VLAN 10. Verify the access port mapping for the wired port that the AP uses for untagged (management) traffic and for any wired access ports for client devices. Fix an incorrect access VLAN if you find one.

Think About It: Why will an AP fail to provide client connectivity if its switchport is an access port in VLAN 99 while the AP expects a trunk with tags for multiple SSIDs?

---

Lab Solution

Task 1 Solution: Fix AP Trunking

What we are doing: Convert the port connected to the AP into a 802.1Q trunk so the AP can carry multiple SSID VLANs (tagged) and keep a management VLAN (native/untagged or tagged depending on controller design). This is needed because APs use VLAN tags to separate SSID traffic; if the switchport is an access port the AP cannot tag traffic and the controller/SSID mapping will break.

! Enter interface for the AP physical port (example interface E0/1)
interface E0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
!

What each command does and why it matters:

• interface E0/1 — selects the physical switch port to configure (this is where the AP is plugged).
• switchport trunk encapsulation dot1q — selects 802.1Q tagging for trunks. Required so tagged VLAN frames can be carried.
• switchport mode trunk — makes the port operate as a trunk, allowing multiple VLANs.
• switchport trunk allowed vlan 10,20,30 — limits which VLANs are carried; prevents unexpected VLANs being forwarded.

Verify:

show interfaces trunk

Expected output excerpt (illustrative — exact formatting depends on IOS):

Port        Mode         Encapsulation  Status        Native vlan
E0/1        on           802.1q         trunking      1

Port        Vlans allowed on trunk
E0/1        10,20,30

Port        Vlans in spanning tree forwarding state and not pruned
E0/1        10,20,30

Task 2 Solution: Create SVIs for wireless VLANs

What we are doing: Create Layer-3 interfaces (SVIs) for each wireless VLAN so the AP and wireless clients have a gateway. Enable IP routing so the switch routes between VLANs and towards R1.

! Enable IP routing on the switch so SVIs are active and routeable
ip routing

! Create VLAN interfaces and assign IP addresses
interface vlan 10
 ip address 192.168.1.1 255.255.255.0
 no shutdown
!
interface vlan 20
 ip address 192.168.2.1 255.255.255.0
 no shutdown
!
interface vlan 30
 ip address 192.168.3.1 255.255.255.0
 no shutdown
!

What each command does and why it matters:

• ip routing — enables Layer-3 switching so the switch can route between VLANs and to upstream routers.
• interface vlan X — creates the SVI for VLAN X; this becomes the default gateway for hosts in that VLAN.
• ip address ... — assigns the gateway IP for that VLAN.
• no shutdown — enables the SVI. Without this the SVI stays administratively down and hosts cannot reach their gateway.

Verify:

show ip interface brief

Expected relevant lines:

Interface              IP-Address      OK? Method Status                Protocol
Vlan10                 192.168.1.1     YES manual up                    up
Vlan20                 192.168.2.1     YES manual up                    up
Vlan30                 192.168.3.1     YES manual up                    up

Also verify the running-config for each SVI:

show running-config interface vlan 10

Expected output excerpt:

interface Vlan10
 ip address 192.168.1.1 255.255.255.0
 no ip route-cache
 no shutdown
!

Task 3 Solution: Verify and correct VLAN mapping for wireless clients

What we are doing: Confirm that the AP’s management/native VLAN and the wired client ports are mapped to the correct VLANs. If a Sales client is placed in VLAN 20 instead of VLAN 10, they will get the wrong gateway and cannot reach resources.

Example: Fix a wired client port (E0/2) that was mistakenly placed in VLAN 20 but should be VLAN 10.

! Check the port status and VLAN assignment
show interfaces status

! Correct the access port to VLAN 10
interface E0/2
 switchport mode access
 switchport access vlan 10
!

What each command does and why it matters:

• show interfaces status — quick view of ports and assigned VLANs; helps spot mismatches.
• interface E0/2 — selects the client port.
• switchport mode access — ensures the port is an access port (untagged).
• switchport access vlan 10 — places the port in VLAN 10, matching the Sales SSID mapping.

Verify:

show vlan brief

Expected relevant output:

VLAN Name                             Status    Ports
10   Sales                           active    E0/2, (other ports...)
20   Engineering                     active    E0/3
30   Management                      active    E0/1 (if native mgmt)

Also verify the specific interface:

show running-config interface E0/2

Expected excerpt:

interface E0/2
 switchport mode access
 switchport access vlan 10
!

---

Troubleshooting Scenario

Scenario: AP not joining controller / Clients cannot get to gateway

Symptom: AP LEDs show no controller, and wireless clients cannot ping 192.168.1.1 (Sales gateway). Wired clients in VLAN 10 can ping the gateway.

Your task: Find and fix the issue.

Hint: The switchport to the AP is configured as an access port; the AP needs to tag SSID VLANs.

Solution:

• Confirm the AP port is set to access:

show running-config interface E0/1

• If output shows switchport mode access, change to trunk:

interface E0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30

• Verify with:

show interfaces trunk

Explanation: The AP requires a trunk so it can send/receive tagged frames for multiple SSIDs; as an access port it could only be on one VLAN and the controller or SSID VLANs would be unreachable.

---

Verification Checklist

• AP port is configured as trunk with dot1q and carries VLANs 10, 20, 30.
• SVIs for VLANs 10/20/30 exist and are up with correct IPs (192.168.1.1/2/3).
• Wired/wireless client ports map to the correct VLANs (Sales -> VLAN 10, etc).
• Clients can ping their gateway (e.g., PC -> 192.168.1.1).

Common Mistakes

Symptom	Cause	Fix
AP cannot join controller	AP port is an access port (no tags)	Make the port a trunk: switchport trunk encapsulation dot1q + switchport mode trunk
Wireless clients can't reach gateway	SVI missing or admin down	Create SVI: interface vlan X + ip address ... + no shutdown; enable ip routing if needed
Client placed in wrong VLAN	Wrong switchport access vlan on port	Change access VLAN: switchport access vlan <correct>
VLANs not carried to upstream	Trunk allowed VLANs do not include required VLAN	Update switchport trunk allowed vlan to include the VLAN

Warning: Changing the native VLAN on trunks without coordination can drop untagged management frames. Always plan native VLAN changes.

Challenge Task

Add DHCP for VLAN 10 on the router R2 (actors: R2 Gi0/1 -> 10.10.40.1 link to S1). Configure a pool on R2 to hand out 192.168.1.0/24 addresses to Sales wireless clients. Verify a wireless client receives an IP from 192.168.1.0/24 and can reach the internet via R1. (No step-by-step given — use your knowledge of DHCP pools and routing.)

Real-world insight: In production wireless deployments, the wired network must be engineered to carry VLANs and maintain SVI reachability before wireless controllers or APs will function correctly. Misconfigured trunking or missing SVIs are the most common root causes of “wireless” outages.