Cisco Support Community

Native Vlan LWAP to Controller

Hi guys,

I had a LWAP connected to a switch trunk port:

Port        Vlans allowed on trunk
Fa1/1       1-4094

LWAP joined the WLC, then I switched it to FlexConnect Mode. I enabled Vlan Support and used Vlan 1 as Native Vlan.

Knowing exactly the site's SSIDs, I went to the switch and "secured the config":

interface fa1/1
 switchport trunk allowed vlan none
 switchport trunk allowed vlan add 5,10


show interfaces FastEthernet 1/1 switchport 
Name: Fa1/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Trunking VLANs Enabled: 5, 10

Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL


I did this assuming that the LWAP would communicate with the controller on native VLAN 1, while VLANs 5 and 10 had to be mapped to the site's two SSIDs. As you probably assume, the LWAP got disconnected from the controller.

I had to run switchport trunk allowed vlan add 1, and finally things went back to how they were.

Why did the native VLAN also have to be allowed on the tagged VLAN list?

VIP Purple

Hi Florin,


You must allow the native VLAN in the switch port config for the AP. The access point needs IP connectivity on the native VLAN.

This is the example:

interface FastEthernet1/1
 description *** AP ***
 switchport trunk encapsulation dot1q
 ! AP Management VLAN
 switchport trunk native vlan 1
 ! VLANs attached to various SSIDs
 switchport trunk allowed vlan 5,10
 switchport mode trunk
 switchport nonegotiate


More to check here:



Don't forget to rate helpful posts

Hello Sandeep,

Thanks for replying.

I found out the hard way that having the VLAN added is needed; still, I would love to understand the underground requirement.

VIP Purple

Hi Florin,

As per my exp:

1. When you use an IEEE 802.1Q trunk port, all frames are tagged except those on the VLAN configured as the native VLAN for the port. Frames on the native VLAN are always transmitted untagged and are normally received untagged. Therefore, when an Access Point (AP) is connected to the switchport, the native VLAN configured on the AP must match the native VLAN configured on the switchport.

2. To support the AP management (with connection to WLC)

3. As per your post, switchport trunk allowed vlan none means you don't want to allow any VLAN on this trunk port.


Don't forget to rate helpful posts

New Member

Florin -

Vlan 1 had to also be allowed because of the command you issued:

switchport trunk allowed vlan none

This command effectively prevents any vlans (tagged or untagged) from passing across the trunk link.  Be aware the trunk link will remain in an On state even though you have blocked all vlans from passing through it.  So think of the switchport trunk allowed set of commands as a block/allow set of rules that exists independently of the configuration requirements to create a trunk link such as one native vlan being established/encapsulation being set/negotiation being set.





P.S. here is a link that will help explain it in more detail
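
The failure in this thread can be caught before an AP drops off its controller. The following is an added example, not part of the original thread: a Python check that parses show interfaces switchport output and reports trunk ports whose native VLAN is missing from the allowed list. The function names and the trimmed sample text are assumptions made for the example, and it assumes the allowed list fits on one output line.

```python
import re

# Constructed sample: trimmed `show interfaces ... switchport` output from the
# original post, as it looked before VLAN 1 was added back to the trunk.
SAMPLE = """\
Name: Fa1/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: 5, 10
Pruning VLANs Enabled: 2-1001
"""

def expand_vlans(spec):
    """Expand a VLAN list such as '1-4,10', 'ALL' or 'NONE' into a set of IDs."""
    spec = spec.strip().upper()
    if spec == "ALL":
        return set(range(1, 4095))
    if spec in ("", "NONE"):
        return set()
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit_trunks(show_output):
    """Return [(port, native_vlan)] for trunks whose native VLAN is filtered out."""
    findings = []
    # Each interface section in the output starts with a 'Name:' line.
    for block in re.split(r"(?m)^(?=Name:)", show_output):
        name = re.search(r"(?m)^Name:\s*(\S+)", block)
        mode = re.search(r"(?m)^Operational Mode:\s*(\S+)", block)
        native = re.search(r"(?m)^Trunking Native Mode VLAN:\s*(\d+)", block)
        allowed = re.search(r"(?m)^Trunking VLANs Enabled:\s*(.*)$", block)
        if not (name and mode and native and allowed):
            continue  # incomplete section, nothing to compare
        if mode.group(1) != "trunk":
            continue  # access ports have no allowed-VLAN filter to check
        if int(native.group(1)) not in expand_vlans(allowed.group(1)):
            findings.append((name.group(1), int(native.group(1))))
    return findings

if __name__ == "__main__":
    for port, vlan in audit_trunks(SAMPLE):
        print(f"{port}: native VLAN {vlan} is not in the trunk allowed list")
```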

