Maybe I can clarify this some

Joe Link · ‎07-03-2015

I am working with 2 3560 POE switches that have watchguard AP's attached. I am attempting to separate 2 SSID's by use of vlans. I have setup vlans 10 and 21 and i need to tag traffic from vlan 21. I understand that I have to use "private vlans" to accomplish this but my issue is that I have made vlan 21 an isolated private vlan and set the ports the AP's are connected to as trunk ports to allow both vlans but now that I have that setup the tagged vlan (21) remains administratively shutdown. I am not sure where to go with this now. Int f0/1 is the trunk between the 2 switches and the AP's are connected to ports 4,7,8 on the first switch. When I set the ports the AP's are connected to as "switchport mode access" they are able to connect to the router and pass vlan 10.

no aaa new-model
system mtu routing 1500
vtp domain dm1
vtp mode transparent
ip routing
!
!
!
!
!
!
!
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 10
!
vlan 21
private-vlan isolated
!
vlan 100,140,150
!
!
!
interface FastEthernet0/1
switchport trunk encapsulation dot1q
switchport trunk native vlan 150
switchport mode trunk
no mdix auto
!
interface FastEthernet0/2
switchport trunk encapsulation dot1q
switchport mode trunk
no mdix auto
!
interface FastEthernet0/3
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,140,150
switchport mode trunk
no mdix auto
!
interface FastEthernet0/4
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 10,21
switchport mode trunk
no mdix auto
!
interface FastEthernet0/5
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 10,21
switchport mode trunk
no mdix auto
!
interface FastEthernet0/6
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 10,21
switchport mode trunk
no mdix auto
!
interface FastEthernet0/7
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 10,21
switchport mode trunk
no mdix auto
!
interface FastEthernet0/8
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 10,21
switchport mode trunk
no mdix auto

interface Vlan1
ip address 10.0.10.200 255.255.255.0
!
interface Vlan10
ip address 10.0.5.253 255.255.255.0
!
interface Vlan21
ip address 10.0.21.253 255.255.255.0
shutdown
!

Horacio2021 · ‎07-03-2015

Hi Joe

is the possibility that your AP VLANs are not configured for each SSID

Joe Link · ‎07-03-2015

The config of the AP's was checked by watchguard and the vlans were pushed out from the main router when every thing was on the vlan 1. Shortly after the config was pushed everything associated with vlan 21 stopped. The watchguard tech suggested it was due to the lack of tagging for vlan 21.

Horacio2021 · ‎07-03-2015

cada ssid debe de etiquetarse ,si el puerto no es troncal no pasara trafico, debe de anunciarse en cada dispositivo

Joe Link · ‎07-03-2015

Maybe something was lost in the translation? I don't understand what you trying to say. I am trying to see if I correctly setup the vlans to be tagged and I am looking for an explanation as to why vlan 21 is staying administratively down.

Joe Link · ‎07-03-2015

Maybe I can clarify this some more.

vlan 21
private-vlan isolated - removed this

I am trying to pass over the same physical port, tagged traffic for Vlan 21 and untagged traffic for Vlan 10. Currently only VLAN 10 traffic is being passed and no VLAN 21 traffic is being seen by the router.

All associated trunk ports are set to native VLAN 1.

vlan tagging for wireless AP's