Traffic prioritisation on trunked switch port

Similar Messages

• Switch Port Trunk allowed Vlan

  Hi Guys
  Request your help on my query :
  I have a distribution switch  and access switch and port channel between them.
  Dist switch is the VTP server
  lets assum I have 25 vlan
  when I do show vlan brief on the access switch I can see all 25 vlans listed now
  no when I configure switch port trunk allowed vlan (ex : permitting 10 vlans )on the link connecting to access switch at Dist switch
  Dist switch po1 -- connecting to - po Access switch
  Dist switch #
  int po1
  switch port trunk alllowed vlan x,x,x,x,x,x,x,x,x,
  After permitting 10 vlan through trunk allowed vlan and then when I do show vlan brief on the access switch , I should see only the 10 vlan whcih I have permiited right ?
  Thanks in advance  

  Hi,
  John is absolutely correct - even if you do not permit a VLAN on a trunk, it can still provide communication among local ports on a switch that are all assigned to the same VLAN.
  I have a feeling that your original question was focused on a different aspect, though: You probably expected that if you exclude some VLANs from trunks, these VLANs will not be propagated via VTP to surrounding switches. Sadly, this is not the case. The switchport trunk allowed vlan command only affects data traffic in individual VLANs but it has no impact on the operation of VTP protocol. The VTP still advertises all VLANs, regardless of which VLANs are allowed on a trunk. To put it plainly, in a VTP domain, all server/client switches will know about all VLANs. THere is no legal possibility of having a single VTP domain consisting of server/client switch and yet have the switches differ in their VLAN database contents. It's as easy as that: one VTP domain = one big common VLAN database.
  Best regards,
  Peter

• ISCSI & Server LAN Traffic in Same Trunk Port

  Hi,
  I plan to use a Cisco UCS Rack mountable C200 server with a dual port PCIe card with TOE iSCSI. Is it acceptable to:
  To use just one dual port PCIe card for both iSCSI storage traffic and server LAN traffic - separated by VLANs? - With the ports connected two upstream swtches (for redundancy) and the switch ports configured as Trunks for both iSCSI & data VLANs??
  To use 1GE TOE iSCSI ports instead of 10GE TOE iSCSI ports
  To use a TOE iSCSI port for server data VLAN traffic??

  Yes doable. Also you can mark iSCSI with cos 2 and 9000 MTU with certain badwidth gaurantee for your iSCSI traffic and rest stays in default queue.
  class-map type qos iSCSI-qos-class
       match cos 2
  policy-map type qos iSCSI-qos-policy
       class iSCSI-qos-class
            set qos-group 2
       class class-default
            set qos-group 0
  class-map type queuing iSCSI-queuing-class
       match qos-group 2
  policy-map type queueing iSCSI-queuing-policy
       class type queuing iSCSI-queuing-class
            bandwidth percent 30
       class type queuing class-default
            bandwidth percent 70
  class-map type network-qos iSCSI-network-class
       match qos-group 2
  policy-map type network-qos iSCSI-network-policy
       class type network-qos iSCSI-network-class
            mtu 9216
       class type network-qos iSCSI-network-class
            mtu 1500
  system qos
       service-policy type qos input iSCSI-qos-policy
       service-policy type queueing output iSCSI-queuing-policy
       service-policy type network-qos iSCSI-network-policy

• LMS 4.2 - How do I find switch ports that are configured as trunks.

  I've been tasked with finding all switch ports that are configured as Trunks. We plan to use LMS 4.2 to push (via Netconfig) new interface level commands to all user (non-trunked) ports. From my experience, this poses a problem because we do not know which ports are configured as trunks -vs- user ports.
  Using Netconfig is not going to be easy since there is no way to script this. It would be great if I could run a show command on a switch and then have CWSI peform a change based upon the output.
  In other words, we need a way to run a job based upon the output of a command.
  Is there a section of LMS that I could use for help with this?
  Thanks,

  You need to go to Monitoring>Dashboard. Here Just click the switch in the Llisted device and then click the interface you will find the all the down and Up interface with type of configuration (i.e. Trunk or Access.)

• Switch port in dot1x multi-auth mode stops passing traffic

  Dear All,
  I am experiencing a problem on a Catalyst 4510 (cat4500-ipbasek9-mz.122-53.SG.bin) with 802.1x configured. Client PCs are connected via a mini desktop switch to a Cat 4510 switched port in multi-auth mode. The configuration of the port follows:
  interface GigabitEthernet2/34
  switchport mode access
  ip arp inspection limit rate 30
  authentication host-mode multi-auth
  authentication port-control auto
  authentication periodic
  authentication timer reauthenticate server
  dot1x pae authenticator
  dot1x timeout tx-period 5
  dot1x max-reauth-req 6
  spanning-tree portfast
  ip verify source vlan dhcp-snooping
  end
  It happens from time to time that the Cat 4510 port stops passing traffic. Reconnecting the mini switch recovers the communication. Client PCs connected to the mini switch seem to be authorized at the moment when the problem occures. The RADIUS Termination-Action attribute is set to RADIUS-Request. The problem is not present if "authentication periodic" is disabled.
  Did anyone experience a simmilar problem? Any advice?
  Thanks.
  Mirek

  We have the same issue on 3750E switch running 12.2.(58)SE

• Traffic on interfaces trunk - Network Ingraestructure

  I wanted to know if it is normal that all traffic on my network this through all trunk ports of switches
  I set a sniffer and a switch connected without any connection trunk only to validate, the sniffer see that you are getting all network traffic through the trunk.
  What can be causing this behavior and what considerations should be taken apart filtering vlans?
  Regards.

  Now I might have misunderstood your concern but I'll give it a shot:
  Trunks carry traffic for multiple vlans and with no filtering in place they carry traffic for all vlans configured, normally you will see broadcasts e.g. DHCP or ARP requests going through all the trunk ports on a switch (that are not STP Blocking). This is normal behaviour.
  However if your sniffer is picking up a lot of packets that are meant for unicast destinations going out all trunk ports and also being captured by your sniffer over some time, then could be something else. CAM Overflows result in the switch flooding packets out all ports that are in the same vlan and out all trunk ports on which the vlan is allowed. This would result in the behaviour you observed. you can use the show mac address-table count to verify mac address space.
  Hope this helps

• Vlan x traffic block on trunk

  Hi ,
  Can someone please explain me why a trunk link, between two cisco switch, not allow a vlan x  traffic if vlan x is not locally configured ?
  In my lab I have three switch (2950 but it is the same with 2960 3750 etc).
  Switch 1 is connected by trunk to switch 2 and switch 2 is connected by trunk to switch 3.
  Switch 1 and switch 3 has configured vlan 10 and interfaces vlan 10 instead Switch 2 has not configured vlan 10
  Vtp is disabled (transparent mode) in all switch
  Switch 2 not permit switch1 to ping switch3 until I not configure vlan 10.
  2950#sh int fa 0/9 status
  Port      Name               Status       Vlan       Duplex  Speed Type
  Fa0/9                        connected    trunk      a-full  a-100 10/100BaseTX
  2950#sh int fa 0/9 trun
  Port        Mode         Encapsulation  Status        Native vlan
  Fa0/9       on           802.1q         trunking      1
  Port      Vlans allowed on trunk
  Fa0/9       1-4094
  Port        Vlans allowed and active in management domain
  Fa0/9       1-2,11,101
  Port        Vlans in spanning tree forwarding state and not pruned
  Fa0/9       1-2,11,101
  2950#sh vtp status
  VTP Version                     : 2
  Configuration Revision          : 0
  Maximum VLANs supported locally : 128
  Number of existing VLANs        : 8
  VTP Operating Mode              : Transparent
  VTP Domain Name                 : daniele
  VTP Pruning Mode                : Disabled
  VTP V2 Mode                     : Disabled
  VTP Traps Generation            : Disabled
  MD5 digest                      : 0x63 0x6C 0xF9 0xF6 0xB9 0xDC 0xBE 0xF3
  Configuration last modified by 192.168.0.103 at 0-0-00 00:00:00
  2950#
  It seem that vlan 10 is pruned but I don't understand why (vtp is disabled)
  Thanks a lot for you help
  Daniele

  Hi lnrdnl78d,
  so will give this ago not quite sure how a uploaded images looks,
  i have mocked up what i have understood from your explanation so feel free to correct me if i have got this wrong :) 
  however assuming in this situation that VTP is enabled (which i know you have disabled in yours, but hoping this helps)
  in this situation client 1 sends a broadcast to client two.
  with VTP pruning enable switch 2 will learn that switch 4 has no ports connected to VLAN 2
  so the trunk link to Switch 4 will have VLAN 2 pruned from the trunk link
  but   2 and 3 will receive the broadcast and switch 3 will be the only one to forward it out the connected port
  from my understanding this is what you have configured in your lab apart from switch 4 but added it to fit the example
  does this help demonstrate it at all or am i way off ?

• Jabber and Meida Interface Service - Switch port

  Hi All,
  here is from Cisco:
  Before Cisco Jabber for Windows sends audio media or video media, it checks for Cisco Media Services Interface .
  • If the service exists on the computer , Cisco Jabber for Windows provides flow information to Cisco Media Services Interface . The service then signals the network so that routers classify the flow and provide priority to the Cisco Jabber for Windows traffic.
  • If the service does not exist, Cisco Jabber for Windows does not use it and sends audio media and video media as normal.
  My Question is : what does normal means?
  1- we can identify ports for Jabber in CUCM, then create ACL and apply QoS.in that Case what " Normal Traffic " means?
  2- for MSI, do we need to configure anything on the switch port to work peoperly?
  3- How switch knows which Qos to apply based on what MSI saying? still needs an ACL, if yes, what s apoint of using MSI dfor Qos?
  Thanks,
  Hamed

  This would be EF for voice, AF41 for video/voice, and CS3 for SIP signal. Two things typically cause this to get treated as best effort:
  The Windows PC is not allowing the application to set DSCP markings. Group or local security policy can be used to allow this
  The switch is not trusting the data VLAN. Most SRND material suggests using a policer to limit the amount of EF/AF41/CS3 traffic from the data VLAN and to remark the violation traffic to best effort.
  You'll want to start with the MediaNet Deployment Guide. There is a lot going on to make this work.
  The MSI tells the switch what application and ports are being used. The switch then sets the DSCP marking on that traffic.
  Please remember to rate helpful responses and identify helpful or correct answers.

• Two VLANs on one switch port?

  Currently we have the following
  Cat 4003 with VLAN trunking turned on to multiple switches. Each port in those exterior switches is assigned to a vlan(we have about 60 different vlans).
  What I would like to do is on those exterior switches have two vlans assigned to it.
  We'd like to create a single IP Phone VLAN(let's call it 999) that can span our entire enterprise and would have dhcp deployed on it.
  Each port is connected to an IP phone which has a 2 port switch in them. One port to the wall, one to the pc.
  The switch ports on those phones support vlan tagging
  How would setup an exterior switch to access 2 vlans that connect to 2 port switch on an IP phone?

  To facilitate ease of deployment, use VTP so that you can centrally create the vlans and propagate to each exterior switch. Now I believe you already do have a layer 3 engine or router that does routing between all these vlans. What switches are used on teh exterior ? This is to find out if voice vlan support is available.
  In cat switches, voice vlan is created using command,
  set port auxiliaryvlan vlan
  In IOS based switches,
  int fa0/1
  switchport mode trunk
  switchport trunk encap dot1q
  switchport trunk native vlan
  switchport voice vlan
  switchport priority cos extend 0
  or
  int fa0/1
  switchport mode access
  switchport access vlan
  switchport voice vlan
  I am not sure about support of voice/aux vlan in 4003. We will have check your other switch models/ software versions to determine support for this command.

• Can't get switch ports to work

  Okay so I have a basic home lab, 2600 router x2 and 2900 XL switch x 2. I've connected each router together (they "see" each other in cdp), and each router to one switch. My problem is that the interfaces that the router connects to the switch won't accept an ip address, (it says unrecognized command) and the switch lights are off). A "show status" says only the trunk port (22 on each switch) are connected. I've checked the cabling, it works, and the cables are out of the box. What am I missing/forgetting?
  Sorry if i newb :\ I'm Looking forward to going over static routes xD
  Thanks,
  Devlin
  (I looked throught the documentation, maybe I missed it? I did a config reset on the switches. I bought these used, I hope they aren't broken :\)

  No, they don't work, POST is fine (The switches boot normally), CABLING IS FINE, they are NOT admin down
  Switch1#sho run
  Building configuration...
  Current configuration:
  version 12.0
  no service pad
  service timestamps debug uptime
  service timestamps log uptime
  no service password-encryption
  hostname Switch1
  ip subnet-zero
  !!!!! Omitted fa ports 1-24
  interface VLAN1
  no ip directed-broadcast
  no ip route-cache
  line con 0
  transport input none
  stopbits 1
  line vty 5 15
  end
  Switch1#sho int status
  Says every port except the ports trunking between the two switches is "not connected"
  !!!!!HERES AN EXAMPLE OF ON OF THE DOWN SWITCHPORTS!!!!!
  Switch1#sho int fa0/1
  FastEthernet0/1 is down, line protocol is down
  Hardware is Fast Ethernet, address is 00b0.647f.6681 (bia 00b0.647f.6681)
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec, reliability 255/255, txload 1/255, rxload 1/255 Encapsulation ARPA, loopback not set Keepalive not set Auto-duplex , Auto Speed , 100BaseTX/FX ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output 1d23h, output hang never Last clearing of "show interface" counters never Queueing strategy: fifo Output queue 0/40, 0 drops; input queue 0/75, 0 drops
  5 minute input rate 0 bits/sec, 0 packets/sec 5 minute output rate 0 bits/sec, 0 packets/sec 1 packets input, 64 bytes Received 0 broadcasts, 0 runts, 0 giants, 0 throttles 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
  0 watchdog, 0 multicast 0 input packets with dribble condition detected
  2 packets output, 424 bytes, 0 underruns
  0 output errors, 0 collisions, 1 interface resets 0 babbles, 0 late collision, 0 deferred 0 lost carrier, 0 no carrier 0 output buffer failures, 0 output buffers swapped out
  Switch1# sh version
  Cisco Internetwork Operating System Software
  IOS (tm) C2900XL Software (C2900XL-C3H2S-M), Version 12.0(5)WC8, RELEASE SOFTWAR
  E (fc1)
  Copyright (c) 1986-2003 by cisco Systems, Inc.
  Compiled Thu 19-Jun-03 13:09 by antonino
  Image text-base: 0x00003000, data-base: 0x0034E2F4
  ROM: Bootstrap program is C2900XL boot loader
  Switch1 uptime is 1 day, 23 hours, 31 minutes
  System returned to ROM by power-on
  System image file is "flash:c2900xl-c3h2s-mz.120-5.WC8.bin"
  cisco WS-C2924M-XL (PowerPC403GA) processor (revision 0x11) with 8192K/1024K byt
  es of memory.
  Processor board ID FAA0402G17B, with hardware revision 0x03
  Last reset from power-on
  Processor is running Enterprise Edition Software
  Cluster command switch capable
  Cluster member switch capable
  24 FastEthernet/IEEE 802.3 interface(s)
  32K bytes of flash-simulated non-volatile configuration memory.
  Base ethernet MAC Address: 00:B0:64:7F:66:80
  Motherboard assembly number: 73-3425-10
  Power supply part number: 34-0920-01
  Motherboard serial number: FAA04019FEM
  Power supply serial number: NONE
  Model revision number: A0
  Model number: WS-C2924M-XL-EN
  System serial number: FAA0402G17B
  Configuration register is 0xF
  I'm really desperate here I have no idea what the problem is, and I cannot prepare for the exam without being able to assign ip addresses to the switch ports. If anyone can help me I would be EXTREMELY grateful.
  Thanks
  Devlin

• Cisco Prime Infrastructure 2.0 Alarms (switch port down)

  We have a cisco Prime Infrastructure 2.0 managing switches, routers and AP.
  By default, when a port of a switch goes down, the cisco Prime Infrastructre generates a Critical Alarm for that. (this is a problem, because every phone of laptop disconnection will generate a critical alarm for me)
  I found out that if we go to Administration --> Alarm Severity --> Link down, I can change the Alarm from Critical to another type of alarm.(ex: warning)
  The problem is that I want to keep the Critical Alarm for my Uplinks ports and for some important switch ports, and I would like to make the alarm as warning for the normal user ports.
  I know that I can create Port Groupping and add ports to each group and apply monitoring templates on those groups. But This couldn't Help me solving my alarm problem.
  So I just need to know how to manage the alarms severity for each group of ports.
  Thank you

  Hi,
  Same problem here.
  I am using Cisco Prime Infrastructure 2.0 (evaluation version for 60 days). I want to deploy port monitoring for my trunk ports between switches and some other important ports e.g. servers. Basically I want to get alarms when these ports are down, there are errors on ports and etc.
  So in Design>Port Grouping I created User Defined group with important ports. In Deploy>Monitoring Deployment I selected Interface Health (default)>Deploy selected Port Groups and when selected port group I created.
  Now the rule shows Deployed: Yes and Status: Active. After that I just pulled out one port which was in monitored group, waited 5min as it is set in Interface Health (default) template, and nothing happened, and worse, alarms started to show up of other ports where regular users are connected (computers was turned off), which I do not want to see at all. I tried redeploy template, I even created my own template but still no desired result.
  Any suggestions how to make port monitoring work?

• Template(best practice) for Switch ports

  Hi,
  Looking for best practice advice on switchport config for client facing ports.
  We recently had an incident where an access port turned into a trunk(trunk mode desirable), which we obviously do not want to happen again!
  For Access Ports(First two should stop DTP I'm hoping?):
  switchport mode access
  switchport nonegotiate
  storm-control broadcast level 20.00
  storm-control action trap
  no cdp enable
  spanning-tree portfast
  spanning-tree bpdufilter enable
  spanning-tree guard root
  switchport port-security maximum 10
  switchport port-security
  switchport port-security aging time 10
  And for trunk ports to clients:
  switchport trunk encapsulation dot1q
  switchport mode trunk
  switchport trunk allowed vlan xxx,xxx
  switchport nonegotiate
  storm-control broadcast level 20.00
  storm-control action trap
  no cdp enable
  spanning-tree bpdufilter enable
  spanning-tree guard root
  Thanks in advance.

  Look here: http://www.cisco.com/en/US/docs/solutions/Enterprise/Branch/E_B_SDC1.html#wp68930
  That's Cisco's branch design doc from Design Zone.
  For those that want a fast answer:
  For VoIP phones and PC:
  interface GigabitEthernet1/0/6 - interface GigabitEthernet1/0/23
  description phone with PC connected to phone
  switchport access vlan 102
  switchport mode access
  switchport voice vlan 101
  switchport port-security maximum 2
  switchport port-security
  switchport port-security aging time 2
  switchport port-security violation restrict
  switchport port-security aging type inactivity
  ip arp inspection limit rate 100
  load-interval 30
  srr-queue bandwidth share 1 70 25 5
  srr-queue bandwidth shape 3 0 0 0
  priority-queue out
  mls qos trust device cisco-phone
  spanning-tree portfast
  spanning-tree bpduguard enable
  ip verify source
  ip dhcp snooping limit rate 100
  For data only:
  interface GigabitEthernet1/0/24- interface GigabitEthernet1/0/28
  description DATA only ports
  switchport access vlan 102
  switchport mode access
  switchport port-security maximum 3
  switchport port-security
  switchport port-security aging time 2
  switchport port-security violation restrict
  switchport port-security aging type inactivity
  ip arp inspection limit rate 100
  load-interval 30
  srr-queue bandwidth share 1 70 25 5
  srr-queue bandwidth shape 3 0 0 0
  priority-queue out
  spanning-tree portfast
  spanning-tree bpduguard enable
  ip verify source
  ip dhcp snooping limit rate 100
  That's Cisco's recommendation.
  And just my opinion is that I'd much rather shut a port down that receives a BPDU than just filter it. Reason being that you can't trust users not to do something stupid, like hook two switch ports to the same switch they're using at their desk in an effort to "make the network faster". For two, if someone malicious plugs in a switch into your environment, shut the port down. . .that makes it hard for them to do anything malicious.

• AP 802.1X switched port-authentication

  Hi,
  I've setup EAP authentication (PEAP) to authenticate WLAN client on an AP.
  The AP is connected to a switch where the port is not configured for 802.1X.
  On this switched port I enabled, in multi-host, 802.1X to authenticate also the AP as a client, but since it's enabled I've not been able to authenticate anymore the WLAN client due to the fact that the port will not transition to Authorized
  If I connect on the same port a PC using 802.1X,this is working fine..
  Am I missing something to configure on the switch or AP ???
  Any suggestion are appreciated
  Regards
  Omar

  Omar,
  There's a gotcha with this...most likely a trunk issue...
  Here is a snippet for EAPOL guidelines:
  Authentication Configuration Guidelines
  This section provides the guidelines for configuring 802.1x authentication on the switch:
  802.1x will work with other protocols, but we recommend that you use RADIUS with a remotely located authentication server.
  802.1x is supported only on Ethernet ports.
  Software release 7.5(1) supports two in-band management interfaces, sc0 and sc1.
  802.1x authentication always uses the sc0 interface as the identifier for the authenticator when communicating with the RADIUS server.
  802.1x authentication is not supported with the sc1 interface.
  You cannot enable 802.1x on a trunk port until you turn off the trunking feature on that port.
  You cannot enable trunking on an 802.1x port.
  You cannot enable 802.1x on a dynamic port until you turn off the DVLAN feature on that port.
  You cannot enable DVLAN on an 802.1x port.
  You cannot enable 802.1x on a channeling port until you turn off the channeling feature on that port. You cannot enable channeling on an 802.1x port.
  You cannot enable 802.1x on a switched port analyzer (SPAN) destination port. You cannot configure SPAN destination on an 802.1x port. However, you can configure an 802.1x port as a SPAN source port.
  You cannot set the auxiliary VLAN to dot1p or untagged and the auxiliary VLAN should not be equal to the native VLAN on the 802.1x-enabled port.
  You cannot enable the multiple-authentication option on an 802.1x-enabled auxiliary VLAN port. Enabling the multiple-host option on an 802.1x-enabled auxiliary VLAN is not recommended.
  Do not assign a guest VLAN equal to an auxiliary VLAN because an 802.1x-enabled auxiliary VLAN port will not be put into the guest VLAN if the auxiliary VLAN on the port is the same as the guest VLAN.
  Here is the url for the link:
  http://www.cisco.com/en/US/customer/products/hw/switches/ps708/products_configuration_guide_chapter09186a0080121d12.html#1029697

• 2960X 15.0(2)EX5 Stack Bug? Master Switch Ports link in Orange, no spanning Tree

  Is anyone aware of a bug in version 15.0(2)EX5 for 2960X Switches that would cause a switch in the master role to stop linking in new ports in green (and passing traffic).  I have 2 2960X-48FPD-L Switches in a stack and whichever switch I designate master will only link new connections in orange and not pass traffic.  All ports linked in show up/up and can be seen in a show cdp neighbor but won't pass any other traffic. 
  If I unplug the Stacking cables both switches become masters and ports linked in green on the previous member switch stay green, but after it switches to master any new connections plugged in only link in orange. 
  If I switch priorities and reboot the problem switches to the new master switch and the problem goes away on the member switch.
  Also, a switch in the master role does not show any spanning tree instances for ports in the orange link state. 
  Has anyone seen this issue and do you know of a solution? 
  Jim

  A quick update for those with this same problem.
  1.  15.2(3)E turned out to be very unstable causing my switch stack to randomly lockup/reboot one of the switches about once a week.
  2.  I downgraded back to 15.0(2)EX5 but found a workaround.  It turns out the switch stack with the 15.0 versions does not like the switchport voice vlan command on any of the interfaces on the master switch.  I simply removed the voice vlan configuration on the interfaces and all the switch ports linked in just fine.  I would prefer to run the phones on a voice vlan, but it still works without, just the PC's and phones are on the same vlan. 
  Jim

• AP-1131AG: 2 VLANs/SSIDs, switch port configuration?

  We're setting up a (seemingly) simple deployment of some APs, and want 2 SSIDs...one will have Pre-Shared WEP and one will be open and broadcast (with access-lists on the router). My question is how to set up the switch port to match my AP, in order for it to pass both VLANs (in this case I've setup WLAN100=VLAN100 and WLAN101=VLAN101)...Do I have to configure trunking on that switchport? Thanks for any links or answers on this!!!

  Hi Vince,
  Here is a great doc that goes over this concept in detail. You will need to configure Trunking on the switchport. Have a look at what yours might look like;
  switchport mode trunk
  switchport trunk encapsulation dot1q
  switchport trunk native vlan 1
  switchport trunk allowed vlan 1,100,101
  From this excellent doc;
  Using VLANs with Cisco Aironet Wireless Equipment
  http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801d0815.shtml#clic2935xl
  Hope this helps!
  Rob