• Status: Solved
• Priority: Medium
• Security: Public
• Views: 1565

VLAN setup between HP 5412zl switch and HP J8130A Wireless Access Point 420

We have a Procurve 5412zl managed switch and two HP J8130A 420 access points.  The access points (VLAN currently disabled) each have 2 active SSIDs; one authenticating hosts directly on the device with a VLAN ID of 20 and one authenticating over 802.1x (to Windows 2003 IAS) with a VLAN ID of 10.  We are using a Cisco ASA firewall/router with 4 interfaces.

Problem #1
We want to create one VLAN for production (ID 10).  We want to create another VLAN for guest and DMZ usage (ID 20).  The guest/DMZ VLAN will have a CRM application running in it that hosts on the production VLAN will need to be able to access.  We will also have Outlook Web Access running on that box.  We will need a secure way to pass LDAP and SQL traffic between, or around, the 2 VLANs.  

Questions:
- For optimal security, would we be better guided to use an application such as Microsoft ISA Server to handle LDAP and SQL traffic between the 2 VLANs, or could we make use of trunking on the switch to avoid that?  
- Would it be best to use routing on the Cisco ASA to manage traffic between VLAN 10 and 20?
- Would we simply tag the ports we are going to use to connect to the router with 10 or 20, or is there something else that would need to be done?
- What is the "untagged" property and would we need to use it to dedicate ports to a VLAN or would tagging accomplish that?

Problem #2
We currently have VLAN disabled on the access points.  They each have 2 SSIDs; both SSIDs are tagged; one for VLAN ID 10 and one for ID 20.  We need to route traffic to both switch VLANs over one single wired interface per AP.

Questions:
- To allow packets to be routed to their respective destination VLANs, can we simply trunk the ports that each of these APs will connect to?
Asked by: footballstar

1 Solution
 
kyleb84 commented:
Discusses how to configure AD/Radius Authentication with 802.1x:
  ftp://ftp.hp.com/pub/networking/software/Part-2-Secure-Access-Configuration-Guide-Wireless-Clients.pdf

"For optimal security, would we be better guided to use an application such as Microsoft ISA Server to handle LDAP and SQL traffic between the 2 VLANs, or could we make use of trunking on the switch to avoid that?"
- ISA

"Would it be best to use routing on the Cisco ASA to manage traffic between VLAN 10 and 20?"
- If you keep everything going back to one point it will be easier to manage; since you're going to try 802.1x auth etc., keep it with the ISA server.

"Would we simply tag the ports we are going to use to connect to the router with 10 or 20, or is there something else that would need to be done?"
- Each SSID would be its own VLAN, the 420 would essentially trunk those VLANs back to the switch. I'd get an ISA server with 2 network adaptors, and put a VLAN on each adaptor, maybe include a 3rd for an internet access VLAN.

"What is the "untagged" property and would we need to use it to dedicate ports to a VLAN or would tagging accomplish that?"
- Untagged (in the context of HP ProCurve) indicates that the packets on that VLAN will not have an 802.1Q header attached to each one. It's the equivalent of Cisco's "native vlan" or "access vlan".

Laptops and desktop PCs must have the packets "untagged" to communicate. Windows XP etc. does not support tagged frames (well, it does, but it requires configuration).

Access ports, or ports that will have a PC connected to them, would have the respective VLAN untagged on that port.

Trunk ports, or ports that connect switches/network devices together, can still have ONE AND ONLY ONE VLAN untagged; all the rest must be tagged.

footballstar (Author) commented:
Thanks a lot!  So just to clarify to the readers for our situation:

Our Cisco ASA router has 4 ports configurable for separate networks, so we are using separate untagged ports on each VLAN to connect to the router (as opposed to using one trunked port).  For our present situation, we do not need any trunked ports.  We are using 2 tagged ports, one for each access point; each port is tagged on both VLANs.  All other ports are untagged on either VLAN.
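To make kyleb84's untagged/tagged explanation and the author's final port layout concrete, here is an added example of the ProCurve CLI configuration that layout implies. It is not from the thread or from HP's documentation. The VLAN IDs, the two untagged ports feeding the ASA interfaces and the two AP ports tagged on both VLANs follow the description above; the port numbers (module A of the 5412zl) and which wired hosts sit on which ports are assumptions for illustration. Lines beginning with `;` are annotations, not commands.

```procurve
; Added example, not the poster's running-config. Assumed port plan:
;   A1-A10   wired production hosts        (VLAN 10, untagged)
;   A11-A20  wired guest/DMZ hosts          (VLAN 20, untagged)
;   A21      ASA "production" interface     (VLAN 10, untagged)
;   A22      ASA "guest/DMZ" interface      (VLAN 20, untagged)
;   A23-A24  the two HP 420 access points   (VLAN 10 and 20, tagged)

vlan 10
   name "Production"
   untagged A1-A10,A21
   tagged A23-A24
   exit

vlan 20
   name "Guest-DMZ"
   untagged A11-A20,A22
   tagged A23-A24
   exit

; Every port starts as an untagged member of the default VLAN 1. Making a
; port untagged in VLAN 10 or 20 moves it out of VLAN 1 automatically, but
; the AP ports are only tagged members, so drop their VLAN 1 membership by
; hand. Each port then keeps the rule from the answer: at most one untagged
; VLAN, everything else tagged.
vlan 1
   no untagged A23-A24
   exit
```

Check the result with `show vlans` and `show vlans ports A23 detail`, which list each port's membership and whether it is tagged or untagged. Note that neither VLAN is given an `ip address` on the switch, so the 5412zl does not route between them; every production-to-DMZ flow (the LDAP and SQL traffic the question asks about) has to leave through the untagged ASA ports, which is where kyleb84's recommendation to filter it on the ASA or an ISA server applies. With VLANs enabled on the 420, the AP itself must tag each SSID's frames with 10 or 20, because the switch side of A23-A24 accepts only tagged frames for those VLANs.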
