Solved

VLAN setup between HP 5412zl switch and HP J8130A Wireless Access Point 420

Posted on 2008-10-23
Last Modified: 2012-06-27
We have a ProCurve 5412zl managed switch and two HP J8130A 420 access points. The access points (VLAN currently disabled) each have 2 active SSIDs; one authenticating hosts directly on the device with a VLAN ID of 20 and one authenticating over 802.1x (to Windows 2003 IAS) with a VLAN ID of 10. We are using a Cisco ASA firewall/router with 4 interfaces.

Problem #1
We want to create one VLAN for production (ID 10). We want to create another VLAN for guest and DMZ usage (ID 20). The guest/DMZ VLAN will have a CRM application running in it that hosts on the production VLAN will need to be able to access. We will also have Outlook Web Access running on that box. We will need a secure way to pass LDAP and SQL traffic between, or around, the 2 VLANs.

Questions:
- For optimal security, would we be better guided to use an application such as Microsoft ISA Server to handle LDAP and SQL traffic between the 2 VLANs, or could we make use of trunking on the switch to avoid that?  
- Would it be best to use routing on the Cisco ASA to manage traffic between VLAN 10 and 20?
- Would we simply tag the ports we are going to use to connect to the router with 10 or 20, or is there something else that would need to be done?
- What is the "untagged" property and would we need to use it to dedicate ports to a VLAN or would tagging accomplish that?

Problem #2
We currently have VLAN disabled on the access points. They each have 2 SSIDs; both SSIDs are tagged; one for VLAN ID 10 and one for ID 20. We need to route traffic to both switch VLANs over one single wired interface per AP.

Questions:
- To allow packets to be routed to their respective destination VLANs, can we simply trunk the ports that each of these APs will connect to?
Question by: footballstar

Accepted Solution by: kyleb84 (ID: 22791800)
Discusses how to configure AD/Radius Authentication with 802.1x:
  ftp://ftp.hp.com/pub/networking/software/Part-2-Secure-Access-Configuration-Guide-Wireless-Clients.pdf

"For optimal security, would we be better guided to use an application such as Microsoft ISA Server to handle LDAP and SQL traffic between the 2 VLANs, or could we make use of trunking on the switch to avoid that?"
- ISA

"Would it be best to use routing on the Cisco ASA to manage traffic between VLAN 10 and 20?"
- If you keep everything going back to one point it will be easier to manage; since you're going to try 802.1x auth etc., keep it with the ISA server.

"Would we simply tag the ports we are going to use to connect to the router with 10 or 20, or is there something else that would need to be done?"
- Each SSID would be its own VLAN; the 420 would essentially trunk those VLANs back to the switch. I'd get an ISA server with 2 network adaptors and put a VLAN on each adaptor, maybe include a 3rd for an internet access VLAN.

"What is the "untagged" property and would we need to use it to dedicate ports to a VLAN or would tagging accomplish that?"
- Untagged (in the context of HP ProCurve) indicates that the packets on that VLAN will not have an 802.1Q header attached to each one. It's the equivalent of Cisco's "native vlan" or "access vlan".

Laptops and desktop PCs must have the packets "untagged" to communicate. Windows XP etc. does not support tagged frames (well, it does, but it requires configuration).

Access ports, or ports that will have a PC connected to them, would have the respective VLAN untagged on that port.

Trunk ports, or ports that connect switches/network devices together, can still have ONE AND ONLY ONE VLAN untagged; all the rest must be tagged.

Author Closing Comment by: footballstar (ID: 31509451)
Thanks a lot! So just to clarify to the readers for our situation:

Our Cisco ASA router has 4 ports configurable for separate networks, so we are using separate untagged ports on each VLAN to connect to the router (as opposed to using one trunked port). For our present situation, we do not need any trunked ports. We are using 2 tagged ports, one for each access point; each port is tagged on both VLANs. All other ports are untagged on either VLAN.
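The following ProCurve CLI fragment is an added illustration of the final layout described in this thread (tagged versus untagged port membership); it is not configuration posted by either participant. The port numbers are assumptions chosen for the example: A1-A10 and A11-A20 are the wired PC ports for VLAN 10 and VLAN 20, A21 and A22 are the two untagged uplinks to the Cisco ASA interfaces, and A23-A24 are the two access point ports tagged on both VLANs. Switch ports on the 5412zl are addressed by module letter and port number, so the letters depend on which module the cables land on.

```text
vlan 10
   name "Production"
   untagged A1-A10
   untagged A21
   tagged A23-A24
   exit
vlan 20
   name "Guest-DMZ"
   untagged A11-A20
   untagged A22
   tagged A23-A24
   exit
vlan 1
   no untagged A23-A24
   exit
```

Two points are worth checking after applying something like this. First, a port that is made tagged on VLANs 10 and 20 remains an untagged member of DEFAULT_VLAN (VLAN 1) until it is removed there, which is what the last block does; otherwise any untagged frame arriving from the AP would be admitted into VLAN 1. Second, no `ip address` is configured on VLAN 10 or 20, so the switch itself cannot route between them: the only path between production and guest/DMZ is through the ASA (and the ISA server the accepted solution recommends), which is what keeps the firewall policy authoritative. `show vlans` and `show vlans 10` on the switch list which ports ended up tagged and untagged in each VLAN, so the result can be compared against the intended layout before hosts are moved.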