We have a Procurve 5412zl managed switch and two HP J8130A 420 access points. The access points (VLAN currently disabled) each have 2 active SSIDs; one authenticating hosts directly on the device with a VLAN ID of 20 and one authenticating over 802.1x (to Windows 2003 IAS) with a VLAN ID of 10. We are using a Cisco ASA firewall/router with 4 interfaces.
We want to create one VLAN for production (ID 10). We want to create another VLAN for guest and DMZ usage (ID 20). The guest/DMZ VLAN will have a CRM application running in it that hosts on the production VLAN will need to be able to access. We will also have Outlook Web Access running on that box. We will need a secure way to pass LDAP and SQL traffic between, or around, the 2 VLANs.
- For optimal security, would we be better guided to use an application such as Microsoft ISA Server to handle LDAP and SQL traffic between the 2 VLANs, or could we make use of trunking on the switch to avoid that?
- Would it be best to use routing on the Cisco ASA to manage traffic between VLAN 10 and 20?
- Would we simply tag the ports we are going to use to connect to the router with 10 or 20, or is there something else that would need to be done?
- What is the "untagged" property and would we need to use it to dedicate ports to a VLAN or would tagging accomplish that?
We currently have VLAN disabled on the access points. They each have 2 SSIDs; both SSIDs are tagged; one for VLAN ID 10 and one for ID 20. We need to route traffic to both switch VLANs over one single wired interface per AP.
- To allow packets to be routed to their respective destination VLANs, can we simply trunk the ports that each of these APs will connect to?
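As an added illustration of the tagged/untagged semantics the question asks about, and not configuration from the original post, here is a ProCurve-style VLAN layout and a matching ASA router-on-a-stick fragment. Port letters (A1, A2, A3, A4-A10), subnets (10.10.0.0/24, 10.20.0.0/24), host addresses and interface names are all assumed placeholders; the switch commands are the standard ProCurve `vlan` / `tagged` / `untagged` syntax and the ASA commands are standard subinterface and access-list syntax. On a ProCurve, a port can be "untagged" in at most one VLAN (that VLAN receives the port's untagged frames, which is how you dedicate an edge port to a VLAN) but "tagged" in several (802.1Q-tagged frames for each, which is what an AP or router uplink carrying both VLANs needs). Making a port untagged in a new VLAN moves it out of DEFAULT_VLAN automatically; a port that is only tagged stays untagged in VLAN 1 unless you remove it.

```text
! ---- ProCurve 5412zl (assumed port letters) ----
vlan 10
   name "Production"
   ! A1 = uplink to ASA, A2/A3 = access point ports: carry VLAN 10 tagged
   tagged A1,A2,A3
   ! Wired production hosts: dedicated to VLAN 10 via untagged membership
   untagged A4-A10
   exit
vlan 20
   name "Guest-DMZ"
   ! Same uplink and AP ports also carry VLAN 20 tagged
   tagged A1,A2,A3
   ! CRM / OWA host port: dedicated to VLAN 20
   untagged A11
   exit
vlan 1
   ! Tagged-only ports would otherwise still be untagged members of
   ! DEFAULT_VLAN; remove them so nothing untagged leaks onto VLAN 1
   no untagged A1,A2,A3
   exit

! ---- Cisco ASA, one physical port trunked, one subinterface per VLAN ----
interface GigabitEthernet0/1
 no shutdown
!
interface GigabitEthernet0/1.10
 vlan 10
 nameif production
 security-level 100
 ip address 10.10.0.1 255.255.255.0
!
interface GigabitEthernet0/1.20
 vlan 20
 nameif dmz
 security-level 50
 ip address 10.20.0.1 255.255.255.0
!
! Only the CRM/OWA host (assumed 10.20.0.10) may reach the domain
! controller (assumed 10.10.0.5) on LDAP/LDAPS and the SQL server
! (assumed 10.10.0.6) on 1433; everything else from VLAN 20 into
! VLAN 10 is dropped and logged.
access-list dmz_in extended permit tcp host 10.20.0.10 host 10.10.0.5 eq 389
access-list dmz_in extended permit tcp host 10.20.0.10 host 10.10.0.5 eq 636
access-list dmz_in extended permit tcp host 10.20.0.10 host 10.10.0.6 eq 1433
access-list dmz_in extended deny ip 10.20.0.0 255.255.255.0 10.10.0.0 255.255.255.0 log
access-list dmz_in extended permit ip 10.20.0.0 255.255.255.0 any
access-group dmz_in in interface dmz
```

With this layout the switch only forwards frames; all inter-VLAN traffic has to cross the ASA subinterfaces, so the access list is the single place that decides which VLAN 20 host may talk to which VLAN 10 service. The AP ports are tagged in both VLANs because the 420's two SSIDs emit tagged frames for VLAN 10 and 20 over the one wired interface; if the AP's own management traffic is sent untagged, it needs an untagged VLAN on that port as well, which is left out here.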