Solved

VLAN setup between HP 5412zl switch and HP J8130A Wireless Access Point 420

Posted on 2008-10-23
Last Modified: 2012-06-27
We have a ProCurve 5412zl managed switch and two HP J8130A 420 access points. The access points (VLAN currently disabled) each have 2 active SSIDs; one authenticating hosts directly on the device with a VLAN ID of 20 and one authenticating over 802.1x (to Windows 2003 IAS) with a VLAN ID of 10. We are using a Cisco ASA firewall/router with 4 interfaces.

Problem #1
We want to create one VLAN for production (ID 10). We want to create another VLAN for guest and DMZ usage (ID 20). The guest/DMZ VLAN will have a CRM application running in it that hosts on the production VLAN will need to be able to access. We will also have Outlook Web Access running on that box. We will need a secure way to pass LDAP and SQL traffic between, or around, the 2 VLANs.

Questions:
- For optimal security, would we be better guided to use an application such as Microsoft ISA Server to handle LDAP and SQL traffic between the 2 VLANs, or could we make use of trunking on the switch to avoid that?
- Would it be best to use routing on the Cisco ASA to manage traffic between VLAN 10 and 20?
- Would we simply tag the ports we are going to use to connect to the router with 10 or 20, or is there something else that would need to be done?
- What is the "untagged" property and would we need to use it to dedicate ports to a VLAN or would tagging accomplish that?

Problem #2
We currently have VLAN disabled on the access points. They each have 2 SSIDs; both SSIDs are tagged; one for VLAN ID 10 and one for ID 20. We need to route traffic to both switch VLANs over one single wired interface per AP.

Questions:
- To allow packets to be routed to their respective destination VLANs, can we simply trunk the ports that each of these APs will connect to?
Question by: footballstar
Accepted Solution by: kyleb84 (earned 500 total points)

Discusses how to configure AD/Radius Authentication with 802.1x:
  ftp://ftp.hp.com/pub/networking/software/Part-2-Secure-Access-Configuration-Guide-Wireless-Clients.pdf

"For optimal security, would we be better guided to use an application such as Microsoft ISA Server to handle LDAP and SQL traffic between the 2 VLANs, or could we make use of trunking on the switch to avoid that?"
- ISA

"Would it be best to use routing on the Cisco ASA to manage traffic between VLAN 10 and 20?"
- If you keep everything going back to one point it will be easier to manage; since you're going to try 802.1x auth etc., keep it with the ISA server.

"Would we simply tag the ports we are going to use to connect to the router with 10 or 20, or is there something else that would need to be done?"
- Each SSID would be its own VLAN, the 420 would essentially trunk those VLANs back to the switch. I'd get an ISA server with 2 network adaptors, and put a VLAN on each adaptor, maybe include a 3rd for an internet access VLAN.

"What is the "untagged" property and would we need to use it to dedicate ports to a VLAN or would tagging accomplish that?"
- Untagged (in the context of HP ProCurve) indicates that the packets on that VLAN will not have an 802.1Q header attached to each one. It's the equivalent of Cisco's "native vlan" or "access vlan".

Laptops and desktop PCs must have the packets "untagged" to communicate. Windows XP etc. does not support tagged frames (well, it does, but it requires configuration).

Access ports, or ports that will have a PC connected to them, would have the respective VLAN untagged on that port.

Trunk ports, or ports that connect switches/network devices together, can still have ONE AND ONLY ONE VLAN untagged; all the rest must be tagged.


Author Closing Comment by: footballstar

Thanks a lot! So just to clarify to the readers for our situation:

Our Cisco ASA router has 4 ports configurable for separate networks, so we are using separate untagged ports on each VLAN to connect to the router (as opposed to using one trunked port). For our present situation, we do not need any trunked ports. We are using 2 tagged ports, one for each access point; each port is tagged on both VLANs. All other ports are untagged on either VLAN.
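The tagged/untagged semantics kyleb84 describes and the port plan in the closing comment, as an added example that is not from this thread: a small Python model of ProCurve-style 802.1Q port membership that shows which ports a frame from the guest SSID or from a production PC can reach. Port names A1 to A6 and the choice of which port hosts the CRM/OWA box are assumptions.

```python
# Added example, not from the thread: a minimal model of ProCurve-style
# 802.1Q port membership, used to check the port plan in the closing comment.
# Port names A1-A6 and which port hosts the CRM/OWA box are assumptions.
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class Port:
    name: str
    untagged: int | None = None        # ONE untagged (native) VLAN at most
    tagged: set[int] = field(default_factory=set)

    def ingress_vlan(self, tag: int | None) -> int | None:
        """VLAN a frame joins on arrival, or None if the port drops it."""
        if tag is None:                 # untagged frame -> native VLAN (if any)
            return self.untagged
        return tag if tag in self.tagged else None   # unknown tag -> dropped

    def egress(self, vlan: int) -> str | None:
        """How this port sends a frame of `vlan`, or None if not a member."""
        if vlan == self.untagged:
            return "untagged"
        return "tagged" if vlan in self.tagged else None

def build_switch() -> dict[str, Port]:
    """Port plan from the closing comment; roughly the ProCurve CLI
    'vlan 10 / tagged A1-A2 / untagged A3,A5' and 'vlan 20 / tagged A1-A2 / untagged A4,A6'."""
    return {
        "A1": Port("A1", tagged={10, 20}),   # access point 1 (no native VLAN)
        "A2": Port("A2", tagged={10, 20}),   # access point 2
        "A3": Port("A3", untagged=10),       # ASA interface for production
        "A4": Port("A4", untagged=20),       # ASA interface for guest/DMZ
        "A5": Port("A5", untagged=10),       # production PC
        "A6": Port("A6", untagged=20),       # CRM/OWA host in the guest/DMZ VLAN
    }

def flood(switch: dict[str, Port], in_port: str, tag: int | None) -> dict[str, str]:
    """Ports (and tagging) a broadcast arriving on in_port reaches."""
    vlan = switch[in_port].ingress_vlan(tag)
    if vlan is None:
        return {}
    return {n: mode for n, p in switch.items()
            if n != in_port and (mode := p.egress(vlan)) is not None}

if __name__ == "__main__":
    sw = build_switch()
    print(flood(sw, "A1", 20))    # guest SSID frame: A2 tagged, A4 and A6 untagged
    print(flood(sw, "A5", None))  # production PC: never reaches A6; ASA/ISA must route
```

The second call shows the security property the thread relies on: a production host and the CRM box share no layer-2 path, so LDAP and SQL traffic between VLAN 10 and 20 can only cross at the ASA (or ISA), where it can be filtered.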
