Solved

VLAN setup between HP 5412zl switch and HP J8130A Wireless Access Point 420

Posted on 2008-10-23
1,552 Views
Last Modified: 2012-06-27
We have a Procurve 5412zl managed switch and two HP J8130A 420 access points.  The access points (VLAN currently disabled) each have 2 active SSIDs; one authenticating hosts directly on the device with a VLAN ID of 20 and one authenticating over 802.1x (to Windows 2003 IAS) with a VLAN ID of 10.  We are using a Cisco ASA firewall/router with 4 interfaces.

Problem #1
We want to create one VLAN for production (ID 10).  We want to create another VLAN for guest and DMZ usage (ID 20).  The guest/DMZ VLAN will have a CRM application running in it that hosts on the production VLAN will need to be able to access.  We will also have Outlook Web Access running on that box.  We will need a secure way to pass LDAP and SQL traffic between, or around, the 2 VLANs.  

Questions:
- For optimal security, would we be better guided to use an application such as Microsoft ISA Server to handle LDAP and SQL traffic between the 2 VLANs, or could we make use of trunking on the switch to avoid that?  
- Would it be best to use routing on the Cisco ASA to manage traffic between VLAN 10 and 20?
- Would we simply tag the ports we are going to use to connect to the router with 10 or 20, or is there something else that would need to be done?
- What is the "untagged" property and would we need to use it to dedicate ports to a VLAN or would tagging accomplish that?

Problem #2
We currently have VLAN disabled on the access points.  They each have 2 SSIDs; both SSIDs are tagged; one for VLAN ID 10 and one for ID 20.  We need to route traffic to both switch VLANs over one single wired interface per AP.

Questions:
- To allow packets to be routed to their respective destination VLANs, can we simply trunk the ports that each of these APs will connect to?
Question by: footballstar
2 Comments
Accepted Solution by: kyleb84 (earned 2000 total points), ID: 22791800
Discusses how to configure AD/Radius Authentication with 802.1x:
  ftp://ftp.hp.com/pub/networking/software/Part-2-Secure-Access-Configuration-Guide-Wireless-Clients.pdf

"For optimal security, would we be better guided to use an application such as Microsoft ISA Server to handle LDAP and SQL traffic between the 2 VLANs, or could we make use of trunking on the switch to avoid that?"
- ISA

"Would it be best to use routing on the Cisco ASA to manage traffic between VLAN 10 and 20?"
- If you keep everything going back to one point it will be easier to manage; since you're going to try 802.1x auth etc., keep it with the ISA server.

"Would we simply tag the ports we are going to use to connect to the router with 10 or 20, or is there something else that would need to be done?"
- Each SSID would be its own VLAN, the 420 would essentially trunk those VLANs back to the switch, I'd get an ISA server with 2 network adaptors, and put a VLAN on each adaptor, maybe include a 3rd for an internet access VLAN.

"What is the "untagged" property and would we need to use it to dedicate ports to a VLAN or would tagging accomplish that?"
- Untagged (in the context of HP ProCurve) indicates that the packets on that VLAN will not have an 802.1Q header attached to each one. It's the equivalent of Cisco's "native vlan" or "access vlan".

Laptops and desktop PCs must have the packets "untagged" to communicate. Windows XP etc. does not support tagged frames (well, it does, but it requires configuration).

Access ports, or ports that will have a PC connected to them, would have the respective VLAN untagged on that port.

Trunk ports, or ports that connect switches/network devices together, can still have ONE AND ONLY ONE VLAN untagged; all the rest must be tagged.

Author Closing Comment by: footballstar, ID: 31509451
Thanks a lot!  So just to clarify to the readers for our situation:

Our Cisco ASA router has 4 ports configurable for separate networks so we are using separate untagged ports on each VLAN to connect to the router (as opposed to using one trunked port).  For our present situation, we do not need any trunked ports.  We are using 2 tagged ports; one for each access point; each port is tagged on both VLANs.  All other ports are untagged on either VLAN.  
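As an added illustration (not part of the original thread), the following Python model captures the tagged/untagged port semantics kyleb84 describes, laid out the way the closing comment describes the final switch: AP ports tagged in both VLANs, one untagged port per VLAN toward the ASA, and PC ports untagged in a single VLAN. The port names and the port-to-VLAN mapping are constructed assumptions.

```python
# Added example: a model of 802.1Q port membership as HP ProCurve presents it.
# A port is "tagged" in any number of VLANs and "untagged" in at most one;
# port names and the port-to-VLAN mapping below are constructed assumptions.
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Port:
    name: str
    untagged: Optional[int] = None   # frames of this VLAN leave without a header
    tagged: Set[int] = field(default_factory=set)


def build_switch() -> Dict[str, Port]:
    """Layout from the closing comment: AP ports tagged in both VLANs, one
    untagged port per VLAN toward the ASA, every other port untagged in one."""
    return {
        "A1": Port("A1", tagged={10, 20}),   # access point 1 (both SSIDs)
        "A2": Port("A2", tagged={10, 20}),   # access point 2
        "A3": Port("A3", untagged=10),       # ASA interface for VLAN 10
        "A4": Port("A4", untagged=20),       # ASA interface for VLAN 20
        "A5": Port("A5", untagged=10),       # production PC
        "A6": Port("A6", untagged=20),       # CRM/OWA host in guest/DMZ
    }


def classify_ingress(port: Port, vid: Optional[int] = None) -> Optional[int]:
    """VLAN assigned to a frame arriving on `port`; None means it is dropped.
    vid=None is a frame with no 802.1Q header, which is what a PC sends."""
    if vid is None:
        return port.untagged     # a port with no untagged VLAN drops the frame
    return vid if vid in port.tagged else None


def forward(ports: Dict[str, Port], in_port: str,
            vid: Optional[int] = None) -> Dict[str, str]:
    """Egress ports for a frame flooded within its VLAN, and how it leaves
    each: 'untagged' (header stripped) or 'tagged N' (802.1Q header kept)."""
    vlan = classify_ingress(ports[in_port], vid)
    out: Dict[str, str] = {}
    if vlan is None:
        return out
    for p in ports.values():
        if p.name == in_port:
            continue
        if p.untagged == vlan:
            out[p.name] = "untagged"
        elif vlan in p.tagged:
            out[p.name] = f"tagged {vlan}"
    return out
```

Running `forward(sw, "A5", 20)` on this layout returns an empty dict: a PC port untagged only in VLAN 10 does not accept frames tagged 20, which is the isolation the two-VLAN design relies on.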