Setting up VLANS, Cisco ISA550W + Cisco SMB Switches

[alijnclarke]

Hi,
I'm attempting to install a network to do the following:
1. Guest vlan, wireless and some wired points
2. Admin vlan (access to internet and file servers)
3. IP Camera vlan

I've got the following equipment:
Cisco ISA550W (router / security appliance)
Cisco SG 300-10P (POE for access points and cameras)
Cisco SG 300-10

Access point wise:
3x Cisco Aironet 1200 (old ones until i find modern replacements)

I'm lost on how to start really, currently the ISA550 has multiple SSID's with our admin network and a guest network, both on independent vlans. To start i'd just like to have one of the aironets transmitting two SSID's one admin and one guest, just like the ISA550.

Note: The ISA has each vlan in a different subnet, that's something i'd like to keep if possible.

Do i set the port on the ISA connecting to the POE switch as a trunk? and then the port on the POE switch also as a trunk? Do i have to assign manually the vlan id to the port as well as it being a trunk?

Sorry for the very very nooby questions, i'm just totally lost and struggling to find any documentation that isn't enterprise orientated.

 

[theonlyski]

Sorry for the very very nooby questions, i'm just totally lost and struggling to find any documentation that isn't enterprise orientated.

Well, that comes with the territory when buying more production type equipment.

Not knowing the explicits for the devices you have listed, I can tell you some general info (I work in enterprise Cisco networks).

Keeping the vLANs separated is a requirement, having two interfaces on the same IP network isn't possible with most Cisco equipment.

Whenever you have the option to trunk, do it. You'll set an admin vLAN that doesn't get the 802.1q tags, the rest of the vLANs get a tag to let the systems know what vLAN they belong to.

There is a general overview of the 550w on here. http://www.smallnetbuilder.com/security/security-reviews/32049-cisco-isa550w-integrated-security-appliance-reviewed

The way I envision I would set it up is to trunk the ports that interconnect all of the devices, assign all of the IP cameras to one vLAN. Though this has bitten me with ASA-5505's running the IPS hardware, the cameras were producing so much traffic that the IPS would choke on it and cause outages... So if you're able to put the monitor for the cameras on that vLAN, that would be the best bet as far as keeping your firewall from getting tons of traffic it doesn't need.

Where are you located? There might be people nearby that could come show you the ropes.