Vlan setup help

I am setting up a VLAN and want to make sure that I understand it correctly. Here is the equipment I have and my idea.

1 - PIX515E firewall
4 - Procurve 4000m switch

Would it be better to start the VLAN at the PIX or at the Procurve? I need a VLAN1 for regular employees to access the internet, other office computers and the office server. I need VLAN2 to set up a guest LAN that can only see the internet and not the office computers or server. (Also, does anyone have any suggestions on how to set up a network authorization that can be used to log on with a username and password to access the internet?)

My idea is to start the VLAN at the Procurve switch. I would have the port to the firewall as tagged with VLAN1. I would set up the office computers and server on VLAN1 that are untagged. I would set up the guest ports on VLAN2 that are untagged.

Anyone have any other ideas or a better way to do this? Any suggestions would help.

Reply to
cpritcha

I would recommend not using VLAN 1 for anything special, as some equipment does not (or has not in the past) trunk VLAN 1 correctly. Namely, I'm aware that some Cisco gear does (or did) not like to trunk VLAN 1 traffic, as they use it for the default VLAN. Choose any other VLAN you like, so long as it is not VLAN 1.

Just a suggestion, but look into a proxy server that requires authentication to access the internet. There are MANY that will do this; however, I would personally use Squid as I have more experience with it.

I would probably be tempted to trunk into the server so that you would have options down the road. But that is just my personal preference. Trunking would allow you to create a 3rd VLAN and have the server on the office as well as the additional (testing?) VLAN.

Word to the wise. I have worked with an older HP ProCurve 4000m and found that it only supported 32 VLANs. I don't think this will become a problem for you, but it may for others reading this post.

Grant. . . .

Reply to
Taylor, Grant
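
A sketch of the authenticating-proxy idea from the reply above, added here as an example and not posted by anyone in the thread. The subnets (office 192.168.10.0/24, guest 192.168.20.0/24), port, helper path and password file are assumptions; adjust them to the actual addressing and Squid install.

```conf
# squid.conf fragment (constructed example, not from the thread)
# Assumed: office VLAN = 192.168.10.0/24, guest VLAN = 192.168.20.0/24

http_port 3128

# Username/password prompt backed by an htpasswd-style file.
# Helper and file locations vary by distribution (assumed paths).
# Basic auth sends credentials base64-encoded, not encrypted, so
# keep the guest-to-proxy path on a segment you control.
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic realm Guest Internet Access
auth_param basic credentialsttl 2 hours

acl guest_net  src 192.168.20.0/24
acl office_net dst 192.168.10.0/24
acl authed     proxy_auth REQUIRED
acl SSL_ports  port 443
acl Safe_ports port 80 443
acl CONNECT    method CONNECT

# Rules are evaluated top to bottom; the first match wins.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# The proxy sits where it can reach both VLANs, so refuse any
# request whose destination is the office subnet. Without this,
# a guest could use the proxy to reach office hosts and defeat
# the VLAN separation.
http_access deny office_net

# Guests get out only after authenticating.
http_access allow guest_net authed
http_access deny all
```

For the login to be mandatory, the firewall also has to block direct outbound web traffic from the guest VLAN so that the proxy is the only path to the internet.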

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.