One common way of solving this is by using VLANs, as you have outlined.
If one has an internet-firewall, it is common to forward the guest-access-vlan to the firewall, and terminate it on an interface there. Using firewall rules one then prevents the guest-network from accessing the internal network, but allows access to the internet.
In your case it is difficult to keep guest-traffic separate from the internal network without making changes on the cisco-router.
An alternative would be to invest in a separate inexpensive (typically ADSL) internet-connection for the guest network.
I take it your internal network today is using vlan1.
If you want to use a separate internet-access for the guest-traffic:
- Make a new vlan10 on the HP switch.
- Make sure the guest-vlan is tagged with vlan 10 in the access-point.
- In the HP-switch, add the vlan 10 as tagged on the port where the AP is connected.
- Add vlan 10 as untagged on the port where the new guest internet-connection is connected.
If you want to use the existing internet-connection for guest-traffic:
- Make a new vlan10 on the HP switch.
- Make sure the guest-vlan is tagged with vlan 10 in the access-point.
- In the HP-switch, add the vlan 10 as tagged on the port where the AP is connected.
- In the HP-switch, add the vlan 10 as tagged on the port towards the Cisco-switch.
- On the cisco-switch put the interfaces towards the hp-switch and cisco router into vlan-trunking mode: "switchport mode trunk".
- Ask the company who controls the router to:
  - add a subinterface to the LAN-interface, and tag it with vlan10.
  - set up an ip-address on the interface and set up a dhcp-scope for this new network.
  - using access-lists, limit access to the internal network, but allow access to the internet.
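
The Cisco side of the second option, sketched as an added example that is not part of the original answer. The interface names, the 192.168.1.0/24 internal subnet, the 192.168.10.0/24 guest subnet and the DNS address are assumptions chosen for illustration; substitute the real values.

```cisco
! Constructed example. Assumed: internal LAN 192.168.1.0/24 on VLAN 1,
! guest LAN 192.168.10.0/24 on VLAN 10, placeholder interface names.

! --- Cisco switch: trunk the ports towards the HP switch and the router ---
vlan 10
 name GUEST
!
interface range GigabitEthernet0/1 - 2
 switchport mode trunk
 ! carry only the VLANs that are needed; VLAN 1 stays the untagged native VLAN
 switchport trunk allowed vlan 1,10
!
! --- Cisco router: DHCP scope for the guest network ---
ip dhcp excluded-address 192.168.10.1 192.168.10.9
ip dhcp pool GUEST
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.1
 ! placeholder resolver address, replace with the ISP or public DNS server
 dns-server 192.0.2.53
!
! --- Cisco router: filter applied to traffic arriving from guests ---
ip access-list extended GUEST-IN
 remark DHCP requests from guest clients to the router
 permit udp any eq bootpc any eq bootps
 remark block the internal network (assumed subnet)
 deny   ip any 192.168.1.0 0.0.0.255
 remark block all other private ranges, including the router's own addresses
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 remark everything else is internet traffic
 permit ip any any
!
! --- Cisco router: tagged subinterface for VLAN 10 on the LAN interface ---
interface FastEthernet0/0.10
 description Guest wireless (VLAN 10)
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
 ip access-group GUEST-IN in
```

If the router performs NAT for the internal network, the guest subnet also has to be included in its NAT rules. From a guest client, a ping to an internal address should fail while a ping to an internet address succeeds.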