How to VLAN two clusters

I’m sure this is an easy answer but I don’t want to play around and mess this up.
We’ve got a server that serves DHCP to two different AP clusters. The server plugs into a Cisco 2900XL switch. One port on the switch goes straight up to one cluster, and another port goes to a BH20 backhaul which serves the other cluster.
How do I go about setting up the VLANs on the switch so that the clusters can’t talk to each other but the server still serves DHCP to both?

Make both ports on your Cisco switch into ‘trunk’ ports.

Like this:

interface FastEthernet0/24
switchport mode trunk

And you can make other ports on your Cisco switch part of different VLANs, like this:

interface FastEthernet0/20
switchport access vlan 4
switchport mode access

That would make port 20 part of VLAN 4, and it would be able to talk to devices behind an SM which is also on VID 4 (assuming that that SM’s AP is connected to a switch trunk port on the Cisco switch).

Here are all the commands I use on VLAN-specific ports (NOT trunk ports) for security against rogue BPDU packets, rogue VLAN activity, and to keep port turnup quick.

interface FastEthernet0/20
switchport access vlan 4
switchport mode access
switchport nonegotiate
spanning-tree portfast
spanning-tree bpdufilter enable

Oh, not only does your AP need to plug into a ‘trunk’ mode port, but your router must ALSO plug into a ‘trunk’ mode port on your Cisco switch. And the router will need 802.1Q VLANs activated and configured on its ethernet port that plugs into the Cisco switch, of course.

On a Cisco router, you just create new sub-interfaces like this:

interface FastEthernet1/0.4
encapsulation dot1q 4
ip address 1.1.1.1 255.255.255.252

Since your switch is a 2900 and not a 2950, the commands might be a little different. For instance, you might need to force encapsulation type dot1q (as opposed to the older Cisco ISL technique). Also, the 2900s have SERIOUS problems talking to certain devices over ethernet cable of any distance, where the 2950 and newer models do not. This accounts for the significant price difference between the 2924XL-EN and 2950 on eBay, for instance.

You could always use the command “port protected” on the two BH ports.

Every device plugged into a port protected port won’t be able to talk to other port protected ports. All other ports that are not port protected will be able to talk to them.
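An added example, not code from anyone in this thread: a Python check that reads IOS-style interface stanzas, applies the protected-port rule described in the last reply, and flags access ports that lack the hardening lines listed in the earlier reply. The sample config, its port numbers and the function names are constructed for illustration, and the check looks only at the per-port commands, not at VLAN membership.

```python
import re

# Constructed sample (not from the thread): Fa0/1 = server port,
# Fa0/2 and Fa0/3 = the two cluster-facing ports, Fa0/20 = an access port.
SAMPLE = """\
interface FastEthernet0/1
 switchport mode trunk
!
interface FastEthernet0/2
 port protected
!
interface FastEthernet0/3
 port protected
!
interface FastEthernet0/20
 switchport access vlan 4
 switchport mode access
 spanning-tree portfast
"""

# Hardening lines the earlier reply lists for VLAN-specific (non-trunk) ports.
HARDENING = ("switchport nonegotiate", "spanning-tree portfast",
             "spanning-tree bpdufilter enable")

def parse_interfaces(text):
    """Return {interface name: set of sub-commands} from IOS-style config text."""
    ports, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"interface\s+(\S+)", line)
        if m:
            current = ports.setdefault(m.group(1), set())
        elif line == "!" or not line:
            current = None          # stanza separator ends the interface block
        elif current is not None:
            current.add(line)
    return ports

def can_talk(ports, a, b):
    """Protected-port rule: two protected ports never exchange traffic."""
    return not ("port protected" in ports[a] and "port protected" in ports[b])

def missing_hardening(ports):
    """Map each access-mode port to the hardening lines it lacks."""
    gaps = {n: [h for h in HARDENING if h not in c]
            for n, c in ports.items() if "switchport mode access" in c}
    return {n: g for n, g in gaps.items() if g}
```

Running `parse_interfaces` on a saved `show running-config` and then calling the two checks gives a quick pre-change review: the cluster ports should fail `can_talk` with each other while both still pass against the server port.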