Creating several VLANs on a switch to share a common Internet connection.

I've been trying to create the following for a client.

I have a Linksys SRW224G switch on which I want to create several VLANs, both to improve network performance and for security reasons. These VLANs need to share a common resource, an Astaro Security Gateway firewall/UTM device.

To cover the hardware: the Astaro system is built on a Dell GX240 box with a 3Com 3C905 NIC, which is supposed to handle 802.1q traffic. Additionally, the Astaro system is running the most current version, 6.301. I configured the Astaro interface as an Ethernet VLAN interface as per the user's manual for version 6.

Note I'm still learning the ins and outs of networking (working on the CCNA currently) so hopefully I'm not missing the obvious here.


1. Can VLANs be set to share a common port that connects to a common resource such as the Astaro Gateway? According to what I've read and the tech people at Linksys, the answer is yes; however, three different attempts to get a solution from them didn't work. Note I'm not trying to route between the VLANs, just share a common gateway.

2. If yes, what is the basic configuration to do so, i.e., how is the common port configured, etc.? A Cisco-based explanation is fine as I'm more interested in understanding the concept.
Rick Hobbs (RETIRED) commented:
On a Cisco it would be like this:
interface vlan 1
 ip address 171.197.155.x <---or whatever your subnet range is
 ip helper-address

interface vlan 2
 ip address
 ip helper-address
jfrady commented:
The Astaro server would have to be in both VLANs.  For the NIC to support VLANs I believe it has to be a 3Com "Server" NIC.  The 3C905, while a great card, was before the time of 802.1Q-based VLANs and does not support multiple VLANs that I am aware of.  It does support PACE but not 802.1Q.

Essentially what you will need: all station-facing ports untagged in the VLAN they are supposed to be in, the link to your server tagged in both VLANs, and the server NIC tagged in both VLANs.

In that Linksys device you would create an additional "Static" VLAN in addition to the Default VLAN.  Then (in the "webview" interface) select tagged or untagged.

You will have to have 2 subnets.  And the server will need to be in both unless they are routed somewhere.  If you don't want them routed do not enable routing in your server.

You generally (especially in low end switches) can only have one untagged VLAN per port.

Is your Astaro server running on Linux or VMWare?
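The tagged/untagged rules jfrady describes, worked through as an added example that is not part of the thread or of any Linksys or Astaro code: a small 802.1Q model in Python that shows how a switch assigns a VLAN to a frame on ingress and then tags, strips or drops it on egress depending on whether the port is an access port or a trunk. Port names, MAC addresses and the payload are constructed; the model drops tagged frames arriving on an access port, which is the usual but not universal behaviour, and treats the trunk's native VLAN as its one untagged VLAN.

```python
"""
Minimal 802.1Q model of switch port behaviour.
Added example; not Linksys or Astaro code. Port names and the
sample frame are constructed.
"""
import struct
from dataclasses import dataclass, field
from typing import Optional, Set

TPID_8021Q = 0x8100       # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


def tag_frame(untagged: bytes, vlan_id: int, pcp: int = 0) -> bytes:
    """Insert a 4-byte 802.1Q tag after the destination/source MAC pair."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN id must be 1..4094")
    tci = (pcp << 13) | vlan_id           # PCP(3) | DEI(1)=0 | VID(12)
    return untagged[:12] + struct.pack("!HH", TPID_8021Q, tci) + untagged[12:]


def untag_frame(tagged: bytes) -> bytes:
    """Remove the tag; the caller has already checked it is an 802.1Q frame."""
    return tagged[:12] + tagged[16:]


def frame_vlan(frame: bytes) -> Optional[int]:
    """VLAN id carried in the frame, or None if the frame is untagged."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack("!H", frame[14:16])
    return tci & 0x0FFF


@dataclass
class Port:
    name: str
    mode: str                      # "access" or "trunk"
    vlan: int = 1                  # access: member VLAN; trunk: native (untagged) VLAN
    allowed: Set[int] = field(default_factory=set)   # trunk only


def ingress(port: Port, frame: bytes) -> Optional[int]:
    """Decide which VLAN a received frame belongs to; None means drop."""
    vid = frame_vlan(frame)
    if port.mode == "access":
        # A station-facing port accepts only untagged traffic and places it
        # in its single VLAN; a tagged frame from a station is dropped.
        return port.vlan if vid is None else None
    # Trunk: untagged frames fall into the native VLAN (the one untagged
    # VLAN per port); tagged frames are accepted only for allowed VLANs.
    if vid is None:
        return port.vlan
    return vid if vid in port.allowed else None


def egress(port: Port, vlan_id: int, frame: bytes) -> Optional[bytes]:
    """The frame as it leaves the port, or None if this port does not carry the VLAN."""
    payload = untag_frame(frame) if frame_vlan(frame) is not None else frame
    if port.mode == "access":
        return payload if vlan_id == port.vlan else None
    if vlan_id == port.vlan:
        return payload                    # native VLAN leaves the trunk untagged
    return tag_frame(payload, vlan_id) if vlan_id in port.allowed else None


def forward(in_port: Port, frame: bytes, out_port: Port) -> Optional[bytes]:
    """One hop through the switch: classify on ingress, rewrite on egress."""
    vlan_id = ingress(in_port, frame)
    if vlan_id is None:
        return None
    return egress(out_port, vlan_id, frame)


# constructed sample: dst MAC, src MAC, IPv4 EtherType, dummy payload
SAMPLE = (bytes.fromhex("0000000000aa") + bytes.fromhex("0000000000bb")
          + struct.pack("!H", ETHERTYPE_IPV4) + b"payload")

PC_VLAN10 = Port("g1", "access", vlan=10)            # station port in VLAN 10
PC_VLAN20 = Port("g5", "access", vlan=20)            # station port in VLAN 20
UPLINK = Port("g24", "trunk", vlan=1, allowed={1, 10, 20})   # tagged link to the gateway


def demo():
    to_gateway = forward(PC_VLAN10, SAMPLE, UPLINK)     # leaves tagged with VID 10
    reply = forward(UPLINK, to_gateway, PC_VLAN10)      # gateway's tagged reply, untagged again
    leak = forward(UPLINK, to_gateway, PC_VLAN20)       # a VLAN 20 port never sees it
    return frame_vlan(to_gateway), reply == SAMPLE, leak


if __name__ == "__main__":
    print(demo())
```

The point the model makes explicit is that the same bytes get the tag added or removed purely from the port's configuration: the PC never sees a tag, the gateway only ever sees tagged frames, and a frame for VLAN 10 has no path to a VLAN 20 access port.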
mbshafer2 (Author) commented:
In response to jfrady, the Astaro box is running the native Astaro Linux.
mbavisi commented:

Hi mbshafer,

Not sure how to do it on these funny new-age switches; I'm more of a Cisco person....

The problem you have is that you need to terminate these VLANs on your Astaro.

The switch ports between the Linksys and your Astaro need to both be 802.1q trunk ports, as multiple VLANs are traversing this.

The other ports on the Linksys can be separated into as many VLANs as you like, so, for example, make 4 access ports on VLAN 10, make another 4 access ports on VLAN 20, etc... (statically assign the VLAN ids on these ports and make sure they are set as ACCESS, not trunks).  You can now segment your traffic: make a subnet range for devices plugged into VLAN 10 and apply it to the devices, e.g. .., same for VLAN 20, e.g. ..; you now have devices on different VLANs.

The crucial thing here is that on the Astaro you need to have an IP interface on this VLAN; for example, on VLAN 10 you need to create an IP interface listening to this VLAN, e.g. for VLAN 10 above... This will be the Default Gateway of your subnet.

For, make it

Once you do this, the IP packets coming from the subnets can now see the routing table of the Astaro and can reach wherever you want to reach, including the other subnets.

The only problem here is that I'm not sure whether the Astaro does VLAN interfaces or supports it? Maybe you can shed some light, as I am more of a Cisco guy.
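One way to lay out the design mbavisi describes (access ports per VLAN, one tagged trunk to the gateway, one IP interface per VLAN on the gateway), as an added example that is not Astaro or Linksys tooling: a Python script that checks a VLAN plan for the two mistakes the thread warns about (a port untagged in two VLANs, overlapping subnets) and then emits the gateway side as Linux iproute2 commands for the 8021q driver, which is what a Linux-based gateway would run if its NIC and driver accept tagged frames (the thread leaves that open for the 3C905), and the switch side in Cisco IOS syntax, as the question invited. VLAN ids, VLAN names, port names, subnets and the parent interface name `eth0` are all constructed assumptions.

```python
"""
Switch-side and gateway-side configuration for several VLANs that share one
tagged uplink to a Linux-based gateway. Added example; not Astaro or Linksys
code. Every id, name and subnet below is a constructed assumption.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Vlan:
    vid: int
    name: str
    subnet: str                     # e.g. "192.0.2.0/24"; gateway takes the first host
    access_ports: Tuple[str, ...]   # station-facing ports, untagged in this VLAN


def validate(plan: List[Vlan]) -> None:
    """Raise ValueError on a plan that cannot work on a low-end switch."""
    vids, nets, ports = set(), [], set()
    for v in plan:
        if not 1 <= v.vid <= 4094:
            raise ValueError(f"VLAN id {v.vid} out of range")
        if v.vid in vids:
            raise ValueError(f"duplicate VLAN id {v.vid}")
        vids.add(v.vid)
        net = ipaddress.ip_network(v.subnet)
        for other in nets:
            if net.overlaps(other):
                raise ValueError(f"{net} overlaps {other}: each VLAN needs its own subnet")
        nets.append(net)
        for p in v.access_ports:
            if p in ports:
                raise ValueError(f"{p} untagged in two VLANs (only one untagged VLAN per port)")
            ports.add(p)


def gateway_address(v: Vlan) -> str:
    """First usable host of the VLAN's subnet, in CIDR form, for the gateway."""
    net = ipaddress.ip_network(v.subnet)
    return f"{next(net.hosts())}/{net.prefixlen}"


def linux_commands(plan: List[Vlan], parent: str = "eth0") -> List[str]:
    """iproute2 commands that terminate each VLAN on a tagged sub-interface."""
    validate(plan)
    cmds = ["modprobe 8021q", f"ip link set {parent} up"]
    for v in plan:
        sub = f"{parent}.{v.vid}"            # Linux convention: parent.vid
        cmds += [
            f"ip link add link {parent} name {sub} type vlan id {v.vid}",
            f"ip addr add {gateway_address(v)} dev {sub}",
            f"ip link set {sub} up",
        ]
    # Whether the VLANs may reach each other is then a firewall policy
    # decision on the gateway; the switch only keeps them apart at layer 2.
    return cmds


def switch_config(plan: List[Vlan], trunk_port: str = "GigabitEthernet0/24") -> str:
    """Cisco IOS syntax: access ports untagged per VLAN, one pruned trunk."""
    validate(plan)
    lines: List[str] = []
    for v in plan:
        lines += [f"vlan {v.vid}", f" name {v.name}"]
    for v in plan:
        for p in v.access_ports:
            lines += [f"interface {p}",
                      " switchport mode access",
                      f" switchport access vlan {v.vid}"]
    # Carry only the planned VLANs on the uplink; "allowed vlan all" would
    # hand every future VLAN to the gateway port as well.
    allowed = ",".join(str(v.vid) for v in plan)
    lines += [f"interface {trunk_port}",
              " switchport trunk encapsulation dot1q",
              " switchport mode trunk",
              f" switchport trunk allowed vlan {allowed}"]
    return "\n".join(lines)


# constructed plan: two VLANs, four station ports each, one uplink
PLAN = [
    Vlan(10, "STAFF", "192.0.2.0/24",
         ("GigabitEthernet0/1", "GigabitEthernet0/2",
          "GigabitEthernet0/3", "GigabitEthernet0/4")),
    Vlan(20, "GUEST", "198.51.100.0/24",
         ("GigabitEthernet0/5", "GigabitEthernet0/6",
          "GigabitEthernet0/7", "GigabitEthernet0/8")),
]

if __name__ == "__main__":
    print("\n".join(linux_commands(PLAN)))
    print(switch_config(PLAN))
```

The `ip addr add` line on each sub-interface is the "IP interface listening to this VLAN" mbavisi refers to, and that address is what the stations in the VLAN use as their default gateway. `switchport trunk encapsulation dot1q` is only needed on IOS switches that also support ISL; others accept `switchport mode trunk` alone.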

My question re: the OS was just out of curiosity.

How is this issue progressing? mbavisi translated my explanation in even more layman terms.  Good job mbavisi.

The other easy solution may be for you to add another NIC in the server.  That way you can have one NIC in each VLAN.  That way you can put NIC 1 untagged in VLAN 1 and NIC 2 untagged in VLAN 2, etc..  That would negate the need for your server to understand 802.1Q tagging.  You would have separate subnets and therefore separate default gateways on each network.

You could also turn on routing if you ever needed to and configure an ACL for security.

With the low priced Layer 3 switches on the market now though you could also just get a layer 3 switch.

Question has a verified solution.
