Solved

Creating several VLANs on a switch to share a common Internet connection.

Posted on 2006-07-22
Last Modified: 2010-05-18
I've been trying to create the following for a client.

I have a Linksys SRW224G switch on which I want to create several VLANs both to improve network performance and for security reasons. These VLANs need to share a common resource being an Astaro Security Gateway firewall/UTM device.

To cover the hardware, the Astaro system is built on a Dell GX240 box with a 3Com 3C905 NIC, which is supposed to handle 802.1q traffic. Additionally, the Astaro system is running the most current version, being 6.301. I configured the Astaro interface as an Ethernet VLAN interface as per the user's manual for version 6.

Note I'm still learning the ins and outs of networking (working on the CCNA currently) so hopefully I'm not missing the obvious here.

Questions:

1. Can VLANs be set to share a common port that connects to a common resource such as the Astaro Gateway? According to what I've read and the tech people at Linksys, the answer is yes; however, three different attempts to get a solution from them didn't work. Note I'm not trying to route between the VLANs, just share a common gateway.

2. If yes, what is the basic configuration to do so, i.e., how is the common port configured, etc.? A Cisco-based explanation is fine, as I'm more interested in understanding the concept.
Question by:mbshafer2
7 Comments
 
LVL 22

Accepted Solution

by:
rickhobbs earned 34 total points
ID: 17161823
On a Cisco it would be like this:
interface vlan 1
 ! use whatever your subnet range is
 ip address 171.197.155.x 255.255.255.0
 ip helper-address 171.197.155.4

interface vlan 2
 ip address 171.197.154.4 255.255.255.0
 ip helper-address 171.197.155.4
 
LVL 9

Assisted Solution

by:jfrady
jfrady earned 33 total points
ID: 17162081
The Astaro server would have to be in both VLANs.  For the NIC to support VLANs I believe it has to be a 3Com "Server" NIC.  The 3C905, while a great card, was before the time of 802.1Q based VLANs and does not support multiple VLANs that I am aware of.  It does support PACE but not 802.1Q.

Essentially what you will need - all station facing ports untagged in the VLAN they are supposed to be in - the link to your server tagged in both VLANs - and the server NIC tagged in both VLANs.

In that Linksys device you would create an additional "Static" VLAN in addition to the Default VLAN.  Then (in the "webview" interface) select tagged or untagged.

You will have to have 2 subnets.  And the server will need to be in both unless they are routed somewhere.  If you don't want them routed do not enable routing in your server.

You generally (especially in low end switches) can only have one untagged VLAN per port.

Is your Astaro server running on Linux or VMWare?
 

Author Comment

by:mbshafer2
ID: 17163180
In response to jfrady, the Astaro box is running the native Astaro Linux.
 
LVL 1

Assisted Solution

by:mbavisi
mbavisi earned 33 total points
ID: 17163804

Hi mbshafer,

Not sure how to do it on these funny new age switches, I'm more of a Cisco person....

The problem you have is that you need to terminate these VLANs on your Astaro.

The switch ports between the Linksys and your Astaro both need to be 802.1q trunk ports, as multiple VLANs are traversing this.

The other ports on the Linksys can be separated into as many VLANs as you like, so for example, make 4 access ports on VLAN 10, make another 4 access ports on VLAN 20, etc. (statically assign the VLAN IDs on these ports and make sure they are set as ACCESS, not trunks).  You can now segment your traffic: make a subnet range for devices plugged into VLAN 10 and apply it to the devices, e.g. 192.168.1.0/24, same for VLAN 20, e.g. 192.168.2.0/24. You now have devices on different VLANs.

The crucial thing here is that on the Astaro, you need to have an IP interface on this VLAN. For example, on VLAN 10, you need to create an IP interface listening to this VLAN, e.g. for VLAN 10 above, 192.168.1.254. This will be the default gateway of your subnet.

For 192.168.2.0/24, make it 192.168.2.254...

Once you do this, the IP packets coming from the subnets can now see the routing table of the Astaro and can reach wherever you want to reach, including the other subnets.

The only problem here is that I'm not sure whether the Astaro does VLAN interfaces or supports it. Maybe you can shed some light, as I am more of a Cisco guy.

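The port layout jfrady and mbavisi describe above (untagged access ports per VLAN, one 802.1Q-tagged trunk to the gateway), as an added example that is not part of the original thread: a small model of how the switch tags and floods a broadcast frame. The port numbers, trunk port 24, the MAC address and the choice to drop tagged frames arriving on access ports are assumptions made for illustration.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag

def tag(frame: bytes, vid: int) -> bytes:
    """Insert a 4-byte 802.1Q tag (priority 0) after the two MAC addresses."""
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) + frame[12:]

def untag(frame: bytes):
    """Return (vid, untagged_frame); vid is None when no tag is present."""
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None, frame
    vid = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
    return vid, frame[:12] + frame[16:]

class Switch:
    def __init__(self, access, trunks):
        self.access = access  # port -> VLAN id (station-facing, untagged)
        self.trunks = trunks  # port -> set of allowed VLAN ids (tagged)

    def flood(self, in_port, frame):
        """Flood a broadcast within its VLAN; return {egress_port: bytes}."""
        vid, inner = untag(frame)
        if in_port in self.access:
            if vid is not None:
                return {}  # assumed policy: tagged frame on an access port is dropped
            vid = self.access[in_port]
        elif vid is None or vid not in self.trunks.get(in_port, ()):
            return {}  # untagged or disallowed VLAN on a trunk (no native VLAN modelled)
        out = {p: inner for p, v in self.access.items() if v == vid and p != in_port}
        out.update({p: tag(inner, vid) for p, allowed in self.trunks.items()
                    if vid in allowed and p != in_port})
        return out

# Constructed layout: ports 1-4 in VLAN 10, ports 5-8 in VLAN 20, port 24 trunk to the gateway.
SWITCH = Switch({**{p: 10 for p in range(1, 5)}, **{p: 20 for p in range(5, 9)}},
                {24: {10, 20}})
# Constructed broadcast frame: dst ff:ff:ff:ff:ff:ff, src 02:00:00:00:00:01, EtherType ARP.
ARP = bytes.fromhex("ffffffffffff" "020000000001" "0806") + bytes(28)

def demo():
    from_host = SWITCH.flood(1, ARP)             # host on a VLAN 10 access port
    from_gw = SWITCH.flood(24, tag(ARP, 20))     # gateway sending on VLAN 20
    return sorted(from_host), untag(from_host[24])[0], sorted(from_gw)

if __name__ == "__main__":
    print(demo())
```

The VLAN 10 broadcast reaches only the other VLAN 10 access ports plus the trunk, where it carries tag 10; the gateway's VLAN 20 frame reaches only ports 5-8.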
 
LVL 9

Expert Comment

by:jfrady
ID: 17164942
My question re: the OS was just out of curiosity.

How is this issue progressing? mbavisi translated my explanation in even more layman terms.  Good job mbavisi.

The other easy solution may be for you to add another NIC in the server.  That way you can have one NIC in each VLAN.  That way you can put NIC 1 untagged in VLAN 1 and NIC 2 untagged in VLAN 2 etc.  That would negate the need for your server to understand 802.1Q tagging.  You would have separate subnets and therefore separate default gateways on each network.

You could also turn on routing if you ever needed to and configure an ACL for security.

With the low priced Layer 3 switches on the market now though you could also just get a layer 3 switch.
