Creating several VLANs on a switch to share a common Internet connection.

Posted on 2006-07-22
Last Modified: 2010-05-18
I've been trying to create the following for a client.

I have a Linksys SRW224G switch on which I want to create several VLANs both to improve network performance and for security reasons. These VLANs need to share a common resource being an Astaro Security Gateway firewall/UTM device.

To cover the hardware, the Astaro system is built on a Dell GX240 box with a 3Com 3C905 NIC, which is supposed to handle 802.1q traffic. Additionally, the Astaro system is running the most current version, being 6.301. I configured the Astaro interface as an Ethernet VLAN interface as per the user's manual for version 6.

Note I'm still learning the ins and outs of networking (working on the CCNA currently) so hopefully I'm not missing the obvious here.


1. Can VLANs be set to share a common port that connects to a common resource such as the Astaro Gateway? According to what I've read and the tech people at Linksys, the answer is yes; however, three different attempts to get a solution from them didn't work. Note I'm not trying to route between the VLANs, just share a common gateway.

2. If yes, what is the basic configuration to do so, i.e., how is the common port configured, etc.? A Cisco-based explanation is fine as I'm more interested in understanding the concept.
Question by:mbshafer2

Accepted Solution

Rick Hobbs earned 34 total points
ID: 17161823
On a Cisco it would be like this:
interface vlan 1
 ip address 171.197.155.x <---or whatever your subnet range is
 ip helper-address

interface vlan 2
 ip address
 ip helper-address

Assisted Solution

jfrady earned 33 total points
ID: 17162081
The Astaro server would have to be in both VLANs.  For the NIC to support VLANs I believe it has to be a 3Com "Server" NIC.  The 3C905, while a great card, was before the time of 802.1Q based VLANs and does not support multiple VLANs that I am aware of.  It does support PACE but not 802.1Q.

Essentially what you will need - all station facing ports untagged in the VLAN they are supposed to be in - the link to your server tagged in both VLANs - and the server NIC tagged in both VLANs.

In that Linksys device you would create an additional "Static" VLAN in addition to the Default VLAN.  Then (in the "webview" interface) select tagged or untagged.

You will have to have 2 subnets.  And the server will need to be in both unless they are routed somewhere.  If you don't want them routed do not enable routing in your server.

You generally (especially in low end switches) can only have one untagged VLAN per port.

Is your Astaro server running on Linux or VMWare?

Author Comment

ID: 17163180
In response to jfrady, the Astaro box is running the native Astaro Linux.

Assisted Solution

mbavisi earned 33 total points
ID: 17163804

Hi mbshafer,

Not sure how to do it on these funny new age switches, I'm more of a Cisco person....

The problem you have is that you need to terminate these VLANs on your Astaro.

The switch ports between the Linksys and your Astaro both need to be 802.1q trunk ports, as multiple VLANs are traversing this.

The other ports on the Linksys can be separated into as many VLANs as you like, so for example, make 4 access ports on vlan 10, make another 4 access ports on vlan 20 etc... (statically assign the VLAN IDs on these ports and make sure they are set as ACCESS, not trunks).  You can now segment your traffic, make a subnet range for devices plugged into vlan 10 and apply to the devices eg.., same for vlan 20, eg, you now have devices on different VLANs.

The crucial thing here is that on the Astaro, you need to have an IP interface on this vlan, example on vlan 10, you need to create an IP interface listening to this vlan, eg for vlan 10 above.. , This will be the Default Gateway of your subnet.

For, make it

Once you do this, the IP packets coming from the subnets can now see the routing table of the Astaro and can reach wherever you want to reach, including the other subnets.

The only problem here is that I'm not sure whether the Astaro does VLAN interfaces or supports it? Maybe you can shed some light as I am more of a Cisco guy.
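
The port layout described in the answers above (station ports untagged in one VLAN, the gateway link tagged in both), modelled at frame level as an added example that is not part of any post. The port numbers, VLAN IDs 10 and 20, and the sample frame are constructed, and the drop rules are this model's policy, not the documented behaviour of the SRW224G.

```python
import struct

TPID = 0x8100  # EtherType value that marks an 802.1Q tag

def tag(frame, vid):
    """Insert a 4-byte 802.1Q tag (priority 0) after the two MAC addresses."""
    return frame[:12] + struct.pack("!HH", TPID, vid & 0x0FFF) + frame[12:]

def untag(frame):
    """Return (vid, untagged frame); vid is None when no tag is present."""
    if struct.unpack("!H", frame[12:14])[0] != TPID:
        return None, frame
    vid = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
    return vid, frame[:12] + frame[16:]

class Switch:
    """Toy VLAN-aware switch that floods every frame within its VLAN."""
    def __init__(self, access, trunk):
        self.access = access  # port -> the single untagged VLAN of that port
        self.trunk = trunk    # port -> set of VLANs carried tagged on that port

    def forward(self, in_port, frame):
        """Return {out_port: bytes as they appear on that port's wire}."""
        vid, inner = untag(frame)
        if in_port in self.access:
            if vid is not None:
                return {}  # model policy: tagged frame on an access port is dropped
            vid = self.access[in_port]  # ingress: classify by port membership
        elif vid not in self.trunk.get(in_port, ()):
            return {}  # untagged or non-member VLAN on the trunk is dropped
        out = {p: inner for p, v in self.access.items() if v == vid and p != in_port}
        out.update({p: tag(inner, vid) for p, vs in self.trunk.items()
                    if vid in vs and p != in_port})
        return out

# Constructed layout: ports 1-2 in VLAN 10, ports 3-4 in VLAN 20, port 24 to the gateway.
SW = Switch(access={1: 10, 2: 10, 3: 20, 4: 20}, trunk={24: {10, 20}})
# Constructed broadcast frame: dst MAC, src MAC, EtherType 0x0806, dummy payload.
ARP = bytes.fromhex("ffffffffffff" "020000000001" "0806") + b"\x00" * 28

def demo():
    from_host = SW.forward(1, ARP)              # station in VLAN 10 broadcasts
    from_gateway = SW.forward(24, tag(ARP, 20)) # gateway sends on its VLAN 20 interface
    self_tagged = SW.forward(1, tag(ARP, 20))   # station tags its own frame for VLAN 20
    return from_host, from_gateway, self_tagged
```

The broadcast from port 1 reaches only port 2 and the gateway link, where it carries tag bytes `81 00 00 0a`; nothing crosses from VLAN 10 to VLAN 20 inside the switch, so any traffic between the two subnets has to pass through the gateway's own rules.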


Expert Comment

ID: 17164942
My question re: the OS was just out of curiosity.

How is this issue progressing? mbavisi translated my explanation in even more layman terms.  Good job mbavisi.

The other easy solution may be for you to add another NIC in the server.  That way you can have one NIC in each VLAN.  That way you can put NIC 1 untagged in VLAN 1 and NIC 2 untagged in VLAN 2 etc..  That would negate the need for your server to understand 802.1Q tagging.  You would have separate subnets and therefore separate default gateways on each network.

You could also turn on routing if you ever needed to and configure an ACL for security.

With the low priced Layer 3 switches on the market now though you could also just get a layer 3 switch.

