Creating several VLANs on a switch to share a common Internet connection.

Posted on 2006-07-22
Last Modified: 2010-05-18
I've been trying to create the following for a client.

I have a Linksys SRW224G switch on which I want to create several VLANs both to improve network performance and for security reasons. These VLANs need to share a common resource being an Astaro Security Gateway firewall/UTM device.

To cover the hardware, the Astaro system is built on a Dell GX240 box with a 3Com 3C905 NIC which is supposed to handle 802.1q traffic. Additionally, the Astaro system is running the most current version, being 6.301. I configured the Astaro interface as an Ethernet VLAN interface as per the user's manual for version 6.

Note I'm still learning the ins and outs of networking (working on the CCNA currently) so hopefully I'm not missing the obvious here.


1. Can VLANs be set to share a common port that connects to a common resource such as the Astaro Gateway? According to what I've read and the tech people at Linksys the answer is yes however three different attempts to get a solution from them didn't work. Note I'm not trying to route between the VLANs just share a common gateway.

2. If yes, what is the basic configuration to do so? i.e., how is the common port configured etc. A Cisco based explanation is fine as I'm more interested in understanding the concept.
Question by:mbshafer2

Accepted Solution

Rick Hobbs earned 34 total points
ID: 17161823
On a Cisco it would be like this:
interface vlan 1
 ip address 171.197.155.x <---or whatever your subnet range is
 ip helper-address

interface vlan 2
 ip address
 ip helper-address

Assisted Solution

jfrady earned 33 total points
ID: 17162081
The Astaro server would have to be in both VLANs.  For the NIC to support VLANs I believe it has to be a 3Com "Server" NIC.  The 3C905, while a great card, was before the time of 802.1Q based VLANs and does not support multiple VLANs that I am aware of.  It does support PACE but not 802.1Q.

Essentially what you will need - all station facing ports untagged in the VLAN they are supposed to be in - the link to your server tagged in both VLANs - and the server NIC tagged in both VLANs.

In that Linksys device you would create an additional "Static" VLAN in addition to the Default VLAN.  Then (in the "webview" interface) select tagged or untagged.

You will have to have 2 subnets.  And the server will need to be in both unless they are routed somewhere.  If you don't want them routed do not enable routing in your server.

You generally (especially in low end switches) can only have one untagged VLAN per port.

Is your Astaro server running on Linux or VMWare?

Author Comment

ID: 17163180
In response to jfrady, the Astaro box is running the native Astaro Linux.

Assisted Solution

mbavisi earned 33 total points
ID: 17163804

Hi mbshafer,

Not sure how to do it on these funny new age switches, I'm more of a Cisco person....

The problem you have is that you need to terminate these vlans on your Astaro.

The switch ports between the Linksys and your Astaro both need to be 802.1q trunk ports, as multiple vlans are traversing this.

The other ports on the Linksys can be separated into as many vlans as you like, so for example, make 4 access ports on vlan 10, make another 4 access ports on vlan 20 etc...(statically assign the vlan ids on these ports and make sure they are set as ACCESS, not trunks).  You can now segment your traffic, make a subnet range for devices plugged into vlan 10 and apply to the devices eg.., same for vlan 20, eg, you now have devices on different vlans.

The crucial thing here is that on the Astaro, you need to have an IP interface on this vlan, example on vlan 10, you need to create an IP interface listening to this vlan, eg for vlan 10 above.. , This will be the Default Gateway of your subnet.

For, make it

Once you do this, the IP packets coming from the subnets can now see the routing table of the Astaro and can reach wherever you want to reach, including the other subnets.

The only problem here is that I'm not sure whether the Astaro does vlan interfaces or supports it? Maybe you can shed some light as I am more of a Cisco guy.
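
The tagged/untagged port layout described in the answers above, as an added example that is not part of any participant's post: a small Python model of the switch showing that frames from access ports reach the gateway's trunk port carrying an 802.1Q tag and never reach access ports in the other VLAN. Port numbers, VLAN IDs 10 and 20 and the MAC address are constructed, and flooding stands in for MAC learning.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag
# Constructed layout: access ports carry one untagged VLAN each,
# the trunk port (uplink to the gateway) carries both VLANs tagged.
ACCESS_PORTS = {1: 10, 2: 10, 3: 20, 4: 20}  # port -> VLAN ID
TRUNK_PORT = 24
TRUNK_ALLOWED = {10, 20}

def eth_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    return dst + src + struct.pack("!H", ethertype) + payload

def add_tag(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert the 4-byte 802.1Q tag (TPID + TCI) after the source MAC."""
    tci = (pcp << 13) | (vid & 0x0FFF)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

def strip_tag(frame: bytes):
    """Return (vid, untagged_frame); vid is None when the frame has no tag."""
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_8021Q:
        return None, frame
    return tci & 0x0FFF, frame[:12] + frame[16:]

def switch_forward(in_port: int, frame: bytes) -> dict:
    """Flood a frame to every other port in the same VLAN.
    Returns {egress_port: frame_as_sent_on_that_port}."""
    if in_port == TRUNK_PORT:
        vid, inner = strip_tag(frame)
        if vid not in TRUNK_ALLOWED:
            return {}  # untagged or unknown VLAN on the trunk: dropped
    else:
        vid, inner = ACCESS_PORTS[in_port], frame
    # Access ports in the same VLAN get the frame untagged.
    out = {p: inner for p, v in ACCESS_PORTS.items() if v == vid and p != in_port}
    if in_port != TRUNK_PORT:
        out[TRUNK_PORT] = add_tag(inner, vid)  # tagged toward the gateway
    return out

def demo():
    """Broadcast from a VLAN 10 host: egress ports and the VLAN seen on the trunk."""
    host = bytes.fromhex("020000000a01")  # constructed MAC address
    frame = eth_frame(b"\xff" * 6, host, 0x0806, b"\x00" * 28)
    out = switch_forward(1, frame)
    return sorted(out), strip_tag(out[TRUNK_PORT])[0]

if __name__ == "__main__":
    print(demo())
```

Because the switch never bridges VLAN 10 to VLAN 20, traffic between the two subnets can only pass through the gateway, so its routing and firewall rules decide whether the VLANs stay isolated.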


Expert Comment

ID: 17164942
My question re: the OS was just out of curiosity.

How is this issue progressing? mbavisi translated my explanation in even more layman terms.  Good job mbavisi.

The other easy solution may be for you to add another NIC in the server.  That way you can have one NIC in each VLAN.  That way you can put NIC 1 untagged in VLAN 1 and NIC 2 untagged in VLAN 2 etc..  That would negate the need for your server to understand 802.1Q tagging.  You would have separate subnets and therefore separate default gateways on each network.

You could also turn on routing if you ever needed to and configure an ACL for security.

With the low priced Layer 3 switches on the market now though you could also just get a layer 3 switch.

