---
title: "VLAN configuration"
domain: network
subdomain: vlan
type: snippet
tags: [vlan, cisco, hp, aruba, switching, trunk, access, 802.1q]
difficulty: intermediate
status: stable
updated: "2025-05-10"
---
## Concepts

```
VLAN = Virtual LAN: logical segmentation of a physical network
802.1Q = standard for tagging VLANs on Ethernet frames (4-byte tag: TPID 0x8100 + 12-bit VLAN ID)

Port types:
- Access : port belonging to ONE VLAN (workstations, printers); frames leave it untagged
- Trunk  : carries SEVERAL VLANs, each frame tagged (between switches, toward a router)
- Hybrid : mix of access and trunk (Huawei, HP: one untagged VLAN plus tagged VLANs)

Native VLAN: the VLAN whose frames travel untagged on a trunk (default = VLAN 1)
```

## Cisco IOS

### Create VLANs

```cisco
! Global configuration mode
conf t

! Create the VLAN (refused on a switch in VTP client mode)
vlan {{VLAN_ID}}
 name {{SERVICE}}

! Several VLANs at once
vlan 10,20,30,100

! Verify
show vlan brief
show vlan id {{VLAN_ID}}
```

### Access port

```cisco
conf t
interface FastEthernet0/1
 switchport mode access
 switchport access vlan {{VLAN_ID}}
 ! portfast skips the STP listening/learning states: end-host ports only, never on a link to another switch
 spanning-tree portfast
 no shutdown

! In bulk on an interface range
interface range FastEthernet0/1-12
 switchport mode access
 switchport access vlan {{VLAN_ID}}
 spanning-tree portfast
```

### Trunk port

```cisco
conf t
interface GigabitEthernet0/1
 ! On platforms that also support ISL the encapsulation must be set BEFORE
 ! "switchport mode trunk"; otherwise the mode command is rejected ("Auto" encapsulation)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ! Allowed VLANs: without this line the trunk carries every VLAN (1-4094)
 switchport trunk allowed vlan 10,20,30,100
 ! Native VLAN: a dedicated VLAN, never VLAN 1 and never one that has access ports
 switchport trunk native vlan 999
 no shutdown

! Add a VLAN to an existing trunk (still in interface configuration mode).
! Without the "add" keyword the list is REPLACED and every other VLAN drops off the trunk.
switchport trunk allowed vlan add 40

! Show trunks
show interfaces trunk
```

### Router-on-a-stick (inter-VLAN routing)

```cisco
! On the router: one subinterface per VLAN; the physical interface carries no IP address.
! The switch port facing the router must be a trunk that allows VLANs 10, 20 and 100.
conf t
interface GigabitEthernet0/0
 no shutdown

interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0

interface GigabitEthernet0/0.20
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0

interface GigabitEthernet0/0.100
 encapsulation dot1Q 100
 ip address 10.0.100.1 255.255.255.0
```

### SVI, Switch Virtual Interface (Layer 3 switch)

```cisco
conf t
! Enable routing on the Layer 3 switch
ip routing

! Create the SVIs. The VLAN must exist (vlan 10 / vlan 20) and have at least one
! active port, otherwise the SVI stays down/down.
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
 no shutdown

interface Vlan20
 ip address 192.168.20.1 255.255.255.0
 no shutdown
```

## HP / Aruba (ProCurve / AOS-CX)

### HP ProCurve (ArubaOS-Switch)

```text
# Create and name a VLAN
vlan {{VLAN_ID}}
   name {{SERVICE}}
   exit

# Access port: a port is untagged in exactly one VLAN (assigning it here removes it from untagged VLAN 1)
interface {{INTERFACE}}
   untagged vlan {{VLAN_ID}}
   exit

# "Trunk" in the Cisco sense: the port is tagged in several VLANs.
# Careful: on ProCurve the keyword "trunk" means link aggregation (LACP), not 802.1Q.
interface {{INTERFACE}}
   tagged vlan 10,20,30
   exit

# Verify
show vlans
show interfaces {{INTERFACE}}
```

### Aruba AOS-CX

```text
# Create the VLAN
vlan {{VLAN_ID}}
   name {{SERVICE}}

# Access port ("no routing" turns the default routed port into a Layer 2 port)
interface {{INTERFACE}}
   no routing
   vlan access {{VLAN_ID}}

# Trunk port
interface {{INTERFACE}}
   no routing
   vlan trunk allowed 10,20,30
   vlan trunk native {{VLAN_ID}}

# Verify
show vlan
show interfaces {{INTERFACE}} trunk
```

## VLAN security

```cisco
! VLAN hopping by switch spoofing: a host negotiates a trunk through DTP.
! "switchport nonegotiate" is rejected on a port still in dynamic mode,
! so fix the mode first (edge ports here; exclude the trunk ports from the range)
interface range GigabitEthernet0/1-24
 switchport mode access
 switchport nonegotiate

! Unused ports: explicit access mode, a black-hole VLAN distinct from the
! trunk native VLAN (999 above), and shutdown
interface range FastEthernet0/13-24
 switchport mode access
 switchport access vlan 998
 shutdown

! Private VLAN (isolation inside a VLAN): requires VTP transparent mode (VTPv1/v2),
! an isolated secondary VLAN associated with a primary, host ports and a promiscuous port
vtp mode transparent
vlan 101
 private-vlan isolated
vlan 100
 private-vlan primary
 private-vlan association 101
interface FastEthernet0/5
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
interface GigabitEthernet0/2
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101

! Port security: "switchport port-security" enables the feature; the maximum /
! violation / sticky lines alone have no effect. Needs a static access port
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
```
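The tag format from the Concepts block and the native-VLAN weakness this section mitigates, worked through in code. This is an added example, not part of the original page: it encodes and parses 802.1Q tags and pushes a crafted double-tagged frame through a minimal two-switch model (access port into trunk, trunk into the next switch). The MAC addresses, payload and topology are constructed; the behaviour modelled (an access port accepts frames tagged with its own VLAN, a trunk sends its native VLAN untagged and classifies untagged ingress frames as native) is the classic Catalyst behaviour that double tagging relies on.

```python
"""802.1Q tagging and the double-tagging form of VLAN hopping, simulated in Python.
Added example, not code from the original page; addresses, payload and topology
are constructed and no real network is touched."""
import struct
from dataclasses import dataclass

TPID_8021Q = 0x8100                              # EtherType announcing an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800
BROADCAST = b"\xff" * 6
ATTACKER_MAC = bytes.fromhex("020000000001")     # constructed locally administered MAC


@dataclass
class Frame:
    dst: bytes
    src: bytes
    tags: list                                   # (pcp, dei, vid) tuples, outermost first
    ethertype: int
    payload: bytes


def build_tci(pcp: int, dei: int, vid: int) -> int:
    """Tag Control Information: 3-bit PCP, 1-bit DEI, 12-bit VID."""
    if not (0 <= pcp < 8 and dei in (0, 1) and 0 <= vid < 4096):
        raise ValueError("PCP/DEI/VID out of range")
    return (pcp << 13) | (dei << 12) | vid


def encode(frame: Frame) -> bytes:
    """Serialise dst, src, zero or more 802.1Q tags, EtherType and payload."""
    out = frame.dst + frame.src
    for pcp, dei, vid in frame.tags:
        out += struct.pack("!HH", TPID_8021Q, build_tci(pcp, dei, vid))
    return out + struct.pack("!H", frame.ethertype) + frame.payload


def decode(raw: bytes) -> Frame:
    """Parse a frame, peeling every stacked 802.1Q tag."""
    if len(raw) < 14:
        raise ValueError("frame too short")
    pos, tags = 12, []
    while True:
        (ethertype,) = struct.unpack_from("!H", raw, pos)
        pos += 2
        if ethertype != TPID_8021Q:
            break
        (tci,) = struct.unpack_from("!H", raw, pos)
        pos += 2
        tags.append(((tci >> 13) & 0x7, (tci >> 12) & 0x1, tci & 0x0FFF))
    return Frame(raw[:6], raw[6:12], tags, ethertype, raw[pos:])


# --- minimal switch model -----------------------------------------------------

def access_ingress(raw: bytes, access_vlan: int):
    """Access port: untagged -> classified into access_vlan; tagged with the access
    VLAN -> accepted as-is (inner tags survive); any other tag -> dropped (None)."""
    f = decode(raw)
    if not f.tags:
        f.tags = [(0, 0, access_vlan)]
        return f
    return f if f.tags[0][2] == access_vlan else None


def trunk_egress(frame: Frame, native_vlan: int, tag_native: bool = False) -> bytes:
    """Trunk port: the native VLAN leaves untagged unless tag_native is set
    (the effect of Cisco's global `vlan dot1q tag native`)."""
    if frame.tags[0][2] == native_vlan and not tag_native:
        frame = Frame(frame.dst, frame.src, frame.tags[1:], frame.ethertype, frame.payload)
    return encode(frame)


def trunk_ingress(raw: bytes, native_vlan: int) -> Frame:
    """Trunk port on the far switch: untagged frames belong to the native VLAN."""
    f = decode(raw)
    if not f.tags:
        f.tags = [(0, 0, native_vlan)]
    return f


def simulate_double_tag(attacker_vlan: int, native_vlan: int, target_vlan: int,
                        tag_native: bool = False):
    """VLAN the attacker's frame lands in on the second switch, or None if dropped."""
    crafted = Frame(BROADCAST, ATTACKER_MAC,
                    [(0, 0, attacker_vlan), (0, 0, target_vlan)],    # outer tag, inner tag
                    ETHERTYPE_IPV4, b"constructed payload")
    f = access_ingress(encode(crafted), access_vlan=attacker_vlan)
    if f is None:
        return None
    return trunk_ingress(trunk_egress(f, native_vlan, tag_native), native_vlan).tags[0][2]


if __name__ == "__main__":
    print("native 1,   attacker in 1   ->", simulate_double_tag(1, 1, 20))          # 20: hopped
    print("native 999, attacker in 1   ->", simulate_double_tag(1, 999, 20))        # 1: contained
    print("native 999, attacker in 999 ->", simulate_double_tag(999, 999, 20))      # 20: hopped again
    print("native 1 tagged, attacker 1 ->", simulate_double_tag(1, 1, 20, True))    # 1: contained
```

The four cases in the `__main__` block are the point: with native VLAN 1 and the attacker in VLAN 1 the frame lands in VLAN 20; moving the native VLAN to 999 contains it, but only until an access port is put in 999 (which is why the black-hole VLAN for unused ports must differ from the native VLAN); tagging the native VLAN contains it regardless of where the attacker sits.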

## Verification and debugging

```cisco
show vlan brief
show interfaces status
show interfaces trunk
show mac address-table vlan {{VLAN_ID}}
show spanning-tree vlan {{VLAN_ID}}
debug sw-vlan vtp events
```

<Tip>
Never leave VLAN 1 as the native VLAN on a trunk. With double tagging, a host in the native VLAN sends a frame carrying two 802.1Q tags: the outer tag matches the native VLAN, so the first switch strips it before forwarding on the trunk; the next switch reads the inner tag and delivers the frame into that VLAN (one-way only, but enough to inject traffic). Moving the native VLAN to 999 only helps if no access port is ever placed in 999, so keep a separate black-hole VLAN for unused ports instead of reusing the native VLAN; where the platform supports it, the global `vlan dot1q tag native` makes the native VLAN tagged on trunks as well, which removes the attack entirely. Disable DTP (`switchport nonegotiate`) on every edge port so a host cannot negotiate itself a trunk. Check the result with `show interfaces <if> switchport` (Negotiation of Trunking, Trunking Native Mode VLAN) and `show interfaces trunk`.
</Tip>
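An added audit script (not from the original page) that checks a saved Catalyst running-config against the rules in the Tip above: trunks with native VLAN 1 or no allowed-VLAN list, ports that still run DTP, access ports sitting in a trunk's native VLAN or in VLAN 1, port-security parameters without the enabling command, and ports left in dynamic mode. `SAMPLE_CONFIG` is a constructed excerpt in the same IOS syntax as the snippets on this page; in practice feed it the text of `show running-config`.

```python
"""Audit a Catalyst running-config for the VLAN hardening points on this page.
Added example, not code from the original page; SAMPLE_CONFIG is constructed."""
import re
from collections import defaultdict

SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30,100
 switchport trunk native vlan 999
 switchport nonegotiate
!
interface GigabitEthernet0/2
 switchport mode trunk
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
!
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 999
 switchport nonegotiate
!
interface FastEthernet0/3
 switchport access vlan 20
!
interface FastEthernet0/13
 switchport mode access
 switchport access vlan 998
 shutdown
!
"""

NATIVE_RE = re.compile(r"^switchport trunk native vlan (\d+)$")
ACCESS_RE = re.compile(r"^switchport access vlan (\d+)$")


def parse_interfaces(config: str) -> dict:
    """Group the indented lines of each 'interface ...' stanza under its name."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            blocks[current] = []
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None                     # '!' or a global command ends the stanza
    return blocks


def vlan_of(cmds, pattern, default=1):
    """VLAN from the first matching command; IOS defaults native and access VLAN to 1."""
    for cmd in cmds:
        m = pattern.match(cmd)
        if m:
            return int(m.group(1))
    return default


def audit(config: str) -> dict:
    """Return {interface: [finding, ...]} for every active switchport that breaks a rule."""
    blocks = parse_interfaces(config)
    findings = defaultdict(list)
    # Native VLANs in use on trunks: an access port in one of them enables double tagging
    trunk_natives = {vlan_of(c, NATIVE_RE) for c in blocks.values() if "switchport mode trunk" in c}

    for name, cmds in blocks.items():
        if "shutdown" in cmds or "no switchport" in cmds:
            continue                           # disabled or routed port: out of scope
        if "switchport mode trunk" in cmds:
            if vlan_of(cmds, NATIVE_RE) == 1:
                findings[name].append("native VLAN is 1 (default)")
            if not any(c.startswith("switchport trunk allowed vlan") for c in cmds):
                findings[name].append("no allowed-VLAN list: all VLANs 1-4094 carried")
        elif "switchport mode access" in cmds:
            vid = vlan_of(cmds, ACCESS_RE)
            if vid in trunk_natives:
                findings[name].append(f"access VLAN {vid} is also a trunk native VLAN")
            if vid == 1:
                findings[name].append("left in default VLAN 1")
            if any(c.startswith("switchport port-security ") for c in cmds) \
                    and "switchport port-security" not in cmds:
                findings[name].append("port-security parameters without 'switchport port-security'")
        else:
            findings[name].append("no explicit switchport mode: DTP dynamic, a host can negotiate a trunk")
            continue
        if "switchport nonegotiate" not in cmds:
            findings[name].append("DTP enabled: add 'switchport nonegotiate'")
    return dict(findings)


if __name__ == "__main__":
    for port, issues in audit(SAMPLE_CONFIG).items():
        for issue in issues:
            print(f"{port}: {issue}")
```

On the constructed config, GigabitEthernet0/1 (hardened as in the Trunk section) and the shut-down FastEthernet0/13 produce no findings; GigabitEthernet0/2 collects all three trunk findings, FastEthernet0/1 shows the missing `switchport port-security`, FastEthernet0/2 is flagged for sitting in the trunk native VLAN, and FastEthernet0/3 for having no explicit mode.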
