
VLAN Configuration

Create and configure VLANs on Cisco and HP/Aruba switches

snippet · intermediate · 2025-05-10 · 3 min read
Tags: vlan, cisco, hp, aruba, switching, trunk, access, 802.1q

Concepts

VLAN (Virtual LAN): logical segmentation of one physical network
802.1Q: the standard for VLAN tagging of Ethernet frames (a 4-byte tag inserted after the source MAC; 12-bit VLAN ID, so usable IDs are 1-4094)
Port types
Access: port that belongs to ONE VLAN (workstations, printers)
Trunk: carries SEVERAL VLANs (switch to switch, towards a router)
Hybrid: untagged in one VLAN and tagged in others on the same port (Huawei and HP Comware terminology)
Native VLAN: the VLAN whose frames cross a trunk untagged (default: VLAN 1)
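The tagging mechanics behind the concepts above, as an added Python example that is not part of the original note: it encodes and decodes 802.1Q tags (stacked 0x8100/0x88A8 tags included) and models the native-VLAN rule of a trunk port, namely that a frame in the native VLAN crosses the trunk untagged while any inner tag is left untouched. The MAC addresses, VLAN IDs, payloads and the trunk_ingress/trunk_egress helpers are constructed for illustration and are not a switch implementation.

```python
import struct
from typing import List, Tuple

ETH_P_8021Q = 0x8100   # TPID of a customer tag (C-tag)
ETH_P_8021AD = 0x88A8  # TPID of a service tag (S-tag, QinQ); parsed too so stacked tags are handled


def build_tag(vid: int, pcp: int = 0, dei: int = 0, tpid: int = ETH_P_8021Q) -> bytes:
    """Encode one 4-byte 802.1Q tag: 16-bit TPID + 16-bit TCI (3-bit PCP, 1-bit DEI, 12-bit VID)."""
    if not 0 <= vid <= 4095:
        raise ValueError("VID must fit in 12 bits")
    tci = ((pcp & 0x7) << 13) | ((dei & 0x1) << 12) | vid
    return struct.pack("!HH", tpid, tci)


def build_frame(dst: bytes, src: bytes, vids: List[int], ethertype: int, payload: bytes) -> bytes:
    """Ethernet II frame with zero or more 802.1Q tags (outermost first) after the source MAC."""
    if len(dst) != 6 or len(src) != 6:
        raise ValueError("MAC addresses are 6 bytes")
    tags = b"".join(build_tag(v) for v in vids)
    return dst + src + tags + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> Tuple[List[int], int, bytes]:
    """Peel every 802.1Q/802.1ad tag; return (VIDs outer->inner, inner EtherType, payload)."""
    vids: List[int] = []
    offset = 12  # skip destination + source MAC
    while True:
        if offset + 2 > len(frame):
            raise ValueError("truncated Ethernet header")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in (ETH_P_8021Q, ETH_P_8021AD):
            return vids, ethertype, frame[offset + 2:]
        if offset + 4 > len(frame):
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vids.append(tci & 0x0FFF)
        offset += 4


def trunk_ingress(frame: bytes, native_vlan: int) -> int:
    """VLAN a trunk port assigns to a received frame: the outer tag if present, else the native VLAN."""
    vids, _, _ = parse_frame(frame)
    return vids[0] if vids else native_vlan


def trunk_egress(frame: bytes, native_vlan: int) -> bytes:
    """Frame as sent by a trunk port: the native VLAN's tag is removed, any other tag is kept.
    Only the outer tag is examined, so an inner tag survives the trunk untouched. That is why the
    native VLAN must be a VLAN no host can send into (see the security section)."""
    vids, _, _ = parse_frame(frame)
    if vids and vids[0] == native_vlan:
        return frame[:12] + frame[16:]  # drop the 4-byte outer tag
    return frame


if __name__ == "__main__":
    # Constructed sample frames: made-up MACs, an ARP-sized zero payload.
    dst = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex("020000000001")
    single = build_frame(dst, src, [20], 0x0806, bytes(28))
    double = build_frame(dst, src, [1, 20], 0x0806, bytes(28))
    print("single tag, trunk native 1:", parse_frame(trunk_egress(single, 1))[0])    # [20]
    print("double tag, trunk native 1:", parse_frame(trunk_egress(double, 1))[0])    # [20]: outer tag stripped, inner survives
    print("double tag, trunk native 999:", parse_frame(trunk_egress(double, 999))[0])  # [1, 20]: nothing stripped
```

The last two lines of the demo are the whole argument for a dedicated native VLAN: with native VLAN 1 the outer tag of a [1, 20] frame disappears on the trunk and the frame continues as a plain VLAN 20 frame; with native VLAN 999 the outer tag stays and the frame never leaves VLAN 1.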

Cisco IOS

Create VLANs

cisco
Variables
{{VLAN_ID}}
{{SERVICE}}
! Global configuration mode
conf t
! Create the VLAN and give it a meaningful name
vlan {{VLAN_ID}}
name {{SERVICE}}
! Several VLANs at once
vlan 10,20,30,100
! Verify
show vlan brief
show vlan id {{VLAN_ID}}

Access port

cisco
Variables
{{VLAN_ID}}
conf t
interface FastEthernet0/1
switchport mode access
switchport access vlan {{VLAN_ID}}
! PortFast only on end-host ports (never on a port that may see another switch);
! comments go on their own line so the block pastes cleanly into the CLI
spanning-tree portfast
no shutdown
! In bulk over an interface range
interface range FastEthernet0/1-12
switchport mode access
switchport access vlan {{VLAN_ID}}
spanning-tree portfast

Trunk port

cisco
conf t
interface GigabitEthernet0/1
! On older IOS / platforms that also support ISL, the encapsulation must be set
! BEFORE 'switchport mode trunk', otherwise the mode command is rejected
switchport trunk encapsulation dot1q
switchport mode trunk
! Allowed VLANs: an explicit list, not the default 'all'
switchport trunk allowed vlan 10,20,30,100
! Native VLAN: a dedicated, otherwise unused VLAN, NOT VLAN 1
switchport trunk native vlan 999
no shutdown
! Add a VLAN to an existing trunk: keep the 'add' keyword,
! without it the whole allowed list is REPLACED by the new value
switchport trunk allowed vlan add 40
! List trunks
show interfaces trunk

Router-on-a-stick (inter-VLAN routing)

cisco
! On the router: one sub-interface per VLAN; the physical interface carries no IP address
! and the switch port facing it must be a trunk that allows these VLANs
conf t
interface GigabitEthernet0/0
no shutdown
interface GigabitEthernet0/0.10
encapsulation dot1Q 10
ip address 192.168.10.1 255.255.255.0
interface GigabitEthernet0/0.20
encapsulation dot1Q 20
ip address 192.168.20.1 255.255.255.0
interface GigabitEthernet0/0.100
encapsulation dot1Q 100
ip address 10.0.100.1 255.255.255.0

SVI — Switch Virtual Interface (Layer 3 switch)

cisco
conf t
! Enable routing on the Layer 3 switch
ip routing
! Create the SVIs (one per VLAN; the VLAN itself must already exist)
interface Vlan10
ip address 192.168.10.1 255.255.255.0
no shutdown
interface Vlan20
ip address 192.168.20.1 255.255.255.0
no shutdown

HP / Aruba (ProCurve / AOS-CX)

HP ProCurve

bash
Variables
{{VLAN_ID}}
{{SERVICE}}
{{INTERFACE}}
# Create and name a VLAN
vlan {{VLAN_ID}}
name {{SERVICE}}
exit
# Access port: a port can be untagged in only one VLAN
interface {{INTERFACE}}
untagged vlan {{VLAN_ID}}
exit
# Trunk port: tagged in every VLAN it has to carry
interface {{INTERFACE}}
tagged vlan 10,20,30
exit
# Verify
show vlan
show interfaces {{INTERFACE}}

Aruba AOS-CX

bash
Variables
{{VLAN_ID}}
{{SERVICE}}
{{INTERFACE}}
# Create the VLAN
vlan {{VLAN_ID}}
name {{SERVICE}}
# Access port ('no routing' turns the interface into a Layer 2 port)
interface {{INTERFACE}}
no routing
vlan access {{VLAN_ID}}
# Trunk port: give an explicit allowed list rather than leaving the default,
# and move the native VLAN to a dedicated one
interface {{INTERFACE}}
no routing
vlan trunk allowed 10,20,30
vlan trunk native {{VLAN_ID}}
# Verify
show vlan
show interfaces {{INTERFACE}} trunk

VLAN security

cisco
! VLAN hopping (switch spoofing): disable DTP so that a host cannot negotiate itself into a trunk.
! 'nonegotiate' is only accepted on a port already forced to access or trunk mode
interface range GigabitEthernet0/1-24
switchport mode access
switchport nonegotiate
! Unused ports: force access mode, park them in a quarantine VLAN, shut them down
interface range FastEthernet0/13-24
switchport mode access
switchport access vlan 999
shutdown
! Private VLAN (isolation inside one VLAN): an isolated VLAN only works once it is
! associated with a primary VLAN, and PVLANs need VTP transparent mode (or VTP v3)
vtp mode transparent
vlan 101
private-vlan isolated
vlan 100
private-vlan primary
private-vlan association 101
! Port security: the feature itself must be switched on, the other lines only tune it
interface FastEthernet0/1
switchport mode access
switchport port-security
switchport port-security maximum 2
switchport port-security violation restrict
switchport port-security mac-address sticky

Verification and debugging

cisco
Variables
{{VLAN_ID}}
show vlan brief
show interfaces status
show interfaces trunk
! Admin/operational mode, native VLAN and "Negotiation of Trunking" (DTP) per port
show interfaces switchport
show mac address-table vlan {{VLAN_ID}}
show spanning-tree vlan {{VLAN_ID}}
! Debug only when needed, and turn it off afterwards
debug sw-vlan vtp events
undebug all
💡 Tip

Never leave VLAN 1 as the native VLAN on trunks: VLAN hopping risk (double tagging). Create a dedicated VLAN (e.g. 999) that is used for nothing else and use it both as the native VLAN and as the parking VLAN for unused ports. Disable DTP (switchport nonegotiate) on all edge ports.
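A configuration audit for the rules of this section and the tip above, as an added Python example that is not the note's own code. SAMPLE_CONFIG is a constructed running-config fragment, not a capture from a real device; the parser assumes the standard IOS layout (interface sub-commands indented by one space, '!' between stanzas) and the IOS defaults of DTP 'dynamic auto' when no mode is set, native VLAN 1 and all VLANs allowed on a trunk when nothing else is configured. The "VLAN 1 carried on the trunk" check goes one step beyond the tip's literal rule, matching the explicit allowed list used in the trunk snippet.

```python
from typing import Dict, List, Optional, Set

# Constructed sample running-config (not from a real device): one hardened trunk,
# one legacy trunk left at defaults, one hardened access port, one access port
# without an explicit mode, and one parked unused port.
SAMPLE_CONFIG = """\
! constructed sample, not a real device
interface GigabitEthernet0/1
 description uplink-core
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30,100
 switchport trunk native vlan 999
 switchport nonegotiate
!
interface GigabitEthernet0/2
 description uplink-legacy
 switchport mode trunk
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 spanning-tree portfast
!
interface FastEthernet0/2
 switchport access vlan 20
!
interface FastEthernet0/13
 switchport mode access
 switchport access vlan 999
 shutdown
!
"""

MODE_PREFIX = "switchport mode "
NATIVE_PREFIX = "switchport trunk native vlan "
ALLOWED_PREFIX = "switchport trunk allowed vlan "


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Group the sub-commands of each 'interface' stanza, in order of appearance."""
    interfaces: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or any other top-level line closes the stanza
    return interfaces


def expand_vlan_list(spec: str) -> Set[int]:
    """IOS VLAN list syntax: '10,20,30-32' -> {10, 20, 30, 31, 32}; 'none' -> empty set."""
    vids: Set[int] = set()
    if spec.strip() == "none":
        return vids
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            vids.update(range(int(lo), int(hi) + 1))
        else:
            vids.add(int(part))
    return vids


def audit_interface(lines: List[str]) -> List[str]:
    """Return the VLAN-hardening findings for one interface (empty list = clean)."""
    cmds = set(lines)
    if "shutdown" in cmds:
        return []  # administratively down: nothing can be negotiated on it
    mode: Optional[str] = None          # IOS default when absent: dynamic auto (DTP active)
    native = 1                          # IOS default native VLAN
    allowed: Optional[Set[int]] = None  # None = all VLANs (IOS default)
    for cmd in lines:
        if cmd.startswith(MODE_PREFIX):
            mode = cmd[len(MODE_PREFIX):]
        elif cmd.startswith(NATIVE_PREFIX):
            native = int(cmd[len(NATIVE_PREFIX):])
        elif cmd.startswith(ALLOWED_PREFIX):
            spec = cmd[len(ALLOWED_PREFIX):]
            allowed = None if spec == "all" else expand_vlan_list(spec)
    findings: List[str] = []
    if mode is None or mode.startswith("dynamic"):
        findings.append("DTP can negotiate a trunk: no explicit 'switchport mode access' or 'switchport mode trunk'")
    if "switchport nonegotiate" not in cmds:
        findings.append("DTP frames still sent: missing 'switchport nonegotiate'")
    if mode == "trunk":
        if native == 1:
            findings.append("native VLAN is 1: set 'switchport trunk native vlan' to a dedicated unused VLAN")
        if allowed is None:
            findings.append("all VLANs allowed: restrict with 'switchport trunk allowed vlan'")
        elif 1 in allowed:
            findings.append("VLAN 1 is carried on the trunk: remove it from the allowed list")
    return findings


def audit_config(config: str) -> Dict[str, List[str]]:
    """Map every interface that has findings to its list of findings."""
    report: Dict[str, List[str]] = {}
    for name, lines in parse_interfaces(config).items():
        findings = audit_interface(lines)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Feed it the output of `show running-config` saved to a file and it reports GigabitEthernet0/2 (default native VLAN, all VLANs allowed, DTP on) and FastEthernet0/2 (no explicit mode, DTP on) in the sample, while the hardened ports and the shut-down spare port come back clean.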

OPS·BRAIN v1.027 notes · Networklocal