{"id":1266,"date":"2019-12-23T15:46:08","date_gmt":"2019-12-23T14:46:08","guid":{"rendered":"http:\/\/blogperso.union31.fr\/?p=1266"},"modified":"2019-12-26T00:00:39","modified_gmt":"2019-12-25T23:00:39","slug":"packet-tracer-routage-inter-vlan-sur-un-switch","status":"publish","type":"post","link":"https:\/\/blogperso.union31.fr\/?p=1266","title":{"rendered":"Packet Tracer: inter-VLAN routing and VACLs on a switch"},"content":{"rendered":"\n<p>This article covers:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>inter-VLAN routing on a switch (Cisco 3560);<\/li><li>ACLs and their association with VLANs (VACL).<\/li><\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"I_Routage_inter-vlan_avec_un_switch\"><\/span>I Inter-VLAN routing with a switch<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"I1_Avant_de_commencer\"><\/span>I.1 Before starting<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Below is the lab topology:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"512\" src=\"http:\/\/blogperso.union31.fr\/wp-content\/uploads\/2019\/12\/Routage-inter-vlan1-1024x512.png\" alt=\"Lab topology: two switches linked by an aggregated trunk, with PCs in the RH, LOG and FIN VLANs, a server and an admin station\" class=\"wp-image-1282\" srcset=\"https:\/\/blogperso.union31.fr\/wp-content\/uploads\/2019\/12\/Routage-inter-vlan1-1024x512.png 1024w, https:\/\/blogperso.union31.fr\/wp-content\/uploads\/2019\/12\/Routage-inter-vlan1-300x150.png 300w, https:\/\/blogperso.union31.fr\/wp-content\/uploads\/2019\/12\/Routage-inter-vlan1-768x384.png 768w, https:\/\/blogperso.union31.fr\/wp-content\/uploads\/2019\/12\/Routage-inter-vlan1.png 1280w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Each switch has the following VLANs:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Switch1#show vlan brief\n\nVLAN Name                             Status    Ports\n---- -------------------------------- --------- -------------------------------\n1    default                          active    \n2    RH                               active    Fa0\/2\n3    LOG                              active    Fa0\/3\n4    FIN                              active    Fa0\/4\n20   inactif                          active    Fa0\/1, Fa0\/5, Fa0\/6, Fa0\/7\n                                                Fa0\/8, Fa0\/9, Fa0\/10, Fa0\/11\n                                                Fa0\/12, Fa0\/13, Fa0\/14, Fa0\/15\n                                                Fa0\/16, Fa0\/17, Fa0\/18, Fa0\/19\n                                                Fa0\/21, Fa0\/22, Fa0\/23\n80   serveur                          active    Fa0\/20\n99   Admin                            active    Fa0\/24\n1002 fddi-default                     active    \n1003 token-ring-default               active    \n1004 fddinet-default                  active    \n1005 trnet-default                    active    <\/code><\/pre>\n\n\n\n<p>The two Gigabit ports are in trunk mode and aggregated as follows:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Switch1#show etherchannel port-channel \n                Channel-group listing:\n                ----------------------\n\nGroup: 1\n----------\n                Port-channels in the group:\n                ---------------------------\n\nPort-channel: Po1    (Primary Aggregator)\n------------\n\nAge of the Port-channel   = 00d:00h:03m:24s\nLogical slot\/port   = 2\/1       Number of ports = 2\nGC                  = 0x00000000      HotStandBy port = null\nPort state          = Port-channel \nProtocol            =   LACP\nPort Security       = Disabled\n\nPorts in the Port-channel:\n\nIndex   Load   Port     EC state        No of bits\n------+------+------+------------------+-----------\n  0     00     Gig0\/2   Active             0\n  0     00     Gig0\/1   Active             0\nTime since last port bundled:    00d:00h:03m:11s    Gig0\/1<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"II2_Interface_virtuelle_de_Vlan\"><\/span>I.2 VLAN virtual interfaces<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>First, create the VLAN interfaces (SVIs) on one of the two switches (not both).<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Switch1#conf t\nSwitch1(config)#interface vlan 2\nSwitch1(config-if)#ip address 192.168.2.100 255.255.255.0\nSwitch1(config-if)#exit\nSwitch1(config)#interface vlan 3\nSwitch1(config-if)#ip address 192.168.3.100 255.255.255.0\nSwitch1(config-if)#exit\nSwitch1(config)#interface vlan 4\nSwitch1(config-if)#ip address 192.168.4.100 255.255.255.0\nSwitch1(config-if)#exit<\/code><\/pre>\n\n\n\n<p>Then enable IP routing:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Switch(config)#ip routing <\/code><\/pre>\n\n\n\n<p>The result can be checked on the switch:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Switch1#show ip interface brief | begin Vlan\nVlan1                  unassigned        YES NVRAM  administratively down down \nVlan2                  192.168.2.100     YES manual up                    up \nVlan3                  192.168.3.100     YES manual up                    up \nVlan4                  192.168.4.100     YES manual up                    up<\/code><\/pre>\n\n\n\n<p>Now every PC can communicate with the others, using the SVI of its VLAN as default gateway:<\/p>\n\n\n\n<table class=\"wp-block-table\"><tbody><tr><td>PC IP address<\/td><td>Gateway IP address<\/td><\/tr><tr><td>192.168.1.1<\/td><td>192.168.1.100 (gateway address of VLAN 2)<\/td><\/tr><tr><td>192.168.1.2<\/td><td>192.168.1.100 (gateway address of VLAN 2)<\/td><\/tr><tr><td>192.168.2.1<\/td><td>192.168.2.100 (gateway address of VLAN 3)<\/td><\/tr><tr><td>etc.<\/td><td><\/td><\/tr><\/tbody><\/table>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"II_Implementer_des_regles_de_communication_au_milieu_de_ces_VLAN\"><\/span>II Implementing communication rules between these VLANs<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"II2_Avant_de_commencer\"><\/span>II.1 Before starting<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Now that inter-VLAN routing is in place, all the PCs in all VLANs can talk to each other.<\/p>\n\n\n\n<p>We will now see how to refine this so that:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>some VLANs cannot communicate with each other;<\/li><li>some VLANs can reach the server;<\/li><li>the admin VLAN can reach every VLAN.<\/li><\/ul>\n\n\n\n<p>We will add VLAN 80 (server) and VLAN 99 (admin). Each of these VLANs gets a virtual interface address as follows:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Switch1#show ip interface brief\nInterface              IP-Address      OK? Method Status                Protocol \nPort-channel1          unassigned      YES unset  up                    up \nFastEthernet0\/1        unassigned      YES NVRAM  down                  down \n...\nVlan1                  unassigned      YES NVRAM  administratively down down \nVlan2                  192.168.2.100   YES NVRAM  up                    up \nVlan3                  192.168.3.100   YES NVRAM  up                    up \nVlan4                  192.168.4.100   YES NVRAM  up                    up \nVlan80                 192.168.80.100  YES manual up                    up \nVlan99                 192.168.99.100  YES manual up                    up<\/code><\/pre>\n\n\n\n<p>The VLAN-to-port assignments are the ones shown in the show vlan brief output of section I.1 (VLAN 80 on Fa0\/20, VLAN 99 on Fa0\/24).<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"II2_Regles_a_implementer\"><\/span>II.2 Rules to implement<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>As a table (X = communication allowed between the two VLANs):<\/p>\n\n\n\n<table class=\"wp-block-table aligncenter is-style-regular\"><tbody><tr><td>VLAN<\/td><td>RH<\/td><td>LOG<\/td><td>FIN<\/td><td>Server<\/td><td>admin<\/td><\/tr><tr><td>RH<\/td><td>n\/a<\/td><td><\/td><td>X<\/td><td>X<\/td><td>X<\/td><\/tr><tr><td>LOG<\/td><td><\/td><td>n\/a<\/td><td><\/td><td><\/td><td>X<\/td><\/tr><tr><td>FIN<\/td><td>X<\/td><td><\/td><td>n\/a<\/td><td>X<\/td><td>X<\/td><\/tr><tr><td>Server<\/td><td>X<\/td><td><\/td><td>X<\/td><td>n\/a<\/td><td>X<\/td><\/tr><tr><td>admin<\/td><td>X<\/td><td>X<\/td><td>X<\/td><td>X<\/td><td>n\/a<\/td><\/tr><\/tbody><\/table>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"II3_Implementation\"><\/span>II.3 Implementation<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<h4 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"II31_Les_ACL_explications_initiales\"><\/span>II.3.1 ACLs: initial explanation<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p>On Cisco there are two types of ACL:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>standard ACLs, which are applied as close as possible to the destination:<ul><li>carry a number from 1 to 99, or a name;<\/li><li>match on the source address only.<\/li><\/ul><\/li><li>extended ACLs, which are applied as close as possible to the source:<ul><li>carry a number from 100 to 199, or a name;<\/li><li>match on any of:<ul><li>a source address;<\/li><li>a destination address;<\/li><li>a port;<\/li><li>a service.<\/li><\/ul><\/li><\/ul><\/li><\/ul>\n\n\n\n<p><span style=\"text-decoration: underline;\">Step 1: creating an ACL<\/span><\/p>\n\n\n\n<p>Create a standard ACL that denies VLAN 3 (LOG). This ACL will later be applied to the VLAN 80 interface:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>create a named ACL: vlan80<\/li><li>deny VLAN 3, i.e. 192.168.3.0 0.0.0.255 (wildcard mask)<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>Switch1#conf t\nSwitch1(config)#ip access-list standard vlan80\nSwitch1(config-std-nacl)#?\n  &lt;1-2147483647>  Sequence Number\n  default         Set a command to its defaults\n  deny            Specify packets to reject\n  exit            Exit from access-list configuration mode\n  no              Negate a command or set its defaults\n  permit          Specify packets to forward\n  remark          Access list entry comment\nSwitch1(config-std-nacl)#deny 192.168.3.0 0.0.0.255 <\/code><\/pre>\n\n\n\n<p>To check that the ACL was created:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Switch1#show access-lists \nStandard IP access list vlan80\n    10 deny 192.168.3.0 0.0.0.255<\/code><\/pre>\n\n\n\n<p><span style=\"text-decoration: underline;\">Step 2: applying the ACL to a VLAN interface<\/span><\/p>\n\n\n\n<p>Now that the ACL is defined, apply it to the VLAN interface.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Switch1#conf t\nSwitch1(config)#interface vlan 80\nSwitch1(config-if)#ip access-group vlan80 in \nSwitch1(config-if)#ip access-group vlan80 out<\/code><\/pre>\n\n\n\n<p>To view it:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Switch1#show running-config \nBuilding configuration...\n...\ninterface Vlan80\n mac-address 0001.6388.7504\n ip address 192.168.80.100 255.255.255.0\n ip access-group vlan80 in\nip access-group vlan80 out\n...\nip access-list standard vlan80\n deny 192.168.3.0 0.0.0.255\n...\nend\n<\/code><\/pre>\n\n\n\n<p>At this point no PC can reach the server any more. This is because every ACL ends with an implicit \"<strong>deny any<\/strong>\" rule. The extra rule \"<strong>permit any<\/strong>\" therefore has to be added to the ACL.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Switch1#conf t\nSwitch1(config)#ip access-list standard vlan80\nSwitch1(config-std-nacl)#permit any <\/code><\/pre>\n\n\n\n<p>Which gives the following ACL:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Switch1#show access-lists \nStandard IP access list vlan80\n    10 deny 192.168.3.0 0.0.0.255\n    20 permit any<\/code><\/pre>\n\n\n\n<p>At this point no PC in VLAN 3 (LOG) can reach the server in VLAN 80, while the other VLANs can.<\/p>\n\n\n\n<p><span style=\"text-decoration: underline;\">Removing ACLs:<\/span><\/p>\n\n\n\n<p>To remove an ACL from a VLAN interface:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Switch1#conf t\nSwitch1(config)#interface vlan 80\nSwitch1(config-if)#no ip access-group vlan80 in\nSwitch1(config-if)#no ip access-group vlan80 out<\/code><\/pre>\n\n\n\n<p>To delete a (named) ACL:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Switch1#conf t\nSwitch1(config)#no ip access-list standard vlan80<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"II32_Creation_des_ACL_et_associations_sur_les_VLAN\"><\/span>II.3.2 Creating the ACLs and applying them to the VLANs<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p>In our case we work the other way round: everything is denied by default, except the VLANs we explicitly want.<\/p>\n\n\n\n<p><span style=\"text-decoration: underline;\">Step 1: create one ACL per VLAN:<\/span><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>VLAN 80 (server) must accept only the RH, FIN and admin VLANs:<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>Switch1#conf t\nSwitch1(config)#ip access-list standard vlan80_serveur \nSwitch1(config-std-nacl)#permit 192.168.99.0 0.0.0.255\nSwitch1(config-std-nacl)#permit 192.168.2.0 0.0.0.255\nSwitch1(config-std-nacl)#permit 192.168.4.0 0.0.0.255\nSwitch1(config-std-nacl)#permit 192.168.80.0 0.0.0.255<\/code><\/pre>\n\n\n\n<p>Note: there is no need to add deny any, it is implicit at the end of the list. VLAN 80's own subnet must also be permitted so that it can communicate with the outside: the ACL is applied inbound too, and a standard ACL only looks at the source address, so packets sent by the server itself (source 192.168.80.0\/24) would otherwise be dropped.<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>VLAN 99 (admin) must accept every VLAN:<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>Switch1#conf t\nSwitch1(config)#ip access-list standard vlan99_admin\nSwitch1(config-std-nacl)#permit 192.168.2.0 0.0.0.255\nSwitch1(config-std-nacl)#permit 192.168.3.0 0.0.0.255\nSwitch1(config-std-nacl)#permit 192.168.4.0 0.0.0.255\nSwitch1(config-std-nacl)#permit 192.168.80.0 0.0.0.255\nSwitch1(config-std-nacl)#permit 192.168.99.0 0.0.0.255<\/code><\/pre>\n\n\n\n<p>Note: \"permit any\" would have done as well.<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>VLAN 2 (RH) accepts the FIN, server and admin VLANs:<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>Switch1(config)#ip access-list standard valn2_rh\nSwitch1(config-std-nacl)#permit 192.168.2.0 0.0.0.255\nSwitch1(config-std-nacl)#permit 192.168.4.0 0.0.0.255\nSwitch1(config-std-nacl)#permit 192.168.80.0 0.0.0.255\nSwitch1(config-std-nacl)#permit 192.168.99.0 0.0.0.255<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>VLAN 3 (LOG) accepts the admin VLAN only:<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>Switch1#conf t\nSwitch1(config)#ip access-list standard vlan3_log\nSwitch1(config-std-nacl)#permit 192.168.3.0 0.0.0.255\nSwitch1(config-std-nacl)#permit 192.168.99.0 0.0.0.255<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>VLAN 4 (FIN) accepts the RH, server and admin VLANs:<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>Switch1#conf t\nSwitch1(config)#ip access-list standard vlan4_fin\nSwitch1(config-std-nacl)#permit 192.168.4.0 0.0.0.255\nSwitch1(config-std-nacl)#permit 192.168.2.0 0.0.0.255\nSwitch1(config-std-nacl)#permit 192.168.80.0 0.0.0.255\nSwitch1(config-std-nacl)#permit 192.168.99.0 0.0.0.255<\/code><\/pre>\n\n\n\n<p><span style=\"text-decoration: underline;\">Step 2: apply the ACLs to the VLAN interfaces<\/span><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Switch1(config)#interface vlan 99\nSwitch1(config-if)#ip access-group vlan99_admin in\nSwitch1(config-if)#ip access-group vlan99_admin out\nSwitch1(config-if)#exit\n\nSwitch1(config)#interface vlan 80\nSwitch1(config-if)#ip access-group vlan80_serveur in\nSwitch1(config-if)#ip access-group vlan80_serveur out\nSwitch1(config-if)#exit\n\nSwitch1(config)#interface vlan 2\nSwitch1(config-if)#ip access-group valn2_rh in\nSwitch1(config-if)#ip access-group valn2_rh out\nSwitch1(config-if)#exit\n\nSwitch1(config)#interface vlan 3\nSwitch1(config-if)#ip access-group vlan3_log in\nSwitch1(config-if)#ip access-group vlan3_log out\nSwitch1(config-if)#exit\n\nSwitch1(config)#interface vlan 4\nSwitch1(config-if)#ip access-group vlan4_fin in\nSwitch1(config-if)#ip access-group vlan4_fin out<\/code><\/pre>\n\n\n\n<p><span style=\"text-decoration: underline;\">Verification:<\/span><\/p>\n\n\n\n<p>List of ACLs (the match counters show which entries have already seen traffic):<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Switch1#show access-lists \nStandard IP access list vlan80_serveur\n    10 permit 192.168.99.0 0.0.0.255\n    20 permit 192.168.2.0 0.0.0.255 (351 match(es))\n    30 permit 192.168.4.0 0.0.0.255 (351 match(es))\n    40 permit 192.168.80.0 0.0.0.255 (646 match(es))\nStandard IP access list vlan99_admin\n    10 permit 192.168.2.0 0.0.0.255 (350 match(es))\n    20 permit 192.168.3.0 0.0.0.255 (344 match(es))\n    30 permit 192.168.4.0 0.0.0.255 (342 match(es))\n    40 permit 192.168.80.0 0.0.0.255\n    50 permit 192.168.99.0 0.0.0.255 (1043 match(es))\nStandard IP access list valn2_rh\n    10 permit 192.168.2.0 0.0.0.255 (95 match(es))\n    20 permit 192.168.4.0 0.0.0.255 (7 match(es))\n    30 permit 192.168.80.0 0.0.0.255 (2 match(es))\n    40 permit 192.168.99.0 0.0.0.255 (64 match(es))\nStandard IP access list vlan3_log\n    10 permit 192.168.3.0 0.0.0.255 (15 match(es))\n    20 permit 192.168.99.0 0.0.0.255 (2 match(es))\nStandard IP access list vlan4_fin\n    10 permit 192.168.4.0 0.0.0.255\n    20 permit 192.168.2.0 0.0.0.255\n    30 permit 192.168.80.0 0.0.0.255\n    40 permit 192.168.99.0 0.0.0.255<\/code><\/pre>\n\n\n\n<p>ACL bindings on the VLAN interfaces, from the running configuration:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>interface Vlan1\n no ip address\n shutdown\n!\ninterface Vlan2\n mac-address 0001.6388.7501\n ip address 192.168.2.100 255.255.255.0\n ip access-group valn2_rh in\n ip access-group valn2_rh out\n!\ninterface Vlan3\n mac-address 0001.6388.7502\n ip address 192.168.3.100 255.255.255.0\n ip access-group vlan3_log in\n ip access-group vlan3_log out\n!\ninterface Vlan4\n mac-address 0001.6388.7503\n ip address 192.168.4.100 255.255.255.0\n ip access-group vlan4_fin in\n ip access-group vlan4_fin out\n!\ninterface Vlan80\n mac-address 0001.6388.7504\n ip address 192.168.80.100 255.255.255.0\n ip access-group vlan80_serveur in\n ip access-group vlan80_serveur out\n!\ninterface Vlan99\n mac-address 0001.6388.7505\n ip address 192.168.99.100 255.255.255.0\n ip access-group vlan99_admin in\n ip access-group vlan99_admin out\n!<\/code><\/pre>\n\n\n\n<p>At this point all the rules are in place.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This article covers: inter-VLAN routing on a switch (Cisco 3560); ACLs and their association with VLANs (VACL). I Inter-VLAN routing with a switch I.1 Before starting Below is the lab topology:<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-1266","post","type-post","status-publish","format-standard","hentry","category-_systeme"],"_links":{"self":[{"href":"https:\/\/blogperso.union31.fr\/index.php?rest_route=\/wp\/v2\/posts\/1266","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blogperso.union31.fr\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogperso.union31.fr\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogperso.union31.fr\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blogperso.union31.fr\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1266"}],"version-history":[{"count":77,"href":"https:\/\/blogperso.union31.fr\/index.php?rest_route=\/wp\/v2\/posts\/1266\/revisions"}],"predecessor-version":[{"id":1357,"href":"https:\/\/blogperso.union31.fr\/index.php?rest_route=\/wp\/v2\/posts\/1266\/revisions\/1357"}],"wp:attachment":[{"href":"https:\/\/blogperso.union31.fr\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1266"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogperso.union31.fr\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1266"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogperso.union31.fr\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1266"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}