Understanding VTP pruning

Oct 30th, 2008

I am in the process of setting up a trunk port for a client. I want to allow only 4 production VLANs to traverse the trunk. The rest of the VLANs I want to prune off.

I am shipping this trunk port to an IPS unit to inspect the traffic for malicious content. The IPS interface is supposed to act as a trunk port as well and then ship traffic from one VLAN pair back to another VLAN pair. I am configuring two VLAN pairs on the interface of the IPS unit.

Yesterday I used the command "swi trunk pruning vlan 4,6,7,8,10,14,15,20".

Should this command keep these VLANs from propagating down the trunk link?

Thank You

Overall Rating: 3.6 (5 ratings)
mbroberson1 Thu, 10/30/2008 - 11:31

I would suggest under VTP configuration that you enable "vtp pruning". The default is off. You can then manually disallow the VLANs on various trunk links for added security and propagation.


HTH,

Brandon

Edison Ortiz Sat, 11/01/2008 - 12:41

Kevin,

As Brandon indicated, the switchport trunk pruning vlan command works in conjunction with having VTP Pruning enabled in the VTP domain. VTP Pruning must be enabled on the VTP server and this change will be propagated throughout all switches in the same domain.

If you want to go with manual pruning on an inter-switch link, then I recommend using the command switchport trunk allowed vlan instead.

HTH,

Edison.

Please rate helpful posts


tcordier Sun, 11/02/2008 - 02:21

I may misunderstand your question here, but if you want to allow only traffic from certain VLANs to pass over a trunk you should use


switchport trunk allowed vlan 4,6,7 etc


(you can also define all VLANs except 4,6,7. Check the possible syntax options with the ?)


VTP pruning is meant to prohibit propagation of multicast, broadcast, and unknown unicast traffic over trunks to switches which may discard the traffic (see e.g. http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_46_se/configuration/guide/swvtp.html#wp1035139). VTP pruning is not the feature you need to configure which VLAN's traffic is allowed to pass over a trunk. The command you mention will not deny traffic for e.g. VLAN 6 to traverse the trunk if VLAN 6 is defined on both switches at each end of the trunk.


HTH, Thomas
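As an added example (not part of any post in this thread), the two approaches discussed by Edison and Thomas are shown side by side in Cisco IOS syntax. The interface name (GigabitEthernet0/1), the VTP domain name and the choice of 4, 6, 7 and 8 as the four production VLANs are assumptions for illustration only.

```cisco
! Added example, not from the original thread. Interface name, VTP domain
! name and the production VLAN IDs are assumed for illustration.
!
! --- Part 1: what the question's command actually does ---
! With VTP pruning enabled on the VTP server, "switchport trunk pruning vlan"
! only marks the listed VLANs as pruning-eligible: flooded traffic (broadcast,
! multicast, unknown unicast) for those VLANs is withheld from this trunk when
! the neighbour has no active ports in the VLAN. It is not an access control.
! If the neighbour does have VLAN 6 active, VLAN 6 still crosses the trunk.
vtp domain EXAMPLE-DOMAIN
vtp mode server
vtp pruning
!
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk pruning vlan 4,6,7,8,10,14,15,20
!
! --- Part 2: restricting the trunk to the four production VLANs ---
! This is the allow-list the question is asking for. Apply this instead of the
! pruning line above; frames tagged with any other VLAN are dropped on this
! trunk regardless of VTP pruning state.
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 4,6,7,8
!
! Exclusion form mentioned by Thomas (everything except the listed VLANs):
!  switchport trunk allowed vlan except 4,6,7,8
!
! --- Verification ---
! show interfaces trunk
!   -> "Vlans allowed on trunk" should list only 4,6-8
! show interfaces GigabitEthernet0/1 pruning
!   -> shows which VLANs are pruning-eligible (Part 1 only)
! show vtp status
!   -> "VTP Pruning Mode" confirms whether pruning is enabled in the domain
```

The "switchport trunk encapsulation dot1q" line is only required on platforms that also support ISL; on switches that speak 802.1Q only it is implicit. For the IPS inline VLAN-pair setup in the question, the allowed list in Part 2 is the setting that determines which VLANs the IPS ever sees, so it is also the one to audit when verifying that non-production VLANs are not reaching the sensor.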
