Not pruning vlans from trunks

Feb 3rd, 2010

Suppose you have two switches (switch a and b) and one router performing the routing.  Each of the two switches hosts a single unique vlan.  What is the best practice with regard to pruning the vlans from the trunks?  Should you leave the default as is or prune?  Obviously in a large environment, pruning select vlans could become a management nightmare.  Is it a bad idea to leave the default (allow all vlans on the trunk)?

Collin Clark Wed, 02/03/2010 - 11:34

The trunks between the switches should only have the VLANs that are necessary. Yes it can be an admin nightmare, but if you start like that, it's not that bad. A couple of years ago we removed VTP and cleaned all the trunks. It took a weekend of work. It's also best security practice to remove any unnecessary VLANs from trunks. You should also add a native VLAN to the trunk and remove VLAN (and add your management vlan).

Hope that helps.

Jon Marshall Wed, 02/03/2010 - 11:54

jason.fraioli wrote:

Suppose you have two switches (switch a and b) and one router performing the routing.  Each of the two switches hosts a single unique vlan.  What is the best practice with regard to pruning the vlans from the trunks?  Should you leave the default as is or prune?  Obviously in a large environment, pruning select vlans could become a management nightmare.  Is it a bad idea to leave the default (allow all vlans on the trunk)?

Jason

VTP pruning is automatic, i.e. it does not require any configuration per trunk, you just enable VTP pruning globally on the VTP server.  And then only the vlans with ports in use at the other end of the trunk will be sent down the trunk.

However I suspect you are referring to using "switchport trunk vlan allowed ..." where you manually specify the vlans allowed on the trunk. The advantage of doing this is that unlike pruning if you do not allow a vlan on the trunk link then STP does not extend for that vlan across the trunk link.

At the very least you should probably enable VTP pruning but manually specifying which vlans are allowed is more efficient, you just have to weigh it up against the admin overhead involved.

Jon

Jason Fraioli Wed, 02/03/2010 - 12:20

This is the case if you are operating in VTP client/server mode, but what about transparent mode?

Correct Answer
Jon Marshall Wed, 02/03/2010 - 12:26

jason.fraioli wrote:

This is the case if you are operating in VTP client/server mode, but what about transparent mode?

VTP transparent requires that you manually configure the vlans on each switch and the VTP updates may be passed onwards by a VTP transparent switch (v2) but they won't be used by the VTP switch.

VTP pruning is not applicable to VTP transparent switches, i.e. it only works in a VTP server/client environment. So if you want to restrict vlans on trunks on VTP transparent switches you would need to use the "switchport trunk vlan allowed ..." command.

Jon

Jason Fraioli Wed, 02/03/2010 - 12:41

So if you want to restrict vlans on trunks on VTP transparent switches you would need to use the "switchport trunk vlan allowed ..." command.


From a best practice standpoint, is that advised?

Correct Answer
Jon Marshall Wed, 02/03/2010 - 12:47

jason.fraioli wrote:

So if you want to restrict vlans on trunks on VTP transparent switches you would need to use the "switchport trunk vlan allowed ..." command.


From a best practice standpoint, is that advised?

Yes it is. It limits STP for example which is always a good thing. So if you have a vlan that is not needed on a switch why run an STP instance for that vlan on the switch.

It is also good practice from the point of security. Again why have a vlan on a switch when it is not needed there.

And it also limits traffic across the trunks that is not needed.

The only problem with both VTP transparent and "switchport trunk vlan allowed ..." is they do require a lot of manual administration. If you have the time and staff it is recommended but if you don't have either or both then VTP server/client with VTP pruning is acceptable.

Jon
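
As an added example (not from this thread, and not Cisco's code), the following Python script audits an IOS-style running-config for the points Jon and Collin raise above: trunks left at the IOS default of carrying every VLAN, trunks whose native VLAN is still VLAN 1, and a VTP server/client domain that has not enabled `vtp pruning` (in transparent mode pruning does not apply, so the allowed-VLAN list is the only control and no pruning finding is raised). The sample config is constructed. The commands are written in the IOS order `switchport trunk allowed vlan ...` / `switchport trunk native vlan ...`; the parser handles the `add`, `remove`, `except`, `all` and `none` keywords of the allowed-VLAN command, and as a simplification it only counts ports with an explicit `switchport mode trunk`, not DTP-negotiated trunks.

```python
"""Trunk-hygiene audit for an IOS-style switch configuration (constructed example)."""
from dataclasses import dataclass

# IOS carries VLANs 1-4094 on a trunk unless an allowed list is configured.
ALL_VLANS = frozenset(range(1, 4095))

# Constructed sample config: one trunk left at defaults, one hardened, one access port.
SAMPLE_CONFIG = """\
hostname switch-a
vtp mode transparent
!
interface GigabitEthernet1/0/1
 description uplink to switch-b (left at defaults)
 switchport mode trunk
!
interface GigabitEthernet1/0/2
 description uplink to router (hardened)
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,100
 switchport mode trunk
!
interface GigabitEthernet1/0/3
 switchport mode access
 switchport access vlan 10
!
"""


@dataclass
class Trunk:
    name: str
    allowed: set  # VLAN ids carried on the trunk; equals ALL_VLANS when left at default
    native: int   # native (untagged) VLAN; IOS default is 1


def expand_vlan_list(spec: str) -> set:
    """Expand an IOS VLAN list such as '10,20,100-102' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-"))
            vlans.update(range(lo, hi + 1))
        else:
            vlans.add(int(part))
    return vlans


def _apply_allowed(current: set, args: list) -> set:
    """Apply one 'switchport trunk allowed vlan ...' command to the current set."""
    keyword = args[0]
    if keyword == "all":
        return set(ALL_VLANS)
    if keyword == "none":
        return set()
    if keyword == "add":
        return current | expand_vlan_list(args[1])
    if keyword == "remove":
        return current - expand_vlan_list(args[1])
    if keyword == "except":
        return set(ALL_VLANS) - expand_vlan_list(args[1])
    return expand_vlan_list(keyword)  # plain list replaces the previous one


def parse_config(text: str):
    """Return (trunks, vtp_mode, vtp_pruning) parsed from an IOS-style config."""
    trunks, vtp_mode, vtp_pruning = [], "server", False  # IOS defaults
    stanza = None
    for line in text.splitlines():
        if line.startswith("interface "):
            stanza = {"name": line.split(None, 1)[1], "trunk": False,
                      "allowed": set(ALL_VLANS), "native": 1}
            continue
        if line.startswith(" ") and stanza is not None:  # indented = inside the stanza
            cmd = line.strip()
            if cmd == "switchport mode trunk":
                stanza["trunk"] = True
            elif cmd.startswith("switchport trunk allowed vlan "):
                stanza["allowed"] = _apply_allowed(stanza["allowed"], cmd.split()[4:])
            elif cmd.startswith("switchport trunk native vlan "):
                stanza["native"] = int(cmd.split()[4])
            continue
        # Any non-indented line ('!' or the next global command) closes the stanza.
        if stanza is not None:
            if stanza["trunk"]:
                trunks.append(Trunk(stanza["name"], stanza["allowed"], stanza["native"]))
            stanza = None
        if line.startswith("vtp mode "):
            vtp_mode = line.split()[2]
        elif line.strip() == "vtp pruning":
            vtp_pruning = True
    if stanza is not None and stanza["trunk"]:  # config ended inside a stanza
        trunks.append(Trunk(stanza["name"], stanza["allowed"], stanza["native"]))
    return trunks, vtp_mode, vtp_pruning


def audit(text: str) -> list:
    """Return (scope, finding) pairs for trunks and VTP settings worth tightening."""
    trunks, vtp_mode, vtp_pruning = parse_config(text)
    findings = []
    for t in trunks:
        if t.allowed == ALL_VLANS:
            findings.append((t.name, "allow-all"))      # default: every VLAN and its STP instance
        if t.native == 1:
            findings.append((t.name, "native-vlan-1"))  # untagged frames land in VLAN 1
    # Pruning only exists in server/client mode; transparent switches rely on allowed lists.
    if vtp_mode in ("server", "client") and not vtp_pruning:
        findings.append(("vtp", "pruning-not-enabled"))
    return findings


if __name__ == "__main__":
    for scope, finding in audit(SAMPLE_CONFIG):
        print(f"{scope}: {finding}")
```

Run against the sample, the script reports only the first uplink (allow-all and native-vlan-1); the hardened uplink and the access port produce nothing, and because the switch is in transparent mode no pruning finding is raised. Feeding it a `show running-config` capture from a real switch is a quick way to find the trunks that were never tightened.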

Leo Laohoo Wed, 02/03/2010 - 13:07

If your network is just a handful of switches then setting VTP to Transparent is simpler.   Just make sure the VTP Domain and VTP password are all the same.
