3105 Views | 0 Helpful | 8 Replies

Not pruning vlans from trunks

Jason Fraioli (Level 3)

Suppose you have two switches (switch A and switch B) and one router performing the routing. Each of the two switches hosts a single unique VLAN. What is the best practice with regard to pruning the VLANs from the trunks? Should you leave the default as is or prune? Obviously in a large environment, pruning select VLANs could become a management nightmare. Is it a bad idea to leave the default (allow all VLANs on the trunk)?

2 Accepted Solutions

The two accepted solutions are Jon Marshall's replies below, on VTP transparent mode and on restricting trunk VLANs with "switchport trunk allowed vlan ...".

8 Replies

Collin Clark (VIP Alumni)

The trunks between the switches should only have the VLANs that are necessary. Yes, it can be an admin nightmare, but if you start like that, it's not that bad. A couple of years ago we removed VTP and cleaned all the trunks. It took a weekend of work. It's also best security practice to remove any unnecessary VLANs from trunks. You should also add a native VLAN to the trunk and remove VLAN (and add your management VLAN).

Hope that helps.

Jon Marshall (Hall of Fame)

jason.fraioli wrote:

Suppose you have two switches (switch A and switch B) and one router performing the routing. Each of the two switches hosts a single unique VLAN. What is the best practice with regard to pruning the VLANs from the trunks? Should you leave the default as is or prune? Obviously in a large environment, pruning select VLANs could become a management nightmare. Is it a bad idea to leave the default (allow all VLANs on the trunk)?

Jason

VTP pruning is automatic, i.e. it does not require any configuration per trunk; you just enable VTP pruning globally on the VTP server. And then only the VLANs with ports in use at the other end of the trunk will be sent down the trunk.

However, I suspect you are referring to using "switchport trunk allowed vlan ...", where you manually specify the VLANs allowed on the trunk. The advantage of doing this is that, unlike pruning, if you do not allow a VLAN on the trunk link then STP does not extend for that VLAN across the trunk link.

At the very least you should probably enable VTP pruning, but manually specifying which VLANs are allowed is the more efficient option; you just have to weigh it up against the admin overhead involved.

Jon
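An added example, not from the thread and not Cisco code, that turns Collin's and Jon's advice into a check. It parses constructed "show running-config" excerpts for two switches, works out which VLANs actually have to cross the trunk between them (a VLAN is needed across the trunk only when both sides have a port, an SVI or a further explicitly restricted trunk for it, which is the same rule VTP pruning applies per hop), and reports the VLANs each side carries for nothing, any that are missing, whether the trunk is still at the default of allowing everything, and whether the native VLAN is still 1. Switch names, interface names, VLAN numbers and the config text are invented.

```python
import re
ALL_VLANS = frozenset(range(1, 4095))  # what a trunk carries with no allowed-vlan line

def parse_vlan_list(spec):
    """Expand an IOS VLAN list such as '10,20,30-32' into a frozenset of ints."""
    ids = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return frozenset(ids)

def parse_config(name, text):
    """Model a switch from a 'show running-config' excerpt (stanzas end with '!'): vlans = VLAN
    database (VLAN 1 always exists), access/svi = VLANs with an access port/SVI, trunks = per intf."""
    sw = {"name": name, "vlans": {1}, "access": set(), "svi": set(), "trunks": {}}
    for stanza in filter(str.strip, text.split("\n!")):
        lines = [l.strip() for l in stanza.splitlines() if l.strip()]
        if (m := re.match(r"vlan ([\d,\-]+)$", lines[0])):
            sw["vlans"] |= parse_vlan_list(m.group(1))
        elif (m := re.match(r"interface Vlan(\d+)$", lines[0])):
            sw["svi"].add(int(m.group(1)))
        elif (m := re.match(r"interface (\S+)$", lines[0])):
            intf, mode, access_vlan, allowed, native = m.group(1), None, 1, ALL_VLANS, 1
            for line in lines[1:]:
                if (m := re.match(r"switchport mode (access|trunk)$", line)):
                    mode = m.group(1)
                elif (m := re.match(r"switchport access vlan (\d+)$", line)):
                    access_vlan = int(m.group(1))
                elif (m := re.match(r"switchport trunk native vlan (\d+)$", line)):
                    native = int(m.group(1))
                elif (m := re.match(r"switchport trunk allowed vlan ([\d,\-]+)$", line)):
                    allowed = parse_vlan_list(m.group(1))  # plain list form only
            if mode == "access":
                sw["access"].add(access_vlan)
            elif mode == "trunk":
                sw["trunks"][intf] = {"allowed": allowed, "native": native}
    return sw

def needed_vlans(sw, exclude_trunk):
    """VLANs a switch really uses, ignoring the trunk under audit. A trunk with an explicit
    allowed list (the router uplink here) states a need; a default allow-all trunk states nothing."""
    need = sw["access"] | sw["svi"]
    for intf, t in sw["trunks"].items():
        if intf != exclude_trunk and t["allowed"] != ALL_VLANS:
            need |= t["allowed"]
    return need

def audit_trunk(sw_a, intf_a, sw_b, intf_b):
    """Check one trunk from both ends against the VLANs that must cross it: a VLAN has to
    cross only when both sides have a use for it."""
    required = needed_vlans(sw_a, intf_a) & needed_vlans(sw_b, intf_b)
    report = {"required": sorted(required)}
    for sw, intf in ((sw_a, intf_a), (sw_b, intf_b)):
        t = sw["trunks"][intf]
        # "unneeded": VLANs that exist on this switch but are carried for nothing; each one
        # extends an STP instance and floods broadcasts across the trunk.
        report[sw["name"]] = {
            "interface": intf, "allows_all": t["allowed"] == ALL_VLANS,
            "unneeded": sorted((t["allowed"] - required) & sw["vlans"]),
            "missing": sorted(required - t["allowed"]), "native_is_vlan1": t["native"] == 1}
    report["allowed_lists_match"] = sw_a["trunks"][intf_a]["allowed"] == sw_b["trunks"][intf_b]["allowed"]
    return report

# Constructed config excerpts, not real devices. SW-A has the VLAN 10 users and the router uplink
# (Gi1/0/23, routing VLANs 10 and 20); SW-B has the VLAN 20 users; VLAN 99 is the management SVI
# on both; VLAN 30 exists on both (left over in VTP, say) but has no ports anywhere.
SW_A_CONFIG = """vlan 10,20,30,99
!
interface Vlan99
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet1/0/23
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
interface GigabitEthernet1/0/24
 switchport mode trunk
!"""
SW_B_CONFIG = """vlan 10,20,30,99
!
interface Vlan99
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 20
!
interface GigabitEthernet1/0/24
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30,99
!"""

def run_example():
    sw_a, sw_b = parse_config("SW-A", SW_A_CONFIG), parse_config("SW-B", SW_B_CONFIG)
    return audit_trunk(sw_a, "GigabitEthernet1/0/24", sw_b, "GigabitEthernet1/0/24")
```

Calling run_example() reports that only VLANs 20 and 99 need to cross (VLAN 10 lives only on SW-A, VLAN 20 reaches the router through SW-A), that SW-A's side still allows everything with native VLAN 1 and so carries VLANs 1, 10 and 30 for nothing, that SW-B's hand-written list is stale (10 and 30 are surplus), and that the two ends disagree. On real switches the same comparison comes from "show interfaces trunk" at both ends; the parser only understands the plain "switchport trunk allowed vlan <list>" form, not the add/remove/except variants.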

People still use VTP? 

This is the case if you are operating in VTP client/server mode, but what about transparent mode?

Jon Marshall (Hall of Fame), accepted solution

jason.fraioli wrote:

This is the case if you are operating in VTP client/server mode, but what about transparent mode?

VTP transparent requires that you manually configure the VLANs on each switch, and the VTP updates may be passed onwards by a VTP transparent switch (v2) but they won't be used by the VTP switch.

VTP pruning is not applicable to VTP transparent switches, i.e. it only works in a VTP server/client environment. So if you want to restrict VLANs on trunks on VTP transparent switches you would need to use the "switchport trunk allowed vlan ..." command.

Jon

So if you want to restrict VLANs on trunks on VTP transparent switches you would need to use the "switchport trunk allowed vlan ..." command.


From a best practice standpoint, is that advised?

Jon Marshall (Hall of Fame), accepted solution

jason.fraioli wrote:

So if you want to restrict VLANs on trunks on VTP transparent switches you would need to use the "switchport trunk allowed vlan ..." command.

From a best practice standpoint, is that advised?

Yes it is. It limits STP, for example, which is always a good thing. So if you have a VLAN that is not needed on a switch, why run an STP instance for that VLAN on the switch?

It is also good practice from the point of view of security. Again, why have a VLAN on a switch when it is not needed there?

And it also limits traffic across the trunks that is not needed.

The only problem with both VTP transparent and "switchport trunk allowed vlan ..." is that they do require a lot of manual administration. If you have the time and staff it is recommended, but if you don't have either or both then VTP server/client with VTP pruning is acceptable.

Jon
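The manual administration Jon refers to is mostly keeping the VLAN definitions and the per-trunk allowed lists consistent on every switch, including a switch that only carries a VLAN between two others. The added example below (my code, not from the thread and not Cisco's) generates that configuration from a short description of a loop-free topology and of which VLANs have ports on which switch: each VLAN is created only on the switches that have ports in it or sit on the path between two that do, it is allowed only on the trunks along that path, and every trunk gets an unused native VLAN. Switch and interface names, VLAN numbers, the native VLAN 999 and the three-switch chain are assumptions.

```python
from collections import defaultdict

NATIVE_VLAN = 999  # an otherwise unused VLAN for untagged trunk traffic (assumed value)

def compress(ids):
    """Render VLAN IDs in IOS list form: {10,20,30,31,32,99} -> '10,20,30-32,99'."""
    runs = []
    for v in sorted(ids):
        if runs and v == runs[-1][1] + 1:
            runs[-1][1] = v
        else:
            runs.append([v, v])
    return ",".join(str(a) if a == b else f"{a}-{b}" for a, b in runs)

def steiner_nodes(adj, members):
    """Switches on the smallest subtree of the loop-free topology that joins all `members`:
    peel off leaves that are not members until nothing more comes off. A switch that stays in
    the result without being a member is a pure transit switch for that VLAN."""
    alive = set(adj)
    peeled = True
    while peeled:
        peeled = False
        for n in list(alive):
            if n not in members and len(adj[n] & alive) <= 1:
                alive.discard(n)
                peeled = True
    return alive

def plan(links, hosted):
    """links: (switch, intf, switch, intf) per trunk; hosted: switch -> VLANs with a local port
    (access ports, the router uplink, the management SVI).
    Returns (switch -> VLANs to define, (switch, intf) -> VLANs to allow on that trunk)."""
    adj = defaultdict(set)
    for a, _, b, _ in links:
        adj[a].add(b)
        adj[b].add(a)
    for sw in hosted:
        adj.setdefault(sw, set())
    define, allow = defaultdict(set), defaultdict(set)
    for vlan in set().union(*hosted.values()):
        nodes = steiner_nodes(adj, {sw for sw, vs in hosted.items() if vlan in vs})
        for sw in nodes:
            define[sw].add(vlan)
        for a, ia, b, ib in links:
            if a in nodes and b in nodes:
                allow[(a, ia)].add(vlan)
                allow[(b, ib)].add(vlan)
    return dict(define), dict(allow)

def render(sw, links, define, allow):
    """Emit the VTP-transparent config for one switch; VLANs are created by hand because no
    VTP server will do it, and the native VLAN is created so it exists in the database."""
    out = [f"hostname {sw}", "!", "vtp mode transparent", "!",
           f"vlan {compress(define.get(sw, set()) | {NATIVE_VLAN})}", "!"]
    for a, ia, b, ib in links:
        if sw not in (a, b):
            continue
        intf, peer = (ia, b) if sw == a else (ib, a)
        out += [f"interface {intf}", f" description trunk to {peer}",
                " switchport mode trunk", " switchport nonegotiate",
                f" switchport trunk native vlan {NATIVE_VLAN}",
                f" switchport trunk allowed vlan {compress(allow.get((sw, intf), set()))}", "!"]
    return "\n".join(out)

# Constructed three-switch chain SW-A - SW-B - SW-C (assumed). SW-A has the VLAN 10 users and the
# router, which routes 10, 20 and 30; SW-B has VLAN 20; SW-C has VLANs 10 and 30; VLAN 99 is the
# management SVI everywhere. SW-B therefore transits 10 and 30 but its SW-C trunk never carries 20.
LINKS = [("SW-A", "GigabitEthernet1/0/24", "SW-B", "GigabitEthernet1/0/1"),
         ("SW-B", "GigabitEthernet1/0/2", "SW-C", "GigabitEthernet1/0/24")]
HOSTED = {"SW-A": {10, 20, 30, 99}, "SW-B": {20, 99}, "SW-C": {10, 30, 99}}

if __name__ == "__main__":
    define, allow = plan(LINKS, HOSTED)
    for sw in sorted(define):
        print(render(sw, LINKS, define, allow), end="\n\n")
```

The transit case is the one that bites in transparent mode: a VLAN that is allowed on a trunk but not defined on the switch in the middle is not active there, so SW-B gets "vlan" entries for VLANs 10 and 30 although it has no ports in them. Older platforms also want "switchport trunk encapsulation dot1q" before "switchport mode trunk"; the generator does not emit it.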

Leo Laohoo (Hall of Fame)

If your network is just a handful of switches then setting VTP to Transparent is simpler. Just make sure the VTP Domain and VTP password are all the same.
