Cisco Support Community
Community Member

understanding VTP pruning

I am in the process of setting up a trunk port for a client. I want to allow only 4 production VLANs to traverse the trunk. The rest of the VLANs I want to prune off.

I am shipping this trunk port to an IPS unit to inspect the traffic for malicious content. The IPS interface is supposed to act as a trunk port as well and then ship traffic from one VLAN pair back to another VLAN pair. I am configuring two VLAN pairs on the interface of the IPS unit.

Yesterday I used the command "swi trunk pruning vlan 4,6,7,8,10,14,15,20"

Should this command keep these VLANs from propagating down the trunk link?

Thank You

Community Member

Re: understanding VTP pruning

I would suggest under VTP configuration that you enable "vtp pruning". The default is off. You can then manually disallow the VLANs on various trunk links for added security and propagation.

Hall of Fame Super Bronze

Re: understanding VTP pruning

As Brandon indicated, the switchport trunk pruning vlan command works in conjunction with having VTP pruning enabled in the VTP domain. VTP pruning must be enabled on the VTP server, and this change will be propagated throughout all switches in the same domain.

If you want to go with manual pruning on an inter-switch link, then I recommend using the command switchport trunk allowed vlan instead.

Please rate helpful posts

Community Member

Re: understanding VTP pruning

I may misunderstand your question here, but if you want to allow only traffic from certain VLANs to pass over a trunk, you should use

switchport trunk allowed vlan 4,6,7 etc

(You can also define all VLANs except 4,6,7. Check the possible syntax options with the ?)

VTP pruning is meant to prohibit propagation of multicast, broadcast, and unknown unicast traffic over trunks to switches which may discard the traffic (see e.g. VTP pruning is not the feature you need to configure which VLAN's traffic is allowed to pass over a trunk. The command you mention will not deny traffic for e.g. VLAN 6 to traverse the trunk if VLAN 6 is defined on both switches at each end of the trunk.

HTH, Thomas
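To make the distinction drawn in the two answers above concrete, here is an added IOS configuration example (not posted by anyone in this thread, and not a Cisco reference configuration). The interface names, the VLAN IDs 4, 6, 7 and 8, and the VTP domain name are assumptions for illustration. The first interface does what the original poster actually wants: it restricts which VLANs are allowed to cross the trunk towards the IPS. The second interface shows the pruning-eligible list that `switchport trunk pruning vlan` sets, which only has an effect once `vtp pruning` is enabled on the VTP server and only limits flooded traffic (broadcast, multicast, unknown unicast) towards switches that have no ports in that VLAN; it does not block a VLAN that is active on both ends.

```cisco
! --- Assumed VTP settings (example only) ---
vtp domain EXAMPLE-DOMAIN
vtp mode server
! Enables VTP pruning domain-wide; it is off by default.
vtp pruning
!
! --- Trunk towards the IPS inspection interface (assumed name Gi0/1) ---
! Manual restriction: only VLANs 4, 6, 7 and 8 are carried on this trunk.
! Every other VLAN, including VLAN 1, is dropped at the trunk, regardless of VTP.
interface GigabitEthernet0/1
 description Trunk to IPS (assumed)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 4,6,7,8
 switchport nonegotiate
!
! Equivalent "everything except" form mentioned in the thread:
!  switchport trunk allowed vlan except 4,6,7,8
! would carry all VLANs but 4, 6, 7 and 8.
!
! --- Inter-switch trunk (assumed name Gi0/2) ---
! Pruning-eligible list: VLANs 2-1001 may be pruned when the neighbor has no
! ports in them. VLAN 1, 1002-1005 and extended-range VLANs are never pruned.
! This does NOT stop VLAN 6 traffic if VLAN 6 has active ports on both switches.
interface GigabitEthernet0/2
 description Trunk to downstream switch (assumed)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk pruning vlan 2-1001
!
! --- Verification ---
! show vtp status           -> "VTP Pruning Mode : Enabled"
! show interfaces trunk     -> "Vlans allowed on trunk" (allowed list) versus
!                              "Vlans in spanning tree forwarding state and not pruned"
```

When checking the IPS trunk, `show interfaces trunk` is the quicker test: the "Vlans allowed on trunk" column for Gi0/1 should list exactly 4,6,7,8. If the only change made was the pruning list, that column will still show all VLANs, which is the behaviour the original poster observed.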
