10-10-2016 12:59 AM - edited 03-08-2019 07:44 AM
Hi,
From what I am reading, pruning and manually removing VLANs from trunks essentially achieve similar goals. Is there a rule of thumb for this, e.g. if using VTP then go ahead with pruning? Are there other things to consider when deciding which to use, e.g. spanning tree issues?
10-10-2016 01:26 AM
Hi
Yes, they're basically the same thing; it's just that some engineers would rather have full control of what's in use on each trunk than leave it up to automatic pruning. But you should use one or the other: reduced STP instances, reduced flooding on uplinks and reduced broadcasts are all reasons to prune one way or the other.
Dynamic VTP obviously relieves the workload of the engineer automatically, but it requires you to have a server/client setup in operation, which for security reasons among others some don't want. Manual pruning allows you to do the same while being secure and having devices in transparent mode. We as a business do not allow server/client; it's just not allowed by security teams or by the business in general due to the issues it can lead to. If someone sticks in a switch with a higher revision number, it could wipe the network at layer 2 if not using VTP v3. This can't happen in manual mode with transparent, so people do just tend to avoid dynamic pruning. But in the end the choice is yours which way you go; you just have to be a bit more careful when using dynamic mode.
10-10-2016 01:31 AM
Thanks for the feedback Mark. I run VTP version 3 and, with hindsight, probably would have done the VLANs manually on each switch.
I think dynamic VTP pruning sounds best in my case. What are the risks when initially enabling VTP pruning? I did read that when using version 3, I need to enable it on all switches manually. I think with versions 1 and 2, it was only required on the server and then pushed out dynamically to the others.
10-10-2016 02:06 AM
Yes, all switches come as VTP server by default, so a server can push VTP info to a server without intervention/config once the switches are in the same VTP domain. But in reality, whether v2 or v3, you should still manually set it up correctly on each switch and not leave anything to chance; even on v2, switches should be set to client where they should be, even though they can push server to server.
V3 will protect you from the issues that make most organizations block VTP, so you should be good once it's set up correctly. I have not had problems with it before; it's a stable version.
VTP is interoperable between versions, so you should be able to move from 2 to 3 without much impact at all once they're all still in the same domain. I would still personally put in for a maintenance window, especially if you're going to turn on dynamic pruning, in case something goes wrong, as you're leaving it up to the device to decide what's allowed on your trunk based on rules such as the VLAN being in use on the device.
10-11-2016 01:24 AM
OK, so I got an outage window to do this last night. Looking at one of my switches, I see the following:
Does this output say "I am sending all VLAN information to my neighbour BUT requesting VLAN info for only 1,500,521,643,861"?
sh int trunk
Port Mode Encapsulation Status Native vlan
Po10 on 802.1q trunking 998
Port Vlans allowed on trunk
Po10 1-4094
Port Vlans allowed and active in management domain
Po10 1,15,70-71,500-503,519,521-523,530,532,640-641,643-645,647,771-772,780-781,860-861,970-971,998
Port Vlans in spanning tree forwarding state and not pruned
Po10 1,15,70-71,500-503,519,521-523,530,532,640-641,643-645,647,771-772,780-781,860-861,970-971,998
sh int po10 pruning
Port Vlans pruned for lack of request by neighbor
Po10 none
Port Vlan traffic requested of neighbor
Po10 1,500,521,643,861
10-11-2016 01:33 AM
Yes, it looks like it's allowing all VLANs out and not pruning, but only asking for those few VLANs inbound, so it should be pruning on the far end when you check that switch.
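For anyone wanting to check this across a fleet rather than reading the two show commands by eye, here is an added example (not from this thread or from Cisco) that parses "show interfaces trunk" and "show interfaces pruning" output and reports, per trunk, whether the allowed list is still the default 1-4094 (i.e. no manual pruning), which VLANs this switch requests from its neighbour, and which active VLANs the far end should therefore be pruning. The sample output is constructed to match the layout quoted above; the column layout assumed is the standard IOS one shown in the thread.

```python
import re

# Constructed sample output, modelled on the 'sh int trunk' output quoted in the
# thread (not captured from a live device).
SHOW_TRUNK = """\
Port        Mode             Encapsulation  Status        Native vlan
Po10        on               802.1q         trunking      998

Port        Vlans allowed on trunk
Po10        1-4094

Port        Vlans allowed and active in management domain
Po10        1,15,70-71,500-503,519,521-523,530,532,640-641,643-645,647,771-772,780-781,860-861,970-971,998

Port        Vlans in spanning tree forwarding state and not pruned
Po10        1,15,70-71,500-503,519,521-523,530,532,640-641,643-645,647,771-772,780-781,860-861,970-971,998
"""

# Constructed sample output, modelled on the 'sh int po10 pruning' output in the thread.
SHOW_PRUNING = """\
Port        Vlans pruned for lack of request by neighbor
Po10        none

Port        Vlan traffic requested of neighbor
Po10        1,500,521,643,861
"""

ALLOWED = "Vlans allowed on trunk"
ACTIVE = "Vlans allowed and active in management domain"
PRUNED = "Vlans pruned for lack of request by neighbor"
REQUESTED = "Vlan traffic requested of neighbor"
ALL_VLANS = set(range(1, 4095))


def expand_vlan_list(text):
    """Expand a Cisco VLAN list such as '1,15,70-71' into a set of ints ('none' -> empty set)."""
    text = text.strip().lower()
    if text in ("", "none"):
        return set()
    vlans = set()
    for part in text.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_sections(output):
    """Return {section heading: {port: vlan set}} for every 'Port  Vlan...' block.

    The Mode/Encapsulation/Status block of 'show interfaces trunk' carries no VLAN
    list, so it is skipped.
    """
    sections = {}
    current = None
    for line in output.splitlines():
        if not line.strip():
            current = None
            continue
        heading = re.match(r"Port\s+(.*)$", line)
        if heading:
            name = heading.group(1).strip()
            current = name if name.startswith("Vlan") else None
            if current:
                sections[current] = {}
            continue
        if current is None:
            continue
        parts = line.split(None, 1)
        port = parts[0]
        sections[current][port] = expand_vlan_list(parts[1] if len(parts) > 1 else "")
    return sections


def audit_trunks(trunk_output, pruning_output):
    """Per trunk port: is the allowed list still the default, what is requested
    inbound, what is pruned here, and what the far end should be pruning."""
    trunk = parse_sections(trunk_output)
    pruning = parse_sections(pruning_output)
    report = {}
    for port, allowed in trunk.get(ALLOWED, {}).items():
        active = trunk.get(ACTIVE, {}).get(port, set())
        requested = pruning.get(REQUESTED, {}).get(port, set())
        pruned_here = pruning.get(PRUNED, {}).get(port, set())
        report[port] = {
            "allowed_all": allowed == ALL_VLANS,          # no manual 'switchport trunk allowed vlan'
            "active": sorted(active),
            "requested": sorted(requested),               # VLANs this switch wants inbound
            "pruned_here": sorted(pruned_here),           # VLANs this switch withholds outbound
            "far_end_should_prune": sorted(active - requested),
        }
    return report


if __name__ == "__main__":
    for port, info in audit_trunks(SHOW_TRUNK, SHOW_PRUNING).items():
        flag = "default allowed list 1-4094" if info["allowed_all"] else "manually restricted"
        print(f"{port}: {flag}; requests {info['requested']}; "
              f"far end should prune {info['far_end_should_prune']}")
```

Run against the thread's own output this reports Po10 as still carrying the default 1-4094 allowed list with nothing pruned locally, requesting only 1, 500, 521, 643 and 861, and lists the remaining 24 active VLANs as the set the neighbour is expected to prune, which is the same conclusion the answer above draws by hand.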