vtp pruning vs swi trunk allowed vlan

gordfran03
Level 1

I'm planning to limit unneeded vlan traffic from the trunks that connect my switches. There seem to be two ways to approach this. One way is to use the "vtp pruning" command on the switch that acts as the vtp server for all the switches in my vtp domain. The other way is the more hands-on method of directly configuring each of the individual trunk links using the "switchport trunk allowed vlan" command. This method also seems to be the more widely accepted and preferred approach from the research I've done. Why is "vtp pruning" not as popular? It appears to accomplish the same thing, and without all the micro-management of individual trunk links.

If I decide to use the "switchport trunk allowed vlan" method, which I probably will, is it basically as simple as limiting the vlans that are permitted on the trunk to the same ones that appear on the switch? For example, I have a switch that has ports in vlans 1, 5, 10, and 20. By limiting the vlans on the trunk to these four I'm not necessarily preventing the PCs, printers and other devices that are in vlans 1, 5, 10, 20 on that switch from communicating with other devices on other switches, am I? Can a PC on the switch in vlan 5 still communicate with a server on another switch that's in vlan 200?

9 Replies

Edwin Summers
Level 3

None of the environments that I have worked in have used VTP, so we have always manually "pruned" VLANs by only allowing necessary VLANs on the trunks. As noted, you can use VTP for more automation. There are benefits and drawbacks to each. Just make sure to document the method you use in your environment.

Pruning VLANs on trunks (whether via VTP or manually) will not affect how the traffic is routed to other subnets/VLANs. As long as your devices can reach their router, the traffic will be routed normally.

Best of luck! -Ed

Joseph W. Doherty
Hall of Fame

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

No, you shouldn't cause an issue for reachability if you disallow on a trunk (downstream) unused VLANs. This assumes you don't accidentally block a utilized VLAN, though.

As to why "VTP pruning" isn't more popular, it seems that's from a basic distrust of automation (because it doesn't always work correctly) by many network engineers. VTP, itself, is often disabled too.

BTW, I recall there is some special consideration when using VTP pruning vs. manual pruning, but at the moment can't recall what it is.
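Joseph's caveat (don't accidentally block a utilized VLAN) is something you can check mechanically before pushing a "switchport trunk allowed vlan" list. The Python audit below is added here and is not code from any poster in the thread: it parses a constructed IOS-style running-config fragment, reports trunks that still carry every VLAN, and flags trunks whose allowed list omits a VLAN that has access ports on the same switch. It assumes the plain `switchport trunk allowed vlan <list>` form (no add/remove/except variants) and IOS's default access VLAN of 1.

```python
# Constructed IOS running-config fragment (sample data, not from the thread).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport access vlan 5
 switchport mode access
interface GigabitEthernet1/0/3
 switchport access vlan 20
 switchport mode access
interface GigabitEthernet1/0/22
 switchport mode trunk
 switchport trunk allowed vlan 1,5,10
interface GigabitEthernet1/0/23
 switchport mode trunk
interface GigabitEthernet1/0/24
 switchport mode trunk
 switchport trunk allowed vlan 1,5,10,20
"""

def parse_vlan_list(spec):
    """Expand an IOS VLAN list such as '1,5,10-12' into a set of VLAN ids."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_interfaces(config):
    """Collect mode, access VLAN and allowed list per interface (plain list form only)."""
    ifaces, cur = {}, None
    for line in config.splitlines():
        words = line.split()
        if line.startswith("interface "):
            cur = words[1]
            ifaces[cur] = {"mode": None, "access": 1, "allowed": None}  # IOS default access VLAN is 1
        elif cur and line.startswith(" switchport mode "):
            ifaces[cur]["mode"] = words[-1]
        elif cur and line.startswith(" switchport access vlan "):
            ifaces[cur]["access"] = int(words[-1])
        elif cur and line.startswith(" switchport trunk allowed vlan "):
            ifaces[cur]["allowed"] = parse_vlan_list(words[-1])
    return ifaces

def audit_trunks(config):
    """Per trunk: 'ok', unpruned (every VLAN carried), or the locally used VLANs it would cut off."""
    ifaces = parse_interfaces(config)
    local = {d["access"] for d in ifaces.values() if d["mode"] == "access"}
    report = {}
    for name, d in ifaces.items():
        if d["mode"] == "trunk" and d["allowed"] is None:
            report[name] = "unpruned: all VLANs 1-4094 allowed"
        elif d["mode"] == "trunk":
            missing = sorted(local - d["allowed"])
            report[name] = f"blocks locally used VLANs {missing}" if missing else "ok"
    return report
```

Run `audit_trunks(SAMPLE_CONFIG)` against your own `show running-config` output to see which trunks are unpruned and which allowed lists would strand an access port.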


Joseph,

I think the major difference is that manual pruning also reduces the STP-instances while VTP pruning does not.

Important when you have very many VLANs and 2k/3k platforms with a maximum of 128 STP instances or even less.

Best regards

Rolf

Why is "vtp pruning" not as popular?

I think most people who use VTP made some "special experiences" sometime.

Here's my story:

A year ago I had to change the VTP domain name in a LAN with >4,000 users.

"No problem" I thought - "I know VTP".

Unfortunately I forgot to disable pruning when I started to change the domain.

Do you know what pruning does when there's a mismatch in domain name or password?

It prunes every VLAN (except the non-pruning-eligible ones, which is VLAN 1 by default).

That was a "great day" ...

Best regards

Rolf

I don't think that is typical for VTP, Rolf; that goes for every technology, and that is why change management is such a powerful thing.

Manual pruning by means of "trunk allowed vlan" is something I come across a lot; it is not very scalable if you run a bigger Layer 2 network containing multiple devices.


=============================
Please remember to rate useful posts, by clicking on the stars below. 


I agree.

I didn't want to state for or against VTP and VTP pruning - it is widely used, which means it can't be that bad.

Actually we use VTP pruning too (by company policy); in the decision process there were many pros and cons but in the end the majority of our network admins wanted to use it.

But part of the original question was about the potential unpopularity of VTP pruning and I just wanted to give an example for that.

Manual pruning by means of "trunk allowed vlan" is something I come across a lot; it is not very scalable if you run a bigger Layer 2 network containing multiple devices.

I agree on that, too. But remember: VTP pruning and manual pruning are not the same thing in terms of STP instances.

Best regards

Rolf

As stated above, the reduction in STP instances offered by manually pruning the trunk links outweighs the hassle required to do so when compared to VTP pruning.

VTP Pruning limits the broadcast domain effectively and works as advertised in most cases. However, it is in your best interest (in most cases) to manually prune the trunks in an effort to configure with intent and to limit the number of STP instances on your network gear.

Thanks Rolf, you are correct and it needs pointing out.

=============================
Please remember to rate useful posts, by clicking on the stars below. 


I understand what you are asking and I'm not sure if you got the answer that you were looking for, so I will add my 2 cents and see if this helps any...

So obviously with both methods the goal is to filter unwanted VLAN traffic.

In the environment that I work in now we do not use VTP, so we manually prune VLANs and only allow wanted VLANs over trunk links.

So to answer your question. From what I have seen, if we are using VTP to prune VLANS we would be doing that simply for the ease of use.

To me it seems like manually pruning with the "allowed VLAN" command gives us more control but is more labor intensive. Both have their pros and cons... I hope this response was helpful.
