Manual VLAN pruning. What is VLAN pruning? VLAN pruning is the process of being picky about which VLANs are allowed over particular trunk links. For example, if you had (and you should have) a topology of switches segmented per department/VLAN, there would be switches with no ports configured in certain VLANs at all. To be clearer: if you had switches that you used to patch all your VoIP phones into, and every port on those switches was configured in the voice VLAN, why would we want traffic for the wireless VLAN or the server VLAN crossing that trunk link? It would be redundant, right? Every broadcast, multicast and unknown-unicast frame in those VLANs would still be flooded down the trunk, and a switch that has no business in those VLANs would still be able to see and inject tagged frames for them. That's where manual VLAN pruning comes in. (I have put manual in bold, as there is automatic VLAN pruning when using VTP, which we'll discuss in a later post.)
Another thing to consider: if you're utilising (as you should) a per-VLAN spanning tree protocol such as RPVST, then pruning a VLAN from a trunk link removes that link from that VLAN's spanning tree topology, because the switch no longer sends or accepts BPDUs for that VLAN instance on the port. If it was the only trunk on the switch carrying that VLAN, the switch drops out of that VLAN's spanning tree topology altogether. Just something to consider…
So how do we configure manual VLAN pruning? Pretty simple, just the one interface command required, switchport trunk allowed vlan (providing the port is already configured as a trunk). The command takes either a VLAN list on its own or one of several keywords: add, all, except, none, remove.
- add – this adds the VLANs you specify to the trunk's existing allowed list and never removes anything. Don't confuse it with the bare form of the command with no keyword (switchport trunk allowed vlan 10,20): that replaces the whole list with ONLY the VLANs you specify, so anything not named is PRUNED from the trunk link. Because a trunk defaults to all, an add on an untouched trunk changes nothing; the bare form on the same trunk prunes everything but what you listed.
- all – the default option when the trunk is configured. all existing VLANs will be “allowed” across the dot1q trunk.
- except – this option allows every VLAN "except" the specific VLANs you name. It always builds the list from the full 1-4094 range, whatever the trunk was set to before (including none), so you just specify which VLANs you DON'T want to go across the trunk and the command allows every VLAN except those.
- none – will remove ALL VLANs from the trunk link.
- remove – pretty self explanatory, will remove the VLANs you specify.
It's worth noting that ranges of VLANs can be done at once with a hyphen (eg: switchport trunk allowed vlan remove 10-20), and multiple VLANs can be removed with a comma (eg: switchport trunk allowed vlan remove 10,20,30). Let's take a look at this in practice with the below topology:
So here we have a not very good network design, but it's just for the purpose of demonstration. Currently, the links between switch 1 and 2, and 1 and 3, are configured as dot1q trunks. In their default configuration, all VLANs are allowed across. The ports the PCs are patched into are configured as access ports in VLAN 10. All PCs have been configured with static IPs as shown, can ping each other, but have no default gateway configured (as there is no L3 configured in this topology). Let's see what happens if I remove VLAN 10 from the dot1q trunk link between switch 1 and switch 2. Firstly, let's check we can ping between PC1 and PC2:
Ok, so we've got connectivity. Let's now remove VLAN 10 from the dot1q trunk and see whether we can still ping across:
Voila. Trunk PRUNED. It's worth noting that this only needed to be done at one end of the trunk for it to be effective: the pruned end drops VLAN 10 frames in both directions, so it doesn't matter that the far end still lists VLAN 10 as allowed. I would however always do this at each end of the trunk for completion. The allowed list is local to the port it was configured on, so until you prune the far end as well, that switch will keep showing VLAN 10 as allowed (and forwarding in its VLAN 10 spanning tree) on a link that can't carry it. So we've just shown how only certain VLANs can be configured over a dot1q trunk, but what command can we use to find this information out?
show interfaces trunk will show you everything you need and more. We can see here that SW1 on Gi0/1 is allowing all VLANs apart from the VLAN we removed (VLAN 10), so its allowed list reads 1-9,11-4094, whereas the other trunk link on Gi0/0 is still allowing all VLANs, 1-4094. The command lists every trunk configured on the switch with its port, mode, encapsulation, status and native VLAN, followed by three lists per trunk: the VLANs allowed on the trunk (what we just configured), the VLANs allowed and active in the management domain (those of the allowed VLANs that actually exist in the VLAN database), and the VLANs in spanning tree forwarding state and not pruned. The first list tells you what the port is configured to carry; the last tells you what it is actually forwarding right now.
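To make the difference between the keywords above concrete (in particular add versus the bare form, and except after none), here is a small model of how switchport trunk allowed vlan edits a trunk's allowed list and how the result is printed as ranges. This is an added example written for this post, not Cisco code or output; the Trunk class, the demo() scenario and the command strings are assumptions built for the demo, while the keyword semantics and the range format (1-9,11-4094) follow IOS's documented behaviour.

```python
from __future__ import annotations

# Added example for this post, not Cisco code: a model of how the IOS
# interface command "switchport trunk allowed vlan ..." edits a trunk port's
# allowed-VLAN list, plus the range compaction "show interfaces trunk" prints.
# Trunk, demo() and the command strings are assumptions built for the demo.

VLAN_MIN, VLAN_MAX = 1, 4094
ALL_VLANS = frozenset(range(VLAN_MIN, VLAN_MAX + 1))


def parse_vlan_list(spec: str) -> set[int]:
    """Expand an IOS VLAN list such as '10-20,30' into a set of VLAN IDs."""
    vlans: set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        lo, _, hi = part.partition("-")
        low, high = int(lo), int(hi or lo)
        if not (VLAN_MIN <= low <= high <= VLAN_MAX):
            raise ValueError(f"bad VLAN range: {part!r}")
        vlans.update(range(low, high + 1))
    return vlans


def format_vlan_list(vlans: set[int]) -> str:
    """Compact a VLAN set the way 'show interfaces trunk' prints it."""
    if not vlans:
        return "none"
    ids = sorted(vlans)
    runs: list[str] = []
    start = prev = ids[0]
    for v in ids[1:]:
        if v == prev + 1:
            prev = v
        else:
            runs.append(str(start) if start == prev else f"{start}-{prev}")
            start = prev = v
    runs.append(str(start) if start == prev else f"{start}-{prev}")
    return ",".join(runs)


class Trunk:
    """One dot1q trunk port. A fresh trunk allows all VLANs, as on IOS."""

    def __init__(self) -> None:
        self.allowed: set[int] = set(ALL_VLANS)

    def configure(self, line: str) -> set[int]:
        """Apply one config line and return the resulting allowed set."""
        tokens = line.split()
        if tokens[:2] == ["no", "switchport"]:
            # 'no switchport trunk allowed vlan' restores the default (all)
            self.allowed = set(ALL_VLANS)
            return self.allowed
        if tokens[:4] != ["switchport", "trunk", "allowed", "vlan"] or len(tokens) < 5:
            raise ValueError(f"not an allowed-vlan command: {line!r}")
        keyword, rest = tokens[4], ",".join(tokens[5:])
        if keyword == "all":
            self.allowed = set(ALL_VLANS)
        elif keyword == "none":
            self.allowed = set()
        elif keyword == "except":
            # built from the full range regardless of the previous list
            self.allowed = set(ALL_VLANS) - parse_vlan_list(rest)
        elif keyword == "add":
            self.allowed |= parse_vlan_list(rest)        # never prunes
        elif keyword == "remove":
            self.allowed -= parse_vlan_list(rest)
        else:
            # bare form: the list given REPLACES the current one
            self.allowed = parse_vlan_list(",".join(tokens[4:]))
        return self.allowed

    def show(self) -> str:
        """The 'Vlans allowed on trunk' line for this port."""
        return format_vlan_list(self.allowed)


def demo() -> dict[str, str]:
    """Replay the post's scenario and the add-versus-bare-form pitfall."""
    results: dict[str, str] = {}
    sw1_gi01 = Trunk()                                   # SW1 Gi0/1 towards SW2
    sw1_gi01.configure("switchport trunk allowed vlan remove 10")
    results["remove 10"] = sw1_gi01.show()               # 1-9,11-4094

    t = Trunk()
    t.configure("switchport trunk allowed vlan add 10,20")
    results["add on default trunk"] = t.show()           # unchanged: 1-4094

    t = Trunk()
    t.configure("switchport trunk allowed vlan 10,20")
    results["bare form"] = t.show()                      # everything else pruned: 10,20

    t = Trunk()
    t.configure("switchport trunk allowed vlan none")
    t.configure("switchport trunk allowed vlan except 10-20")
    results["except after none"] = t.show()              # 1-9,21-4094
    return results


if __name__ == "__main__":
    for label, allowed in demo().items():
        print(f"{label:22s} -> {allowed}")
```

The "add on default trunk" case is the one to remember: on a trunk that is still at its default of all, add does nothing visible, and the only way to end up with just the VLANs you named is the bare form (or none followed by add).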
Manual VLAN pruning. Tick.