Do you prune VLANs off of your trunks?

Pruning VLANs when passing them from one switch to another switch or device is a very debatable subject. I have found that there are two reasons why people do not prune VLANs: laziness and convenience.

Passing 30+ VLANs to another switch gets pretty tedious. After you add all of those VLANs to the link, what happens if you missed one? That’s simple: you get a complaint and you go back and add it. But when you go back to add it, if you don’t issue the correct form of the command on a Cisco switch, you replace the whole allowed list with just the one VLAN you typed, and every other VLAN on that trunk stops forwarding. You must use “switchport trunk allowed vlan add <vlan>”; a bare “switchport trunk allowed vlan <vlan>” is a replacement, not an addition. Confirm the result with “show interfaces trunk” before you walk away. You run the risk of causing a major outage just by adding that one VLAN you missed, or the new VLAN you now need.

When connecting a virtual machine (VM) host, it seems much easier to pass all of the VLANs to the host. That way the server administrator can use any VLAN at any time without asking the network team to add or remove VLANs from the switch port. Network vendors like Brocade with their VDX platform are working to remove this inconvenience: the VMware server communicates with the VDX switches, which automatically configure their ports for only the VLANs the VMware server is configured to use.

So why not let all of the VLANs go everywhere and not prune them? The answer used to be processing power. Every PC, server, router and switch has to handle every frame that arrives on its network interface, and in an unpruned VLAN every broadcast, multicast and unknown-unicast frame is flooded across the trunk to devices that have no use for it. While a device is receiving and discarding all of those unneeded frames, it is not doing the work it is supposed to be doing. You can argue that the technology has improved drastically over the years and that devices now have the processing power to handle the extra load. I don’t like this argument, because those extra frames could be what takes a device from highly utilized to overloaded and out of service.

What’s the likelihood of this? Reply and share your opinion.

There could also be security issues with not pruning VLANs. With VLANs extended across switches, you could have a DMZ switch directly connected to a core switch. VLAN 5 might carry traffic from the core through the DMZ switch to the edge firewall (which connects to the DMZ switch), so VLAN 5 is the only VLAN that legitimately needs to cross that link. If the trunk is not pruned, every DMZ VLAN is also extended onto the core switch. If somebody later configures one of those VLAN IDs on the core for another use, the DMZ VLAN and the internal VLAN become one broadcast domain: the DMZ segment is bridged straight into the core, bypassing the firewall.
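To make both failure modes concrete (the “add” keyword mistake on the trunk, and a DMZ VLAN that quietly ends up bridged to an internal one), here is an added Python example. It is my own illustration, not code from this post or from Cisco: it models what IOS does with each form of “switchport trunk allowed vlan” so you can preview what a change would drop, and then checks a core switch’s trunks for DMZ VLANs that have leaked past the one agreed transit VLAN. The interface names, VLAN numbers and the “agreed transit set” in the sample table are constructed assumptions; replace CORE_TRUNKS with your own parsed “show interfaces trunk” output to run it for real.

```python
"""Preview Cisco IOS 'switchport trunk allowed vlan' changes and flag DMZ VLANs
that leak onto other trunks.  Added example for this post, not code from it."""
import re

VLAN_MIN, VLAN_MAX = 1, 4094  # usable 802.1Q VLAN IDs on a Cisco trunk


def parse_vlan_list(text):
    """Expand a Cisco-style VLAN list such as '1-5,10,20-30' into a set of ints."""
    text = text.replace(" ", "")
    if not text:
        raise ValueError("empty VLAN list")
    vlans = set()
    for part in text.split(","):
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", part)
        if not m:
            raise ValueError(f"bad VLAN list element: {part!r}")
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        if not VLAN_MIN <= lo <= hi <= VLAN_MAX:
            raise ValueError(f"VLAN id out of range: {part!r}")
        vlans.update(range(lo, hi + 1))
    return vlans


def apply_allowed_vlan(current, command):
    """Return the allowed set after 'switchport trunk allowed vlan <args>'.

    IOS semantics: a bare list REPLACES the allowed set; add/remove/except/
    all/none modify or reset it.  A forgotten 'add' is the outage in the post."""
    m = re.fullmatch(r"switchport trunk allowed vlan\s+(.+)", command.strip())
    if not m:
        raise ValueError("not a 'switchport trunk allowed vlan' command")
    parts = m.group(1).split(None, 1)
    keyword = parts[0].lower()
    rest = parts[1] if len(parts) > 1 else ""
    everything = set(range(VLAN_MIN, VLAN_MAX + 1))
    if keyword == "all":
        return everything
    if keyword == "none":
        return set()
    if keyword == "add":
        return current | parse_vlan_list(rest)
    if keyword == "remove":
        return current - parse_vlan_list(rest)
    if keyword == "except":
        return everything - parse_vlan_list(rest)
    return parse_vlan_list(m.group(1))  # no keyword: wholesale replacement


def preview_change(current, command):
    """Show what a command adds and, more importantly, what it silently drops."""
    new = apply_allowed_vlan(current, command)
    return {"allowed": new, "added": new - current, "dropped": current - new}


def find_leaked_vlans(trunks, dmz_trunk, expected):
    """trunks: {trunk name: allowed VLAN set} on the core switch.

    'unexpected' = VLANs on the DMZ-facing trunk beyond the agreed transit set;
    'bridged'    = the subset of those also allowed on another core trunk, i.e.
                   a DMZ segment bridged to an internal one, bypassing the firewall."""
    unexpected = trunks[dmz_trunk] - set(expected)
    bridged = {}
    for vlan in sorted(unexpected):
        others = [name for name, vlans in trunks.items()
                  if name != dmz_trunk and vlan in vlans]
        if others:
            bridged[vlan] = others
    return {"unexpected": unexpected, "bridged": bridged}


# Constructed sample data (hypothetical interface names and VLAN numbers).
# VLAN 5 is the agreed core-to-firewall transit VLAN from the post; VLANs
# 100-110 belong to the DMZ switch and should never reach the core.
DMZ_TRUNK = "Gi1/0/1 (to DMZ switch)"
CORE_TRUNKS = {
    DMZ_TRUNK: parse_vlan_list("5,100-110"),                      # unpruned DMZ trunk
    "Gi1/0/2 (to distribution A)": parse_vlan_list("10-40"),
    "Gi1/0/3 (to distribution B)": parse_vlan_list("10-40,105"),  # 105 reused internally
}

if __name__ == "__main__":
    current = parse_vlan_list("10-40")
    for cmd in ("switchport trunk allowed vlan 45",
                "switchport trunk allowed vlan add 45"):
        r = preview_change(current, cmd)
        print(f"{cmd!r}: +{sorted(r['added'])}, {len(r['dropped'])} VLANs dropped")
    leaks = find_leaked_vlans(CORE_TRUNKS, DMZ_TRUNK, expected={5})
    print("DMZ VLANs leaked onto the core:", sorted(leaks["unexpected"]))
    print("already bridged to internal trunks:", leaks["bridged"])
```

The first half is the safety check worth scripting into any change procedure: if “dropped” is non-empty for a command that was meant to add a VLAN, you have typed the replacing form. The second half turns the diagram’s argument into a test you can run after every core change; anything in “unexpected” is exposure waiting to happen, and anything in “bridged” is the firewall bypass already in place.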

Network diagram showing why to prune VLANs

What’s the likelihood of this? Reply and share your opinion.

Like I said in the beginning, this is debatable. For the reasons above, I always prune the VLANs.

What do you do? Prune, or let them all through, and why?


This entry was posted in Switching by Scape.

About Scape

Over 10 years in the networking field. I have worked in service provider and enterprise environments. I have worked with Cisco, Foundry/Brocade, F5, Riverbed and Scientific Atlanta gear: routers, switches, firewalls, load balancers, WAN accelerators, DWDM, SONET, multicast, etc.

3 thoughts on “Do you prune VLANs off of your trunks?”

  1. OK Scape, I agree with you. I have for a long time pruned my VLANs. I have been somewhat disappointed by the “auto pruning”. The biggest issue I get with pruning is when machines are moved with no notification (that is a procedure issue, I know). It leaves you with a VLAN where you don’t need it. Of course you get those who try and move a machine to places where the VLAN doesn’t exist too. All are vocal, but the network has to come first.

  2. Our biggest issue is with the VM systems. They move a VM to a different machine that doesn’t have the proper VLAN, and then the VM is black-holed.

    We are looking at the Brocade VDX platform to help with this issue. It is supposed to be able to talk to the ESX host and automatically add or remove the proper VLAN to the switch port that is needed by the ESX host.

  3. I like how you have written this, as I believe pruning is almost an absolute for trunk links to upstream devices, but I must admit to being a bit lazier when it is, say, an access point or a VM host. From the comms side we ran a large layer 2 network that had around 600 VLANs and we also used per-VLAN spanning tree, so that was a lot of overhead, but more importantly when we had problems that we sometimes couldn’t get to the root cause of, pruning made a difference here in the stability. I am going back 6-7 years though. The security side was very relevant too, as we dropped a switch at the far end with only the customer and management VLANs on. I got bitten by the add command too; thankfully I reversed it quickly enough. One issue I had recently though with APs was that my client wanted to prune specifically down to emulate his Comware environment, and I added just the wireless VLAN to the trunk and added the native VLAN command, only to find the native had to also be specified on the trunk for it to work, so I discussed with him the benefits of pruning an AP and the pruning is now gone. I’d like to hear about MST being used where security isn’t such a big deal, as I only stumbled across it when working on HP environments.
