Oct 22

Do you prune VLAN’s off of your Trunk’s?

Pruning VLAN’s when passing VLAN’s from one switch to another switch or device is a very debatable subject. I have found that there are two reason’s why people do not prune the VLAN’s, Laziness and Convenience.

When passing 30+ vlan’s to another switch can get pretty tedious. After you add all of those VLAN’s to the link, what happens if you missed one? That’s simple, you get a complaint and you go back and add it. When you go back and add the vlan, if you don’t issue the correct command on a Cisco Switch, you clear out all of the VLAN’s and simply add the one you just added. You must use the “switchport trunk allow vlan ADD ” command. You run the risk of causing a major outage by adding that one VLAN that you missed, or the new VLAN you now need.

When connecting a Virtual Machine (VM), it seems to be much easier to pass all of the VLAN’s to the VM. This way the server administrator can use any VLAN at any time with out asking the network team to add or remove VLAN’s from the switch port. Network companies like Brocade with their VDX platform are working to remove this inconvenience. The VMWare server will automatically communicate with the VDX switches and automatically configure the switch ports on the VDX for only the VLAN’s the VMWare server is configured to use.

So why not let all of the VLAN’s go everywhere and not prune them? The answer used to be processing power. Your PC, Server, Router, Switch has to process every packet that enters it’s network card. While the device is processing all of those unneeded packets, it’s not doing the work it’s supposed to be doing. This issue can be argued that the technology has drastically improved over the years and the devices now have the processing power to handle the extra packet processing. I don’t like this argument because these extra packets could take a device from highly utilized to overloaded and out of service.

What’s the likelihood of this, reply and share your opinion?

There could be security issues with not pruning the VLAN’s. With virtualization with VLAN’s, you could have a DMZ switch directly connected to a core switch. VLAN 5 may pass data from the core to the Edge firewall (connected to the DMZ switch) through the DMZ switch so the data flow is secure. In this design, DMZ VLAN’s could be passed to the core switch if the VLAN’s were not pruned. If somebody configured the same VLAN on the core for another use, the DMZ VLAN would be bridged to the core vlan.

Network Diagram showing why to prune VLAN's

Network Diagram showing why to prune VLAN’s

What’s the likelihood of this, reply and share your opinion?

Like I said in the beginning, this is debatable. For the reasons above, I always prune the VLAN’s.

What do you do? Prune, or let them go and Why?

If you enjoyed this article, please share it with the social media below!!