The topology has been reset to VTP Version 2 and domain CCNP, and the topology above is configured.
Note that the two VTP Client switches both have interfaces in a common VLAN and interfaces in separate VLANs, while the VTP Server has only Trunk interfaces, which are considered to be in "all VLANs" by default.
The Fundamentals of VTP Pruning
VTP Pruning is a mechanism that dynamically stops traffic from crossing Trunk interfaces to neighboring switches that have no active interfaces in that VLAN, limiting the scope of Broadcast / Multicast / Unknown Unicast traffic so it does not consume network bandwidth and hardware resources where it is not needed.
Pruning can only be enabled on the VTP Server; however, the manual adjustment of Pruned VLANs can be configured on the Trunk interfaces of either the Server or the Clients.
Once enabled on the Server, it is dynamically enabled on the Client switches in the Server's VTP Domain, and those switches save the setting and also perform Pruning dynamically on their own Trunks.
What VLANs CAN and CANNOT be Pruned by VTP
- Once VTP Pruning is enabled, VLANs 2 – 1001 are Pruning eligible unless configured otherwise
- The 5 default VLANs (1, 1002-1005) are not Pruning eligible, nor is the range of Extended VLANs (1006-4094)
- VLANs in the Pruning eligible range can be made non-eligible, as demonstrated below
The configuration of VTP Pruning on the Lab with VTP already synced
First I want to look at SW2’s “sh vlan brief” and “sh vtp status” to see how it looks pre-VTP Pruning:
SW2#sh vlan brief
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa1/0/3, Fa1/0/4, Fa1/0/5
Fa1/0/6, Fa1/0/7, Fa1/0/8
Fa1/0/9, Fa1/0/21, Fa1/0/22
Fa1/0/23, Gi1/0/1, Gi1/0/2
10 Data active Fa1/0/10, Fa1/0/11, Fa1/0/12
Fa1/0/13, Fa1/0/14, Fa1/0/15
Fa1/0/16, Fa1/0/17, Fa1/0/18
Fa1/0/19, Fa1/0/20
20 Server active Fa1/0/24
30 Voice active
1002 fddi-default act/unsup
1003 trcrf-default act/unsup
1004 fddinet-default act/unsup
1005 trbrf-default act/unsup
I'll color code for clarity with the Topology, but as can be seen, the Voice VLAN has no active interfaces in it, so on to verifying VTP status:
SW2#sh vtp status
VTP Version capable : 1 to 3
VTP version running : 2
VTP Domain Name : CCNP
VTP Pruning Mode : Disabled
VTP Traps Generation : Disabled
Device ID : 5897.1eab.c800
Configuration last modified by 0.0.0.0 at 3-1-93 00:49:54
Feature VLAN:
--------------
VTP Operating Mode : Client
Maximum VLANs supported locally : 1005
Number of existing VLANs : 8
Configuration Revision : 4
MD5 digest : 0x26 0x9C 0xE1 0xA3 0x86 0xF5 0xA8 0xB8
0x44 0xCC 0x0A 0x50 0xB0 0x45 0xB3 0x51
SW2#
Now to enable VTP Pruning on the Server SW1 and see whether it dynamically prunes unnecessary VLAN traffic from the Trunks toward the Client switches:
SW1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)#vtp pruning ?
<cr>
SW1(config)#vtp pruning
Pruning switched on
SW1(config)#
That is all there is to it. Now, first, look at SW1's "sh int trunk", as that is where the Pruning information for the VTP Server appears:
SW1#sh int trunk
Port Mode Encapsulation Status Native vlan
Fa1/0/2 on 802.1q trunking 1
Fa1/0/3 on 802.1q trunking 1
Port Vlans allowed on trunk
Fa1/0/2 1-4094
Fa1/0/3 1-4094
Port Vlans allowed and active in management domain
Fa1/0/2 1,10,20,30
Fa1/0/3 1,10,20,30
Port Vlans in spanning tree forwarding state and not pruned
Fa1/0/2 1,10,20
Fa1/0/3 1,10,30
SW1#
Of course, as it should be, the Server will now only send Server VLAN traffic to SW2 and Voice VLAN traffic to SW3, and Data VLAN traffic to both, as they share that common VLAN and have devices in it.
*** IMPORTANT NOTE! *** While labbing this, SW1 did not originally show VLAN 20 being Pruned off Trunk Fa1/0/2, because I had only placed the interface in it and forgot to power on the "Server" host on the port, so the port has to be both in the VLAN AND active for it to be considered for Pruning (or rather, to NOT be Pruned by VTP)!
So if you are asked why a VLAN is not showing in the "not pruned" portion of the Trunk interface output, it could be that the interface on the neighboring switch is administratively shut down, the device on it is not powered on, or the interface is not part of the VLAN.
So let's take a look at SW2:
SW2#sh vtp status
VTP Version capable : 1 to 3
VTP version running : 2
VTP Domain Name : CCNP
VTP Pruning Mode : Enabled
VTP Traps Generation : Disabled
Device ID : 5897.1eab.c800
Configuration last modified by 0.0.0.0 at 3-1-93 01:35:36
Feature VLAN:
--------------
VTP Operating Mode : Client
Maximum VLANs supported locally : 1005
Number of existing VLANs : 8
Configuration Revision : 5
MD5 digest : 0x84 0x0D 0xE1 0x5F 0xAC 0x00 0x48 0x2B
0x4E 0x0B 0x4C 0x9E 0xAC 0x49 0xCC 0xDD
SW2#
A couple of things to note from this output:
- The number of VLANs does not change, because VTP Pruning only filters traffic for a given VLAN; it does not delete knowledge of the VLAN existing in the Domain
- Configuring VTP Pruning on the Server incremented the Configuration Revision number
- Configuring VTP Pruning on the Server dynamically enabled it on the Clients as well
I found what seems like an oddity when checking SW2's output, which is mirrored on SW3:
SW2
SW2#sh int trunk
Port Mode Encapsulation Status Native vlan
Fa1/0/2 auto n-802.1q trunking 1
Port Vlans allowed on trunk
Fa1/0/2 1-4094
Port Vlans allowed and active in management domain
Fa1/0/2 1,10,20,30
Port Vlans in spanning tree forwarding state and not pruned
Fa1/0/2 1,10,30
SW2#
So from SW1 to SW2, VLAN 30 is being pruned, and from SW1 to SW3, VLAN 20 is being pruned, but from SW2's and SW3's perspective, they are each only Pruning traffic for the VLAN local to that switch.
I've added VLAN 40 (Test) on SW1, which has propagated to both VTP Clients, and plugged a router into Fa1/0/23 on SW3, to see some different behaviors across the Topology:
How SW1 is now Pruning the VLANs
SW1#sh int trunk
Port Mode Encapsulation Status Native vlan
Fa1/0/2 on 802.1q trunking 1
Fa1/0/3 on 802.1q trunking 1
Port Vlans allowed on trunk
Fa1/0/2 1-4094
Fa1/0/3 1-4094
Port Vlans allowed and active in management domain
Fa1/0/2 1,10,20,30,40
Fa1/0/3 1,10,20,30,40
Port Vlans in spanning tree forwarding state and not pruned
Fa1/0/2 1,10,20
Fa1/0/3 1,10,30,40
SW1#
That is as expected, but more importantly I'd like to see how SW2's and SW3's output looks for their Pruning, to verify the behavior that local VLANs are Pruned:
SW3#sh int trunk
Port Mode Encapsulation Status Native vlan
Fa1/0/3 auto n-802.1q trunking 1
Port Vlans allowed on trunk
Fa1/0/3 1-4094
Port Vlans allowed and active in management domain
Fa1/0/3 1,10,20,30,40
Port Vlans in spanning tree forwarding state and not pruned
Fa1/0/3 1,10,20
SW3#sh vlan brief
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa1/0/1, Fa1/0/2, Fa1/0/4
Fa1/0/5, Fa1/0/6, Fa1/0/7
Fa1/0/8, Fa1/0/9, Fa1/0/21
Fa1/0/22, Gi1/0/1, Gi1/0/2
10 Data active Fa1/0/10, Fa1/0/11, Fa1/0/12
Fa1/0/13, Fa1/0/14, Fa1/0/15
Fa1/0/16, Fa1/0/17, Fa1/0/18
Fa1/0/19, Fa1/0/20
20 Server active
30 Voice active Fa1/0/24
40 Test active Fa1/0/23
1002 fddi-default act/unsup
1003 trcrf-default act/unsup
1004 fddinet-default act/unsup
1005 trbrf-default act/unsup
SW3#
This one is a bit tricky, because there is a device in a common subnet between the two switches (Data VLAN 10); however, this demonstrates that only the local VLANs are being Pruned, which works almost like a security feature as well as limiting traffic across the network!
Now a look at SW2’s Trunk interface output:
SW2#sh int trunk
Port Mode Encapsulation Status Native vlan
Fa1/0/2 auto n-802.1q trunking 1
Port Vlans allowed on trunk
Fa1/0/2 1-4094
Port Vlans allowed and active in management domain
Fa1/0/2 1,10,20,30,40
Port Vlans in spanning tree forwarding state and not pruned
Fa1/0/2 1,10,30,40
SW2#
I'll spare the VLAN output, but sure enough only the local Server VLAN 20 is being Pruned from SW2; this is a very important detail to remember for exam day!
How to change the VLANs being Pruned manually
First let's take a look at what is happening on SW1 currently:
SW1#sh int trunk
Port Mode Encapsulation Status Native vlan
Fa1/0/2 on 802.1q trunking 1
Fa1/0/3 on 802.1q trunking 1
Port Vlans allowed on trunk
Fa1/0/2 1-4094
Fa1/0/3 1-4094
Port Vlans allowed and active in management domain
Fa1/0/2 1,10,20,30,40
Fa1/0/3 1,10,20,30,40
Port Vlans in spanning tree forwarding state and not pruned
Fa1/0/2 1,10,20
Fa1/0/3 1,10,30,40
The following is a method to make a single VLAN, a VLAN range, and so forth Pruning ineligible, like the default and extended VLANs on a switch, as demonstrated below.
Say, for example, you want the Voice and Data VLANs to always be ineligible for your Access Layer switches in the network:
Verification
SW1(config)#do sh int trunk
Port Mode Encapsulation Status Native vlan
Fa1/0/2 on 802.1q trunking 1
Fa1/0/3 on 802.1q trunking 1
Port Vlans allowed on trunk
Fa1/0/2 1-4094
Fa1/0/3 1-4094
Port Vlans allowed and active in management domain
Fa1/0/2 1,10,20,30,40
Fa1/0/3 1,10,20,30,40
Port Vlans in spanning tree forwarding state and not pruned
Fa1/0/2 1,10,20
Fa1/0/3 1,10,30,40
So by default, the VTP Server is Pruning any VLANs not local to the neighboring switch (the remote switch has no active interfaces in them yet), so to make Voice VLAN 30 non-eligible for Pruning we remove it from the eligible list, which is 2-1001 by default:
SW1(config)#int fa1/0/2
SW1(config-if)#switchport trunk pruning vlan ?
WORD VLAN IDs of the allowed VLANs when this port is in trunking mode
add add VLANs to the current list
except all VLANs except the following
none no VLANs
remove remove VLANs from the current list
SW1(config-if)#switchport trunk pruning vlan remove 30 ?
<cr>
SW1(config-if)#switchport trunk pruning vlan remove 30
SW1(config-if)#do sh int trunk
Port Mode Encapsulation Status Native vlan
Fa1/0/2 on 802.1q trunking 1
Fa1/0/3 on 802.1q trunking 1
Port Vlans allowed on trunk
Fa1/0/2 1-4094
Fa1/0/3 1-4094
Port Vlans allowed and active in management domain
Fa1/0/2 1,10,20,30,40
Fa1/0/3 1,10,20,30,40
Port Vlans in spanning tree forwarding state and not pruned
Fa1/0/2 1,10,20,30
Fa1/0/3 1,10,30,40
SW1(config-if)#
So by using the "remove" keyword, we removed it from the eligible list, whereas adding it to the list just makes it eligible for dynamic pruning.
Among the options I also wanted to distinguish "switchport trunk pruning vlan #" from "switchport trunk pruning vlan add #", as I struggled with understanding this and how to remove / add VLANs on Trunk interfaces.
So the first option, just using a # after the "switchport trunk pruning vlan …" command, actually allows the VLAN over the Trunk port, whereas I thought it would add it to the Pruning Eligible list:
SW1(config-if)#switchport trunk pruning vlan 40
SW1(config-if)#do sh int trunk
Port Mode Encapsulation Status Native vlan
Fa1/0/2 on 802.1q trunking 1
Fa1/0/3 on 802.1q trunking 1
Port Vlans allowed on trunk
Fa1/0/2 1-4094
Fa1/0/3 1-4094
Port Vlans allowed and active in management domain
Fa1/0/2 1,10,20,30,40
Fa1/0/3 1,10,20,30,40
Port Vlans in spanning tree forwarding state and not pruned
Fa1/0/2 1,10,20,30,40
Fa1/0/3 1,10,30,40
SW1(config-if)#
I was trying to remove VLAN 30 using "switchport trunk pruning vlan 30" and it somehow added VLAN 40 on there, which may have been a bug, so now I had both VLANs allowed, which I definitely did not want.
So this is when I really read that syntax, and found that using "add" adds those VLANs to the Pruning Eligible list:
SW1(config-if)#switchport trunk pruning vlan add 30
SW1(config-if)#switchport trunk pruning vlan add 40
SW1(config-if)#do sh int trunk
Port Mode Encapsulation Status Native vlan
Fa1/0/2 on 802.1q trunking 1
Fa1/0/3 on 802.1q trunking 1
Port Vlans allowed on trunk
Fa1/0/2 1-4094
Fa1/0/3 1-4094
Port Vlans allowed and active in management domain
Fa1/0/2 1,10,20,30,40
Fa1/0/3 1,10,20,30,40
Port Vlans in spanning tree forwarding state and not pruned
Fa1/0/2 1,10,20
Fa1/0/3 1,10,30,40
SW1(config-if)#
So that added those VLANs on this Trunk back to the Pruning Eligible list, and away they went. I won't get into the other sub-commands or I will be writing this until I turn into a Prune in front of the CLI; however, I encourage anyone to really lab this topic out for clarity's sake, as those commands have odd behaviors and can be confusing!
However, the basic "remove" to make a VLAN non-Pruning eligible and "add" to make it Pruning eligible is hopefully as detailed as it gets on exam day.
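To tie together the two rules this post walks through, which VLANs a Trunk stops forwarding once Pruning is on, and what "remove" / "add" do to a Trunk's eligible list, here is a small Python model I'm adding here; it is not from the post or from Cisco. The port tables are constructed to match the lab, and the neighbor's needed VLANs are taken straight from its port table, standing in for the VTP join messages a real switch would receive.

```python
# Added model of the pruning rules in this post (not the post's or Cisco's code).
# Assumption: the neighbor's needed VLANs come from a constructed port table,
# standing in for the VTP join messages a real switch would receive.

# VLAN 1, 1002-1005 and extended 1006-4094 are never pruning eligible.
DEFAULT_ELIGIBLE = frozenset(range(2, 1002))

# Constructed port tables matching the lab: port -> (access VLAN, link up).
SW2_PORTS = {"Fa1/0/3": (1, True), "Fa1/0/10": (10, True), "Fa1/0/24": (20, True)}
SW3_PORTS = {"Fa1/0/1": (1, True), "Fa1/0/10": (10, True),
             "Fa1/0/24": (30, True), "Fa1/0/23": (40, True)}
DOMAIN_VLANS = {1, 10, 20, 30, 40}   # "allowed and active in management domain"


def active_vlans(ports):
    """VLANs a switch asks its neighbor for: a port must be in the VLAN AND up
    (the post's VLAN 20 case: host powered off, so VLAN 20 was still pruned)."""
    return {vlan for vlan, up in ports.values() if up}


def pruning_vlan(eligible, keyword, vlans=()):
    """Model 'switchport trunk pruning vlan add|remove|except|none' on one trunk.
    The bare VLAN-list form is left out because the post saw odd results with it."""
    vlans = set(vlans)
    if keyword == "add":
        return eligible | (vlans & DEFAULT_ELIGIBLE)  # 1 and 1002+ stay ineligible
    if keyword == "remove":
        return eligible - vlans
    if keyword == "except":
        return DEFAULT_ELIGIBLE - vlans
    if keyword == "none":
        return frozenset()
    raise ValueError(f"unknown keyword {keyword!r}")


def not_pruned(neighbor_ports, eligible=DEFAULT_ELIGIBLE, domain=DOMAIN_VLANS):
    """The 'forwarding state and not pruned' line of 'sh int trunk': every domain
    VLAN the neighbor actively needs, plus every VLAN this trunk may not prune."""
    needed = active_vlans(neighbor_ports)
    return sorted(v for v in domain if v in needed or v not in eligible)


if __name__ == "__main__":
    print("SW1 Fa1/0/2 -> SW2:", not_pruned(SW2_PORTS))       # [1, 10, 20]
    print("SW1 Fa1/0/3 -> SW3:", not_pruned(SW3_PORTS))       # [1, 10, 30, 40]
    fa2 = pruning_vlan(DEFAULT_ELIGIBLE, "remove", {30})      # VLAN 30 now never pruned
    print("after 'remove 30':", not_pruned(SW2_PORTS, fa2))   # [1, 10, 20, 30]
    fa2 = pruning_vlan(fa2, "add", {30})                      # back to dynamic pruning
    print("after 'add 30':", not_pruned(SW2_PORTS, fa2))      # [1, 10, 20]
```

Since SW1 has no access ports, and a neighbor also asks for the VLANs in use on switches beyond it, passing SW3_PORTS as the neighbor's needs reproduces SW2's own Trunk output (1,10,30,40) and passing SW2_PORTS reproduces SW3's (1,10,20), which is the "only the local VLAN is pruned" oddity seen above.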
Speaking of exam day and VTP, there is room for trick questions to be aware of!
I have not taken SWITCH yet, so this is by no means an actual test question; however, I wanted to pose an example question with tricky wording that could throw candidates off the correct answer:
"A network engineer must Extend his LAN over a geographical distance using VTP, and with Extended VLANs being Pruning Ineligible, how would the Engineer stop the flow of unnecessary Traffic across the LAN?"
So with this question type, there is word play on Extending the LAN and pointing out that Extended VLANs are Pruning ineligible, but it never specifies that the traffic is on an Extended VLAN itself, so the answer would be "Enable VTP Pruning".
I saw variations of this on Cisco forums, so I wanted to come up with a question type that is intended to throw you off by using similar names, pointing out that the similar-sounding item is VTP Pruning ineligible, when it is really simply asking how to stop the flow of unnecessary traffic on the LAN.
SO THAT IS FINALLY IT FOR VTP! Onto Spanning-Tree Fundamentals I go!
Thanks for the contribution and your knowledge.
No problem, I am glad to help / You're welcome, I'm happy to help 🙂
I don't understand whether the command to define the pruning eligibility has to be specified only on the server switch (so the pruning eligibility is valid on ALL the leaf switch(es) connected to that port) or on a specific trunk link between the leaf switches in the network where we want the VLAN to be (in)eligible for pruning.
VTP Pruning is set on the Server, and the network will dynamically prune packets to Trunks that do not have the destination VLAN, whereas manual VLAN Pruning will discard any data for a specified VLAN.
Transparent switches should not be affected by VTP Pruning, as a Transparent switch only collects and relays other VTP Clients' data, but not its own.