Cisco - VTP pruning

Forum section: Networks - Pro Systems & Networks

Marsh, posted on 18-08-2008 at 17:50:13

Hello,

If I'm not mistaken, VTP pruning is not enabled by default on the switches.

Is there a reason not to enable it?

Thanks,


Marsh, posted on 18-08-2008 at 17:57:40

It sometimes makes a mess.

It's better to control the propagation of VLANs on the trunks manually.


Message edited by dreamer18 on 18-08-2008 at 17:58:13


Marsh, posted on 18-08-2008 at 18:06:55

OK, thanks,
So I'll allow the VLANs by hand on the trunks and leave it disabled then.
Still, reading the Cisco documentation, one rather gets the impression that enabling it is a good thing.


Marsh, posted on 18-08-2008 at 18:08:24

There are certain cases where VTP can be caught out. The recommendation is to allow/remove the VLANs on a trunk by hand.


Marsh, posted on 18-08-2008 at 20:08:10

OK, thanks :bounce:


Marsh, posted on 19-08-2008 at 15:46:59

I don't use VLAN 1, but I believe CDP and other protocols use it, for example.

On each of my trunks, if I do a "switchport trunk allowed vlan add ...", do I also have to do it for VLAN 1?


Marsh, posted on 19-08-2008 at 18:17:25

No. VLAN 1 always passes for the management protocols (CDP, VTP, PAgP...).


Marsh, posted on 19-08-2008 at 19:56:36

Can't its propagation be prevented? Even if we don't want it? That's rather poor with regard to VLAN hopping attacks, though...
Otherwise, pruning by hand is fine, but once you start having several tens of VLANs on a network you'd better keep rigorous track of the network.


Marsh, posted on 19-08-2008 at 20:22:41

VLAN 1

VLAN 1 has a special significance in Catalyst networks.

The Catalyst Supervisor Engine always uses the default VLAN, VLAN 1, to tag a number of control and management protocols when trunking, such as CDP, VTP and PAgP. All ports, including the internal sc0 interface, are configured by default to be members of VLAN 1. All trunks carry VLAN 1 by default, and in CatOS software versions earlier than 5.4, it was not possible to block user data in VLAN 1.

These definitions are needed in order to help clarify some well-used terms in Catalyst networking:

* The management VLAN is where sc0 resides; this VLAN can be changed.
* The native VLAN is defined as the VLAN to which a port returns when not trunking, and is the untagged VLAN on an 802.1Q trunk. By default, VLAN 1 is the native VLAN.
* In order to change the native VLAN, issue the set vlan vlan-id mod/port command. Note: Create the VLAN before you set it as the native VLAN of the trunk.

There are several good reasons to tune a network and alter the behavior of ports in VLAN 1:

* When the diameter of VLAN 1, like any other VLAN, gets large enough to be a risk to stability (particularly from an STP perspective) it needs to be pruned back. This is discussed in more detail in the In-Band Management section of this document.
* Control plane data on VLAN 1 must be kept separate from the user data in order to simplify troubleshooting and maximize available CPU cycles.
* L2 loops in VLAN 1 must be avoided when multilayer-campus networks are designed without STP, and trunking is still required to the access layer if there are multiple VLANs and IP subnets. To do this, manually clear VLAN 1 from trunk ports.

In summary, note this information about trunks:

* CDP, VTP, and PAgP updates are always forwarded on trunks with a VLAN 1 tag. This is the case even if VLAN 1 is cleared from the trunks and is not the native VLAN. If VLAN 1 is cleared for user data, there is no impact on control plane traffic that is still sent using VLAN 1.
* On an ISL trunk, DTP packets are sent on VLAN 1. This is the case even if VLAN 1 is cleared from the trunk and is no longer the native VLAN. On an 802.1Q trunk, DTP packets are sent on the native VLAN. This is the case even if the native VLAN is cleared from the trunk.
* In PVST+, the 802.1Q IEEE BPDUs are forwarded untagged on the common Spanning Tree VLAN 1 for interoperability with other vendors, unless VLAN 1 is cleared from the trunk. This is the case regardless of the native VLAN configuration. Cisco PVST+ BPDUs are sent and tagged for all other VLANs. Refer to the Spanning Tree Protocol section in this document for more details.
* 802.1s Multiple Spanning Tree (MST) BPDUs are always sent on VLAN 1 on both ISL and 802.1Q trunks. This applies even when VLAN 1 is cleared from the trunks.
* Do not clear or disable VLAN 1 on trunks between MST bridges and PVST+ bridges. But, in the case that VLAN 1 is disabled, the MST bridge must become root in order for all VLANs to avoid the MST bridge putting its boundary ports in the root-inconsistent state. Refer to Understanding Multiple Spanning Tree Protocol (802.1s) for details.

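As an added illustration (not from any post in this thread, nor from Cisco's own documentation), this IOS-style configuration puts the advice above into practice: an explicit allowed-VLAN list per trunk instead of relying on VTP pruning, VLAN 1 cleared from the user-data VLANs on the trunk (control protocols keep using it regardless, as the quoted Cisco note explains), and an otherwise unused VLAN as the 802.1Q native VLAN so no access port shares the trunk's untagged VLAN. The interface name, the VLAN numbers 10/20/30/40 and the reserved native VLAN 999 are placeholders chosen for the example.

```cisco
! Added example, not from the thread: manual VLAN control on an 802.1Q trunk
! instead of VTP pruning. Interface name and VLAN numbers are placeholders.
!
! VTP pruning is left at its default (disabled). Transparent mode additionally
! keeps this switch from applying VTP advertisements it receives.
vtp mode transparent
!
! Reserve an otherwise unused VLAN as the native VLAN (999 is an assumed value;
! create the VLAN before assigning it as native, as the Cisco note says).
vlan 999
 name UNUSED-NATIVE
!
interface GigabitEthernet1/0/1
 description uplink-to-core (placeholder name)
 ! 'switchport trunk encapsulation dot1q' is only needed on platforms that
 ! also support ISL; omit it where the command is not accepted.
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ! Do not negotiate trunking with the neighbour (no DTP on this port).
 switchport nonegotiate
 ! Explicit allowed list replaces the default of "all VLANs": only 10, 20, 30
 ! cross this trunk. VLAN 1 is therefore not carried for user data; CDP, VTP,
 ! PAgP and MST BPDUs still use VLAN 1 on the trunk regardless.
 switchport trunk allowed vlan 10,20,30
 ! Later changes are made incrementally so the existing list is not replaced:
 !   switchport trunk allowed vlan add 40
 !   switchport trunk allowed vlan remove 1
 switchport trunk native vlan 999
!
! Verification (output not reproduced here): 'show interfaces trunk' lists the
! allowed and active VLANs per trunk, and 'show vtp status' reports
! "VTP Pruning Mode : Disabled" when pruning has not been enabled.
```

Keeping the allowed list explicit on every trunk is what makes the later remark about "several tens of VLANs" matter: each new VLAN must be added with the `add` form on every trunk that should carry it, and a plain `switchport trunk allowed vlan <list>` overwrites whatever was there before.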

Marsh, posted on 19-08-2008 at 21:59:09

Thanks for the info, there are a few things I didn't know.
At least it's clear: even without enabling the proprietary protocols, there is still one case where we'll need VLAN 1 anyway (MSTP).
On the other hand, if I conclude from what I'm reading, I can get rid of VLAN 1 entirely if I only enable RSTP, 802.3ad and GVRP, in short standard protocols. Do you agree?
