Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
7700
Views
10
Helpful
6
Replies

Can't disable DTP on Nexus 2000 FEX ports ?

gnijs
Level 4
Level 4

‎07-15-2011 09:24 AM

Hello Cisco,

It seems i cannot disable the sending of DTP packets on a FEX port:

Switch(config-if)# switchport ?

  <CR>        

  access       Set access mode characteristics of the interface

  autostate    Include or exclude this port from vlan link up calculation

  block        Block specified outbound traffic for all VLANs

  description  Enter description of maximum 80 characters

  host         Set port host

  mode         Enter the port mode

  monitor      Configures an interface as span-destination

  trunk        Configure trunking parameters on an interface

Switch(config-if)# switchport

---> There is no "switchport nonegotiate" ??

--> Anyway, even when the port is configured with "switchport mode access", it still keep sending DTP packets (this is normal), however

it sends them with status 0x04, which means "switchport mode desirable auto". This is a security issue.

Dynamic Trunking Protocol

    Version: 0x01

    Domain:

        Type: Domain (0x0001)

        Length: 5

        Domain:

    Status: 0x04

        Type: Status (0x0002)

        Length: 5

        Status: 0x04

    Dtptype: 0x45

        Type: Type (0x0003)

        Length: 5

        Dtptype: 0x45

    Neighbor: 40:55:39:e7:6b:40

        Type: Neighbor (0x0004)

        Length: 10

        Neighbor: Cisco_e7:6b:40 (40:55:39:e7:6b:40)

See:

http://webcache.googleusercontent.com/search?q=cache:GHF2-n-ppCwJ:www.kimiushida.com/bitsandpieces/articles/packet_analysis_dtp/index.html+dtp+types+status&cd=2&hl=nl&ct=clnk&gl=be&source=www.google.be

I am running version  NXOS 5.0(2)N2(1)

Labels:
0 Helpful
6 Replies 6

Chad Peterson
Cisco Employee
Cisco Employee

‎07-15-2011 10:12 AM

I havn't tried to disable DTP...guess I just forgot about it.  Does 'switchport host' turn it off?  I don't have a sniffer handy to test at the moment, but can try Monday if you aren't able to do so.

0 Helpful

gnijs
Level 4
Level 4
In response to Chad Peterson

‎07-17-2011 02:26 PM

I have tried "switchport host".No effect, stil DTP packets received (verified with Sniffer), at least with the NXOS version i used (see above)

0 Helpful

aymen.mohammed
Level 1
Level 1

‎07-18-2011 12:57 PM

Does nexus 2k support DTP?

Sent from Cisco Technical Support iPad App

0 Helpful

gnijs
Level 4
Level 4
In response to aymen.mohammed

‎07-18-2011 02:14 PM

I don't know. I just see DTP packets coming out of the ports and i want to prevent that a user uses these packets to

create a trunk and starts sending tagged packets to other vlans (one of the reasons DTP is turned off on host ports usually)

0 Helpful

Justin Shore
Level 1
Level 1

‎10-01-2013 02:56 AM

DTP is not supported on any Nexus platform.  This extends to the FEXs as well.  Hence the lack of 'switchport nonegotiate' commands on the Nexus interface-config CLI options.  DTP is still supported on Catalyst switches so you should still disable it on all Ethernet interfaces on those switches.

Justin

0 Helpful

nockternalsa@gmail.com
Level 1
Level 1

‎03-19-2018 02:09 AM

The Command looks a little different. {no negotiate auto} i did this  under the nexus 9k and the 2k. the speed setting is also required.

 

interface Ethernet1/36
  switchport
  switchport mode trunk

  speed 1000
  no negotiate auto
  no shutdown
sh int result below

admin state is up, Dedicated Interface
  Encapsulation ARPA, medium is broadcast
  Port mode is trunk
  full-duplex, 1000 Mb/s, media type is 1G
  Auto-Negotiation is turned off, FEC mode is Auto


Customers Also Viewed These Support Documents