DTP is ON when everything else is hardcoded

cisco_geek
Level 1

Hi,

I found that this behavior is very strange (though I don't think anything is called odd in the Cisco world! They make a lot of effort to sustain the same level of conflict between their academic materials and real-world hands-on experience on their gear).

Anyway, what I know is that DTP is a protocol to negotiate whether the link will be trunk or access, and if it will be a trunk, which encapsulation protocol it would use. Ok, cool.

Now, what if I hardcoded that I need the interface to be a trunk, and hardcoded that the encapsulation to be used is dot1q? What would be left for DTP to negotiate?!

In other words, check the snip below:

Current configuration : 94 bytes
!
interface FastEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
end

Name: Fa0/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On


6 Replies

cadet alain
VIP Alumni

Hi,

What would happen if the other end were set to dynamic desirable or dynamic auto and DTP was disabled?

Regards

Alain

Don't forget to rate helpful posts.

Rolf Fischer
Level 9

Hi,

With that configuration the switch will send DTP frames on port Fa0/1, so the neighbor's port receives information to form a dot1q trunk if its mode is dynamic.

To disable sending you can add the "switchport nonegotiate" command.

Hope that helps

Rolf

Oops... Already answered by Alain.

I really have to type quicker ;-)

Hello
I would say if you know the other end of the link is to be trunked then turn dtp off

switchport nonegotiate

With DTP on, it opens up the port for a rogue device to be attached and negotiate a trunk; with it disabled, you have to define a trunk for it to be established.

res
Paul


Sent from Cisco Technical Support Android App


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

cisco_geek
Level 1

Hi

I must say that all replies are valid, and I know that DTP can be turned off using the switchport nonegotiate command, but where is the common sense here?

I'm an administrator and I'd configure both switches to be trunk and to use dot1q. Cisco should turn off DTP once we hardcode the mode to trunk, just like duplex auto vs duplex full.

Hi,

Let's look at this deeper.

Sw1--------------Trunk link  (DTP) --SW2

Cisco's Dynamic Trunking Protocol can facilitate the automatic creation of trunks between two switches. When two connected ports are configured in dynamic mode, and at least one of the ports is configured as desirable, the two switches will negotiate the formation of a trunk across the link. DTP isn't to be confused with VLAN Trunking Protocol (VTP), although the VTP domain does come into play.

DTP on the wire is pretty simple, essentially only advertising the VTP domain, the status of the interface, and its DTP type. These packets are transmitted in the native (or access) VLAN every 60 seconds both natively and with ISL encapsulation (tagged as VLAN 1) when DTP is enabled.

DTP is enabled by default on all modern Cisco switches. But a responsible network engineer has to ask himself, "why?" Do you really want switches to form trunks on their own? I certainly don't, for several reasons.

First, it's simply bad design; trunks should be present where they were intended, and only where they were intended. Second, leaving switch ports set to dynamic mode is a gaping security hole. If all it takes is the right DTP packet to form a trunk from an access port, an intruder can easily inject traffic into whatever VLANs are allowed on the port (by default, all of them). Fortunately, these two issues can be resolved by configuring a static switchport mode, either "access" or "trunk", as best practice dictates.

! Access port
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10

! Trunk port
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport trunk encapsulation dot1q

However, even when a port is statically configured in such a manner, DTP is still active on the port. If you've ever attempted to set up a trunk between two switches in different VTP domains and received the following error, you can thank DTP:

%DTP-5-DOMAINMISMATCH: Unable to perform trunk negotiation on port Fa0/1 because of VTP domain mismatch.

Recall that DTP advertisements include the VTP domain name. A switch won't form a trunk on a DTP-enabled port to a switch advertising a different VTP domain, even if the ports are manually configured in trunking mode. Nice, eh? Fortunately we can kill DTP once and for all with the switchport nonegotiate command on the interface.

Switch(config-if)# switchport nonegotiate

This configuration prevents DTP packets from being sent, effectively disabling trunk negotiation and evaluation of the VTP domain.

HTH

Regards

Inayath.
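As an added example (not code from the thread), a small Python check over "show interfaces switchport" output that flags the two cases discussed above: dynamic ports, which a DTP frame alone can turn into a trunk, and hardcoded ports like the question's Fa0/1 that still show "Negotiation of Trunking: On". The sample output is constructed; its field names follow the IOS output quoted in the question.

```python
# Added example (not from the thread): audit "show interfaces switchport"
# output for ports that still take part in DTP, as discussed above.
import re

# Constructed sample in the IOS format quoted in the question.
SAMPLE = """\
Name: Fa0/1
Administrative Mode: trunk
Operational Mode: trunk
Negotiation of Trunking: On

Name: Fa0/2
Administrative Mode: dynamic auto
Operational Mode: static access
Negotiation of Trunking: On

Name: Fa0/3
Administrative Mode: trunk
Operational Mode: trunk
Negotiation of Trunking: Off
"""

def parse_switchports(text):
    """Split the per-interface blocks into {field: value} dicts."""
    ports = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = dict(
            (k.strip(), v.strip())
            for k, _, v in (line.partition(":") for line in block.splitlines())
        )
        if "Name" in fields:
            ports.append(fields)
    return ports

def audit(text):
    """Return (port, severity, fix) for every port DTP can still touch."""
    findings = []
    for p in parse_switchports(text):
        admin = p.get("Administrative Mode", "").lower()
        nego = p.get("Negotiation of Trunking", "").lower()
        if admin.startswith("dynamic"):
            # The right DTP frame alone turns this port into a trunk.
            findings.append((p["Name"], "HIGH", "switchport mode access"))
        elif nego == "on":
            # Mode is hardcoded (like Fa0/1 in the question) but DTP
            # frames are still sent; stop them with nonegotiate.
            findings.append((p["Name"], "MEDIUM", "switchport nonegotiate"))
    return findings
```

Feed it the real command output (for example, `show interfaces switchport` saved to a file) and apply the suggested fix per port; a port that reports "Negotiation of Trunking: Off" after "switchport nonegotiate" drops out of the findings.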

Thank you Inayath