Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1938
Views
30
Helpful
7
Replies

DTP On Trunk Ports

Ali Hazim
Level 1
Level 1

‎03-13-2019 11:42 AM

When Manually Configuring a Port As Access, DTP Will Be Automatically Disabled. So Why Is It When Configuring a Port As Trunk, DTP Will Still Be Enabled?

Labels:
0 Helpful
7 Replies 7

Jaderson Pessoa
VIP Alumni
VIP Alumni

‎03-13-2019 11:51 AM - edited ‎03-13-2019 01:45 PM

The DTP is used by Cisco switches to negotiate whether an interconnection between two switches should be put into access or trunk mode. It is meant both to ease the initial deployment of a switched network and to minimize configuration errors that result from mismatched port configuration on an interconnection between two switches.

 

The DTP helps to automatically negotiate whether the port should be put into access or trunk mode and what trunking protocol (802.1Q or ISL) should be used. The individual DTP modes are:

 

  • dynamic auto - the port will negotiate the mode automatically, however, it prefers to be an access port
  • dynamic desirable - the port will negotiate the mode automatically, however, it prefers to be a trunk port

 

DTP datagrams are also sent if the port is set statically to the trunk mode. However, if the port is set statically to the access mode, both sending and processing DTP datagrams on that port is deactivated.

 

The individual combinations of port settings lead to following results:

 

  • dynamic auto + dynamic auto = access
  • dynamic auto + dynamic desirable = trunk
  • dynamic desirable + dynamic desirable = trunk
  • dynamic auto or dynamic desirable + trunk = trunk
  • dynamic auto or dynamic desirable + access = access

 

As you can see, if both ports are dynamic auto, they will act as access ports. If either of them is dynamic desirable, both will agree on trunking. If one of them is dynamic and the other is static, the mode is dictated by the statically set port.

 

The DTP protocol is unauthicated which means that a station can send false DTP packets, pretending to be a switch. If the switchport is configured as a dynamic port, an attacker can lure the switchport to become a trunk port and he will gain access to all VLANs allowed on that trunk. Therefore, after a network has been installed, it is the best practice to set the mode statically and deactivate the DTP protocol on a port using the command switchport nonegotiate (this command is necessary only for trunk ports, as the static access ports do not send DTP packets automatically).

 

more information: https://community.cisco.com/t5/switching/why-dtp-is-used/td-p/1377495

 

@Seb Rupik lol, i forgot it, thanks.

Jaderson Pessoa
*** Rate All Helpful Responses ***

Ali Hazim
Level 1
Level 1
In response to Jaderson Pessoa

‎03-13-2019 01:23 PM

Thank You For Your Response, But My Question Is Why a Port That Is Configured Statically As Trunk Doesn't Automatically Disable DTP Like Access Ports Do

0 Helpful

Angel Munoz Garcia
Level 1
Level 1
In response to Ali Hazim

‎07-21-2023 01:15 PM

Hi @Ali Hazim, you probably found the answer since then but I will try to give a direct answer to this question because I have been asking myself the exact same question the whole day.

Why is it not automatically disabled as when configuring it statically as an access port?

Because other dynamic switchport modes like switchport mode dynamic auto and switchport mode dynamic desirable on the other end of the link need it to be a negotiator.
Imagine you have configured one of these dynamic modes on the other end, but have disabled DTP negotiation on your end with the switchport nonegotiate command, the other end switch will not receive any negotiation response and will decide to operate in static access mode instead.

0 Helpful

Seb Rupik
VIP Alumni
VIP Alumni
In response to Jaderson Pessoa

‎03-13-2019 01:25 PM - edited ‎03-13-2019 01:27 PM

@Jaderson Pessoa You really should credit and reference the original post!:
https://community.cisco.com/t5/switching/why-dtp-is-used/td-p/1377495

0 Helpful

luis_cordova
VIP Alumni
VIP Alumni

‎03-13-2019 12:11 PM

Hi @Ali Hazim ,

 

In short, DTP manages the link that connects two switches to become a trunk link, even without previous configurations.
The only instance in which the link will be deactivated, is when in a link, one side is configured as a trunk and the other side as access.

As mentioned @Jaderson Pessoa , it is a good practice to disable DTP, since being a Cisco exclusive protocol, it can cause problems with other brands.

 

Remember to mark the correct answers as solved, because that helps other users with similar doubts.

 

Regards

paul driver
VIP
VIP

‎03-13-2019 12:38 PM - edited ‎03-13-2019 02:12 PM

Hello

just like to add - i always choose to make not only trunks but also access mode ports non negotiate which inst necessary on a access mode port but I like to make sure dtp isn’t active in anyway and to prevent the access port accidentally being changed in anyway and then left as a dynamic desirable.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card