Why is DTP used?

cisconetguy
Level 1

Hi,

I would like to know why DTP is used. What are the pros and cons of it?

Why are there different trunking modes?

Accepted Solution

Peter Paluch
Cisco Employee

Hi Sandy,

The DTP is used by Cisco switches to negotiate whether an interconnection between two switches should be put into access or trunk mode. It is meant both to ease the initial deployment of a switched network and to minimize configuration errors that result from mismatched port configuration on an interconnection between two switches.

The DTP helps to automatically negotiate whether the port should be put into access or trunk mode and what trunking protocol (802.1Q or ISL) should be used. The individual DTP modes are:

  • dynamic auto - the port will negotiate the mode automatically, however, it prefers to be an access port
  • dynamic desirable - the port will negotiate the mode automatically, however, it prefers to be a trunk port

DTP datagrams are also sent if the port is set statically to the trunk mode. However, if the port is set statically to the access mode, both sending and processing DTP datagrams on that port are deactivated.

The individual combinations of port settings lead to the following results:

  • dynamic auto + dynamic auto = access
  • dynamic auto + dynamic desirable = trunk
  • dynamic desirable + dynamic desirable = trunk
  • dynamic auto or dynamic desirable + trunk = trunk
  • dynamic auto or dynamic desirable + access = access

As you can see, if both ports are dynamic auto, they will act as access ports. If either of them is dynamic desirable, both will agree on trunking. If one of them is dynamic and the other is static, the mode is dictated by the statically set port.

The DTP protocol is unauthenticated, which means that a station can send false DTP packets, pretending to be a switch. If the switchport is configured as a dynamic port, an attacker can lure the switchport to become a trunk port and he will gain access to all VLANs allowed on that trunk. Therefore, after a network has been installed, it is the best practice to set the mode statically and deactivate the DTP protocol on a port using the command switchport nonegotiate (this command is necessary only for trunk ports, as the static access ports do not send DTP packets automatically).

Best regards,

Peter
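A small Python model of the mode combinations in the answer above, together with an audit helper that flags ports on which DTP is still active. This is an added example, not code from the thread or from Cisco: the outcome table is the one given in the answer; the function names, the sample configuration, the "mismatch" result for two disagreeing static ports, and the assumption that a port with no `switchport mode` line defaults to dynamic auto are constructed here.

```python
"""DTP negotiation outcomes and a DTP-exposure audit of an IOS-style config.

Added example, not from the thread or from Cisco. The outcome table follows
the accepted answer; the helper names, the "mismatch" case for two disagreeing
static ports, the default-mode assumption and the sample config are constructed.
"""
from typing import Optional

ACCESS, TRUNK = "access", "trunk"
AUTO, DESIRABLE = "dynamic auto", "dynamic desirable"
STATIC = {ACCESS, TRUNK}
DYNAMIC = {AUTO, DESIRABLE}


def negotiated_mode(a: str, b: str) -> str:
    """Operational mode two directly connected ports settle on.

    Rules from the answer: auto + auto -> access; desirable with any dynamic
    mode -> trunk; dynamic + static -> the static side dictates. Two static
    ports never negotiate, so they either agree or are a misconfiguration
    (returned here as "mismatch"; the answer's table does not cover that case).
    """
    for mode in (a, b):
        if mode not in STATIC | DYNAMIC:
            raise ValueError(f"unknown switchport mode: {mode!r}")
    if a in STATIC and b in STATIC:
        return a if a == b else "mismatch"
    if a in STATIC:
        return a
    if b in STATIC:
        return b
    return TRUNK if DESIRABLE in (a, b) else ACCESS


def dtp_active(mode: Optional[str], nonegotiate: bool) -> bool:
    """True if the port still sends or processes DTP frames.

    Per the answer: dynamic ports negotiate, a static trunk still sends DTP
    unless `switchport nonegotiate` is set, and a static access port never
    does. A port with no `switchport mode` line is assumed to default to
    dynamic auto (assumption; the default varies by Catalyst platform).
    """
    if mode is None:
        mode = AUTO
    if mode in DYNAMIC:
        return True
    if mode == TRUNK:
        return not nonegotiate
    return False


def parse_switchports(config: str) -> dict:
    """Minimal parser for the `interface` blocks of a running-config."""
    ports, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ports[current] = {"mode": None, "nonegotiate": False}
        elif line == "!":
            current = None
        elif current is not None and line.startswith("switchport mode "):
            ports[current]["mode"] = line[len("switchport mode "):].strip()
        elif current is not None and line == "switchport nonegotiate":
            ports[current]["nonegotiate"] = True
    return ports


def audit_dtp(config: str) -> dict:
    """Map each interface name to True when DTP is still active on it."""
    return {name: dtp_active(p["mode"], p["nonegotiate"])
            for name, p in parse_switchports(config).items()}


# Constructed sample config (not taken from any real device).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet0/2
 switchport mode dynamic desirable
!
interface GigabitEthernet0/3
 switchport mode access
!
interface GigabitEthernet0/4
 switchport mode trunk
!
interface GigabitEthernet0/5
!
"""

if __name__ == "__main__":
    for pair in ((AUTO, AUTO), (AUTO, DESIRABLE), (DESIRABLE, ACCESS)):
        print(f"{pair[0]} + {pair[1]} = {negotiated_mode(*pair)}")
    for name, active in audit_dtp(SAMPLE_CONFIG).items():
        print(f"{name}: {'DTP active' if active else 'DTP off'}")
```

Running it against the sample flags Gi0/2 (dynamic), Gi0/4 (static trunk without nonegotiate) and Gi0/5 (no mode configured, so assumed dynamic auto), while Gi0/1 and Gi0/3 are left alone. IOS only accepts `switchport nonegotiate` on a port whose mode is already static, which is why the fix for a flagged dynamic port is to set `switchport mode access` or `switchport mode trunk` first.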


8 Replies

Giuseppe Larosa
Hall of Fame

Hello Sandy,

DTP, Dynamic Trunking Protocol, is used on Cisco LAN switches as a tool to negotiate a trunk between two DTP-capable devices without manual configuration.

This can be a drawback in some scenarios where a trunk is not desired, because, for example, two campus networks should not join their VLANs together.

The two devices have to be part of the same VTP domain, and at least one should be in desirable state so that it will start the negotiation.

The idea would be to help the network administrator with a sort of plug-and-play capability.

Multiple trunking encapsulations exist for historical reasons: Cisco ISL is proprietary, 802.1Q was developed by IEEE and is a standard. Other standards like 802.10 or LANE itself existed in the past for other media like FDDI or for ATM.

ISL is somewhat too heavy for point-to-point trunk links, with 30 bytes of overhead. It was conceived when hubs were still common.

ISL frames are not Ethernet frames; they carry an Ethernet frame inside (they could carry a Token Ring or FDDI frame inside).

802.1Q is more efficient: it uses only 4 bytes inserted into the Ethernet frame and allows for VLAN stacking, that is, the use of multiple VLAN tags, which is widely used by service providers to offer L2 services in a MAN context.

An 802.1Q tagged Ethernet frame is still an Ethernet frame with the 802.1Q ethertype (protocol over Ethernet) followed by the real VLAN identifier and 3 bits of Class of Service (useful for QoS marking).

Hope to help

Giuseppe
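To make the 4-byte tag and the VLAN stacking described above concrete, here is an added Python example (not code from the thread or from any Cisco product) that inserts a tag after the source MAC and parses a frame back out, walking a stack of tags outermost first. The field layout is the standard one (2-byte TPID, then a 2-byte TCI holding 3 priority bits, a DEI bit and a 12-bit VLAN ID); the MAC addresses, payload and VLAN numbers in the sample frame are constructed.

```python
"""Insert and parse 802.1Q tags (and stacked 802.1ad tags) in an Ethernet frame.

Added example, not from the thread. The layout is the standard one: a 2-byte
TPID (0x8100 for 802.1Q, 0x88A8 for the outer 802.1ad tag used in QinQ)
followed by a 2-byte TCI with 3 bits of priority (PCP), 1 DEI bit and a
12-bit VLAN ID, inserted between the source MAC and the original ethertype.
The sample frame below is constructed.
"""
import struct

TPIDS = {0x8100: "802.1Q C-tag", 0x88A8: "802.1ad S-tag (QinQ)"}


def tag_frame(frame: bytes, vid: int, pcp: int = 0, dei: int = 0,
              tpid: int = 0x8100) -> bytes:
    """Return `frame` with a tag inserted after the 12-byte MAC header.

    Tagging an already tagged frame puts the new tag on the outside, which
    is how VLAN stacking is built (the frame grows by 4 bytes per tag).
    """
    if not 0 <= vid <= 0xFFF:
        raise ValueError("VID must fit in 12 bits")
    if not 0 <= pcp <= 7 or dei not in (0, 1) or tpid not in TPIDS:
        raise ValueError("invalid PCP, DEI or TPID")
    tci = (pcp << 13) | (dei << 12) | vid
    return frame[:12] + struct.pack("!HH", tpid, tci) + frame[12:]


def parse_frame(frame: bytes) -> dict:
    """Decode the MAC header, every VLAN tag (outermost first) and the payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    offset, tags = 12, []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("frame truncated inside the tag stack")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in TPIDS:
            break  # reached the real ethertype (e.g. 0x0800 for IPv4)
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append({"tpid": ethertype, "pcp": tci >> 13,
                     "dei": (tci >> 12) & 1, "vid": tci & 0xFFF})
        offset += 4
    return {"dst": dst.hex(":"), "src": src.hex(":"), "tags": tags,
            "ethertype": ethertype, "payload": frame[offset + 2:]}


# Constructed untagged IPv4 frame: dst MAC, src MAC, ethertype 0x0800, dummy payload.
UNTAGGED = bytes.fromhex("00aabbccddee 001122334455 0800") + b"\x45" + bytes(19)
TAGGED = tag_frame(UNTAGGED, vid=10, pcp=5)             # single 802.1Q tag
DOUBLE = tag_frame(TAGGED, vid=200, tpid=0x88A8)       # QinQ: S-tag outside C-tag

if __name__ == "__main__":
    for name, frame in (("untagged", UNTAGGED), ("tagged", TAGGED), ("QinQ", DOUBLE)):
        info = parse_frame(frame)
        print(f"{name}: {len(frame)} bytes, tags={info['tags']}, "
              f"ethertype=0x{info['ethertype']:04x}")
```

A VID of 0 is legal and means "priority-tagged only" (the tag carries a PCP but no VLAN membership), and 4095 is reserved, so a parser that feeds VIDs into an allow-list should treat both specially rather than as ordinary VLANs.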

Thanks a lot Giuseppe.

If we have multiple vlan and we create dynamic desirable link then three protocols will run.

1- 802.1q (for vlan tagging)

2- DTP (for encapsulation)

3- dot1q (this is a subprotocol of encapsulation and DTP will use this protocol for encapsulation). right?

.....................................................................................................................

If we have native vlan on both switch and we create dynamic desirable port then also three protocols will run.

1- 802.1q (but not vlan tagging) is it correct? or 802.1q will not run?

2- DTP

3- dot1q

right?

..............................................................................................................

If we have multiple vlans and create trunk port then two protocols will run,

1- 802.1q

2- dot1q

right?

...........................................................................................................

If we have native vlan on both switch and create trunk port then two protocols will run.

1- 802.1q (there will not be vlan tags attached) or 802.1q will not run. please correct it

2- dot1q

right?

...........................................................................................................

If i have something wrong please correct it. thanks

That was a great explanation Peter.

I really appreciate it.

That was a perfect explanation, thanks Peter

Hello Peter,

I have confusion about DTP. Please correct me

If we have multiple vlan and we create dynamic desirable link then three protocols will run.

1- 802.1q (for vlan tagging)

2- DTP (for encapsulation)

3- dot1q (this is a subprotocol of encapsulation and DTP will use this protocol for encapsulation). right?

.....................................................................................................................

If we have native vlan on both switch and we create dynamic desirable port then also three protocols will run.

1- 802.1q (but not vlan tagging) is it correct? or 802.1q will not run?

2- DTP

3- dot1q

right?

..............................................................................................................

If we have multiple vlans and create trunk port then two protocols will run,

1- 802.1q

2- dot1q

right?

...........................................................................................................

If we have native vlan on both switch and create trunk port then two protocols will run.

1- 802.1q (there will not be vlan tags attached) or 802.1q will not run. please correct it

2- dot1q

right?

...........................................................................................................

If i have something wrong please correct it. thanks

I can't find information on the changes of DTP in the last few years, but as far as I know, DTP mode dynamic auto will not actively try to negotiate the mode. Instead, it will passively listen for trunk negotiation messages from a neighboring switch.