Dynamic Trunking Protocol (DTP) is the second generation of Dynamic Inter-Switch Link (DISL), which allows switches to negotiate the trunking state of the link between them. Both DISL and DTP are Cisco proprietary protocols designed to learn whether the device on the other end wants to perform trunking or not.
DTP was covered in the BCMSN exam and continues to be covered in SWITCH and even in the CCIE R&S v4.0 book, though not in as much detail as the SWITCH/BCMSN books. In Cisco Press' SWITCH Foundation Learning Guide (FLG for short), there is a table in chapter two that shows the combinations of DTP modes between two switches. While it is a great table for DTP reference, it is incomplete. The table is shown below.
One might ask, what's missing? Well, in every combination on this table DTP is still on, except for access mode. The mode that is missing is the DTP off mode, which one gets when the switchport nonegotiate command is issued on a port. The table that the authors should have used is something like the one shown below.
While having DTP turned on can save some time in forming trunks between two switches (assuming that the modes match up properly), in my opinion it is not good to leave this feature turned on. Why? Imagine an access port left with its default configuration: a malicious user connects to the port, successfully negotiates a trunk, and at the same time attacks the STP topology by making his computer the root bridge for all VLANs. Another example would be an attacker who successfully negotiates a trunk and then sends traffic to hosts on all VLANs allowed on that trunk. Leaving DTP on leaves a security hole in an organization's network, so turning it off is a good practice.
While there are ways to mitigate the attacks I've described above, there are other reasons one can be convinced to turn DTP off. As a network engineer, do you want ports to automatically negotiate as trunks even though you didn't intend these ports to be trunks in the first place? A poorly designed network is full of unintended scenarios such as this. Why would a network engineer allow a finance employee who brought in a switch and plugged it into one of the data drops to negotiate a trunk? Another reason to turn it off is to increase the speed of convergence. While DTP negotiation is not time consuming, if your uptime is measured in milliseconds then shaving some milliseconds off the DTP negotiation is a good reason, in my opinion.
One final reason I can think of right now not to rely on DTP is when you use VTP with multiple domains in your network. If you try to link two switches in different VTP domains, DTP will not negotiate even if the modes match in the table. An example is shown below.
The link between Switch 1 and Switch 2 is Fa0/1. Switch 2’s Fa0/1 is administratively down.
SW1#sh vtp statu
VTP Version : 3 (capable)
Configuration Revision : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs : 5
VTP Operating Mode : Server
VTP Domain Name : CISCO
VTP Pruning Mode : Disabled (Operationally Disabled)
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0xD3 0x78 0x41 0xC8 0x35 0x56 0x89 0x97
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00
Local updater ID is 0.0.0.0 (no valid interface found)
VTP version running : 1

SW1#sh int f0/1 sw
Name: Fa0/1
Switchport: Enabled
Administrative Mode: dynamic desirable
Operational Mode: trunk
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: isl
Operational Dot1q Ethertype: 0x8100
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Operational Native VLAN tagging: disabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL

SW2#sh vtp statu
VTP Version : 3 (capable)
Configuration Revision : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs : 5
VTP Operating Mode : Server
VTP Domain Name : SYSTEMS
VTP Pruning Mode : Disabled (Operationally Disabled)
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0x9E 0x9B 0x51 0x32 0x00 0xB3 0xDC 0x5D
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00
Local updater ID is 0.0.0.0 (no valid interface found)
VTP version running : 1

SW2#sh int f0/1 sw
Name: Fa0/1
Switchport: Enabled
Administrative Mode: dynamic desirable
Operational Mode: down
Administrative Trunking Encapsulation: negotiate
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Operational Native VLAN tagging: disabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Upon bringing up the interface on Switch 2, the DTP event debug on Switch 1 shows that it failed to trunk due to a VTP domain mismatch.
SW2(config)#int f0/1
SW2(config-if)#no shut
SW2(config-if)#end
SW2#
*Feb 9 03:00:32.847: %SYS-5-CONFIG_I: Configured from console by console
SW2#
*Feb 9 03:00:34.075: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
*Feb 9 03:00:35.079: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up

SW1#debug DTP events
DTP events debugging is on
SW1#
*Feb 9 03:00:32.715: %DTP-5-DOMAINMISMATCH: Unable to perform trunk negotiation on port Fa0/1 because of VTP domain mismatch.
To verify this, one can issue show interface trunk.
SW1#sh int trunk
SW1#

SW2#sh int trunk
SW2#
As already mentioned above, the command to turn DTP off is switchport nonegotiate. But issuing it on an interface without first specifying the trunk mode gives you the error message shown below.
SW1(config)#int f0/1
Switch(config-if)#switchport nonegotiate
Command rejected: Conflict between 'nonegotiate' and 'dynamic' status.
To properly turn DTP off, you need to specify what kind of trunk you want to use, as shown below.
SW1(config)#int f0/1
SW1(config-if)#switchport trunk encapsulation dot1q
SW1(config-if)#switchport mode trunk
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
SW1(config-if)#switchport nonegotiate
To verify that DTP is turned off, you can issue the command below.
SW1#sh int f0/1 switchport
Name: Fa0/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none
Operational private-vlan: none
Trunking VLANs Enabled: All
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none
This command can also be issued on an access port. If the port was not configured as static access, the error shown earlier will appear as well. That said, change the port to mode access and then issue the nonegotiate command.
I believe this should be a standard configuration in any network for all trunk ports, along with the switchport host command on user ports. While not having the nonegotiate command on access ports yields the same results, it might be a good idea to consider turning it off there too. If the default configuration presents more risk than it offers benefit, then I'd rather issue more commands than be sorry in the future. As Jeremy Cioara would say, 'auto' ought not to be used.
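The "Negotiation of Trunking" line shown in the show interfaces switchport output above is the field to check when auditing a whole switch for this. The script below is an added example, not from the original post or from Cisco: it parses a pasted copy of show interfaces switchport (the all-ports form, where each port's block begins with a "Name:" line), and reports every port that still has DTP negotiation on, rated by how much the administrative mode relies on DTP. The sample output embedded in it is constructed for the example and is not captured from SW1 or SW2; the severity labels and recommended commands are the example's own mapping of the advice in this post.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample of "show interfaces switchport" output (hypothetical
# ports; not the SW1/SW2 output from the post). Fa0/4 is a routed port,
# so it has no mode or negotiation lines at all.
SAMPLE_SHOW_SWITCHPORT = """\
Name: Fa0/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)

Name: Fa0/2
Switchport: Enabled
Administrative Mode: dynamic desirable
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Negotiation of Trunking: On
Access Mode VLAN: 10
Trunking Native Mode VLAN: 1 (default)

Name: Fa0/3
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Negotiation of Trunking: On
Access Mode VLAN: 10
Trunking Native Mode VLAN: 1 (default)

Name: Fa0/4
Switchport: Disabled
"""

# Only the fields the audit needs; everything else in the output is ignored.
FIELD_RE = re.compile(
    r"^(Name|Switchport|Administrative Mode|Operational Mode|Negotiation of Trunking):\s*(.*)$"
)


@dataclass
class PortState:
    name: str
    switchport: str
    admin_mode: str
    oper_mode: str
    negotiation: str  # "On", "Off", or "n/a" when the line is absent


def _build(fields: Dict[str, str]) -> PortState:
    return PortState(
        name=fields["Name"],
        switchport=fields.get("Switchport", "n/a"),
        admin_mode=fields.get("Administrative Mode", "n/a"),
        oper_mode=fields.get("Operational Mode", "n/a"),
        negotiation=fields.get("Negotiation of Trunking", "n/a"),
    )


def parse_switchport(text: str) -> List[PortState]:
    """Split the multi-port output into one PortState per "Name:" block."""
    ports: List[PortState] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "Name":           # a new port block starts here
            if current:
                ports.append(_build(current))
            current = {"Name": value}
        else:
            current[key] = value
    if current:
        ports.append(_build(current))
    return ports


def audit(ports: List[PortState]) -> List[Dict[str, str]]:
    """Flag ports whose DTP negotiation is still on, worst first within the list order."""
    findings = []
    for p in ports:
        if p.negotiation.lower() != "on":
            continue                 # "Off" (nonegotiate applied) or routed port
        if p.admin_mode.startswith("dynamic"):
            severity, action = "high", (
                "mode is negotiated by DTP: set 'switchport mode trunk' or "
                "'switchport mode access' explicitly, then 'switchport nonegotiate'")
        elif p.admin_mode == "trunk":
            severity, action = "medium", "static trunk still sends DTP: add 'switchport nonegotiate'"
        else:
            severity, action = "low", (
                "static access will not trunk, but 'switchport nonegotiate' stops DTP frames")
        findings.append({"port": p.name, "admin_mode": p.admin_mode,
                         "severity": severity, "action": action})
    return findings


if __name__ == "__main__":
    for f in audit(parse_switchport(SAMPLE_SHOW_SWITCHPORT)):
        print(f"{f['port']:8} {f['severity']:6} ({f['admin_mode']}): {f['action']}")
```

Run against the sample, Fa0/1 is silent because nonegotiate is already applied, Fa0/2 is reported as high because its mode is still dynamic, Fa0/3 as low, and the routed port Fa0/4 is skipped. On a real switch, paste the full show interfaces switchport output into a file and feed it to parse_switchport instead of the constructed sample.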
Want to learn more about DTP or switching?
CCNP SWITCH 642-813 Official Certification Guide (Official Cert Guide)
CCIE Routing and Switching v5.0 Official Cert Guide, Volume 1 (5th Edition)
Disclosure
NetworkJutsu.com is a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for sites to earn advertising fees by advertising and linking to Amazon.com.