NetworkJutsu

Dynamic Trunking Protocol (DTP)

02/08/2014 By Andrew Roderos Leave a Comment

Dynamic Trunking Protocol (DTP) is the second generation of Dynamic Inter-Switch Link (DISL), which allows two switches to negotiate the trunking state of the link between them. Both DISL and DTP are Cisco proprietary protocols designed to learn whether the device on the other end of the link wants to perform trunking or not.

DTP was covered in the BCMSN exam and continues to be covered in SWITCH and even in the CCIE R&S v4.0 book, though not in as much detail as the SWITCH/BCMSN books. In Cisco Press' SWITCH Foundation Learning Guide (FLG for short), there is a table in chapter two that shows the combinations of DTP modes between two switches. While it is a great DTP reference table, it is incomplete. The table is shown below.

[Image: DTP]

One might ask, what is missing? Well, in this table DTP is still on for every mode except access. The mode that is missing is the DTP off mode, which is what you get when the switchport nonegotiate command is issued on a port. The table the authors should have used is something like the one shown below.

[Image: DTP complete]

While having DTP turned on can save some time in forming trunks between two switches (assuming the modes match up properly), in my opinion it is not good to leave this feature turned on. Why? Imagine an access port left with its default configuration: a malicious user connects to the port, successfully negotiates a trunk, and at the same time attacks the STP topology by making his computer the root bridge for all VLANs. Another example would be an attacker successfully negotiating a trunk and then sending traffic to hosts on all VLANs allowed on that trunk. Leaving DTP on can leave a security hole in an organization's network, so turning it off is good practice.

While there are ways to mitigate the attacks I described above, there are other reasons to turn DTP off. As a network engineer, do you want ports to automatically negotiate as trunks even though you never intended them to be trunks in the first place? A poorly designed network is full of unintended scenarios such as this. Why would a network engineer allow a finance employee who brought in a switch, plugged it into one of the data drops, and was then able to negotiate a trunk? Another reason to turn it off is to increase the speed of convergence. While DTP negotiation is not time consuming, if your uptime is measured in milliseconds, then shaving a few milliseconds off the DTP negotiation is a good reason, in my opinion.

One final reason I can think of right now not to rely on DTP is when you use VTP with multiple domains in your network. If you try to link two switches that are in different VTP domains, DTP will not negotiate even if the modes match according to the table. An example is shown below.

The link between Switch 1 and Switch 2 is Fa0/1. Switch 2’s Fa0/1 is administratively down.

SW1#sh vtp statu
VTP Version : 3 (capable)
Configuration Revision : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs : 5
VTP Operating Mode : Server
VTP Domain Name : CISCO
VTP Pruning Mode : Disabled (Operationally Disabled)
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0xD3 0x78 0x41 0xC8 0x35 0x56 0x89 0x97
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00
Local updater ID is 0.0.0.0 (no valid interface found)
VTP version running : 1
SW1#sh int f0/1 sw
Name: Fa0/1
Switchport: Enabled
Administrative Mode: dynamic desirable
Operational Mode: trunk
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: isl
Operational Dot1q Ethertype: 0x8100
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Operational Native VLAN tagging: disabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
SW2#sh vtp statu
VTP Version : 3 (capable)
Configuration Revision : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs : 5
VTP Operating Mode : Server
VTP Domain Name : SYSTEMS
VTP Pruning Mode : Disabled (Operationally Disabled)
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0x9E 0x9B 0x51 0x32 0x00 0xB3 0xDC 0x5D
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00
Local updater ID is 0.0.0.0 (no valid interface found)
VTP version running : 1
SW2#sh int f0/1 sw
Name: Fa0/1
Switchport: Enabled
Administrative Mode: dynamic desirable
Operational Mode: down
Administrative Trunking Encapsulation: negotiate
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Operational Native VLAN tagging: disabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL

Upon bringing up the interface on Switch 2, the DTP event log on Switch 1 shows that it failed to trunk due to a VTP domain mismatch.

SW2(config)#int f0/1
SW2(config-if)#no shut
SW2(config-if)#end
SW2#
*Feb 9 03:00:32.847: %SYS-5-CONFIG_I: Configured from console by console
*Feb 9 03:00:34.075: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
*Feb 9 03:00:35.079: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up

SW1#debug DTP events
DTP events debugging is on
SW1#
*Feb 9 03:00:32.715: %DTP-5-DOMAINMISMATCH: Unable to perform trunk negotiation on port Fa0/1 because of VTP domain mismatch.

To verify this, one can issue show interface trunk on both switches; neither lists a trunk port.

SW1#sh int trunk
SW1#
SW2#sh int trunk
SW2#
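The complete mode table the post asks for, together with the VTP domain behaviour just demonstrated, as an added example that is not part of the original post and not a Cisco tool. It models the DTP negotiation rules in Python: a static access or trunk port never changes its operational mode, a dynamic port falls back to access when no usable DTP frames arrive (the peer is set to nonegotiate, or the VTP domains differ), dynamic auto only trunks when the peer actively asks for a trunk, and dynamic desirable trunks unless the peer insists on access. The Port class, resolve_link and dtp_table are names chosen here; the VTP domain names used when exercising it are the ones from the transcript above.

```python
from dataclasses import dataclass
from itertools import product

# Administrative modes set with "switchport mode ...".
STATIC = {"access", "trunk"}
DYNAMIC = {"dynamic auto", "dynamic desirable"}


@dataclass(frozen=True)
class Port:
    mode: str              # access | trunk | dynamic auto | dynamic desirable
    dtp: bool = True       # False once "switchport nonegotiate" has been applied
    vtp_domain: str = ""   # VTP domain name (sample values are constructed)

    def __post_init__(self):
        if self.mode not in STATIC | DYNAMIC:
            raise ValueError(f"unknown switchport mode {self.mode!r}")
        # IOS rejects nonegotiate on a dynamic port with
        # "Conflict between 'nonegotiate' and 'dynamic' status".
        if not self.dtp and self.mode in DYNAMIC:
            raise ValueError("nonegotiate requires static access or trunk mode")

    def label(self) -> str:
        return self.mode + ("" if self.dtp else " nonegotiate")


def _operational_mode(local: Port, peer: Port, negotiating: bool) -> str:
    """Operational mode `local` settles on, given what `peer` advertises over DTP."""
    if local.mode in STATIC:
        return local.mode      # static ports never change state
    if not negotiating:
        return "access"        # no usable DTP frames arrive: dynamic ports stay access
    if local.mode == "dynamic auto":
        # auto is passive: it only trunks when the peer actively asks for a trunk
        return "trunk" if peer.mode in {"trunk", "dynamic desirable"} else "access"
    # dynamic desirable actively asks, and trunks unless the peer insists on access
    return "access" if peer.mode == "access" else "trunk"


def resolve_link(a: Port, b: Port) -> str:
    """Outcome for two directly connected ports: 'trunk', 'access', or 'mismatch'
    (one side trunking, the other not, which is the limited-connectivity case)."""
    # Negotiation only happens if both sides run DTP and share a VTP domain;
    # a domain mismatch is what IOS logs as %DTP-5-DOMAINMISMATCH.
    negotiating = a.dtp and b.dtp and a.vtp_domain == b.vtp_domain
    mode_a = _operational_mode(a, b, negotiating)
    mode_b = _operational_mode(b, a, negotiating)
    return mode_a if mode_a == mode_b else "mismatch"


def dtp_table() -> dict:
    """Every combination, including the nonegotiate rows the FLG table omits."""
    settings = [Port("access"), Port("access", dtp=False),
                Port("dynamic auto"), Port("dynamic desirable"),
                Port("trunk"), Port("trunk", dtp=False)]
    return {(x.label(), y.label()): resolve_link(x, y)
            for x, y in product(settings, settings)}


if __name__ == "__main__":
    for (x, y), outcome in dtp_table().items():
        print(f"{x:22} <-> {y:22} : {outcome}")
```

Running the block prints all 36 combinations; the rows worth reading are the nonegotiate ones, where a trunk with DTP off facing a dynamic auto or dynamic desirable peer ends in a mismatch because the dynamic side never receives a DTP frame, and the two dynamic desirable ports in different VTP domains end up as plain access ports, exactly what the empty show interface trunk output above reflects.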

As mentioned above, DTP is turned off with the switchport nonegotiate command. But issuing it on an interface without first specifying the trunk mode gives the error message shown below.

SW1(config)#int f0/1
Switch(config-if)#switchport nonegotiate
Command rejected: Conflict between 'nonegotiate' and 'dynamic' status.

To properly turn DTP off, you first need to specify what kind of trunk you want to use, as shown below.

SW1(config)#int f0/1
SW1(config-if)#switchport trunk encapsulation dot1q
SW1(config-if)#switchport mode trunk
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
SW1(config-if)#switchport nonegotiate

To verify that DTP is turned off, you can issue the command below.

SW1#sh int f0/1 switchport
Name: Fa0/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none
Operational private-vlan: none
Trunking VLANs Enabled: All
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none

This command can also be issued on an access port. If the port was not configured as static access, the error shown earlier appears as well. That said, change the port to access mode first and then issue the nonegotiate command.
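A way to turn the verification step above into a repeatable check, as an added example that is not part of the original post and not a Cisco tool: a small Python audit that parses show interfaces switchport output and reports every port that still relies on DTP, which is how you would catch the unintended-trunk scenario from earlier across a whole switch rather than one interface at a time. The output sample is constructed in the field layout shown above; parse_switchports, audit_dtp and noncompliant_ports are names chosen here.

```python
from typing import Dict, List, Tuple

# Constructed sample in the layout of "show interfaces switchport" on IOS.
# Fa0/1 is the hardened trunk from the post, Fa0/2 is a default-configuration
# port that negotiated a trunk, and Fa0/3 is a static access port with DTP left on.
SAMPLE_OUTPUT = """\
Name: Fa0/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Capture Mode Disabled

Name: Fa0/2
Switchport: Enabled
Administrative Mode: dynamic desirable
Operational Mode: trunk
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: isl
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Capture Mode Disabled

Name: Fa0/3
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Negotiation of Trunking: On
Access Mode VLAN: 10 (USERS)
Trunking Native Mode VLAN: 1 (default)
Capture Mode Disabled
"""


def parse_switchports(text: str) -> List[Dict[str, str]]:
    """Split the output into one {field: value} dict per interface (each starts at 'Name:')."""
    ports: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:      # blank separators, "Capture Mode Disabled"
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Name":
            current = {"Name": value}
            ports.append(current)
        elif current:
            current[key] = value
    return ports


def audit_dtp(ports: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Return (interface, findings) for every port that still relies on DTP."""
    results = []
    for p in ports:
        admin = p.get("Administrative Mode", "")
        oper = p.get("Operational Mode", "")
        findings = []
        if admin.startswith("dynamic"):
            findings.append(f"administrative mode is {admin!r}: the attached device "
                            "decides whether this port becomes a trunk")
        if admin.startswith("dynamic") and oper == "trunk":
            findings.append("operational trunk was negotiated, not configured")
        if p.get("Negotiation of Trunking") == "On":
            findings.append("DTP is on: set a static mode and apply 'switchport nonegotiate'")
        if findings:
            results.append((p["Name"], findings))
    return results


def noncompliant_ports(text: str) -> List[str]:
    """Interface names that fail the DTP-off policy."""
    return [name for name, _ in audit_dtp(parse_switchports(text))]


if __name__ == "__main__":
    for name, findings in audit_dtp(parse_switchports(SAMPLE_OUTPUT)):
        print(name)
        for finding in findings:
            print("  -", finding)
```

Against the sample, Fa0/1 passes, Fa0/2 is reported three times (dynamic mode, a negotiated trunk, DTP on), and Fa0/3 is reported once for DTP still being on even though it is static access, which is the case the post suggests tightening anyway. Feed it the real output of show interfaces switchport from a switch to get the same report for every port.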

I believe this should be a standard configuration in any network for all trunk ports, along with the switchport host command on user ports. While not having the nonegotiate command on access ports yields the same results, it might be a good idea to consider turning it off anyway. If the default configuration presents more risks than benefits, then I would rather issue more commands now than be sorry in the future. As Jeremy Cioara would say, auto ought not to be used.

Want to learn more about DTP or switching?

CCNP SWITCH 642-813 Official Certification Guide (Official Cert Guide)

CCIE Routing and Switching v5.0 Official Cert Guide, Volume 1 (5th Edition)

Filed Under: Switching Tagged With: Cisco, IOS, Switch

About Andrew Roderos

I am a network security engineer with a passion for networking and security. Follow me on Twitter, LinkedIn, and Instagram.
