DTP Dynamic Trunking Protocol
Sections:
Use Case Scenarios:
- Implemented in Cisco environments
- Simplifies Network Administration
- Reduces Manual Configuration Errors
Overview:
- DTP is a Cisco proprietary negotiation protocol that is used to automate the process of establishing a trunk link between two Cisco switches
- When DTP is enabled, the switchports communicate and automatically decide the mode of operation
- DTP operates on two different negotiation modes
- Dynamic Auto
- The most common default on Cisco switches
- In Dynamic Auto the port will passively wait for the other side to initiate trunking negotiation
- Dynamic Auto ports will form a trunk with neighbor ports set to Dynamic Desirable or Trunk mode
- Dynamic Desirable
- In Dynamic Desirable, the port will actively try to negotiate a trunk with the other side
- Dynamic Desirable ports will form a trunk with neighbor ports set to Dynamic Auto, Trunk, or Dynamic Desirable mode
- Dynamic Auto
Lab Topology
Scenario:
- In this lab topology scenario we will configure and implement the different DTP modes between the 4 Cisco switches
- Lab Steps
- HQ-Access-SW1 to HQ-Distro-SW1: Dynamic Desirable / Dynamic Auto
- HQ-Access-SW1 to HQ-Distro-SW2: Dynamic Desirable / Dynamic Desirable
- HQ-Distro-SW1 to HQ-Core-SW1: Dynamic Desirable / Trunk
- HQ-Distro-SW2 to HQ-Core-SW1: Dynamic Auto / Trunk
DTP Configuration
HQ-Access-SW1 to HQ-Distro-SW1: Dynamic Desirable/Dynamic Auto
HQ-Access-SW1 to HQ-Distro-SW2: Dynamic Desirable/Desirable
HQ-Distro-SW1 to HQ-Core-SW1 : Dynamic Desirable/Trunk
HQ-Distro-SW2 to HQ-Core-SW1 : Dynamic Auto/Trunk
To summarize the scenario, the different types of DTP modes have been configured on the trunk link ends between switches and have successfully formed a trunk using the following pairs
- Dynamic Desirable/Dynamic Desirable
- Dynamic Auto/Dynamic Desirable
- Dynamic Desirable/Trunk
- Dynamic Auto/Trunk
Let's discuss the output of the 'show interface <interfaceID> switchport' command
- Administrative Mode
- This mode refers to the intended configured switchport mode set by the admin
- For example, setting the switchport mode by using the commands 'switchport mode access' or 'switchport mode trunk'
- Operational Mode
- This mode indicates the actual mode the port is currently operating on based on the current link characteristics and negotiation process
Disabling DTP Negotiations
By default all Cisco switches have DTP enabled.
Security Concern
- In some environments, it is recommended to disable DTP amongst Cisco switches as it can create a security vulnerability
- An attacker could connect to a switchport configured with DTP and potentially initiate a trunking session to gain access to multiple VLANs
- Although explicitly configuring ports to be access or trunk ports can prevent accidental trunk formation, if DTP is left enabled, it could still lead to accidental trunk formation with rogue switches
- Cisco switches support the ability to disable DTP by issuing the 'switchport nonegotiate' command on a per interface level
- If the plan is to disable DTP in your environment, it is recommended to issue the switchport nonegotiate command on all trunk and access ports
Disabling DTP Configuration
Scenario:
- In this scenario, we will disable DTP negotiation on all access and trunk ports of the 4 switches to raise our security posture
HQ-Access-SW1
HQ-Distro-SW1
HQ-Distro-SW2
HQ-Core-SW1
To Summarize the scenario, I have disabled DTP on all access and trunk ports amongst the Cisco switches and verified DTP negotiation is off using the pipe '|' parameter in the show command to filter the output to specific lines.
Interface Configuration Commands
- Disable DTP
- switchport nonegotiate
- Verify DTP Negotiation is Off
- show interface <InterfaceID> switchport
- show interface <interfaceID> switchport | include Name:|Administrative Mode:|Operational Mode:|Negotiation of Trunking: