Cisco DTP (Dynamic Trunking Protocol) Negotiation

Hello Pradyumna

Let’s assume you have a trunk link between SW1 and SW2. If you configure the port on SW1 as a trunk and you also configure the switchport nonegotiate command, the result is you will have a trunk port on this end that will not send out DTP messages.

In order to get this trunk link to function, you must configure the port on SW2 manually as a trunk as well. If you don’t, it will try to listen for DTP messages, it will hear none, and it will remain in the default state of access and the link will not function.

If you configure SW2 as a trunk, then the link will come up. At this point it doesn’t matter if SW2 is sending DTP messages, the result will be the same. But it is good practice to disable it, because at some point in the future, when you disconnect the switches and connect them in a different topology, the state of DTP may affect what the link ends up becoming, possibly causing undesired behaviour.

I hope this has been helpful!

Laz

Thanks Laz understood now

Hi,

I have one question. So the trunk negotiation would works if the two switches belong to the same VTP domain. The switch will throw an error says “Unable to perform trunk negotiation on port Et0/1 because of VTP domain mismatch.” My understanding is VTP will work after a trunk link establishes. So if I want to do a trunk between two VTP domain, I have to do the trunk in a nonnegotiable way , correct? Since trunk is the prerequisite for VTP to work, why Cisco won’t allow DTP to work if the two switches are not in the same VTP domain? It’s kinda like which comes first, the chicken or the egg . Sorry my question is kinda like I try to find quarrel in a straw. I’m just confused why they design it this way , is there any reason for it?

Appreciate your help like always.

Helen

Hello Helen

When DTP is enabled, ports will send a DTP packet every 60 seconds. The DTP packet itself contains, among other things, the name of the VTP domain (if it exists) that is configured on the switch. Take a look at this wireshark capture taken from this cloudshark capture.

image

So even before any VTP advertisements are exchanged, the VTP domain is contained within the DTP negotiation packets, and this is how devices know if they can form a trunk or not.

No need to apologize, it is great to see that you want to get really deep into the understanding of how these things work. That’s an important part of learning and understanding the concepts… way to go!!

I hope this has been helpful!

Laz

Hi Should we configure

switchport no negotiate on trunk ports & even on access ports ?

thank you

Hello Abdul

Yes, that is best practice. If you keep DTP enabled, a user in an enterprise network environment can bring in their own switch and connect it to the network jack that their PC was connected to. If they configure the switch correctly, they could configure a trunk with access to all VLANs on the network, thus causing a security breach. The best practice is to disable negotiation on all ports.

I hope this has been helpful!

Laz

hi switchport nonegotiate on accessports will help to prevent any hacker on access port. even if he bring some bad software .

But using switchport no negotiate on trunk links how it will be more secured ? how it will protect the network switch is already connected to another switch so no one can come?

sorry im revising so conceprs are getting clear

Hello Abdul

You are correct that the switchport nonegotiate command will not be very beneficial for protecting a switch from an attacker that wants to spoof a switch. It is more beneficial for use on access ports.

However, this command on a trunk port can be useful. It can make configuration and network modification much easier. It makes the switch behaviour much more predictable. What if you modify your topology and the port you used as a trunk is now used for an access port? You won’t remember on which ports you have disabled negotiation and on which you haven’t What if you change your topology around often? In such cases, it is safest to disable negotiation on all ports to ensure that any changes in the future won’t cause your network to become vulnerable.

I hope this has been helpful!

Laz