Global Config Technology Solutions, Inc.

Technology Insights, Tutorials and Course Development


CCIE Security: Using and Disabling DTP

November 14, 2013 by bcarroll 4 Comments

By default, every port on a non-modular Cisco Catalyst switch running IOS comes up as a layer 2 switchport with DTP (Dynamic Trunking Protocol) enabled. The only exception is a dedicated out-of-band management port, which is a layer 3 port and cannot be converted to layer 2. DTP lets two directly connected switches negotiate whether the link between them becomes a trunk, and it also negotiates the trunking encapsulation used on that link. The encapsulation can be 802.1Q or ISL; when both sides support both, ISL is preferred over 802.1Q. DTP requires no configuration. It just happens. It looks like magic, but it's not.

Depending on the switch you use there are two possible default port states:

  • Dynamic Desirable (DTP Active), which means the port actively sends DTP messages, thus it initiates trunk formation.
  • Dynamic Auto (DTP Passive), which means the port sits back and waits for DTP messages from the other end. It will respond to those messages and complete the trunk, but it never initiates the negotiation itself, so the trunk only forms if the other side starts it.

If you connect two switches whose ports default to Dynamic Auto, as is the case on the Catalyst 3750-X, no trunk forms, because neither side initiates the DTP negotiation. This is why it's common in trunk port configurations to specify the trunking encapsulation and administratively set the port to trunk. That guarantees the trunk comes up regardless of what the far end is doing. To configure trunking, use the following interface commands:

switchport trunk encapsulation dot1q
switchport mode trunk

The encapsulation command only exists on platforms that support both ISL and 802.1Q. On switches that speak 802.1Q only, such as the Catalyst 2960, it is not available, and switchport mode trunk on its own is enough.

Ports administratively configured as trunks still have DTP enabled: a static trunk keeps sending DTP frames so that a dynamic neighbor can join the trunk. Ports administratively configured as access have DTP disabled; the switchport mode access command itself stops DTP from being sent. The command to disable DTP explicitly is switchport nonegotiate. On an access port it mainly makes the intent visible in the configuration, but on a trunk port it is the setting that actually turns negotiation off. From a security standpoint this is the point of the whole exercise: a port left in dynamic desirable or dynamic auto lets any attached device that speaks DTP negotiate itself a trunk and receive traffic from every VLAN allowed on that trunk, so user-facing ports should be static access ports, uplinks should be static trunks with switchport nonegotiate, and no port should be left in a dynamic mode. Note that IOS only accepts switchport nonegotiate once the port's mode is statically access or trunk; it rejects the command while the port is still in a dynamic mode.
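The complete interface configuration for the cases above, as an added example that is not configuration from the original post. It assumes a Catalyst 3750-X style switch; the interface names GigabitEthernet1/0/1 and 1/0/2, the description text and VLAN 10 are assumptions for illustration. The weak (factory) state is shown first, then the hardened trunk and access ports, then the privileged EXEC commands used to confirm that negotiation is actually off.

```cisco
! Added example, not taken from the original post. Interface names, the
! description text and VLAN 10 are assumed for illustration.
!
! --- Weak: the factory state on a Catalyst 3750-X. This line is never
! shown in a running-config because it is the default, which is exactly
! why the port gets forgotten. Anything plugged in that speaks DTP can
! negotiate a trunk here.
interface GigabitEthernet1/0/1
 switchport mode dynamic auto
!
! --- Hardened uplink: static 802.1Q trunk with DTP switched off.
! nonegotiate must come after the mode is static; IOS rejects it while
! the port is still dynamic auto or dynamic desirable.
interface GigabitEthernet1/0/1
 description Uplink to core-sw1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
!
! --- Hardened user port: static access port. Access mode already stops
! DTP from being sent; nonegotiate is added so the intent is visible in
! the config and survives a later change of mode.
interface GigabitEthernet1/0/2
 description User port
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
! --- Verification, from privileged EXEC. On both ports the switchport
! output should show "Negotiation of Trunking: Off". On the trunk port
! that line reads "On" if switchport nonegotiate is left out, even
! though the mode is statically trunk.
show interfaces GigabitEthernet1/0/1 switchport
show interfaces GigabitEthernet1/0/2 switchport
show interfaces trunk
show dtp interface GigabitEthernet1/0/1
```

On a switch that supports only 802.1Q, drop the switchport trunk encapsulation dot1q line; the rest applies unchanged. The show interfaces trunk output is the quick audit: any port listed there whose mode column says desirable or auto rather than on is a port that is still negotiating and should be made static.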

Filed Under: Certifications Tagged With: 802.1q, ccie, ccie security, DTP, ISL, Trunking

Comments

  1. Deep Gajjar says

    February 2, 2016 at 6:39 pm

    I may be wrong, but I read somewhere that using access mode still sends DTP messages. To completely disable it we have the “non-negotiate” command. If access mode and non-negotiate serve the same purpose, what is the purpose of having the latter command?

    Thanks,
    Deep.

    • Brandon Carroll, CCIE #23837 says

      February 6, 2016 at 9:08 pm

      You might be right, and it could be one of those “it depends” situations. If you can find documentation otherwise please share. Always happy to stand corrected. Wouldn’t be the first time.

      BC

      • Deep Gajjar says

        February 29, 2016 at 10:52 am

        Here is the link I found which says access mode sends DTP messages. I still doubt that it would send DTP messages because I confirmed it on CPT and found that access mode does not send DTP. However as Adam says that it may still receive DTP messages and having switchport non-negotiate completely disables DTP.

        http://bradhedlund.com/2007/11/27/switchport-configurations-explained/

    • adam says

      February 16, 2016 at 8:23 am

      If the port is set as an access port it will not send DTP frames, but it can still receive them.

      If you have a switch port that is configured as an access port, it doesn't really matter, because even if the neighboring interface is set to dynamic auto / dynamic desirable / trunk, it (the access port) will still end up as an access port.

