#sh spanning-tree vl 13 !-- Determine which interfaces run STP in VLAN 13
VLAN0013
Spanning tree enabled protocol ieee
Root ID Priority 32781
Address b4a4.e354.4800
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32781 (priority 32768 sys-id-ext 13)
Address b4a4.e354.4800
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec
Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/10           Desg FWD 19        128.10   P2p !-- trunking port
Fa0/11           Desg FWD 19        128.11   P2p !-- trunking port
Fa0/38           Desg FWD 19        128.38   P2p Edge !-- port assigned to vl 13
Fa0/40           Desg FWD 19        128.40   P2p Edge !-- port assigned to vl 13
Gi0/1            Desg FWD 4         128.49   P2p !-- trunking port between two switches
SW1-p25#sh int status
Port Name Status Vlan Duplex Speed Type
Fa0/1 ** R1 et0/0 ** notconnect 11 auto auto 10/100BaseTX
Fa0/10 *ESX LAN 2 * connected trunk a-full a-100 10/100BaseTX
Fa0/11 *ESX LAN 1 * connected trunk a-full a-100 10/100BaseTX
Fa0/38 R3 f0/1 connected 13 a-full a-100 10/100BaseTX
Fa0/40 connected 13 a-full a-100 10/100BaseTX
Gi0/1 ** Trunk DM-CoreSW connected trunk a-full a-1000 10/100/1000BaseTX
SW1-p25#sh run int f0/38
interface FastEthernet0/38
description R3 f0/1
switchport access vlan 13
switchport mode access
switchport nonegotiate !-- this shows in the config that DTP is disabled on the port
spanning-tree portfast
!-- The switchport mode access command already disabled DTP on the switch port; to make that more visible, you can add one extra line to the port configuration: switchport nonegotiate. If the remote end still runs DTP, as is our case for trunk ports because DTP is enabled on SW2, you'll see the dropped packets counter increase, as each DTP message received inbound is dropped.
SW1-p25#sh dtp int f0/38
DTP information for FastEthernet0/38:
TOS/TAS/TNS: ACCESS/OFF/ACCESS
TOT/TAT/TNT: 802.1Q/802.1Q/802.1Q
Neighbor address 1: 00000000000
Neighbor address 2: 000000000000
Hello timer expiration (sec/state): never/STOPPED !-- shows DTP is disabled on the switch
Access timer expiration (sec/state): never/STOPPED
Negotiation timer expiration (sec/state): never/STOPPED
Multidrop timer expiration (sec/state): never/STOPPED
FSM state: S1:OF
# times multi & trunk 0
Enabled: no
In STP: no
Statistics
----------
0 packets received (0 good)
0 packets dropped
0 nonegotiate, 0 bad version, 0 domain mismatches,
0 bad TLVs, 0 bad TAS, 0 bad TAT, 0 bad TOT, 0 other
0 packets output (0 good)
0 native, 0 software encap isl, 0 isl hardware native
0 output errors
0 trunk timeouts
0 link ups
14 link downs, last link down on Mon Dec 02 2013, 09:12:23
On trunk ports:
SW1-p25#sh dtp int f0/10
DTP information for FastEthernet0/10:
TOS/TAS/TNS: TRUNK/ON/TRUNK
TOT/TAT/TNT: 802.1Q/802.1Q/802.1
Neighbor address 1: 000000000000
Neighbor address 2: 000000000000
Hello timer expiration (sec/state): 24/RUNNING
Access timer expiration (sec/state): never/STOPPED
Negotiation timer expiration (sec/state): never/STOPPED
Multidrop timer expiration (sec/state): never/STOPPED
FSM state: S6:TRUNK
# times multi & trunk 0
Enabled: yes
In STP: no
Statistics
----------
0 packets received (0 good)
0 packets dropped
0 nonegotiate, 0 bad version, 0 domain mismatches,
0 bad TLVs, 0 bad TAS, 0 bad TAT, 0 bad TOT, 0 other
51672 packets output (51672 good)
51672 native, 0 software encap isl, 0 isl hardware native
0 output errors
0 trunk timeouts
1 link ups, last link up on Fri Nov 15 2013, 10:19:26
0 link downs
SW1-p25#sh int f0/38 switchport !-- A commonly used method to identify DTP state for interfaces is to view layer 2 port state information
Name: Fa0/38
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off !!!
Access Mode VLAN: 13 (VLAN0013)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none
SW1-p25#
##### Theory #####
DTP is the protocol that lets two switches negotiate, without any manual configuration, whether the link between them becomes a trunk and which trunking protocol it uses (802.1q or ISL, with ISL having priority over 802.1q). There are two possible DTP default port states:
Dynamic Desirable (DTP Active): the port actively sends DTP messages so it initiates trunk formation.
Dynamic Auto (DTP Passive): the port waits for DTP messages from the other end in order to respond and negotiate the trunk formation.
If you connect two switches whose ports are both in Dynamic Auto mode out of the box, no trunk is formed, because neither side initiates the DTP negotiation.
In common trunk port configurations, at a minimum you specify the trunking protocol and administratively set the port as trunk, with the following interface-level commands:
switchport trunk encapsulation dot1q
switchport mode trunk
In common access port configuration, at a minimum you specify the VLAN membership and administratively set the port as access, with the following interface-level commands:
switchport access vlan 13
switchport mode access
Ports administratively configured as trunks still have DTP enabled, whereas ports administratively configured as access have DTP disabled. Even if you configure a port as a static trunk, you still want DTP enabled, because the other end of the link might not yet be configured as a static trunk and you don't want to break the link. After you have configured a port as static access, you do not want it to become a trunk, so there is no need to leave DTP enabled.
The interface-level command to manually disable DTP is switchport nonegotiate.
You might want to use this command on access ports just to make the setting visible in the configuration, whereas on trunk ports it is mandatory if you want to disable DTP.
The command that implicitly disables DTP on access ports is switchport mode access.
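The rules above can be checked mechanically against a running configuration. The following Python sketch is an added example, not part of the original lab notes; the sample configuration and the audit_dtp helper are constructed for illustration, and Fa0/41 is a hypothetical port left without a static mode.

```python
import re

# Constructed running-config excerpt for illustration (not captured from the lab switch).
SAMPLE_CONFIG = """\
interface FastEthernet0/10
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/38
 switchport access vlan 13
 switchport mode access
 switchport nonegotiate
!
interface FastEthernet0/40
 switchport access vlan 13
 switchport mode access
!
interface FastEthernet0/41
 switchport access vlan 13
!
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
"""

def audit_dtp(config):
    """Map each interface to (dtp_state, note) using the Theory section's rules."""
    results = {}
    for block in re.split(r"^(?=interface )", config, flags=re.M):
        lines = [l.strip() for l in block.splitlines()]
        if not lines or not lines[0].startswith("interface "):
            continue
        name = lines[0].split(None, 1)[1]
        mode = next((l.split("switchport mode ", 1)[1] for l in lines
                     if l.startswith("switchport mode ")), None)
        if "switchport nonegotiate" in lines:
            results[name] = ("disabled", "explicit nonegotiate")
        elif mode == "access":
            results[name] = ("disabled", "implicit; add nonegotiate for visibility")
        elif mode == "trunk":
            results[name] = ("enabled", "static trunk still runs DTP")
        else:  # no static mode configured: platform default dynamic auto/desirable
            results[name] = ("enabled", "dynamic mode; can negotiate a trunk")
    return results

if __name__ == "__main__":
    for intf, (state, note) in audit_dtp(SAMPLE_CONFIG).items():
        print(f"{intf:20} DTP {state:9} {note}")
```

Ports reported as "enabled" are the ones to review: static trunks where DTP is no longer needed, and any port still in a dynamic mode.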