2.1.d Implement and Troubleshoot Trunking

There was no section to discuss Cisco’s Dynamic Trunking Protocol (DTP), so I decided to do it here.

DTP lets two devices that both speak the protocol dynamically form a trunk on the link between them, with no trunk configuration on either side.
In theory this sounds great, since it makes the network plug-and-play. In reality it is a security nightmare.

The biggest issue with DTP is that it is enabled by default on all links (the mode it runs in is dynamic auto), and it is hard to tell without already knowing this or doing a packet capture.
No DTP commands show up in the interface configuration, because a default setting is not displayed in the running config; you just have to know it is there.

It is very easy, and has been demonstrated many times, to run a DTP emulator on a PC and form a trunk with a switch that still has the default DTP settings; the resulting trunk carries all VLANs.
Remember that on a VLAN trunk, if we do not specifically list which VLANs are allowed, all of them are allowed.

DTP actively tries to form a trunk on an interface. The way to stop it is to set the port to a static trunk or static access; it is also possible to disable DTP negotiation itself with a command (see below).

There are technically 4 trunk modes:

switchport nonegotiate
This setting turns off DTP negotiation messages on the port.

switchport mode trunk
This command statically configures a trunk, so DTP no longer has to negotiate one (the goal of DTP is to make a trunk). As noted below, the port still sends DTP frames.

switchport mode dynamic desirable
This mode is specific to DTP: the port actively sends DTP messages, and the other side must be dynamic auto or dynamic desirable to complete the trunk.

switchport mode dynamic auto
This mode is specific to DTP: the port only listens for DTP messages, so the other side must be desirable (actively sending DTP).

Note: Statically defining a trunk still sends DTP messages out; you still need “switchport nonegotiate”.

DTP encapsulation (NOTE: THIS IS ONLY NEEDED FOR OLDER SWITCHES OR SWITCHES WHICH SUPPORT ISL):
By default DTP prefers ISL encapsulation over dot1q, and the default on a trunk is to negotiate the encapsulation (which ends up as ISL).
The following commands statically set the encapsulation to dot1q or ISL, or leave it to negotiation (note that newer switches remove ISL completely):
switchport trunk encapsulation dot1q
switchport trunk encapsulation isl
switchport trunk encapsulation negotiate
The last command lets DTP negotiate the encapsulation based on what the other side wants or what both sides prefer (ISL).
Again, this is only needed on older switches or switches which support ISL (basically none now).

When DTP is on, a trunk will NOT form in these 3 scenarios:
dynamic auto on both sides
manual (static) trunk on one side and dynamic auto on the other
mismatched VTP domains (the VTP domain is carried in the DTP packet)

By default DTP messages go out every 30 seconds.

DTP is encapsulated in 802.3 Ethernet; the frame structure is shown in the figure below.

[figure: DTP frame structure]

There are 5 fields in the DTP PDU.

Domain: the VTP domain (yes, VTP)
Trunk Status: whether the port is set to dynamic auto or dynamic desirable
Trunk Type: desirable or auto
Sender ID: the MAC address of the device that sent this DTP frame
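To make the fields above concrete, here is an added Python parser (not code from the original notes) that pulls the DTP PDU out of a raw 802.3 frame and extracts the domain, the raw status/type bytes and the sender MAC, which is what you want when you are checking a capture to see which device on a segment is talking DTP. It assumes, as Wireshark decodes it, that DTP rides in an LLC/SNAP header with Cisco's OUI 00:00:0c and protocol ID 0x2004, that the PDU is a one-byte version followed by TLVs with type codes 1 (domain), 2 (status), 3 (type) and 4 (sender ID), and that each TLV's length field includes its own 4-byte header; the sample frame, the domain name LAB, the sender MAC and the status/type byte values are all constructed to match those assumptions rather than taken from a real capture.

```python
"""Parse the DTP PDU out of a raw 802.3/LLC/SNAP frame.

Added example for these notes, not the original author's code. Assumptions
(labelled): DTP rides in a SNAP header with Cisco's OUI 00:00:0c and protocol
ID 0x2004; the PDU is a one-byte version followed by TLVs with type codes
1=domain, 2=status, 3=type, 4=sender ID; each TLV's 2-byte length includes
its own 4-byte type+length header. The sample frame is constructed to match.
"""
import struct

DTP_MULTICAST = bytes.fromhex("01000ccccccc")  # destination MAC used by Cisco DTP/VTP
CISCO_OUI = bytes.fromhex("00000c")
DTP_PID = 0x2004
TLV_NAMES = {1: "domain", 2: "status", 3: "type", 4: "sender_id"}


def parse_dtp_frame(frame: bytes) -> dict:
    """Return the DTP fields of one 802.3 frame; raise ValueError if it is not DTP."""
    if len(frame) < 23:
        raise ValueError("frame too short for 802.3 + LLC/SNAP + DTP version")
    dst, src = frame[0:6], frame[6:12]
    (length,) = struct.unpack("!H", frame[12:14])
    if length > 1500:
        raise ValueError("type/length field is an EtherType, not an 802.3 length")
    if frame[14:17] != b"\xaa\xaa\x03":
        raise ValueError("no LLC/SNAP header")
    oui, (pid,) = frame[17:20], struct.unpack("!H", frame[20:22])
    if oui != CISCO_OUI or pid != DTP_PID:
        raise ValueError("SNAP OUI/PID is not Cisco DTP")
    payload = frame[22:14 + length]          # the length field excludes any trailing padding
    fields = {"dst": dst.hex(":"), "src": src.hex(":"), "version": payload[0]}
    off = 1
    while off + 4 <= len(payload):
        tlv_type, tlv_len = struct.unpack("!HH", payload[off:off + 4])
        if tlv_len < 4 or off + tlv_len > len(payload):
            raise ValueError(f"malformed TLV length {tlv_len} at offset {off}")
        value = payload[off + 4:off + tlv_len]
        name = TLV_NAMES.get(tlv_type, f"tlv_{tlv_type}")
        if name == "domain":
            fields[name] = value.rstrip(b"\x00").decode("ascii", "replace")
        elif name == "sender_id":
            fields[name] = value.hex(":")
        else:
            fields[name] = value.hex()       # status/type kept as raw hex; decode them with Wireshark
        off += tlv_len
    return fields


def build_sample_frame(domain=b"LAB", sender=bytes.fromhex("deadbeef0001")) -> bytes:
    """Constructed DTP frame (not a real capture): VTP domain, raw status/type bytes, sender MAC."""
    def tlv(t: int, v: bytes) -> bytes:
        return struct.pack("!HH", t, 4 + len(v)) + v
    payload = (b"\x01"                            # DTP version
               + tlv(1, domain + b"\x00")         # Domain (NUL-terminated)
               + tlv(2, b"\x03")                  # Trunk Status (raw byte, constructed value)
               + tlv(3, b"\xa5")                  # Trunk Type (raw byte, constructed value)
               + tlv(4, sender))                  # Sender ID
    llc_snap = b"\xaa\xaa\x03" + CISCO_OUI + struct.pack("!H", DTP_PID)
    frame = (DTP_MULTICAST + sender
             + struct.pack("!H", len(llc_snap) + len(payload))
             + llc_snap + payload)
    return frame.ljust(60, b"\x00")               # pad to the 802.3 minimum like a NIC would


if __name__ == "__main__":
    for key, val in parse_dtp_frame(build_sample_frame()).items():
        print(f"{key:10s} {val}")
```

Feeding frames from a SPAN or mirror port through parse_dtp_frame gives the sender MAC and VTP domain of every DTP talker; a sender ID that is not one of your switches is the thing to look for. The status and type bytes are deliberately left as hex because their bit layout is not covered in these notes.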

Verify commands:

show interface g0/1 switchport
[screenshot: output of show interface g0/1 switchport]

show interface trunk
[screenshot: output of show interface trunk]

show dtp
[screenshot: output of show dtp]

show dtp int g0/1
[screenshot: output of show dtp int g0/1]
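The trunk modes and the nonegotiate note earlier, together with the show interface switchport output above, are what an audit of a switch comes down to in practice: find the ports whose administrative mode is still dynamic auto or dynamic desirable, the static trunks that still have negotiation on, and the trunks that carry every VLAN, then pin each one. The following is an added Python script (not code from the original notes) that does exactly that over the text the command prints. It assumes the field names Catalyst IOS uses in that output (Name, Administrative Mode, Negotiation of Trunking, Trunking VLANs Enabled); the three-port sample output, the interface names, the VLAN numbers and the set of ports meant to be trunks are constructed for the example, and the allowed-VLAN list in the remediation is a placeholder to fill in per trunk.

```python
"""Audit 'show interfaces switchport' output for ports that can still negotiate a trunk.

Added example for these notes, not the original author's code. Field names are
those printed by Catalyst IOS; the sample output, interface names, VLANs and the
intended role of each port are constructed for the example.
"""
import re

# Constructed sample output, three ports, in the format 'show interfaces switchport' uses.
SAMPLE_OUTPUT = """\
Name: Gi0/1
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: On
Access Mode VLAN: 10 (USERS)
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL

Name: Gi0/2
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 999 (UNUSED)
Trunking VLANs Enabled: ALL

Name: Gi0/3
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 10 (USERS)
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL
"""

# Ports that are meant to be trunks (constructed); every other port is treated as access.
INTENDED_TRUNKS = {"Gi0/2"}


def parse_switchport(text):
    """Split the command output into one dict of 'Field: value' pairs per interface."""
    ports = []
    for block in re.split(r"\n(?=Name: )", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if "Name" in fields:
            ports.append(fields)
    return ports


def audit(ports, intended_trunks=INTENDED_TRUNKS):
    """Return {interface: [findings]} for ports that still negotiate or carry every VLAN."""
    results = {}
    for port in ports:
        name = port["Name"]
        findings = []
        mode = port.get("Administrative Mode", "")
        if mode.startswith("dynamic"):
            findings.append(f"DTP mode '{mode}': a neighbour can negotiate a trunk")
        if port.get("Negotiation of Trunking") == "On":
            findings.append("DTP frames still sent (switchport nonegotiate missing)")
        if name in intended_trunks and port.get("Trunking VLANs Enabled") == "ALL":
            findings.append("trunk carries every VLAN; no allowed-VLAN list configured")
        if findings:
            results[name] = findings
    return results


def remediation(name, intended_trunks=INTENDED_TRUNKS):
    """Interface commands that pin the port's mode and stop DTP (allowed-VLAN list is a placeholder)."""
    cmds = [f"interface {name}"]
    if name in intended_trunks:
        cmds += ["switchport mode trunk",
                 "switchport trunk allowed vlan <ALLOWED-VLAN-LIST>",
                 "switchport nonegotiate"]
    else:
        cmds += ["switchport mode access", "switchport nonegotiate"]
    return cmds


if __name__ == "__main__":
    for iface, findings in audit(parse_switchport(SAMPLE_OUTPUT)).items():
        print(f"{iface}:")
        for finding in findings:
            print(f"  - {finding}")
        print("  remediation: " + " ; ".join(remediation(iface)))
```

Run it against the saved output of show interfaces switchport from each switch; Gi0/3 in the sample is what a finished port looks like (static access, negotiation Off), Gi0/1 is the factory default, and Gi0/2 shows why the note about static trunks matters. The mode command is emitted before nonegotiate because IOS rejects nonegotiate while the port is still in a dynamic mode.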
