Lesson Contents
Dynamic Trunking Protocol (DTP) is a Cisco proprietary protocol that automatically negotiates whether a switchport should become an access port or a trunk. There are two modes: dynamic auto and dynamic desirable. Depending on which combination you use on two interfaces, the interface becomes either an access port or trunk. This might sound convenient, but it’s a security risk. Depending on your switch model and version, DTP is enabled by default, which means an attacker could try to connect to your switch, negotiate a trunk, and gain access to all your VLANs.
In this lesson, we’ll take a look at DTP, how it works, and how to disable it.
Key Takeaways
- DTP is enabled by default on Cisco switches in “dynamic auto” or “dynamic desirable” mode
- Configuring an interface in access mode automatically disables DTP negotiation
- Configuring an interface in trunk mode does NOT disable DTP – you must use the
switchport nonegotiatecommand - Best practice: Always disable DTP on production networks to prevent VLAN hopping attacks
- Default DTP mode varies by switch model (Catalyst 3560 uses “dynamic auto”)
Prerequisites
Before working through this lesson, you should have a basic understanding of VLANs and understand how to configure trunks.
Configuration
Let’s take a look at DTP negotiation and how to disable it. I’ll be using two switches for this:
I didn’t configure anything on my switches. Let’s see what the default settings are:
SW1#show interfaces fa0/24 switchport
Name: Fa0/24
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: On
SW2#show interfaces fastEthernet 0/24 switchport
Name: Fa0/24
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: OnWithout configuring anything on the interfaces, we are using dynamic auto mode, and as a result, the interfaces are in access mode.
There are two ways to disable DTP negotiation:
- Configure the interface for access mode.
- Use the
switchport nonegotiatecommand on the interface.
Configuring the interface for trunking does not disable DTP negotiation. Let me give you an example. First, we’ll configure the interfaces for access mode:
SW1(config)#interface fastEthernet 0/24
SW1(config-if)#switchport mode accessSW2(config)#interface fastEthernet 0/24
SW2(config-if)#switchport mode access When we look again at the switchport settings, we can see that DTP negotiation is now disabled:
SW1#show interfaces fastEthernet 0/24 switchport
Name: Fa0/24
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: OffSo configuring an interface yourself to use access mode disables DTP negotiation. How about creating a trunk ourselves?
Thanks Rene very useful
Dear René,
Is it to avoid a security issue that we disable DTP ? If someone bring a rogue switch and plug it et voilà we negociate a trunk ?
Thks,
Prince
Hi Prince,
That’s correct, this could be dangerous if your interface is configured for “dynamic auto” or “dynamic desirable”.
If you configured the interface in static “access” or “trunk” then negotiatin can’t change it anymore but you are still sending DTP packets which is a bit pointless, better to just disable them.
Rene
Thanks for the reply René,
Prince
Rene,
Watching you switching videos and I like the background of your terminal. Tale me, which terminal program and font are you using. I would like to use such a background.