Thursday, September 16, 2010

Why DTP is used

The DTP is used by Cisco switches to negotiate whether an interconnection between two switches should be put into access or trunk mode. It is meant both to ease the initial deployment of a switched network and to minimize configuration errors that result from mismatched port configuration on an interconnection between two switches.

The DTP helps to automatically negotiate whether the port should be put into access or trunk mode and what trunking protocol (802.1Q or ISL) should be used. The individual DTP modes are:

  • dynamic auto - the port negotiates the mode automatically but prefers to be an access port
  • dynamic desirable - the port negotiates the mode automatically but prefers to be a trunk port

DTP frames are also sent if the port is set statically to trunk mode. However, if the port is set statically to access mode, both sending and processing of DTP frames on that port are deactivated.

The individual combinations of port settings lead to following results:

  • dynamic auto + dynamic auto = access
  • dynamic auto + dynamic desirable = trunk
  • dynamic desirable + dynamic desirable = trunk
  • dynamic auto or dynamic desirable + trunk = trunk
  • dynamic auto or dynamic desirable + access = access

As you can see, if both ports are dynamic auto, they will act as access ports. If either of them is dynamic desirable, both will agree on trunking. If one of them is dynamic and the other is static, the mode is dictated by the statically set port.

The DTP protocol is unauthenticated, which means that a station can send forged DTP frames, pretending to be a switch. If the switchport is configured as a dynamic port, an attacker can trick it into becoming a trunk port and thereby gain access to all VLANs allowed on that trunk. Therefore, once a network has been installed, it is best practice to set the mode statically and deactivate DTP on the port with the command switchport nonegotiate (this command is necessary only for trunk ports, as static access ports do not send DTP frames at all).
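The following script is an added example, not part of the original post. It encodes the negotiation table above as a function and then audits a switch running-config for ports that would still negotiate with a spoofed DTP peer: dynamic ports, and static trunks that lack switchport nonegotiate. The configuration text is a constructed sample; the script assumes the usual "interface ... / switchport mode ..." layout of "show running-config", and it assumes that a port with no explicit switchport mode line defaults to dynamic auto (the default varies by platform, so treat that as an assumption to adjust for your own switches). The "mismatch" result for two differently configured static ports goes beyond the post's table and is the script's own convention.

```python
"""Audit a Cisco IOS running-config for DTP exposure (added example, not from the post)."""
import re

STATIC_MODES = {"access", "trunk"}
DYNAMIC_MODES = {"dynamic auto", "dynamic desirable"}


def negotiate(mode_a: str, mode_b: str) -> str:
    """Resolve two connected ports' DTP modes into 'trunk', 'access' or 'mismatch'.

    Follows the post's table: a static side dictates the result, two dynamic
    sides trunk only if at least one is 'dynamic desirable'. Two differing
    static sides have no DTP outcome and are reported as 'mismatch' (a
    convention of this script, not something the post states).
    """
    if mode_a in STATIC_MODES and mode_b in STATIC_MODES:
        return mode_a if mode_a == mode_b else "mismatch"
    for mode in (mode_a, mode_b):
        if mode in STATIC_MODES:
            return mode  # the statically configured port wins
    return "trunk" if "dynamic desirable" in (mode_a, mode_b) else "access"


# Constructed sample running-config: one exposed trunk, one hardened trunk,
# one dynamic port, one static access port and one port left at defaults.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 description uplink to distribution switch
 switchport mode trunk
!
interface GigabitEthernet1/0/2
 description uplink, hardened
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet1/0/3
 switchport mode dynamic desirable
!
interface GigabitEthernet1/0/4
 description user port
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet1/0/5
 description left at defaults
!
"""

MODE_RE = re.compile(r"switchport mode (access|trunk|dynamic auto|dynamic desirable)$")


def parse_interfaces(config: str) -> dict:
    """Map interface name -> {'mode': str, 'nonegotiate': bool}."""
    interfaces = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            # Assumed platform default when no 'switchport mode' line is present.
            interfaces[current] = {"mode": "dynamic auto", "nonegotiate": False}
        elif current and line.strip() == "!":
            current = None  # end of the interface stanza
        elif current:
            stripped = line.strip()
            match = MODE_RE.match(stripped)
            if match:
                interfaces[current]["mode"] = match.group(1)
            elif stripped == "switchport nonegotiate":
                interfaces[current]["nonegotiate"] = True
    return interfaces


def sends_dtp(port: dict) -> bool:
    """True if the port still sends and processes DTP frames."""
    if port["mode"] == "access":
        return False  # static access: DTP is disabled on the port
    if port["mode"] == "trunk":
        return not port["nonegotiate"]  # static trunk still talks DTP unless told not to
    return True  # dynamic auto / dynamic desirable always negotiate


def audit(config: str) -> dict:
    """Return interface -> finding text for every port that still negotiates."""
    findings = {}
    for name, port in parse_interfaces(config).items():
        if not sends_dtp(port):
            continue
        if port["mode"] == "trunk":
            findings[name] = "static trunk still sends DTP; add 'switchport nonegotiate'"
        else:
            findings[name] = (f"mode '{port['mode']}' can be negotiated to trunk by a forged "
                              "DTP peer; set 'switchport mode access', or 'switchport mode "
                              "trunk' plus 'switchport nonegotiate'")
    return findings


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_CONFIG).items():
        print(f"{name}: {finding}")
```

Run against a saved "show running-config" instead of the sample to get a list of ports to fix; the static access ports and trunks with switchport nonegotiate are the only ones that pass.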
