DTP - switchport nonegotiate - switchport trunk

Hi,

Each of these commands will disable DTP on an interface. 

  1. Is the main purpose for using switchport nonegotiate to prevent trunking to an interface on a new switch or one where defaults are in effect? 
  2. Won't switchport mode access accomplish the same thing?

Ernie

Comments

  • “switchport mode access” turns DTP off, so a device on the other end of the link can’t negotiate it as a trunk. This is a security mechanism to protect against Layer 2 Man-In-The-Middle (MiM) attacks.

    “switchport nonegotiate” turns DTP off on trunk links for the purpose of very high availability environments. If DTP is on and the link flaps, a non-negligible amount of time is spent negotiating DTP before the link can be handed over to the Layer 2 STP process or the Layer 3 routing process. If DTP is off, this delay is eliminated, which improves convergence times in HA environments.

    HTH,

    Brian McGahan, CCIE #8593 (R&S/SP/Security)

    [email protected]

    Internetwork Expert, Inc.

    http://www.INE.com

    Toll Free: 877-224-8987 x 705

    Outside US: 775-826-4344 x 705

    Online Community: http://www.IEOC.com

    CCIE Blog: http://blog.INE.com

    From: [email protected] [mailto:[email protected]] On Behalf Of Ernie_07
    Sent: Sunday, February 20, 2011 8:56 PM
    To: Brian McGahan
    Subject: [ccnp] DTP - switchport nonegotiate - switchport trunk

  • Thanks for the quick clarification.

    Ernie

  • I was doing a quick review on this and noticed that the Cisco Press CCIE Routing and Switching Exam Certification Guide, 4th edition, page 53, stated that "switchport mode access means: Never trunks; sends DTP to help other side reach same conclusion". Ruhann's notes said the same. Basically I got conflicting ideas from different sites. So I labbed it up, turned on "debug dtp all" and received the following:

    "DTP-queue:Fa0/13:Not queuing DTP packet: DTP not enabled ../dyntrk/dyntrk_process.c:1355" every 30 seconds while in access mode. 

    Then I added the switchport nonegotiate command on the interface to see if anything would change, and there was no change in the debug output. When I removed the nonegotiate command, I got this message:

    13:07:57: DTP-state:Fa0/13:Starting state transition from state S1:OFF, event 4':CFG NO CHG ../dyntrk/dyntrk_fsm.c:631
    13:07:57: DTP-state:Fa0/13:Ending state transition to state S1:OFF ../dyntrk/dyntrk_fsm.c:659

    Then I kept getting the:

    "DTP-queue:Fa0/13:Not queuing DTP packet: DTP not enabled ../dyntrk/dyntrk_process.c:1355" every 30 seconds again.

    sh dtp int fa0/13 showed enable = no

    sh int fa0/13 showed Negotiation of trunking = off

    So I then made the port a trunk and boom! DTP packets are flying all over the place.

    What I don't understand is why are other people and Cisco claiming that switchport mode access sends DTP?

    Would I lose points if I DON'T put the switchport nonegotiate command but have switchport mode access, if the lab task says DO NOT send negotiate trunking?

    Thanks,

  • Hi,

    Here are some excerpts from another post:

    Create a standards-based trunk between SW1 and SW4 according to the Layer 2 diagram provided.

    How would the proctor (or a Cyborg Grading Script) grade this task?!?! Yes, you guessed it. They would use SHOW INTERFACE TRUNK on each device perhaps! In your mind, run through the parameters that must exist.

    • 802.1Q
    • Correct two devices
    • Correct two interfaces
    • UP/UP status

    switchport trunk encapsulation dot1q
    switchport mode trunk

    or

    switchport trunk encapsulation dot1q
    switchport mode trunk
    switchport nonegotiate

    In each case, trunking was required. In the second case, DTP was disabled.

    HTH

    Ernie
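The thread settles two points: a port in static access mode does not send DTP, and a trunk keeps speaking DTP until "switchport nonegotiate" is added. The operational check for both is the "Negotiation of Trunking" line of "show interfaces switchport". The script below is an added example written for this thread, not code from any of the posters or from Cisco. It parses that output, flags every switchport that still negotiates, and prints the configuration that would turn DTP off on it. The interface names, VLANs and output text are constructed for the example (they are not from the Fa0/13 lab above), and the trunk remediation assumes a platform that accepts "switchport trunk encapsulation dot1q", as in the configs quoted in this post.

```python
"""Audit IOS 'show interfaces switchport' output for ports that still negotiate trunking (DTP)."""
from typing import Dict, List, Tuple

# Constructed sample output in the layout of IOS "show interfaces switchport".
# Interface names and values are hypothetical, not captured from a real switch.
SAMPLE_SHOW_SWITCHPORT = """\
Name: Fa0/13
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 10 (USERS)

Name: Fa0/14
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)

Name: Fa0/15
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)

Name: Fa0/16
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
"""


def parse_show_switchport(text: str) -> Dict[str, Dict[str, str]]:
    """Turn the 'Key: Value' blocks of the command output into {interface: {field: value}}."""
    ports: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue  # blank line separates interfaces
        key, sep, value = line.partition(":")
        if not sep:
            continue  # not a field line
        key, value = key.strip(), value.strip()
        if key == "Name":
            current = value
            ports[current] = {}
        elif current is not None:
            ports[current][key] = value
    return ports


def dtp_findings(ports: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (interface, administrative mode, reason) for every switchport with DTP still on."""
    findings = []
    for name, fields in ports.items():
        if fields.get("Switchport") != "Enabled":
            continue  # routed port: no DTP at all
        admin = fields.get("Administrative Mode", "").lower()
        if fields.get("Negotiation of Trunking", "").lower() != "on":
            continue  # static access, or trunk with nonegotiate: nothing to report
        if admin.startswith("dynamic"):
            reason = "dynamic mode: the far end can negotiate this port into a trunk"
        elif admin == "trunk":
            reason = "trunk still sends DTP: nonegotiate removes the negotiation delay"
        else:
            reason = "DTP enabled"
        findings.append((name, admin, reason))
    return findings


def remediation(name: str, want_trunk: bool = False) -> List[str]:
    """IOS lines that turn DTP off: static access for edge ports, pinned trunk otherwise."""
    lines = [f"interface {name}"]
    if want_trunk:
        lines += [" switchport trunk encapsulation dot1q", " switchport mode trunk"]
    else:
        lines.append(" switchport mode access")
    lines.append(" switchport nonegotiate")
    return lines


if __name__ == "__main__":
    parsed = parse_show_switchport(SAMPLE_SHOW_SWITCHPORT)
    for iface, mode, why in dtp_findings(parsed):
        print(f"{iface} ({mode}): {why}")
        print("\n".join(remediation(iface, want_trunk=(mode == "trunk"))))
```

Run it against the output of the real command on a switch and every port it lists is one where a neighbour can still influence the trunk state; on edge ports the access-mode fix is the one Brian describes, on uplinks the trunk-plus-nonegotiate form is the one the grading discussion above requires.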
