
Why Disable DTP?

https://learningnetwork.cisco.com/s/question/0D53i00000Kt5PXCAZ/why-bother-to-disable-dtp

"Good question that deserves a good answer, and it's pretty much answered here: VLAN, DTP and switchport nonegotiate command

But they left out one important point: I could just set up a switch in my office, attach the RJ45, change the port to switchport mode dynamic desirable (note: some IOS versions default to that), and if the other switchport is in its default mode of dynamic auto, voila, I can now sniff the traffic or inject traffic by VLAN hopping.

So, yes, you could prevent that in ways other than disabling DTP (e.g., simply setting ports to access), but as pointed out by Darren, it's a best practice to shut down unused services. It also might be part of the network policy.

Also note that by not disabling DTP, even if you have both ends as static trunks, DTP messages are still flowing, and they include VTP domain information, so that is yet another reason to shut DTP down.

Connecting to a non-Cisco switch is another reason to disable DTP."
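The first answer turns on the fact that a port left at its dynamic auto default will trunk with any peer that asks. The following is an added example (not code from the quoted answers or from Cisco) that models the standard DTP negotiation outcomes for on/desirable/auto/access plus nonegotiate; the Port, trunks and link_outcome names are this example's own.

```python
"""DTP negotiation model: what two directly connected Catalyst ports settle on.

Added example, not code from the quoted answers. The outcome rules are the
standard documented DTP behaviour (on/desirable/auto/access, nonegotiate); the
Port/trunks/link_outcome names are this example's own.
"""
from dataclasses import dataclass
from enum import Enum


class Mode(Enum):
    ACCESS = "access"                  # switchport mode access
    TRUNK = "trunk"                    # switchport mode trunk
    DESIRABLE = "dynamic desirable"    # actively asks the peer to trunk
    AUTO = "dynamic auto"              # trunks only if the peer asks; common default


@dataclass(frozen=True)
class Port:
    mode: Mode
    nonegotiate: bool = False          # switchport nonegotiate

    def __post_init__(self):
        # IOS rejects nonegotiate on dynamic ports ("Conflict between
        # 'nonegotiate' and 'dynamic' status"), so the model refuses it too.
        if self.nonegotiate and self.mode in (Mode.DESIRABLE, Mode.AUTO):
            raise ValueError("nonegotiate requires mode access or trunk")

    def sends_dtp(self) -> bool:
        """Static access/trunk ports still emit DTP unless nonegotiate is set;
        dynamic ports always do, which is what a rogue peer listens for."""
        return not self.nonegotiate


def trunks(local: Port, peer: Port) -> bool:
    """Does `local` end up as a trunk when cabled to `peer`?"""
    if local.mode == Mode.TRUNK:
        return True                    # unconditional, peer state irrelevant
    if local.mode == Mode.ACCESS:
        return False                   # never, no matter what the peer sends
    if not peer.sends_dtp():
        return False                   # dynamic port hears no DTP -> stays access
    if local.mode == Mode.DESIRABLE:
        return peer.mode in (Mode.TRUNK, Mode.DESIRABLE, Mode.AUTO)
    return peer.mode in (Mode.TRUNK, Mode.DESIRABLE)   # AUTO needs a peer that asks


def link_outcome(a: Port, b: Port) -> tuple:
    """(state of a, state of b); unequal states mean a one-sided trunk (mismatch)."""
    def state(is_trunk: bool) -> str:
        return "trunk" if is_trunk else "access"
    return state(trunks(a, b)), state(trunks(b, a))


if __name__ == "__main__":
    rogue = Port(Mode.DESIRABLE)       # the attacker's switch from the quoted answer
    for name, edge in [("default dynamic auto", Port(Mode.AUTO)),
                       ("mode access only", Port(Mode.ACCESS)),
                       ("mode access + nonegotiate", Port(Mode.ACCESS, nonegotiate=True))]:
        print(f"{name:28} vs rogue desirable -> {link_outcome(edge, rogue)}")
```

The three rows printed by the script correspond to the answer's argument: the default dynamic auto port trunks with a desirable peer, switchport mode access alone already stops that, and adding switchport nonegotiate additionally stops the port from emitting DTP at all. The model also shows the trunk-plus-nonegotiate case from the second URL's topic: a dynamic peer that receives no DTP stays in access, leaving a one-sided trunk.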

https://learningnetwork.cisco.com/s/question/0D53i00000KsxHJCAZ/why-switchport-mode-access-and-nonnegotiate-together-to-secure-port

"VLAN hopping attacks have two variants, and one of them is executing DTP on ports that shouldn't have DTP enabled, i.e. access ports, so you should never have DTP enabled on ports that should be access only. That being said, why should you execute the "switchport nonegotiate" command? This is often done as best practice because the switch will not have to process DTP packets in and out of the interface, so you will save some CPU cycles on your device; this would often be used in high-availability environments. Note that if you execute "switchport mode trunk" it will have to negotiate a trunk unconditionally, so why have DTP frame processing enabled? Just a waste of CPU cycles, as I said.

Remember, the VLAN hopping attack would be executed on a switched interface that is, for example, in "dynamic auto", so the PC attached could spoof and send DTP packets and form a trunk connection with your switch and negotiate a trunk link that by default has all the VLANs implicitly allowed. Linux machines can negotiate trunk connections (I think there is an application called Yersinia that is used for that, but I'm not sure right now). Be careful with this because some trusted users often install "mini-networks" in their cubicles; I mean they will bring a switch, negotiate a trunk connection to have access to all VLANs on your network, so the VLAN hopping attack can be easily unleashed this way."
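Both answers refer to the DTP frames themselves: the first notes that they carry the VTP domain name even between static trunks, the second that a PC can spoof them to negotiate a trunk. As an added example (not code from the quoted answers, from Cisco, or from Yersinia), the block below encodes and decodes such a frame in memory and audits a list of captured frames from a port that is supposed to be access-only. The field layout (Cisco multicast 01:00:0c:cc:cc:cc, LLC/SNAP with the Cisco OUI and PID 0x2004, a version byte, then type/length/value TLVs for domain, status, type and sender) follows public protocol dissections and is an assumption of this example rather than vendor documentation; the sample frames, the port name and the MAC addresses are constructed. Nothing is sent on the wire.

```python
"""Encode and decode DTP frames. Added example, not from the quoted answers.

Field layout (Cisco multicast 01:00:0c:cc:cc:cc, LLC/SNAP with Cisco OUI and
PID 0x2004, version byte, then type/length/value TLVs) is taken from public
protocol dissections and is an assumption of this example, not vendor
documentation. Frames are built and parsed in memory only.
"""
import struct

DTP_DST = bytes.fromhex("01000ccccccc")
SNAP_HDR = bytes.fromhex("aaaa03") + bytes.fromhex("00000c")   # DSAP/SSAP/ctrl + Cisco OUI
DTP_PID = 0x2004

TLV_DOMAIN, TLV_STATUS, TLV_TYPE, TLV_SENDER = 1, 2, 3, 4
TOS_TRUNK = 0x80                                      # trunk operating status bit
TAS = {1: "on", 2: "off", 3: "desirable", 4: "auto"}  # trunk admin status (low bits)
TAS_CODE = {v: k for k, v in TAS.items()}


def _tlv(kind: int, value: bytes) -> bytes:
    return struct.pack("!HH", kind, 4 + len(value)) + value   # length covers the header


def build_dtp(src_mac: bytes, domain: str, admin: str, trunking: bool,
              dtp_type: int = 0xA5) -> bytes:
    """Frame as a peer (switch, or a host running a DTP tool) would emit it.
    dtp_type 0xA5 is the 802.1Q operating/admin encoding seen in dissections (assumed)."""
    status = (TOS_TRUNK if trunking else 0) | TAS_CODE[admin]
    body = (b"\x01"                                   # DTP version
            + _tlv(TLV_DOMAIN, domain.encode() + b"\x00")   # VTP domain leaks here
            + _tlv(TLV_STATUS, bytes([status]))
            + _tlv(TLV_TYPE, bytes([dtp_type]))
            + _tlv(TLV_SENDER, src_mac))
    llc = SNAP_HDR + struct.pack("!H", DTP_PID)
    return DTP_DST + src_mac + struct.pack("!H", len(llc) + len(body)) + llc + body


def parse_dtp(frame: bytes):
    """None if the frame is not DTP or is malformed; else the advertised state."""
    if len(frame) < 23 or frame[:6] != DTP_DST:
        return None
    if frame[14:22] != SNAP_HDR + struct.pack("!H", DTP_PID) or frame[22] != 1:
        return None
    info = {"sender": frame[6:12].hex(":")}
    off = 23
    while off < len(frame):
        if off + 4 > len(frame):
            return None
        kind, length = struct.unpack_from("!HH", frame, off)
        if length < 4 or off + length > len(frame):
            return None                               # truncated TLV: refuse to guess
        value = frame[off + 4:off + length]
        if kind == TLV_DOMAIN:
            info["domain"] = value.rstrip(b"\x00").decode("ascii", "replace")
        elif kind == TLV_STATUS and value:
            info["trunking"] = bool(value[0] & TOS_TRUNK)
            info["admin"] = TAS.get(value[0] & 0x07, "unknown")
        elif kind == TLV_SENDER and len(value) == 6:
            info["sender"] = value.hex(":")
        off += length
    return info


def audit_access_port(port: str, frames) -> list:
    """Findings for a port that should be access + nonegotiate: any DTP at all is
    worth a look, and a 'desirable'/'on' peer is an active attempt to trunk."""
    out = []
    for f in frames:
        d = parse_dtp(f)
        if d is None:
            continue
        sev = "HIGH" if d.get("admin") in ("desirable", "on") else "MEDIUM"
        out.append(f"{sev} {port}: DTP from {d['sender']} admin={d.get('admin')} "
                   f"trunking={d.get('trunking')} domain={d.get('domain')!r}")
    return out


# Constructed sample traffic (not a real capture): a host at 02:00:00:00:00:01
# probing with 'desirable', and an ordinary IPv4 frame that must be ignored.
ROGUE = build_dtp(bytes.fromhex("020000000001"), "CORP", "desirable", trunking=False)
IPV4 = (bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000002")
        + b"\x08\x00" + b"\x45" + bytes(39))

if __name__ == "__main__":
    for line in audit_access_port("Gi1/0/7", [ROGUE, IPV4]):
        print(line)
```

The decoder treats any short or inconsistent TLV as "not DTP" rather than guessing, so the audit never raises on junk captured from the port. The domain field is returned on purpose: on a port where both ends are static trunks without nonegotiate, that is the VTP domain name the first answer says is being advertised.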