Sunday, July 26, 2009

sunday's tip: Disabling DTP on access ports

Hi all,
this Sunday morning I'm changing the spanning-tree mode for some switches (from pvst to rapid-pvst) and I noticed that DTP was enabled on several access ports.

Remember that DTP (Dynamic Trunking Protocol) is used to negotiate trunks between switches, so it's not a good idea to keep it enabled on access ports, especially if access ports are in public places...

This is the configuration I've found:

2950_1#sh ver | inc IOS
IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(22)EA4, RELEASE SOFTWARE (fc1)

2950_1#sh run int fa 0/10 | beg int
interface FastEthernet0/10
switchport access vlan 55
spanning-tree portfast

Nothing strange here, the port is working in access mode (see "Operational Mode" below), but without the "switchport mode access" command DTP is still enabled on the port:

2950_1#sh dtp int fa 0/10
DTP information for FastEthernet0/10:
TOS/TAS/TNS: ACCESS/DESIRABLE/ACCESS
TOT/TAT/TNT: NATIVE/802.1Q/802.1Q
Neighbor address 1: 000000000000
Neighbor address 2: 000000000000
Hello timer expiration (sec/state): 11/RUNNING
Access timer expiration (sec/state): never/STOPPED
Negotiation timer expiration (sec/state): never/STOPPED
Multidrop timer expiration (sec/state): never/STOPPED
FSM state: S2:ACCESS
# times multi & trunk 0
Enabled: yes
In STP: no

Statistics
----------
0 packets received (0 good)
0 packets dropped
0 nonegotiate, 0 bad version, 0 domain mismatches,
0 bad TLVs, 0 bad TAS, 0 bad TAT, 0 bad TOT, 0 other
857578 packets output (857578 good)
428789 native, 428789 software encap isl, 0 isl hardware native
0 output errors
0 trunk timeouts
20 link ups, last link up on Fri Feb 27 2009, 13:15:09
19 link downs, last link down on Fri Feb 27 2009, 13:15:07

2950_1#sh int fa 0/10 switchport
Name: Fa0/10
Switchport: Enabled
Administrative Mode: dynamic desirable
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: On
Access Mode VLAN: 55 (Ingresso)
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Appliance trust: none


So a malicious user could see the DTP hellos coming out of that port and try to negotiate a trunk.
To avoid this, let's disable DTP by putting the port in static access mode:


2950_1#sh run int fa 0/10 | beg int
interface FastEthernet0/10
switchport access vlan 55
switchport mode access
spanning-tree portfast
end


Now DTP should be disabled; let's check:

2950_1#sh dtp int fa 0/10
DTP information for FastEthernet0/10:
TOS/TAS/TNS: ACCESS/OFF/ACCESS
TOT/TAT/TNT: NATIVE/802.1Q/NATIVE
Neighbor address 1: 000000000000
Neighbor address 2: 000000000000
Hello timer expiration (sec/state): never/STOPPED
Access timer expiration (sec/state): never/STOPPED
Negotiation timer expiration (sec/state): never/STOPPED
Multidrop timer expiration (sec/state): never/STOPPED
FSM state: S1:OFF
# times multi & trunk 0
Enabled: no
In STP: no

Statistics
----------
0 packets received (0 good)
0 packets dropped
0 nonegotiate, 0 bad version, 0 domain mismatches,
0 bad TLVs, 0 bad TAS, 0 bad TAT, 0 bad TOT, 0 other
0 packets output (0 good)
0 native, 0 software encap isl, 0 isl hardware native
0 output errors
0 trunk timeouts
20 link ups, last link up on Fri Feb 27 2009, 13:15:09
20 link downs, last link down on Sun Jul 26 2009, 12:12:22

2950_1#sh int fa 0/10 switchport
Name: Fa0/10
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 55 (Ingresso)
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Appliance trust: none


Well done: the port is now in "static access" mode, with no more negotiation.
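Since I found this on several ports, it's worth auditing the whole switch rather than checking one interface at a time. Below is a small Python script I've added for that purpose (it is not Cisco's code or something from the post's switch): it parses the output of "show interfaces switchport", flags every port that is operationally an access port but still has "Negotiation of Trunking: On", or whose Administrative Mode is one of the dynamic modes, and prints the "switchport mode access" lines needed to fix them. The sample output embedded in the script is constructed to mirror the 2950 fields shown above; interface names, VLANs and the extra ports Fa0/11, Fa0/12 and Fa0/24 are made up for the example. Trunk ports are deliberately not flagged, since the post is only about access ports.

```python
import re

# Constructed sample of "show interfaces switchport" output. Fa0/10 mirrors the
# "before" state in the post; Fa0/11 is already fixed; Fa0/12 is a down port left
# in "dynamic auto"; Fa0/24 is a real uplink trunk that must not be flagged.
SAMPLE_SWITCHPORT_OUTPUT = """\
Name: Fa0/10
Switchport: Enabled
Administrative Mode: dynamic desirable
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: On
Access Mode VLAN: 55 (Ingresso)
Capture Mode Disabled

Name: Fa0/11
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 55 (Ingresso)

Name: Fa0/12
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: down
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: On
Access Mode VLAN: 55 (Ingresso)

Name: Fa0/24
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
"""

# "Field: value" lines; lines without a colon (e.g. "Capture Mode Disabled") are skipped.
FIELD_RE = re.compile(r"^(?P<key>[^:]+):\s*(?P<value>.*)$")


def parse_switchport(text):
    """Split the show output into one dict of field -> value per interface."""
    ports = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group("key").strip(), m.group("value").strip()
        if key == "Name":          # a new interface block starts here
            current = {"Name": value}
            ports.append(current)
        elif current is not None:
            current[key] = value
    return ports


def find_negotiating_access_ports(text):
    """Return the names of non-trunk ports on which DTP is still active."""
    findings = []
    for port in parse_switchport(text):
        admin = port.get("Administrative Mode", "")
        oper = port.get("Operational Mode", "")
        nego = port.get("Negotiation of Trunking", "")
        if oper == "trunk":
            continue               # uplinks are out of scope for this check
        # Either the port was never pinned to a mode (dynamic auto/desirable),
        # or it is an access port that still sends and answers DTP hellos.
        if admin.startswith("dynamic") or (oper == "static access" and nego == "On"):
            findings.append(port["Name"])
    return findings


def remediation_config(port_names):
    """Build the IOS config lines that pin each flagged port to static access."""
    lines = []
    for name in port_names:
        lines += [f"interface {name}", " switchport mode access", "!"]
    return "\n".join(lines)


if __name__ == "__main__":
    flagged = find_negotiating_access_ports(SAMPLE_SWITCHPORT_OUTPUT)
    print("Ports still negotiating trunks:", ", ".join(flagged))
    print(remediation_config(flagged))
```

Paste the real "show interfaces switchport" output into SAMPLE_SWITCHPORT_OUTPUT (or read it from a file) and the script lists the ports to fix; after applying the generated lines, a second run should return an empty list, matching the "Negotiation of Trunking: Off" state shown above.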
