
A strange DTP information

ntrung
Level 1

Hello,

I have 2 switches, a Cat2950 and a Cat3550, connected via Fa0/10.

On my Cat2950, I configure port Fa0/10 in mode dynamic auto and the other end

with dynamic desirable. The trunking works fine, but when I look at the DTP

information, I see something strange:

DTP information for FastEthernet0/10:

TOS/TAS/TNS: TRUNK/DESIRABLE/TRUNK <---trunking is on

TOT/TAT/TNT: 802.1Q/802.1Q/802.1Q <---encap dot1q

But in the statistics:

2204 native, 2204 software encap isl, 0 isl hardware native <----- what does this mean: 2204 packets encapsulated in ISL? ---->

We all know that the Cat2950 does not support ISL, so what does this information mean?

Thanks

-------------------------------------------------

Switch3550#sh run int fa0/10

!

interface FastEthernet0/10

switchport mode dynamic desirable

end

Switch3550#sh dtp int fa0/10

DTP information for FastEthernet0/10:

TOS/TAS/TNS: TRUNK/DESIRABLE/TRUNK <---trunking is on

TOT/TAT/TNT: 802.1Q/802.1Q/802.1Q <---encap dot1q

Neighbor address 1: 000C85A5700A

Neighbor address 2: 000000000000

Hello timer expiration (sec/state): 9/RUNNING

Access timer expiration (sec/state): 279/RUNNING

Negotiation timer expiration (sec/state): never/STOPPED

Multidrop timer expiration (sec/state): never/STOPPED

FSM state: S6:TRUNK

# times multi & trunk 0

Enabled: yes

In STP: no

Statistics

----------

2200 packets received (3 good)

2197 packets dropped

0 nonegotiate, 0 bad version, 2197 domain mismatches,

0 bad TLVs, 0 bad TAS, 0 bad TAT, 0 bad TOT, 0 other

4408 packets output (4408 good)

2204 native, 2204 software encap isl, 0 isl hardware native <----- what does this mean: 2204 packets encapsulated in ISL? ---->

0 output errors

-----------------------------------------------------

and this is on Cat2950:

Switch2950#sh run int fa0/10

Building configuration...

Current configuration : 69 bytes

!

interface FastEthernet0/10

switchport mode dynamic auto

end

Switch2950#sh dtp int fa0/10

DTP information for FastEthernet0/10:

TOS/TAS/TNS: TRUNK/AUTO/TRUNK

TOT/TAT/TNT: 802.1Q/802.1Q/802.1Q

Neighbor address 1: 000DBCA8838A

Neighbor address 2: 000000000000

Hello timer expiration (sec/state): 25/RUNNING

Access timer expiration (sec/state): 294/RUNNING

Negotiation timer expiration (sec/state): never/STOPPED

Multidrop timer expiration (sec/state): never/STOPPED

FSM state: S6:TRUNK

# times multi & trunk 0

Enabled: yes

In STP: no

Statistics

----------

2212 packets received (12 good)

2200 packets dropped

0 nonegotiate, 0 bad version, 2200 domain mismatches,

0 bad TLVs, 0 bad TAS, 0 bad TAT, 0 bad TOT, 0 other

4408 packets output (4408 good)

2208 native, 2200 software encap isl, 0 isl hardware native

0 output errors

0 trunk timeouts

4 link ups, last link up on Mon Mar 01 1993, 04:26:15

3 link downs, last link down on Mon Mar 01 1993, 04:25:43

3 Replies

wong34539
Level 6

Yes, you are right. Right from the 2950 series switches, they don't support ISL, only 802.1Q. But check out the version of the IOS in your switches.

Do you get any error messages like the one below from the 3550? If so, a remedy is also provided here.

Error Message DTP-5-ILGLCFG: Illegal config (on, isl--on, dot1q) on [chars].

Explanation This message means that one end of the trunk is configured as on, ISL, and the other end is configured as on, 802.1Q. [chars] is the interface.

Recommended Action This configuration is illegal and will not establish a trunk between two switches. You must change the encapsulation type so that both ends of the trunk match.

Unfortunately, I didn't get any error message like the one you listed above.

The 2950 is running 12.1(22)EA1 and the 3550 is running 12.2(25)SEA.

I was thinking that maybe it's an IOS bug???

Thanks

------------------------------------------------

SW3550-2#sh ver

Cisco IOS Software, C3550 Software (C3550-I5Q3L2-M), Version 12.2(25)SEA, RELEASE SOFTWARE (fc)

Copyright (c) 1986-2005 by Cisco Systems, Inc.

Compiled Tue 25-Jan-05 18:57 by antonino

ROM: Bootstrap program is C3550 boot loader

SW3550-2 uptime is 8 hours, 22 minutes

System returned to ROM by power-on

System image file is "flash:/c3550-i5q3l2-mz.122-25.SEA.bin"

Cisco WS-C3550-24 (PowerPC) processor (revision J0) with 65526K/8192K bytes of memory.

Processor board ID CAT0746Y0KD

Last reset from warm-reset

Running Layer2/3 Switching Image

----------------------------------------------------

Switch_6#sh ver

Cisco Internetwork Operating System Software

IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(22)EA1, RELEASE SOFTWARE (fc1)

Copyright (c) 1986-2004 by cisco Systems, Inc.

Compiled Mon 12-Jul-04 08:18 by madison

Image text-base: 0x80010000, data-base: 0x8055C000

ROM: Bootstrap program is C2950 boot loader

Switch_6 uptime is 2 hours, 16 minutes

System returned to ROM by power-on

System image file is "flash:/c2950-i6q4l2-mz.121-22.EA1.bin"

cisco WS-C2950-24 (RC32300) processor (revision G0) with 20873K bytes of memory.

Processor board ID FOC0806Z177

Last reset from system-reset

Running Standard Image

24 FastEthernet/IEEE 802.3 interface(s)

Cisco's Dynamic Trunking Protocol (DTP) can facilitate the automatic creation of trunks between two switches. When two connected ports are configured in dynamic mode, and at least one of the ports is configured as desirable, the two switches will negotiate the formation of a trunk across the link. DTP isn't to be confused with VLAN Trunking Protocol (VTP), although the VTP domain does come into play.

DTP on the wire is pretty simple, essentially only advertising the VTP domain, the status of the interface, and its DTP type. These packets are transmitted in the native (or access) VLAN every 30 seconds, both natively and with ISL encapsulation (tagged as VLAN 1), whenever DTP is enabled. The ISL-encapsulated copy is sent even by a switch that cannot form ISL trunks, which is why a 2950 still reports a "software encap isl" count in its show dtp statistics.
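To make the "what's on the wire" description concrete, here is an added example (not code from the original post or from Cisco) that builds a DTP advertisement, decodes its TLVs, and flags the two things a defender cares about: a VTP domain that does not match the local one, and an advertisement with an on/desirable status arriving on a port that is supposed to be an access port. The frame layout (destination 01:00:0c:cc:cc:cc, LLC/SNAP with Cisco OUI 00:00:0c and PID 0x2004, a one-byte version, then type/length/value TLVs whose length counts the 4-byte header) and the bit values of the status and type bytes follow the Wireshark DTP dissector as recalled here; treat those constants as an assumption to confirm against a real capture. The sample frame is constructed.

```python
"""Decode a Cisco DTP advertisement and flag trunk-negotiation attempts.

Added example, not from the original post. Frame layout and the TLV/bit
constants follow the Wireshark DTP dissector as recalled here (assumption):
802.3 length field, LLC/SNAP AA AA 03 + OUI 00:00:0C + PID 0x2004, one-byte
DTP version, then TLVs whose 2-byte length includes the 4-byte TLV header.
"""
import struct

DTP_MCAST = bytes.fromhex("01000ccccccc")
SNAP_DTP = bytes.fromhex("aaaa03") + bytes.fromhex("00000c") + b"\x20\x04"

TLV_DOMAIN, TLV_STATUS, TLV_TYPE, TLV_SENDER = 1, 2, 3, 4

# Status byte: bit 0x80 = trunk operating status (TOS), low 3 bits = admin status (TAS).
TAS_NAMES = {0x01: "on", 0x02: "off", 0x03: "desirable", 0x04: "auto"}
# Type byte: high bits = operating encapsulation (TOT), low 3 bits = admin encapsulation (TAT).
TOT_NAMES = {0x20: "native", 0x40: "isl", 0xA0: "802.1q"}
TAT_NAMES = {0x01: "negotiated", 0x02: "native", 0x03: "isl", 0x05: "802.1q"}


def build_dtp_frame(src_mac, domain, tos_trunk, tas, tot, tat):
    """Constructed DTP frame for exercising the decoder (assumed layout)."""
    status = (0x80 if tos_trunk else 0x00) | tas
    dtype = tot | tat
    payload = b"\x01"  # DTP version 1
    for t, v in ((TLV_DOMAIN, domain.encode() + b"\x00"),   # domain is NUL-terminated
                 (TLV_STATUS, bytes([status])),
                 (TLV_TYPE, bytes([dtype])),
                 (TLV_SENDER, src_mac)):
        payload += struct.pack("!HH", t, 4 + len(v)) + v
    body = SNAP_DTP + payload
    return DTP_MCAST + src_mac + struct.pack("!H", len(body)) + body


def parse_dtp_frame(frame):
    """Return a dict of decoded fields, or None if the frame is not DTP."""
    if len(frame) < 14 + len(SNAP_DTP) + 1 or frame[:6] != DTP_MCAST:
        return None
    length = struct.unpack("!H", frame[12:14])[0]
    body = frame[14:14 + length]
    if not body.startswith(SNAP_DTP):
        return None
    pdu = body[len(SNAP_DTP):]
    info = {"version": pdu[0], "src": frame[6:12].hex(":")}
    off = 1
    while off + 4 <= len(pdu):
        t, l = struct.unpack("!HH", pdu[off:off + 4])
        if l < 4 or off + l > len(pdu):
            raise ValueError("malformed TLV at offset %d" % off)
        v = pdu[off + 4:off + l]
        if t == TLV_DOMAIN:
            info["domain"] = v.rstrip(b"\x00").decode(errors="replace")
        elif t == TLV_STATUS and v:
            info["tos"] = "trunk" if v[0] & 0x80 else "access"
            info["tas"] = TAS_NAMES.get(v[0] & 0x07, "unknown")
        elif t == TLV_TYPE and v:
            info["tot"] = TOT_NAMES.get(v[0] & 0xE0, "unknown")
            info["tat"] = TAT_NAMES.get(v[0] & 0x07, "unknown")
        elif t == TLV_SENDER:
            info["sender"] = v.hex(":")
        off += l
    return info


def assess(info, local_domain, port_is_access):
    """Classify a received advertisement against what this port should see."""
    findings = []
    if info.get("domain") != local_domain:
        # This is what 'show dtp' counts under 'domain mismatches'.
        findings.append("vtp-domain-mismatch")
    if port_is_access and info.get("tas") in ("on", "desirable"):
        # A neighbour asking to trunk on an access port is the switch-spoofing precondition.
        findings.append("trunk-negotiation-attempt-on-access-port")
    return findings


if __name__ == "__main__":
    frame = build_dtp_frame(bytes.fromhex("000c85a5700a"), "cisco", True, 0x03, 0xA0, 0x05)
    decoded = parse_dtp_frame(frame)
    print(decoded)
    print("findings on an access port in domain 'lab':", assess(decoded, "lab", True))
```

Feed real frames to parse_dtp_frame from a capture filter such as `ether dst 01:00:0c:cc:cc:cc` and run assess with the port's intended role; anything flagged on an edge port is either a misconfigured switch or a host running a trunk-negotiation tool.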

DTP is enabled by default on all modern Cisco switches. But a responsible network engineer has to ask himself, "why?" Do you really want switches to form trunks on their own? I certainly don't, for several reasons.

First, it's simply bad design; trunks should be present where they were intended, and only where they were intended. Second, leaving switch ports set to dynamic mode is a gaping security hole. If all it takes is the right DTP packet to form a trunk from an access port, an intruder who plugs into that port can negotiate a trunk (a "switch spoofing" attack) and inject traffic into, and receive traffic from, whatever VLANs are allowed on the port (by default, all of them). Fortunately, these two issues can be resolved by configuring a static switchport mode, either "access" or "trunk", as best practice dictates.

! Access port

Switch(config-if)# switchport mode access

Switch(config-if)# switchport access vlan 10

! Trunk port

Switch(config-if)# switchport mode trunk

Switch(config-if)# switchport trunk encapsulation dot1q   ! only on platforms that also support ISL (e.g. the 3550); a dot1q-only switch such as the 2950 has no encapsulation command

However, even when a port is statically configured in such a manner, DTP is still active on the port. If you've ever attempted to set up a trunk between two switches in different VTP domains and received the following error, you can thank DTP:

%DTP-5-DOMAINMISMATCH: Unable to perform trunk negotiation on port Fa0/1 because of VTP domain mismatch.

Recall that DTP advertisements include the VTP domain name. A switch won't form a trunk on a DTP-enabled port to a switch advertising a different VTP domain, even if the ports are manually configured in trunking mode. Nice, eh? Fortunately we can kill DTP once and for all with the switchport nonegotiate command on the interface. The command is accepted only on a port whose mode is statically set to access or trunk; set the mode first.

Switch(config-if)# switchport nonegotiate

This configuration prevents DTP packets from being sent, effectively disabling trunk negotiation and evaluation of the VTP domain. Apply it on every static access and trunk port, and confirm it took effect with show interfaces switchport, where the port should report "Negotiation of Trunking: Off".
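Checking every port by hand does not scale, so here is an added example (not code from the original post) that audits the interface stanzas of a saved running-config against the rules above: a port with no static mode, or in dynamic auto/desirable, will form a trunk on request; a static access or trunk port still runs DTP until switchport nonegotiate is present. The sample configuration is constructed. Because the default mode of a port with no switchport mode line depends on platform and IOS version, that case is reported as a platform default to verify rather than guessed.

```python
"""Audit an IOS running-config for ports that will still negotiate trunks.

Added example, not from the original post. Walks 'interface' stanzas of
'show running-config' text and reports each switchport's DTP exposure.
"""
import re

# Constructed sample config covering the four cases the audit distinguishes.
SAMPLE_CONFIG = """\
!
interface FastEthernet0/10
 switchport mode dynamic desirable
!
interface FastEthernet0/11
 switchport access vlan 10
 switchport mode access
!
interface FastEthernet0/12
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
!
interface FastEthernet0/13
 description uplink, defaults left alone
!
interface Vlan1
 ip address 10.0.0.1 255.255.255.0
!
end
"""

STATIC_FIX = ["switchport mode access|trunk (as intended)", "switchport nonegotiate"]


def parse_interfaces(config):
    """Map interface name -> list of its indented config lines."""
    stanzas, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            stanzas[current] = []
        elif current and line.startswith(" "):
            stanzas[current].append(line.strip())
        else:
            current = None  # '!' or 'end' closes the stanza
    return stanzas


def classify(lines):
    """Return (mode, dtp_active, remediation) for one switchport stanza."""
    mode = None
    for l in lines:
        m = re.match(r"switchport mode (access|trunk|dynamic (?:auto|desirable))$", l)
        if m:
            mode = m.group(1)
    nonegotiate = "switchport nonegotiate" in lines
    if mode is None:
        # Default mode is platform dependent (assumption: treat as negotiating until checked).
        return ("dynamic (platform default, verify)", True, STATIC_FIX)
    if mode.startswith("dynamic"):
        return (mode, True, STATIC_FIX)
    if not nonegotiate:
        # Static mode stops the port forming a trunk on request, but DTP frames still flow.
        return (mode, True, ["switchport nonegotiate"])
    return (mode, False, [])


def audit(config):
    """Return {interface: (mode, dtp_active, remediation)} for switched ports."""
    report = {}
    for name, lines in parse_interfaces(config).items():
        if name.startswith("Vlan") or any(l.startswith("ip address") for l in lines):
            continue  # SVIs and routed ports do not run DTP
        report[name] = classify(lines)
    return report


if __name__ == "__main__":
    for name, (mode, active, fix) in audit(SAMPLE_CONFIG).items():
        print("%-18s mode=%-36s dtp=%-3s %s" % (name, mode, "yes" if active else "no", " / ".join(fix)))
```

Point audit at the text of show running-config from each switch; every port reported with dtp=yes is one the text above says can still be talked into a trunk, or at least will still answer a DTP hello.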