Cisco Switchport Mode Best Practices - NETSEC



Saturday, June 8, 2013

Cisco Switchport Mode Best Practices

For Access Mode: 
switchport mode access
switchport nonegotiate
switchport access vlan 100

For Trunk Mode:
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
switchport trunk allowed vlan 10,100
switchport trunk native vlan 1

A switch port can automatically form a trunk because of DTP (Dynamic Trunking Protocol).
On access layer switches the default configuration is switchport mode dynamic auto, which means the port will not send DTP packets on its own but will actively respond once it has received one.
On distribution layer switches the default configuration is switchport mode dynamic desirable, which means the port actively sends DTP packets.

switchport mode dynamic desirable
Makes the interface actively attempt to convert the link to a trunking link. The interface becomes a trunk interface if the neighboring interface is set to trunk, desirable, or auto mode.

switchport mode access
Puts the interface into permanent nontrunking mode and negotiates to convert the link into a nontrunking link. The interface becomes a nontrunk interface even if the neighboring interface does not change.

Desirable is the default state of a switch port. It means that if the device connected to the other end of the cable tries to trunk, your switch will form a trunk, thus overriding the switchport access vlan 10 command.

If you want to get rid of this line in your config and prevent a port from trunking, you should issue the switchport mode access command.

desirable + trunk = trunk
desirable + desirable = trunk
desirable + auto = trunk
desirable + access = access

Dynamic desirable is the new default for DTP in Cisco IOS; older IOS releases use dynamic auto as the default. You can turn off DTP (so the link will no longer be seen in the desirable or auto state) using the 'switchport nonegotiate' command. This command leaves your port the way it was previously configured (explicitly as either access or trunk).
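As an added example (not code from the original post), a small Python audit that parses a constructed IOS-style running-config and flags ports left with DTP negotiation enabled: no explicit switchport mode access/trunk, a dynamic mode, or a missing switchport nonegotiate. The interface names and config text are constructed samples.

```python
# Constructed sample running-config (not from any real device).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode access
 switchport nonegotiate
 switchport access vlan 100
!
interface GigabitEthernet1/0/2
 switchport access vlan 100
!
interface GigabitEthernet1/0/23
 switchport mode dynamic desirable
!
interface GigabitEthernet1/0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
!
"""

def parse_interfaces(config: str) -> dict[str, list[str]]:
    """Map each interface name to its indented config lines."""
    interfaces: dict[str, list[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a global line ends the block
    return interfaces

def audit_dtp(config: str) -> dict[str, list[str]]:
    """Flag ports that can still negotiate a trunk via DTP."""
    findings: dict[str, list[str]] = {}
    for name, lines in parse_interfaces(config).items():
        issues = []
        mode = next((l for l in lines if l.startswith("switchport mode ")), None)
        if mode is None:  # no explicit mode: the dynamic default applies
            issues.append("no explicit switchport mode (DTP default applies)")
        elif "dynamic" in mode:
            issues.append(f"'{mode}' keeps DTP negotiation enabled")
        if "switchport nonegotiate" not in lines:
            issues.append("missing 'switchport nonegotiate'")
        if issues:
            findings[name] = issues
    return findings
```

Run it against the output of show running-config saved to a file; only the hardened access port and the explicit trunk come back clean.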
