Re: VTP Domain name or no vtp domain name if running in

From: James Ventre (messageboard@ventrefamily.com)
Date: Sun Apr 23 2006 - 08:30:10 GMT-3


Correct. Use that on both ends. Keep your native VLAN as 1 and don't
include it in the allowed VLAN list (or you can use the 802.1Q Tag All
feature). That will help prevent VLAN hopping.

James

Ben wrote:
> So I'm sure I understand where you're coming from....
>
> The default configuration for ports that you would like to become
> trunks is the following:
> interface FastEthernet0/24
> switchport mode dynamic desirable
> end
> With an optional setting of the trunking protocol (dot1q or isl)?
>
> Is this correct?
>
> Ben
>
>
> James Ventre wrote:
>> Cisco's best practice is to use DTP for trunk formations wherever
>> possible. This is suggested so you can actually trust your DTP
>> messages. When you nail up a trunk with "ON" all it takes is link on
>> that interface for it to show "trunking" when you do a "show int trunk".
>>
>> What if someone unplugged your switch and plugged in a PC? As long
>> as you've got link - it'll still say trunking. That isn't optimal.
>> With DTP/Desirable when I do a "show int trunk" and it says trunking
>> I know (with reasonable certainty) that there is a switch on the
>> other end. It really helps in troubleshooting.
>>
>> I say "with reasonable certainty" because all a hacker type needs to
>> do is sniff the port - wait for you to send a DTP packet - and
>> regurgitate it back into the switch and it'll form a trunk.
>>
>> James
>>
>>
>>
>>
>>
>> Ben wrote:
>>> I had to try it.... I guess I've always 'nailed-up' my trunks so I
>>> never discovered this.
>>>
>>> CAT2(config)#vtp domain TPSREPORT
>>> Changing VTP domain name from CCIE to TPSREPORT
>>> CAT2(config)#^Z
>>> CAT2#
>>> 9w6d: %SYS-5-CONFIG_I: Configured from console by console
>>> CAT2#
>>> 9w6d: %DTP-5-DOMAINMISMATCH: Unable to perform trunk negotiation on
>>> port Fa0/23 because of VTP domain mismatch.
>>> CAT2#
>>> 9w6d: %DTP-5-DOMAINMISMATCH: Unable to perform trunk negotiation on
>>> port Fa0/24 because of VTP domain mismatch.
>>> CAT2#show ru int fa0/23
>>> Building configuration...
>>>
>>> Current configuration : 98 bytes
>>> !
>>> interface FastEthernet0/23
>>> description to CAT1 fa 0/23
>>> switchport mode dynamic desirable
>>> end
>>>
>>> CAT2#show ru int fa0/24
>>> Building configuration...
>>>
>>> Current configuration : 98 bytes
>>> !
>>> interface FastEthernet0/24
>>> description to CAT1 fa 0/24
>>> switchport mode dynamic desirable
>>> end
>>>
>>> Ben
>>> James Ventre wrote:
>>>> Try it for yourself.
>>>>
>>>> "To autonegotiate trunking, the interfaces must be in the same VTP
>>>> domain. Use the trunk or nonegotiate keywords to force interfaces in
>>>> different domains to trunk. For more information on VTP domains, see
>>>> "Understanding and Configuring VTP."
>>>>
>>>> Trunk negotiation is managed by the Dynamic Trunking Protocol (DTP).
>>>> DTP supports autonegotiation of both ISL and 802.1Q trunks."
>>>>
>>>> http://www.cisco.com/en/US/products/hw/switches/ps663/products_configuration_guide_chapter09186a00800f0d62.html
>>>>
>>>>
>>>> James
>>>>
>>>> Matt White wrote:
>>>>
>>>> I do not believe that to be correct. For VLAN IDs to propagate from a
>>>> server to a client, you need the VTP domain to match.
>>>> For DTP to work on a trunk, one needs to be switchport dynamic auto
>>>> and the other end desirable. Trunk encapsulation will auto-negotiate
>>>> as well if left to the default.
>>>> DTP has nothing to do with VTP.
>>>> On 4/22/06, James Ventre <messageboard@ventrefamily.com>
>>>> wrote:
>>>>
>>>> Let me clarify a bit further:
>>>> For DTP to form a trunk with the other end, your VTP domain needs to
>>>> match on both ends. This would be an instance where you need to set
>>>> the domain with a mode of transparent.
>>>>
>>>> James
>>>>
>>>> James Ventre wrote:
>>>>
>>>> For DTP to form a trunk it has to match on both ends of the link.
>>>>
>>>> Hash Aminu wrote:
>>>>
>>>> Hello GS,
>>>> Just to clear this issue: if I am running in VTP Transparent mode, do
>>>> I need to make sure that the VTP domain name is the same, or configure
>>>> it at all? I feel there is no need since I am not running VTP, but can
>>>> anyone think of any situation where we need to configure the VTP domain
>>>> name in Transparent mode?
>>>> TIA
>>>> Hash
>>>>
>>>>
>>>> _______________________________________________________________________
>>>>
>>>> Subscription information may be found at:
>>>> http://www.groupstudy.com/list/CCIELab.html
>>>
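As an added example, not from the thread or any of its posters: a small Python audit of saved "show run" text that flags the two conditions James describes above, ports whose trunk state is left to DTP negotiation and trunks that carry native VLAN 1 untagged without the allowed-list pruning or tag-native workaround. The sample configuration is constructed, and treating an unconfigured port as "dynamic desirable" is an assumption about the platform default.

```python
# Constructed sample (not the thread's output): fa0/23 mirrors Ben's
# DTP-negotiated port, fa0/24 is a nailed-up trunk hardened as James advises.
SAMPLE_CONFIG = """\
interface FastEthernet0/23
 switchport mode dynamic desirable
!
interface FastEthernet0/24
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20,30-40
 switchport mode trunk
!
"""

def parse_interfaces(config):
    """Map each 'interface X' block of a running-config to its indented lines."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line in ("!", "end", ""):
            current = None
        elif current is not None:
            blocks[current].append(line)
    return blocks

def setting(lines, prefix, default):
    """Last word of the first line starting with prefix, or default when unset."""
    return next((l.split()[-1] for l in lines if l.startswith(prefix)), default)

def audit_port(lines, tag_native=False):
    """Findings for one port; an unset mode is assumed to be 'dynamic desirable'."""
    findings = []
    mode = setting(lines, "switchport mode ", "desirable")
    native = int(setting(lines, "switchport trunk native vlan ", 1))
    # Allowed list is 'a,b,c-d'; a range holds VLAN 1 only if it starts at 1,
    # so token matching is exact for VLAN 1 (add/remove/except forms not handled).
    allowed = setting(lines, "switchport trunk allowed vlan ", None)
    carries_vlan1 = allowed is None or "1" in allowed.replace("-", ",").split(",")
    if mode in ("desirable", "auto"):
        findings.append("trunk state is decided by DTP frames from the peer")
    if mode == "trunk" and native == 1 and carries_vlan1 and not tag_native:
        findings.append("native VLAN 1 is carried untagged; prune it from the allowed list or tag native")
    return findings

def audit_config(config):
    """Audit every port; a global 'vlan dot1q tag native' satisfies the native-VLAN check."""
    tag_native = "vlan dot1q tag native" in config.splitlines()
    return {n: audit_port(l, tag_native) for n, l in parse_interfaces(config).items()}
```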



This archive was generated by hypermail 2.1.4 : Mon May 01 2006 - 11:41:59 GMT-3