DTP - the Dynamic Trunking Protocol - is Cisco's way of having two directly connected switches agree on their own to form a trunk. It works. It is also a security and operational risk: a port left in one of the dynamic modes (the default on most Catalyst platforms, IOSvL2 included, is dynamic auto) will negotiate with whatever is plugged into it, so an attacker who sends DTP frames can have the switch trunk to them and gets a tagged feed of every VLAN the switch carries. Modern best practice is to take DTP out of the decision: hardcode access mode on user-facing ports, hardcode trunk mode on inter-switch links, and turn negotiation off with switchport nonegotiate. This lab shows you what DTP is doing under the hood and how to disable it.
What you will learn
- The four DTP modes: dynamic auto, dynamic desirable, trunk, access
- What "Operational Mode" tells you vs. "Administrative Mode"
- The DTP state machine via `show dtp interface`
- How to disable DTP on a port (`switchport nonegotiate`)
- The security case for hardcoding access mode on every user-facing port
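Before you open the lab, it helps to have the negotiation outcomes in one place. The Python below is an added example written for this page; it is not part of the lab files or of any Cisco tooling. It encodes the documented pairing results for the four modes, models `switchport nonegotiate` as "this side sends no DTP frames", models the attacker as a far end that behaves like a dynamic desirable port (an assumption: a real tool can also claim to be a trunk, which the model treats the same way), and audits a `show interfaces switchport` listing that is constructed in the IOS layout rather than captured from the lab. The interface commands returned by `hardening_lines` are real IOS commands; the note that IOSvL2 needs `switchport trunk encapsulation dot1q` before `switchport mode trunk` reflects IOSvL2 and older Catalyst behaviour.

```python
"""DTP negotiation model plus an audit of `show interfaces switchport` output.
Added example for this page, not part of the lab files or of Cisco tooling:
pairing results follow the documented DTP outcome table, `switchport nonegotiate`
is modelled as "sends no DTP frames", and the show output is constructed."""
import re

ACCESS, AUTO, DESIRABLE, TRUNK = "access", "dynamic auto", "dynamic desirable", "trunk"


def operational_mode(admin, peer_admin, peer_nonegotiate=False):
    """One side's operational mode given its own admin mode and the peer's.
    access/trunk are hardcoded and ignore the peer. dynamic desirable trunks with
    any peer that answers DTP (auto, desirable, trunk); dynamic auto only trunks
    when the peer asks (desirable, trunk). A nonegotiate peer sends no DTP
    frames, so it never talks a dynamic port into trunking, even if it is a trunk."""
    if admin in (ACCESS, TRUNK):
        return admin
    if peer_nonegotiate:
        return ACCESS
    if admin == DESIRABLE:
        return TRUNK if peer_admin in (AUTO, DESIRABLE, TRUNK) else ACCESS
    if admin == AUTO:
        return TRUNK if peer_admin in (DESIRABLE, TRUNK) else ACCESS
    raise ValueError(f"unknown switchport mode: {admin!r}")


def negotiate(a, b, a_noneg=False, b_noneg=False):
    """Return (side_a_oper, side_b_oper). Unequal results are a one-sided trunk,
    the 'limited connectivity' row of Cisco's pairing table."""
    for mode, noneg in ((a, a_noneg), (b, b_noneg)):
        if noneg and mode not in (ACCESS, TRUNK):
            raise ValueError("IOS only accepts nonegotiate in access or trunk mode")
    return operational_mode(a, b, b_noneg), operational_mode(b, a, a_noneg)


def attacker_gets_trunk(switch_admin, switch_noneg=False):
    """Assumption: an attacker on the far end sends DTP frames like a dynamic
    desirable port. Does the switch port agree to trunk with it?"""
    switch_side, _ = negotiate(switch_admin, DESIRABLE, a_noneg=switch_noneg)
    return switch_side == TRUNK


def hardening_lines(role):
    """Interface commands that take DTP out of the decision. IOSvL2, like older
    Catalysts, rejects 'switchport mode trunk' until the encapsulation is pinned."""
    if role == "access":
        return ["switchport mode access", "switchport nonegotiate"]
    if role == "trunk":
        return ["switchport trunk encapsulation dot1q", "switchport mode trunk",
                "switchport nonegotiate"]
    raise ValueError(role)


# Constructed sample in the layout of `show interfaces switchport`, trimmed to the
# fields used here; not captured from the lab.
SHOW_SWITCHPORT = """\
Name: Gi0/1
Administrative Mode: dynamic auto
Operational Mode: static access
Negotiation of Trunking: On

Name: Gi0/2
Administrative Mode: static access
Operational Mode: static access
Negotiation of Trunking: Off

Name: Gi1/0
Administrative Mode: trunk
Operational Mode: trunk
Negotiation of Trunking: On
"""


def parse_switchport(text):
    """Split the show output into {interface: {field: value}}."""
    ports = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = dict(line.split(": ", 1) for line in block.splitlines() if ": " in line)
        ports[fields["Name"]] = fields
    return ports


def dtp_findings(text):
    """Ports that still take part in DTP. Returns {interface: reason}."""
    findings = {}
    for name, f in parse_switchport(text).items():
        admin = f.get("Administrative Mode", "")
        if admin.startswith("dynamic"):
            findings[name] = f"{admin}: a DTP peer can negotiate this port into a trunk"
        elif f.get("Negotiation of Trunking") == "On":
            findings[name] = f"{admin} but still speaks DTP: add 'switchport nonegotiate'"
    return findings


if __name__ == "__main__":
    print("default port vs attacker:", attacker_gets_trunk(AUTO))                  # True
    print("hardened access port vs attacker:", attacker_gets_trunk(ACCESS, True))  # False
    for port, reason in dtp_findings(SHOW_SWITCHPORT).items():
        print(port, "->", reason)
```

Two results are worth keeping in mind while you work through the lab: a default dynamic auto port facing an attacker ends up trunking, and a trunk with `switchport nonegotiate` facing a dynamic desirable port produces a one-sided trunk (the trunk side is up, the desirable side falls back to access), which is why both ends of an inter-switch link are hardcoded together.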
What this lab does NOT cover
- VLAN hopping attacks (we cover the defense, not the offensive tooling)
- VTP - that was na-03
Topology
Download the STP+VLAN Reference Lab (.yaml)
Drop this into CML's Import dialog. Three IOSvL2 switches in a triangle with VLANs 10/20/99, dot1q trunks, rapid-PVST root election, and an LACP EtherChannel between SW1 and SW2.