cisco hands-on experience


switchport nonegotiate

During my work as a network engineer I stumbled across the switchport nonegotiate command and
never cared about it. There was no need for me to know or to configure this command.
But last week, while troubleshooting, I decided to take a deeper look into ‘switchport nonegotiate’.

  • What does the ‘switchport nonegotiate’ command actually do?
  • Is it useful to configure it?
  • Do I really need an automatism that forces the port to become a trunk or an access port?


Preface


Enabling Trunking

Trunk links are required to pass VLAN information between switches. A port on a Cisco switch is either an access port or a trunk port. Access ports belong to a single VLAN and do not add any identifying marks to the frames that are passed between switches. Access ports also carry only the traffic of the VLAN assigned to the port. A trunk port is by default a member of all the VLANs that exist on the switch and carries traffic for all those VLANs between the switches. To distinguish between the traffic flows, a trunk port must mark the frames with special tags as they pass between the switches. Trunking is a function that must be enabled on both sides of a link. If two switches are connected together, for example, both switch ports must be configured for trunking, and they must both be configured with the same tagging mechanism (ISL or 802.1Q).

Dynamic Trunking Protocol (DTP) is a standard feature of Cisco switches and allows two switches to dynamically configure the interfaces interconnecting them as trunk ports. DTP has five modes: auto (default), on, off, desirable and nonegotiate. The following table lists the DTP modes and their effects:

switchport negotiate modes

mode         behavior
-----------  ----------------------------------------------------------------------------------------------------
auto         The default setting. The port is willing to convert to trunking, but it will not trunk unless the neighbor is set to on or desirable. When two switches are connected together and both are set to auto, they will NOT trunk.
on           Forces the port to be a trunk regardless of the neighbor’s settings.
off          Forces the port to not trunk, even if the neighbor is set to on.
desirable    The port actively attempts to become a trunk; the neighbor has to be set to on, desirable or auto.
nonegotiate  Forces the port to be a trunk but disables DTP frames between the two switches. This is useful when you are working with non-Cisco equipment and just want to ensure that the ports won’t do anything you do not want them to.
comparison CATOS vs. IOS

CATOS                                                           IOS
--------------------------------------------------------------  -----------------------------------------------------
set trunk mod/port [auto | desirable | on | nonegotiate | off]  (global)    interface type mod/port
                                                                (interface) switchport mode dynamic [auto | desirable]
                                                                (interface) switchport mode trunk
                                                                (interface) switchport nonegotiate

The table above shows some differences between IOS and CATOS. But I think that nowadays we have to look at the IOS commands; the CATOS column is there for comparison purposes only.

Behavior of a Layer 2 Switch (Catalyst 2960)

The lab is built as follows: two Catalyst 2960 switches, one at the top and one at the bottom.
I named the switches top and bottom. Both are connected with a ‘Straight Through’ patch cable, and mdix auto is on on both switches.

++++ trunk and access port are functional and the trunk will be negotiated ++++
++++ settings –> dynamic desirable ++++

Layer2 Switch 2960
CAT2960_top#
description testport
switchport access vlan 2
switchport trunk encapsulation dot1q
switchport mode dynamic desirable
spanning-tree portfast

CAT2960_bottom#
description testport
switchport trunk encapsulation dot1q
switchport mode dynamic desirable
spanning-tree portfast
end

With this configuration the switches automatically negotiate a trunk when the cable is patched between the appropriate switchports of the bottom and the top switch.
When I patched a client to the top switch instead, the switchport came up as an access port in VLAN 2.
If you now enter the command ‘switchport nonegotiate’ you get the output
Command rejected: Conflict between ‘nonegotiate’ and ‘dynamic’ status.

In my opinion this configuration is a security weakness, because whatever is plugged into the port can negotiate a trunk with it via DTP.

++++ only the access port is functional and the trunk will not be negotiated ++++
++++ settings –> switchport mode dynamic auto ++++

Layer2 Switch 2960
CAT2960_top#
description testport
switchport access vlan 2
switchport trunk encapsulation dot1q
switchport mode dynamic auto   (not shown in the running-config because it is the default value)
spanning-tree portfast

CAT2960_bottom#
description testport
switchport trunk encapsulation dot1q
switchport mode dynamic auto   (not shown in the running-config because it is the default value)
spanning-tree portfast
end

The trunk will not be negotiated. The switchport on the top switch acts only as an access port when a
client (PC) is patched. And also:
if you now enter the command ‘switchport nonegotiate’ you get the output
Command rejected: Conflict between ‘nonegotiate’ and ‘dynamic’ status.

++++ trunk and access port are functional and the trunk will be negotiated ++++
++++ settings –> no switchport nonegotiate ++++

Layer2 Switch 2960
CAT2960_top#
description testport
switchport mode access
no snmp trap link-status
no switchport nonegotiate
spanning-tree bpdufilter enable
end

CAT2960_bottom#
description testport
switchport mode access
no snmp trap link-status
no switchport nonegotiate
spanning-tree bpdufilter enable

++++ only an access port is functional and the trunk will not be negotiated ++++
++++ settings –> switchport nonegotiate ++++

Layer2 Switch 2960
CAT2960_top#
description testport
switchport mode access
no snmp trap link-status
switchport nonegotiate
spanning-tree bpdufilter enable
end

CAT2960_bottom#
description testport
switchport mode access
no snmp trap link-status
switchport nonegotiate
spanning-tree bpdufilter enable

Summary for Layer2 switches
  • switchport mode access = the port forms an access port or a trunk
    you can’t enter the command ‘switchport nonegotiate’ if the port is set to ‘switchport mode dynamic auto | desirable’
  • no switchport nonegotiate = the port forms an access port or a trunk
  • switchport nonegotiate = the port forms only an access port
  • switchport mode dynamic auto (on both sides) = no trunk will be formed
  • switchport mode dynamic desirable (on one side) = a trunk will be formed


Summary for Layer3 switches
  • switchport mode access = the port will form an access port
  • switchport mode trunk = the port will form a trunk port
  • switchport mode dynamic auto | desirable = with auto on both sides no trunk will be formed unless the command ‘switchport mode trunk’ is explicitly configured



In my own opinion, the only reasons to use ‘switchport nonegotiate’ are these: you don’t want to propagate DTP messages on the appropriate port; you have an uplink to a router and want to prevent sending DTP packets; you use components from third-party vendors; and, last, you want to prevent VLAN hopping.
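As an added example (my own code, not from the post or from Cisco), the following Python turns the DTP mode table from the preface and the lab summaries above into something you can run against a config: port_state() gives the outcome of each mode pairing per the table, and audit() parses IOS-style interface stanzas and flags ports on which a neighbour could still negotiate a trunk or which still send DTP frames. The interface names and the running-config text are constructed to mirror the four lab cases; mapping the table’s “on” to ‘switchport mode trunk’ and its “nonegotiate” to ‘switchport mode trunk’ plus ‘switchport nonegotiate’ is my reading of the CATOS/IOS comparison, not a statement from the post.

```python
# Added example (not from the original post): a model of the post's DTP mode
# table plus an audit of IOS interface stanzas; the config text is constructed.
import re

DYNAMIC_MODES = {"auto", "desirable"}

def port_state(mode: str, neighbor: str) -> str:
    """'trunk' or 'access' for a port in `mode` facing `neighbor`, per the
    post's table; a nonegotiate neighbour sends no DTP, so a dynamic port
    facing it hears no request and stays access."""
    if mode in ("on", "nonegotiate"):
        return "trunk"
    if mode == "desirable" and neighbor in ("on", "desirable", "auto"):
        return "trunk"
    if mode == "auto" and neighbor in ("on", "desirable"):
        return "trunk"
    return "access"

def link_outcome(a: str, b: str) -> tuple:
    """(state of side a, state of side b, agree?); False = mismatched link."""
    sa, sb = port_state(a, b), port_state(b, a)
    return sa, sb, sa == sb

IFACE_RE = re.compile(r"^interface\s+(\S+)")

def parse_interfaces(config: str) -> dict:
    """Split a running-config into {interface name: [its indented lines]}."""
    result, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        m = IFACE_RE.match(raw)
        if m:
            current = m.group(1)
            result[current] = []
        elif current is not None and raw.startswith(" "):
            result[current].append(raw.strip())
        else:
            current = None  # any unindented line ends the interface block
    return result

def dtp_mode(lines: list) -> str:
    """Effective DTP mode in the table's vocabulary. No 'switchport mode' line
    is the IOS default, dynamic auto (the post's second lab stanza relies on
    that); 'mode access' is off; 'mode trunk' is on, or nonegotiate when
    'switchport nonegotiate' is present as well."""
    mode = "auto"
    for line in lines:
        if line == "switchport mode access":
            mode = "off"
        elif line == "switchport mode trunk":
            mode = "on"
        elif line.startswith("switchport mode dynamic "):
            mode = line.split()[-1]
    if mode == "on" and "switchport nonegotiate" in lines:
        return "nonegotiate"
    return mode

def audit(config: str) -> dict:
    """One finding per switchport. 'ok' = static access or trunk with
    'switchport nonegotiate', so the far end cannot negotiate anything."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        if not any(line.startswith("switchport") for line in lines):
            continue  # routed port or SVI: no layer-2 mode to judge
        mode = dtp_mode(lines)
        if mode in DYNAMIC_MODES:
            findings[name] = f"dynamic {mode}: the neighbour can negotiate a trunk"
        elif "switchport nonegotiate" not in lines:
            findings[name] = "static mode but DTP still sent: add 'switchport nonegotiate'"
        else:
            findings[name] = "ok"
    return findings

# Constructed sample (interface names are assumptions) mirroring the lab:
# dynamic desirable, default auto, access without and access with nonegotiate.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport access vlan 2
 switchport mode dynamic desirable
 spanning-tree portfast
interface GigabitEthernet0/2
 switchport access vlan 2
 spanning-tree portfast
interface GigabitEthernet0/3
 switchport mode access
 no switchport nonegotiate
 spanning-tree bpdufilter enable
interface GigabitEthernet0/4
 switchport mode access
 switchport nonegotiate
 spanning-tree bpdufilter enable
interface Vlan1
 ip address 192.0.2.10 255.255.255.0
"""

if __name__ == "__main__":
    for iface, finding in audit(SAMPLE_CONFIG).items():
        print(f"{iface}: {finding}")
```

Running it reports the first two sample ports as negotiable (dynamic desirable and the hidden default dynamic auto), the access port without nonegotiate as still sending DTP, and only the port with ‘switchport mode access’ plus ‘switchport nonegotiate’ as ok, which is exactly the combination the post’s last lab case ends up with.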
