Cisco – Is DTP enabled by default on the newest Cisco devices

Tags: cisco, cisco-ios, switch, trunk

Is DTP (Dynamic Trunking Protocol) enabled by default on the newest Cisco devices?

I have been using Cisco 2960 switches and DTP is enabled by default. I was wondering if this was the same for the latest and greatest switches? I am assuming it depends on the IOS version and I couldn't find anything specific for the newest versions.

The reason I ask is because I was doing a demonstration of a VLAN hopping attack in which you first initiate trunking from your attacking device. Then once you get the trunk (assuming DTP is enabled) you can use 802.1Q double-tagging to reach a device outside of the native VLAN. At the end of the demonstration, I was asked if the newest Cisco devices still enabled DTP by default and told the person I would get back to them.

Thanks!

Best Answer

The newest small campus access switches are 2960X switches, and they still have DTP enabled by default.

Nexus switches are designed for datacenter use, not for user-facing ports.

DTP is also enabled by default on 3850s, 3650s, and every other switch I get my hands on.

I'm still waiting on a global disable command for it - a 'no dtp run' or similar. For the time being, it's still strongly recommended to hardcode your port as an access or trunk port, configure "switchport nonegotiate" on the port, and for trunk ports, configure a dead VLAN as the native (I like to use 999 and make sure it doesn't exist in my VLAN database).
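To check which ports actually follow the recommendations in the answer above, here is an added Python audit script (not from the post, nor a Cisco tool) that walks a constructed `show running-config` excerpt and flags interfaces where DTP can still negotiate or where a trunk keeps VLAN 1 as native; the interface names and VLAN numbers are assumed sample values.

```python
# Constructed sample excerpt of a Cisco IOS running-config (not from the post).
# Gi1/0/1 is a default port, Gi1/0/2 and Gi1/0/3 follow the answer's hardening,
# Gi1/0/4 was hardcoded as a trunk but got neither nonegotiate nor a dead native.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 description untouched default port
!
interface GigabitEthernet1/0/2
 switchport mode access
 switchport nonegotiate
!
interface GigabitEthernet1/0/3
 switchport trunk native vlan 999
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet1/0/4
 switchport mode trunk
!
"""

def parse_interfaces(config):
    """Return {interface name: [stripped config lines]} for each interface stanza."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a global line ends the stanza
    return interfaces

def audit_dtp(config):
    """Flag ports where DTP can still negotiate, or where a trunk keeps native VLAN 1."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        issues = []
        mode = next((l.split()[2] for l in lines if l.startswith("switchport mode ")), None)
        if mode not in ("access", "trunk"):
            issues.append("mode not hardcoded (default dynamic, DTP negotiates)")
        if "switchport nonegotiate" not in lines:
            issues.append("missing 'switchport nonegotiate'")
        native = [l.split()[-1] for l in lines if l.startswith("switchport trunk native vlan ")]
        if mode == "trunk" and (not native or native[-1] == "1"):
            issues.append("trunk native VLAN is 1")
        if issues:
            findings[name] = issues
    return findings
```

Feed it the output of `show running-config` from a real switch and every port listed in the result is one that still needs the hardcoded mode, `switchport nonegotiate`, or a dead native VLAN applied.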