Cisco: vlan access port configured with switchport mode dynamic desirable

Can someone tell me why a port on a switch would be configured with:

interface FastEthernet 0/12
switchport access vlan 10
switchport mode dynamic desirable
end


I'm asking this because "switchport mode dynamic desirable" is considered a security vulnerability in our scans, and I'm wondering what the risk of removing "switchport mode dynamic desirable" would be.

Thank you,
Dave
Asked by dsterling

3 Solutions
Don Johnston (Instructor) commented:
With the port configured as "dynamic desirable", the port will become a trunk if it can successfully negotiate with another device that is running DTP. This is done so when a switch is connected to the port, it automatically becomes a switch. Which means that the other device (usually a switch but not necessarily) would be able to communicate with all VLANs. So if it's NOT a switch, then you've just provided that device access to all your VLANs.

Forcing the port to access mode is a best practice on ports that are not connected to other switches and supposed to be trunk links.

So configuring the port with "switchport mode access" would be prudent... Unless you want it to be a trunk.

Craig Beck commented:
Further to what donjohnston said, if you really don't want DTP on that port (or your security scan still flags it as a risk) you should use the nonegotiate command to disable DTP on that port...

interface FastEthernet 0/12
switchport access vlan 10
! IOS rejects "switchport nonegotiate" while the port is still in a dynamic mode,
! so the mode must be set to access (or trunk) first
switchport mode access
switchport nonegotiate
end

Akinsd (Network Administrator) commented:
To answer your questions:

Can someone tell me why a port on a switch would be configured with:

interface FastEthernet 0/12
switchport access vlan 10
switchport mode dynamic desirable
end

The ports were probably never fully configured aside from assigning VLANs to them.
All switches (at least Cisco) are configured to dynamic desirable by default. Cisco intended to make the switches usable out of the box, especially for less experienced engineers.

I'm wondering what the risk of removing "switchport mode dynamic desirable" would be?

There is no risk removing it. It is actually safer and best practice to configure all designated ports as access ports and shutdown all unused ports.

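The three answers above amount to an audit rule: any port whose mode is dynamic, or that has no "switchport mode" line at all (so the platform default applies), can still negotiate a trunk, and even an explicit access port keeps sending DTP frames until "switchport nonegotiate" is added. The following script is an added example, not code from the thread, that applies that rule to an IOS-style running-config; the config excerpt it parses is constructed for illustration and the interface names in it are made up.

```python
# Constructed sample running-config (not from the thread): an explicit dynamic port,
# a port with no mode line (platform default), and two hardened ports.
SAMPLE_CONFIG = """\
interface FastEthernet0/12
 switchport access vlan 10
 switchport mode dynamic desirable
!
interface FastEthernet0/13
 switchport access vlan 10
!
interface FastEthernet0/14
 switchport access vlan 10
 switchport mode access
 switchport nonegotiate
!
interface GigabitEthernet0/1
 description uplink to core
 switchport mode trunk
 switchport nonegotiate
!
"""

def parse_interfaces(config):
    """Return {interface_name: [stripped config lines]} from an IOS-style config."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current and line.startswith(" "):
            interfaces[current].append(line.strip())
        elif line.startswith("!"):
            current = None          # end of the interface stanza
    return interfaces

def audit_dtp(config):
    """Map each port where DTP can still act to a remediation string.

    Flagged: mode 'dynamic' (desirable or auto) or no mode line at all, because
    the default on the switches discussed above is dynamic; also flagged, with a
    milder message, is an access/trunk port that lacks 'switchport nonegotiate'.
    """
    findings = {}
    for name, lines in parse_interfaces(config).items():
        mode = next((l.split()[2] for l in lines if l.startswith("switchport mode ")), None)
        if mode in (None, "dynamic"):
            findings[name] = ("DTP can negotiate a trunk; set 'switchport mode access' "
                              "and 'switchport nonegotiate'")
        elif "switchport nonegotiate" not in lines:
            findings[name] = f"mode {mode} is fixed but DTP frames are still sent; add 'switchport nonegotiate'"
    return findings
```

Run it over a real "show running-config" dump to list the ports the scan is complaining about, along with the fix each one needs.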