Cisco: vlan access port configured with switchport mode dynamic desirable

Can someone tell me why a port on a switch would be configured with:

interface FastEthernet 0/12
switchport access vlan 10
switchport mode dynamic desirable
end


I'm asking this because the "switchport mode dynamic desirable" is considered a security vulnerability in our scans, and I'm wondering what the risk is of removing the "switchport mode dynamic desirable" would be?

Thank you,
Dave
dsterlingAsked:
Who is Participating?
 
Craig BeckConnect With a Mentor Commented:
Further to what donjohnston said, if you really don't want DTP on that port (or your security scan still flags it as a risk) you should use the nonegotiate command to disable DTP on that port...

interface FastEthernet 0/12
switchport access vlan 10
switchport nonegotiate
end
0
 
Don JohnstonConnect With a Mentor InstructorCommented:
With the port configured as "dynamic desirable", the port will become a trunk if it can successfully negotiate with another device that is running DTP.  This is done so when a switch is connected to the port, it automatically becomes a switch. Which means that other device (usually a switch but not necessarily) would be able to communicate with all VLANs. So if it's NOT a switch, then you've just provided that device access to all your VLANs.

Forcing the port to access mode is a best practice on ports that are not connected to other switches and supposed to be trunk links.

So configuring the port with "switchport mode access" would be prudent... Unless you want it to be a trunk.
0
 
AkinsdConnect With a Mentor Network AdministratorCommented:
To answer your questions.

Can someone tell me why a port on a switch would be configured with:

interface FastEthernet 0/12
switchport access vlan 10
switchport mode dynamic desirable
end

The ports were probably never fully configured aside from assigning vlans to them
All switches (at least Cisco) are configured to dynamic desirable by default. Cisco intended to make the switches usable out of the box especially for less experienced engineers.

I'm wondering what the risk is of removing the "switchport mode dynamic desirable" would be?

There is no risk removing it. It is actually safer and best practice to configure all designated ports as access ports and shutdown all unused ports.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.