DTP LAB: Why You Should Avoid Dynamic Trunking Protocol (DTP) - Wireshark
What is DTP?
INTRODUCTION
Dynamic Trunking Protocol is a Cisco proprietary protocol that allows a trunk to be formed without much configuration. It simply streamlines the
configuration of trunk and access ports based on DTP datagram messages.
A negotiation process takes place based on those DTP messages.
DTP messages are sent by what I call the "influence" switch. This is the switch that is actively trying to convert the other side to form an 802.1Q
encapsulated trunk link.
In my personal opinion DTP should never be used, and I will explain the reasoning behind that opinion. I will also provide you with a demonstration of the
actual reason!
However, before I go further, I will provide an in-depth explanation of what DTP is and how negotiation occurs between two switches. It's
crucial that we understand what DTP is, the conditions under which DTP datagram messages are exchanged, and what these messages look like
in real time. Gaining both a static and a dynamic overview of DTP will help us understand why it should never be used in a production
environment.
2/13/2024 2
What is DTP?
DTP has two main modes: dynamic desirable and dynamic auto. Depending on the outcome of the negotiation process, a link will be either
a trunk or an access link.
The fundamental purpose of DTP is to ease the initial configuration of a switch port. The other major advantage of DTP is to prevent port
configuration errors.
When a switchport has DTP dynamic desirable enabled, it will constantly send DTP datagram messages to the connected switch port.
These messages actively try to convert the connected switchport into a trunk with 802.1Q or ISL encapsulation, allowing VLANs to
traverse between switches.
How Does DTP work?
The diagram above visualises these messages being sent by the DTP dynamic desirable switch port to the other
switch in an attempt to "influence" the connected port into becoming a trunk.
DTP dynamic auto mode is a passive switchport that waits for incoming DTP datagram messages; it too sends DTP messages to
notify the neighbouring switchport of its status. By default a DTP dynamic auto port operates as an access port; however, upon receiving DTP datagram messages
from a static trunk or a DTP dynamic desirable port, it will automatically convert itself into a trunk. By default the majority of
Cisco switch ports are in DTP dynamic auto mode.
DEEP DIVE: DTP Data TLV
The DTP protocol uses TLVs to encode its data. TLV stands for Type, Length, Variable (the value). It's the element within the DTP protocol that's used to
describe and encode data. The Type and Length fields of a DTP TLV are fixed in size; the Value field is variable.
The type field indicates what the data is, the length field gives the length in octets (bytes, because the data is serialised), and
the value field carries the actual data.
TLV is essentially the encoding scheme utilised by DTP.
TLV is a type of data structure that provides a variable/dynamic protocol header.
To understand TLV, one has to go back to protocols with a fixed header such as TCP. The majority of lower-layer protocols (layers 2 to 4) have a
fixed header, for example the IEEE Ethernet frame, IP and TCP. The common denominator of these protocols is that they have a fixed, predefined
header.
DEEP DIVE: DTP Data TLV
A TLV packet header has the following format:
⚫ Type: the defined type of the data (e.g. date/string/boolean etc.)
⚫ Value: the attribute and its value
⚫ Length: in bytes
Protocols that rely heavily on TLVs are DTP, VTP, CDP and LLDP, as well as dynamic routing protocols such as IS-IS and EIGRP.
Wireshark capture of DTP TLV Packets
⚫ DTP Dynamic Auto
⚫ (T)Type
⚫ (L)Length
⚫ (V)Value
Wireshark capture of DTP TLV Packets
⚫ DTP Dynamic Desirable
⚫ (T)Type
⚫ (L)Length
⚫ (V)Value
VLAN Hopping on DTP
⚫ The following interface, Gi1/0/1, has been set to dynamic auto
⚫ It’s connected to the attacker’s PC
⚫ The static access switchport is VLAN 10
VLAN Hopping on DTP
⚫ The attacker launches Yersinia
⚫ Yersinia is a packet-crafting tool
⚫ It's a Layer 2 penetration testing tool on Linux
VLAN Hopping on DTP
⚫ The attacker sends spoofed TLV packets
⚫ In this case it's a Dynamic Desirable TLV
⚫ The Value field of the Status TLV is 0x83
VLAN Hopping on DTP
⚫ The attacker has now changed the static access port into a trunk port
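To tie the TLV slides to the attack slides, here is an added example (my own code, not part of the original deck or of Yersinia) that decodes the DTP TLVs from a raw frame and raises an alert when a Status value such as 0x83 (trunk/desirable) arrives on a port that is supposed to stay an access port. The two sample frames and the source MAC are constructed for the example, not captured.

```python
import struct
from typing import Optional

DTP_MAC = bytes.fromhex("01000ccccccc")              # multicast destination used by DTP
SNAP_DTP = bytes.fromhex("aaaa03" "00000c" "2004")    # LLC/SNAP, Cisco OUI, protocol id 0x2004
TAS = {1: "on", 2: "off", 3: "desirable", 4: "auto"}  # Trunk Administrative Status, low nibble

# Constructed sample frames, not captures: what a dynamic desirable port (status 0x83) and a
# dynamic auto port (status 0x04) put on the wire. The source MAC 00:11:22:33:44:55 is made up.
_HEAD = ("01000ccccccc" "001122334455" "0022"   # dst, src, 802.3 length 34
         "aaaa0300000c2004" "01")               # SNAP header, DTP version 1
_TAIL = ("00030005a5"                           # TLV 3: DTP type, 0xa5 = 802.1Q
         "0004000a001122334455")                # TLV 4: neighbour (sender MAC)
# TLV 1 = domain ("" plus NUL), TLV 2 = status; each TLV is 2-byte type, 2-byte length incl. header
DESIRABLE_FRAME = bytes.fromhex(_HEAD + "0001000500" + "0002000583" + _TAIL)
AUTO_FRAME = bytes.fromhex(_HEAD + "0001000500" + "0002000504" + _TAIL)

def parse_dtp(frame: bytes) -> dict:
    """Decode the TLVs of a DTP frame; raises ValueError for anything that is not well-formed DTP."""
    if frame[0:6] != DTP_MAC or frame[14:22] != SNAP_DTP:
        raise ValueError("not a DTP frame")
    body, tlvs, off = frame[22:], {}, 1            # byte 0 of the body is the version
    while off + 4 <= len(body):
        t, length = struct.unpack("!HH", body[off:off + 4])
        if length < 4 or off + length > len(body):
            raise ValueError("malformed TLV")
        tlvs[t] = body[off + 4:off + length]
        off += length
    if len(tlvs.get(2, b"")) != 1:
        raise ValueError("status TLV missing")
    status = tlvs[2][0]
    return {
        "domain": tlvs.get(1, b"").rstrip(b"\x00").decode(errors="replace"),
        "status": status,
        "tos": "trunk" if status & 0x80 else "access",   # Trunk Operating Status, bit 7
        "tas": TAS.get(status & 0x0f, "unknown"),
        "neighbor": ":".join(f"{b:02x}" for b in tlvs.get(4, b"")),
    }

def dtp_alert(frame: bytes, expected_mode: str) -> Optional[str]:
    """Alert when a port that should stay access receives a DTP frame asking to form a trunk."""
    try:
        info = parse_dtp(frame)
    except ValueError:
        return None
    if expected_mode == "access" and info["tas"] in ("on", "desirable"):
        return (f"DTP status 0x{info['status']:02x} ({info['tos']}/{info['tas']}) "
                f"from {info['neighbor']}: trunk negotiation attempted on an access port")
    return None
```

The alert is the detection side; the fix on the switch is to hard-code `switchport mode access` together with `switchport nonegotiate` so the port never answers DTP at all.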