switchport mode {access | trunk }

Folks:
when configuring a trunk or access port, is it best practice to always configure the mode of the port? I understand that the IOS of switch can dynamicly use the port for a trunk port and ignore the VLAN configuration; however, won't only the ports that have a cable to another switch become a trunk port?

Find more posts tagged with

SAVE $250 on Your Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View Boot Camps

Comments

hexem

Hard cording is always best practise when it comes to switchports. This prevents any attacks attempting to form a trunk with the switch with custom dtp packets or in general any user who may attempt to plug a switch into the network somewhere (altho not a problem unless it's cisco) but best done for peace of mind.

switchport mode nonegotiate is best used where ever possible, both on trunks and access ports.

e24ohm

hexem wrote: »

Hard cording is always best practise when it comes to switchports. This prevents any attacks attempting to form a trunk with the switch with custom dtp packets or in general any user who may attempt to plug a switch into the network somewhere (altho not a problem unless it's cisco) but best done for peace of mind.

switchport mode nonegotiate is best used where ever possible, both on trunks and access ports.

thanks for the help mate!!! Cheers

e24ohm

hexem wrote: »

Hard cording is always best practise when it comes to switchports. This prevents any attacks attempting to form a trunk with the switch with custom dtp packets or in general any user who may attempt to plug a switch into the network somewhere (altho not a problem unless it's cisco) but best done for peace of mind.

switchport mode nonegotiate is best used where ever possible, both on trunks and access ports.

If the switchport nonnegotiate interface subcommand is used, the port will not swtich to dynamically trunking, but you mention to perform this on trunk ports. will the port still trunk; however, it will manually need to be set with the switchport mode trunk?

Forsaken_GA

You're best off setting the mode you want on purpose because different switch models have different defaults set. For example, 3550's have switchport mode dynamic desirable set by default for all the fast ethernet ports. This could result in a trunk forming where you didn't want one. This is why when I'm configuring a new switch, one of the very first things I do (using the range commands) is A) issue shutdown for all ports

set all ports as switchport mode access

That way for anything else, I'll have to explicitly allow it