trunk and switchport status

Ok, I've been staring at configs all day. For some reason this config has me baffled, does it not look right?

interface fastethernet0/20
switchport access vlan 10
switchport trunk encapsulation dot1q
switchport mode trunk

Now help me understand why the switchport would be set to "access vlan 10" when it is also set to "mode trunk" as well as using encapsulation dot1q.

Clearly it looks like the fellow who did this is expecting to trunk on this port no?

So what is the significance of trying to apply it to vlan 10?

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

WillTech105

"interface fastethernet0/20
switchport access vlan 10
switchport trunk encapsulation dot1q
switchport mode trunk"

Yeah that vlan10 looks little funny. dot1 and trunk look OK but thats actually a pretty good question. Is there any reason to assign the trunk port in a VLAN? I'm sure with VLAN purning the trunk would still work. Maybe theres some reason for it being in VLAN10 -- is there a description for the vlan?

Heero

I believe all it does is set the vlan if the interface is not trunking, and since it is set to trunking only, the line is irrelevant. If you had a dynamic trunk, that line would be helpful for when the port was not trunking.

kyoji

My guess is for security. Perhaps he meant to use "switchport trunk native vlan"? Security wise, you should never leave any thing in the default vlan.

For a good read, Google: "Virtual LAN Security: weaknesses and countermeasures".

notgoing2fail

Thanks for the suggestions guys.

There is no comments about this port so it's really up to me to either assume it was intentional or it was just a misuse of the commands. Tough to say, thought maybe it was worth posting here to see if others have ran into anything like this?

*BB*

If the port was previously an access port set to access vlan 10, then changed to a trunk, the "switchport access vlan 10" statement will remain regardless.

If they are not using vlan 10 for anything, it doesnt explain why it was configured in the first place. Are they not using vlan 10?

notgoing2fail

*BB* wrote: »

If the port was previously an access port set to access vlan 10, then changed to a trunk, the "switchport access vlan 10" statement will remain regardless.

If they are not using vlan 10 for anything, it doesnt explain why it was configured in the first place. Are they not using vlan 10?

They are, VLAN 10 is the primary network. What you just said seems to make the most sense.

So the port was probably apart of VLAN10, and at some point, someone must have wanted to make it a trunk without removing that command.

I suppose in this way, if it no longer is a trunk port, it will naturally fall back to being a VLAN 10 access port?

greenerek

notgoing2fail wrote: »

They are, VLAN 10 is the primary network. What you just said seems to make the most sense.

So the port was probably apart of VLAN10, and at some point, someone must have wanted to make it a trunk without removing that command.

I suppose in this way, if it no longer is a trunk port, it will naturally fall back to being a VLAN 10 access port?

Hi, enable a sh interf fa0/20 switchport. The port can be either trunk or access. If Switchport mode trunk was the last command I think the port will be in Trunking mode , and vlan access it doesn't matter.

SteveO86

notgoing2fail wrote: »

Ok, I've been staring at configs all day. For some reason this config has me baffled, does it not look right?

interface fastethernet0/20
switchport access vlan 10
switchport trunk encapsulation dot1q
switchport mode trunk

Now help me understand why the switchport would be set to "access vlan 10" when it is also set to "mode trunk" as well as using encapsulation dot1q.

Clearly it looks like the fellow who did this is expecting to trunk on this port no?

So what is the significance of trying to apply it to vlan 10?

Can't think of any logical reason for this..

Ports should either be access or trunk.. Leaving it in desirable mode is not best practice (they go over that in the CCNA:Sec), plus when you issue the switchport mode access command it can't be negotiated to be a trunk in the future.

Why would some one they go back and change the ports function? I suppose that depends what's on the other side of the port and the topology of the network.

As far as setting the native VLAN, you want the native VLAN to be one that is not used. (Using the switchport mode trunk native vlan ###, another topic covered in the CCNA:Security to stop double tagging).

chmorin

I'm pretty sure it is just set there not doing anything. Say you have a port that was orginially an access port, and you had it configured with an access vlan. If you then change it over the trunk the access vlan command stays. It does not do anything, but it is still there.

kyoji

SteveO86 wrote: »

As far as setting the native VLAN, you want the native VLAN to be one that is not used. (Using the switchport mode trunk native vlan ###, another topic covered in the CCNA:Security to stop double tagging).

Correct, with the new info brought forth, this does not seem to be security oriented. My thought process was, perhaps he read about dedicated trunk vlans and tried to implement it using the wrong command.

Correct me if i'm wrong. Having dedicated trunk vlans helps add an extra layer of security, in case the attacker is able to gain "Trunk" he will have one more obstacle. As trunks must be in the same vlan.

SteveO86

kyoji wrote: »

Correct, with the new info brought forth, this does not seem to be security oriented. My thought process was, perhaps he read about dedicated trunk vlans and tried to implement it using the wrong command.

Correct me if i'm wrong. Having dedicated trunk vlans helps add an extra layer of security, in case the attacker is able to gain "Trunk" he will have one more obstacle. As trunks must be in the same vlan.

That's what I foresee, a security measure gone. However mis-configurations are typically more a security weakness then the unsuspecting end user

Not sure about the term "dedicated trunk vlan", but as far as trunk security, setting the native VLAN to an un-used VLAN it a great practice, and if you want to go another step further, you can specify what VLANs are allowed to cross the trunk using the switchport trunk allowed vlan add #

Plus it's also best practice to remove the trunk negotiation, set them as either trunk or access ports specifically, so an attacker can not create other trunks in your network and access other VLANs.

That limits the attack surface.

(Of course that is more CCNA:Security/SWITCH material, I almost forgot this the CCENT/CCNA forum)

After reading it again, by "dedicated trunk vlan" I assume you have the trunk links/ports in it's own VLAN, separate from the other VLANs passing client data.. The "trunk vlan" would have it's own subnet requiring some Layer 3 routing, if you've got a L3 switch or the classic router on a stick setup you can do that as well. For Layer 2 switches/connections I find that setting the native VLAN just easier.

(Forgive me if I mis-interpreted the dedicated trunk vlan, it's not a term I am familiar with feel free to correct me)

*BB*

You guys are reading into to this way too much. Vlan 10 is the vlan thats being used on the switch already. Most likely this was originally an access port that was changed to a trunk, in which case the switchport access vlan 10 statement- while still there, is negated unless they change it back to an access port.

SteveO86

*BB* wrote: »

You guys are reading into to this way too much. Vlan 10 is the vlan thats being used on the switch already. Most likely this was originally an access port that was changed to a trunk, in which case the switchport access vlan 10 statement- while still there, is negated unless they change it back to an access port.

It's not that were reading too much into it, just one question leading to another, and what best practice is. Maybe I did steer the thread in a more security oriented way.

Either way, I prefer to keep my own configs clean.. I would have to remove the switchport mode access (or trunk) statement, that's just me.

jojopramos

+ 1 for *BB*. If it configured for trunk, then it is trunked. No need to add the vlan10. If you need to use it for access port then it is easy to configure it to vlan10.

notgoing2fail

SteveO86 wrote: »

Either way, I prefer to keep my own configs clean.. I would have to remove the switchport mode access (or trunk) statement, that's just me.

I'm the same way, I hate having leftover commands floating around when they are of no use. Especially description on interfaces that no longer connect to the proper end device!

Forsaken_GA

*BB* wrote: »

You guys are reading into to this way too much. Vlan 10 is the vlan thats being used on the switch already. Most likely this was originally an access port that was changed to a trunk, in which case the switchport access vlan 10 statement- while still there, is negated unless they change it back to an access port.

+1

just a lazy admin who didn't clean up his configurations after himself. Probably didn't set a description on the interface either