switchport nonegotiate
Disables Dynamic Trunking Protocol (DTP) on a switch port, preventing it from sending or receiving DTP frames to negotiate trunking.
switchport nonegotiate
When to Use This Command
- Securing an access port by disabling DTP to prevent trunk negotiation attacks.
- Configuring a port as a static trunk without DTP negotiation to ensure it remains trunking.
- Preventing a switch port from automatically becoming a trunk when connected to a device that sends DTP frames.
- Ensuring a port remains in access mode when connected to a non-Cisco device that might misinterpret DTP.
Command Examples
Disable DTP on an access port
Switch(config-if)# switchport mode access
Switch(config-if)# switchport nonegotiate
The command is entered without producing output. The port is set to access mode and DTP is disabled, preventing any trunk negotiation.
Disable DTP on a trunk port
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport nonegotiate
The port is set to trunk mode and DTP is disabled. The trunk will remain active but will not send or receive DTP frames.
Understanding the Output
The switchport nonegotiate command does not produce any output when executed. To verify its effect, use 'show interfaces switchport' or 'show interfaces trunk'. In 'show interfaces switchport', look for 'Negotiation of Trunking: Off' to confirm DTP is disabled. In 'show interfaces trunk', the port will appear in the trunking table but will not show DTP status. A correctly configured port with nonegotiate will not send DTP frames, which is visible in packet captures or by checking the port's DTP mode.
CCNA Exam Tips
CCNA exam tip: DTP is enabled by default on all switch ports; 'switchport nonegotiate' disables it.
CCNA exam tip: You must set the port mode (access or trunk) before using 'switchport nonegotiate'.
CCNA exam tip: Disabling DTP is a security best practice to prevent VLAN hopping attacks.
CCNA exam tip: On a trunk port, 'switchport nonegotiate' does not affect trunking; it only stops DTP frames.
Common Mistakes
Mistake 1: Using 'switchport nonegotiate' without first setting the port mode, which may cause the port to default to dynamic desirable and still negotiate.
Mistake 2: Assuming 'switchport nonegotiate' changes the port mode; it only disables DTP negotiation.
Mistake 3: Forgetting that DTP is Cisco proprietary; 'switchport nonegotiate' is unnecessary on non-Cisco devices but still safe to use.
Related Commands
show interfaces switchport
Displays the administrative and operational status of a switch port, including VLAN membership, trunking mode, and access VLAN, used to verify VLAN configuration and port security settings.
show interfaces trunk
Displays trunk interface status, allowed VLANs, and pruning information for all trunk ports on a Cisco switch, used to verify trunking configuration and VLAN membership.
switchport mode access
Configures a switch interface as an access port, placing it in a single VLAN and removing any trunking functionality.
switchport mode trunk
Configures a switch interface as a trunk port, allowing multiple VLANs to traverse the link using IEEE 802.1Q tagging.