Foreign Traffic bleeding on switch user ports

Unanswered Question
Sep 18th, 2007

Hello:

It?s supposed a switch port configured with "siwtchport mode access" can only see its own traffic and the generic one (broadcast..), but...

In my 2950 and 2960 switches, every user port shows traffic with another destinations, almost as it were a hub...

This happens on every new switch, with a simple trunk connection to the network (via a "switchport mode trunk") and the user ports configured with "switchport mode access" and no more...any idea ?

Carlos Sanchez, Network Analyst, Carvajal S.A.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
avmabe Tue, 09/18/2007 - 11:06

So... you say every user port shows traffic with other destinations...

What kind of traffic? TCP traffic? UDP traffic? do a packet capture and see what kind of traffic specifically and they troubleshoot from there.

gc2carvajal Tue, 09/18/2007 - 14:38

Hi avmabe:

Thanks for your answer; sorry I didnt tell you before but I have already done some research with both Ethereal and NI Observer and so far I cant find any cause/effect relationship; the traffic is any kind both TCP and UDP (VoIP, SNMP, DNS etc)and is confined to every VLAN...if I switch the monitoring port to another VLAN, I can see the same behavior...our cores at this segment are two redundant 4506s feeding about 150 2950/2960s.

Regards

paul.matthews Tue, 09/18/2007 - 11:50

On a switchport, configured and working correcly with no special features, the traffic I would expect to see would be broadcast and multicast traffic, traffic to the device attached, and traffic to unknown devices - ie no mac-table entry for the destination. That would be any device that has not transmitted for 5 minutes. This can be worsened by not using portfast. I have seen large flat networks (over 1,000) devices in one subnet, not using portfast and a high number of transient users - ie notebooks that come and go. non-use of portfast can reduce that 5 minute timer on some switches to 15 seconds. any user port should be set to portfast.

gc2carvajal Tue, 09/18/2007 - 14:06

Hi Paul, thanks for your answer; as you say, I can see broadcast, multicast & unknown devices but also traffic from/for "third parties", by example DNS requeriments/answers to servers that are active indeed. By the way, all my user ports are set to portfast.

I assume the sniffer I am using (Ethereal with winpcap 3.1 in promiscuous mode) captures frames that aren?t really seen by a network card set to normal mode, but anyway I can?t understand why they arrive to a user port.

Usually the aliens are UDP (SNMP, etc) but there are also TCPs; If I set the monitoring switch port to another VLAN, I can see the same phenomena, that is always restricted to traffic belonging to the same VLAN.

Regards.

Actions

This Discussion