Trunk port on a Cisco 2960

Unanswered Question
Aug 25th, 2008
User Badges:

Hi all,


I have a Cisco 2960, Version 12.2(25)SEE.

Each interface is in trunk mode: a ip-phone (alcatel) and a PC are connected to each interface. And DATA and VOICE are in two different VLAN.


It works fine.

However, I notice today that when I sniff, with Ethereal for example, any port, I see ALL the unicast trafic!


Is it the normal behaviour of a trunk port? Does the switch send by dafault all unicast VLAN trafic to any trunk port configured on it? Even if a host is connected to this trunk interface?


How can I solve this security point?


Thanks you by advance for your help!





  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Jon Marshall Mon, 08/25/2008 - 11:42
User Badges:
  • Super Blue, 32500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN

Yes the switch will send all vlan traffic on a trunk port because by default all vlans are allowed on the trunk.


You can restrict the vlans allowed by using the "switchport trunk allowed ..." command under the interface configuration mode. Only allow the respective data and voice on the trunk ports.


Jon

huynhkhay Mon, 08/25/2008 - 11:48
User Badges:

Hi,


Thanks you for your quickness!

However, you misunderstood me...


here is my problem:


Suppose I have a host, let's say 192.168.10.10 in DATA VLAN. this host is connected to an IP-Phone, let's say 192.168.5.10. This IP-phone is connected to a port of my 2960, Fast0/5 for example.


When I lauch an ethereal on my host 192.168.10.10, I see ALL trafic, even packets with source IP AND destination IP which are different from 192.168.10.10.

Example on my host 192.168.10.10, I can see unicast trafic from 192.168.10.15 to 192.168.10.20 for example. I check subnet masks, all are correct.


Exactly as if I have configured a monitor session on my host...


Quite weird!


Any suggestion?

yandy_ramirez Mon, 08/25/2008 - 13:06
User Badges:

well if the trunk port is a transit interfaces between the two hosts communicating and you're mirroring all traffic to ethereal then yes, you will see it. if they're connected on the same switch then no you should not. No reason for that traffic to leave that one switch.


Correct me if i miss-understood you.

huynhkhay Mon, 08/25/2008 - 13:39
User Badges:

Hi Yandy,


The trunk port isn't a transit interfaces between the two hosts communicating. And these two hosts are not connected to this switch...


For an unknown reason, this traffic arrives however to the uplink of the switch. And these trafic is then forwarded to all trunk ports of this switch: that's why I see these trafic when I capture packets on my trunk port...


The more I think about it, the more it seems strange!

yandy_ramirez Tue, 08/26/2008 - 16:58
User Badges:

how many users? is it possible for someone to have flooded your mac-address-table on any of those switches, and now your switch is acting pretty much as a HUB? could you be mirroring traffic from those ports and not know? just trying to see why? It is strange. We had a problem like that recently on our network, and thats cause someone decided they wanted to learn security on a production network.. lol


Thanks

georgecatana Wed, 08/27/2008 - 05:09
User Badges:

Seems like a switch problem.


Try to boot the switch with another IOS.


Actions

This Discussion