Trunk port on a Cisco 2960

huynhkhay
Level 1

Hi all,

I have a Cisco 2960, Version 12.2(25)SEE.

Each interface is in trunk mode: an IP phone (Alcatel) and a PC are connected to each interface. And DATA and VOICE are in two different VLANs.

It works fine.

However, I noticed today that when I sniff any port, with Ethereal for example, I see ALL the unicast traffic!

Is it the normal behaviour of a trunk port? Does the switch send by default all unicast VLAN traffic to any trunk port configured on it? Even if a host is connected to this trunk interface?

How can I solve this security point?

Thank you in advance for your help!

6 Replies

Jon Marshall
Hall of Fame

Yes, the switch will send all VLAN traffic on a trunk port because by default all VLANs are allowed on the trunk.

You can restrict the vlans allowed by using the "switchport trunk allowed ..." command under the interface configuration mode. Only allow the respective data and voice on the trunk ports.

Jon
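A worked version of Jon's suggestion, added here as an example and not configuration taken from the thread. The interface (Fa0/5) and the VLAN numbers (10 for DATA, 5 for VOICE) are assumptions inferred from the addresses the poster mentions, not from the poster's running config.

```cisco
! --- Weak setting: trunk with the default allowed list (every VLAN, 1-4094).
! Flooded unicast, broadcast and multicast from ALL VLANs reaches the phone and PC.
interface FastEthernet0/5
 switchport mode trunk
! (no "switchport trunk allowed vlan" line => all VLANs allowed by default)

! --- Corrected setting: same trunk, but only the two VLANs this port needs.
! VLAN numbers are assumptions: 10 = DATA, 5 = VOICE.
interface FastEthernet0/5
 description Alcatel phone + PC (assumed)
 switchport mode trunk
 switchport trunk allowed vlan 5,10
! the PC behind the phone sends untagged frames, so the data VLAN is the native VLAN
 switchport trunk native vlan 10
! do not let DTP renegotiate the trunk with whatever is plugged in
 switchport nonegotiate
! a host-facing port, not a switch-to-switch link
 spanning-tree portfast trunk

! Verify: the "Vlans allowed on trunk" line for Fa0/5 should now read 5,10 only.
! show interfaces FastEthernet0/5 trunk
```

Two caveats a practitioner would want: the allowed list only removes traffic from other VLANs, so a capture on the PC will still show whatever is flooded within VLAN 10 itself (which is exactly what the poster describes later, 192.168.10.15 to 192.168.10.20); and `spanning-tree portfast trunk` does nothing to stop flooding, it just avoids a 30-second STP delay when the phone boots.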

Hi,

Thanks you for your quickness!

However, you misunderstood me...

here is my problem:

Suppose I have a host, let's say 192.168.10.10, in the DATA VLAN. This host is connected to an IP phone, let's say 192.168.5.10. This IP phone is connected to a port of my 2960, Fast0/5 for example.

When I launch Ethereal on my host 192.168.10.10, I see ALL traffic, even packets whose source IP AND destination IP are different from 192.168.10.10.

For example, on my host 192.168.10.10 I can see unicast traffic from 192.168.10.15 to 192.168.10.20. I checked the subnet masks; all are correct.

Exactly as if I had configured a monitor session on my host...

Quite weird!

Any suggestion?

Well, if the trunk port is a transit interface between the two hosts communicating and you're mirroring all traffic to Ethereal, then yes, you will see it. If they're connected on the same switch then no, you should not. No reason for that traffic to leave that one switch.

Correct me if I misunderstood you.

Hi Yandy,

The trunk port isn't a transit interface between the two hosts communicating. And these two hosts are not connected to this switch...

For an unknown reason, this traffic arrives however at the uplink of the switch. And this traffic is then forwarded to all trunk ports of this switch: that's why I see this traffic when I capture packets on my trunk port...

The more I think about it, the more it seems strange!

How many users? Is it possible for someone to have flooded your MAC address table on any of those switches, and now your switch is acting pretty much as a hub? Could you be mirroring traffic from those ports and not know? Just trying to see why. It is strange. We had a problem like that recently on our network, and that's because someone decided they wanted to learn security on a production network.. lol

Thanks
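The two possibilities this reply raises, a flooded MAC address table and a SPAN session nobody remembers configuring, can both be checked from the CLI, and the first can be mitigated with port security. The commands below are added here as an example and are not from the thread. The interface, the uplink name (Gi0/1) and the per-port limit of 3 addresses (phone, the PC behind it, one spare) are assumptions; whether port security is accepted on a trunk port depends on the software release, so confirm that in the release notes for 12.2(25)SEE before relying on it.

```cisco
! 1. Check for a full (flooded) MAC address table. Thousands of dynamic
!    entries in one VLAN on a small switch mean it has run out of room and
!    is flooding unknown-unicast frames out every port in the VLAN, like a hub.
! show mac address-table count
! show mac address-table dynamic vlan 10

! 2. Check for a SPAN/RSPAN session that mirrors other ports to this one.
! show monitor session all
! show running-config | include monitor session

! 3. Mitigation: cap the MAC addresses learned on each host port so that a
!    single device cannot fill the table. "restrict" drops the excess frames
!    and counts them (visible in "show port-security") without err-disabling
!    the port, so the phone stays up. Limit and interface are assumptions.
interface FastEthernet0/5
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation restrict
 switchport port-security aging time 10
 switchport port-security aging type inactivity

! 4. The poster says the traffic arrives on the uplink, so look at the
!    addresses learned there as well. If the flooding originates on another
!    switch, the limits in step 3 have to be applied on that switch's ports.
! show mac address-table interface GigabitEthernet0/1
! show port-security interface FastEthernet0/5
```

The order matters for diagnosis: an unexpected `show monitor session` result explains the symptom completely and needs no further work, whereas a table with far more dynamic entries than there are real hosts points to flooding somewhere upstream of the uplink, which port security on this one switch will not cure on its own.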

georgecatana
Level 1

Seems like a switch problem.

Try to boot the switch with another IOS.
