Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

TCP unicast conversations showing up on several ports

Unanswered Question
Feb 14th, 2006
User Badges:

We are seeing just recently some unicast TCP conversations (like Terminal service conversations over TCP 3389 from source IP address to destination IP address) showing up on a port that doesn't have either IP address plugged into it. An ethereal capture from the physical port of a 3560 switch (port FA0/11) with only an IP phone (7905 10MB/Half Duplex) plugged into it shows this traffic. Has anybody seen this?

Also important to note: many ports will go into a "port set to untrusted" state once or twice a week. A clearing of ARP on the switch seems to clear up the problem. We have checked and there are no switching loops in the network.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
mheusinger Tue, 02/14/2006 - 14:48
User Badges:
  • Green, 3000 points or more


are you sure there is nothing connected to the IP phone? Usually you connect a PC to the phone and the phone to the switch. Both MACs (PC and phone) will then show up at the switch port. The PC could be the source of your TCP 3389 traffic. Does CDP show you the phone attached to the switch port at the time the suspicious traffic is showing up?

You might have a security issue there. I would check the phone in case such traffic shows up. Someone might either connect a device to the pone or replace the phone with a PC with spoofed IP address fitting into the segment.

Hope this helps! Please rate all posts.

Regards, Martin

andy@netsource-... Wed, 02/15/2006 - 05:10
User Badges:

This behavior is only happening on devices with a single port (7905, 7902, ATA). Also, we have confirmed that there is nobody attaching devices (PCs) in place of the phones. We can do a show CDP and still see the phones attached.


This Discussion