We are seeing just recently some unicast TCP conversations (like Terminal service conversations over TCP 3389 from source IP address to destination IP address) showing up on a port that doesn't have either IP address plugged into it. An ethereal capture from the physical port of a 3560 switch (port FA0/11) with only an IP phone (7905 10MB/Half Duplex) plugged into it shows this traffic. Has anybody seen this?
Also important to note: many ports will go into a "port set to untrusted" state once or twice a week. A clearing of ARP on the switch seems to clear up the problem. We have checked and there are no switching loops in the network.