Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Foreign Traffic bleeding on switch user ports


It?s supposed a switch port configured with "siwtchport mode access" can only see its own traffic and the generic one (broadcast..), but...

In my 2950 and 2960 switches, every user port shows traffic with another destinations, almost as it were a hub...

This happens on every new switch, with a simple trunk connection to the network (via a "switchport mode trunk") and the user ports configured with "switchport mode access" and no more...any idea ?

Carlos Sanchez, Network Analyst, Carvajal S.A.


Re: Foreign Traffic bleeding on switch user ports

So... you say every user port shows traffic with other destinations...

What kind of traffic? TCP traffic? UDP traffic? do a packet capture and see what kind of traffic specifically and they troubleshoot from there.

New Member

Re: Foreign Traffic bleeding on switch user ports

Hi avmabe:

Thanks for your answer; sorry I didnt tell you before but I have already done some research with both Ethereal and NI Observer and so far I cant find any cause/effect relationship; the traffic is any kind both TCP and UDP (VoIP, SNMP, DNS etc)and is confined to every VLAN...if I switch the monitoring port to another VLAN, I can see the same behavior...our cores at this segment are two redundant 4506s feeding about 150 2950/2960s.


Re: Foreign Traffic bleeding on switch user ports

On a switchport, configured and working correcly with no special features, the traffic I would expect to see would be broadcast and multicast traffic, traffic to the device attached, and traffic to unknown devices - ie no mac-table entry for the destination. That would be any device that has not transmitted for 5 minutes. This can be worsened by not using portfast. I have seen large flat networks (over 1,000) devices in one subnet, not using portfast and a high number of transient users - ie notebooks that come and go. non-use of portfast can reduce that 5 minute timer on some switches to 15 seconds. any user port should be set to portfast.

New Member

Re: Foreign Traffic bleeding on switch user ports

Hi Paul, thanks for your answer; as you say, I can see broadcast, multicast & unknown devices but also traffic from/for "third parties", by example DNS requeriments/answers to servers that are active indeed. By the way, all my user ports are set to portfast.

I assume the sniffer I am using (Ethereal with winpcap 3.1 in promiscuous mode) captures frames that aren?t really seen by a network card set to normal mode, but anyway I can?t understand why they arrive to a user port.

Usually the aliens are UDP (SNMP, etc) but there are also TCPs; If I set the monitoring switch port to another VLAN, I can see the same phenomena, that is always restricted to traffic belonging to the same VLAN.