Foreign Traffic bleeding on switch user ports

gc2carvajal
Level 1

Hello:

It's supposed that a switch port configured with "switchport mode access" can only see its own traffic and the generic one (broadcast...), but...

In my 2950 and 2960 switches, every user port shows traffic with other destinations, almost as if it were a hub...

This happens on every new switch, with a simple trunk connection to the network (via a "switchport mode trunk") and the user ports configured with "switchport mode access" and nothing more... any idea?

Carlos Sanchez, Network Analyst, Carvajal S.A.

4 Replies

avmabe
Level 3

So... you say every user port shows traffic with other destinations...

What kind of traffic? TCP traffic? UDP traffic? Do a packet capture and see what kind of traffic specifically, and then troubleshoot from there.

Hi avmabe:

Thanks for your answer; sorry I didn't tell you before, but I have already done some research with both Ethereal and NI Observer and so far I can't find any cause/effect relationship; the traffic is of any kind, both TCP and UDP (VoIP, SNMP, DNS, etc.), and is confined to each VLAN... if I switch the monitoring port to another VLAN, I can see the same behavior... our cores at this segment are two redundant 4506s feeding about 150 2950/2960s.

Regards

paul.matthews
Level 5

On a switchport, configured and working correctly with no special features, the traffic I would expect to see would be broadcast and multicast traffic, traffic to the device attached, and traffic to unknown devices, i.e. no mac-table entry for the destination. That would be any device that has not transmitted for 5 minutes. This can be worsened by not using portfast. I have seen large flat networks (over 1,000 devices in one subnet), not using portfast and with a high number of transient users, i.e. notebooks that come and go. Non-use of portfast can reduce that 5 minute timer on some switches to 15 seconds. Any user port should be set to portfast.

Hi Paul, thanks for your answer; as you say, I can see broadcast, multicast & unknown devices, but also traffic from/for "third parties", for example DNS requests/answers to servers that are active indeed. By the way, all my user ports are set to portfast.

I assume the sniffer I am using (Ethereal with winpcap 3.1 in promiscuous mode) captures frames that aren't really seen by a network card set to normal mode, but anyway I can't understand why they arrive at a user port.

Usually the aliens are UDP (SNMP, etc.) but there are also TCPs. If I set the monitoring switch port to another VLAN, I can see the same phenomenon, which is always restricted to traffic belonging to the same VLAN.

Regards.
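The behaviour Paul describes (unknown-unicast flooding once a MAC-table entry ages out, and faster aging after a topology change when portfast is not used) can be reproduced with a small learning-switch model. The following Python is an added example written for this thread, not code from Cisco or from any poster; the switch model, port names, MAC addresses (taken from the IANA documentation range) and the 300 s / 15 s timers are constructed assumptions chosen to mirror the default MAC aging time and the fast-aging value quoted above. It shows why a server's reply to a silent PC B shows up on PC A's access port, and why the "foreign" frames never cross a VLAN boundary, which is exactly the pattern Carlos reports.

```python
from dataclasses import dataclass, field

AGING_SECONDS = 300  # default MAC address-table aging time (5 minutes)
FAST_AGING_SECONDS = 15  # reduced aging after a topology change (no portfast)
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src: str
    dst: str
    vlan: int


def is_multicast(mac: str) -> bool:
    """Group bit is the least-significant bit of the first octet."""
    return int(mac.split(":")[0], 16) & 1 == 1


@dataclass
class LearningSwitch:
    """Minimal transparent bridge: per-VLAN MAC table with aging (constructed model)."""
    access_ports: dict            # port -> access VLAN
    trunk_ports: set              # ports that carry every VLAN
    aging: int = AGING_SECONDS
    table: dict = field(default_factory=dict)  # (vlan, mac) -> (port, last_seen)

    def ports_in_vlan(self, vlan: int) -> set:
        return {p for p, v in self.access_ports.items() if v == vlan} | set(self.trunk_ports)

    def forward(self, in_port: str, frame: Frame, now: int) -> set:
        """Return the set of egress ports for a frame received on in_port at time now."""
        vlan = self.access_ports.get(in_port, frame.vlan)  # access ports fix the VLAN
        # Learn the source, then expire entries that have been silent longer than the aging time.
        self.table[(vlan, frame.src)] = (in_port, now)
        for key in [k for k, (_, seen) in self.table.items() if now - seen > self.aging]:
            del self.table[key]
        same_vlan = self.ports_in_vlan(vlan) - {in_port}
        if frame.dst == BROADCAST or is_multicast(frame.dst):
            return same_vlan                       # broadcast / multicast: flood the VLAN
        entry = self.table.get((vlan, frame.dst))
        if entry is None:
            return same_vlan                       # unknown unicast: flood the VLAN
        port, _ = entry
        return {port} - {in_port}                  # known unicast: one port only


def scenario() -> dict:
    """Replay the situation from the thread and collect what each access port would see."""
    # Constructed addresses from the IANA documentation range 00:00:5e:00:53:xx.
    server, pc_b, pc_c = "00:00:5e:00:53:01", "00:00:5e:00:53:0b", "00:00:5e:00:53:0c"
    sw = LearningSwitch(access_ports={"Fa0/1": 10, "Fa0/2": 10, "Fa0/3": 20},
                        trunk_ports={"Gi0/1"})
    out = {}
    # t=0: PC B (Fa0/2) sends to the server, so the switch learns PC B's MAC on Fa0/2.
    sw.forward("Fa0/2", Frame(pc_b, server, 10), now=0)
    # t=1: the server's reply arrives on the trunk and goes only to Fa0/2; Fa0/1 sees nothing.
    out["known"] = sw.forward("Gi0/1", Frame(server, pc_b, 10), now=1)
    # t=400: PC B has been silent > 300 s, its entry aged out; the same reply now floods
    # to every VLAN 10 access port, which is the "third-party" traffic a sniffer on Fa0/1 sees.
    out["aged"] = sw.forward("Gi0/1", Frame(server, pc_b, 10), now=400)
    # Unknown unicast in VLAN 20 floods only VLAN 20 ports: never seen on Fa0/1 or Fa0/2.
    out["other_vlan"] = sw.forward("Gi0/1", Frame(server, pc_c, 20), now=401)
    # Same exchange on a switch that has dropped to fast aging after a topology change:
    # only 20 s of silence are enough for the reply to be flooded.
    fast = LearningSwitch(access_ports={"Fa0/1": 10, "Fa0/2": 10},
                          trunk_ports={"Gi0/1"}, aging=FAST_AGING_SECONDS)
    fast.forward("Fa0/2", Frame(pc_b, server, 10), now=0)
    out["fast_aging"] = fast.forward("Gi0/1", Frame(server, pc_b, 10), now=20)
    return out


if __name__ == "__main__":
    for name, ports in scenario().items():
        print(f"{name:>11}: {sorted(ports)}")
```

Running the scenario prints one line per case: `known` is `['Fa0/2']`, while `aged` and `fast_aging` both expand to `['Fa0/1', 'Fa0/2']`, and `other_vlan` stays on `['Fa0/3']`. The practical check this suggests is to compare the destination MACs of the "alien" frames against `show mac address-table` at capture time: if those MACs are absent (aged out), the frames are ordinary unknown-unicast floods, and the fix is on the timers and portfast side rather than on the capture host.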
