cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
383
Views
0
Helpful
3
Replies

TCP unicast conversations showing up on several ports

andy
Level 1
Level 1

We are seeing just recently some unicast TCP conversations (like Terminal service conversations over TCP 3389 from source IP address to destination IP address) showing up on a port that doesn't have either IP address plugged into it. An ethereal capture from the physical port of a 3560 switch (port FA0/11) with only an IP phone (7905 10MB/Half Duplex) plugged into it shows this traffic. Has anybody seen this?

Also important to note: many ports will go into a "port set to untrusted" state once or twice a week. A clearing of ARP on the switch seems to clear up the problem. We have checked and there are no switching loops in the network.

3 Replies 3

Prashanth Krishnappa
Cisco Employee
Cisco Employee

Check to see if you have any unicast flooding in your network due to STP TCNs or any asymmetric Routing

http://www.cisco.com/warp/public/473/143.html

Try matching your ARP and MAC-address aging timer and see if it makes any difference.

mheusinger
Level 10
Level 10

Hello,

are you sure there is nothing connected to the IP phone? Usually you connect a PC to the phone and the phone to the switch. Both MACs (PC and phone) will then show up at the switch port. The PC could be the source of your TCP 3389 traffic. Does CDP show you the phone attached to the switch port at the time the suspicious traffic is showing up?

You might have a security issue there. I would check the phone in case such traffic shows up. Someone might either connect a device to the pone or replace the phone with a PC with spoofed IP address fitting into the segment.

Hope this helps! Please rate all posts.

Regards, Martin

This behavior is only happening on devices with a single port (7905, 7902, ATA). Also, we have confirmed that there is nobody attaching devices (PCs) in place of the phones. We can do a show CDP and still see the phones attached.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Innovations in Cisco Full Stack Observability - A new webinar from Cisco