Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

TCP unicast conversations showing up on several ports

We are seeing just recently some unicast TCP conversations (like Terminal service conversations over TCP 3389 from source IP address to destination IP address) showing up on a port that doesn't have either IP address plugged into it. An ethereal capture from the physical port of a 3560 switch (port FA0/11) with only an IP phone (7905 10MB/Half Duplex) plugged into it shows this traffic. Has anybody seen this?

Also important to note: many ports will go into a "port set to untrusted" state once or twice a week. A clearing of ARP on the switch seems to clear up the problem. We have checked and there are no switching loops in the network.

3 REPLIES
Cisco Employee

Re: TCP unicast conversations showing up on several ports

Check to see if you have any unicast flooding in your network due to STP TCNs or any asymmetric Routing

http://www.cisco.com/warp/public/473/143.html

Try matching your ARP and MAC-address aging timer and see if it makes any difference.

Re: TCP unicast conversations showing up on several ports

Hello,

are you sure there is nothing connected to the IP phone? Usually you connect a PC to the phone and the phone to the switch. Both MACs (PC and phone) will then show up at the switch port. The PC could be the source of your TCP 3389 traffic. Does CDP show you the phone attached to the switch port at the time the suspicious traffic is showing up?

You might have a security issue there. I would check the phone in case such traffic shows up. Someone might either connect a device to the pone or replace the phone with a PC with spoofed IP address fitting into the segment.

Hope this helps! Please rate all posts.

Regards, Martin

Community Member

Re: TCP unicast conversations showing up on several ports

This behavior is only happening on devices with a single port (7905, 7902, ATA). Also, we have confirmed that there is nobody attaching devices (PCs) in place of the phones. We can do a show CDP and still see the phones attached.

174
Views
0
Helpful
3
Replies
CreatePlease to create content