01-19-2010 09:05 PM
We have 2 physical telco lines connected into the same switch. It should be configured not to allow traffic from one to the other.
However, it seems like it does, which shouldn't be the case. The telco vendor confirmed that it is.
Here is what our router shows when we do "show cdp neighbor" on our Cisco router. You can see that it can see the same devices via ports 1/44 and 1/14. They should only be able to route via the circuit on Gi1/14.
Appreciate any comment or suggestion?
A_End_Router1>sh cdp neighbors gigabitEthernet 1/44
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone
Device ID Local Intrfce Holdtme Capability Platform Port ID
B_End_Router1
Gig 1/44 163 R S I 2811 Fas 0/1
B_End_Router2
Gig 1/44 153 R S I 2811 Fas 0/1
B_End_Router3
Gig 1/44 155 R S I 2811 Fas 0/1
B_End_Router4
Gig 1/44 173 R S I 2811 Fas 0/1
B_End_Router5
Gig 1/44 120 R S I 2811 Fas 0/1
B_End_Router6
Gig 1/44 150 R S I 2811 Fas 0/1
B_End_Router7
Gig 1/44 156 R S I 2811 Fas 0/1
B_End_Router8
Gig 1/44 178 R S I 2811 Fas 0/1
A_End_Router1
Gig 1/44 175 R S I WS-C4948 Gig 1/14
A_End_Router1>sh cdp neighbors gigabitEthernet 1/14
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone
Device ID Local Intrfce Holdtme Capability Platform Port ID
B_End_Router1
Gig 1/14 145 R S I 2811 Fas 0/1
B_End_Router2
Gig 1/14 135 R S I 2811 Fas 0/1
B_End_Router3
Gig 1/14 137 R S I 2811 Fas 0/1
B_End_Router4
Gig 1/14 154 R S I 2811 Fas 0/1
B_End_Router5
Gig 1/14 162 R S I 2811 Fas 0/1
B_End_Router6
Gig 1/14 132 R S I 2811 Fas 0/1
B_End_Router7
Gig 1/14 138 R S I 2811 Fas 0/1
B_End_Router8
Gig 1/14 160 R S I 2811 Fas 0/1
A_End_Router1
Gig 1/14 171 R S I WS-C4948 Gig 1/44
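A small check for the symptom described above, added here as an example and not part of the original thread: it parses the two-line "show cdp neighbors" layout shown in the post (assuming interface names print as two tokens such as "Gig 1/44", as they do there; the sample below is constructed from the post's entries) and lists every neighbour heard on more than one local port, which is what the poster spotted by eye.

```python
import re
from collections import defaultdict
# Constructed sample, modelled on the post's "show cdp neighbors" layout: the Device ID
# is wrapped onto its own line and the detail row follows it (last entry is single-line).
SAMPLE = """\
Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
B_End_Router1
                 Gig 1/44          163        R S I       2811      Fas 0/1
B_End_Router2
                 Gig 1/44          153        R S I       2811      Fas 0/1
B_End_Router1
                 Gig 1/14          145        R S I       2811      Fas 0/1
A_End_Router1    Gig 1/14          171        R S I       WS-C4948  Gig 1/44
"""

SKIP = ("Capability Codes", "S - Switch", "Device ID")   # banner and header lines

def parse_cdp_neighbors(text):
    """One dict per neighbour entry parsed from 'show cdp neighbors' output."""
    entries, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(SKIP) or "sh cdp" in line:
            continue
        tokens = line.split()
        if len(tokens) == 1:              # Device ID wrapped onto its own line
            pending = tokens[0]
            continue
        # Local interface is two tokens ("Gig 1/44"); a port number in tokens[1] means the Device ID was on the previous line.
        if re.fullmatch(r"[\d/.]+", tokens[1]):
            device = pending
        else:
            device, tokens = tokens[0], tokens[1:]
        if device is None or len(tokens) < 7:
            continue                      # unrecognised row: skip rather than guess
        entries.append({"device": device,
                        "local": f"{tokens[0]} {tokens[1]}",
                        "holdtime": int(tokens[2]),
                        "capability": " ".join(tokens[3:-3]),
                        "platform": tokens[-3],
                        "port": f"{tokens[-2]} {tokens[-1]}"})
        pending = None
    return entries

def neighbors_on_multiple_ports(entries):
    """Devices heard on more than one local port, mapped to their sorted port list."""
    seen = defaultdict(set)
    for e in entries:
        seen[e["device"]].add(e["local"])
    return {dev: sorted(ports) for dev, ports in seen.items() if len(ports) > 1}
```

Feed it the concatenated output of both "show cdp neighbors" commands from the post and any router listed under both Gig 1/14 and Gig 1/44 is reported; a carrier-facing port that reports anything here is a candidate for "no cdp enable".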
01-20-2010 07:29 AM
How are you blocking traffic on the second port? CDP is a layer 2 protocol and a layer 3 ACL will not block the traffic. Are you looking to also block layer 2 protocols?
01-20-2010 07:45 AM
Thanks Collin.
Actually I don't know, for I don't have direct access to the router.
We have 2 telco providers with 2 ckts each. Both interfaces above are connected to telco#1, but different ckts.
The other 2 ports (on the same router) that are both connected to the other 2 circuits of telco#2 don't show the same output.
I assumed it was with the telco, but it doesn't look like it.
I am assuming it has something to do with the router settings, etc., or anything that we could change from our side which of course would not affect the performance of the Cisco box. We have 6 pipes connected to it overall.
01-20-2010 07:49 AM
Is the telco saying that traffic is flowing across both or are you just concerned that you see a CDP neighbor across both links?
01-20-2010 07:51 AM
basically, just concerned that we see the same neighbor output from both links
01-20-2010 07:55 AM
As I stated before you will see both links because CDP is a layer two protocol and is not being blocked. You can always turn off CDP on devices that connect to carriers which is a good security practice.
Turn off CDP on the entire device
router(config)# no cdp run
Turn off CDP on a specific interface
router(config)# interface fa0/44
router(config-if)# no cdp enable
Hope that helps
01-20-2010 07:40 AM
A switch will not use CDP to decide on what port it will send traffic.
It uses the destination mac address
If you expect to see traffic on only the "active" port then your idea is wrong.
The normal outgoing traffic will go out of port Gi1/14.
Any broadcast, multicast or unknown destinations, however, will go out of both ports.
If the active router sends out multicasts or broadcasts, it is likely that the other router on port Gi 1/44 will see this traffic too.
Cheers,
Michel
01-20-2010 07:50 AM
Thanks Michel.
In short, you mean to say it is normal behavior, right?
We actually have another router (for dual) and we don't see the same output. That is why I am wondering if there's anything wrong or missing in our config.
01-20-2010 07:54 AM
I think if there is something that needs to be fixed, it is not on the switch.
You may have some issue on the routers that send traffic to the telco's.
Cheers,
Michel
01-20-2010 11:35 AM
jsheriony,
For the other router (for dual), you don't see the same output because that router has CDP disabled.
You can also disable CDP on the switch or per port as stated earlier.
Regards,
Sal
01-20-2010 08:02 AM
I think normally CDP packets from the routers will be absorbed by the switch.
If they are somehow forwarded to other ports, turning off CDP won't resolve this.
cheers,
Michel