08-25-2008 11:36 AM - edited 03-06-2019 12:59 AM
Hi all,
I have a Cisco 2960, Version 12.2(25)SEE.
Each interface is in trunk mode: an IP phone (Alcatel) and a PC are connected to each interface, and DATA and VOICE are in two different VLANs.
It works fine.
However, I noticed today that when I sniff any port, with Ethereal for example, I see ALL the unicast traffic!
Is this the normal behaviour of a trunk port? Does the switch by default send all unicast VLAN traffic to any trunk port configured on it? Even if a host is connected to this trunk interface?
How can I solve this security point?
Thank you in advance for your help!
08-25-2008 11:42 AM
Yes, the switch will send all VLAN traffic on a trunk port because by default all VLANs are allowed on the trunk.
You can restrict the VLANs allowed by using the "switchport trunk allowed ..." command under the interface configuration mode. Only allow the respective data and voice VLANs on the trunk ports.
Jon
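As an added example (not configuration from the original posts), here is the trunk with the default allowed list that Jon describes, beside the same port restricted to the data and voice VLANs. The interface name and the VLAN IDs 10 (DATA) and 5 (VOICE) are assumptions for illustration, picked to line up with the addressing quoted later in the thread.

```cisco
! Before (weak): "switchport mode trunk" with no allowed-VLAN list.
! The default allowed list is 1-4094, so every VLAN the switch carries is
! delivered to this port, and a PC plugged in behind the phone can capture
! flooded frames from all of them.
interface FastEthernet0/5
 description Phone + PC, unrestricted trunk
 switchport mode trunk
!
! After: limit the trunk to the two VLANs this port needs (IDs assumed).
! The PC's frames are untagged, so the native VLAN must be the DATA VLAN
! and must itself appear in the allowed list.
interface FastEthernet0/5
 description Phone + PC, restricted trunk
 switchport mode trunk
 switchport trunk native vlan 10
 switchport trunk allowed vlan 5,10
 switchport nonegotiate          ! no DTP toward the phone/PC
!
! Verify: the "Vlans allowed on trunk" column should now list only 5,10
show interfaces FastEthernet0/5 trunk
```

This restricts which VLANs reach the port; it does not stop flooding inside VLAN 10 itself. A frame whose destination MAC is not in the switch's MAC address table (aged out, never learned because the return path crosses another switch, or pushed out by a full table) is flooded to every port in that VLAN, this one included, which is the behaviour described later in the thread.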
08-25-2008 11:48 AM
Hi,
Thank you for your quick reply!
However, you misunderstood me...
Here is my problem:
Suppose I have a host, let's say 192.168.10.10, in the DATA VLAN. This host is connected to an IP phone, let's say 192.168.5.10. This IP phone is connected to a port of my 2960, Fast0/5 for example.
When I launch Ethereal on my host 192.168.10.10, I see ALL traffic, even packets whose source IP AND destination IP are different from 192.168.10.10.
For example, on my host 192.168.10.10 I can see unicast traffic from 192.168.10.15 to 192.168.10.20. I checked the subnet masks; all are correct.
Exactly as if I had configured a monitor session on my host...
Quite weird!
Any suggestion?
08-25-2008 01:06 PM
Well, if the trunk port is a transit interface between the two communicating hosts and you're mirroring all traffic to Ethereal, then yes, you will see it. If they're connected on the same switch, then no, you should not. There is no reason for that traffic to leave that one switch.
Correct me if I misunderstood you.
08-25-2008 01:39 PM
Hi Yandy,
The trunk port isn't a transit interface between the two communicating hosts. And these two hosts are not connected to this switch...
For an unknown reason, this traffic nevertheless arrives at the uplink of the switch. And this traffic is then forwarded to all trunk ports of this switch: that's why I see this traffic when I capture packets on my trunk port...
The more I think about it, the more it seems strange!
08-26-2008 04:58 PM
How many users? Is it possible for someone to have flooded your MAC address table on any of those switches, so that your switch is now acting pretty much as a hub? Could you be mirroring traffic from those ports and not know? Just trying to see why. It is strange. We had a problem like that recently on our network, and that's because someone decided they wanted to learn security on a production network.. lol
Thanks
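Both hypotheses in the post above (a flooded MAC address table turning the switch into a hub, or a SPAN session nobody remembers) can be checked from the switch CLI. This is an added example, not commands from the original thread; the interface and the MAC address are placeholders, the MAC standing in for the destination of a unicast frame captured in Ethereal.

```cisco
! 1. Is the MAC address table full? A 2960 holds about 8K entries; if the
!    dynamic count sits at the limit, new addresses cannot be learned and
!    the switch floods unicast like a hub.
show mac address-table count

! 2. Is the destination of the captured unicast actually learned on this
!    switch? (placeholder MAC)  No entry here means the frame is flooded
!    as unknown unicast, which is normal switch behaviour, not a bug.
show mac address-table address 0000.0c12.3456

! 3. Which port is contributing an abnormal number of source MACs?
!    Hundreds of dynamic entries behind a single phone/PC port point at
!    a flooding tool rather than real hosts.
show mac address-table dynamic interface FastEthernet0/5

! 4. Is anything mirroring traffic to this port?
show monitor session all

! 5. How long do learned entries live before the switch must flood again
!    for that destination?
show mac address-table aging-time
```

If step 3 does identify a port generating many source addresses, port security (`switchport port-security maximum`) caps how many addresses that port may learn; check the configuration guide for your 12.2 release for its restrictions on trunk ports before applying it to the phone ports.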
08-27-2008 05:09 AM
Seems like a switch problem.
Try to boot the switch with another IOS.