Cisco – Why wireshark captures foreign / non relevant traffic on the plain access switchport

cisco

On a company main switch (Cisco 3750) I have connected a simple Windows XP physical PC on a switchport (switchport mode access, switchport access vlan 30). NO monitor sessions exists on the 3750. Also, the PC has a single IP address on a single NIC.
However, when I start a Wireshark promiscuous capture on the WinXP PC, several foreign conversations appear, either LAN-to-LAN or WAN-to-LAN (that is src IP and dst IP does not match the PC's IP address). This traffic is NOT broadcast (neither L2 broadcast nor L3 broadcast). The switch's configuration is a simple layer 3 and layer 2 configuration. Nothing fancy (ommited for cluttering the reasons)

I have checked the switch's MAC and ARP table and all seems normal: the PC's switchport shows only 1 MAC address and the other foreign MAC and IP addresses resolve to their normal ports (using "show ip arp" and "show mac-addr" etc.)

The whole capturing idea was initiated because we want to troubleshoot frequent application lags (according to other captures, many TCP retransmissions are the possible culprit).

Any ideas?

======================

EDIT
after an IOS research it seems that there is a pretty big chance that my IOS version (12.2(25)SEB4) may have serious bugs about CAM tables and such. I will upgrade next week and revisit to update.

Best Answer

[Sorry for being late to the party, but came across this when looking for something else] When you say "several foreign conversations appear", do you mean multiple packets in both directions, or just the occasional packet?

If it is full conversations, then you definitely have a problem with your switch.

If it is occasional packets, then I'd blame spanning tree changes. Recall that a switch remembers MAC addresses for 300 seconds by default. So if your switch had NOT seen a frame from a particular device for 300 seconds, and frames were sent to that MAC address, they would be forwarded to all other ports, including your WinXP/Wireshark monitor. This would continue until the owner of the MAC address sent a frame.

For devices running modern operating systems, the chances of a device NOT sending a frame for 300 seconds is pretty slim, although other more passive devices may be silent for that kind of time.

Back to spanning tree. If there is a spanning tree topology change (such as a device connecting/disconnecting to a switch port), a Topology Change Notification event is sent to the root bridge. The root bridge then sets the TCN bit on all BPDUs for the next FWD_DELAY period (15 seconds). When bridges see BPDUs with the TCN bit set, they reduce the ageing timers for the MAC address table to FWD_DELAY (15 seconds). [This is one reason why you should always enter the global configuration command spanning-tree portfast default - to stop the creation of TCNs whenever a switch port is activated/de activated]

So IF there are spanning tree changes, you are more likely to see occasional packets to MAC addresses other than your own.

You do not specifically say if any of the packets you see were from another subnet (= another VLAN if your design is correct). BUT if you ARE seeing packets from another subnet/VLAN, then I would suggest that you look very carefully at your inter-switch cabling, and check the native vlan configuration and Trunk port status of all these links. If there is any "subnet/VLAN" leakage, then it could create multiple topology changes which in turn could keep the ageing timer to 15 seconds leading to many more unexpected frames arriving on your Wireshark capture.

Related Solutions

Can’t Ping Other VLAN on Same Stack Switch

In general, a VLAN SVI will not be "UP" if there are no ports within that VLAN that are up. As only 2 of your VLANs are assigned to interfaces (as per the limited bit of config provided), only 2 VLANs should be operational.

Cisco router + cable modem – How to configure routing

I'm making some assumptions on your setup and how exactly your ISP is giving you these IPs, so if any of this is wrong I apologize and will happily change my answer

For your internal network I would suggest you setup a DHCP pool for your workstations and statically assign IPs to your servers. I'll leave the DHCP pool setup for you, as I think you're mainly aiming to make sure both public IPs are utilized by the proper networks.

i.e.
  172.16.1.0/24 for your workstations, with DHCP, assigned to VLAN10
  172.16.2.0/29 for your servers, statically assigned, on VLAN20

That all being said here is what I personally would try and setup to get your gear online.

int g0/0
  ip address dhcp

This will pull an IP from your modem and give it to your external port. I suspect it will be an ISP internal IP because I doubt they'd give your modem a publicly routable IP. That'd be weird.

In this scenario, you should not be manually inputting any default routes on your router as it should all be supplied from the DHCP pull.

int g0/1.10
  ip address 172.16.1.1 255.255.255.0
int g0/1.20
  ip address 172.16.2.1 255.255.255.248

This setups the internal gateways for your two networks. So all your workstations will be pointing to 172.16.1.1 and your servers to 172.16.2.1

After that you'll need to setup NAT rules on the router to handle passing of traffic outwards for your workstations.

int g0/0
  ip nat outside

This setups your external facing interface as your outside nat interface.

int g0/1.10
  ip nat inside

This setups your internal facing interface as an inside nat interface.

Router(config)# ip nat pool internet 128.66.0.2 128.66.0.2 prefix 24

Creates a NAT pool named internet being translated to one of your public IPs.

Router(config)# ip nat inside source list 7 pool name internet overload

This says to NAT all IPs in list 7 to the NAT pool you just created and that you can overload it. Which is to say more than one internal IP can use the same external IP.

Router(config)# access-list 7 172.16.1.0 0.0.0.255

Creates the list referenced in the previous command. Now onto NAT for your servers, which I suggest be statically assigned if you want them publicly available.

int g0/1.20
  ip nat inside

Same as before, this setups your internal interface as an inside NAT interface.

Router(config)# ip nat inside source static 172.16.2.(2-6) 128.66.1.(2-6)

A new line for each static assignment is needed. This creates a static translation between your internal IP and your external IP that was assigned to you.

As for your switch; all you would need to do is properly tag your ports depending on what is plugged in and make sure your trunk is passing both VLANs.

At this point both subnets should hitting your router, and your router should know where to pass the traffic, be it internally (your workstations getting to your servers) or externally (internet). Access control can either be setup with ACLs on the router, a stand-alone firewall, or firewalls on your servers.

Now this all hinges on how your ISP has your modem setup. If it works the way I think it works, when your external interface pulls it's information through DHCP, your router should populate both your public IP ranges so that when your router NATs it knows where to send your traffic.

I suspect someone will give a better written answer, but hopefully this points you in the correct direction.

I also referenced the following link for help on the NAT parts as they are definitely not something I play with very often.

http://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/13772-12.html

Best Answer

Related Solutions

Can’t Ping Other VLAN on Same Stack Switch

Cisco router + cable modem – How to configure routing

Related Topic