We are getting average of 1 pps and peaks of 60 pps of these packets, from Wireshark trace.
Please kindly share information on what is the cause of these broadcasts and how to minimize the frequency.
Screenshots of Wireshark decode and IO graph below:
Just a side query please, what is the probable cause or reason for an ARP request from the root and backup root switches for an IP address that is actually the subnet mask for our RSTP VLAN, and on a regular or periodic basis? Will all hosts in the subnet respond to these broadcasts? The Wireshark trace captured only broadcasts and unicasts to and from the PC running Wireshark.
which details the mechanics of IP Directed Broadcast from a remote administration task (such as a backup server) to the hosts in a specified subnet.
We have several servers north of the RSTP VLAN in a firewalled DMZ, that handle backup and patch management tasks for the workstations in the subject subnet. So, perhaps the root and backup root switches are forwarding the remote IP Directed Broadcasts as ARP requests for Who has x.x.255.255 in the subject subnet? How best to check / confirm this? Mirror the suspect interfaces to the Wireshark PC interface, perhaps and collect and analyze traces?
The root and backup root switches have 2 interconnecting patch cords.
The root and backup-root switches were recently upgraded from N-series to S-series, and we did not have these ARP broadcasts for x.x.255.255 earlier.
Checking the Wireshark trace, I find that the ARP requests for x.x.255.255 are being generated right after the NTP broadcasts to the same x.x.255.255 address. The SNTP Server has a Satellite GPS timesync card and is on one of the subnets.
Does the label, "all-subnets-directed broadcast" apply to the NTP broadcasts, even though the source is on one of the subnets?
The Wireshark IO graph (using stacked bars) is shown below; with the NTPs in blue at 2 pkts every 16 seconds, ARPs from root switch in yellow, and ARPs from backup root switch in purple:
Why are there 6 sets of ARPs per switch for every other NTP?
Your advice and guidance on this matter is very much appreciated.
IMHO, the switches should not create ARP requests for the subnet broadcast address.
You might want to enable directed broadcasts on the S-Series, since your SNTP server uses them:
configureThe output of "show ip interface" tells you if directed broadcasts are enabled on an SVI.
Thank you Erik,
Do we know why the ARP requests for the subnet broadcast address are particular to the S-series?
We started seeing these packets only after replacing the N-series root and backup root switches under an upgrade program.
The N-series Configuration Guide states that IP-directed broadcasts are disabled in the default setting -- the configuration files did not have any reference to directed-broadcast.
The start of the N-series root switch config file is as shown below; I am still trying to secure copy of the config file for the S-series.
## Config File was imported 12-14-2015 09:24:21 from SWROOT (7C103) N3 Chassis ##
set banner motd "Configuration imported from SWROOT on 12-14-2015 09:24:21 running firmware rev DFE-P-6123-0003"
set ip address x.x.81.1 mask 255.255.0.0
set ip route default x.X.81.1