Question

Very excessive and repetitive "who has" ARP traffic on my core switch?

  • 22 January 2019
  • 3 replies
  • 359 views

Userlevel 5
I seem to have an insane amount of ARP traffic on my network - to the point that I think it's the reason that all my lights are flickering! It's all "who has" requests coming from my core switch, and it appears to be happening on every single VLAN but with different IP addresses.

It keeps looking for the same two or three hosts, and never stops. The hosts being different for various VLANs, but the request (tell ______) is always my core switch which owns the gateway and it's IP.

Could it be something I did with my bootprelay configuration? Here is an example of one of my VLAN's ...


configure vlan MainHosp1FLD ipaddress 10.10.10.1 255.255.255.0
enable ipforwarding vlan MainHosp1FLD

enable bootprelay ipv4 vlan MainHosp1FLD

configure bootprelay add 10.60.60.10 vr VR-Default
configure bootprelay add 10.60.60.11 vr VR-Default


Here is what I am seeing in Wireshark ...


3 replies

Userlevel 7
Do those 3 IP addresses mean anything to you? If a device keep sending traffic to those IP addresses (syslog as an example) and those devices are not replying to the ARP then it will keep trying.

You could also look for a loop utilizing elrp. Running "show l2stat" a couple times can help determine which vlan's broadcast counters are increasing rapidly. run elrp on that VLAN and see if it detects a loop.
Userlevel 6
As @Patrick Voss said, It's probably a device in your network reaching out to these IPs in the ARP requests and our switch is trying it's best to find them with ARP with no success. To stop this you simply need to make the unknown device stop sending to these IPs. 🙂

Finding these devices are not always easy, but you can find it by creating an ACL's to match the dest IPs seen in the arp request and count the traffic. You then will apply the ACL to ports on the core to see what port it's comming in on. Once you find the port the traffic is coming in on you can mirror that port or simply change your ACL to mirror. Then you will see the source IP of the traffic and hunt it down.

Hope this helps.
Userlevel 5
Hello folks, I spent some more time on this issue last week. I seem to be chasing my tail. When connected to one particular Cisco switch and doing a capture on the default VLAN, I am seeing broadcast packets (such as the ARP "who has") repeated 30 times.

When I connect to one of my Extreme switches and monitor that same VLAN, I am only seeing it once.

I have run the ELRP several times on all of my Extreme devices, and no loop has ever been detected. I wish Cisco had something similar, because I still think there is a loop somewhere. It's not enough that it's affecting anything on my network. But I am a little annoyed with the activity lights of my equipment flickering like mad. It's a constant reminder that something ain't right! :-D

I have also been cautiously enabling STP where it was not already enabled. So far - no loops or blocking is taking place.

Reply