This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Frequent ARP request broadcast for Who has x.x.255.255? from S-Series root switch in RSTP VLAN

Frequent ARP request broadcast for Who has x.x.255.255? from S-Series root switch in RSTP VLAN

Edwin
New Contributor

‎04-21-2016 01:25 PM

We are getting average of 1 pps and peaks of 60 pps of these packets, from Wireshark trace.

Please kindly share information on what is the cause of these broadcasts and how to minimize the frequency.

TIA.

Screenshots of Wireshark decode and IO graph below:

5cb74c14bb95440081ded7d93f80958f_RackMultipart20160421-66535-b2kn23-arp_001_inline.jpg



5cb74c14bb95440081ded7d93f80958f_RackMultipart20160421-4448-17w0crf-arp_002_inline.jpg





0 Kudos
14 REPLIES 14

Edwin
New Contributor

‎04-22-2016 05:50 PM

Just found an article from Juniper.net, http://www.juniper.net/documentation/en_US/junos13.3/topics/concept/ip-directed-broadcast-ex-series.html which details the mechanics of IP Directed Broadcast from a remote administration task (such as a backup server) to the hosts in a specified subnet. We have several servers north of the RSTP VLAN in a firewalled DMZ, that handle backup and patch management tasks for the workstations in the subject subnet. So, perhaps the root and backup root switches are forwarding the remote IP Directed Broadcasts as ARP requests for Who has x.x.255.255 in the subject subnet? How best to check / confirm this? Mirror the suspect interfaces to the Wireshark PC interface, perhaps and collect and analyze traces?
0 Kudos

Edwin
New Contributor

‎04-22-2016 09:00 AM

I will check on the parallel patch cords next week WPL; it's weekend her now. Just a side query please, what is the probable cause or reason for an ARP request from the root and backup root switches for an IP address that is actually the subnet mask for our RSTP VLAN, and on a regular or periodic basis? Will all hosts in the subnet respond to these broadcasts? The Wireshark trace captured only broadcasts and unicasts to and from the PC running Wireshark. Thanks.
0 Kudos

Mel78__CISSP__E
New Contributor III

‎04-21-2016 02:06 PM

Then likely is a loop. Do you have 2 or more parallel patch cords connected betwwen the root switch and backup root switch ?
0 Kudos

Edwin
New Contributor

‎04-21-2016 01:58 PM

Sorry, the source IP addresses are for the root and backup root S-series switches for the RSTP VLAN network.
0 Kudos

Mel78__CISSP__E
New Contributor III

‎04-21-2016 01:52 PM

Theres nothing i can do when you mask out the source ip of the broadcast storm.

Likely is a STP loop that causes broadcast storm.

You can use ELRP to protect your own switch but you can never eliminate the root cause if you cannot block the source.

0 Kudos
GTM-P2G8KFN