03-03-2011 06:33 PM - edited 03-09-2019 11:25 PM
Hello,
I have a network of 3750's configured for DAI with DHCP Snooping implanted and working with windows XP for around a year. Now we've changed a couple machines for windows 7. I have a floor with around 200 workstations on XP and about 4 on Seven.
Two of these WIN7 are triggering the err-disable for arp inspection (configured by default to block interfaces sending over 15 arp pps)
I noticed that when I go on windows -> network and I do a refresh, sometimes (most of the time after boot up or idle time) it will trigger the massive arp response on the network.
With help of wirewhark I noticed that all hosts on the network updated their arp entry for that computer(win7) at the same time, for some reason I don't know. The windows 7 tries to reply over fifty arp requests for its IP which caused the port to be put on err-disable.
There were no applications running on the windows7 computer at the time of the tests, only wireshark and its default services.
This computer has configured:
DHCP with WINS
Its on a windows domain
has netbios over TCP (which i think is the problem, but I cant figure out since I don't really know how it normally behaves)
Sorry but I cant upload the Pcap file since it has lots of confidential information.
Thank you
03-15-2011 04:49 PM
Responding my own question, my dhcp was giving out the primary wins server as secondary and vice-versa. My secondary wins server was not synchronizing with the primary because I had a problem on the configuration.
My wins works as H-mode, the clients consult the wins server, if not successfully then broadcasts itself over the network . Since my secondary wins was configured as my primary and it was not synchronized the queries failed therefore the clients were broadcasting itself over the network.
Once everyone learned about this client broadcasting itself, everyone tried to established a unicast communication and everyone sent at the same time a ARP Request, and then the client replied with a ARP Response for every single Request at the same time, causing the switch to put the client's port in err-disable
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide