Explorer

Lots of ARP Broadcasts from SG300-28P for its GW Address

In troubleshooting another issue I set up another SG300 on the same VLAN as my SG300-28P and then set up a Monitor Port on it to see what Broadcasts I was getting.

Lo and behold, the SG300-28P is sending out quite a few Broadcast Packets. Most of them are the same, ARP Request for its Default Gateway Address. Others are for a few other AD Servers on our network.

Arp Entry Age Out is set to the default of 600000 with "

This is the Wireshark Packet.   The Frame check sequence is Bad, what can cause that?

No.     Time           Source                Destination           Protocol Length Info
   1737 67.457763000   Cisco_a9:93:84        Broadcast             ARP      64     Who has 10.1.0.3?  Tell 10.1.2.3 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]

Frame 1737: 64 bytes on wire (512 bits), 64 bytes captured (512 bits) on interface 0
    Interface id: 0
    WTAP_ENCAP: 1
    Arrival Time: Jan  8, 2013 14:44:06.952611000 Pacific Standard Time
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1357685046.952611000 seconds
    [Time delta from previous captured frame: 0.000106000 seconds]
    [Time delta from previous displayed frame: 0.000106000 seconds]
    [Time since reference or first frame: 67.457763000 seconds]
    Frame Number: 1737
    Frame Length: 64 bytes (512 bits)
    Capture Length: 64 bytes (512 bits)
    [Frame is marked: True]
    [Frame is ignored: False]
    [Protocols in frame: eth:arp]
    [Coloring Rule Name: ARP]
    [Coloring Rule String: arp]
Ethernet II, Src: Cisco_a9:93:84 (b8:be:bf:a9:93:84), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
    Destination: Broadcast (ff:ff:ff:ff:ff:ff)
        Address: Broadcast (ff:ff:ff:ff:ff:ff)
        .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
        .... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)
    Source: Cisco_a9:93:84 (b8:be:bf:a9:93:84)
        Address: Cisco_a9:93:84 (b8:be:bf:a9:93:84)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: ARP (0x0806)
    Padding: 000000000000000000000000000000000000
    Frame check sequence: 0x00000000 [incorrect, should be 0xf26cfd38]
        [FCS Good: False]
        [FCS Bad: True]
            [Expert Info (Error/Checksum): Bad checksum]
                [Message: Bad checksum]
                [Severity level: Error]
                [Group: Checksum]
Address Resolution Protocol (request)
    Hardware type: Ethernet (1)
    Protocol type: IP (0x0800)
    Hardware size: 6
    Protocol size: 4
    Opcode: request (1)
    Sender MAC address: Cisco_a9:93:84 (b8:be:bf:a9:93:84)
    Sender IP address: 10.1.2.3 (10.1.2.3)
    Target MAC address: 00:00:00_00:00:00 (00:00:00:00:00:00)
    Target IP address: 10.1.0.3 (10.1.0.3)

Advocate

Lots of ARP Broadcasts from SG300-28P for its GW Address

Hi again Scott, I think this may be spanning tree related. Can you try to filter the BPDU on the links where the ARPs originate?

-Tom
Please mark answered for helpful posts

Explorer

Lots of ARP Broadcasts from SG300-28P for its GW Address

Thank you for your reply...   Filter the Bridge Protocol Data Unit?  I'm not sure how to do that.

Speaking of Spanning Tree, after I told Wireshark to filter out the traffic from b8:be:bf:a9:93:84 I then ran across the following:

Where:

54:78:1a:e5:fe:24  I have no idea. Seems like it's part of the Test SG300 from below.

54:78:1a:e5:fe:08 is the SG300 that I'm using for testing and Port Mirroring, so only the VLAN 101 and Wireshark are on it

00:22:6b:1b:2d:a7 is a SFE2000P - It's a PoE that is on the same Subnet as VLAN 101 and has all Avaya IP Phones

No.     Time           Source                Destination           Protocol Length Info
  11001 3129.413142000 Cisco_e5:fe:24        Spanning-tree-(for-bridges)_00 STP      60     RST. TC + Root = 32768/0/00:22:6b:1b:2d:a7  Cost = 20000  Port = 0x804c

Frame 11001: 60 bytes on wire (480 bits), 60 bytes captured (480 bits) on interface 0
    Interface id: 0
    WTAP_ENCAP: 1
    Arrival Time: Jan  8, 2013 16:37:21.853048000 Pacific Standard Time
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1357691841.853048000 seconds
    [Time delta from previous captured frame: 0.482385000 seconds]
    [Time delta from previous displayed frame: 1.999897000 seconds]
    [Time since reference or first frame: 3129.413142000 seconds]
    Frame Number: 11001
    Frame Length: 60 bytes (480 bits)
    Capture Length: 60 bytes (480 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:llc:stp]
    [Coloring Rule Name: Broadcast]
    [Coloring Rule String: eth[0] & 1]
IEEE 802.3 Ethernet
    Destination: Spanning-tree-(for-bridges)_00 (01:80:c2:00:00:00)
        Address: Spanning-tree-(for-bridges)_00 (01:80:c2:00:00:00)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)
    Source: Cisco_e5:fe:24 (54:78:1a:e5:fe:24)
        Address: Cisco_e5:fe:24 (54:78:1a:e5:fe:24)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Length: 39
    Padding: 00000000000000
Logical-Link Control
    DSAP: Spanning Tree BPDU (0x42)
    IG Bit: Individual
    SSAP: Spanning Tree BPDU (0x42)
    CR Bit: Command
    Control field: U, func=UI (0x03)
        000. 00.. = Command: Unnumbered Information (0x00)
        .... ..11 = Frame type: Unnumbered frame (0x03)
Spanning Tree Protocol
    Protocol Identifier: Spanning Tree Protocol (0x0000)
    Protocol Version Identifier: Rapid Spanning Tree (2)
    BPDU Type: Rapid/Multiple Spanning Tree (0x02)
    BPDU flags: 0x7d (Agreement, Forwarding, Learning, Port Role: Designated, Topology Change)
        0... .... = Topology Change Acknowledgment: No
        .1.. .... = Agreement: Yes
        ..1. .... = Forwarding: Yes
        ...1 .... = Learning: Yes
        .... 11.. = Port Role: Designated (3)
        .... ..0. = Proposal: No
        .... ...1 = Topology Change: Yes
    Root Identifier: 32768 / 0 / 00:22:6b:1b:2d:a7
        Root Bridge Priority: 32768
        Root Bridge System ID Extension: 0
        Root Bridge System ID: 00:22:6b:1b:2d:a7
    Root Path Cost: 20000
    Bridge Identifier: 32768 / 0 / 54:78:1a:e5:fe:08
        Bridge Priority: 32768
        Bridge System ID Extension: 0
        Bridge System ID: 54:78:1a:e5:fe:08
    Port identifier: 0x804c
    Message Age: 1
    Max Age: 20
    Hello Time: 2
    Forward Delay: 15
    Version 1 Length: 0

Advocate

Lots of ARP Broadcasts from SG300-28P for its GW Address

-Tom
Please mark answered for helpful posts

Explorer

Lots of ARP Broadcasts from SG300-28P for its GW Address

Thank you for your reply...

I noticed that your STP is disabled for the port you are changing to Filtering from Flooding.  So you are not using STP on that specific port.   So that makes sense.

If I read about STP correctly, it's there to prevent Layer 2 looping and infinite packet forwarding.  All of the switches I have are cascaded. There are no redundant links from any one switch to any other switches.  Sure, there might be a possibility of someone mistakenly connecting up one switch to multiple uplink switches, and it does take the network down, though I'd rather find that than have the switch 'fix' it.   We have a Server Room with some switches and a few remote closets connected by Fiber.  All of the remote closets have the one connection to the server room and any sub switch is connected to the switch that has the incoming fiber.   Seems like I should be able to turn off STP on all of these switches, or am I misreading about STP?

Thank you,

   Scott<-

Advocate

Lots of ARP Broadcasts from SG300-28P for its GW Address

You're right, spanning tree's intention is to prevent network loops. But this technology comes with penalties. A network loop can destroy a whole network in seconds, it can be a catastrophe that is easily made. So the small concept of preventing network loops is a massive counter-measure.

A lot of problems are introduced with spanning-tree and the way it interacts switch to switch. There are 2 types of BPDU, a TCN and configuration. The problem is, every time a TCN (topology change notification) is generated the spanning-tree topology will eventually receive an update. If for whatever reason you have a port flapping or several users connect/disconnect or similar situations, when the root bridge updates the topology, the max age timer will expire then update the configuration BPDU.

As a result of this, the CAM table will drop. If the CAM table drops, you will get a lot of ARP. So, let's filter the BPDU and see if it clears up. Or disable spanning-tree altogether, either or, although I don't recommend removing spanning tree, because if someone decides to get smart and hook up a small hub and make a loop, you will get hurt, quickly.

-Tom
Please mark answered for helpful posts

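An added example, not code from any of the posts: a decoder for RST BPDUs like frame 11001 captured earlier in the thread, plus a check that reports the topology-change flag discussed above and any BPDU naming a root bridge other than the one you expect. The frame bytes are rebuilt from the dissected fields on this page; `stp_findings` and its `expected_root_mac` parameter are hypothetical names chosen for the illustration.

```python
import struct

# Frame 11001 rebuilt from the dissected fields shown in the thread
# (constructed for this example; the page does not include the raw bytes).
FRAME_11001 = bytes.fromhex(
    "0180c2000000 54781ae5fe24 0027 424203"  # dst, src, length 39, LLC header
    "0000 02 02 7d"                   # protocol id, version, BPDU type, flags
    "8000 00226b1b2da7 00004e20"      # root id, root path cost (20000)
    "8000 54781ae5fe08 804c"          # bridge id, port id
    "0100 1400 0200 0f00 00"          # timers in 1/256 s, version 1 length
    "00000000000000")                 # padding up to 60 bytes
ROLES = ("Unknown", "Alternate/Backup", "Root", "Designated")

def bridge_id(prio, mac):
    # 4-bit priority, 12-bit system ID extension, then the bridge MAC
    return f"{prio & 0xF000}/{prio & 0x0FFF}/{mac.hex(':')}"

def parse_bpdu(frame):
    """Decode an 802.3/LLC spanning tree frame; None if it is not a BPDU."""
    if len(frame) < 21 or frame[14:17] != b"\x42\x42\x03":
        return None
    length = struct.unpack("!H", frame[12:14])[0]
    body = frame[17:14 + length]      # the length field excludes padding
    if len(body) < 4 or body[:2] != b"\x00\x00":
        return None
    out = {"src": frame[6:12].hex(":"), "type": body[3], "topology_change": True}
    if body[3] == 0x80:               # legacy TCN BPDU carries no other fields
        return out
    if len(body) < 35:
        return None
    flags = body[4]
    rp, rm, cost, bp, bm, port, age, max_age, hello, fwd = struct.unpack(
        "!H6sIH6sHHHHH", body[5:35])
    out.update(topology_change=bool(flags & 0x01), tc_ack=bool(flags & 0x80),
               port_role=ROLES[(flags >> 2) & 3], root=bridge_id(rp, rm),
               bridge=bridge_id(bp, bm), root_path_cost=cost, port_id=port,
               message_age=age / 256, max_age=max_age / 256)
    return out

def stp_findings(frames, expected_root_mac):
    """Flag topology changes and BPDUs naming a root other than expected."""
    findings = []
    for bpdu in filter(None, map(parse_bpdu, frames)):
        if bpdu["topology_change"]:
            findings.append(("topology-change", bpdu["src"]))
        if "root" in bpdu and not bpdu["root"].endswith(expected_root_mac):
            findings.append(("unexpected-root", bpdu["root"]))
    return findings
```

Counting the `topology-change` findings per source over time, next to the ARP request rate from the same capture, shows whether the two actually move together on a given network.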
Explorer

Lots of ARP Broadcasts from SG300-28P for its GW Address

Seems like the BPDU setting is used only if STP is disabled?

BPDU Handling—Select how Bridge Protocol Data Unit (BPDU) packets are managed when STP is disabled on the port or the switch. BPDUs are used to transmit spanning tree information.

I think I know enough to be dangerous! (-;  So it would seem like I would want STP and Flooding enabled on the core Switch and any of the Ports that then connect to other Managed switches.

If I have some SR2024's that connect up the remote Fiber Closets, there is no configuring of them, so I would not need to enable STP on the ports that Connect up to those switches and thus any sub switch that they connect to.

I think I'm almost there!   Thank you for your help!

Scott<-