Do you have access to a packet sniffer, such as the Nework Associates's SNIFFER product or the Etherreal product?
If your ports are being shutdown at 500 packets per second broadcast rate, I would look for signs of a large ARP query.  Ususally that is a sign of a virus attack, or some misconfigured software that is dynamically detecting what devices are on the same subnet as the workstation the code is running on.
How much broadcast is too much depends upon your traffic pattern.  I would run the protocol analyzer and see what it states.  If you need more help, let me know.