Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3078
Views
0
Helpful
2
Replies

Is this excessive ARP requests on network?

JamesLutter
Level 1
Level 1

‎01-12-2016 10:51 AM - edited ‎03-08-2019 03:22 AM

This is related to another question I asked on here but more specifically about ARP on the network...

I have a network of 8 SG300-52 switches.   I have around 200 active IPs on the network.  (Yes there are a lot of unused ports on the switches)

I am concerned that I see a lot of ARP requests on the network when I use Wireshark.  I see 5-10 requests per second, usually it seems like its one IP asking who has another IP, and then that other IP asking who has the original requester's IP.  ie:

Who has 192.168.1.189? Tell 192.168.1.4
Who has 192.168.1.4? Tell 192.168.1.189
Who has 192.168.1.45? Tell 192.168.1.113
Who has 192.168.1.113? Tell 192.168.1.45
Who has 192.168.1.208? Tell 192.168.1.5
Who has 192.168.1.13? Tell 192.168.1.2
Who has 192.168.1.155? Tell 192.168.1.8
Who has 192.168.1.176? Tell 192.168.1.4
Who has 192.168.1.4? Tell 192.168.1.176

It doesn't seem like its a single IP or set of IPs.

Is this expected to constantly be happening on the network (5-10 per second, sometimes as much as 20)?  Does it hurt performance? Is there anyway to decrease this traffic?  

Labels:
0 Helpful
2 Replies 2

pwwiddicombe
Level 4
Level 4

‎01-12-2016 11:23 AM

This is pretty much "normal" activity in a flat network; particularly if they are running Netbios.  Remember that they need to broadcast to find each other's MAC address before sending other packets; and ARP is how that's accomplished.  This will also be a 2-way street; so when one requests the other's address, in turn it needs to determine the MAC address to send a reply to.

This really shouldn't be a cause for concern; although that IS one of the reasons why flat networks don't scale well.  At 200 addresses, this shouldn't be a problem.  If you see growth past 500 or so, then consider segmenting.

0 Helpful

JamesLutter
Level 1
Level 1
In response to pwwiddicombe

‎01-14-2016 07:38 AM

Hi, thanks for the answer.  I will just be happy with the amount of activity I have.  If its not causing performance issues, there's no problem.  Honestly, the driving factor for my foray into this subject was the constant, incessant, very rapid port LED blinking in unison over every port on every switch of my network. It caused me to think something was drastically wrong as the only other time I saw that was before STP and a network loop happened.

Disabling NetBIOS at the DHCP server and removing "phantom" printers from PC's and servers seems to have quieted things down quite a bit.  Instead of capturing ~1000 packets in a 20 second wireshark capture, I now capture 100-200.  There are now even moments of a quarter to half second of no activity now and then. heh

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card