I have a Cisco SG300 Small Business switch, and the GUI interface is creating a lot of broadcast traffic: Source IP (the GUI IP) 172.16.xx.254:5353, Destination IP (broadcast) 224.0.0.251:5353
I have disabled Bonjour and CDP globally on the switch.
How can I turn this traffic off?
(Command line answer preferred, but GUI is also OK.)
Edit #1 – JFL's answer prompted me to make a Wireshark capture just to be 100% sure that the traffic was coming from the switch... it is. The control GUI is broadcasting. I don't need or want that to happen.
I have no bonjour enable globally.
In the Discovery – Bonjour menu, Discovery: Enable is unchecked, and the Bonjour Discovery Interface Control Table is EMPTY.
What am I missing?
Here's a sample packet:
Frame 60: 362 bytes on wire (2896 bits), 362 bytes captured (2896 bits) on interface 0
Interface id: 0 (enp0)
Encapsulation type: Ethernet (1)
Arrival Time: Mar 3, 2017 16:14:17.875849274 EST
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1488575657.875849274 seconds
[Time delta from previous captured frame: 1.461698815 seconds]
[Time delta from previous displayed frame: 4.999822643 seconds]
[Time since reference or first frame: 43.461018609 seconds]
Frame Number: 60
Frame Length: 362 bytes (2896 bits)
Capture Length: 362 bytes (2896 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ethertype:ip:udp:mdns]
[Coloring Rule Name: UDP]
[Coloring Rule String: udp]
Ethernet II, Src: 00:9e:1e:xx:xx:x1 (00:9e:1e:xx:xx:x1), Dst: IPv4mcast_fb (01:00:5e:yy:yy:yb)
Destination: IPv4mcast_fb (01:00:5e:yy:yy:yb)
Address: IPv4mcast_fb (01:00:5e:yy:yy:yb)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)
Source: 00:9e:1e:xx:xx:x1 (00:9e:1e:xx:xx:x1)
Address: 00:9e:1e:xx:xx:x1 (00:9e:1e:xx:xx:x1)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 172.16.xx.254, Dst: 224.0.0.251
0100 .... = Version: 4
.... 0101 = Header Length: 20 bytes
Differentiated Services Field: 0xe0 (DSCP: CS7, ECN: Not-ECT)
1110 00.. = Differentiated Services Codepoint: Class Selector 7 (56)
.... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
Total Length: 348
Identification: 0x2e4f (11855)
Flags: 0x00
0... .... = Reserved bit: Not set
.0.. .... = Don't fragment: Not set
..0. .... = More fragments: Not set
Fragment offset: 0
Time to live: 1
[Expert Info (Note/Sequence): "Time To Live" != 255 for a packet sent to the Local Network Control Block (see RFC 3171)]
["Time To Live" != 255 for a packet sent to the Local Network Control Block (see RFC 3171)]
[Severity level: Note]
[Group: Sequence]
Protocol: UDP (17)
Header checksum: 0xca52 [validation disabled]
[Good: False]
[Bad: False]
Source: 172.16.xx.254
Destination: 224.0.0.251
[Source GeoIP: Unknown]
[Destination GeoIP: Unknown]
User Datagram Protocol, Src Port: 5353 (5353), Dst Port: 5353 (5353)
Source Port: 5353
Destination Port: 5353
Length: 328
Checksum: 0x6346 [validation disabled]
[Good Checksum: False]
[Bad Checksum: False]
[Stream index: 0]
Multicast Domain Name System (response)
Transaction ID: 0x0000
Flags: 0x8000 Standard query response, No error
1... .... .... .... = Response: Message is a response
.000 0... .... .... = Opcode: Standard query (0)
.... .0.. .... .... = Authoritative: Server is not an authority for domain
.... ..0. .... .... = Truncated: Message is not truncated
.... ...0 .... .... = Recursion desired: Don't do query recursively
.... .... 0... .... = Recursion available: Server can't do recursive queries
.... .... .0.. .... = Z: reserved (0)
.... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
.... .... ...0 .... = Non-authenticated data: Unacceptable
.... .... .... 0000 = Reply code: No error (0)
Questions: 0
Answer RRs: 1
Authority RRs: 0
Additional RRs: 0
Answers
VSDPb45501._csco-sb-vsdp._mdns._udp.local: type TXT, class IN
Name: VSDPb45501._csco-sb-vsdp._mdns._udp.local
Type: TXT (Text strings) (16)
.000 0000 0000 0001 = Class: IN (0x0001)
0... .... .... .... = Cache flush: False
Time to live: 25
Data length: 255
TXT Length: 6
TXT: type=0
TXT Length: 9
TXT: version=1
TXT Length: 21
TXT: refresh-age-timeout=0
TXT Length: 10
TXT: priority=0
TXT Length: 14
TXT: refresh-flag=0
TXT Length: 34
TXT: root-mac-address=00:9e:1e:xx:xx:x1
TXT Length: 6
TXT: cost=0
TXT Length: 26
TXT: transm-address=172.16.xx.254
TXT Length: 23
TXT: transm-interface=100049
TXT Length: 16
TXT: voice-vlan-id=10
TXT Length: 16
TXT: voice-vlan-vpt=5
TXT Length: 18
TXT: voice-vlan-dscp=46
TXT Length: 43
TXT: md5-auth=01af9cba5ed0218b0848195834e6a878ae
Edit #2
I found the following by rooting around on the console. I don't know if this gives anybody any ideas, but the documentation doesn't say anything useful.
show bonjour
Bonjour global status: disabled
Bonjour L2 interfaces port list: none
Service   Admin Status   Oper Status
-------   ------------   -----------
csco-sb   enabled        enabled
http      enabled        enabled
https     enabled        enabled
ssh       enabled        enabled
telnet    enabled        disabled
Best Answer
224.0.0.251 is the multicast (not broadcast) address used by the Apple Bonjour protocol, but also by the associated multicast DNS (RFC 6762).
So there are two causes of traffic sent to this multicast address:
So I would first double-check that Bonjour advertisements are disabled (in Administration > Discovery - Bonjour), but also check that there's no DNS name ending with .local anywhere.
Analysing the frame sent (with Wireshark / tcpdump / MS Message Analyzer) could also determine if they are actually Bonjour discovery messages.
If it's actually a Bonjour discovery packet and it's really off, then I'll upgrade the switch with the latest software and see if it persists, then submit the issue to Cisco.
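As an added example (not code from the question, the answer, or Cisco), here is a Python decoder that does the frame analysis the answer suggests, offline. It rebuilds the mDNS payload of the dissected frame from the field values shown in the question (the redacted xx fields are kept as they appear, so a couple of TXT string lengths differ from the original dissection), parses it as a DNS message including RFC 1035 name compression, and reports whether the announcement is the Cisco Small Business VSDP service (_csco-sb-vsdp) or a generic DNS-SD record. The function and constant names are the example's own. The decoded TXT record also makes visible what such an announcement hands to every host on the VLAN: the management IP, the root MAC address and the voice-VLAN settings, roughly every 5 seconds according to the frame timing in the capture.

```python
"""Decode an mDNS datagram and classify it as a Cisco SB VSDP announcement
or a generic DNS-SD/Bonjour record.  Added example, not the switch's code."""
import struct

# Constructed sample: the UDP payload rebuilt from the dissected frame in the
# question.  The xx placeholders are kept verbatim, so string lengths of the
# redacted entries differ slightly from the original "TXT Length" values.
VSDP_NAME = "VSDPb45501._csco-sb-vsdp._mdns._udp.local"
VSDP_TXT = [
    "type=0", "version=1", "refresh-age-timeout=0", "priority=0",
    "refresh-flag=0", "root-mac-address=00:9e:1e:xx:xx:x1", "cost=0",
    "transm-address=172.16.xx.254", "transm-interface=100049",
    "voice-vlan-id=10", "voice-vlan-vpt=5", "voice-vlan-dscp=46",
    "md5-auth=01af9cba5ed0218b0848195834e6a878ae",
]

def encode_name(name):
    """Wire-encode a dotted DNS name as length-prefixed labels plus terminator."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_txt_response(name, txt, ttl=25):
    """Build an unsolicited mDNS response with one TXT record (constructed)."""
    rdata = b"".join(bytes([len(s)]) + s.encode() for s in txt)
    header = struct.pack("!HHHHHH", 0, 0x8000, 0, 1, 0, 0)  # id, flags, qd, an, ns, ar
    rr = encode_name(name) + struct.pack("!HHIH", 16, 1, ttl, len(rdata)) + rdata
    return header + rr

def read_name(buf, off):
    """Decode a name at buf[off], following compression pointers (RFC 1035 4.1.4).
    Returns (name, offset just past the name in the original position)."""
    labels, jumped, end = [], False, off
    while True:
        n = buf[off]
        if n & 0xC0 == 0xC0:               # two-byte pointer to an earlier name
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if n == 0:
            break
        labels.append(buf[off:off + n].decode("ascii", "replace"))
        off += n
    if not jumped:
        end = off
    return ".".join(labels), end

def parse_mdns(buf):
    """Parse header, skip questions, and decode all resource records."""
    tid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", buf[:12])
    off = 12
    for _ in range(qd):                     # questions: name, qtype, qclass
        _, off = read_name(buf, off)
        off += 4
    records = []
    for _ in range(an + ns + ar):
        name, off = read_name(buf, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        rdata = buf[off:off + rdlen]
        off += rdlen
        rec = {"name": name, "type": rtype, "class": rclass & 0x7FFF,
               "cache_flush": bool(rclass & 0x8000), "ttl": ttl}
        if rtype == 16:                     # TXT: sequence of <len><key=value>
            txt, p = {}, 0
            while p < len(rdata):
                n = rdata[p]
                key, _, val = rdata[p + 1:p + 1 + n].decode("ascii", "replace").partition("=")
                txt[key] = val
                p += 1 + n
            rec["txt"] = txt
        records.append(rec)
    return {"id": tid, "response": bool(flags & 0x8000), "records": records}

def classify(msg):
    """'cisco-sb-vsdp' for the SG300 VSDP announcement, 'dns-sd' for any other
    service instance under ._udp.local/._tcp.local, else 'mdns-other'."""
    names = [r["name"] for r in msg["records"]]
    if any("._csco-sb-vsdp._" in n for n in names):
        return "cisco-sb-vsdp"
    if any(n.endswith("._udp.local") or n.endswith("._tcp.local") for n in names):
        return "dns-sd"
    return "mdns-other"

if __name__ == "__main__":
    msg = parse_mdns(build_txt_response(VSDP_NAME, VSDP_TXT))
    print(classify(msg))
    for rec in msg["records"]:
        print(rec["name"], "TTL", rec["ttl"])
        for k, v in rec.get("txt", {}).items():
            print("  ", k, "=", v)
```

To run it against a live capture instead of the constructed sample, feed the UDP payload of any 224.0.0.251:5353 frame to parse_mdns(); a result of cisco-sb-vsdp confirms the traffic is the switch's VSDP service rather than an ordinary Bonjour advertisement, which matches the "csco-sb" service that show bonjour reports as enabled in Edit #2.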