Cisco serial interface received broadcasts

Posted on 2011-04-19
Last Modified: 2012-05-11
I have a Cisco 2811 ISR router and I am getting a lot of broadcasts on the interface. Does anybody know how to find out where the broadcasts are coming from?
Question by:remus91

    Author Comment

    The serial interface is connected to the Sprint MPLS network and in less than a day I have received 6568 broadcasts on the interface. I have 3 other sites and those routers have 0 broadcasts on the serial going to the same Sprint MPLS network.

    Expert Comment

    What type of protocol are you running on the serial?

    Expert Comment

    Can you paste your serial interface configuration?

    Author Comment

    Here is the serial interface configuration:
    interface Serial0/0/0:0
     description T1 to Sprint MPLS
     ip address x.x.x.x
     ip wccp 61 redirect out
     ip wccp 62 redirect in
     no fair-queue
     no cdp enable

    Author Comment

    Here is the sh interface for se0/0/0:0. I cleared the counters at 8:30am today and I have got over 700 broadcasts on the interface already today.

    WEB-GW1#sh int se 0/0/0:0
    Serial0/0/0:0 is up, line protocol is up
      Hardware is GT96K Serial
      Description: T1 to Sprint MPLS
      Internet address is x.x.x.x/30
      MTU 1500 bytes, BW 1536 Kbit/sec, DLY 20000 usec,
         reliability 255/255, txload 99/255, rxload 23/255
      Encapsulation HDLC, loopback not set
      Keepalive set (10 sec)
      Last input 00:00:00, output 00:00:00, output hang never
      Last clearing of "show interface" counters 01:59:53
      Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 212
      Queueing strategy: fifo
      Output queue: 0/40 (size/max)
      5 minute input rate 141000 bits/sec, 144 packets/sec
      5 minute output rate 600000 bits/sec, 169 packets/sec
         933008 packets input, 109708508 bytes, 0 no buffer
         Received 718 broadcasts (0 IP multicasts)
         0 runts, 0 giants, 0 throttles
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
         1079580 packets output, 477101977 bytes, 0 underruns
         0 output errors, 0 collisions, 0 interface resets
         0 unknown protocol drops
         0 output buffer failures, 0 output buffers swapped out


    Expert Comment

    I can only assume the following.

    By default, Cisco routers do not forward IP packets addressed to any type of broadcast address - routers simply drop them or, in case it's an ICMP echo to the router's directly connected broadcast subnet, respond via echo reply to the requestor.

    Check for the "ip directed-broadcast" command (by default it's disabled, so you probably won't find it).

    Something is polling/attacking your router, but the packets are getting dropped. Sprint will not do. You can use "debug ip packet" command to see what's happening in serial. Use it with caution because the debug command might leave your router unresponsive.


    Expert Comment

    Looking at the choices I would summarize them here:
    1. using a debug ip packet command with an ACL. This would send packet information on the serial port.
    2. using netflow to export traffic flows
    3. using a packet copy from one interface to another. This is what I suggest; it's like the SPAN feature on the switch but applied to the router. The nice thing about it is that you can use an ACL to filter what you need.


    Accepted Solution

    I was able to find the answer to this issue. I was working with a tech from Sprint and found that the broadcasts on the serial interface were HDLC keepalives. We turned off keepalives on the serial interface and I stopped receiving broadcasts, then turned the keepalives back on and started getting the broadcasts again.

    Author Closing Comment

    Sprint helped me find the answer to this.
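
The keepalive explanation can be checked against the counters posted earlier in the thread without toggling keepalives on a production link. The following is an added example, not part of the original thread: it parses the posted `show interface` fields and compares the broadcast counter with the number of keepalives expected since the counters were cleared. It assumes the far end sends keepalives at the same interval as the locally configured one and that the clearing time is shown as hh:mm:ss; the function name and tolerance are hypothetical.

```python
import re

# Excerpt of the "sh int se 0/0/0:0" output posted in the thread above
# (only the lines this check needs).
SHOW_INT = """\
Serial0/0/0:0 is up, line protocol is up
  Encapsulation HDLC, loopback not set
  Keepalive set (10 sec)
  Last clearing of "show interface" counters 01:59:53
     933008 packets input, 109708508 bytes, 0 no buffer
     Received 718 broadcasts (0 IP multicasts)
"""

def keepalive_check(text, tolerance=0.05):
    """Compare received broadcasts with keepalives expected since the last clear."""
    def grab(pattern):
        match = re.search(pattern, text)
        if match is None:
            # Covers "never" or day/week formats, which this example does not parse.
            raise ValueError(f"field not found: {pattern}")
        return match

    interval = int(grab(r"Keepalive set \((\d+) sec\)").group(1))
    hours, minutes, seconds = map(int, grab(r"counters (\d+):(\d+):(\d+)").groups())
    broadcasts = int(grab(r"Received (\d+) broadcasts").group(1))

    elapsed = hours * 3600 + minutes * 60 + seconds
    # Assumption: the peer sends one keepalive per local keepalive interval.
    expected = elapsed // interval
    # Allow a small drift; anything well beyond it is not explained by keepalives
    # and deserves the ACL-filtered capture suggested earlier in the thread.
    explained = abs(broadcasts - expected) <= max(1, tolerance * expected)
    return {
        "interval_sec": interval,
        "elapsed_sec": elapsed,
        "expected_keepalives": expected,
        "broadcasts": broadcasts,
        "explained_by_keepalives": explained,
    }

if __name__ == "__main__":
    for key, value in keepalive_check(SHOW_INT).items():
        print(f"{key}: {value}")
```

For the posted output, 01:59:53 at a 10-second keepalive gives 719 expected keepalives against 718 counted broadcasts, which is consistent with the accepted solution.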
