UDP broadcast in LAN

Unanswered Question
Sep 11th, 2007

Hi all,

I require your valued clarification on a basic and stupid question I have. I hope you don't mind replying.

I have installed Ethereal in one of my LAN broadcast domains, where I am getting around 40 to 70 percent UDP traffic of my total subnet traffic.

Need your esteemed advice on this. I personally guess it's normal. Is it? I mostly have internet usage. I have an SNMP server in this subnet, and HSRP is also configured for this subnet. Please advise. When I analyze this traffic, it tells me about the listed protocols that work on UDP.

Please advise.

Jon Marshall Tue, 09/11/2007 - 04:50


It's difficult to say without more specifics. Are you saying that the UDP traffic is broadcast traffic, or just that the majority of traffic on that LAN is UDP?

What UDP ports are being used?


shanus_id Wed, 09/12/2007 - 04:09

I mean the majority of the LAN traffic is UDP. UDP protocols mainly used are SNMP and HTTP.

I do feel it is perfect. Please advise.

fmshea Tue, 09/11/2007 - 07:04

For the past two weeks we had the case where a server was broadcasting UDPs (we just found the source problem) and our CAT4506 was pegged at 95% (show processes CPU); Cat4k Mgmt LoPri was 85.29%! The SysAdmin says we need to close or filter UDP destination port 6669 on our Cat3560 (first-level switch) or router (4506).

What can we do to stop the Packets at the Port???


lgijssel Tue, 09/11/2007 - 10:45

As a rule of thumb, it is always better to adjust the behaviour of the host that is generating the traffic than to adjust it at the network level.

When you know what (which host) the cause is, shut it down or restrict its access.

The first question that I would ask here is: what does this traffic on port 6669 do?

Is this an essential network-service or not?

When it is, you will have to facilitate it one way or the other. When it is not, contact the server admin and shut it down, take any measures that you see fit to solve the needs of the moment.

An access-filter like below will suffice for this:

    access-list 199 deny udp any any eq 6669
    access-list 199 permit ip any any
    ! XX = the VLAN where the source is
    interface vlan XX
     ip access-group 199 in



fmshea Tue, 09/11/2007 - 10:54

Thanks, we employed this on the 4506; we are now down to 10 to 17%!

It was very hard initially to find the source of the problem. I wished I had some software to alert me. As it happened, someone remembered a complaint from a particular server from months ago, and it was the same problem here.
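On finding the source of a UDP broadcast flood like the one described in this thread: the following is an added example, not part of the discussion or any vendor tool, that ranks broadcast senders in a capture export and flags any that exceed a per-second rate. The CSV layout (second, source IP, destination MAC, UDP destination port), the sample addresses and the `pps_limit` threshold are assumptions.

```python
import csv
import io
from collections import Counter, defaultdict

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"

def constructed_sample():
    """Constructed capture export (not from the thread): second,src_ip,dst_mac,udp_dport."""
    lines = []
    for sec in range(3):
        lines += [f"{sec},192.0.2.50,{BROADCAST_MAC},6669"] * 20   # noisy server
        lines.append(f"{sec},192.0.2.10,{BROADCAST_MAC},137")      # occasional name query
        lines.append(f"{sec},192.0.2.2,01:00:5e:00:00:02,1985")    # HSRP hello (multicast)
        lines.append(f"{sec},192.0.2.20,00:11:22:33:44:55,161")    # unicast SNMP poll
    return "\n".join(lines)

def broadcast_talkers(csv_text, pps_limit=10):
    """Return (src, port, packets, peak_pps, share) for broadcast senders over pps_limit."""
    per_second = defaultdict(Counter)   # (src, port) -> {second: packets}
    total = 0
    for sec, src, dst_mac, dport in csv.reader(io.StringIO(csv_text)):
        if dst_mac.lower() != BROADCAST_MAC:
            continue                    # unicast and multicast frames are not broadcasts
        per_second[(src, int(dport))][int(sec)] += 1
        total += 1
    alerts = []
    for (src, port), seconds in per_second.items():
        packets = sum(seconds.values())
        peak = max(seconds.values())    # busiest one-second window for this sender
        if peak > pps_limit:
            alerts.append((src, port, packets, peak, round(packets / total, 2)))
    return sorted(alerts, key=lambda a: a[2], reverse=True)

if __name__ == "__main__":
    for src, port, packets, peak, share in broadcast_talkers(constructed_sample()):
        print(f"ALERT {src} -> udp/{port}: {packets} broadcasts, "
              f"peak {peak}/s, {share:.0%} of broadcast UDP")
```

HSRP hellos and unicast SNMP polls are skipped because they are not sent to the broadcast MAC, so they do not mask the sender that is flooding the broadcast domain.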


