A simpler and more effective method might be to run the registry hack as part of a network login script.

Hope this helps.

This is a dumb question, but do you have multiple protocols loaded on each PC? I have seen environments where the desktop technicians load everything -- TCP/IP, NWLink IPX/SPX, and NetBEUI -- on each PC. Within each broadcast domain/VLAN, there will be browser elections held for each of the protocols.

Are you routing some protocols, and bridging others? This can be a problem with the non-routed protocols because the browser elections will take place across VLANs, since those protocols are bridged.

I have had two customers who were routing IP and IPX, and bridging all others. Needed to bridge for DEC LAT enterprise-wide, but also got NetBEUI bridged as a side effect. Wasn't a problem until they each went above 250+ PCs across the enterprise with NetBEUI loaded. We put a stop to the NetBEUI browser wars by filtering bridged traffic based on protocol type (passed anything DEC, dropping the rest).

how about "no ip directed broadcasts"?

We are having the same exact issues on our network. We have done the following and it STILL does not fix the master browser issue.

Our vlans are configred as follows:

ip access-group 100 out

ip helper-address 172.19.1.1

ip helper-address 172.19.1.2

ip helper-address 172.19.1.3

no ip redirects

no ip directed-broadcast

And Access-Group 100 is as follows:

access-list 100 deny udp any any eq netbios-ns

access-list 100 deny udp any any eq netbios-dgm

access-list 100 permit ip any any

Any other suggestions?

I know your primary goal is to find out how the broadcast-based NetBIOS packets are traversing VLANs and to stop the disfunction from a network device approach...

However, "fixing" the problem from a Windows application level is another approach. It was touched upon briefly about stopping the computer-browser service with a logon script. It sounds like you are running a mixed NT4 Server/Win2000 Workstation environment since you mentioned PDCs. I have more experience with Win2000 servers than NT4 servers, but I did work in a 2000+ PC environment where a lot of daily changes were accoplished with NT logon scripts. Whenever any domain-based PC logs into its domain, it is forced domain policy, startup + logon scripts that override any local policies. In both NT + 2000 Domain controllers, there is a shared Sysvol folder that all workstations get their policies through. You can either change policies by running scripts that change registry settings, run executables, etc or you can "cleanly" target specific domain policy settings with a simple mouse click.

In Win2000's active directory User's + Computers, you locate the top of the domain hierarchy, which can be either the forest or domain level, choose properties, and view/edit the policy associted with the hierarchy level you desire. In the policy is pretty much every desirable workstation/security/windows/etc feature you could want... specifically, there is the computer browser service. You simply check to "enable" this policy and choose what you want to do with the policy. Disable would disable the service for every single workstation that logs into the domain. Of course if you don't have DNS or WINS services running, then your PCs with disabled computer browser services will not be able to "find" any other PCs int heir Windows Network Neighborhood... You should only disable browsing if you have some other non-broadcast based service running for name resolution. Since I run Win2000 servers with DNS in my home lab with my 15 PCs, I turn of the browser service on all domain controllers and workstations... and rely soly on unicast-based DNS for all name resolution functions.

If you have a Windows "specialist" that works with you (you being the network engineer/net device specialist), the two of you should be able to get the script/domain policy working with minimal time + trouble. To clarify how the scripting/policy propagation works, just checkout Microsoft's Technet web site. You should be able to test this change in a small test lab with a single PDC, a few VLANs, and a few workstations...

Then of course there is the issue with the Catalysts and why they are propagating those pesky NetBIOS packets...