[All About Switches] A Switch Displays Logs Indicating that a Large Number of Packets Are Dropped Because the Rate Exceeds the CPCAR

Hello everyone,

Today, I will introduce how to handle the problem that a switch displays logs indicating that a large number of packets are dropped because the rate exceeds the CPCAR.

Involved Products and Versions

S9300 V100R002

Networking

None.

Symptom

A switch frequently displays logs indicating that a large number of ARP Requests and ARP Miss packets are dropped because the rate exceeds the CPCAR.

Cause Analysis

The switch receives a large number of ARP attack packets, of which the rate exceeds the CPCAR.

Procedure

Step 1. Run the display logbuffer command to check logs, finding that there are logs indicating that ARP Request and ARP Miss packets are dropped because the rate exceeds the CPCAR.

Jun 1 2017 16:19:40 Switch %QOSE/4/CPCAR_DROP_LPU(l): Some packets are dropped by cpcar on the LPU in slot 2. (Protocol=arp-miss, Drop-Count=023006)
Jun 1 2017 16:18:31 Switch %HWCM/4/TRAPLOG(l): OID 1.3.6.1.4.1.2011.6.10.2.1 configure changed. (EventIndex=107, CommandSource=1, ConfigSource=3, ConfigDestination=2)
Jun 1 2017 16:09:40 Switch %QOSE/4/CPCAR_DROP_LPU(l): Some packets are dropped by cpcar on the LPU in slot 2. (Protocol=arp-miss, Drop-Count=06987)
Jun 1 2017 15:49:40 Switch %QOSE/4/CPCAR_DROP_LPU(l): Some packets are dropped by cpcar on the LPU in slot 2. (Protocol=arp-miss, Drop-Count=08175)
Jun 1 2017 15:29:40 Switch %QOSE/4/CPCAR_DROP_LPU(l): Some packets are dropped by cpcar on the LPU in slot 3. (Protocol=arp-miss, Drop-Count=013508)
Jun 1 2017 15:29:40 Switch %QOSE/4/CPCAR_DROP_LPU(l): Some packets are dropped by cpcar on the LPU in slot 3. (Protocol=arp-request, Drop-Count=0888)
Jun 1 2017 15:29:40 Switch %QOSE/4/CPCAR_DROP_LPU(l): Some packets are dropped by cpcar on the LPU in slot 2. (Protocol=arp-miss, Drop-Count=08011)
Jun 1 2017 15:19:40 Switch %QOSE/4/CPCAR_DROP_LPU(l): Some packets are dropped by cpcar on the LPU in slot 3. (Protocol=arp-request, Drop-Count=0159)
Jun 1 2017 15:19:40 Switch %QOSE/4/CPCAR_DROP_LPU(l): Some packets are dropped by cpcar on the LPU in slot 2. (Protocol=arp-miss, Drop-Count=07680)
Jun 1 2017 15:09:40 Switch %QOSE/4/CPCAR_DROP_LPU(l): Some packets are dropped by cpcar on the LPU in slot 3. (Protocol=arp-request, Drop-Count=031350)
Jun 1 2017 15:09:40 Switch %QOSE/4/CPCAR_DROP_LPU(l): Some packets are dropped by cpcar on the LPU in slot 2. (Protocol=arp-miss, Drop-Count=040420)
Jun 1 2017 14:59:40 Switch %QOSE/4/CPCAR_DROP_LPU(l): Some packets are dropped by cpcar on the LPU in slot 3. (Protocol=arp-request, Drop-Count=050405)

Step 2. Run the display arp statistics command to check ARP entry statistics.

<switch> display arp statistics
Total:452 Dynamic:388 Static:0 Interface:64

The switch functions as the gateway and does not have many ARP entries, but a large number of ARP packets are dropped on cards. It is suspected that ARP attacks occur on the network. You are advised to deploy attack source tracing and then run the display auto-defend attack-source command to check attack source tracing information.

<Switch> display auto-defend attack-source
  -- Attack Source Port Table (MPU) ----------
  InterfaceName     Vlan:Outer/Inner  TOTAL
  --------------------------------------------
  GigabitEthernet3/0/2        2102    10560 
  GigabitEthernet2/0/19       2161    80 
  GigabitEthernet2/0/19       2133    16 
  GigabitEthernet2/0/18       2137    48 
  GigabitEthernet3/0/3        2103    16 
  GigabitEthernet2/0/19       2139    16 
 
  --------------------------------------------
 
  -- Attack Source User Table (MPU) --------------------------------------------
  InterfaceName     Vlan:Outer/Inner MacAddress     ARP    DHCP   IGMP   TOTAL
  ------------------------------------------------------------------------------
GigabitEthernet3/0/2           2102 0810-7523-9ec2  10288  0      0      10288 
GigabitEthernet3/0/2           2102 940c-6dd0-7519   16    0      0      16 
 
  ------------------------------------------------------------------------------

The preceding command output shows that GE3/0/2 is under an ARP attack. After locating the attack source, you need to configure the punishment action to prevent the attack source from attacking the switch.

To configure the automatic punishment function, you need to load the latest patch V100R002SPH032 or upgrade the software version to V200R010 and load the latest patch of V200R010.

That is all I want to share with you!