Involved Products and Versions
S9300 V100R002
Networking
None.
Symptom
A switch frequently displays logs indicating that a large number of ARP Request and ARP Miss packets are dropped because the rate exceeds the CPCAR.
Cause Analysis
The switch receives a large number of ARP attack packets, and their rate exceeds the CPCAR.
Procedure
Step 1 Run the display logbuffer command to check the logs. The logs show that ARP Request and ARP Miss packets are dropped because the rate exceeds the CPCAR.
Jun 1 2017 16:19:40 Switch %QOSE/4/CPCAR_DROP_LPU(l): Some packets are dropped by cpcar on the LPU in slot 2. (Protocol=arp-miss, Drop-Count=023006)
Jun 1 2017 16:18:31 Switch %HWCM/4/TRAPLOG(l): OID 1.3.6.1.4.1.2011.6.10.2.1 configure changed. (EventIndex=107, CommandSource=1, ConfigSource=3, ConfigDestination=2)
Jun 1 2017 16:09:40 Switch %QOSE/4/CPCAR_DROP_LPU(l): Some packets are dropped by cpcar on the LPU in slot 2. (Protocol=arp-miss, Drop-Count=06987)
Jun 1 2017 15:49:40 Switch %QOSE/4/CPCAR_DROP_LPU(l): Some packets are dropped by cpcar on the LPU in slot 2. (Protocol=arp-miss, Drop-Count=08175)
Jun 1 2017 15:29:40 Switch %QOSE/4/CPCAR_DROP_LPU(l): Some packets are dropped by cpcar on the LPU in slot 3. (Protocol=arp-miss, Drop-Count=013508)
Jun 1 2017 15:29:40 Switch %QOSE/4/CPCAR_DROP_LPU(l): Some packets are dropped by cpcar on the LPU in slot 3. (Protocol=arp-request, Drop-Count=0888)
Jun 1 2017 15:29:40 Switch %QOSE/4/CPCAR_DROP_LPU(l): Some packets are dropped by cpcar on the LPU in slot 2. (Protocol=arp-miss, Drop-Count=08011)
Jun 1 2017 15:19:40 Switch %QOSE/4/CPCAR_DROP_LPU(l): Some packets are dropped by cpcar on the LPU in slot 3. (Protocol=arp-request, Drop-Count=0159)
Jun 1 2017 15:19:40 Switch %QOSE/4/CPCAR_DROP_LPU(l): Some packets are dropped by cpcar on the LPU in slot 2. (Protocol=arp-miss, Drop-Count=07680)
Jun 1 2017 15:09:40 Switch %QOSE/4/CPCAR_DROP_LPU(l): Some packets are dropped by cpcar on the LPU in slot 3. (Protocol=arp-request, Drop-Count=031350)
Jun 1 2017 15:09:40 Switch %QOSE/4/CPCAR_DROP_LPU(l): Some packets are dropped by cpcar on the LPU in slot 2. (Protocol=arp-miss, Drop-Count=040420)
Jun 1 2017 14:59:40 Switch %QOSE/4/CPCAR_DROP_LPU(l): Some packets are dropped by cpcar on the LPU in slot 3. (Protocol=arp-request, Drop-Count=050405)
Step 2 Run the display arp statistics command to check ARP entry statistics.
<switch> display arp statistics
Total:452 Dynamic:388 Static:0 Interface:64
The switch functions as the gateway and does not have many ARP entries, but a large number of ARP packets are dropped on the cards, so ARP attacks on the network are suspected. You are advised to deploy attack source tracing and then run the display auto-defend attack-source command to check the attack source tracing information.
<Switch> display auto-defend attack-source
-- Attack Source Port Table (MPU) ----------
InterfaceName          Vlan:Outer/Inner  TOTAL
--------------------------------------------
GigabitEthernet3/0/2   2102              10560
GigabitEthernet2/0/19  2161              80
GigabitEthernet2/0/19  2133              16
GigabitEthernet2/0/18  2137              48
GigabitEthernet3/0/3   2103              16
GigabitEthernet2/0/19  2139              16
--------------------------------------------
-- Attack Source User Table (MPU) --------------------------------------------
InterfaceName          Vlan:Outer/Inner  MacAddress      ARP    DHCP  IGMP  TOTAL
------------------------------------------------------------------------------
GigabitEthernet3/0/2   2102              0810-7523-9ec2  10288  0     0     10288
GigabitEthernet3/0/2   2102              940c-6dd0-7519  16     0     0     16
------------------------------------------------------------------------------
The preceding command output shows that GE3/0/2 is under an ARP attack. After locating the attack source, you need to configure the punishment action to prevent the attack source from attacking the switch.
To configure the automatic punishment function, you need to load the latest patch V100R002SPH032 or upgrade the software version to V200R010 and load the latest patch of V200R010.
----End
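The log check in Step 1, as an added Python example that is not part of the original case or of the vendor's tooling: it re-joins wrapped display logbuffer entries and totals CPCAR drops per slot and protocol, so recurring arp-miss and arp-request drops stand out. The sample text is constructed from entries shown in Step 1, and reading Drop-Count as a decimal number is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample: five entries taken from the Step 1 output, line-wrapped
# as a terminal capture would be. The TRAPLOG entry must be ignored.
SAMPLE = """\
Jun 1 2017 16:19:40 Switch
%QOSE/4/CPCAR_DROP_LPU(l): Some packets are dropped by cpcar on the LPU in
slot 2. (Protocol=arp-miss, Drop-Count=023006)
Jun 1 2017 16:18:31 Switch %HWCM/4/TRAPLOG(l): OID 1.3.6.1.4.1.2011.6.10.2.1
configure changed. (EventIndex=107, CommandSource=1, ConfigSource=3,
ConfigDestination=2)
Jun 1 2017 15:29:40 Switch %QOSE/4/CPCAR_DROP_LPU(l): Some packets are
dropped by cpcar on the LPU in slot 3. (Protocol=arp-request, Drop-Count=0888)
Jun 1 2017 15:29:40 Switch %QOSE/4/CPCAR_DROP_LPU(l): Some packets are
dropped by cpcar on the LPU in slot 2. (Protocol=arp-miss, Drop-Count=08011)
Jun 1 2017 14:59:40 Switch %QOSE/4/CPCAR_DROP_LPU(l): Some packets are
dropped by cpcar on the LPU in slot 3. (Protocol=arp-request,
Drop-Count=050405)
"""

STAMP = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2} ")
DROP = re.compile(r"CPCAR_DROP_LPU.*?slot (\d+)\. \(Protocol=([\w-]+),\s*Drop-Count=(\d+)\)")

def entries(text):
    """Re-join wrapped lines: a new entry starts at each timestamp."""
    current = []
    for line in text.splitlines():
        if STAMP.match(line) and current:
            yield " ".join(current)
            current = []
        if line.strip():
            current.append(line.strip())
    if current:
        yield " ".join(current)

def summarize(text):
    """Return {(slot, protocol): [entries, dropped]}; Drop-Count assumed decimal."""
    totals = defaultdict(lambda: [0, 0])
    for entry in entries(text):
        m = DROP.search(entry)
        if m:
            key = (int(m.group(1)), m.group(2))
            totals[key][0] += 1
            totals[key][1] += int(m.group(3))
    return dict(totals)

if __name__ == "__main__":
    for (slot, proto), (n, dropped) in sorted(summarize(SAMPLE).items()):
        print(f"slot {slot} {proto}: {n} entries, {dropped} packets dropped")
```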