[All About Switches] A Switch Displays Logs Indicating that a Large Number of Packets Are Dropped Because the Rate Exceeds the CPCAR

Latest reply: Mar 9, 2018 00:38:26

Involved Products and Versions

S9300 V100R002

Networking

None.

Symptom

A switch frequently displays logs indicating that a large number of ARP Request and ARP Miss packets are dropped because the rate exceeds the CPCAR.

Cause Analysis

The switch receives a large number of ARP attack packets whose rate exceeds the CPCAR.

Procedure

Step 1     Run the display logbuffer command to check the logs. The logs indicate that ARP Request and ARP Miss packets are dropped because the rate exceeds the CPCAR.

Jun 1 2017 16:19:40 Switch %QOSE/4/CPCAR_DROP_LPU(l): Some packets are dropped by cpcar on the LPU in slot 2. (Protocol=arp-miss, Drop-Count=023006)
Jun 1 2017 16:18:31 Switch %HWCM/4/TRAPLOG(l): OID 1.3.6.1.4.1.2011.6.10.2.1 configure changed. (EventIndex=107, CommandSource=1, ConfigSource=3, ConfigDestination=2)
Jun 1 2017 16:09:40 Switch %QOSE/4/CPCAR_DROP_LPU(l): Some packets are dropped by cpcar on the LPU in slot 2. (Protocol=arp-miss, Drop-Count=06987)
Jun 1 2017 15:49:40 Switch %QOSE/4/CPCAR_DROP_LPU(l): Some packets are dropped by cpcar on the LPU in slot 2. (Protocol=arp-miss, Drop-Count=08175)
Jun 1 2017 15:29:40 Switch %QOSE/4/CPCAR_DROP_LPU(l): Some packets are dropped by cpcar on the LPU in slot 3. (Protocol=arp-miss, Drop-Count=013508)
Jun 1 2017 15:29:40 Switch %QOSE/4/CPCAR_DROP_LPU(l): Some packets are dropped by cpcar on the LPU in slot 3. (Protocol=arp-request, Drop-Count=0888)
Jun 1 2017 15:29:40 Switch %QOSE/4/CPCAR_DROP_LPU(l): Some packets are dropped by cpcar on the LPU in slot 2. (Protocol=arp-miss, Drop-Count=08011)
Jun 1 2017 15:19:40 Switch %QOSE/4/CPCAR_DROP_LPU(l): Some packets are dropped by cpcar on the LPU in slot 3. (Protocol=arp-request, Drop-Count=0159)
Jun 1 2017 15:19:40 Switch %QOSE/4/CPCAR_DROP_LPU(l): Some packets are dropped by cpcar on the LPU in slot 2. (Protocol=arp-miss, Drop-Count=07680)
Jun 1 2017 15:09:40 Switch %QOSE/4/CPCAR_DROP_LPU(l): Some packets are dropped by cpcar on the LPU in slot 3. (Protocol=arp-request, Drop-Count=031350)
Jun 1 2017 15:09:40 Switch %QOSE/4/CPCAR_DROP_LPU(l): Some packets are dropped by cpcar on the LPU in slot 2. (Protocol=arp-miss, Drop-Count=040420)
Jun 1 2017 14:59:40 Switch %QOSE/4/CPCAR_DROP_LPU(l): Some packets are dropped by cpcar on the LPU in slot 3. (Protocol=arp-request, Drop-Count=050405)

Step 2     Run the display arp statistics command to check ARP entry statistics.

<switch> display arp statistics
Total:452 Dynamic:388 Static:0 Interface:64

The switch functions as the gateway and does not have many ARP entries, but a large number of ARP packets are dropped on cards. It is suspected that ARP attacks occur on the network. You are advised to deploy attack source tracing and then run the display auto-defend attack-source command to check attack source tracing information.

<Switch> display auto-defend attack-source
  -- Attack Source Port Table (MPU) ----------
  InterfaceName     Vlan:Outer/Inner  TOTAL
  --------------------------------------------
  GigabitEthernet3/0/2        2102    10560 
  GigabitEthernet2/0/19       2161    80 
  GigabitEthernet2/0/19       2133    16 
  GigabitEthernet2/0/18       2137    48 
  GigabitEthernet3/0/3        2103    16 
  GigabitEthernet2/0/19       2139    16 
 
  --------------------------------------------
 
  -- Attack Source User Table (MPU) --------------------------------------------
  InterfaceName     Vlan:Outer/Inner MacAddress     ARP    DHCP   IGMP   TOTAL
  ------------------------------------------------------------------------------
  GigabitEthernet3/0/2          2102 0810-7523-9ec2 10288  0      0      10288
  GigabitEthernet3/0/2          2102 940c-6dd0-7519 16     0      0      16
 
  ------------------------------------------------------------------------------

The preceding command output shows that GE3/0/2 is under an ARP attack. After locating the attack source, you need to configure the punishment action to prevent the attack source from attacking the switch.

To configure the automatic punishment function, you need to load the latest patch V100R002SPH032 or upgrade the software version to V200R010 and load the latest patch of V200R010.

----End
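
The triage in Steps 1 and 2 can be repeated offline on captured output. The following Python script is an added example (not part of the original post and not Huawei tooling): it sums the CPCAR drop counts per slot and protocol from display logbuffer lines and picks out the MAC address that dominates the attack source user table. The function names and the 0.9 share threshold are assumptions made for illustration.

```python
import re
from collections import Counter

# Subset of the display logbuffer lines shown above (copied from the post).
LOGS = """\
Jun 1 2017 16:19:40 Switch %QOSE/4/CPCAR_DROP_LPU(l): Some packets are dropped by cpcar on the LPU in slot 2. (Protocol=arp-miss, Drop-Count=023006)
Jun 1 2017 16:18:31 Switch %HWCM/4/TRAPLOG(l): OID 1.3.6.1.4.1.2011.6.10.2.1 configure changed. (EventIndex=107, CommandSource=1, ConfigSource=3, ConfigDestination=2)
Jun 1 2017 15:29:40 Switch %QOSE/4/CPCAR_DROP_LPU(l): Some packets are dropped by cpcar on the LPU in slot 3. (Protocol=arp-miss, Drop-Count=013508)
Jun 1 2017 15:29:40 Switch %QOSE/4/CPCAR_DROP_LPU(l): Some packets are dropped by cpcar on the LPU in slot 3. (Protocol=arp-request, Drop-Count=0888)
Jun 1 2017 15:09:40 Switch %QOSE/4/CPCAR_DROP_LPU(l): Some packets are dropped by cpcar on the LPU in slot 3. (Protocol=arp-request, Drop-Count=031350)
Jun 1 2017 15:09:40 Switch %QOSE/4/CPCAR_DROP_LPU(l): Some packets are dropped by cpcar on the LPU in slot 2. (Protocol=arp-miss, Drop-Count=040420)
"""

# Attack Source User Table rows from the display auto-defend attack-source output above.
USER_TABLE = """\
  InterfaceName     Vlan:Outer/Inner MacAddress     ARP    DHCP   IGMP   TOTAL
GigabitEthernet3/0/2           2102 0810-7523-9ec2  10288  0      0      10288
GigabitEthernet3/0/2           2102 940c-6dd0-7519   16    0      0      16
"""

DROP_RE = re.compile(r"CPCAR_DROP_LPU.*?slot (\d+)\. \(Protocol=([\w-]+), Drop-Count=(\d+)\)")
MAC_RE = re.compile(r"(?:[0-9a-f]{4}-){2}[0-9a-f]{4}")

def drops_by_slot_protocol(log_text):
    """Sum Drop-Count per (slot, protocol); non-CPCAR log lines are ignored."""
    totals = Counter()
    for slot, proto, count in DROP_RE.findall(log_text):
        # Assumption: Drop-Count is decimal and the leading zero is display padding.
        totals[(int(slot), proto)] += int(count)
    return totals

def arp_sources(table_text):
    """Parse user-table rows into (interface, vlan, mac, arp_count) tuples."""
    rows = []
    for line in table_text.splitlines():
        f = line.split()
        if len(f) == 7 and MAC_RE.fullmatch(f[2]):  # skips header and rulers
            rows.append((f[0], int(f[1]), f[2], int(f[3])))
    return rows

def dominant_sources(rows, min_share=0.9):
    """Return rows whose share of all traced ARP packets is >= min_share.
    min_share is an illustrative threshold, not a Huawei default."""
    total = sum(r[3] for r in rows)
    return [r for r in rows if total and r[3] / total >= min_share]

if __name__ == "__main__":
    for key, n in drops_by_slot_protocol(LOGS).most_common():
        print(key, n)
    print(dominant_sources(arp_sources(USER_TABLE)))
```

On the sample data the single dominant source is the MAC address on GigabitEthernet3/0/2 in VLAN 2102, matching the conclusion drawn from the command output above.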


Admin Created Mar 9, 2018 00:38:26

thanks for your sharing!