[Issue]
Issue 1 :
An ARP attack occurs on the core switches, and most IPTV channels are affected.
Issue 2 :
IPTV channels are not working properly.
[Analysis]
Issue 1 :
Ports GE2/0/22, GE2/0/23 and GE2/0/24 receive millions of ARP broadcast packets.

Issue 2 :
We tested on the CORE switch and found that the multicast source is not sending multicast traffic for the affected IPTV channels to the switch.
The main cause is therefore the multicast source device, not our switch.
The analysis process is as follows:
1. After checking the l2-multicast forwarding-table for VLAN 121 on the CORE switch, we could not find the IPTV channel groups 2XX.2XX.0.63/64/65.
This means the CORE switch did not receive the traffic for those IPTV channels.
<CORE>dis l2-multicast forwarding-table vlan 121
VLAN ID : 121, Forwarding Mode : IP
Total Group(s) : 85
--------------------------------------------------------------------------------
(Source, Group) Interface Out-Vlan
--------------------------------------------------------------------------------
(*, 2xx.2xx.0.1) Eth-Trunk4 121
(*, 2xx.2xx.0.2) Stream 121
(*, 2xx.2xx.0.3) Stream 121
……
(*, 2XX.2XX.0.60) Eth-Trunk2 121
(*, 2XX.2XX.0.61) Stream 121
(*, 2XX.2XX.0.62) Stream 121
(*, 2XX.2XX.0.66) Eth-Trunk8 121
(*, 2XX.2XX.0.67) Stream 121
2. We then configured a traffic policy to collect statistics for some IPTV channels.
Two groups, 2XX.2XX.0.63/64, have the problem and one group, 2XX.2XX.0.67, works normally; the statistics show Passed packets only for group 2XX.2XX.0.67.
This again proves that the multicast source is not sending the 2XX.2XX.0.63/64 traffic to the core switch.
#
acl 3100
rule 5 permit ip destination 2XX.2XX.0.63 0
rule 10 permit ip destination 2XX.2XX.0.64 0
rule 20 permit ip destination 2XX.2XX.0.67 0
#
traffic classifier test
if-match acl 3100
#
traffic behavior test
statistic enable
#
traffic policy test
classifier test behavior test
#
vlan 121
traffic-policy test inbound
#
[CORE]dis traffic policy statistics vlan 121 inbound verbose rule-base
Vlan: 121
Traffic policy inbound: test
Rule number: 3
Current status: success
Statistics interval: 300
---------------------------------------------------------------------
Classifier: test operator or
Behavior: test
Board : 1/1
rule 5 permit ip destination 2XX.2XX.0.63 0 (match-counter 0)
---------------------------------------------------------------------
Passed | Packets: 0
| Bytes: 0
| Rate(pps): 0
| Rate(bps): 0
---------------------------------------------------------------------
Dropped | Packets: 0
| Bytes: 0
| Rate(pps): 0
| Rate(bps): 0
---------------------------------------------------------------------
rule 10 permit ip destination 2XX.2XX.0.64 0 (match-counter 0)
---------------------------------------------------------------------
Passed | Packets: 0
| Bytes: 0
| Rate(pps): 0
| Rate(bps): 0
---------------------------------------------------------------------
Dropped | Packets: 0
| Bytes: 0
| Rate(pps): 0
| Rate(bps): 0
---------------------------------------------------------------------
rule 20 permit ip destination 2XX.2XX.0.67 0 (match-counter 0)
---------------------------------------------------------------------
Passed | Packets: 0
| Bytes: 0
| Rate(pps): 0
| Rate(bps): 0
---------------------------------------------------------------------
Dropped | Packets: 0
| Bytes: 0
| Rate(pps): 0
| Rate(bps): 0
---------------------------------------------------------------------
Board : 1/2
rule 5 permit ip destination 2XX.2XX.0.63 0 (match-counter 0)
---------------------------------------------------------------------
Passed | Packets: 0
| Bytes: 0
| Rate(pps): 0
| Rate(bps): 0
---------------------------------------------------------------------
Dropped | Packets: 0
| Bytes: 0
| Rate(pps): 0
| Rate(bps): 0
---------------------------------------------------------------------
rule 10 permit ip destination 2XX.2XX.0.64 0 (match-counter 0)
---------------------------------------------------------------------
Passed | Packets: 0
| Bytes: 0
| Rate(pps): 0
| Rate(bps): 0
---------------------------------------------------------------------
Dropped | Packets: 0
| Bytes: 0
| Rate(pps): 0
| Rate(bps): 0
---------------------------------------------------------------------
rule 20 permit ip destination 2XX.2XX.0.67 0 (match-counter 0)
---------------------------------------------------------------------
Passed | Packets: 8,818
| Bytes: 12,010,116
| Rate(pps): 3
| Rate(bps): 34,464
---------------------------------------------------------------------
Dropped | Packets: 0
| Bytes: 0
| Rate(pps): 0
| Rate(bps): 0
---------------------------------------------------------------------
Board : 2/1
rule 5 permit ip destination 2XX.2XX.0.63 0 (match-counter 0)
---------------------------------------------------------------------
Passed | Packets: 0
| Bytes: 0
| Rate(pps): 0
| Rate(bps): 0
---------------------------------------------------------------------
Dropped | Packets: 0
| Bytes: 0
| Rate(pps): 0
| Rate(bps): 0
---------------------------------------------------------------------
rule 10 permit ip destination 2XX.2XX.0.64 0 (match-counter 0)
---------------------------------------------------------------------
Passed | Packets: 0
| Bytes: 0
| Rate(pps): 0
| Rate(bps): 0
---------------------------------------------------------------------
Dropped | Packets: 0
| Bytes: 0
| Rate(pps): 0
| Rate(bps): 0
---------------------------------------------------------------------
rule 20 permit ip destination 2XX.2XX.0.67 0 (match-counter 0)
---------------------------------------------------------------------
Passed | Packets: 0
| Bytes: 0
| Rate(pps): 0
| Rate(bps): 0
---------------------------------------------------------------------
Dropped | Packets: 0
| Bytes: 0
| Rate(pps): 0
| Rate(bps): 0
---------------------------------------------------------------------
Board : 2/2
rule 5 permit ip destination 2XX.2XX.0.63 0 (match-counter 0)
---------------------------------------------------------------------
Passed | Packets: 0
| Bytes: 0
| Rate(pps): 0
| Rate(bps): 0
---------------------------------------------------------------------
Dropped | Packets: 0
| Bytes: 0
| Rate(pps): 0
| Rate(bps): 0
---------------------------------------------------------------------
rule 10 permit ip destination 2XX.2XX.0.64 0 (match-counter 0)
---------------------------------------------------------------------
Passed | Packets: 0
| Bytes: 0
| Rate(pps): 0
| Rate(bps): 0
---------------------------------------------------------------------
Dropped | Packets: 0
| Bytes: 0
| Rate(pps): 0
| Rate(bps): 0
---------------------------------------------------------------------
rule 20 permit ip destination 2XX.2XX.0.67 0 (match-counter 0)
---------------------------------------------------------------------
Passed | Packets: 0
| Bytes: 0
| Rate(pps): 0
| Rate(bps): 0
---------------------------------------------------------------------
Dropped | Packets: 0
| Bytes: 0
| Rate(pps): 0
| Rate(bps): 0
---------------------------------------------------------------------
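Added example, not part of the original case notes: a Python sketch that sums the Passed and Dropped packet counters per destination group across all boards in output of the kind shown above, and lists the groups that no board received. The sample text is constructed in the same layout, and the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the verbose output above (separator and
# rate lines omitted; the parser skips every line it does not recognise).
SAMPLE = """\
Board : 1/1
rule 5 permit ip destination 2XX.2XX.0.63 0 (match-counter 0)
Passed | Packets: 0
Dropped | Packets: 0
rule 20 permit ip destination 2XX.2XX.0.67 0 (match-counter 0)
Passed | Packets: 0
Dropped | Packets: 0
Board : 1/2
rule 5 permit ip destination 2XX.2XX.0.63 0 (match-counter 0)
Passed | Packets: 0
Dropped | Packets: 0
rule 20 permit ip destination 2XX.2XX.0.67 0 (match-counter 0)
Passed | Packets: 8,818
Dropped | Packets: 0
"""

BOARD = re.compile(r"^Board\s*:\s*(\S+)")
RULE = re.compile(r"^rule\s+(\d+)\s+permit ip destination (\S+)")
COUNT = re.compile(r"^(Passed|Dropped)\s*\|\s*Packets:\s*([\d,]+)")

def summarize(text):
    """Sum Passed/Dropped packet counters per destination group over all boards."""
    totals = defaultdict(lambda: {"Passed": 0, "Dropped": 0, "boards": []})
    board = group = None
    for line in map(str.strip, text.splitlines()):
        if m := BOARD.match(line):
            board, group = m.group(1), None      # new board: no rule selected yet
        elif m := RULE.match(line):
            group = m.group(2)                   # destination the counters belong to
        elif (m := COUNT.match(line)) and group is not None:
            n = int(m.group(2).replace(",", ""))  # counters use thousands separators
            totals[group][m.group(1)] += n
            if m.group(1) == "Passed" and n:
                totals[group]["boards"].append(board)
    return dict(totals)

def silent_groups(text):
    """Groups neither passed nor dropped on any board: traffic never arrived."""
    return sorted(g for g, t in summarize(text).items()
                  if t["Passed"] == 0 and t["Dropped"] == 0)

if __name__ == "__main__":
    print("no traffic received:", silent_groups(SAMPLE))
```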
[Root cause]
- Ports GE2/0/22, GE2/0/23 and GE2/0/24 receive millions of ARP broadcast packets
- IPTV source issue
[Solution]
Issue 1 :
We suggested adding this configuration on the core switch:
1)
cpu-defend policy mpu
auto-defend threshold 30
cpu-defend policy lpu
auto-defend threshold 30
EFFECT :
This is ARP tracking and has no effect on service.
2)
system-view
cpu-defend-policy mpu
cpu-defend-policy lpu global
3)
system-view
arp topology-change disable
mac-address update arp
EFFECT :
When STP BPDU TC packets are received, ARP and MAC address entries are not cleared. When the outbound interface of an ARP entry changes, the entry is updated.
Issue 2 :
- Check with the IPTV team why the IPTV source is not sending multicast traffic



