Got it
Huawei Enterprise Support Community
Community Forums Security
BGP Neighbors Are Disconn...

BGP Neighbors Are Disconnected Because of the ARP Broadcast Storm on the Layer-2

Latest reply: Apr 11, 2016 08:35:56 1966 1 0 0 0
View the author 1#
Because the attached switch is not cut over as required, loops occur on the Layer 2 network, which causes a serious broadcast storm on the switched network attached to the NE80E. Slot 1 of the NE80E connects to the downstream network and receives a large number of broadcast packets and then sends these packets upstream. At the same time, the BGP neighbors established through slot 1 are disconnected.
Alarm Information
Null

Like (0) Dislike (0) Favorite(0) Share Report
Previous: Why Cannot View the Created Account under AAA though Command after Creating the
Next: Large Number of Bit Errors Were Caused by Incorrect Duplex Modes
(0) (0)
2#
Selina742
Created Apr 11, 2016 08:35:56

1. Adjust the switched network attached to the NE80E and deploy STP reasonably to avoid loops.
2. Set the timeout time of BGP neighbors to 3 minutes, which is the default value, to reduce the timeout risk of the holder timer.
3. Configure ARP packet bidirectional splitting to ensure that the ARP request messages from the normally working hosts can be received and at the same time to avoid ARP attacks.
ARP packet bidirectional splitting can be configured as follows: (supported in V300R003)
<Quidway> system-view
[Quidway] interface gigabitethernet 1/0/1
[Quidway-GigabitEthernet1/0/1] ARP-safeguard enable //Configure this command in the interface view.
After the correction, BGP neighbors are established normally and no exception occurs after the cutover and switchover.
Appendix
The two-way ARP packet separation principle is summarized as follows:
For an ARP request message, as long as its IP address is valid, it is hard to distinguish whether the message is a normal message or an attack message. In actual ARP attacks, ARP request messages and response messages nearly account for 50% respectively. To avoid the large number of ARP attacks, it is important to separate ARP request messages from response messages.
(1) For ARP requests, "stateless response" is adopted. That is, no ARP entry and relevant state are generated after an ARP request message is responded. In addition, the request message is not sent to the CPU for processing. In this manner, no one can use ARP request messages to deceitfully obtain the addresses from the ARP table on the gateway device.
(2) Only responses to the ARP request messages from the CPU are sent to the CPU. The ARP responses to the ARP requests that are not from the CPU are to be discarded. In this manner, the ARP request messages from normally working hosts can be responded and processed in time. Root Cause
Before the cutover, the device runs normally and BGP neighbors are established normally. After the cutover, loops occur. In addition, BGP neighbors in slot 1 are disconnected, but BGP neighbors in other slots run normally.
Through analysis, it is found that a great number of ARP packets are sent through slot 1 during the broadcasting storm:
<YN-KM-ESN-CE-3.CDMA>display cpu-defend slot 1 car index 8
slot : 1
(8)ARP packet information:
passed : 26401961 packets
Dropped: 321617593 -- Lots of packets are dropped. cir : 2000kbps
cbs : 20000bytes
priority : high
min-packet-length : 128bytes
To protect the CPU, the NE80E restricts the number of packets sent from each LPU to the MPU. From the number of dropped packets, you can find that board 1 discards a great number of ARP packets randomly. The interface on which BGP neighbors are established needs to learn the ARP packets from the peer. When the ARP packets at the peer end are discarded, the NE80E cannot correctly send BGP packets. Therefore, BGP neighbors are disconnected.
ARP packets on board 2 are not discarded. Therefore, BGP neighbors of other boards run normally:
<YN-KM-ESN-CE-3.CDMA>display cpu-defend slot 2 car index 8
slot : 2
(8)ARP packet information:
passed : 18083599 packets
Dropped: 0 packets -----Normal entry
cir : 2000kbps
cbs : 20000bytes
priority : high
min-packet-length : 128bytes Solution
Suggestions
Null
View more
  • x
  • convention:
Back to list

Comment

Advanced
B Color Image Link Quote Code Smilies
You need to log in to comment to the post Login | Register
Comment

Notice: To protect the legitimate rights and interests of you, the community, and third parties, do not release content that may bring legal risks to all parties, including but are not limited to the following:
  • Politically sensitive content
  • Content concerning pornography, gambling, and drug abuse
  • Content that may disclose or infringe upon others ' commercial secrets, intellectual properties, including trade marks, copyrights, and patents, and personal privacy
Do not share your account and password with others. All operations performed using your account will be regarded as your own actions and all consequences arising therefrom will be borne by you. For details, see " User Agreement."

My Followers

Login and enjoy all the member benefits

Login
Huawei Website Support About Huawei Privacy User Agreement Terms of Use Cookies Cookie Settings
Huawei Enterprise Huawei Carrier Forum Training & Certification

Contact Us: e_online@huawei.com Copyright © 2022 Huawei Technologies Co., Ltd. All rights reserved.

APP

Block
Are you sure to block this user?
Users on your blacklist cannot comment on your post,cannot mention you, cannot send you private messages.
Reminder
Please bind your phone number to obtain invitation bonus.