For S series switches, what is the impact of excessive ARP Replies on the CPU


For S series switches:
If excessive ARP Reply packets are sent to the CPU, the CPU may be overloaded. Run the display cpu-defend configuration packet-type arp-reply all or the display cpu-defend statistics packet-type arp-reply all command to check whether excessive ARP Reply packets are sent to the CPU.
In the display cpu-defend statistics packet-type arp-reply all command output, if the value of the Drop (Bytes) field is large, excessive ARP Reply packets are being sent to the CPU.
In this case, adjust the CPCAR value for the ARP Reply packet. When an attack occurs, determine the attack source: you can use the packet header obtaining function or enable debugging to trace the attack source, and then configure a blacklist to reject it.
Note: Improper CPCAR settings may affect services on your network. It is recommended that you contact Huawei engineers before adjusting the CPCAR settings.

Other related questions:
What is the effect of excess ARP Reply packets on the CPU
If excess ARP Reply packets are sent to the CPU, the CPU may be overloaded. Run the display cpu-defend configuration packet-type arp-reply all and display cpu-defend statistics packet-type arp-reply all commands to check whether excess ARP Reply packets are sent to the CPU. In the display cpu-defend statistics packet-type arp-reply all command output, if the value of the Drop (Bytes) field is large, excess ARP Reply packets are being sent to the CPU. In this case, adjust the CIR value for the ARP Reply packet. If the CPU is attacked, obtain the packet headers or enable debugging to trace the attack source, and add the attack source to the blacklist.

Handling of many ARP Request or Reply packets received on S series switches
When S series switches receive a large number of ARP Request or Reply messages, the following problems may occur:
- Users go offline, are frequently disconnected, experience slow Internet access and service interruption, or even cannot access the network.
- The switches have high CPU usage or cannot be managed by the network management system (NMS), and their connected devices go offline.
- Ping delay, packet loss, or failure occurs.
You can perform the following steps to troubleshoot the preceding problems. Saving the results of each step is recommended: if your troubleshooting fails to correct the fault, you can provide the record of your actions to Huawei technical support personnel.
1. Run the display cpu-defend statistics packet-type { arp-request | arp-reply } all command in the user view to check whether the count of dropped ARP Request or ARP Reply packets is increasing.
   - If the count is 0, the switches do not drop any ARP Request or Reply packets. Go to step 6.
   - If the count is not 0, the rate of ARP Request or Reply packets exceeds the CPCAR rate limit and excess ARP packets are discarded. Go to step 2.
2. Run the display cpu-usage command in the user view to check the CPU usage of the MPU.
   - If the CPU usage is in the normal range, go to step 3.
   - If the CPU usage is higher than 70%, go to step 5.
3. Run the car command in the attack defense policy view to properly increase the CPCAR rate limit for ARP Request or ARP Reply packets. Note: Improper CPCAR settings will affect services on your network. It is recommended that you contact Huawei engineers before adjusting the CPCAR settings. The car command takes effect after you apply the attack defense policy. If the fault persists, or the fault is removed but the CPU usage is still high, go to step 4.
4. Capture packet headers on the user-side interface and find the attacker according to the source addresses of the ARP Request or Reply packets. If a lot of ARP Request or Reply packets are sent from one source MAC or IP address, the switches consider that source address an attack source. Run the arp speed-limit source-ip [ ] maximum command in the system view to reduce the ARP packet rate limit based on the source IP address, or run the arp speed-limit source-mac [ ] maximum command to configure the ARP packet rate limit based on the source MAC address, to adapt to the actual network situation. By default, ARP packet rate limiting based on the source IP address is enabled, and the switches allow a maximum of 30 ARP packets with the same source IP address to pass through every second; once the rate reaches this limit, the switches discard subsequent ARP packets. The default rate limit for ARP packets with the same source MAC address is 0, that is, the switches do not limit the rate of ARP packets based on the source MAC address. After the ARP packet rate limit based on the source IP address or MAC address is set to a smaller value (such as 5 bit/s):
   - If the fault persists, go to step 5.
   - If the fault is rectified but the CPU usage is still high, configure a blacklist or a blackhole MAC address entry to discard ARP packets sent by the attack source. After that, if the CPU usage is still high, go to step 6.
5. Capture packet headers on the user-side interface and find the attacker according to the source addresses of the ARP Request or Reply packets. If a lot of ARP Request or Reply packets are sent from one source address, the switches consider that source address an attack source. You can configure a blacklist or a blackhole MAC address entry to discard ARP packets sent by the attack source. If the fault persists, go to step 6.
6. Collect the following information and contact Huawei technical support personnel:
   - Results of the preceding troubleshooting procedure
   - Configuration files, logs, and alarms of the switches
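Steps 4 and 5 above depend on reading captured packet headers and picking out the source that sends ARP far faster than the rest. The following added example (not from the Huawei page or any Huawei tool) parses raw Ethernet/ARP frames offline, buckets ARP Requests and Replies per source IP and MAC per second, and reports sources whose peak rate exceeds a limit, defaulting to the 30 packets per second per-source-IP value quoted above; the frames and timestamps are constructed sample data, and build_arp exists only to produce them.

```python
import struct
from collections import Counter, defaultdict

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):   # Ethernet/IPv4 ARP only
        return None
    sender_mac = frame[22:28].hex(":")
    sender_ip = ".".join(str(b) for b in frame[28:32])
    return op, sender_mac, sender_ip

def find_arp_floods(frames, limit_pps=30):
    """frames: iterable of (timestamp_seconds, raw_frame).
    Returns {(sender_ip, sender_mac): peak_pps} for every source whose
    ARP Request+Reply rate exceeded limit_pps in any one-second bucket."""
    per_second = defaultdict(Counter)          # second -> Counter of (ip, mac)
    for ts, frame in frames:
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] not in (ARP_REQUEST, ARP_REPLY):
            continue                           # not ARP, or an unknown opcode
        per_second[int(ts)][(parsed[2], parsed[1])] += 1
    peak = Counter()
    for counts in per_second.values():
        for src, n in counts.items():
            peak[src] = max(peak[src], n)
    return {src: n for src, n in peak.items() if n > limit_pps}

def build_arp(op, sender_mac, sender_ip, target_mac="ff:ff:ff:ff:ff:ff", target_ip="10.0.0.1"):
    """Builds a constructed Ethernet+ARP frame for the sample below (test data only)."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    ip = lambda a: bytes(int(x) for x in a.split("."))
    eth = mac(target_mac) + mac(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
           + mac(sender_mac) + ip(sender_ip) + mac(target_mac) + ip(target_ip))
    return eth + arp

# Constructed sample capture: 10.0.0.77 sends 50 ARP Replies within one second
# (above the 30 pps default); 10.0.0.5 sends one ARP Request per second (normal).
SAMPLE = [(0.01 * i, build_arp(ARP_REPLY, "00:11:22:33:44:55", "10.0.0.77")) for i in range(50)]
SAMPLE += [(float(i), build_arp(ARP_REQUEST, "aa:bb:cc:dd:ee:01", "10.0.0.5")) for i in range(3)]
```

On a real capture, replace SAMPLE with (timestamp, frame) pairs read from the user-side interface; the addresses reported by find_arp_floods are the candidates for the arp speed-limit, blacklist or blackhole MAC entry described in steps 4 and 5.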

What are the OIDs of CPU and memory usage MIBs on S series switches
On S series switches (except S1700), you can view CPU usage and memory usage through the following MIB OIDs:
- hwEntityCpuUsage 1.3.6.1.4.1.2011.5.25.31.1.1.1.1.5, used to query CPU usage
- hwEntityCpuUsageThreshold 1.3.6.1.4.1.2011.5.25.31.1.1.1.1.6, used to query the CPU usage alarm threshold
- hwEntityMemUsage 1.3.6.1.4.1.2011.5.25.31.1.1.1.1.7, used to query memory usage
- hwEntityMemUsageThreshold 1.3.6.1.4.1.2011.5.25.31.1.1.1.1.8, used to query the memory usage alarm threshold

Gratuitous ARP on S series switches
An S series switch (except the S1700 switch) sends an ARP Request packet with the destination address being its own IP address. This operation is called gratuitous ARP. Gratuitous ARP provides the following functions:
1. Detects duplicate IP addresses. Normally, the device should not receive an ARP Reply after it sends an ARP Request with the destination address being its own IP address. If the device receives a reply, another device on the network is configured with the same IP address.
2. Announces a new MAC address. If the device has replaced its NIC and the MAC address changes, the device sends a gratuitous ARP packet to announce the change to all hosts before their ARP entries age out.
