How do S series switches suppress ARP Miss logs and alarms


For S series switches:
To filter ARP Miss logs, you can run the info-center source SECE channel 4 log state off command.
To filter ARP Miss alarms:
- ARP Miss message rate limit based on source IP addresses
In the system view, run the arp-miss speed-limit source-ip [ ip-address ] maximum 0 command to disable the rate limit on ARP Miss messages based on source IP addresses.
If ip-address is not specified, no rate limit is applied to ARP Miss messages from any source IP address. If one device then generates a large number of ARP Miss messages, CPU usage may become high.
If ip-address is specified, no rate limit is applied to ARP Miss messages from that source IP address only. If that source generates a large number of ARP Miss messages, CPU usage may become high.
Run the info-center source SECE channel 4 log state off command in the system view to disable the device from sending SECE alarms.
- ARP Miss message rate limit configured globally, based on VLAN, or based on interfaces
Run the undo arp-miss anti-attack rate-limit alarm enable command in the system view (global), VLAN view, or interface view to disable the alarm for ARP Miss messages discarded when their rate exceeds the configured maximum.
After this function is disabled, the switch no longer sends an alarm to notify the network administrator when the number of discarded ARP Miss messages exceeds the alarm threshold.
Run the info-center source SECE channel 4 log state off command in the system view to disable the device from sending SECE alarms.

Other related questions:
How do S series switches generate ARP Miss messages
For S series switches (except S1700 switches): If a host sends IP packets whose destination IP addresses cannot be resolved (for example, to attack the switch), ARP Miss messages are generated on the device because it has a route to the destination IP address but no ARP entry matching the next hop of that route. The device creates temporary ARP entries based on the ARP Miss messages and sends ARP Request packets to the destination network.

For S series switches, how to handle the failure to learn ARP entries caused by ARP Miss packets
For S series switches, ARP entry learning fails because of ARP Miss messages for the following reasons:
- The rate limit on ARP Miss messages is too low. The switch discards normal ARP Miss messages and cannot send the ARP Request packets to the destination network that depend on them.
- The CPCAR value for ARP Miss packets is too low. The switch discards normal ARP Miss messages and cannot send ARP Request packets to the destination network.
- An attacker sends a large number of network scanning packets to the switch. The switch triggers a large number of ARP Miss messages, which consume CPU resources and affect the normal processing of ARP Miss messages.
Perform the following steps to locate the fault. Save the result of each step so that the collected information can be provided to Huawei technical support engineers if the fault cannot be rectified.
1. Run the display arp all command in the user view to check ARP entry statistics. If the MAC address field of an entry is Incomplete, the device failed to learn that ARP entry. The IP address and interface can be obtained from the entry.
2. Capture packet headers on the interface connected to the user and check the source IP address of the ARP packets.
3. Run the display cpu-defend statistics packet-type arp-miss all command in the user view to check whether the number of dropped ARP Miss packets is increasing.
- If the number of dropped ARP Miss packets is 0, the switch is not discarding ARP Miss packets; ARP entry learning fails because the rate limit on ARP Miss messages is too low. Go to step 5 and increase the ARP Miss message rate limit according to the actual network environment.
- If the number of dropped ARP Miss packets is not 0, the rate of ARP Miss messages exceeds the CPCAR rate limit and the excess messages are discarded. Check whether the CPCAR value for ARP Miss messages is configured correctly.
-- If not, go to step 4 and increase the CPCAR value for ARP Miss messages.
-- If so, ARP entry learning fails because an attacker is sending a large number of network scanning packets to the switch, triggering a large number of ARP Miss messages that consume CPU resources and affect the normal processing of ARP Miss messages. Locate the attacker by the source IP address and check whether the host is infected with a virus. Alternatively, add the source address to the blacklist or configure a blackhole MAC address entry to discard the ARP Request packets sent by the attacker.
4. Run the car command in the attack defense policy view to increase the CIR value for ARP Miss messages. Note: Improper CPCAR settings may affect services on your network. It is recommended that you contact Huawei engineers before adjusting CPCAR settings. After the configuration is complete, the attack defense policy takes effect only after it is applied. If the fault persists after the preceding steps, or has been rectified but CPU usage is high, go to step 5 and decrease the rate limit on ARP Miss messages.
5. Run the display arp anti-attack configuration [ arpmiss-speed-limit | arpmiss-rate-limit ] command to view the ARP Miss rate limit configuration.
6. If the fault persists, collect the following information and contact Huawei technical support: the results of the preceding troubleshooting procedure, and the configuration file, logs, and alarms of the switch.

How to configure ARP Miss message rate limit on S and E series switches
For S and E series switches (except S1700 switches): You can configure the rate limit on ARP Miss messages in one of the following ways as required (supported by the S5720SI/S5720S-SI, S5720EI, S5720HI, S6720EI, and all S series modular switches; not supported by E series switches):
- Limiting the rate of ARP Miss messages based on source IP addresses
# Set the maximum number of ARP Miss messages triggered by the IP address 10.0.0.1 to 100, and by any other source IP address to 60.
[HUAWEI] arp-miss speed-limit source-ip maximum 60
[HUAWEI] arp-miss speed-limit source-ip 10.0.0.1 maximum 100
- Limiting the rate of ARP Miss messages globally, in a VLAN, or on an interface
# Configure the device to process a maximum of 200 ARP Miss messages triggered by IP packets received on the Layer 2 interface GE0/0/1 in 10 seconds.
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] arp-miss anti-attack rate-limit enable
[HUAWEI-GigabitEthernet0/0/1] arp-miss anti-attack rate-limit packet 200 interval 10
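The following Python model is an added illustration, not Huawei switch code. It reproduces the decision rules behind the two rate-limit mechanisms on this page (the per-source-IP speed limit with a default value and per-address overrides, where maximum 0 means no limit, and the packet/interval limit with its drop alarm that undo arp-miss anti-attack rate-limit alarm enable turns off), so the effect of the suppression commands in the main answer and of the configuration example above can be observed on constructed traffic. Assumptions: the speed-limit value is treated as a per-second count, the alarm threshold of 100 is an arbitrary constructed value, and the class and function names are the author's own.

```python
"""Model of the two ARP Miss rate-limit mechanisms described on this page.

Added illustration, not Huawei switch code: it reproduces the decision
rules (default limit vs. per-source override, maximum 0 = no limit,
packet/interval window, alarm on excess drops) so the effect of each
setting can be observed. Timestamps, counts and the alarm threshold are
constructed; the real hardware counters are not documented here.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class SourceIpLimiter:
    """arp-miss speed-limit source-ip [ ip-address ] maximum N.

    default_max applies to every source without its own entry; per_ip_max
    holds per-address overrides. A value of 0 disables the limit for that
    scope, matching the page's description of 'maximum 0'. Assumption: the
    limit is a per-second count (pps)."""
    default_max: int = 0
    per_ip_max: dict = field(default_factory=dict)
    _per_second: dict = field(default_factory=lambda: defaultdict(int))

    def limit_for(self, src: str) -> int:
        return self.per_ip_max.get(src, self.default_max)

    def accept(self, src: str, t: float) -> bool:
        """Return True if an ARP Miss from src at time t is processed."""
        limit = self.limit_for(src)
        if limit == 0:
            return True                      # limit disabled: everything reaches the CPU
        key = (src, int(t))                  # one bucket per source per second
        if self._per_second[key] >= limit:
            return False                     # excess ARP Miss is discarded
        self._per_second[key] += 1
        return True


@dataclass
class IntervalLimiter:
    """arp-miss anti-attack rate-limit packet P interval I (global/VLAN/interface).

    At most P ARP Miss messages are processed per I-second window. When the
    alarm function is enabled and the discarded count in a window passes
    alarm_threshold, one alarm is raised; 'undo arp-miss anti-attack
    rate-limit alarm enable' corresponds to alarm_enabled=False.
    alarm_threshold is a constructed value; the page gives no default."""
    packets: int
    interval: int
    alarm_enabled: bool = True
    alarm_threshold: int = 100
    dropped: int = 0
    alarms: int = 0
    _window_start: float = 0.0
    _accepted: int = 0
    _dropped_in_window: int = 0

    def accept(self, t: float) -> bool:
        if t - self._window_start >= self.interval:   # new window: reset counters
            self._window_start = t
            self._accepted = 0
            self._dropped_in_window = 0
        if self._accepted < self.packets:
            self._accepted += 1
            return True
        self.dropped += 1
        self._dropped_in_window += 1
        if self.alarm_enabled and self._dropped_in_window == self.alarm_threshold + 1:
            self.alarms += 1                 # would be reported through the SECE module
        return False


def accepted_from(limiter: SourceIpLimiter, src: str, n: int, t: float = 0.0) -> int:
    """Send n ARP Miss events from src inside one second; return how many pass."""
    return sum(1 for _ in range(n) if limiter.accept(src, t))


def run_scenarios() -> dict:
    """Constructed traffic: 150 ARP Miss/s from each of two hosts (e.g. a scanner)."""
    hosts = ["10.0.0.1", "10.0.0.2"]
    results = {}

    # Page example: 10.0.0.1 allowed 100, every other source 60.
    lim = SourceIpLimiter(default_max=60, per_ip_max={"10.0.0.1": 100})
    results["configured"] = {h: accepted_from(lim, h, 150) for h in hosts}

    # 'arp-miss speed-limit source-ip maximum 0': limit off for all sources.
    lim = SourceIpLimiter(default_max=0)
    results["disabled_all"] = {h: accepted_from(lim, h, 150) for h in hosts}

    # 'arp-miss speed-limit source-ip 10.0.0.1 maximum 0': limit off for that host only.
    lim = SourceIpLimiter(default_max=60, per_ip_max={"10.0.0.1": 0})
    results["disabled_one"] = {h: accepted_from(lim, h, 150) for h in hosts}

    # Interface example: 200 packets per 10 s; 350 arrive inside one window.
    for alarm_on in (True, False):
        iface = IntervalLimiter(packets=200, interval=10, alarm_enabled=alarm_on)
        passed = sum(1 for i in range(350) if iface.accept(t=i * 0.01))
        results["iface_alarm_on" if alarm_on else "iface_alarm_off"] = (
            passed, iface.dropped, iface.alarms)
    return results


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

The "disabled" scenarios show the caveat from the main answer: once the per-source limit is set to 0, a scanning host's ARP Miss messages all reach the CPU, so suppressing the limit and its alarm trades log noise for the CPU exposure the alarm was meant to flag. Disabling only the alarm (the interface scenario with alarm_enabled=False) keeps the drops but loses the notification.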

When ARP rate suppression is configured and MFF is enabled in the VLAN on S series switches, can the rate of ARP packets processed by the MFF module be suppressed
For S series switches: In versions earlier than V200R001, the switch limits only the rate of ARP packets destined for the switch itself, so it does not limit the rate of ARP packets processed by the MFF module (ARP packets destined for other devices). In V200R001 and later versions, the switch checks the VLAN ID in an ARP packet to determine whether MFF is enabled in that VLAN. If MFF is enabled in the VLAN, the switch applies the rate limit to the ARP packet first and the MFF module then processes it.
