How to handle a switch that receives a lot of ARP requests?

Latest reply: Jul 8, 2018 16:30:40

Created Apr 17, 2017 17:52:27

When S series switches receive a large number of ARP Request or Reply messages, the following problems may occur:
- Users get offline, are frequently disconnected, experience slow Internet access and service interruption, or even cannot access the network.
- The switches have high CPU usage or cannot be managed by the network management system (NMS), and their connected devices go offline.
- Ping delay, packet loss, or failure occurs.

You can perform the following steps to troubleshoot the preceding problems:
Saving the results of each step is recommended. If your troubleshooting fails to correct the fault, you can provide the record of your actions to Huawei technical support personnel.
1. Run the display cpu-defend statistics packet-type { arp-request | arp-reply } all command in the user view to check whether the count of the dropped ARP Request or ARP Reply packets is increasing.
- If the count is 0, the switches do not drop any ARP Request or Reply packets. Then go to step 6.
- If the count is not 0, the rate of ARP Request or Reply packets exceeds the CPCAR rate limit and excess ARP packets are discarded. Then go to step 2.
2. Run the display cpu-usage command in the user view to check the CPU usage of the MPU.
- If the CPU usage is in the normal range, go to step 3.
- If the CPU usage is higher than 70%, go to step 5.
3. Run the car command in the attack defense policy view to properly increase the CPCAR rate limit for ARP Request or ARP Reply packets.
Note: Improper CPCAR settings will affect services on your network. It is recommended that you contact Huawei engineers before adjusting the CPCAR settings.
The car command takes effect after you apply the attack defense policy.
If the fault persists or the fault is removed but the CPU usage is still high, go to step 4.
4. Capture packet headers on the user-side interface and find the attacker according to the source addresses of ARP Request or Reply packets.
If a lot of ARP Request or Reply packets are sent from a source MAC or IP address, the switches consider the source address as an attack source.
Run the arp speed-limit source-ip [ <ip-address> ] maximum command in the system view to reduce the ARP packet rate limit based on the source IP address or run the arp speed-limit source-mac [ <mac-address> ] maximum command to configure ARP packet rate limit based on the source MAC address to adapt to actual network situations.
By default, the function of ARP packet rate limit based on the source IP address is enabled, and the switches allow a maximum of 30 ARP packets with the same source IP address to pass through every second. After the rate of ARP packets reaches this limit, the switches discard subsequent ARP packets. The rate limit for ARP packets with the same source MAC address is 0, that is, the switches do not limit the rate of ARP packets based on the source MAC address.
After the ARP packet rate limit based on the source IP address or MAC address is set to a smaller value (such as 5 bit/s),
- If the fault persists, go to step 5.
- If the fault is rectified but the CPU usage is still high, configure a blacklist or a blackhole MAC address entry to discard ARP packets sent by the attack source. After that, if the CPU usage is still high, go to step 6.
5. Capture packet headers on the user-side interface and find the attacker according to the source addresses of ARP Request or Reply packets.
If a lot of ARP Request or Reply packets are sent from a source address, the switches consider the source address as an attack source. You can configure a blacklist or a blackhole MAC address entry to discard ARP packets sent by the attack source.
If the fault persists, go to step 6.
6. Collect the following information and contact Huawei technical support personnel:
- Results of the preceding troubleshooting procedure
- Configuration files, logs, and alarms of the switches
Created May 25, 2018 16:04:12

If the device receives an ARP Probe packet whose sender IP is 0.0.0.0, the device raises the alarm ARP/4/ARP_DUPLICATE_IPADDR(l)[6]:Received an ARP packet with a duplicate IP address from the interface. (IPAddress=10.3.58.1, InterfaceName=Vlanif1101, MACAddress=xxxx-ssss-935f). How do I troubleshoot this?
Created Jun 26, 2018 14:16:39

Posted by Skay at 2018-05-25 16:04 If device received ARP Probe packet which the sender IP is 0.0.0.0 , Device has alarm :ARP/4/ARP_DUP ...
Hello, you received an ARP packet with a conflicting IP address from the specified interface.
Troubleshoot:
1. Check whether another interface in the network is configured with the same IP address. Modify the interface IP address according to the address planning to remove the address conflict.
2. Check whether the interface was attacked. Find the attack source according to the conflicting interface and IP address in the log, and configure the device to prevent ARP spoofing attacks.
Created Jul 8, 2018 16:30:40

Here I'd like to share another case of how to handle an ARP attack in the network; it always happens when there is a loop in the network. We can try to optimize the network with the methods below.

1. Configure broadcast storm suppression on the interfaces of access switches that have a chance of meeting the loop issue, so that the broadcast traffic can be suppressed even if a loop occurs in the network. When the broadcast traffic exceeds the configured threshold, the system discards excess broadcast packets and reduces the broadcast traffic to a reasonable range. Please note that this function has been enabled by default since V2R2. So, if you upgrade to this version, you needn't configure this command any more. The command is as follows:
[~HUAWEI-10GE1/0/1] storm suppression broadcast 6

2. Configure attack source tracing on GW switches to detect attacks and identify attack sources. With this function enabled, the switches can report alarms for attacks and take punishment actions on attack sources. By default, a switch only identifies attack sources to help users in fault location, and does not take punishment actions. The punishment action can be set to dropping attack packets or setting the packet receiving ports to error-down state.

Configure ARP attack source tracing as follows:
# Configure an attack defense policy.
cpu-defend policy test
auto-defend enable
auto-defend alarm enable //Enable the system to report an alarm when the rate of ARP packets exceeds the alarm threshold.
auto-defend alarm threshold 180 //Set the alarm threshold based on the actual ARP packet rate on the customer network.
auto-defend attack-packet sample 1
auto-defend threshold 200 //Set the attack source check threshold based on the actual ARP packet rate on the customer network.
auto-defend trace-type source-mac source-ip
auto-defend protocol arp

# Apply the attack defense policy to all the switches.
cpu-defend-policy test
3. Run the arp detect times 6 command to set the number of ARP probes for aging dynamic ARP entries.
You can run this command to increase the number of ARP probes for aging dynamic ARP entries and reduce the ARP entry aging probability. By default, the number of ARP probes for aging dynamic ARP entries is 3. The system performs a probe at an interval of 5s and starts the probe for an ARP entry 15s before the entry is aged out. If the number of ARP probes for aging dynamic ARP entries is increased to 6, the system starts a probe for an ARP entry 30s before the entry is aged out, reducing the ARP entry aging probability.
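As an added example (not code from the thread or from Huawei), the Python script below applies the logic of step 4 in the first post and of the auto-defend thresholds in the post above to a constructed ARP capture: it counts ARP Request/Reply packets per source IP and per source MAC in one-second buckets, then compares each source against the default 30 pps source-IP limit and the 180/200 alarm/attack thresholds. The frame builder, the 10.3.58.x hosts and the reading of the auto-defend thresholds as packets per second are assumptions.

```python
import struct
from collections import Counter
# Rates are packets per second; the thread's auto-defend thresholds are assumed to be pps.
SOURCE_IP_LIMIT = 30    # default "arp speed-limit source-ip maximum" from the first post
ALARM_THRESHOLD = 180   # "auto-defend alarm threshold 180" from the last post
ATTACK_THRESHOLD = 200  # "auto-defend threshold 200" from the last post

def build_arp_request(src_mac: bytes, src_ip: str) -> bytes:
    """Constructed Ethernet II + ARP Request frame, used only as sample input."""
    eth = b"\xff" * 6 + src_mac + b"\x08\x06"           # EtherType 0x0806 = ARP
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)      # htype, ptype, hlen, plen, opcode=Request
    arp += src_mac + bytes(int(o) for o in src_ip.split("."))
    arp += b"\x00" * 6 + bytes([10, 3, 58, 1])           # target: gateway IP seen in the thread's alarm
    return eth + arp
def parse_arp(frame: bytes):
    """Return (opcode, sender MAC as xxxx-xxxx-xxxx, sender IP), or None if not ARP."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    opcode = struct.unpack("!H", frame[20:22])[0]
    h = frame[22:28].hex()
    return opcode, f"{h[0:4]}-{h[4:8]}-{h[8:12]}", ".".join(str(b) for b in frame[28:32])
def peak_pps(frames):
    """Peak ARP Request/Reply rate per source IP and per source MAC, in 1-second buckets."""
    buckets = Counter()                                  # (second, kind, key) -> count
    for ts, frame in frames:
        parsed = parse_arp(frame)
        if parsed and parsed[0] in (1, 2):               # count Requests and Replies only
            buckets[(int(ts), "ip", parsed[2])] += 1
            buckets[(int(ts), "mac", parsed[1])] += 1
    peaks = {"ip": {}, "mac": {}}
    for (_, kind, key), n in buckets.items():
        peaks[kind][key] = max(peaks[kind].get(key, 0), n)
    return peaks["ip"], peaks["mac"]
def classify(peaks: dict, per_source_limit: int) -> dict:
    """Verdict per source; per_source_limit=0 means no per-source limit (the MAC default)."""
    def verdict(pps):
        if pps >= ATTACK_THRESHOLD: return "attack-source"           # auto-defend would act
        if pps >= ALARM_THRESHOLD: return "alarm"                    # auto-defend alarm only
        if per_source_limit and pps > per_source_limit: return "exceeds-source-limit"
        return "normal"
    return {src: verdict(pps) for src, pps in peaks.items()}
def run_sample():
    """Constructed capture: four hosts sending 250, 190, 40 and 3 ARP Requests in one second each."""
    hosts = [(b"\x00\xe0\xfc\x00\x00\xaa", "10.3.58.99", 250), (b"\x00\xe0\xfc\x00\x00\xbb", "10.3.58.98", 190),
             (b"\x00\xe0\xfc\x00\x00\xcc", "10.3.58.97", 40), (b"\x00\xe0\xfc\x00\x00\xdd", "10.3.58.10", 3)]
    frames = [(sec + i / 1000, build_arp_request(mac, ip))
              for sec, (mac, ip, n) in enumerate(hosts) for i in range(n)]
    peak_ip, peak_mac = peak_pps(frames)
    return classify(peak_ip, SOURCE_IP_LIMIT), classify(peak_mac, 0)
```

Against a real packet-header capture from the user-side interface, replace the constructed frames with (timestamp, raw frame) pairs; a source that lands in "exceeds-source-limit" is one whose excess packets the default speed-limit already drops, while "alarm" and "attack-source" mark what auto-defend would flag.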