S Switch High CPU Usage Troubleshooting - How to Relieve the CPU Load Highlighted

Latest reply: Dec 22, 2016 11:28:14

This post is regarding the S Switch high CPU usage troubleshooting - how to relieve the CPU load. Please read further down for details.


7 How to Relieve CPU Load

1.         Plan the network carefully, configure a loop prevention protocol (such as STP), and enable loop detection to prevent loops.

Run the loopback-detect untagged mac-address ffff-ffff-ffff command in the system view so that loop detection packets are sent to the broadcast MAC address and are not terminated by unexpected devices on the path.

Run the loopback-detect enable command in the interface view to enable loop detection.

2.         Configure ARP security to protect the device against ARP or ARP Miss attacks.

For details about ARP security, see ARP Security Solutions in section ARP Security Configuration in the Configuration Guide - Security.

3.         On networks prone to DHCP and ARP attacks, such as campus networks, configure local attack defense policies for DHCP and ARP protocol packets.

This section gives suggested local attack defense policies for general situations. The handling of the protocol packets sent to the CPU varies with the switch model and software version. In practice, configure CPU attack defense according to the services actually running on the switch; otherwise, the configuration may fail or services may be affected.

           Control board (MPU) on a modular switch


cpu-defend policy main-board
 auto-defend enable  //Enable attack source tracing.
 undo auto-defend trace-type source-portvlan  //Do not trace by interface+VLAN.
 undo auto-defend protocol tcp igmp telnet ttl-expired  //Exclude these packet types from tracing.
 auto-defend action deny  //Discard packets from an identified attack source for a period instead of shutting the interface down.
 auto-defend whitelist 1 interface GigabitEthernet x/x/x  //Add interconnected interfaces to the whitelist.
 auto-defend whitelist 2 interface GigabitEthernet x/x/x  //Add uplink interfaces to the whitelist.
#
cpu-defend-policy main-board  //Applied in the system view without "global", the policy takes effect on the MPU.
#

           Interface card (LPU) on a modular switch


cpu-defend policy io-board
 auto-defend enable 
 undo auto-defend trace-type source-portvlan 
 undo auto-defend protocol tcp igmp telnet ttl-expired 
 auto-defend action deny 
 auto-defend whitelist 1 interface GigabitEthernet x/x/x  //Add interconnected interfaces to the whitelist.
 auto-defend whitelist 2 interface GigabitEthernet x/x/x  //Add uplink interfaces to the whitelist.

cpu-defend-policy io-board global
#

           Fixed switches


cpu-defend policy main 
 auto-defend enable 
 undo auto-defend trace-type source-portvlan 
 undo auto-defend protocol tcp igmp telnet ttl-expired 
 auto-defend action deny 
 auto-defend whitelist 1 interface GigabitEthernet x/x/x  //Add interconnected interfaces to the whitelist.
 auto-defend whitelist 2 interface GigabitEthernet x/x/x  //Add uplink interfaces to the whitelist.
#
cpu-defend-policy main global
#

4.         Restrict administrator access (SSH, Telnet, and SNMP) with an ACL so that only the administrator's address can log in to the switch.

# On VTY 0-14, apply an ACL that allows only the user with source IP address 10.1.1.1/32 to log in to the switch. Login attempts that match no rule are rejected.

<HUAWEI> system-view
[HUAWEI] acl 2001
[HUAWEI-acl-basic-2001] rule 5 permit source 10.1.1.1 0
[HUAWEI-acl-basic-2001] quit
[HUAWEI] user-interface vty 0 14
[HUAWEI-ui-vty0-14] acl 2001 inbound

The VTY ACL restricts SSH and Telnet only. SNMP access is restricted separately by binding an ACL in the snmp-agent configuration, and the ACL is applied in the inbound direction because it is the incoming connections to the switch that must be filtered.

5.         When a port group has more than 40 member ports and you add these member ports to 4K VLANs at the same time, the CPU usage may jump to over 80% in a short period. Therefore, you are advised to add the member ports to no more than 500 VLANs at a time.

6.         Changing the type of more than 20 ports together may cause a CPU usage of over 80% in a short period. Therefore, you are advised to change the type of ports one by one.

7.         Frequent MAC address flapping may result in high CPU usage. If MAC address flapping is likely on an interface, run the mac-address flapping action error-down command on the interface so that the switch sets the interface to the error-down state when it detects MAC address flapping.

8.         When the total number of VLANs on the interfaces with loopback detection enabled exceeds 1024 VLANs, run the loopback-detect action shutdown command on these interfaces to set the action for a detected loopback to shutdown. (The VLAN counter increases by 1 every time an interface is added to a VLAN, even when multiple interfaces are added to the same VLAN.)

9.         Load and activate the patch files of the corresponding software version.

Visit http://support.huawei.com/enterprise/ to obtain the corresponding patch file and documents (patch release notes and installation guide).

10.      Periodically scan the PCs and servers connected to the switch for viruses.

11.      The switch provides CPCAR values for each protocol. Generally, the default CPCAR values can meet requirements. If service traffic volume is too high, contact Huawei switch agents to adjust the CPCAR values.

8 Appendix

8.1 Commands/Alarms/Logs/OIDs Related to High CPU Usage

8.1.1 Commands

Table 8-1 Command information

Command

Description

display interface [ interface-type ] counters { inbound | outbound }

Displays the number of packets sent and received on each interface.

display cpu-usage [ slave | slot slot-id ]

Displays CPU usage statistics.

display cpu-defend statistics [ packet-type packet-type ] [ all | slot slot-id ]

Displays statistics on protocol packets sent to the CPU.

display arp packet statistics

Displays ARP packet statistics.

display dhcp statistics

Displays DHCP packet statistics.

display cpu-defend rate [ packet-type packet-type ] [ slot slot-id | all ]

Displays the rates at which protocol packets are sent to the CPU.

display cpu-defend policy [ policy-name ]

Displays information about the attack defense policy.

display auto-defend configuration [ cpu-defend policy policy-name | slot slot-id | mcu ]

Displays information about attack source tracing.

display cpu-defend configuration

Displays CAR values, including the rate at which packets are sent to the CPU and CPU queues to which protocol packets are sent.

display logbuffer [ size value | slot slot-id | module module-name | security | level { severity | level } ] *

Displays log information on the switch.

display trapbuffer [ size value ]

Displays trap information on the switch.

display stp [ process process-id ] [ instance instance-id ] topology-change

Displays information about STP topology changes.

display stp [ process process-id ] [ instance instance-id ] [ interface interface-type interface-number | slot slot-id ] tc-bpdu statistics

Displays STP TC BPDU statistics.

reset cpu-defend statistics [ packet-type packet-type ] [ all | slot slot-id ]

Clears statistics on packets sent to the CPU.

cpu-defend policy policy-name

Configures an attack defense policy.

blacklist blacklist-id acl acl-number

Configures an ACL-based blacklist.

whitelist whitelist-id acl acl-number

Configures an ACL-based whitelist.

queue packet-type packet-type queue-value

Specifies the queue number of the CPU to which protocol packets are sent.

auto-defend enable

Enables the attack source tracing function.

undo auto-defend trace-type { source-mac | source-ip | source-portvlan } *

Deletes the source tracing mode.

undo auto-defend protocol { 8021x | arp | dhcp | icmp | igmp | tcp | telnet | ttl-expired | udp } *

Deletes the packet type in attack source tracing.

auto-defend whitelist whitelist-number { acl acl-number | interface interface-type interface-number }

Configures a whitelist for attack source tracing. Users in the whitelist are excluded from attack source tracing.

auto-defend alarm enable

Enables event report in attack source tracing.

auto-defend action { deny [ timer time-length ] | error-down }

Enables attack source tracing action and specifies the action.

auto-port-defend whitelist whitelist-number { acl acl-number | interface interface-type interface-number }

Configures the whitelist for port attack defense.

System view: cpu-defend-policy policy-name [ global ]

Slot view: cpu-defend-policy policy-name

Applies the attack defense policy. (The command format depends on switch models and versions. In this example, the modular switch runs V200R007.)

 

8.1.2 Alarm Information

1.         ENTITYTRAP_1.3.6.1.4.1.2011.5.25.219.2.14.1 hwCPUUtilizationRising  //The CPU usage of the switch exceeded the threshold.

ENTITYTRAP/4/ENTITYCPUALARM:OID [oid] CPU utilization exceeded the pre-alarm threshold.(Index=[INTEGER],  
 EntityPhysicalIndex=[INTEGER], PhysicalName=[OCTET], EntityThresholdType=[INTEGER], EntityThresholdValue=[INTEGER],  
 EntityThresholdCurrent=[INTEGER], EntityTrapFaultID=[INTEGER].)

2.         BASETRAP_1.3.6.1.4.1.2011.5.25.129.2.4.1 hwCPUUtilizationRisingAlarm  //The CPU usage of the switch exceeded the threshold.

BASETRAP/2/CPUUSAGERISING: OID [oid] CPU utilization exceeded the pre-alarm threshold.(Index=[INTEGER], 
BaseUsagePhyIndex=[INTEGER], UsageType=[INTEGER], UsageIndex=[INTEGER], Severity=[INTEGER], ProbableCause=[INTEGER],  
 EventType=[INTEGER], PhysicalName="[OCTET]", RelativeResource="[OCTET]", UsageValue=[INTEGER], UsageUnit=[INTEGER],  
UsageThreshold=[INTEGER])

3.         MSTP_1.3.6.1.4.1.2011.5.25.42.4.2.15 hwMstpiTcGuarded  //After the TC protection is enabled on an MSTP-enabled switch, extra TC BPDUs that are received after the number of TC BPDUs received in a specified period has exceeded the threshold are processed after the TC protection time expires.

MSTP/4/TCGUARD:OID [OID] The instance received TC message exceeded the threshold will be deferred to deal with at the end of TC protection time. (InstanceID=[INTEGER])

4.         MSTP_1.3.6.1.4.1.2011.5.25.42.4.2.16 hwMstpProTcGuarded  //After the TC protection is enabled for an MSTP process, extra TC BPDUs that are received after the number of TC BPDUs received in a specified period has exceeded the threshold are processed after the TC protection time expires.

MSTP/1/PROTCGUARD:OID [OID] MSTP process's instance received TC message exceeded the threshold will be deferred to deal with at the end of TC protection time. (ProcessID=[INTEGER], InstanceID=[INTEGER])

8.1.3 Log Information

1.         DEFD/6/CPCAR_DROP_MPU  //The rate of packets sent to the CPU exceeded the CPCAR value on the control board.

DEFD/6/CPCAR_DROP_MPU:Rate of packets to cpu exceeded the CPCAR limit on the MPU. (Protocol=[STRING], CIR/CBS=[ULONG]/[ULONG], ExceededPacketCount=[STRING])

Parameter

Description

Protocol

Protocol type.

CIR/CBS

Committed information rate and committed burst size.

ExceededPacketCount

Number of packets that exceeded the CPCAR limit.

 

2.         DEFD/6/CPCAR_DROP_LPU  //The rate at which packets are sent to the CPU exceeded the CPCAR values on the LPU.

DEFD/6/CPCAR_DROP_LPU:Rate of packets to cpu exceeded the CPCAR limit on the LPU in slot [STRING]. (Protocol=[STRING], CIR/CBS=[ULONG]/[ULONG], ExceededPacketCount=[STRING])

Parameter

Description

slot

Slot ID.

Protocol

Protocol type.

CIR/CBS

Committed information rate and committed burst size.

ExceededPacketCount

Number of packets that exceeded the CPCAR limit.

 

3.         SECE/4/PORT_ATTACK  //A lot of attack packets from the corresponding VLAN were received on the interface.

SECE/4/PORT_ATTACK:Port attack occurred.(Slot=[STRING], SourceAttackInterface=[STRING], OuterVlan/InnerVlan=[ULONG]/[ULONG], AttackProtocol=[STRING], AttackPackets=[ULONG] packets per second)

Parameter

Description

Slot

Slot of an MPU or LPU.

SourceAttackInterface

Interface that initiates the attack.

OuterVlan

Outer VLAN ID or single VLAN ID of the attack source.

InnerVlan

Inner VLAN ID of the attack source.

AttackProtocol

Attack packet type.

AttackPackets

Rate of attack packets, in pps.

 

4.         SECE/4/USER_ATTACK  //User attack information was generated on an MPU or LPU.

SECE/4/USER_ATTACK:User attack occurred.(Slot=[STRING], SourceAttackInterface=[STRING], OuterVlan/InnerVlan=[ULONG]/[ULONG], UserMacAddress=[STRING], AttackProtocol=[STRING], AttackPackets=[ULONG] packets per second)

Parameter

Description

Slot

Slot of an MPU or LPU.

SourceAttackInterface

Interface that initiates the attack.

OuterVlan

Outer VLAN ID or single VLAN ID of the attack source.

InnerVlan

Inner VLAN ID of the attack source.

UserMacAddress

MAC address of the attack source.

AttackProtocol

Attack packet type.

AttackPackets

Rate of attack packets, in pps.

 

5.         SECE/4/SPECIFY_SIP_ATTACK  //The attack source information is displayed when a switch is attacked.

SECE/4/SPECIFY_SIP_ATTACK:The specified source IP address attack occurred.(Slot=[STRING], SourceAttackIP = [STRING], AttackProtocol=[STRING], AttackPackets=[ULONG] packets per second)

Parameter

Description

Slot

Slot of an MPU or LPU.

SourceAttackIP

IP address of the attack source.

AttackProtocol

Attack packet type.

AttackPackets

Rate of attack packets, in pps.

 

6.         SECE/4/PORT_ATTACK_OCCUR  //When the switch detects attack packets on an interface, the switch starts attack defense on the interface.

SECE/4/PORT_ATTACK_OCCUR:Auto port-defend started.(SourceAttackInterface=[STRING], AttackProtocol=[STRING])

Parameter

Description

SourceAttackInterface

Interface that initiates the attack.

AttackProtocol

Attack packet type.

 

7.         SECE/6/PORT_ATTACK_END  //After an attack source is excluded, the switch cancels attack defense on the interface.

SECE/6/PORT_ATTACK_END:Auto port-defend stop.(SourceAttackInterface=[STRING], AttackProtocol=[STRING])

Parameter

Description

SourceAttackInterface

Interface that initiates the attack.

AttackProtocol

Attack packet type.

 

8.         VOSCPU/4/CPU_USAGE_HIGH //The CPU was overloaded. The names of the top 3 tasks were displayed. If these tasks contained sub-tasks, names of the sub-tasks and their CPU usages were also displayed.

VOSCPU/4/CPU_USAGE_HIGH:The CPU is overloaded (CpuUsage=[ULONG]%, Threshold=[ULONG]%), and the tasks with top three CPU occupancy are: [CPU-resources-usage]

Parameter

Description

[CPU-resources-usage]

Names of the top 3 tasks and their CPU usage. If these tasks contained sub-tasks, names of the sub-tasks and their CPU usages were also displayed.

CpuUsage

Current CPU usage.

Threshold

CPU usage threshold.

 

9.         OSPF/3/NBR_DOWN_REASON  //The neighbor status goes Down.

OSPF/3/NBR_DOWN_REASON:Neighbor state leaves full or changed to Down. (ProcessId=[USHORT], NeighborRouterId=[IPADDR], NeighborAreaId=[ULONG], NeighborInterface=[STRING],NeighborDownImmediate reason=[STRING], NeighborDownPrimeReason=[STRING], NeighborChangeTime=[STRING])

Parameter

Description

ProcessId

Process ID.

NeighborRouterId

Neighbor router ID.

NeighborAreaId

Neighbor area ID.

NeighborInterface

Neighbor interface.

NeighborDownImmediate reason

Possible reasons why OSPF neighbor goes Down:

Neighbor Down Due to Inactivity: The switch does not receive any Hello packets from the OSPF neighbor within the Dead Time.

Neighbor Down Due to LL Down (LLDown): The switch does not receive any LLD packet within the Dead Time.

Neighbor Down Due to Kill Neighbor: The interface connected to the OSPF neighbor is Down, the BFD session on the interface is Down, or the reset ospf process command has been executed. You can view the NeighborDownPrimeReason field to determine the specific cause.

Neighbor Down Due to 1-Wayhello Received or Neighbor Down Due to SequenceNum Mismatch: The OSPF status on the peer interface goes Down and the remote device sends a 1-Way Hello packet to the local device. As a result, the OSPF status of the local device also changes to Down.

Neighbor Down Due to AdjOK?: The AdjOK? event times out.

Neighbor Down Due to BadLSreq: The BadLSReq event occurs on the interface.

NeighborDownPrimeReason

Possible reasons why the neighbor goes Down:

Hello Not Seen: No Hello packet is received.

Interface Parameter Mismatch: The interface settings on two ends of a link do not match.

Logical Interface State Change: The logic interface status changes.

Physical Interface State Change: The physical interface status changes.

OSPF Process Reset: The OSPF process restarts.

Area reset: The area is reset due to an area type change.

Area Option Mis-match: The options of the areas to which interfaces on both ends belong do not match.

Vlink Peer Not Reachable: The virtual link neighbor is unreachable.

Sham-Link Unreachable: The Sham-Link neighbor is unreachable.

Undo Network Command: The network command is undone.

Undo NBMA Peer: The neighbor configuration on the NBMA interface is cleared.

Passive Interface Down: The silent-interface command is executed on the local interface.

Opaque Capability Enabled: The opaque capability is enabled.

Opaque Capability Disabled: The opaque capability is disabled.

Virtual Interface State Change: The virtual link interface status changes.

BFD Session Down: The BFD session goes Down.

Down Retransmission Limit Exceed: The maximum number of retransmission times is reached.

1-Wayhello Received: A 1-way Hello packet is received.

Router State Change from DR or BDR to DROTHER: The local interface role is changed from DR or BDR to DROTHER.

Neighbor State Change from DR or BDR to DROTHER: The neighbor interface role is changed from DR or BDR to DROTHER.

NSSA Area Configure Change: The configuration of the NSSA area is modified.

Stub Area Configure Change: The configuration of the stub area is modified.

Received Invalid DD Packet: An invalid DD packet is received.

Not Received DD during RouterDeadInterval: No DD packet is received during Dead timer restart.

M,I,MS bit or SequenceNum Incorrect: The M, I, and MS bits in received DD packets are different from those defined in the protocol.

Unable Opaque Capability,Find 9,10,11 Type Lsa: The LSAs of types 9, 10, and 11 are received, but the Opaque capability is not enabled.

Not NSSA,Find 7 Type Lsa in Summary List: The local area is not an NSSA, but a Type-7 LSA exists in the summary list.

LSrequest Packet,Unknown Reason: An LSR packet is received due to an unknown reason.

NSSA or STUB Area,Find 5 ,11 Type Lsa: The local area is an NSSA or stub area, but Type-5 or Type-11 LSAs exist.

LSrequest Packet,Request Lsa is Not in the Lsdb: The neighbor requests an LSA through LSR from the local process or area, but the LSA does not exist in the LSDB of the local process.

LSrequest Packet, exist same lsa in the Lsdb: The process receives an LSA, which exists in the local LSDB and neighbor request list.

LSrequest Packet, exist newer lsa in the Lsdb: The process receives an updated LSA, which exists in the local LSDB and neighbor request list.

Neighbor state was not full when LSDB overflow: The LSDB overflows, but the neighbor status is not Full.

Filter LSA configuration change: The configuration of LSA filter is modified.

ACL changed for Filter LSA: The ACL configuration of LSA filter is modified.

Reset Ospf Peer: The OSPF neighbor is reset.

NeighborChangeTime

Time when the status changes.
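The log formats listed above are what an operator has to read first when a switch reports high CPU usage. The following Python script is an added example, not part of the original post or of Huawei's software: it parses lines in the DEFD/6/CPCAR_DROP_*, SECE/4/PORT_ATTACK, SECE/4/USER_ATTACK and VOSCPU/4/CPU_USAGE_HIGH formats and ranks the reported attack sources by rate. The sample log lines are constructed to match the formats documented in this section; the values in them are invented.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines in the formats documented above; not captured from a real device.
SAMPLE_LOGS = """\
DEFD/6/CPCAR_DROP_LPU:Rate of packets to cpu exceeded the CPCAR limit on the LPU in slot 2. (Protocol=arp-request, CIR/CBS=256/48128, ExceededPacketCount=18732)
SECE/4/PORT_ATTACK:Port attack occurred.(Slot=2, SourceAttackInterface=GigabitEthernet2/0/7, OuterVlan/InnerVlan=100/0, AttackProtocol=ARP-REQUEST, AttackPackets=1536 packets per second)
SECE/4/USER_ATTACK:User attack occurred.(Slot=2, SourceAttackInterface=GigabitEthernet2/0/7, OuterVlan/InnerVlan=100/0, UserMacAddress=0011-2233-4455, AttackProtocol=ARP-REQUEST, AttackPackets=1490 packets per second)
SECE/4/USER_ATTACK:User attack occurred.(Slot=2, SourceAttackInterface=GigabitEthernet2/0/9, OuterVlan/InnerVlan=200/0, UserMacAddress=00aa-bbcc-ddee, AttackProtocol=DHCP, AttackPackets=210 packets per second)
VOSCPU/4/CPU_USAGE_HIGH:The CPU is overloaded (CpuUsage=91%, Threshold=80%), and the tasks with top three CPU occupancy are: ARP 35%, bcmRX 22%, VIDL 8%
"""

LOG_ID = re.compile(r"^([A-Z0-9]+/\d/[A-Z_]+):(.*)$")            # MODULE/LEVEL/MNEMONIC:body
KEY_VALUE = re.compile(r"([A-Za-z][A-Za-z/]*)\s*=\s*([^,()]+)")  # Key=value pairs inside the parentheses
SLOT_IN_PROSE = re.compile(r"in slot (\S+)\.")                  # CPCAR_DROP_LPU carries the slot in prose
INT_PREFIX = re.compile(r"^(\d+)")


def parse_line(line: str) -> Optional[Dict]:
    """Split one VRP log line into its id (e.g. SECE/4/USER_ATTACK) and its Key=value fields."""
    m = LOG_ID.match(line.strip())
    if not m:
        return None
    log_id, body = m.group(1), m.group(2)
    fields = {k: v.strip() for k, v in KEY_VALUE.findall(body)}
    slot = SLOT_IN_PROSE.search(body)
    if slot:
        fields.setdefault("Slot", slot.group(1))
    return {"id": log_id, "fields": fields, "body": body}


def _leading_int(value: str) -> int:
    """'1536 packets per second' -> 1536, '91%' -> 91."""
    m = INT_PREFIX.match(value.strip())
    return int(m.group(1)) if m else 0


def triage(text: str) -> Dict:
    """Group the log lines that matter in a high-CPU investigation."""
    report = {"cpu_high": [], "cpcar_drops": [], "attack_sources": []}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        f = rec["fields"]
        if rec["id"] == "VOSCPU/4/CPU_USAGE_HIGH":
            tasks = rec["body"].split("are:", 1)[1].strip() if "are:" in rec["body"] else ""
            report["cpu_high"].append({"usage": _leading_int(f["CpuUsage"]),
                                       "threshold": _leading_int(f["Threshold"]),
                                       "tasks": tasks})
        elif rec["id"] in ("DEFD/6/CPCAR_DROP_LPU", "DEFD/6/CPCAR_DROP_MPU"):
            report["cpcar_drops"].append((f.get("Slot", "MPU"), f["Protocol"],
                                          int(f["ExceededPacketCount"])))
        elif rec["id"] in ("SECE/4/PORT_ATTACK", "SECE/4/USER_ATTACK"):
            report["attack_sources"].append({
                "interface": f["SourceAttackInterface"],
                "vlan": f["OuterVlan/InnerVlan"],
                "mac": f.get("UserMacAddress"),      # only USER_ATTACK names a MAC address
                "protocol": f["AttackProtocol"],
                "pps": _leading_int(f["AttackPackets"]),
            })
    return report


def top_attack_sources(text: str, n: int = 3) -> List[Dict]:
    """Attack sources sorted by reported rate; the first entry is where to start looking."""
    sources = triage(text)["attack_sources"]
    return sorted(sources, key=lambda s: s["pps"], reverse=True)[:n]


if __name__ == "__main__":
    rep = triage(SAMPLE_LOGS)
    for c in rep["cpu_high"]:
        print(f"CPU {c['usage']}% (threshold {c['threshold']}%): {c['tasks']}")
    for slot, proto, count in rep["cpcar_drops"]:
        print(f"CPCAR drops on slot {slot}: {proto} {count} packets")
    for s in top_attack_sources(SAMPLE_LOGS):
        print(f"{s['interface']} vlan {s['vlan']} mac {s['mac']} {s['protocol']} {s['pps']} pps")
```

Running the script against a saved display logbuffer output answers the three questions that section 7 assumes you already know: which task is busy, which protocol is being dropped by CPCAR, and which interface the packets come from.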

 

8.1.4 OID Information

 

(The OID table was provided as an image in the original post and is not reproduced here.)

 

8.2 Local Attack Defense Policy

 

The switch provides a local attack defense policy to protect its CPU. When a large number of packets, whether legitimate or malicious, are sent to the CPU, this function keeps the CPU from being overwhelmed and prevents service interruption.

8.2.1 Function Overview

As shown in Figure 8-1, local attack defense policies include attack source tracing, port attack defense, CPCAR, and blacklist. The port attack defense and CPCAR functions are enabled by default.

 


Improper CPCAR adjustment will affect network services. To modify the CPCAR settings, contact Huawei switch agents.

Figure 8-1 Security capability of the CPU


 

8.2.1.1 Attack Source Tracing

After attack source tracing is enabled, the switch analyzes and collects statistics on the packets sent to the CPU. The switch provides thresholds for packets, and considers the packets exceeding thresholds as attack packets. Then the switch locates the source interface and IP address of the attack source, reports logs to users, and takes measures on the attack source. The switch may also discard the attack packets or shut down the attacked interface.

1.         Set the source tracing mode.

The switch supports the following attack source tracing modes:

           Source IP address-based tracing: defends against Layer 3 attack packets.

           Source MAC address-based tracing: defends against Layer 2 attack packets with the specified source MAC address.

           Interface+VLAN based tracing: defends against Layer 2 attack packets with different source MAC addresses.

If you do not know the type of attack packets in advance, configure all of the preceding modes.

2.         Set the packet type in attack source tracing.

The switch can perform attack source tracing for any combination of 802.1X, ARP, DHCP, ICMP, IGMP, TCP, Telnet, TTL-expired (TTL=1), and UDP packets, or for all of them.

When an attack occurs, the type of attack packets may not be known beforehand. The auto-defend protocol command lets you choose which packet types are traced.

3.         Set the attack defense action.

After identifying an attack source, the switch takes one of the following actions to stop it from attacking the switch:

           Discards the attack packets within a period.

           Shuts down the interface receiving the attack packets.

4.         Configure the whitelist.

If you want to exclude some users from attack source tracing, add the users to the whitelist. The switch does not take attack source tracing actions on the users in whitelist.

Generally, uplink interfaces need to be added to the whitelist so that an action taken against a traced source cannot cut off transit traffic.

5.         Set the attack source tracing threshold.

The switch supports the attack source tracing threshold, sampling rate, and event report threshold.

In Figure 8-2, the source tracing mode is based on source IP address, the threshold is 4 pps, and the attack source tracing action is discard packets. If the rate of packets sent to the CPU within one second exceeds the threshold, the system considers that an attack has occurred, generates a log in which the attack source address is 10.3.2.1, and discards packets from this address for a certain period of time.

Figure 8-2 Attack source tracing

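The five settings above (tracing mode, traced protocols, action, whitelist, threshold) combine into one loop: key each punted packet by the chosen source identity, count packets per key over a one-second window, and apply the action once the count passes the threshold. The following Python simulation is an added example, not code from the original post or from Huawei; it uses the 4 pps threshold and deny action of Figure 8-2, assumes a deny timer of 300 s (the real default depends on model and version), and feeds constructed traffic in which one host spoofs a different source MAC on every packet, which shows why the page recommends configuring all three tracing modes when the attack type is unknown.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Optional, Set


@dataclass
class Packet:
    t: float                       # arrival time in seconds
    proto: str                     # arp, dhcp, icmp, igmp, tcp, telnet, ttl-expired, udp, 8021x
    src_mac: str
    port: str
    vlan: int
    src_ip: Optional[str] = None   # None for a pure Layer 2 frame


@dataclass
class AttackSourceTracer:
    mode: str = "source-ip"        # source-ip | source-mac | source-portvlan
    threshold_pps: int = 4         # as in Figure 8-2
    deny_timer: float = 300.0      # assumed value; the real default is model/version specific
    protocols: Set[str] = field(default_factory=lambda: {
        "8021x", "arp", "dhcp", "icmp", "igmp", "tcp", "telnet", "ttl-expired", "udp"})
    whitelist_ports: Set[str] = field(default_factory=set)
    windows: Dict[str, Deque[float]] = field(default_factory=lambda: defaultdict(deque))
    denied_until: Dict[str, float] = field(default_factory=dict)
    logs: List[str] = field(default_factory=list)

    def trace_key(self, p: Packet) -> Optional[str]:
        """The identity a source is traced by in the configured mode."""
        if self.mode == "source-ip":
            return p.src_ip
        if self.mode == "source-mac":
            return p.src_mac
        return f"{p.port}/vlan{p.vlan}"

    def handle(self, p: Packet) -> str:
        """Return 'pass' (sent on to the CPU) or 'drop' (source is under a deny action)."""
        if p.port in self.whitelist_ports or p.proto not in self.protocols:
            return "pass"                      # whitelisted interface, or protocol not traced
        key = self.trace_key(p)
        if key is None:
            return "pass"                      # e.g. an L2-only frame under source-ip tracing
        until = self.denied_until.get(key)
        if until is not None:
            if p.t < until:
                return "drop"                  # deny timer still running
            del self.denied_until[key]         # timer expired: trace this source afresh
        window = self.windows[key]
        window.append(p.t)
        while window and window[0] <= p.t - 1.0:
            window.popleft()                   # one-second sliding window
        if len(window) > self.threshold_pps:
            self.denied_until[key] = p.t + self.deny_timer
            self.logs.append(f"attack source {key}: {len(window)} pps > {self.threshold_pps} pps, "
                             f"deny for {self.deny_timer:.0f} s")
            window.clear()
            return "drop"
        return "pass"


def run_scenario(mode: str) -> Dict[str, int]:
    """Constructed traffic (an assumption, not from the page): host 10.3.2.1 on GE0/0/1 VLAN 10
    sends 10 ARP packets within one second, each with a different spoofed source MAC; the
    whitelisted uplink GE0/0/24 sends 20 packets in the same second; one more packet from
    10.3.2.1 arrives after the deny timer has expired."""
    tracer = AttackSourceTracer(mode=mode, threshold_pps=4,
                                whitelist_ports={"GigabitEthernet0/0/24"})
    counts = {"pass": 0, "drop": 0}
    for i in range(10):
        counts[tracer.handle(Packet(t=i / 10, proto="arp", src_ip="10.3.2.1",
                                    src_mac=f"0000-0000-{i:04x}",
                                    port="GigabitEthernet0/0/1", vlan=10))] += 1
    for i in range(20):
        counts[tracer.handle(Packet(t=i / 20, proto="arp", src_ip="10.0.0.254",
                                    src_mac="00e0-fc00-0001",
                                    port="GigabitEthernet0/0/24", vlan=10))] += 1
    counts[tracer.handle(Packet(t=400.0, proto="arp", src_ip="10.3.2.1", src_mac="0000-0000-00ff",
                                port="GigabitEthernet0/0/1", vlan=10))] += 1
    counts["attack_logs"] = len(tracer.logs)
    return counts


if __name__ == "__main__":
    for m in ("source-ip", "source-mac", "source-portvlan"):
        print(m, run_scenario(m))
```

With source-ip or interface+VLAN tracing the burst is caught on the fifth packet and the remaining packets of that second are discarded, while the whitelisted uplink is never touched. With source-mac tracing alone the same burst passes completely, because each spoofed MAC stays below the threshold; that is the gap the page's advice to enable all three modes closes.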

 

8.2.1.2 Port Attack Defense

If packets from one interface take up too much of the bandwidth to the CPU, packets from the other interfaces cannot reach the CPU and services are interrupted. Port attack defense limits the number of packets each interface can send to the CPU.

After port attack defense is configured, a switch can trace the source and limit the rate of packets sent to the CPU based on ports, protecting the CPU against DoS attacks.

By default, the port attack defense function is enabled. The switch calculates rate of packets received on an interface. If the packet rate exceeds the threshold within the aging time, the switch considers that an attack occurs. Then the switch traces the source and limits the rate of attack packets on the port, and records a log.

The switch takes the following measures in rate limiting:

l   When the rate of the attack packets does not exceed the limit (the same value as the CPCAR value in the attack defense policy), the switch moves them to a low-priority queue (queue 2, generally; for details about queues, see 8.2.1.3 CPCAR) and then sends them to the CPU. Because they now sit in a low-priority queue, they cannot crowd out protocol packets from other interfaces.

l   When the rate exceeds the limit, the switch discards the excess packets.

Port attack defense provides the following functions:

l   Attack defense for the specified protocol packets

The switch can perform port attack defense for each of ARP Request, ARP Reply, DHCP, ICMP, IGMP, and IP fragment packets, or for all of them.

l   Whitelist

If you want to exclude some users from port attack defense, add them to the whitelist.

Generally, the uplink interface needs to be added to the whitelist so that network-side protocol packets and packets from authorized users are sent to the CPU without delay.

l   Port attack defense thresholds

The switch supports a port attack defense threshold, a sampling rate, and an aging time.

When an attack occurs, the type of attack packets may not be known beforehand. The auto-port-defend protocol command lets you choose which packet types port attack defense applies to.

In Figure 8-3, both port 1 and port 2 send ARP request and DHCP packets to the CPU. The rate of ARP request packets sent by port 1 and the rate of DHCP packets sent by port 2 exceed the threshold. The switch considers that an attack has occurred, and moves the packets to queue 2, which has a low priority.

Figure 8-3 Port attack defense


 

By default, port attack defense is enabled on the switch. Its rate limiting (demoting packets to a low-priority queue) has a smaller impact on services than the actions taken by attack source tracing (discarding packets or shutting down the interface).

8.2.1.3 CPCAR

The Control Plane Committed Access Rate (CPCAR) limits the rate of packets sent to the CPU to protect the control plane. As packets are sent to the CPU, the switch applies the following types of rate limiting in turn:

1.         Rate limiting based on protocol

The switch specifies a threshold for each protocol. When the rate of protocol packets exceeds the threshold, the switch discards the packets so that each protocol can be processed promptly.

2.         Scheduling and rate limiting based on queue

After protocol-based rate limiting, the switch places packets in queues according to their layer (management/control/forwarding) and importance. The queues have different priorities, and packets are scheduled by queue priority: when queues contend, the packets in the high-priority queue are processed first. In addition, the switch can limit the rate of each queue, that is, the maximum rate at which packets leave each queue for the CPU. This keeps the switch stable when the CPU is under heavy load.

The switch has eight queues, numbered 0 to 7; the higher the queue number, the higher the priority. To view the queue assignments, run the display cpu-defend configuration all command.

3.         Unified rate limiting

On a stable network, the number of packets sent to the CPU is within an acceptable range. If a large number of packets are sent to the CPU within a short period, the CPU is busy processing these packets, resulting in a high CPU usage. To restrict the total number of packets processed by the CPU, the switch performs rate limiting on all packets to ensure normal running of the CPU.

In Figure 8-4, when a large number of protocol packets are sent to the CPU, the switch:

1.         Performs rate limiting on protocol packets based on protocol type.

2.         Moves packets to different queues depending on the queues of the protocols. The queue with a large ID has a high priority.

3.         Limits the rate of all packets. If the packet rate exceeds the threshold, the switch discards the packets in low-priority queues.

Figure 8-4 Packet rate limiting by CPCAR


 


CPCAR does not take effect on the management interface. If the network connected to the management interface comes under a serious attack, users may be unable to log in to the switch through that interface. In that case, scan the PCs on that network for viruses or replan the network.

The switch provides a default CPCAR setting for each protocol. Improper CPCAR settings will affect services on the network. To modify the CPCAR settings for some protocols, contact Huawei switch agents.

Generally, the default CPCAR settings can meet requirements.
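The three CPCAR stages above, together with the queue demotion that port attack defense performs (8.2.1.2), are easiest to see as one pipeline: a token bucket per protocol, a queue per protocol, and a total budget that is spent from the highest-priority queue downwards. The following Python simulation is an added example and is not code from the original post or from Huawei. The CPCAR table, the unified limit of 300 packets per second and the traffic mix are all assumptions chosen to make the effect visible; real CIR/CBS values are model and version specific and are read with display cpu-defend configuration all. CIR is modelled in packets per second and CBS in packets to keep the arithmetic exact.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, Set, Tuple

# Assumed CPCAR table: protocol -> (CIR in packets/s, CBS in packets, CPU queue).
CPCAR = {
    "bgp":         (400, 800, 6),
    "ospf":        (300, 600, 6),
    "arp-request": (128, 256, 3),
    "dhcp":        (128, 256, 3),
    "icmp":        (64, 128, 2),
}
TOTAL_PPS = 300         # assumed unified limit on packets the CPU accepts per second
PORT_DEFEND_QUEUE = 2   # port attack defense demotes flagged packets here ("queue 2, generally")


@dataclass
class TokenBucket:
    cir: float
    cbs: float
    tokens: float
    last: float = 0.0

    def admit(self, now: float) -> bool:
        """Stage 1, per-protocol CAR: refill at CIR up to CBS, spend one token per packet."""
        self.tokens = min(self.cbs, self.tokens + (now - self.last) * self.cir)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class ControlPlane:
    def __init__(self, flagged: Set[Tuple[str, str]]):
        self.buckets = {p: TokenBucket(cir, cbs, tokens=cbs) for p, (cir, cbs, _) in CPCAR.items()}
        self.queues: Dict[int, Deque[Tuple[str, str]]] = defaultdict(deque)
        self.flagged = flagged          # (port, protocol) pairs that port attack defense has flagged
        self.stats: Dict[str, int] = defaultdict(int)

    def punt(self, now: float, proto: str, port: str) -> None:
        """Stages 1 and 2: rate limit per protocol, then place the packet in its CPU queue."""
        if proto not in CPCAR:
            self.stats["unknown-drop"] += 1
            return
        if not self.buckets[proto].admit(now):
            self.stats[f"car-drop:{proto}"] += 1
            return
        queue = CPCAR[proto][2]
        if (port, proto) in self.flagged:
            queue = min(queue, PORT_DEFEND_QUEUE)   # port attack defense: demote, do not drop
            self.stats[f"demoted:{proto}"] += 1
        self.queues[queue].append((proto, port))

    def schedule(self) -> None:
        """Stage 3: strict priority from the highest queue down under the unified limit;
        whatever the budget cannot cover is dropped, so the low queues lose first."""
        budget = TOTAL_PPS
        for queue in sorted(self.queues, reverse=True):
            while self.queues[queue] and budget > 0:
                proto, _ = self.queues[queue].popleft()
                self.stats[f"to-cpu:{proto}"] += 1
                budget -= 1
            while self.queues[queue]:
                proto, _ = self.queues[queue].popleft()
                self.stats[f"total-drop:{proto}"] += 1


def simulate(port_defend: bool) -> Dict[str, int]:
    """Constructed two-second scenario (an assumption, not from the page): each second, 100 BGP
    and 50 OSPF packets arrive from the uplink, 60 DHCP requests from GE0/0/9, and a flood of
    500 ARP requests plus 300 ICMP echoes from GE0/0/7. With port_defend=True, port attack
    defense has already flagged the two flooding (port, protocol) pairs."""
    flagged = {("GigabitEthernet0/0/7", "arp-request"), ("GigabitEthernet0/0/7", "icmp")} if port_defend else set()
    cp = ControlPlane(flagged)
    for tick in (0.0, 1.0):
        batch = ([("bgp", "GigabitEthernet0/0/24")] * 100 + [("ospf", "GigabitEthernet0/0/24")] * 50
                 + [("arp-request", "GigabitEthernet0/0/7")] * 500 + [("icmp", "GigabitEthernet0/0/7")] * 300
                 + [("dhcp", "GigabitEthernet0/0/9")] * 60)
        for proto, port in batch:
            cp.punt(tick, proto, port)
        cp.schedule()
    return dict(cp.stats)


if __name__ == "__main__":
    for label, stats in (("with port attack defense", simulate(True)), ("without", simulate(False))):
        print(label, {k: v for k, v in sorted(stats.items())})
```

Routing protocols in queue 6 are untouched in both runs: per-protocol CAR and strict priority protect them. The difference is in queue 3. Without port attack defense the ARP flood shares queue 3 with DHCP and starves it; with the flood demoted to queue 2, every DHCP request from the other port reaches the CPU and the ARP and ICMP excess is what gets dropped.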

8.2.1.4 Blacklist

When a switch receives a large number of protocol packets, the CPU may be overwhelmed, so that valid protocol packets are not processed or protocols flap. Use methods such as packet capture and attack source tracing to determine the characteristics of the attack source (such as its MAC or IP address), and then configure a blacklist to discard those packets.

You can create a blacklist on a device and add users with specified characteristics to the blacklist. The device then discards the packets from these users. In Figure 8-5, blacklist 1 matches the packets with source IP address 10.1.1.0/24 and blacklist 2 matches packets with source IP address 10.2.2.0/24. When these packets are sent to the CPU, the switch discards them.

Figure 8-5 Blacklist


 

8.2.2 Configuring a Local Attack Defense Policy

                               Step 1     Create a local attack defense policy.

1.         Run the system-view command to enter the system view.

2.         Run the cpu-defend policy policy-name command to create an attack defense policy and enter its view.

3.         Configure attack source tracing.

a.         Run the auto-defend enable command to enable attack source tracing.

b.         Run the auto-defend trace-type { source-ip | source-mac | source-portvlan }* command to set the attack source tracing mode.

c.         Run the auto-defend protocol { all | { 8021x | arp | dhcp | icmp | igmp | tcp | telnet | ttl-expired | udp } * } command to set the packet type for attack source tracing.

d.         Run the auto-defend whitelist whitelist-number { acl acl-number | interface interface-type interface-number } command to configure a whitelist.

e.         Run the auto-defend action { deny [ timer time-length ] | error-down } command to enable the attack source tracing action function and set the action.

4.         Configure port attack defense.

a.         Run the auto-port-defend enable command to enable port-based attack defense.

By default, the port attack defense function is enabled.

b.         Run the auto-port-defend protocol { all | { arp-request | arp-reply | dhcp | icmp | igmp | ip-fragment } * } command to set the packet type in port attack defense.

By default, port attack defense is applicable to ARP Request, ARP Reply, DHCP, ICMP, IGMP, and IP fragment packets.

5.         Set the rate limit for protocol packets.

The rules of sending protocol packets to CPU include car and deny. When both the car and deny rules are configured for the same type of protocols, the rule configured later takes effect.

           To enable CPCAR limiting for the packets sent to the CPU and set the threshold, run the car { packet-type packet-type | user-defined-flow flow-id } cir cir-value [ cbs cbs-value ] command.

           To set the action taken on the packets sent to the CPU to discard, run the deny { packet-type packet-type | user-defined-flow flow-id } command.

6.         Run the blacklist blacklist-id acl acl-number command to create a blacklist.

A maximum of eight blacklists can be configured in an attack defense policy.


Packets matching the ACL applied to a blacklist are discarded, regardless of whether the ACL contains a permit or deny rule.

                               Step 2     Apply the local attack defense policy.

After a local attack defense policy is created, the policy must be applied.

l   Modular switches

Both MPUs and LPUs have their own CPUs, so local attack defense policies are configured and applied separately for MPUs and LPUs.

Before creating and applying attack defense policies, check attack information on the MPUs and LPUs. If the attack information on the MPUs and LPUs is consistent, apply the same attack defense policy to the MPUs and LPUs; otherwise, apply different policies to them.

a.         Apply an attack defense policy to MPU.

i.          Run the system-view command to enter the system view.

ii.        Run the cpu-defend-policy policy-name1 command to apply the attack defense policy.

b.         Apply an attack defense policy to an LPU.


If an attack defense policy has been applied to all LPUs, it cannot be applied to the specified LPU. In a similar manner, if an attack defense policy has been applied to a specified LPU, it cannot be applied to all LPUs.

   • If all LPUs process similar services, apply an attack defense policy to all LPUs.

Run the cpu-defend-policy policy-name2 global command to apply an attack defense policy.

   • If LPUs process different services, apply an attack defense policy to the specified LPU.

1)         Run the slot slot-id command to enter the slot view.

2)         Run the cpu-defend-policy policy-name2 command to apply an attack defense policy.

An attack defense policy applied to a slot view takes effect only for the LPU in this slot.

• Fixed switches

   • On a stand-alone switch:

i.          Run the system-view command to enter the system view.

ii.        Run the cpu-defend-policy policy-name global command to apply the attack defense policy globally.

   • In a stack:

i.          Run the system-view command to enter the system view.

ii.        Apply the attack defense policy.

   • To apply the attack defense policy to all stacked devices, run the cpu-defend-policy policy-name global command.

   • To apply the attack defense policy to the master device, run the cpu-defend-policy policy-name command.

----End
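The procedure above, as an added configuration example that is not part of the original post: it creates one attack defense policy for the MPU and a stricter one for an LPU, each with a blacklist ACL, CPCAR rules and a deny rule, and applies them on a modular switch (the fixed-switch form is shown as a trailing comment). The policy names, ACL number, address range, slot number and cir/cbs values are assumptions; the packet types are those the post lists.

```text
#
acl number 2001                                   // Assumed ACL; the address range is constructed
 rule 5 permit source 192.0.2.0 0.0.0.255         // Blacklisted packets are discarded whether the rule says permit or deny
#
cpu-defend policy mpu-policy                      // Assumed policy name for the MPU
 blacklist 1 acl 2001                             // At most eight blacklists per policy
 car packet-type arp-request cir 128 cbs 24064    // CPCAR: ARP Request to the CPU limited to 128 kbit/s (values assumed)
 car packet-type icmp cir 64                      // cbs is optional
 deny packet-type ip-fragment                     // IP fragments sent to the CPU are discarded
                                                  // If a car rule and a deny rule exist for the same packet type, the one configured later wins
#
cpu-defend policy lpu-policy                      // Assumed policy name for the LPU, with a lower CPCAR
 blacklist 1 acl 2001
 car packet-type arp-request cir 64
 deny packet-type ip-fragment
#
cpu-defend-policy mpu-policy                      // System view: applies to the MPU
#
slot 2                                            // Slot view (slot number assumed)
 cpu-defend-policy lpu-policy                     // Applies only to the LPU in slot 2; not allowed if a policy is already applied to all LPUs with "global"
#
// On a fixed switch or a stack, apply the policy globally instead:
// cpu-defend-policy mpu-policy global
```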

8.3 Tasks Occupying CPU Resource

Task Name: Description

BUFM: Outputs debugging information.
1731: Implements the Y.1731 protocol stack, manages the protocol state machine, and maintains the protocol database.
_EXC: Processes system exception events.
_TIL: Monitors and processes deadloops caused by software exceptions.
AAA: Interacts with modules such as the UCM and RADIUS to process user authentication messages, and maintains authentication and authorization entries.
ACL: Controls access users.
ADPG: Maintains dynamic VLAN-related chip entries (adaptation layer task).
ADPT: Implements the EFM protocol stack, manages the protocol state machine, and maintains the protocol database.
age_task: Ages out MAC address entries.
AGNT: Implements the IPv4 SNMP protocol.
AGT6: Implements the IPv6 SNMP protocol.
ALM: Adds, clears, and manages alarm information.
ALS: Implements automatic laser shutdown.
AM: Manages IP address pools and addresses for modules such as DHCP.
AMCP: Synchronizes data from MPU to SPU (application layer protocol).
APP: Schedules Layer 3 services in a unified manner.
ARP: Implements the ARP protocol stack, manages the ARP state machine, and maintains the ARP database.
au_msg_hnd: Processes AU messages, which are used for MAC entry learning and delivery.
bcmC: Counts the number of packets on chip ports.
bcmD: Implements asynchronous message processing in chip drive software.
bcmR: Receives packets from the chip.
bcmT: Transmits packets to the chip.
bcmX: Transmits packets to the chip of specified type asynchronously.
bcmL2MOD.0: Learns MAC address entries.
BEAT: Sends and receives heartbeat packets to monitor inter-board communication.
BFD: Implements the BFD protocol stack, manages the protocol state machine, and maintains the protocol database.
bmLI: Scans interface status and notifies the application modules of interface status changes.
BOX: Outputs the data stored in the black box, including error and exception information generated during system operations.
BULK_CLASS: Manages the USB flash drive (operating system task).
BULK_CLASS_IRP: Manages USB I/O request packets (operating system task).
BusM A: Manages USB bus (operating system task).
CCTL: Collects and schedules performance data in batches.
CDM: Manages configuration data.
CFM: Recovers configurations.
CHAL: Completes functions at the hardware adaptation layer.
CKDV: Controls and manages the clock module.
CMD_Switching: Listens on sockets.
CMDA: Executes commands in batches.
cmdExec: Executes commands.
CSBR: Checks configuration consistency between the active and standby MPUs.
CSPF: Implements the CSPF protocol stack and completes path computation.
CssC: Handles cluster events.
CSSM: Implements cluster protocol stack and manages cluster status.
DEFD: Monitors traffic sent to the CPU and maintains CPU defense data.
DELM: Deletes MAC address entries in STP.
DEV: Manages hardware modules on the switch.
DEVA: Handles subcard hot swapping.
DFSU: Loads logic files.
DHCP: Implements the DHCP protocol stack and provides functions such as DHCP snooping and DHCP relay.
DLDP: Implements the DLDP protocol stack, manages the protocol state machine, and maintains the protocol database.
DSMS: Processes environment alarms generated by the environment monitoring system.
EAP: Implements 802.1x authentication, MAC address authentication, and MAC address bypass authentication, manages the protocol state machine, and maintains the protocol database.
Ecm: Manages low-level inter-board communication.
EFMT: Sends 802.3ah test packets.
EHCD_IH: Drives USB host controller (operating system task).
ELAB: Manages electronic labels.
EOAM: Implements the EOAM 802.1ag protocol, manages the protocol state machine, and maintains the protocol database.
Eout: Outputs debugging information about the ECM task.
FBUF: Sends packets.
FCAT: Captures the packets sent or received by the CPU for fault location.
FECD: Processes MOD synchronization messages.
FIB: Generates IPv4 forwarding entries on the control plane and delivers the entries to the forwarding plane to guide data forwarding.
FIB6: Manages IPv6 FIB entries, maintains software entries, and requests the hardware adaptation layer to maintain chip entries.
FM93: Outputs fault information.
FMAT: Manages faults.
FMCK: Detects device faults.
FMON: Monitors logic card failures.
frag_add: Synchronizes MAC entries from the hardware table to the software table, traverses the hardware table, and adds the MAC address entries that do not exist in the software table to the software table.
frag_del: Synchronizes MAC entries from the hardware table to the software table, traverses the software table, and deletes the MAC entries that do not exist in the hardware table from the software table.
FTPS: Offers the FTP service.
FTS: Receives packets. This task is created by FECD. After the driver receives packets that do not need to be processed by the super task, it sends the packets to the FTS task for processing.
GREP: Manages GRE forwarding entries in chip (adaptation layer task).
GTL: Manages common data such as memory and character strings.
GVRP: Implements the GVRP protocol stack, manages the protocol state machine, and maintains the protocol database.
HACK: Processes HA response messages.
HOTT: Manages hot swapping of interface cards.
HS2M: Synchronizes data between the active and standby MPUs to ensure high reliability.
HVRP: Implements the HVRP protocol stack, manages the protocol state machine, and maintains the protocol database.
IFNT: Processes interface status change events.
IFPD: Manages interfaces, maintains the interface database, and processes interface status change events.
INFO: Receives and sends logs, traps, and debugging information generated by service modules.
IP: Schedules IP protocol tasks in a unified manner.
IPCQ: Retransmits IPC messages upon message transmission failures.
IPCR: Sends, receives, and distributes IPC messages to related service modules.
IPMC: Adapts to Layer 3 multicast protocols, responds to changes on the control plane, and issues forwarding entries.
ISSU: Provides smooth upgrade for firmware.
ITSK: Sends, receives, and distributes various protocol packets.
L2: Schedules Layer 2 services in a unified manner.
L2MC: Listens on IGMP/MLD packets on interfaces and implements fast join/leave of group member interfaces.
L2V: Manages VPLS and VLL services, maintains control plane data, and requests the adaptation layer to maintain forwarding entries in chip.
L3I4: Delivers IPv4 unicast forwarding entries from LPUs.
L3IO: Delivers entries of Layer 3 protocols, such as URPF and VRRP, to interface cards.
L3M4: Adapts to the ARP protocol on the MPU, delivers IPv4 unicast forwarding entries, and responds to changes on the control plane.
L3MB: Adapts to Layer 3 protocols, such as URPF and VRRP, on the MPU, and delivers forwarding entries.
LACP: Implements the LACP protocol stack, manages the LACP state machine, and maintains the LACP database.
LCS: Manages licenses.
LCSP: Loads authorized features allowed by the license file.
LDP: Implements the LDP protocol stack and maintains the LDP LSP database.
LDRV: Synchronizes software versions between active and standby MPUs.
LDT: Implements the LDT protocol stack, manages the protocol state machine, and maintains the protocol database.
LHAL: Provides the hardware adaptation layer to shield hardware differences.
LINK: Schedules link layer tasks in a unified manner.
linkscan: Monitors the status of links.
LLDP: Implements the LLDP protocol stack, manages the LLDP state machine, and maintains the LLDP database.
LOAD: Loads the system image file and patch packages.
LSPA: Maintains LSP forwarding entries and instructs the hardware adaptation layer to maintain chip entries.
LSPM: Creates, updates, and deletes LSPs.
MCSW: Adapts to Layer 3 multicast protocols, responds to changes on the control plane, and issues forwarding entries.
MERX: Processes the packets received on the management interface.
MFF: Implements the MAC forced forwarding (MFF) function.
MFIB: Manages Layer 3 multicast forwarding entries.
MIRR: Implements port mirroring.
MOD: Manages, distributes, and reclaims module numbers.
MPLS: Implements the MPLS protocol stack, and distributes, manages, and reclaims labels.
MSYN: Synchronizes MAC entries between cards.
MTR: Collects memory usage data at scheduled times.
mv_rxX: Handles packet receiving queues in CPU X (X is an integer ranging from 0 to 7).
NDIO: Delivers IPv6 unicast forwarding entries from LPUs.
NDMB: Adapts to the ND protocol on the MPU, issues IPv6 unicast forwarding entries, and responds to changes on the control plane.
NQAC: Acts as the NQA client to respond to and process NQA packets.
NQAS: Acts as the NQA server to respond to and process NQA events and packets.
NSA: Manages chip entries at the VRP NetStream adaptation layer.
NTPT: Implements the NTP protocol stack, manages the protocol state machine, and maintains the protocol database.
OAM: Implements the MPLS OAM protocol stack, manages the protocol state machine, and maintains the protocol database.
OAM1: Adapts to the OAM 802.1ag protocol, responds to protocol-layer changes, and responds to changes on the forwarding plane.
OAMI: Processes packets received from logic cards.
OAMT: Responds to protocol changes and maintains chip entries (adaptation layer task).
OS: Operating system task.
Ping: Quickly responds to ping packets.
PNGI: Provides fast ping reply on LPUs.
PNGM: Provides fast ping reply on MPUs.
Port: Processes chip debugging commands.
port_statistics: Collects port statistics.
PPI: Maintains interface status on chips (adaptation layer task).
PTAL: Implements redirection authentication, authentication and authorization, manages the protocol state machine, and maintains the protocol database.
QOSA: Manages QoS configurations and maintains chip entries.
QOSB: Delivers QoS entries to LPUs and maintains QoS entries.
RACL: Creates session table entries based on the TCP/UDP/ICMP initial packet, and monitors and ages out session table entries.
RDS: Implements the RADIUS protocol stack, manages the protocol state machine, and maintains the protocol database.
RMON: Monitors the system remotely.
root: System root task.
ROUT: Completes route learning for routing protocols, selects best routes, and delivers routes to the FIB.
RPCQ: Provides the remote procedure call function.
RRPP: Implements the RRPP protocol stack on interface cards, detects interface status quickly, and delivers hardware entries.
RSA: Calculates the RSA key.
RSVP: Implements the RSVP protocol stack and maintains the CR-LSP database.
RTMR: Manages scheduled tasks.
SAM: Delivers service entries to LPUs and maintains the entries.
SAPP: Manages the application layer protocol dictionary and whitelist, maintains software entries, and instructs the adaptation layer to set chip status.
SDKD: Detects the status of the interfaces connected to the backplane and collects the packet rate on the interfaces.
SDKE: Displays LSW chip entries.
SECB: Delivers security entries to LPUs and maintains the security entries.
SECE: Implements security functions such as ARP security, IP security, and CPU security, manages the protocol state machine, and maintains protocol databases.
SERVER: TCP/IP server task.
SFPM: Queries manufacturer information and digital diagnosis information of optical modules.
SLAG: Implements the E-Trunk function.
SMAG: Smart link agent that can quickly detect and process interface status change events.
SMLK: Implements the Smart Link protocol stack, manages the protocol state machine, and maintains the protocol database.
smsL: Loads the environment monitoring module.
smsR: Sends environment monitoring requests.
smsT: Enables the environment monitoring system to send packets.
SNPG: Listens on and processes IGMP and MLD protocol packets.
SOCK: Schedules and processes IP packets.
SRMI: Processes external interrupts.
SRMT: Device management timer task.
SRVC: Processes DHCP packets related to IP sessions, and interacts with the user management module and AAA module to complete authorization and accounting.
STFW: Super forwarding task that maintains forwarding entries in the trunk memory.
STND: Assists the operating system in task and event scheduling.
STP: Implements the STP protocol stack, manages the STP state machine, and maintains the STP database.
STRA: Monitors traffic, identifies attacking traffic, and punishes attack sources.
STRB: Monitors LPUs and identifies attack traffic.
SUPP: Processes interrupt messages and timer messages in the device management module.
t1: Temporary task (operating system task).
TACH: Implements the HWTACACS protocol stack, manages the protocol state machine, and maintains the protocol database.
TAD: Transmits traps.
TARP: Processes trap messages.
tBulkClnt: Manages the USB driver (operating system task).
TCPKEEPALIVE: Maintains TCP connections.
TCTL: Controls the upload of batch collected performance data.
tDcacheUpd: Updates the disk cache (operating system task).
tExcTask: Handles exceptions (operating system task).
TICK: Processes the system clock.
tLogTask: Processes logs (operating system task).
TM: Maintains chip entries for the access service.
tNetTask: Processes network-related events (operating system task).
TNLM: Manages tunnels.
TNQA: Schedules NQA client tasks in a unified manner.
TRAF: Collects statistics on VLL, VPLS, and L3VPN.
TRAP: Processes trap messages.
tRlogind: Enables remote login to virtual terminals (operating system task).
tTelnetd: Telnet server task (operating system task).
TTNQ: Schedules NQA server tasks in a unified manner.
tUsbPgs: Device management task that manages USB plug-in and plug-out (operating system task).
tWdbTask: Debugging proxy task (operating system task).
U 34: Processes user's commands.
UCM: Interacts with the AAA module to process user status and maintain user entries.
UDPH: UDP Helper.
USB: USB-based upgrade task.
usbPegasusLib: USB host LIB (operating system task).
usbPegasusLib_IRP: USB host I/O LIB (operating system task).
UTSK: User framework task that optimizes protocol processing to ensure preferential processing of protocol packets.
VCON: Serial port redirection task.
VFS: Manages the virtual file system.
VIDL: Collects statistics on CPU usage of idle tasks.
VMON: Monitors system task running.
***M: Offers NQA VPLS MAC diagnosis.
VP: Receives and sends VP packets between boards.
VPR: Receives VP packets between boards.
VPRE: Processes VP messages.
VPS: Sends VP packets between boards.
VRPT: Timer test task.
VRRP: Implements the VRRP protocol stack, manages the VRRP state machine, and maintains the VRRP database.
VT: Virtual terminal task.
VT0: Authenticates the first login user and processes the user's commands.
VTRU: Processes the Up/Down events of V Trunk.
VTYD: Processes login requests of all users.
WEB: Implements Web authentication.
WEBS: Allows users to log in to the device through Web.
XMON: Traces system task running.
XQOS: Service quality task.

Nana00
Created Sep 5, 2016 03:43:18

Thank you