Hello there, Community!
This post is about S series switch high CPU usage troubleshooting: how to relieve the CPU load. Please read further for details.

7 How to Relieve CPU Load
1. Plan the network configuration, configure a loop prevention protocol, and enable loop detection so that loops cannot flood the CPU with looped traffic.
Run the loopback-detect untagged mac-address ffff-ffff-ffff command in the system view so that loop detection packets are sent to the broadcast MAC address and are not terminated by intermediate devices that do not recognize them.
Run the loopback-detect enable command in the interface view to enable loop detection.
2. Configure ARP security to protect the device against ARP or ARP Miss attacks.
For details about ARP security, see ARP Security Solutions in section ARP Security Configuration in the Configuration Guide - Security.
3. On the network prone to DHCP and ARP attacks, such as campus networks, configure local attack defense policies for DHCP and ARP protocol packets.
This section provides suggestions on local attack defense policies in general situations. The requirements on different protocol packets sent to the CPU may vary according to the model and version. In practice, configure CPU attack defense based on service requirements; otherwise, the configuration may fail or services may be affected.
− Control board on modular switch
#
cpu-defend policy main-board
auto-defend enable
undo auto-defend trace-type source-portvlan
undo auto-defend protocol tcp igmp telnet ttl-expired
auto-defend action deny
auto-defend whitelist 1 interface GigabitEthernet x/x/x //Add interconnected interfaces to the whitelist.
auto-defend whitelist 2 interface GigabitEthernet x/x/x //Add uplink interfaces to the whitelist.
#
cpu-defend-policy main-board
#
− Interface card on modular switch
#
cpu-defend policy io-board
auto-defend enable
undo auto-defend trace-type source-portvlan
undo auto-defend protocol tcp igmp telnet ttl-expired
auto-defend action deny
auto-defend whitelist 1 interface GigabitEthernet x/x/x //Add interconnected interfaces to the whitelist.
auto-defend whitelist 2 interface GigabitEthernet x/x/x //Add uplink interfaces to the whitelist.
#
cpu-defend-policy io-board global
#
− Fixed switches
#
cpu-defend policy main
auto-defend enable
undo auto-defend trace-type source-portvlan
undo auto-defend protocol tcp igmp telnet ttl-expired
auto-defend action deny
auto-defend whitelist 1 interface GigabitEthernet x/x/x //Add interconnected interfaces to the whitelist.
auto-defend whitelist 2 interface GigabitEthernet x/x/x //Add uplink interfaces to the whitelist.
#
cpu-defend-policy main global
#
4. Administrators log in to the switch through SSH, Telnet, or SNMP. Configure an ACL so that only administrator addresses can log in, and prefer SSH, because Telnet carries credentials in plaintext. The following example restricts VTY (SSH/Telnet) logins only; SNMP access is restricted separately by referencing an ACL in the snmp-agent configuration.
# In VTY 0-14, apply a basic ACL so that only the user with source IP address 10.1.1.1/32 can log in to the switch. The ACL is applied inbound because it must filter connections arriving at the switch; outbound would restrict connections initiated from the switch.
<HUAWEI> system-view
[HUAWEI] acl 2001
[HUAWEI-acl-basic-2001] rule 5 permit source 10.1.1.1 0
[HUAWEI-acl-basic-2001] quit
[HUAWEI] user-interface vty 0 14
[HUAWEI-ui-vty0-14] acl 2001 inbound
5. When a port group has more than 40 member ports and you add these member ports to 4K VLANs at the same time, the CPU usage may jump to over 80% in a short period. Therefore, you are advised to add the member ports to no more than 500 VLANs at a time.
6. Changing the type of more than 20 ports together may cause a CPU usage of over 80% in a short period. Therefore, you are advised to change the type of ports one by one.
7. Frequent MAC address flapping may result in high CPU usage. If MAC address flapping is likely to occur frequently on an interface, run the mac-address flapping action error-down command on the interface so that the system sets the interface to the error-down state after detecting MAC address flapping.
8. When the total number of VLANs on the interfaces with loopback detection enabled exceeds 1024 VLANs, run the loopback-detect action shutdown command on these interfaces to set the action for a detected loopback to shutdown. (The VLAN counter increases by 1 every time an interface is added to a VLAN, even when multiple interfaces are added to the same VLAN.)
9. Load and activate the patch files of the corresponding software version.
Visit http://support.huawei.com/enterprise/ to obtain the corresponding patch file and documents (patch release notes and installation guide).
10. Periodically scan the PCs and servers connected to the switch for viruses.
11. The switch provides CPCAR values for each protocol. Generally, the default CPCAR values can meet requirements. If service traffic volume is too high, contact Huawei switch agents to adjust the CPCAR values.
8 Appendix
8.1 Commands/Alarms/Logs/OIDs Related to High CPU Usage
8.1.1 Commands
Table 8-1 Command information
Command | Description |
display interface [ interface-type ] counters { inbound | outbound } | Displays number of packets sent and received on each interface. |
display cpu-usage [ slave | slot slot-id ] | Displays CPU usage statistics. |
display cpu-defend statistics [ packet-type packet-type ] [ all | slot slot-id ] | Displays statistics on protocol packets sent to the CPU. |
display arp packet statistics | Displays ARP packet statistics. |
display dhcp statistics | Displays DHCP packet statistics. |
display cpu-defend rate [ packet-type packet-type ] [ slot slot-id | all ] | Displays the rates at which protocol packets are sent to the CPU. |
display cpu-defend policy [ policy-name ] | Displays information about the attack defense policy. |
display auto-defend configuration [ cpu-defend policy policy-name | slot slot-id | mcu ] | Displays information about attack source tracing. |
display cpu-defend configuration | Displays CAR values, including the rate at which packets are sent to the CPU and CPU queues to which protocol packets are sent. |
display logbuffer [ size value | slot slot-id | module module-name | security | level { severity | level } ] * | Displays log information on the switch. |
display trapbuffer [ size value ] | Displays trap information on the switch. |
display stp [ process process-id ] [ instance instance-id ] topology-change | Displays information about STP topology changes. |
display stp [ process process-id ] [ instance instance-id ] [ interface interface-type interface-number | slot slot-id ] tc-bpdu statistics | Displays STP TC BPDU statistics. |
reset cpu-defend statistics [ packet-type packet-type ] [ all | slot slot-id ] | Clears statistics on packets sent to the CPU. |
cpu-defend policy policy-name | Configures an attack defense policy. |
blacklist blacklist-id acl acl-number | Configures an ACL-based blacklist. |
whitelist whitelist-id acl acl-number | Configures an ACL-based whitelist. |
queue packet-type packet-type queue-value | Specifies the queue number of the CPU to which protocol packets are sent. |
auto-defend enable | Enables the attack source tracing function. |
undo auto-defend trace-type { source-mac | source-ip | source-portvlan } * | Deletes the source tracing mode. |
undo auto-defend protocol { 8021x | arp | dhcp | icmp | igmp | tcp | telnet | ttl-expired | udp } * | Deletes the packet type in attack source tracing. |
auto-defend whitelist whitelist-number { acl acl-number | interface interface-type interface-number } | Configures a whitelist for attack source tracing. The users in whitelist are excluded from attack source tracing. |
auto-defend alarm enable | Enables event report in attack source tracing. |
auto-defend action { deny [ timer time-length ] | error-down } | Enables attack source tracing action and specifies the action. |
auto-port-defend whitelist whitelist-number { acl acl-number | interface interface-type interface-number } | Configures the whitelist for port attack defense. |
System view: cpu-defend-policy policy-name [ global ] Slot view: cpu-defend-policy policy-name | Applies the attack defense policy. (The command format depends on switch models and versions. In this example, the modular switch runs V200R007.) |
8.1.2 Alarm Information
1. ENTITYTRAP_1.3.6.1.4.1.2011.5.25.219.2.14.1 hwCPUUtilizationRising //The CPU usage of the switch exceeded the threshold.
ENTITYTRAP/4/ENTITYCPUALARM:OID [oid] CPU utilization exceeded the pre-alarm threshold.(Index=[INTEGER],
EntityPhysicalIndex=[INTEGER], PhysicalName=[OCTET], EntityThresholdType=[INTEGER], EntityThresholdValue=[INTEGER],
EntityThresholdCurrent=[INTEGER], EntityTrapFaultID=[INTEGER].)
2. BASETRAP_1.3.6.1.4.1.2011.5.25.129.2.4.1 hwCPUUtilizationRisingAlarm //The CPU usage of the switch exceeded the threshold.
BASETRAP/2/CPUUSAGERISING: OID [oid] CPU utilization exceeded the pre-alarm threshold.(Index=[INTEGER],
BaseUsagePhyIndex=[INTEGER], UsageType=[INTEGER], UsageIndex=[INTEGER], Severity=[INTEGER], ProbableCause=[INTEGER],
EventType=[INTEGER], PhysicalName="[OCTET]", RelativeResource="[OCTET]", UsageValue=[INTEGER], UsageUnit=[INTEGER],
UsageThreshold=[INTEGER])
3. MSTP_1.3.6.1.4.1.2011.5.25.42.4.2.15 hwMstpiTcGuarded //After the TC protection is enabled on an MSTP-enabled switch, extra TC BPDUs that are received after the number of TC BPDUs received in a specified period has exceeded the threshold are processed after the TC protection time expires.
MSTP/4/TCGUARD:OID [OID] The instance received TC message exceeded the threshold will be deferred to deal with at the end of TC protection time. (InstanceID=[INTEGER])
4. MSTP_1.3.6.1.4.1.2011.5.25.42.4.2.16 hwMstpProTcGuarded //After the TC protection is enabled for an MSTP process, extra TC BPDUs that are received after the number of TC BPDUs received in a specified period has exceeded the threshold are processed after the TC protection time expires.
MSTP/1/PROTCGUARD:OID [OID] MSTP process's instance received TC message exceeded the threshold will be deferred to deal with at the end of TC protection time. (ProcessID=[INTEGER], InstanceID=[INTEGER])
8.1.3 Log Information
1. DEFD/6/CPCAR_DROP_MPU //The rate of packets sent to the CPU exceeded the CPCAR value on the control board.
DEFD/6/CPCAR_DROP_MPU:Rate of packets to cpu exceeded the CPCAR limit on the MPU. (Protocol=[STRING], CIR/CBS=[ULONG]/[ULONG], ExceededPacketCount=[STRING])
Parameter | Description |
Protocol | Protocol type. |
CIR/CBS | Committed information rate and committed burst size. |
ExceededPacketCount | Number of packets that exceeded the CPCAR limit. |
2. DEFD/6/CPCAR_DROP_LPU //The rate at which packets are sent to the CPU exceeded the CPCAR values on the LPU.
DEFD/6/CPCAR_DROP_LPU:Rate of packets to cpu exceeded the CPCAR limit on the LPU in slot [STRING]. (Protocol=[STRING], CIR/CBS=[ULONG]/[ULONG], ExceededPacketCount=[STRING])
Parameter | Description |
slot | Slot ID. |
Protocol | Protocol type. |
CIR/CBS | Committed information rate and committed burst size. |
ExceededPacketCount | Number of packets that exceeded the CPCAR limit. |
3. SECE/4/PORT_ATTACK //A lot of attack packets from the corresponding VLAN were received on the interface.
SECE/4/PORT_ATTACK:Port attack occurred.(Slot=[STRING], SourceAttackInterface=[STRING], OuterVlan/InnerVlan=[ULONG]/[ULONG], AttackProtocol=[STRING], AttackPackets=[ULONG] packets per second)
Parameter | Description |
Slot | Slot of an MPU or LPU. |
SourceAttackInterface | Interface that initiates the attack. |
OuterVlan | Outer VLAN ID or single VLAN ID of the attack source. |
InnerVlan | Inner VLAN ID of the attack source. |
AttackProtocol | Attack packet type. |
AttackPackets | Rate of attack packets, in pps. |
4. SECE/4/USER_ATTACK //User attack information was generated on an MPU or LPU.
SECE/4/USER_ATTACK:User attack occurred.(Slot=[STRING], SourceAttackInterface=[STRING], OuterVlan/InnerVlan=[ULONG]/[ULONG], UserMacAddress=[STRING], AttackProtocol=[STRING], AttackPackets=[ULONG] packets per second)
Parameter | Description |
Slot | Slot of an MPU or LPU. |
SourceAttackInterface | Interface that initiates the attack. |
OuterVlan | Outer VLAN ID or single VLAN ID of the attack source. |
InnerVlan | Inner VLAN ID of the attack source. |
UserMacAddress | MAC address of the attack source. |
AttackProtocol | Attack packet type. |
AttackPackets | Rate of attack packets, in pps. |
5. SECE/4/SPECIFY_SIP_ATTACK //The attack source information is displayed when a switch is attacked.
SECE/4/SPECIFY_SIP_ATTACK:The specified source IP address attack occurred.(Slot=[STRING], SourceAttackIP = [STRING], AttackProtocol=[STRING], AttackPackets=[ULONG] packets per second)
Parameter | Description |
Slot | Slot of an MPU or LPU. |
SourceAttackIP | IP address of the attack source. |
AttackProtocol | Attack packet type. |
AttackPackets | Rate of attack packets, in pps. |
6. SECE/4/PORT_ATTACK_OCCUR //When the switch detects attack packets on an interface, the switch starts attack defense on the interface.
SECE/4/PORT_ATTACK_OCCUR:Auto port-defend started.(SourceAttackInterface=[STRING], AttackProtocol=[STRING])
Parameter | Description |
SourceAttackInterface | Interface that initiates the attack. |
AttackProtocol | Attack packet type. |
7. SECE/6/PORT_ATTACK_END //After an attack source is excluded, the switch cancels attack defense on the interface.
SECE/6/PORT_ATTACK_END:Auto port-defend stop.(SourceAttackInterface=[STRING], AttackProtocol=[STRING])
Parameter | Description |
SourceAttackInterface | Interface that initiates the attack. |
AttackProtocol | Attack packet type. |
8. VOSCPU/4/CPU_USAGE_HIGH //The CPU was overloaded. The names of the top 3 tasks were displayed. If these tasks contained sub-tasks, names of the sub-tasks and their CPU usages were also displayed.
VOSCPU/4/CPU_USAGE_HIGH:The CPU is overloaded (CpuUsage=[ULONG]%, Threshold=[ULONG]%), and the tasks with top three CPU occupancy are: [CPU-resources-usage]
Parameter | Description |
[CPU-resources-usage] | Names of the top 3 tasks and their CPU usage. If these tasks contained sub-tasks, names of the sub-tasks and their CPU usages were also displayed. |
CpuUsage | Current CPU usage. |
Threshold | CPU usage threshold. |
9. OSPF/3/NBR_DOWN_REASON //The neighbor status goes Down.
OSPF/3/NBR_DOWN_REASON:Neighbor state leaves full or changed to Down. (ProcessId=[USHORT], NeighborRouterId=[IPADDR], NeighborAreaId=[ULONG], NeighborInterface=[STRING],NeighborDownImmediate reason=[STRING], NeighborDownPrimeReason=[STRING], NeighborChangeTime=[STRING])
Parameter | Description |
ProcessId | Process ID. |
NeighborRouterId | Neighbor router ID. |
NeighborAreaId | Neighbor area ID. |
NeighborInterface | Neighbor interface. |
NeighborDownImmediate reason | Possible reasons why OSPF neighbor goes Down: |
Neighbor Down Due to Inactivity: The switch does not receive any Hello packets from the OSPF neighbor within the Dead Time. | |
Neighbor Down Due to LL Down (LLDown): The lower-layer protocol indicates that the neighbor is unreachable. | |
Neighbor Down Due to Kill Neighbor: The interface connected to the OSPF neighbor is Down, the BFD session on the interface is Down, or the reset ospf process command has been executed. You can view the NeighborDownPrimeReason field to determine the specific cause. | |
Neighbor Down Due to 1-Wayhello Received or Neighbor Down Due to SequenceNum Mismatch: The OSPF status on the peer interface goes Down and the remote device sends a 1-Way Hello packet to the local device. As a result, the OSPF status of the local device also changes to Down. | |
Neighbor Down Due to AdjOK?: The AdjOK? event times out. | |
Neighbor Down Due to BadLSreq: The BadLSReq event occurs on the interface. | |
NeighborDownPrimeReason | Possible reasons why the neighbor goes Down: |
Hello Not Seen: No Hello packet is received. | |
Interface Parameter Mismatch: The interface settings on two ends of a link do not match. | |
Logical Interface State Change: The logic interface status changes. | |
Physical Interface State Change: The physical interface status changes. | |
OSPF Process Reset: The OSPF process restarts. | |
Area reset: The area is reset due to an area type change. | |
Area Option Mis-match: The options of the areas to which interfaces on both ends belong do not match. | |
Vlink Peer Not Reachable: The virtual link neighbor is unreachable. | |
Sham-Link Unreachable: The Sham-Link neighbor is unreachable. | |
Undo Network Command: The network command is undone. | |
Undo NBMA Peer: The neighbor configuration on the NBMA interface is cleared. | |
Passive Interface Down: The silent-interface command is executed on the local interface. | |
Opaque Capability Enabled: The opaque capability is enabled. | |
Opaque Capability Disabled: The opaque capability is disabled. | |
Virtual Interface State Change: The virtual link interface status changes. | |
BFD Session Down: The BFD session goes Down. | |
Down Retransmission Limit Exceed: The maximum number of retransmission times is reached. | |
1-Wayhello Received: A 1-way Hello packet is received. | |
Router State Change from DR or BDR to DROTHER: The local interface role is changed from DR or BDR to DROTHER. | |
Neighbor State Change from DR or BDR to DROTHER: The neighbor interface role is changed from DR or BDR to DROTHER. | |
NSSA Area Configure Change: The configuration of the NSSA area is modified. | |
Stub Area Configure Change: The configuration of the stub area is modified. | |
Received Invalid DD Packet: An invalid DD packet is received. | |
Not Received DD during RouterDeadInterval: No DD packet is received during Dead timer restart. | |
M,I,MS bit or SequenceNum Incorrect: The M, I, and MS bits in received DD packets are different from those defined in the protocol. | |
Unable Opaque Capability,Find 9,10,11 Type Lsa: The LSAs of types 9, 10, and 11 are received, but the Opaque capability is not enabled. | |
Not NSSA,Find 7 Type Lsa in Summary List: The local area does not belong to an NSSA, but a Type-7 LSA exists in the summary list. | |
LSrequest Packet,Unknown Reason: An LSR packet is received for an unknown reason. | |
NSSA or STUB Area,Find 5 ,11 Type Lsa: The local area is an NSSA or stub area, but Type-5 and Type-11 LSAs exist. | |
LSrequest Packet,Request Lsa is Not in the Lsdb: The neighbor requests an LSA through LSR from the local process or area, but the LSA does not exist in the LSDB of the local process. | |
LSrequest Packet, exist same lsa in the Lsdb: The process receives an LSA, which exists in the local LSDB and neighbor request list. | |
LSrequest Packet, exist newer lsa in the Lsdb: The process receives an updated LSA, which exists in the local LSDB and neighbor request list. | |
Neighbor state was not full when LSDB overflow: The LSDB overflows, but the neighbor status is not Full. | |
Filter LSA configuration change: The configuration of LSA filter is modified. | |
ACL changed for Filter LSA: The ACL configuration of LSA filter is modified. | |
Reset Ospf Peer: The OSPF neighbor is reset. | |
NeighborChangeTime | Time when the status changes. |
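The DEFD, SECE and VOSCPU messages above are what a practitioner greps for when the CPU alarm fires. The following Python script, added here as an example and not part of the Huawei documentation, parses those messages in their documented formats and summarizes which protocol CPCAR is dropping, which interface, MAC or IP address the switch attributes the attack to, and whether the CPU actually crossed its threshold. The timestamp/hostname prefix, the `%%01...(l)[n]:` log header and every value in the sample buffer are constructed for the example, not taken from a device.

```python
"""Triage helper for VRP attack-defense and CPU logs (DEFD/SECE/VOSCPU).
Added example, not Huawei code.  Only the message formats come from the
documentation; the sample buffer below is constructed, not captured."""
import re
from collections import Counter

# Constructed sample log buffer in the style of display logbuffer output.
SAMPLE_LOGS = """\
Jan  5 2024 10:01:02 SW1 %%01DEFD/6/CPCAR_DROP_MPU(l)[0]:Rate of packets to cpu exceeded the CPCAR limit on the MPU. (Protocol=arp-request, CIR/CBS=64/12032, ExceededPacketCount=10234)
Jan  5 2024 10:01:05 SW1 %%01SECE/4/PORT_ATTACK(l)[1]:Port attack occurred.(Slot=0, SourceAttackInterface=GigabitEthernet0/0/5, OuterVlan/InnerVlan=100/0, AttackProtocol=ARP, AttackPackets=245 packets per second)
Jan  5 2024 10:01:06 SW1 %%01SECE/4/USER_ATTACK(l)[2]:User attack occurred.(Slot=0, SourceAttackInterface=GigabitEthernet0/0/5, OuterVlan/InnerVlan=100/0, UserMacAddress=0011-2233-4455, AttackProtocol=ARP, AttackPackets=240 packets per second)
Jan  5 2024 10:01:07 SW1 %%01SECE/4/SPECIFY_SIP_ATTACK(l)[3]:The specified source IP address attack occurred.(Slot=0, SourceAttackIP = 10.3.2.1, AttackProtocol=ICMP, AttackPackets=512 packets per second)
Jan  5 2024 10:01:08 SW1 %%01VOSCPU/4/CPU_USAGE_HIGH(l)[4]:The CPU is overloaded (CpuUsage=92%, Threshold=80%), and the tasks with top three CPU occupancy are: bcmR 40% ARP 25% VOS 10%
Jan  5 2024 10:01:09 SW1 %%01DEFD/6/CPCAR_DROP_LPU(l)[5]:Rate of packets to cpu exceeded the CPCAR limit on the LPU in slot 2. (Protocol=icmp, CIR/CBS=128/24064, ExceededPacketCount=3000)
"""

# MODULE/severity/NAME identifier, e.g. SECE/4/PORT_ATTACK
LOG_ID_RE = re.compile(r"(?P<module>[A-Z][A-Z0-9]*)/(?P<severity>\d)/(?P<name>[A-Z][A-Z0-9_]*)")
# Key=Value pairs inside the parenthesised parameter list (keys may contain '/')
KV_RE = re.compile(r"(?P<key>[A-Za-z][A-Za-z/]*)\s*=\s*(?P<val>[^,()]+)")
LPU_SLOT_RE = re.compile(r"on the LPU in slot (?P<slot>\S+?)\.")
TASKS_RE = re.compile(r"CPU occupancy are:\s*(?P<tasks>.+)$")


def parse_line(line):
    """Return {'module', 'severity', 'name', <Key>: <value>, ...} or None."""
    m = LOG_ID_RE.search(line)
    if not m:
        return None
    rec = {"module": m["module"], "severity": int(m["severity"]), "name": m["name"]}
    rec.update((kv["key"], kv["val"].strip()) for kv in KV_RE.finditer(line))
    slot = LPU_SLOT_RE.search(line)      # CPCAR_DROP_LPU carries the slot in prose
    if slot:
        rec["Slot"] = slot["slot"]
    tasks = TASKS_RE.search(line)        # CPU_USAGE_HIGH lists top tasks after the parameters
    if tasks:
        rec["Tasks"] = tasks["tasks"].strip()
    return rec


def parse_logs(text):
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]


def attack_sources(records):
    """(source, protocol, pps) for each SECE attack log; the most specific
    identifier wins: MAC (USER_ATTACK) or IP (SPECIFY_SIP_ATTACK) over interface."""
    hits = []
    for r in records:
        if r["module"] == "SECE" and "AttackPackets" in r:
            src = r.get("UserMacAddress") or r.get("SourceAttackIP") or r.get("SourceAttackInterface")
            pps = int(r["AttackPackets"].split()[0])
            hits.append((src, r["AttackProtocol"], pps))
    return hits


def cpcar_drops(records):
    """Total ExceededPacketCount per (board, protocol) from DEFD CPCAR_DROP logs."""
    totals = Counter()
    for r in records:
        if r["name"].startswith("CPCAR_DROP"):
            board = "MPU" if r["name"].endswith("MPU") else f"LPU slot {r.get('Slot', '?')}"
            totals[(board, r["Protocol"])] += int(r["ExceededPacketCount"])
    return dict(totals)


def cpu_overload(records):
    """(usage %, threshold %, top tasks) for each VOSCPU CPU_USAGE_HIGH log."""
    return [(int(r["CpuUsage"].rstrip("%")), int(r["Threshold"].rstrip("%")), r.get("Tasks", ""))
            for r in records if r["name"] == "CPU_USAGE_HIGH"]


def triage(text):
    """One-shot summary: what is dropped, who sends it, did the CPU cross its threshold."""
    recs = parse_logs(text)
    return {
        "cpcar_drops": cpcar_drops(recs),
        "attack_sources": sorted(attack_sources(recs), key=lambda h: -h[2]),
        "cpu_overload": cpu_overload(recs),
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(triage(SAMPLE_LOGS))
```

Feed it the output of display logbuffer; the attack_sources list, ordered by rate, points at the interface to whitelist, blacklist or error-down, and cpcar_drops tells you which protocol's CPCAR is saturated before you consider asking for the value to be changed.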
8.1.4 OID Information
8.2 Local Attack Defense Policy
8.2.1 Function Overview
As shown in Figure 8-1, local attack defense policies include attack source tracing, port attack defense, CPCAR, and blacklist. The port attack defense and CPCAR functions are enabled by default.
Improper CPCAR adjustment will affect network services. To modify the CPCAR settings, contact Huawei switch agents.
Figure 8-1 Security capability of the CPU
8.2.1.1 Attack Source Tracing
After attack source tracing is enabled, the switch analyzes and collects statistics on the packets sent to the CPU. Packets whose rate exceeds the configured threshold are treated as attack packets. The switch then identifies the source interface, MAC address or IP address of the attack source, reports a log, and takes the configured action on that source: discarding its packets for a period or shutting down the attacked interface.
1. Set the source tracing mode.
The switch supports the following attack source tracing modes:
− Source IP address-based tracing: defends against Layer 3 attack packets.
− Source MAC address-based tracing: defends against Layer 2 attack packets with the specified source MAC address.
− Interface+VLAN based tracing: defends against Layer 2 attack packets with different source MAC addresses.
If you do not know the type of the attack packets, configure all of the preceding modes.
2. Set the packet type in attack source tracing.
The switch can perform attack source tracing for each of 802.1x, ARP, DHCP, ICMP, IGMP, TCP, Telnet, TTL 1, and UDP packets, or all of them.
When an attack occurs, the type of attack packets is often not known in advance. The auto-defend protocol command allows you to flexibly specify the types of traced packets.
3. Set the attack defense action.
After identifying an attack source, the switch takes actions on the attack source to prevent it attacking the switch:
− Discards the attack packets within a period.
− Shuts down the interface receiving the attack packets.
4. Configure the whitelist.
If you want to exclude some users from attack source tracing, add the users to the whitelist. The switch does not take attack source tracing actions on the users in whitelist.
Generally, the uplink interface needs to be added to the whitelist to prevent impact on services.
5. Set the attack source tracing threshold.
The switch supports the attack source tracing threshold, sampling rate, and event report threshold.
In Figure 8-2, the source tracing mode is based on source IP address, the threshold is 4 pps, and the attack source tracing action is discard packets. If the rate of packets sent to the CPU within one second exceeds the threshold, the system considers that an attack has occurred, generates a log in which the attack source address is 10.3.2.1, and discards packets from this address for a certain period of time.
Figure 8-2 Attack source tracing
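To make the tracing modes and the whitelist concrete, the following Python model, added here as an example and not Huawei's implementation, counts punted packets per second under each enabled trace type and marks an identity as an attack source when its rate exceeds the threshold, as in Figure 8-2. Sampling and per-protocol thresholds are omitted, the 300-second deny timer default is an assumption of the model, and the sample traffic is constructed. It shows why the text recommends configuring all three modes: an ARP flood that rotates its source MAC and sender IP per packet is invisible to source-ip and source-mac tracing but is caught by interface+VLAN tracing, and a whitelisted uplink is never traced.

```python
"""Model of VRP attack source tracing (auto-defend).  Added example, not
switch code: sampling and per-protocol thresholds are omitted, the deny timer
default of 300 s is assumed, and the sample traffic is constructed."""
from collections import Counter

# A packet punted to the CPU: (second, interface, vlan, src_mac, src_ip, protocol)


def trace_keys(pkt, trace_types):
    """Identities under which one punted packet is counted, one per enabled mode."""
    _sec, iface, vlan, mac, ip, _proto = pkt
    keys = []
    if "source-ip" in trace_types and ip:
        keys.append(("source-ip", ip))
    if "source-mac" in trace_types and mac:
        keys.append(("source-mac", mac))
    if "source-portvlan" in trace_types:
        keys.append(("source-portvlan", f"{iface}/vlan{vlan}"))
    return keys


def auto_defend(packets, trace_types, protocols, threshold_pps,
                whitelist_ifaces=(), deny_timer=300):
    """Return {(mode, source): deny_until_second} for every traced identity
    whose rate in any one second exceeds threshold_pps.  Packets from
    whitelisted interfaces and of untraced protocols are never counted."""
    per_second = Counter()
    for pkt in packets:
        sec, iface, _vlan, _mac, _ip, proto = pkt
        if iface in whitelist_ifaces or proto not in protocols:
            continue
        for key in trace_keys(pkt, trace_types):
            per_second[(sec,) + key] += 1
    denied = {}
    for (sec, mode, src), n in sorted(per_second.items()):
        if n > threshold_pps:
            # auto-defend action deny [timer]: drop this source until the timer expires
            denied.setdefault((mode, src), sec + deny_timer)
    return denied


def is_denied(denied, pkt, trace_types):
    """True if any identity of pkt is still inside its deny period."""
    return any(denied.get(k, -1) > pkt[0] for k in trace_keys(pkt, trace_types))


def constructed_traffic():
    """One second of constructed traffic, not a capture."""
    pkts = []
    # Host flooding ICMP from a single MAC/IP: 10 pps, caught by every mode
    pkts += [(0, "GigabitEthernet0/0/1", 10, "0001-0001-0001", "10.3.2.1", "icmp")] * 10
    # ARP flood rotating source MAC and sender IP per packet: 8 pps from one port
    pkts += [(0, "GigabitEthernet0/0/2", 20, f"00aa-00aa-{i:04x}", f"10.9.{i}.{i}", "arp")
             for i in range(8)]
    # Uplink carrying legitimate ARP from the gateway at 20 pps
    pkts += [(0, "GigabitEthernet0/0/24", 1, "0000-5e00-0101", "10.0.0.1", "arp")] * 20
    # Ordinary host at 2 pps, below the threshold
    pkts += [(0, "GigabitEthernet0/0/3", 10, "0002-0002-0002", "10.3.2.7", "icmp")] * 2
    # IGMP from the attacker port, not in the traced protocol set
    pkts += [(0, "GigabitEthernet0/0/2", 20, "00aa-00aa-ffff", None, "igmp")] * 9
    return pkts


if __name__ == "__main__":
    traffic = constructed_traffic()
    uplink = {"GigabitEthernet0/0/24"}
    for modes in ({"source-ip", "source-mac"},
                  {"source-ip", "source-mac", "source-portvlan"}):
        print(sorted(modes), "->",
              sorted(auto_defend(traffic, modes, {"arp", "icmp"}, 4, uplink)))
```

Run without the whitelist and the gateway's 20 pps of ARP is itself flagged, which is exactly the service impact the whitelist recommendation above is meant to avoid.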
8.2.1.2 Port Attack Defense
If packets from one interface occupy too much of the bandwidth to the CPU, packets from other interfaces cannot reach the CPU, causing a service interruption. Port attack defense controls the number of packets sent to the CPU per interface.
After port attack defense is configured, a switch can trace the source and limit the rate of packets sent to the CPU based on ports, protecting the CPU against DoS attacks.
By default, the port attack defense function is enabled. The switch calculates rate of packets received on an interface. If the packet rate exceeds the threshold within the aging time, the switch considers that an attack occurs. Then the switch traces the source and limits the rate of attack packets on the port, and records a log.
The switch takes the following rate limiting measures on the attack packets:
• If the packet rate does not exceed the rate limit (the same value as the CPCAR value in the attack defense policy), the switch moves the packets to a low-priority queue (generally queue 2; for details about queues, see 8.2.1.3 CPCAR) and then sends them to the CPU.
• If the packet rate exceeds the rate limit, the switch discards the excess packets.
Port attack defense provides the following functions:
• Attack defense for specified protocol packets
The switch can perform port attack defense for each of ARP Request, ARP Reply, DHCP, ICMP, IGMP, and IP fragment packets, or for all of them. When an attack occurs and the type of attack packets cannot be identified in advance, the auto-port-defend protocol command allows you to flexibly specify the types of traced packets.
• Whitelist
If you want to exclude some users from port attack defense, add them to the whitelist.
Generally, the uplink interface needs to be added to the whitelist so that network-side protocol packets and packets from authorized users are sent to the CPU promptly.
• Port attack defense thresholds
The switch supports the attack detection threshold, sampling rate, and aging time.
In Figure 8-3, both port 1 and port 2 send ARP request and DHCP packets to the CPU. The rate of ARP request packets sent by port 1 and the rate of DHCP packets sent by port 2 exceed the threshold. The switch considers that an attack has occurred, and moves the packets to queue 2, which has a low priority.
Figure 8-3 Port attack defense
By default, port attack defense is enabled on a switch. Its rate limiting actions have less impact on services than the actions taken by attack source tracing, which discards all packets from the source or shuts down the interface.
8.2.1.3 CPCAR
The Control Plane Committed Access Rate (CPCAR) limits the rate of packets sent to the CPU to protect the control plane. The switch performs the following types of rate limiting on packets sent to the CPU:
1. Rate limiting based on protocol
The switch specifies a threshold for each protocol. When the rate of protocol packets exceeds the threshold, the switch discards the packets so that each protocol can be processed promptly.
2. Scheduling and rate limiting based on queue
After protocol-based rate limiting, the switch places packets in queues according to the plane they belong to (management, control, or forwarding) and their importance. The queues have different priorities and are scheduled by priority: when packets in different queues contend, those in the higher-priority queue are processed first. In addition, the switch can limit the rate of each queue, restricting the maximum rate at which packets are sent from that queue to the CPU. This keeps the switch stable when the CPU is heavily loaded.
The switch has eight queues, numbered 0 to 7; a queue with a larger ID has a higher priority. To view the queue assigned to each protocol, run the display cpu-defend configuration all command.
3. Unified rate limiting
On a stable network, the number of packets sent to the CPU is within an acceptable range. If a large number of packets are sent to the CPU within a short period, the CPU is busy processing these packets, resulting in a high CPU usage. To restrict the total number of packets processed by the CPU, the switch performs rate limiting on all packets to ensure normal running of the CPU.
In Figure 8-4, a large number of protocol packets are sent to the CPU, and the switch:
1. Limits the rate of protocol packets by protocol type.
2. Places the packets in the queues assigned to their protocols; a queue with a larger ID has a higher priority.
3. Limits the total rate of all packets. If the total rate exceeds the threshold, the switch discards packets in the low-priority queues.
Figure 8-4 Packet rate limiting by CPCAR
CPCAR does not take effect on the management interface. If the network connected to the management interface is under a serious attack, users may fail to log in to the switch through that interface. In this case, scan the PCs for viruses or replan the network.
The switch provides a default CPCAR setting for each protocol, and generally the defaults meet requirements. Improper CPCAR settings affect services on the network, so contact Huawei switch agents before modifying the CPCAR setting of any protocol.
8.2.1.4 Blacklist
When a switch receives a large number of protocol packets, the CPU may be overwhelmed, so that valid protocol packets are not processed or protocols flap. Use methods such as packet capture and attack source tracing to determine the characteristics of the attack source (such as its MAC or IP address), and then configure a blacklist to discard packets with those characteristics.
You can create a blacklist on the device and add users with the specified characteristics to it. The device then discards the packets from these users. In Figure 8-5, blacklist 1 matches packets with source IP addresses in 10.1.1.0/24 and blacklist 2 matches packets with source IP addresses in 10.2.2.0/24. When these packets are sent to the CPU, the switch discards them.
Figure 8-5 Blacklist
8.2.2 Configuring a Local Attack Defense Policy
Step 1 Create a local attack defense policy.
1. Run the system-view command to enter the system view.
2. Run the cpu-defend policy policy-name command to create an attack defense policy and enter its view.
3. Configure attack source tracing.
a. Run the auto-defend enable command to enable attack source tracing.
b. Run the auto-defend trace-type { source-ip | source-mac | source-portvlan }* command to set the attack source tracing mode.
c. Run the auto-defend protocol { all | { 8021x | arp | dhcp | icmp | igmp | tcp | telnet | ttl-expired | udp } * } command to set the packet type for attack source tracing.
d. Run the auto-defend whitelist whitelist-number { acl acl-number | interface interface-type interface-number } command to configure a whitelist.
e. Run the auto-defend action { deny [ timer time-length ] | error-down } command to enable the attack source tracing action function and set the action.
4. Configure port attack defense.
a. Run the auto-port-defend enable command to enable port-based attack defense.
By default, the port attack defense function is enabled.
b. Run the auto-port-defend protocol { all | { arp-request | arp-reply | dhcp | icmp | igmp | ip-fragment } * } command to set the packet type in port attack defense.
By default, port attack defense is applicable to ARP Request, ARP Reply, DHCP, ICMP, IGMP, and IP fragment packets.
5. Set the rate limit for protocol packets.
The rules of sending protocol packets to CPU include car and deny. When both the car and deny rules are configured for the same type of protocols, the rule configured later takes effect.
− To enable CPCAR limiting for the packets sent to the CPU and set the threshold, run the car { packet-type packet-type | user-defined-flow flow-id } cir cir-value [ cbs cbs-value ] command.
− To set the action taken on the packets sent to the CPU to discard, run the deny { packet-type packet-type | user-defined-flow flow-id } command.
6. Run the blacklist blacklist-id acl acl-number command to create a blacklist.
A maximum of eight blacklists can be configured in an attack defense policy.
Packets matching the ACL applied to a blacklist are discarded, regardless of whether the ACL contains a permit or deny rule.
Step 2 Apply the local attack defense policy.
After a local attack defense policy is created, the policy must be applied.
• Modular switches
MPUs and LPUs each have their own CPU, so local attack defense policies are configured separately for MPUs and LPUs.
Before creating and applying attack defense policies, check attack information on the MPUs and LPUs. If the attack information on the MPUs and LPUs is consistent, apply the same attack defense policy to the MPUs and LPUs; otherwise, apply different policies to them.
a. Apply an attack defense policy to MPU.
i. Run the system-view command to enter the system view.
ii. Run the cpu-defend-policy policy-name1 command to apply the attack defense policy.
b. Apply an attack defense policy to an LPU.
If an attack defense policy has been applied to all LPUs, it cannot be applied to the specified LPU. In a similar manner, if an attack defense policy has been applied to a specified LPU, it cannot be applied to all LPUs.
□ If all LPUs process similar services, apply an attack defense policy to all LPUs.
Run the cpu-defend-policy policy-name2 global command to apply an attack defense policy.
□ If LPUs process different services, apply an attack defense policy to the specified LPU.
1) Run the slot slot-id command to enter the slot view.
2) Run the cpu-defend-policy policy-name2 command to apply an attack defense policy.
An attack defense policy applied to a slot view takes effect only for the LPU in this slot.
• Fixed switches
− On a stand-alone switch:
i. Run the system-view command to enter the system view.
ii. Run the cpu-defend-policy policy-name global command to apply the attack defense policy globally.
− In a stack:
i. Run the system-view command to enter the system view.
ii. Apply the attack defense policy.
□ To apply the attack defense policy to all stacked devices, run the cpu-defend-policy policy-name global command.
□ To apply the attack defense policy to the master device, run the cpu-defend-policy policy-name command.
----End
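As an added example (not configuration from the original post), the blacklist step and the policy-application steps above combined on a modular switch: one policy applied to the MPU in the system view and a second policy applied only to the LPU in slot 1 from the slot view. The ACL number 2001, the 10.1.1.0/24 source range, the policy names and the slot number are assumed; the acl and rule commands are standard VRP commands that the post itself does not show.

```text
//Constructed example. ACL number, source range, policy names and slot number are assumed.
system-view
//ACL referenced by the blacklist (acl/rule commands assumed, not shown in the post)
acl number 2001
 rule 5 permit source 10.1.1.0 0.0.0.255
 quit
//Policy for the MPU
cpu-defend policy main-board
 blacklist 1 acl 2001            //Matching packets are discarded whether the ACL rule is permit or deny.
 quit
cpu-defend-policy main-board     //Applied in the system view: takes effect on the MPU.
//Policy for the LPU in slot 1 only
cpu-defend policy io-board
 blacklist 1 acl 2001
 quit
slot 1
 cpu-defend-policy io-board      //Applied in the slot view: takes effect only for the LPU in this slot.
 quit
//Do not also run "cpu-defend-policy io-board global": a policy already applied to a
//specific LPU cannot be applied to all LPUs, and the reverse also holds.
```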
Task Name | Description |
--- | --- |
BUFM | Outputs debugging information. |
1731 | Implements the Y.1731 protocol stack, manages the protocol state machine, and maintains the protocol database. |
_EXC | Processes system exception events. |
_TIL | Monitors and processes deadloops caused by software exceptions. |
AAA | Interacts with modules such as the UCM and RADIUS to process user authentication messages, and maintains authentication and authorization entries. |
ACL | Controls access users. |
ADPG | Maintains dynamic VLAN-related chip entries (adaptation layer task). |
ADPT | Implements the EFM protocol stack, manages the protocol state machine, and maintains the protocol database. |
age_task | Ages out MAC address entries. |
AGNT | Implements the IPv4 SNMP protocol. |
AGT6 | Implements the IPv6 SNMP protocol. |
ALM | Adds, clears, and manages alarm information. |
ALS | Implements automatic laser shutdown. |
AM | Manages IP address pools and addresses for modules such as DHCP. |
AMCP | Synchronizes data from MPU to SPU (application layer protocol). |
APP | Schedules Layer 3 services in a unified manner. |
ARP | Implements the ARP protocol stack, manages the ARP state machine, and maintains the ARP database. |
au_msg_hnd | Processes AU messages, which are used for MAC entry learning and delivery. |
bcmC | Counts the number of packets on chip ports. |
bcmD | Implements asynchronous message processing in chip drive software. |
bcmR | Receives packets from the chip. |
bcmT | Transmits packets to the chip. |
bcmX | Transmits packets to the chip of specified type asynchronously. |
bcmL2MOD.0 | Learns MAC address entries. |
BEAT | Sends and receives heartbeat packets to monitor inter-board communication. |
BFD | Implements the BFD protocol stack, manages the protocol state machine, and maintains the protocol database. |
bmLI | Scans interface status and notifies the application modules of interface status changes. |
BOX | Outputs the data stored in the black box, including error and exception information generated during system operations. |
BULK_CLASS | Manages the USB flash drive (operating system task). |
BULK_CLASS_IRP | Manages USB I/O request packets (operating system task). |
BusM A | Manages USB bus (operating system task). |
CCTL | Collects and schedules performance data in batches. |
CDM | Manages configuration data. |
CFM | Recovers configurations. |
CHAL | Completes functions at the hardware adaptation layer. |
CKDV | Controls and manages the clock module. |
CMD_Switching | Listens on sockets. |
CMDA | Executes commands in batches. |
cmdExec | Executes commands. |
CSBR | Checks configuration consistency between the active and standby MPUs. |
CSPF | Implements the CSPF protocol stack and completes path computation. |
CssC | Handles cluster events. |
CSSM | Implements cluster protocol stack and manages cluster status. |
DEFD | Monitors traffic sent to the CPU and maintains CPU defense data. |
DELM | Deletes MAC address entries in STP. |
DEV | Manages hardware modules on the switch. |
DEVA | Handles subcard hot swapping. |
DFSU | Loads logic files. |
DHCP | Implements the DHCP protocol stack and provides the functions such as DHCP snooping and DHCP relay. |
DLDP | Implements the DLDP protocol stack, manages the protocol state machine, and maintains the protocol database. |
DSMS | Processes environment alarms generated by the environment monitoring system. |
EAP | Implements 802.1x authentication, MAC address authentication, and MAC address bypass authentication, manages the protocol state machine, and maintains the protocol database. |
Ecm | Manages low-level inter-board communication. |
EFMT | Sends 802.3ah test packets. |
EHCD_IH | Drives USB host controller (operating system task). |
ELAB | Manages electronic labels. |
EOAM | Implements the EOAM 802.1ag protocol, manages the protocol state machine, and maintains the protocol database. |
Eout | Outputs debugging information about the ECM task. |
FBUF | Sends packets. |
FCAT | Captures the packets sent or received by the CPU for fault location. |
FECD | Processes MOD synchronization messages. |
FIB | Generates IPv4 forwarding entries on the control plane and delivers the entries to the forwarding plane to guide data forwarding. |
FIB6 | Manages IPv6 FIB entries, maintains software entries, and requests the hardware adaptation layer to maintain chip entries. |
FM93 | Outputs fault information. |
FMAT | Manages faults. |
FMCK | Detects device faults. |
FMON | Monitors logic card failures. |
frag_add | Synchronizes MAC entries from the hardware table to the software table, traverses the hardware table, and adds the MAC address entries that do not exist in the software table to the software table. |
frag_del | Synchronizes MAC entries from the hardware table to the software table, traverses the software table, and deletes the MAC entries that do not exist in the hardware table from the software table. |
FTPS | Offers the FTP service. |
FTS | Receives packets. This task is created by FECD. After the driver receives packets that do not need to be processed by the super task, it sends the packets to the FTS task for processing. |
GREP | Manages GRE forwarding entries in chip (adaptation layer task). |
GTL | Manages common data such as memory and character strings. |
GVRP | Implements the GVRP protocol stack, manages the protocol state machine, and maintains the protocol database. |
HACK | Processes HA response messages. |
HOTT | Manages hot swapping of interface cards. |
HS2M | Synchronizes data between the active and standby MPUs to ensure high reliability. |
HVRP | Implements the HVRP protocol stack, manages the protocol state machine, and maintains the protocol database. |
IFNT | Processes interface status change events. |
IFPD | Manages interfaces, maintains interface database, and processes interface status change events. |
INFO | Receives and sends logs, traps, and debugging information generated by service modules. |
IP | Schedules IP protocol tasks in a unified manner. |
IPCQ | Retransmits IPC messages upon message transmission failures. |
IPCR | Sends, receives, and distributes IPC messages to related service modules. |
IPMC | Adapts to Layer 3 multicast protocols, responds to changes on the control plane, and issues forwarding entries. |
ISSU | Provides smooth upgrade for firmware. |
ITSK | Sends, receives, and distributes various protocol packets. |
L2 | Schedules Layer 2 services in a unified manner. |
L2MC | Listens on IGMP/MLD packets on interfaces and implements fast join/leave group member interfaces. |
L2V | Manages VPLS and VLL services, maintains control plane data, and requests the adaptation layer to maintain forwarding entries in chip. |
L3I4 | Delivers IPv4 unicast forwarding entries from LPUs. |
L3IO | Delivers entries of Layer 3 protocols, such as URPF and VRRP, to interface cards. |
L3M4 | Adapts to the ARP protocol on the MPU, delivers IPv4 unicast forwarding entries, and responds to the changes at the control plane. |
L3MB | Adapts to Layer 3 protocols, such as URPF and VRRP, on the MPU, and delivers forwarding entries. |
LACP | Implements the LACP protocol stack, manages the LACP state machine, and maintains the LACP database. |
LCS | Manages licenses. |
LCSP | Loads authorized features allowed by the license file. |
LDP | Implements the LDP protocol stack and maintains the LDP LSP database. |
LDRV | Synchronizes software versions between active and standby MPUs. |
LDT | Implements the LDT protocol stack, manages the protocol state machine, and maintains the protocol database. |
LHAL | Provides the hardware adaptation layer to shield hardware differences. |
LINK | Schedules link layer tasks in a unified manner. |
linkscan | Monitors the status of links. |
LLDP | Implements the LLDP protocol stack, manages the LLDP state machine, and maintains the LLDP database. |
LOAD | Loads the system image file and patch packages. |
LSPA | Maintains LSP forwarding entries and instructs the hardware adaptation layer to maintain chip entries. |
LSPM | Creates, updates, and deletes LSPs. |
MCSW | Adapts to Layer 3 multicast protocols, responds to changes on the control plane, and issues forwarding entries. |
MERX | Processes the packets received on the management interface. |
MFF | Implements the MAC forced forwarding (MFF) function. |
MFIB | Manages Layer 3 multicast forwarding entries. |
MIRR | Implements port mirroring. |
MOD | Manages, distributes, and reclaims module numbers. |
MPLS | Implements MPLS protocol stack, and distributes, manages, and reclaims labels. |
MSYN | Synchronizes MAC entries between cards. |
MTR | Collects memory usage data at scheduled time. |
mv_rxX | Handles packet receiving queues in CPU X (X is an integer ranging from 0 to 7). |
NDIO | Delivers IPv6 unicast forwarding entries from LPUs. |
NDMB | Adapts to the ND protocol on the MPU, issues IPv6 unicast forwarding entries, and responds to changes on the control plane. |
NQAC | Acts as the NQA client to respond to and process NQA packets. |
NQAS | Acts as the NQA server to respond to and process NQA events and packets. |
NSA | Manages chip entries at the VRP NetStream adaptation layer. |
NTPT | Implements the NTP protocol stack, manages the protocol state machine, and maintains the protocol database. |
OAM | Implements the MPLS OAM protocol stack, manages the protocol state machine, and maintains the protocol database. |
OAM1 | Adapts to the OAM 802.1ag protocol, responds to protocol-layer changes, and responds to changes on the forwarding plane. |
OAMI | Processes packets received from logic cards. |
OAMT | Responds to protocol changes and maintains chip entries (adaptation layer task). |
OS | Operating system task. |
Ping | Quickly responds to ping packets. |
PNGI | Provides fast ping reply on LPUs. |
PNGM | Provides fast ping reply on MPUs. |
Port | Processes chip debugging commands. |
port_statistics | Collects port statistics. |
PPI | Maintains interface status on chips (adaptation layer task). |
PTAL | Implements redirection authentication, authentication and authorization, manages the protocol state machine, and maintains the protocol database. |
QOSA | Manages QoS configurations and maintains chip entries. |
QOSB | Delivers QoS entries to LPUs and maintains QoS entries. |
RACL | Creates session table entries based on TCP/UDP/ICMP initial packet, monitors and ages out session table entries. |
RDS | Implements the RADIUS protocol stack, manages the protocol state machine, and maintains the protocol database. |
RMON | Monitors the system remotely. |
root | System root task. |
ROUT | Completes route learning for routing protocols, selects best routes, and delivers routes to the FIB. |
RPCQ | Provides the remote procedure call function. |
RRPP | Implements the RRPP protocol stack on interface cards, detects interface status quickly, and delivers hardware entries. |
RSA | Calculates the RSA key. |
RSVP | Implements the RSVP protocol stack and maintains the CR-LSP database. |
RTMR | Manages scheduled tasks. |
SAM | Delivers service entries to LPUs and maintains the entries. |
SAPP | Manages application layer protocol dictionary and whitelist, maintains software entries and instructs the adaptation layer to set chip status. |
SDKD | Detects the status of the interfaces connected to the backplane and collects the packet rate on the interfaces. |
SDKE | Displays LSW chip entries. |
SECB | Delivers security entries to LPUs and maintains the security entries. |
SECE | Implements security functions such as ARP security, IP security, and CPU security, manages the protocol state machine, and maintains protocol databases. |
SERVER | TCP/IP server task. |
SFPM | Queries manufacturer information and digital diagnosis information of optical modules. |
SLAG | Implements the E-Trunk function. |
SMAG | Smart Link agent that quickly detects and processes interface status change events. |
SMLK | Implements the Smart Link protocol stack, manages the protocol state machine, and maintains the protocol database. |
smsL | Loads the environment monitoring module. |
smsR | Sends environment monitoring requests. |
smsT | Enables the environment monitoring system to send packets. |
SNPG | Listens on and processes IGMP and MLD protocol packets. |
SOCK | Schedules and processes IP packets. |
SRMI | Processes external interrupts. |
SRMT | Device management timer task. |
SRVC | Processes DHCP packets related to IP sessions, and interacts with the user management module and AAA module to complete authorization and accounting. |
STFW | Super forwarding task that maintains forwarding entries in the trunk memory. |
STND | Assists the operating system in task and event scheduling. |
STP | Implements the STP protocol stack, manages the STP state machine, and maintains the STP database. |
STRA | Monitors traffic, identifies attacking traffic, and punishes attack sources. |
STRB | Monitors LPUs and identifies attack traffic. |
SUPP | Processes interrupt messages and timer messages in the device management module. |
t1 | Temporary task (operating system task). |
TACH | Implements the HWTACACS protocol stack, manages the protocol state machine, and maintains the protocol database. |
TAD | Transmits traps. |
TARP | Processes trap messages. |
tBulkClnt | Manages the USB driver (operating system task). |
TCPKEEPALIVE | Maintains TCP connections. |
TCTL | Controls the upload of batch collected performance data. |
tDcacheUpd | Updates the disk cache (operating system task). |
tExcTask | Handles exceptions (operating system task). |
TICK | Processes the system clock. |
tLogTask | Processes logs (operating system task). |
TM | Maintains chip entries for the access service. |
tNetTask | Processes network-related events (operating system task). |
TNLM | Manages tunnels. |
TNQA | Schedules NQA client tasks in a unified manner. |
TRAF | Collects statistics on VLL, VPLS, and L3VPN. |
TRAP | Processes trap messages. |
tRlogind | Enables remote login to virtual terminals (operating system task). |
tTelnetd | Telnet server task (operating system task). |
TTNQ | Schedules NQA server tasks in a unified manner. |
tUsbPgs | Device management task that manages USB plug-in and plug-out (operating system task). |
tWdbTask | Debugging proxy task (operating system task). |
U 34 | Processes user's commands. |
UCM | Interacts with the AAA module to process user status and maintain user entries. |
UDPH | Implements UDP Helper. |
USB | USB-based upgrade task. |
usbPegasusLib | USB host LIB (operating system task). |
usbPegasusLib_IRP | USB host I/O LIB (operating system task). |
UTSK | User framework task that optimizes protocol processing to ensure preferential processing of protocol packets. |
VCON | Serial port redirection task. |
VFS | Manages the virtual file system. |
VIDL | Collects statistics on CPU usage of idle tasks. |
VMON | Monitors system task running. |
***M | Offers NQA VPLS MAC diagnosis. |
VP | Receives and sends VP packets between boards. |
VPR | Receives VP packets between boards. |
VPRE | Processes VP messages. |
VPS | Sends VP packets between boards. |
VRPT | Timer test task. |
VRRP | Implements the VRRP protocol stack, manages the VRRP state machine, and maintains the VRRP database. |
VT | Virtual terminal task. |
VT0 | Authenticates the first login user and processes the user's commands. |
VTRU | Processes the Up/Down events of V Trunk. |
VTYD | Processes login requests of all users. |
WEB | Implements Web authentication. |
WEBS | Allows users to log in to the device through Web. |
XMON | Traces system task running. |
XQOS | Service quality task. |

