5.1 Checking Whether the Problem Is Caused by a Hardware Failure

If you determine that the problem is caused by a hardware failure according to 4.3 Determining Fault Causes According to the CPU Usage (the DEV, HOTT, FMCK, or SRMI task has a high CPU usage), contact Huawei switch distributors for help.

If services are affected, reset the board causing the high CPU usage (powering off the board is recommended) to recover services temporarily.

5.2 Checking Whether the Problem Is Caused by a Network Attack

In some situations, network attacks may cause high CPU usage. Network attacks are initiated by hosts or network devices by sending a large number of forged packets to switches, affecting security and services on the target switches. When a network attack occurs, the switch is busy with the requests from the attack source. Therefore, some tasks occupy much CPU resource, causing a high CPU usage on the switch.

Common Network Attacks

Common network attacks, such as ARP, ARP Miss, and DHCP attacks, can cause a high CPU usage on a switch. These attacks are all initiated by sending a large number of protocol packets; therefore, packet statistics on the switch show a large number of packets sent to the CPU.

l   ARP and ARP-Miss attack

           ARP and ARP Miss flood

           ARP spoofing

l   DHCP protocol packet attack

l   Other attack

           ICMP attack

           DDoS

           Broadcast attack

           TTL-expired attack

           Initiating IP packets with the switch's IP address as the destination address

           SSH/FTP/Telnet attacks

Network Attack Locating

                               Step 1     Run the display version and display device commands to check the switch version and component types. Record the information for follow-up operations.

                               Step 2     Run the display cpu-defend statistics command to view statistics about the packets sent to the CPU, determining whether too many protocol packets are discarded due to timeout.

1.         Run the reset cpu-defend statistics command to clear statistics about the packets sent to the CPU.

2.         After several seconds, run the display cpu-defend statistics command to view statistics about the packets sent to the CPU.

If there are too many packets of a protocol, determine whether it is normal depending on the networking. If not, there is a high probability that the switch is undergoing a protocol packet attack.

reset cpu-defend statistics
display cpu-defend statistics all
Statistics on slot 2:
-----------------------------------------------------------------------------------------------------------
Packet Type         Pass(Bytes)  Drop(Bytes)   Pass(Packets)   Drop(Packets)
-----------------------------------------------------------------------------------------------------------
arp-miss            0           0            0             0
arp-request          40800       35768        600           52600
bgp                0           0            0             0
……
-----------------------------------------------------------------------------------------------------------

The preceding information shows that the switch has discarded many ARP request packets. If these packets are abnormal, the switch undergoes an ARP attack.

                               Step 3     Configure the attack source tracing function to find out the attack source.

If a CPU is busy with many valid or attack packets, services may be interrupted. The switch provides the local attack defense function to protect the CPU. Local attack defense policies include attack source tracing, port attack defense, CPCAR, and blacklist. For details about local attack defense, see 8.2 Local Attack Defense Policy.

1.         Create the local attack defense policy based on attack source tracing.

a.         Create an ACL and add the gateway IP address to the whitelist of attack source tracing.

system-view
[HUAWEI] acl number 2000 
[HUAWEI-acl-basic-2000] rule 5 permit source 10.1.1.1 0  //10.1.1.1 is the gateway IP address.
[HUAWEI-acl-basic-2000] quit

b.         Create the local attack defense policy based on attack source tracing.

[HUAWEI] cpu-defend policy policy1
[HUAWEI-cpu-defend-policy-policy1] auto-defend enable  //Enable attack source tracing. By default, this function is disabled.
[HUAWEI-cpu-defend-policy-policy1] undo auto-defend trace-type source-portvlan  //Set the attack tracing mode to MAC + IP based. By default, attack source tracing is based on source MAC address, source IP address, source interface, and VLAN ID. To delete unneeded mode, run the undo auto-defend trace-type command.
[HUAWEI-cpu-defend-policy-policy1] undo auto-defend protocol 8021x dhcp icmp igmp tcp telnet ttl-expired udp  //Delete a packet type from attack source tracing. By default, the packet types for attack source tracing are 802.1x, ARP, DHCP, ICMP, IGMP, TCP, Telnet, TTL-expired, and UDP.
[HUAWEI-cpu-defend-policy-policy1] auto-defend whitelist 1 acl 2000  //Add the gateway IP address to whitelist.
[HUAWEI-cpu-defend-policy-policy1] quit

2.         Apply the local attack defense policy.

           Modular switches

Both MPUs and LPUs have their own CPUs. Local attack defense policies are configured differentially for MPUs and LPUs.

Before creating and applying attack defense policies, check attack information on the MPUs and LPUs. If the attack information on the MPUs and LPUs is consistent, apply the same attack defense policy to the MPUs and LPUs; otherwise, apply different policies to them.

i.          Apply an attack defense policy to MPU.

system-view
[HUAWEI] cpu-defend-policy policy1 
[HUAWEI] quit

ii.        Apply an attack defense policy to an LPU.

If an attack defense policy has been applied to all LPUs, it cannot be applied to the specified LPU. In a similar manner, if an attack defense policy has been applied to a specified LPU, it cannot be applied to all LPUs.

□   If all LPUs process similar services, apply an attack defense policy to all LPUs.

system-view
[HUAWEI] cpu-defend-policy policy2 global

□   If LPUs process different services, apply an attack defense policy to the specified LPU.

system-view
[HUAWEI] slot 1
[HUAWEI-slot-1] cpu-defend-policy policy2

           Fixed switches

n   Apply an attack defense policy to a stand-alone switch.

system-view
[HUAWEI] cpu-defend-policy policy1 global

n   In a stack:

□   Apply an attack defense policy to the master switch.

system-view
[HUAWEI] cpu-defend-policy policy1

□   Apply an attack defense policy to all stacked switches.

system-view
[HUAWEI] cpu-defend-policy policy1 global

3.         View attack source information.

After configuring local attack defense based on attack source tracing, run the display auto-defend attack-source and display auto-defend attack-source slot slot-id commands to view attack source information.

The MAC address of gateway should be excluded from the suspicious attack sources.

----End

Handling Suggestion

Select an appropriate method based on the attack source information and networking.

l   Configure ARP security to prevent ARP attacks.

The switch provides ARP security to prevent ARP and ARP Miss packet attacks.

For details about ARP security, see ARP Security Solutions in the Configuration Guide > Security > ARP Security Configuration.

l   Configure an attack source tracing action: discard attack packets within the specified period.

# Discard attack packets within 300s.

system-view
[HUAWEI] cpu-defend policy policy1
[HUAWEI-cpu-defend-policy-policy1] auto-defend enable  //Enable attack source tracing. By default, this function is disabled.
[HUAWEI-cpu-defend-policy-policy1] auto-defend action deny timer 300  //By default, attack source tracing action is not enabled.

l   Configure a blacklist for local attack defense. The packets from the users in the blacklist are discarded.

If an attack source is considered as attacker (for example, attack source address is 1.1.1.0/24), add the users with the specified characteristics to a blacklist.

# Configure ACL 2001 to match the packets with source address 1.1.1.0/24 and discard the packets matching the ACL.

[HUAWEI] acl number 2001
[HUAWEI-acl-basic-2001] rule permit source 1.1.1.0 0.0.0.255
[HUAWEI-acl-basic-2001] quit
[HUAWEI] cpu-defend policy policy1
[HUAWEI-cpu-defend-policy-policy1] blacklist 1 acl 2001

l   Configure attack source tracing action: shut down the interface receiving attack packets.

If attack packets are sent from a specified interface, and shutdown of this interface does not affect services, use this method.

# Configure attack source tracing action: shut down the interface receiving attack packets.

system-view
[HUAWEI] cpu-defend policy policy1
[HUAWEI-cpu-defend-policy-policy1] auto-defend enable  //Enable attack source tracing. By default, this function is disabled.
[HUAWEI-cpu-defend-policy-policy1] auto-defend action error-down

5.3 Checking Whether the Problem Is Caused by Network Flapping

When network flapping occurs, the network topology frequently changes. The switch is busy with network switching events, causing a high CPU usage. Network flapping includes STP flapping and OSPF route flapping.

STP Flapping

When STP flapping occurs, the switch frequently calculates STP topology, updates MAC address table, and ARP table, causing a high CPU usage.

1.         Fault Location

           If you consider that STP flapping may occur, run the display stp topology-change command multiple times at an interval of several seconds to view STP topology information. Alternatively, you can check the trap and log information on the switch to determine whether STP topology has changed.

# Run the command multiple times. Check whether the value of Number of topology changes increases.

display stp topology-change 
 CIST topology change information
   Number of topology changes             :35
   Time since last topology change        :0 days 1h:7m:30s
   Topology change initiator(notified)    :GigabitEthernet2/0/6
   Topology change last received from     :101b-5498-d3e0
   Number of generated topologychange traps :   38
   Number of suppressed topologychange traps:   8
 
 MSTI 1 topology change information
   Number of topology changes             :0

           When you confirm that network topology is frequently changed, run the display stp tc-bpdu statistics command after several seconds again. Check whether interfaces on the switch have received Topology Change (TC) BPDUs. If so, find out the source of the TC BPDUs, that is, the device causing the topology change.

n   If only the TC(Send) value increases, the topology change is caused by the local switch.

□   If only the TC(Send) value of a single interface increases, the topology change is caused by this interface.

□   If the TC(Send) values of multiple interfaces increase, check the events and logs on the NMS to analyze the STP topology change reason. Find out the interface causing the flapping.

n   If multiple values in the TC(Send/Receive) column increase, check the event and log information on the NMS to determine whether the local switch causes the topology change, and check whether STP flapping occurs on the device connected to the problematic interface.

# View statistics about TC/TCN packets on an interface.

display stp tc-bpdu statistics  
-------------------------- STP TC/TCN information --------------------------
 MSTID Port                    TC(Send/Receive)      TCN(Send/Receive)
 0     GigabitEthernet2/0/6        21/4                  0/1 
 0     GigabitEthernet2/0/7        93/0                  0/1 
 0     GigabitEthernet2/0/8        115/0                 0/0 
 0     GigabitEthernet2/0/9        110/0                 0/0 
 0     GigabitEthernet3/0/23       29/5                  0/0

2.         Suggestion

a.         Enable TC protection trap to help you understand how the switch processes TC BPDUs.

Run the snmp-agent trap enable feature-name mstp and stp tc-protection commands in the system view to enable TC protection trap.

By default, a switch is enabled to prevent topology change attacks. That is, within the stp tc-protection interval, the switch processes a maximum number of stp tc-protection threshold TC BPDUs.

After the trap is enabled, the switch reports the MSTP_1.3.6.1.4.1.2011.5.25.42.4.2.15 hwMstpiTcGuarded and MSTP_1.3.6.1.4.1.2011.5.25.42.4.2.16 hwMstpProTcGuarded traps.

For details about the traps, see 8.1.2 Alarm Information.

b.         Perform operations according to topology changes.

n   STP topology changes when the access interface alternates between Up and Down.

Run the stp edged-port enable command in the interface view to set the access interface as an edge port, and run the stp bpdu-protection command in the system or STP process view to enable BPDU protection.

n   The root bridge is changed unexpectedly.

Run the display stp command. Check whether CIST Root/ERPC is the expected interface MAC address. If not, the root bridge has changed unexpectedly.

Run the stp root-protection command in the interface view to enable root protection, ensuring the correct topology.

display stp
-------[CIST Global Info][Mode MSTP]-------
CIST Bridge:4096 .707b-e8c8-00e9
Config Times:Hello 2s MaxAge 20s FwDly 15s MaxHop 20
Active Times:Hello 2s MaxAge 20s FwDly 15s MaxHop 20
CIST Root/ERPC:4096 .707b-e8c8-00e9 / 0 (This bridge is the root)
CIST RegRoot/IRPC:4096 .707b-e8c8-00e9 / 0 (This bridge is the root)
CIST RootPortId:0.0
BPDU-Protection:Disabled
CIST Root Type:Secondary root
TC or TCN received:1
TC count per hello:0
STP Converge Mode:Normal 
Share region-configuration :Enabled
Time since last TC:1 days 14h:25m:38s
Number of TC:2
Last TC occurred:GigabitEthernet0/0/1
----[Port18(GigabitEthernet0/0/1)][LEARNING]----
Port Protocol:Enabled
Port Role:Designated Port
Port Priority:128
Port Cost(Dot1T ):Config=auto / Active=20000
Designated Bridge/Port:4096.707b-e8c8-00e9 / 128.18
Port Edged:Config=default / Active=disabled
Point-to-point:Config=auto / Active=true
Transit Limit:6 packets/s
Protection Type:None
Port STP Mode:STP  
Port Protocol Type:Config=auto / Active=dot1s
BPDU Encapsulation:Config=stp / Active=stp
PortTimes:Hello 2s MaxAge 20s FwDly 15s RemHop 20
TC or TCN send:0
TC or TCN received:0
BPDU Sent:11
TCN: 0, Config: 12, RST: 0, MST: 1
BPDU Received:0
TCN: 0, Config: 1, RST: 0, MST: 0

c.         If the topology change reason is unknown or the fault persists, collect network information (including interface connections) and logs (the log.log file or the display logbuffer command output), and provide collected information to Huawei switch agents.

OSPF Routing Protocol

Routing protocol flapping causes route re-advertisement and recalculation, which increases the load of the CPU. Generally, OSPF is configured to manage dynamic routing information. Therefore, OSPF route flapping is described here.

1.         Fault Location

           Run the display ospf peer last-nbr-down command to check the reason why the OSPF neighbor relationship goes Down.

The reason is displayed in the Immediate Reason and Primary Reason fields.

           Check logs on the switch to determine why the OSPF neighbor becomes Down.

Run the display logbuffer command, and you can find the following log information:

OSPF/3/NBR_DOWN_REASON:Neighbor state leaves full or changed to Down. (ProcessId=[USHORT], NeighborRouterId=[IPADDR],NeighborAreaId=[ULONG], NeighborInterface=[STRING],NeighborDownImmediate reason=[STRING], NeighborDownPrimeReason=[STRING],NeighborChangeTime=[STRING])

The NeighborDownImmediate reason field indicates the cause for the OSPF neighbor Down event.

2.         Suggestion

Determine the reason depending on the key fields and take measures.

Possible causes of the fault are as follows:

           Neighbor Down Due to Inactivity

The Hello packet is not received within the deadtime (set by the ospf timer dead command in the interface view).

When an OSPF neighbor is Down, OSPF neighbor flapping occurs and OSPF neighbor relationship cannot be set up. Run the display ospf peer brief command to check whether OSPF neighbor flapping occurs or OSPF neighbor relationship cannot be set up.

n   OSPF neighbor relationship flaps.

OSPF neighbor flapping may caused by a small CPCAR value for OSPF, link flapping or congestion on interfaces, and LSA flooding.

1)         Run the display cpu-defend statistics packet-type ospf command to view statistics about the OSPF packets sent to the CPU. If too many OSPF packets are discarded, check whether the switch undergoes an OSPF attack or the CPCAR value for OSPF is too small.

2)         View the log to check whether interfaces alternate between Up and Down. If link flapping or congestion occurs, check the link on the interface.

3)         If the holdtime of the OSPF neighbor relationship is smaller than 20s, run the ospf timer dead interval command to change the holdtime to be larger than 20s.

4)         Run the sham-hello enable command in the OSPF view to enable the OSPF sham-hello function, so that the switch can maintain the neighbor relationship using non-Hello packets such as LSU. This allows the switch to detect OSPF neighbor relationships sensitively.

5)         If the fault persists after the preceding operations are performed, contact Huawei switch agents.

n   OSPF neighbor relationship cannot be set up.

Check whether the configurations in the OSPF view of devices on both ends are the same. If the configurations such as the OSPF area ID or area type (NSSA, stub area, or common area) are different, the two devices cannot establish an OSPF neighbor relationship.

Run the display ospf [ process-id ] interface command to check whether OSPF is successfully enabled on the interfaces.

display ospf 1 interface
 
          OSPF Process 1 with Router ID 2.2.2.2
                  Interfaces
 
 Area: 0.0.0.0          (MPLS TE not enabled)
Interface           IP Address      Type         State    Cost    Pri
Eth0/1/1            10.1.1.2        Broadcast    Waiting  1       1

□   If OSPF is not enabled on interfaces, run the ospf enable [ process-id ] area area-id command in the interface view to enable OSPF.

□   If the OSPF process has been enabled on the related interface, run the display ospf error command multiple times at an interval of several seconds to check whether OSPF authentication information on the two devices is the same according to the Bad authentication type and Bad authentication key fields.

display ospf 1 error
 
          OSPF Process 1 with Router ID 2.2.2.2
                  OSPF error statistics
 
General packet errors:
 0           : IP: received my own packet     3           : Bad packet
 0           : Bad version                  0           : Bad checksum
 0           : Bad area id                  0           : Drop on unnumbered interface
 0           : Bad virtual link             3        : Bad authentication type
 0           : Bad authentication key        0           : Packet too small
 0           : Packet size > ip length         0           : Transmit error
 0           : Interface down               0           : Unknown neighbor
 0           : Bad net segment           0           : Extern option mismatch

- If the value of the Bad authentication type or Bad authentication key value keeps increasing, OSPF authentication information on the two devices is different. To configure the same authentication information for the two devices, run the ospf authentication-mode command in the interface views or run the authentication-mode command in the OSPF process view.

- If the Bad authentication type or Bad authentication key value does not increase, the authentication information is the same. If the neighbor intermittently disappears when the display ospf peer command is executed, OSPF neighbor relationship flaps. To resolve this problem, see section 6.4.

           Neighbor Down Due to Kill Neighbor

If the interface is Down, BFD is Down, or the reset ospf process command is executed, the OSPF neighbor relationship goes Down.

View the NeighborDownPrimeReason field to determine the reason.

           Neighbor Down Due to 1-Wayhello Received or Neighbor Down Due to SequenceNum Mismatch

When the OSPF status of the peer device goes Down first, the peer device sends a 1-Way Hello packet to the local device, causing OSPF on the local device to go Down.

Determine why OSPF status of the peer device becomes Down.

For other reasons, see OSPF/3/NBR_DOWN_REASON in 8.1.3 Log Information.

5.4 Checking Whether the Problem Is Caused by Network Loop

A network loop will cause MAC flapping. A large number of protocol packets are sent to the CPU, overwhelming the CPU.

1.         Fault Location

A network loop may have the following symptoms:

           The CPU usage of a switch exceeds 80%.

           Indicators of interfaces in the VLAN where a loop has occurred blink faster than usual.

           MAC flapping frequently occurs.

           The administrator cannot remotely log in to the switch, and the switch responds to the operations on console port slowly.

           A lot of ICMP packets are lost in ping tests.

           The display interface command output shows a large number of broadcast packets received on an interface.

           Loop alarms are generated after loop detection is enabled.

           The PCs connected to switch receive a large number of broadcast or unknown unicast packets.

2.         Suggestion

a.         Observe interface indicators and collect traffic statistics on interfaces to locate the interfaces undergoing broadcast storms.

b.         Check the devices hop by hop according to the topology to locate the devices that cause the loop.

c.         Locate the interface that causes the loop and shut down the interface to remove the loop.

d.         if the fault persists after the preceding operations are performed, collect network information (including interface connections) and logs (the log.log file or the display logbuffer command output), and provide collected information to Huawei switch agents.

This chapter describes only the method of locating network loops and handling suggestions. For more information, see the network loop troubleshooting guide.

THANKS