No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

Large Number of Error Traps Caused by the ARP Attack Appear on the Layer 2 VLAN

Publication Date:  2012-07-27 Views:  49 Downloads:  0
Issue Description
The log buffer of the V5.30 (NE40E&80E V300R001C01B05D) on the spot contains a large number of VLAN 499.Check the configuration of the VLAN 499 and find that the VLAN 499 is bound to the VPLS and that the VPN operates normally.
interface Vlanif499
l2 binding vsi a499
vsi a499 static
description KAP_TEL_AMTS
pwsignal ldp
vsi-id 499
peer 10.244.9.2
peer 10.244.9.3 
 
Alarm Information
%Apr 3 05:17:04 2008 AMTC_NE40E ADA/5/TS_LOG:Slot=6;
Receiving: source_port = 10, source_blade = 15, vlanId = 499, excp_id = 6, ERR
%Apr 3 05:17:04 2008 AMTC_NE40E ADA/5/TS_LOG:Slot=6;
Receiving: source_port = 10, source_blade = 15, vlanId = 499, excp_id = 6, ERR
%Apr 3 05:17:04 2008 AMTC_NE40E ADA/5/TS_LOG:Slot=7;
Receiving: source_port = 10, source_blade = 15, vlanId = 499, excp_id = 6, ERR
%Apr 3 05:17:04 2008 AMTC_NE40E ADA/5/IMS_LOG:Slot=6;
IMS_INTF_GetIfIndex() get info from g_astVIDNode Error! 
 
Handling Process
Check whether users suffer from ARP attacks caused by the ARP virus. After the host that launches the ARP attack is shielded, preceding traps are not generated frequently. 
Root Cause
Display this message, which means that error packets or ARP attacks exist on the NE40E. Run the following commands to check the number of ARP packets.
[AMTC_NE40E-diag-ne5000]efu ts counter 8 rx
query the ts debug counter receive result :
[counter name] [ value ] [counter name] [ value ] [counter name] [ value ]
R_ETH_HGMP 0000000000 R_ETH_LACP 0000000000 R_ETH_VRRP 0000000000
R_ETUNNEL_FRAG 0000000000 R_IPV4_ARP 0000643057 V4_FWD_MISS 0000000000
V4_ICMP_RDIRCT 0000000000 V4_MC_FWD_MISS 0000000000 V4_MC_FWD_R_MS 0000000000
V4_MC_REGISTER 0000000000 V4_MC_SFT_FWD 0000000000 V4_MTU_EXCEED 0000000000
The number of ARP packets is large; therefore, the fault possibly is resulted from ARP attacks.
VLANIF 499 is not configured with an IP address, so it cannot learn the ARP. The ARP packet is a Layer 3 packet and VLAN499 is a Layer 2 service. In normal condition, If the packets are sent to the CPU for processing, you can conclude that a fault occurs.  
Suggestions
V3R1 is weak in defending against the ARP virus, but the V3R2 is designed to have the ARP attack suppression function. The ARP virus is common on the internet, from a long-term view, it is recommended to upgrade the version. 

END