AntiDDoS8080 cannot clean the traffic because it fails to learn the downstream MAC address

Publication Date:  2016-01-26 Views:  53 Downloads:  0
Issue Description

1. The topology is shown below: upstream traffic goes to the Internet directly, while downstream traffic goes through the AntiDDoS8080 for attack-traffic detection and cleaning. In this deployment the AntiDDoS system protects the internal network.

2. After deployment, the customer found that the downstream traffic could only be monitored intermittently on the ATIC server.

Alarm Information
None
Handling Process

1. Check the configuration: it is correct, and all downstream traffic is sent to the AntiDDoS device by policy-based routing. The interface traffic statistics confirm this:

[AntiDDoS]dis int bri
PHY: Physical
*down: administratively down
(l): loopback
(s): spoofing
(b): BFD down
(d): Dampening Suppressed
InUti/OutUti: input utility/output utility
Interface                   PHY   Protocol  InUti OutUti   inErrors  outErrors
Aux0/0/1                    down  down         0%     0%          0          0
Eth-Trunk1                  up    up        10.49%     0%          0          0
  GigabitEthernet1/0/0(10G) up    up        10.49%     0%          0          0
Eth-Trunk2                  up    up           0%  10.49%          0          0
  GigabitEthernet1/0/2(10G) up    up           0%  10.49%          0          0

2. While downstream traffic is being monitored, check the MAC address table on the AntiDDoS:

<AntiDDoS>dis mac-address
MAC address table of slot 1:
-------------------------------------------------------------------------------
MAC Address    VLAN ID     Left Time(s)    Port            Type
-------------------------------------------------------------------------------
xxxx-xxxx-xxxx 668         270             Eth-Trunk1      dynamic
yyyy-yyyy-yyyy 668         300             Eth-Trunk2      dynamic
-------------------------------------------------------------------------------
Total matching items on slot 1 displayed = 2

3. When the downstream traffic disappears, check the MAC address table on the AntiDDoS again: there is no MAC address entry for Eth-Trunk2, the interface connected to the downstream device.

<AntiDDoS>dis mac-address
MAC address table of slot 1:
-------------------------------------------------------------------------------
MAC Address    VLAN ID     Left Time(s)    Port            Type
-------------------------------------------------------------------------------
xxxx-xxxx-xxxx 668         280             Eth-Trunk1      dynamic
-------------------------------------------------------------------------------
Total matching items on slot 1 displayed = 1

Root Cause
In an asymmetric deployment, the AntiDDoS device cannot learn the MAC address of the downstream router when no traffic is sent from the downstream side to the AntiDDoS device. After discussion with R&D, we confirmed that the LPU (line processing unit) will not forward traffic to the SPU (service processing unit) for the cleaning procedure if there is no MAC address entry for the outgoing interface. That is why the traffic cannot be monitored on the ATIC server.
Solution

Bind the MAC address of the downstream device statically to the interface and VLAN it is connected through, for example:

[AntiDDoS]mac-address static yyyy-yyyy-yyyy  Eth-Trunk2 vlan 668
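The checks in steps 2 and 3 of the handling process, and verification that the static binding from the solution is in place, can be automated. The following Python script is an added example and is not part of this case or of Huawei's product: it parses `display mac-address` output in the format of the captures above (the samples are constructed, with the same placeholder MACs as the case) and reports whether the entry for the downstream port and VLAN is missing, dynamic (it will age out once the downstream router stops sending) or static. The `Left Time(s)` value `-` for static entries is an assumption about the output format.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed samples modelled on the case's captures; MACs are placeholders.
SAMPLE_OK = """\
MAC address table of slot 1:
-------------------------------------------------------------------------------
MAC Address    VLAN ID     Left Time(s)    Port            Type
-------------------------------------------------------------------------------
xxxx-xxxx-xxxx 668         270             Eth-Trunk1      dynamic
yyyy-yyyy-yyyy 668         300             Eth-Trunk2      dynamic
-------------------------------------------------------------------------------
Total matching items on slot 1 displayed = 2
"""

SAMPLE_MISSING = """\
MAC address table of slot 1:
-------------------------------------------------------------------------------
MAC Address    VLAN ID     Left Time(s)    Port            Type
-------------------------------------------------------------------------------
xxxx-xxxx-xxxx 668         280             Eth-Trunk1      dynamic
-------------------------------------------------------------------------------
Total matching items on slot 1 displayed = 1
"""

# Assumed format after `mac-address static ... Eth-Trunk2 vlan 668`: no ageing time.
SAMPLE_STATIC = """\
MAC address table of slot 1:
-------------------------------------------------------------------------------
MAC Address    VLAN ID     Left Time(s)    Port            Type
-------------------------------------------------------------------------------
xxxx-xxxx-xxxx 668         250             Eth-Trunk1      dynamic
yyyy-yyyy-yyyy 668         -               Eth-Trunk2      static
-------------------------------------------------------------------------------
Total matching items on slot 1 displayed = 2
"""


@dataclass
class MacEntry:
    mac: str
    vlan: int
    left_time: Optional[int]  # None when the entry does not age out
    port: str
    kind: str                 # "dynamic" or "static"


# One table row: xxxx-xxxx-xxxx <vlan> <left time or -> <port> <type>
_ENTRY_RE = re.compile(
    r"^(?P<mac>\S{4}-\S{4}-\S{4})\s+(?P<vlan>\d+)\s+(?P<left>\S+)\s+"
    r"(?P<port>\S+)\s+(?P<kind>\S+)$"
)


def parse_mac_table(text: str) -> List[MacEntry]:
    """Extract the entry rows; headers, separator lines and the total line are skipped."""
    entries: List[MacEntry] = []
    for raw in text.splitlines():
        m = _ENTRY_RE.match(raw.strip())
        if not m:
            continue
        left = m.group("left")
        entries.append(MacEntry(
            mac=m.group("mac").lower(),
            vlan=int(m.group("vlan")),
            left_time=int(left) if left.isdigit() else None,
            port=m.group("port"),
            kind=m.group("kind").lower(),
        ))
    return entries


def downstream_entry_state(entries: List[MacEntry], port: str, vlan: int) -> str:
    """Return 'static', 'dynamic' or 'missing' for the downstream (port, vlan) pair."""
    for e in entries:
        if e.port == port and e.vlan == vlan:
            return "static" if e.kind == "static" else "dynamic"
    return "missing"


def report(text: str, port: str, vlan: int) -> str:
    """Human-readable verdict for one capture, mapping the state to the case's root cause."""
    state = downstream_entry_state(parse_mac_table(text), port, vlan)
    detail = {
        "missing": "no MAC entry: LPU will not hand traffic to the SPU, cleaning stops",
        "dynamic": "dynamic entry: ages out when the downstream router stops sending",
        "static": "static entry: bound with mac-address static, survives idle periods",
    }[state]
    return f"{state.upper()} on {port} VLAN {vlan}: {detail}"


if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("missing", SAMPLE_MISSING), ("static", SAMPLE_STATIC)):
        print(f"[{name}] {report(sample, 'Eth-Trunk2', 668)}")
```

Run this periodically against the live `display mac-address` output (collected over the device's management interface) and alert on `MISSING`; after applying the static binding, the expected steady state is `STATIC`, and a return to `DYNAMIC` or `MISSING` means the binding was lost.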

Suggestions

1. This deployment is not a standard scenario; such a project should be delivered only after full testing in the lab.

2. R&D should consider usage scenarios more thoroughly and improve the design.

END