No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>


To have a better experience, please upgrade your IE browser.


FAQ - What does it mean the large amount of Dropped-Packets Application Apperceive?

Publication Date:  2013-10-31 Views:  30 Downloads:  0
Issue Description

Customer saw number of dropped application-apperceive packets in his cpu-defend-statistics output of NE40E. NE40E has V600R001SPC039 software version.

Handling Process
From <NE40>dis cpu-defend all statistics we can see the quantity of Application-Apperceive packets:
<NE40-IPBB-KNG-01>dis cpu-defend all statistics
Slot/Intf Attack-Type                    Total-Packets    Passed-Packets  Dropped-Packets

2         Application-Apperceive        292855948      102447752      190408196
              OSPF                                33640276       26234350        7405926
               VRRP                             213246561       30244291        183002270
From configuration of NE40 we found, that VRRP protocol is not used, so discarded packets are related to this - device is dropped such packets, when they received from network.
OSPF protocol type is P2P, so DR election packets are discarded, for example, and are showed in cpu-defend statistics.
Root Cause
We can see, that If the bandwidth for packet sending is configured, run the display cpu-defend application-apperceive statistics [ slot slot-id ] command to check whether all the packets are sent to the CPU. If the command output contains the number of discarded packets, it indicates that the bandwidth is restricted to protect the CX device. As a result, some packets are discarded. If the bandwidth for packet sending is not configured, protocol packets are sent to the CPU according to the bandwidth configured on the CX device
Solution: Application layer association improves device security by directly discarding packets of disabled protocols or setting a low CAR for these packets to be sent to the CPU. This can effectively prevent flooding attacks. So, it is not recommended to disable it.
If there is large dropped packet in the cpu-defend statistics,such as:arp,vrrp,ldp,ospf, it means some flooding attacks.In this situation, the normal protocol packet will be also dropped. The protocol maybe interrupt.
So we need find the flood source,and stop the attack.If we can not find the attack source,we can use display attack-source-trace to capture the flood packet then use acl to stop the flood packet.