S12700 (V200R008C00) with an AC6005 attached in bypass mode: wireless users see heavy packet loss when pinging the gateway after coming online

Published: 2016-05-05

Problem description

Project topology:

    S12700 --- AC6005
       |
     S5700
       |
      AP

The S12700 is the core device. The AC6005 is attached to the S12700 in bypass mode, and the gateway for wireless users is on the S12700.

After wireless users come online, pinging the gateway shows high latency and heavy packet loss.

Alarm information

Apr 25 2016 20:11:11 XXXXXXXX-Core-S12708 %%01SECE/4/PORT_ATTACK_OCCUR(l)[27]:Auto port-defend started.(SourceAttackInterface=GigabitEthernet1/8/0/11, AttackProtocol=ARP-REQUEST)
Apr 25 2016 20:09:38 XXXXXXXX-Core-S12708 %%01SECE/4/PORT_ATTACK_OCCUR(l)[28]:Auto port-defend started.(SourceAttackInterface=GigabitEthernet2/8/0/7, AttackProtocol=ARP-REQUEST)
Apr 25 2016 20:09:02 XXXXXXXX-Core-S12708 %%01SECE/4/PORT_ATTACK_OCCUR(l)[36]:Auto port-defend started.(SourceAttackInterface=GigabitEthernet1/8/0/16, AttackProtocol=ARP-REQUEST)

Apr 25 2016 20:38:49 XXXXXXXX-Core-S12708 %%01SECE/4/SPECIFY_SIP_ATTACK(l)[4]:The specified source IP address attack occurred.(Slot=LPU20, SourceAttackIP=x.x.x.22, AttackProtocol=ARP, AttackPackets=128 packets per second)
Apr 25 2016 20:38:49 XXXXXXXX-Core-S12708 %%01SECE/4/PORT_ATTACK(l)[5]:Port attack occurred.(Slot=LPU20, SourceAttackInterface=GigabitEthernet2/8/0/6, OuterVlan/InnerVlan=1001/0, AttackProtocol=ARP, AttackPackets=128 packets per second)
Apr 25 2016 20:38:49 XXXXXXXX-Core-S12708 %%01SECE/4/USER_ATTACK(l)[6]:User attack occurred.(Slot=LPU20, SourceAttackInterface=GigabitEthernet2/8/0/6, OuterVlan/InnerVlan=1001/0, UserMacAddress=xxxx-xxxx-c166, AttackProtocol=ARP AttackPackets=128 packets per second)

Handling process

1. To rule out poor wireless signal, the test PC was moved to a location with good signal; ping still lost a large number of packets.

2. Wi-Fi on the test PC was turned off and the PC was connected by cable directly to the PoE switch; ping still lost packets.

3. The device system log was checked and contained a large number of port-attack alarms, with attack type ARP request.

4. To protect its CPU, the switch applies a CAR (committed access rate) value to each protocol packet type, limiting the rate at which protocol packets are sent to the CPU. The large volume of ARP request attack packets consumed the bandwidth reserved for sending ARP to the CPU, so legitimate ARP packets could not reach the CPU. This shows up as heavy ping packet loss.

5. Attack source tracing was configured for ARP packets to identify the users sending the attack packets and to apply a punishment period (default 5 minutes) to them. During the punishment period the switch discards all ARP packets from that user, which protects the other users.

Configure attack source tracing:

    cpu-defend policy defend_arp_slot
    auto-defend trace-type source-mac
    auto-defend protocol arp

Apply the attack source tracing policy globally:

    cpu-defend-policy defend_arp_slot global

After attack source tracing was configured, the log shows entries confirming that tracing has taken effect, and ping tests from the PC show no packet loss.

Apr 28 2016 10:02:22 XXXXXXXX-Core-S12708 %%01SECE/4/STRACK_DENY(l)[429]:Some packets are dropped because an attack is detected.(Interface=GigabitEthernet2/8/0/11, sourceMAC=xxxx-xxxx-3e30, sourceIP=0.0.0.0, CVLAN=0, PVLAN=0)
Apr 28 2016 10:02:22 XXXXXXXX-Core-S12708 %%01SECE/4/USER_ATTACK(l)[430]:User attack occurred.(Slot=LPU20, SourceAttackInterface=GigabitEthernet2/8/0/11, OuterVlan/InnerVlan=1001/0, UserMacAddress=xxxx-xxxx-3e30, AttackProtocol=ARP AttackPackets=185 packets per second)
Apr 28 2016 10:01:59 XXXXXXXX-Core-S12708 %%01SECE/4/STRACK_DENY(l)[432]:Some packets are dropped because an attack is detected.(Interface=GigabitEthernet2/8/0/13, sourceMAC=xxxx-xxxx-a808, sourceIP=0.0.0.0, CVLAN=0, PVLAN=0)
Apr 28 2016 10:01:59 XXXXXXXX-Core-S12708 %%01SECE/4/USER_ATTACK(l)[433]:User attack occurred.(Slot=LPU20, SourceAttackInterface=GigabitEthernet2/8/0/13, OuterVlan/InnerVlan=1001/0, UserMacAddress=xxxx-xxxx-a808, AttackProtocol=ARP AttackPackets=285 packets per second)
Apr 28 2016 10:01:11 XXXXXXXX-Core-S12708 %%01SECE/4/STRACK_DENY(l)[435]:Some packets are dropped because an attack is detected.(Interface=GigabitEthernet2/8/0/10, sourceMAC=xxxx-xxxx-920a, sourceIP=0.0.0.0, CVLAN=0, PVLAN=0)
Apr 28 2016 10:01:11 XXXXXXXX-Core-S12708 %%01SECE/4/USER_ATTACK(l)[436]:User attack occurred.(Slot=LPU20, SourceAttackInterface=GigabitEthernet2/8/0/10, OuterVlan/InnerVlan=1001/0, UserMacAddress=xxxx-xxxx-920a, AttackProtocol=ARP AttackPackets=190 packets per second)

6. Once the attack source tracing punishment period expires, the user can access the network normally, provided the attack has stopped.
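As an added illustration (not part of the original case), the following Python script parses the SECE/4 log formats shown above and summarises, per source MAC, the interfaces involved, the peak ARP rate reported by USER_ATTACK and whether an STRACK_DENY entry shows that attack source tracing has already started dropping that user's ARP. The sample lines are constructed from the masked entries in this case, and the 100 pps threshold is an assumed triage value.

```python
import re
from collections import defaultdict

# Sample lines constructed from the masked SECE/4 log entries in this case.
SAMPLE_LOGS = [
    "Apr 25 2016 20:38:49 XXXXXXXX-Core-S12708 %%01SECE/4/USER_ATTACK(l)[6]:User attack occurred.(Slot=LPU20, SourceAttackInterface=GigabitEthernet2/8/0/6, OuterVlan/InnerVlan=1001/0, UserMacAddress=xxxx-xxxx-c166, AttackProtocol=ARP AttackPackets=128 packets per second)",
    "Apr 28 2016 10:02:22 XXXXXXXX-Core-S12708 %%01SECE/4/STRACK_DENY(l)[429]:Some packets are dropped because an attack is detected.(Interface=GigabitEthernet2/8/0/11, sourceMAC=xxxx-xxxx-3e30, sourceIP=0.0.0.0, CVLAN=0, PVLAN=0)",
    "Apr 28 2016 10:02:22 XXXXXXXX-Core-S12708 %%01SECE/4/USER_ATTACK(l)[430]:User attack occurred.(Slot=LPU20, SourceAttackInterface=GigabitEthernet2/8/0/11, OuterVlan/InnerVlan=1001/0, UserMacAddress=xxxx-xxxx-3e30, AttackProtocol=ARP AttackPackets=185 packets per second)",
    "Apr 28 2016 10:01:59 XXXXXXXX-Core-S12708 %%01SECE/4/USER_ATTACK(l)[433]:User attack occurred.(Slot=LPU20, SourceAttackInterface=GigabitEthernet2/8/0/13, OuterVlan/InnerVlan=1001/0, UserMacAddress=xxxx-xxxx-a808, AttackProtocol=ARP AttackPackets=285 packets per second)",
    "Apr 25 2016 20:11:11 XXXXXXXX-Core-S12708 %%01SECE/4/PORT_ATTACK_OCCUR(l)[27]:Auto port-defend started.(SourceAttackInterface=GigabitEthernet1/8/0/11, AttackProtocol=ARP-REQUEST)",
]

# Timestamp, hostname, SECE event name and the parenthesised key=value fields.
SECE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"%%01SECE/4/(?P<event>[A-Z_]+)\(l\)\[\d+\]:[^(]*\((?P<fields>.*)\)\s*$"
)


def parse_sece(line):
    """Parse one SECE log line into a dict; return None for anything else."""
    m = SECE_RE.match(line)
    if not m:
        return None
    rec = {"timestamp": m.group("ts"), "host": m.group("host"), "event": m.group("event")}
    # Fields are comma separated, except "AttackProtocol=ARP AttackPackets=..." which the
    # switch prints without a comma, so also split on whitespace that precedes a key.
    for item in re.split(r",\s*|\s+(?=\w+=)", m.group("fields")):
        key, sep, value = item.partition("=")
        if sep:
            rec[key.strip()] = value.strip()
    return rec


def summarize_arp_attackers(lines, rate_threshold=100):
    """Per source MAC: interfaces seen, peak ARP pps, and whether tracing already punished it."""
    per_mac = defaultdict(lambda: {"interfaces": set(), "max_pps": 0, "traced": False})
    for line in lines:
        rec = parse_sece(line)
        if rec is None:
            continue
        if rec["event"] == "USER_ATTACK" and rec.get("AttackProtocol", "").startswith("ARP"):
            entry = per_mac[rec["UserMacAddress"]]
            entry["interfaces"].add(rec["SourceAttackInterface"])
            entry["max_pps"] = max(entry["max_pps"], int(rec["AttackPackets"].split()[0]))
        elif rec["event"] == "STRACK_DENY":  # attack source tracing dropped this MAC's ARP
            entry = per_mac[rec["sourceMAC"]]
            entry["interfaces"].add(rec["Interface"])
            entry["traced"] = True
    return {mac: {**e, "interfaces": sorted(e["interfaces"])}
            for mac, e in per_mac.items() if e["traced"] or e["max_pps"] >= rate_threshold}
```

Run it against the switch's exported log to see which MACs and ports are driving the ARP CAR exhaustion and which of them the configured tracing policy is already punishing.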

Root cause

To protect its CPU, the switch applies a CAR (committed access rate) value to each protocol packet type, limiting the rate at which protocol packets are sent to the CPU. The large volume of ARP request attack packets consumed the bandwidth reserved for sending ARP to the CPU, so legitimate ARP packets could not reach the CPU. This shows up as heavy ping packet loss.

Solution

Configure attack source tracing:

    cpu-defend policy defend_arp_slot
    auto-defend trace-type source-mac
    auto-defend protocol arp

Apply the attack source tracing policy globally:

    cpu-defend-policy defend_arp_slot global

END