AR Router Troubleshooting Guide

This Product Documentation provides guidance for maintaining AR Enterprise Router, covering common information collection and fault diagnostic commands, typical fault troubleshooting guide, and troubleshooting.
User Traffic Is Interrupted by a Large Number of Bogus ARP Packets
Common Causes

This fault is commonly caused by the following:

  • An attacker sends a large number of bogus ARP packets, increasing the load on the destination network segment. These ARP packets are sent to the CPU, causing high CPU usage. DoS attacks may also be initiated in this way.

Troubleshooting Flowchart

The AR100&AR120&AR150&AR160&AR200&AR1200&AR2200&AR3200&AR3600 uses the CPCAR mechanism to limit the rate of ARP packets sent to the CPU. If an attacker sends a large number of bogus ARP packets, valid ARP packets are also discarded when the bandwidth limit is exceeded. Consequently, user traffic is interrupted.

Figure 22-10 shows the troubleshooting flowchart.

Figure 22-10  Troubleshooting flowchart for traffic interruption caused by bogus ARP packets

Troubleshooting Procedure

NOTE:

Saving the results of each troubleshooting step is recommended. If troubleshooting fails to correct the fault, you will have a record of your actions to provide Huawei technical support personnel.

ARP attack packets include ARP request packets and ARP reply packets. In the following procedure, the ARP attack packets are ARP request packets. If the ARP attack packets on your network are ARP reply packets, change the arp-request parameter to arp-reply.

Procedure

  1. Run the display arp command on the AR100&AR120&AR150&AR160&AR200&AR1200&AR2200&AR3200&AR3600 to view ARP entries of authorized users.

    • If ARP entries of authorized users are displayed, the AR100&AR120&AR150&AR160&AR200&AR1200&AR2200&AR3200&AR3600 has learned the ARP entries, and traffic interruption is caused by a short link disconnection. In this case, rectify link faults.
    • If no ARP entry is displayed, go to step 2.

  2. Run the display cpu-defend statistics packet-type arp-request command to view the statistics about ARP requests.

    • If the count of dropped ARP requests is 0, go to step 8.
    • If the count of dropped ARP requests is not 0, the rate of ARP requests exceeds the CPCAR rate limit and excess ARP requests are discarded. Go to step 3.

  3. Run the display cpu-usage command to check the CPU usage of the main control board.

    • If the CPU usage is in the normal range but ARP requests are discarded, the rate limit is too small. Go to step 4.
    • If the CPU usage is high, the CPU may be attacked by ARP packets. Go to step 5.

  4. Run the packet-type command in the attack defense policy view to increase the rate limit for ARP requests and apply the attack defense policy.
  5. Capture packets on the user-side interface, and find the attacker according to the source addresses of ARP requests.

    If a large number of ARP requests are sent from a source address, the AR100&AR120&AR150&AR160&AR200&AR1200&AR2200&AR3200&AR3600 considers the source address to be an attack source. Add the source address to the blacklist or configure a blackhole MAC address entry to discard ARP requests sent by the attacker.

  6. Run the arp speed-limit source-ip command in the system view to set the rate limit for ARP packets from the attack source.

    By default, ARP packet suppression based on source IP addresses is enabled, and the maximum rate of ARP requests is limited to 5 pps. After the rate of ARP requests reaches this limit, the AR100&AR120&AR150&AR160&AR200&AR1200&AR2200&AR3200&AR3600 discards subsequent ARP requests.

  7. If the fault persists, collect the following information and contact technical support personnel:

    • Results of the preceding troubleshooting procedure
    • Configuration file, log file, and alarm file of the AR100&AR120&AR150&AR160&AR200&AR1200&AR2200&AR3200&AR3600
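To illustrate step 5, the following is an added example (not Huawei's code and not router output) that applies the same per-source reasoning offline: it parses raw Ethernet/ARP frames from a capture and flags any sender whose ARP request rate in a one-second window exceeds the 5 pps default quoted in step 6. The frames, timestamps, MAC addresses and IP addresses are constructed sample data, and the opcode parameter mirrors the arp-request/arp-reply choice described above.

```python
import struct
from collections import defaultdict

ETH_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

def build_arp(op, smac, sip, tip):
    """Build a minimal Ethernet+ARP frame (constructed test input, not a real capture)."""
    eth = b"\xff" * 6 + smac + struct.pack("!H", ETH_ARP)          # broadcast dst, src, ethertype
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)              # hw=Ethernet, proto=IPv4
    return eth + arp + smac + sip + b"\x00" * 6 + tip              # sender/target hw+proto addrs

def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_ARP:
        return None
    hw, proto, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if hw != 1 or proto != 0x0800 or hlen != 6 or plen != 4:
        return None
    return op, frame[22:28], ".".join(str(b) for b in frame[28:32])

def flood_sources(capture, opcode=ARP_REQUEST, limit_pps=5):
    """Count ARP packets of `opcode` per sender IP in 1-second buckets and
    return {sender_ip: peak_pps} for every sender whose peak exceeds limit_pps."""
    buckets = defaultdict(int)
    for ts, frame in capture:
        parsed = parse_arp(frame)
        if parsed and parsed[0] == opcode:
            buckets[(parsed[2], int(ts))] += 1
    peak = defaultdict(int)
    for (ip, _sec), n in buckets.items():
        peak[ip] = max(peak[ip], n)
    return {ip: n for ip, n in peak.items() if n > limit_pps}

# Constructed capture: a normal host (2 requests/s) and a flooding host (20 requests/s).
GATEWAY = bytes([10, 1, 1, 1])
SAMPLE = (
    [(0.1 + 0.5 * i, build_arp(ARP_REQUEST, b"\x00\x11\x22\x33\x44\x20",
                               bytes([10, 1, 1, 20]), GATEWAY)) for i in range(2)]
    + [(0.04 * i, build_arp(ARP_REQUEST, b"\xde\xad\xbe\xef\x00\x99",
                            bytes([10, 1, 1, 99]), GATEWAY)) for i in range(20)]
)

if __name__ == "__main__":
    print(flood_sources(SAMPLE))   # {'10.1.1.99': 20}
```

A sender reported here is the candidate for the blacklist or blackhole MAC entry in step 5; the 10.1.1.20 host stays below the limit and is not reported.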

Updated: 2019-05-10

Document ID: EDOC1000079719