No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

Configuration Guide - Security

S7700 and S9700 V200R011C10

This document describes the configurations of Security, including ACL, reflective ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, URPF, keychain, separating the management plane from the service plane, security risks.
Rate and give feedback :
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
How Can I Handle an ARP Learning Failure Caused by ARP Miss Messages?

How Can I Handle an ARP Learning Failure Caused by ARP Miss Messages?

Such an ARP learning failure is caused by one of the following:
  • Because of a small rate limit for ARP Miss messages, the device discards normal ARP Miss messages and cannot send ARP Request packets to destination networks according to the ARP Miss messages.

  • Because of a small CPCAR value for ARP Miss packets, the device discards normal ARP Miss packets and cannot send ARP Request packets to destination networks.

  • As the attacker sends lots of network segment scanning packets to the device, the device triggers a large number of ARP Miss messages, consuming considerable CPU resources. As a result, the device cannot process normal ARP Miss messages.

Perform the following steps to rectify the fault. Saving the results of each troubleshooting step is recommended. If your troubleshooting fails to correct the fault, record your actions and provide the record to technical support personnel.

  1. Run the display arp all command in the user view to check ARP entries.

    If the MAC address field in an ARP entry displays Incomplete, the device has failed to learn this ARP entry. You can obtain IP address and interface information from the entry.

  2. Obtain packet headers on the interface connecting the device to the user, and analyze the source IP addresses of packets.

  3. Run the display cpu-defend statistics packet-type arp-miss all command in the user view to check whether the Drop value of ARP Miss packets increases.
    • If the count of dropped ARP Miss packets is 0, the device has failed to learn ARP entries because of a small rate limit for ARP Miss messages.

      Go to step 5 to increase the rate limit for ARP Miss messages based on site requirements.

    • If the count of dropped ARP Miss packets is not 0, the rate of ARP Miss packets exceeds the CPCAR rate limit and excess ARP Miss packets are discarded. Check whether the CPCAR value for ARP Miss packets is set properly.

      • If no, go to step 4 to increase the CPCAR value of ARP Miss packets.

      • If yes, this problem occurs because the attacker is sending lots of network segment scanning packets to the device. The device then triggers a large number of ARP Miss messages, consuming considerable CPU resources and affecting normal message processing.

        Locate the attacker based on the source address. Check whether the user hosts are infected by viruses and remove the viruses, or add the source address of attack packets to the blacklist or configure a blackhole MAC address entry to discard the packets sent by the attacker.

  4. Run the car command in the attack defense policy view to increase the CPCAR value for ARP Miss packets.

    Improper CPCAR settings will affect services on your network. If you need to adjust CPCAR settings, you are advised to contact technical support personnel for help.

    The attack defense policy can take effect only after it is applied.

    If the fault persists or the fault is rectified but CPU usage is still high, go to step 5 to decrease the rate limit of ARP Miss messages.

  5. Run the display arp anti-attack configuration [ arpmiss-speed-limit | arpmiss-rate-limit ] command in the user view to check configuration of ARP Miss rate suppression.

    • Run the arp-miss speed-limit source-ip [ ip-address ] maximum maximum command in the system view to configure the maximum rate of ARP Miss messages sent from a specified source IP address.
    • Run the arp-miss anti-attack rate-limit packet packet-number [ interval interval-value ] command in the system view, VLAN view, or interface view to configure the rate limiting duration and rate limit value for ARP Miss messages.

      In versions earlier than V200R003C00, the packet and interval parameters are not supported on the device and do not need to be configured.

  6. If the fault persists, collect the following information and contact technical support personnel:

    • Result of the preceding procedure
    • Configuration file, logs, and alarms of the device
Translation
Download
Updated: 2019-04-01

Document ID: EDOC1000178319

Views: 135911

Downloads: 78

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next