Alarm Handling

S9300, S9300E, and S9300X V200R013C00

This document provides the explanations, causes, and recommended actions of alarms on the product.
SECE

SECE_1.3.6.1.4.1.2011.5.25.165.2.2.1.1 hwStrackUserInfo

Description

SECE/4/STRACKUSER: OID [oid] An attack occurred. (Interface=[OCTET], SourceMAC=[OCTET], InnerVlan=[INTEGER], OuterVlan=[INTEGER], EndTime=[OCTET], TotalPackets=[INTEGER])

The system detects an attack.

Attribute

Alarm ID Alarm Severity Alarm Type
1.3.6.1.4.1.2011.5.25.165.2.2.1.1 Warning securityServiceOrMechanismViolation(10)

Parameters

Name Meaning
OID Indicates the MIB object ID of the alarm.
Interface Indicates the access interface of the attacker.
SourceMAC Indicates the source MAC address of packets sent from the attacker.
InnerVlan Indicates the inner VLAN ID of packets sent from the attacker.
OuterVlan Indicates the outer VLAN ID of packets sent from the attacker.
EndTime Indicates the end time of the attack.
TotalPackets Indicates the number of packets received from the attacker.

Impact on the System

The CPU is busy processing attack packets. As a result, normal service packets cannot be processed in time or are even discarded.

Possible Causes

The rate of packets with the specified MAC address and VLAN ID sent to the CPU exceeds the alarm threshold specified by the auto-defend threshold command. By default, the alarm threshold is 60 pps.

Procedure

  1. Run the display auto-defend attack-source detail command to check the possible attack source and check whether the system is normal according to the protocol type and packet increase rate.
  2. If the user initiates the attack, you can add the user to the blacklist in the attack defense policy view to prevent the user's packets from being sent to the CPU.
  3. If the fault cause is unknown, collect device configurations, alarms, and logs, and then contact technical support personnel.
  4. End.

Related Information

None

SECE_1.3.6.1.4.1.2011.5.25.165.2.2.1.2 hwStrackIfVlanInfo

Description

SECE/4/STRACKPORT: OID [oid] An attack occurred. (Interface=[OCTET], InnerVlan=[INTEGER], OuterVlan=[INTEGER], EndTime=[OCTET], TotalPackets=[INTEGER])

The system detects an attack on an interface.

Attribute

Alarm ID Alarm Severity Alarm Type
1.3.6.1.4.1.2011.5.25.165.2.2.1.2 Warning securityServiceOrMechanismViolation(10)

Parameters

Name Meaning
OID Indicates the MIB object ID of the alarm.
Interface Indicates the access interface of the attacker.
InnerVlan Indicates the inner VLAN ID of the attacker.
OuterVlan Indicates the outer VLAN ID of packets sent from the attacker.
EndTime Indicates the end time of the attack.
TotalPackets Indicates the number of packets received from the attacker.

Impact on the System

The CPU is busy processing attack packets. As a result, normal service packets cannot be processed in time or are even discarded.

Possible Causes

The rate of packets with the specified interface and VLAN ID sent to the CPU exceeds the alarm threshold specified by the auto-defend threshold command. By default, the alarm threshold is 60 pps.

Procedure

  1. Run the display auto-defend attack-source detail command to check the possible attack source on an interface and check whether the interface is normal according to the packet increase rate in entries.
  2. If an attack is initiated by a user and the user is the only one connected to the interface, you can shut down the interface and check whether the interface is normal.
  3. If the interface is connected to multiple users and some users initiate attacks, you can configure the blacklist.
  4. If only entries exist on the interface or entries cannot be determined, collect device configurations, alarms, and logs, and then contact technical support personnel.
  5. End.

Related Information

None

SECE_1.3.6.1.4.1.2011.5.25.165.2.2.1.3 hwStrackDenyPacket

Description

SECE/4/STRACK_DENY: OID [oid] Some packets are dropped because an attack is detected. (Interface=[OCTET], SourceMAC=[OCTET], SourceIP=[OCTET], InnerVlan=[INTEGER], OuterVlan=[INTEGER])

The system detected an attack source and dropped packets sent from the attack source.

Attribute

Alarm ID Alarm Severity Alarm Type
1.3.6.1.4.1.2011.5.25.165.2.2.1.3 Warning securityServiceOrMechanismViolation(10)

Parameters

Name Meaning
OID Indicates the MIB object ID of the alarm.
Interface Indicates the access interface of the attacker.
SourceMAC Indicates the source MAC address of packets sent from the attacker.
SourceIP Indicates the source IP address of packets sent from the attacker.
InnerVlan Indicates the inner VLAN ID of packets sent from the attacker.
OuterVlan Indicates the outer VLAN ID of packets sent from the attacker.

Impact on the System

The device detected an attack on the CPU and dropped packets sent from the attack source to the CPU.

Possible Causes

A user sent a large number of packets to the user, and the number of packets exceeded the threshold for identifying an attack.

Procedure

  1. Run the display auto-defend attack-source detail command to check the detected attack source and check whether it is an authorized user.
  2. If the detected attack source is an unauthorized user, you do not need to take any action because the attack packets have been dropped by the device. Go to Step 6.
  3. If the detected attack source is an authorized user, add the user to the whitelist to exclude the user from attack source tracing.
  4. If multiple attack sources are detected and all of them are authorized users, the attack source tracing threshold is too low. (The default value is 128 pps.) Run the auto-defend threshold threshold command to increase the threshold. Go to Step 6.
  5. If the alarm persists, collect the configuration, alarms, and logs of the device and contact technical support personnel.
  6. End.

Related Information

None

SECE_1.3.6.1.4.1.2011.5.25.165.2.2.1.4 hwStrackErrorDown

Description

SECE/4/STRACK_ERROR_DOWN: OID [oid] Interface's status is changed to error-down because an attack is detected, Interface [OCTET].

The system detected an attack source and set the source interface of the attack packets to error-down state.

Attribute

Alarm ID Alarm Severity Alarm Type
1.3.6.1.4.1.2011.5.25.165.2.2.1.4 Warning securityServiceOrMechanismViolation(10)

Parameters

Name Meaning
OID Indicates the MIB object ID of the alarm.
Interface Indicates the access interface of the attacker.

Impact on the System

The interface in error-down state cannot work.

Possible Causes

The device received a large number of packets from the interface, and the rate of received packets exceeded the alarm threshold specified by the auto-defend threshold command to identify an attack. Therefore, the device identified the interface as an attack source. By default, the alarm threshold is 60 pps.

Procedure

  1. Run the display auto-defend attack-source detail command to check the detected attack source and check whether it is an authorized user.
  2. If the interface is attacked and it connects to only one user, you do not need to take any action because the attack has been blocked. Go to Step 5.
  3. If the interface connects to multiple users and some users initiate attacks, you can configure the blacklist.
  4. If only entries exist on the interface or entries cannot be determined, collect device configurations, alarms, and logs, and then contact technical support personnel.
  5. End.

Related Information

None

SECE_1.3.6.1.4.1.2011.5.25.165.2.2.1.5 hwStrackIPInfo

Description

SECE/4/STRACKIP: OID [oid] An attack occurred. (Interface=[OCTET], SourceIP=[OCTET], InnerVlan=[INTEGER], OuterVlan=[INTEGER], EndTime=[OCTET], TotalPackets=[INTEGER])

The system detects that a user has initiated an attack.

Attribute

Alarm ID Alarm Severity Alarm Type
1.3.6.1.4.1.2011.5.25.165.2.2.1.5 Warning environmentalAlarm(6)

Parameters

Name Meaning
OID Indicates the MIB object ID of the alarm.
Interface Indicates the interface connected to the attacker.
SourceIP Indicates the source IP address of the attacker.
InnerVlan Indicates the inner VLAN ID of packets sent from the attacker.
OuterVlan Indicates the outer VLAN ID of packets sent from the attacker.
EndTime Indicates the end time of the attack.
TotalPackets Indicates the number of packets received from the attacker.

Impact on the System

The device is attacked.

Possible Causes

The source IP address-based tracing is enabled on the device, and the device detects a possible attack source.

Procedure

  1. Run the display auto-defend attack-source detail command to check the possible attack source and check whether the system is normal according to the protocol type and packet increase rate.
  2. If you confirm that the user has initiated the attack, add the user to the blacklist in the cpu-defend policy template so that the device will not forward the packets sent by the user to the CPU.
  3. If you cannot confirm that the attack is initiated by this user, collect device configurations, alarms, and logs, and then contact technical support personnel.
  4. End.

Related Information

None
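
The attack source tracing alarms above that carry a parenthesised field list (STRACKUSER, STRACKPORT, STRACK_DENY, STRACKIP) can be parsed into structured events and grouped per access interface before the procedures are worked through. The following Python is an added example, not Huawei code; only the message layout comes from the Description entries on this page, while the log prefix, interface names, addresses and EndTime format in the sample are constructed assumptions.

```python
import re

# Mnemonic, OID and parenthesised field list, laid out as in the Description
# templates on this page. Text before "SECE/4/" (timestamp, host name) is
# ignored because the page does not show that part of the line.
ALARM_RE = re.compile(
    r"SECE/4/(?P<name>[A-Z_]+): OID (?P<oid>[\d.]+) .*?\((?P<fields>[^()]*)\)\s*$"
)
INT_FIELDS = {"InnerVlan", "OuterVlan", "TotalPackets"}
STRACK_ALARMS = {"STRACKUSER", "STRACKPORT", "STRACKIP", "STRACK_DENY"}

# Constructed sample lines (assumed prefix, names, addresses and EndTime format).
_OID = "1.3.6.1.4.1.2011.5.25.165.2.2.1."
SAMPLE_LOG = [
    f"2019-03-01 10:15:21 SW1 SECE/4/STRACKUSER: OID {_OID}1 An attack occurred. "
    "(Interface=GigabitEthernet1/0/1, SourceMAC=0000-5e00-5301, InnerVlan=0, "
    "OuterVlan=10, EndTime=2019-03-01 10:15:20, TotalPackets=1200)",
    f"2019-03-01 10:15:21 SW1 SECE/4/STRACKPORT: OID {_OID}2 An attack occurred. "
    "(Interface=GigabitEthernet1/0/1, InnerVlan=0, OuterVlan=10, "
    "EndTime=2019-03-01 10:15:20, TotalPackets=1500)",
    f"2019-03-01 10:15:22 SW1 SECE/4/STRACK_DENY: OID {_OID}3 Some packets are "
    "dropped because an attack is detected. (Interface=GigabitEthernet1/0/1, "
    "SourceMAC=0000-5E00-5301, SourceIP=192.0.2.25, InnerVlan=0, OuterVlan=10)",
    f"2019-03-01 10:16:02 SW1 SECE/4/STRACKIP: OID {_OID}5 An attack occurred. "
    "(Interface=GigabitEthernet1/0/2, SourceIP=192.0.2.77, InnerVlan=0, "
    "OuterVlan=20, EndTime=2019-03-01 10:16:00, TotalPackets=300)",
    # Truncated in transit: no closing parenthesis, so it must be rejected.
    f"2019-03-01 10:16:05 SW1 SECE/4/STRACKUSER: OID {_OID}1 An attack occurred. "
    "(Interface=GigabitEthernet1/0/3, SourceMAC",
    # No field list at all: outside the scope of this parser.
    f"2019-03-01 10:16:09 SW1 SECE/4/STRACK_ERROR_DOWN: OID {_OID}4 Interface's "
    "status is changed to error-down because an attack is detected, "
    "Interface GigabitEthernet1/0/4.",
]


def parse_alarm(line):
    """Return the alarm as a dict, or None if the line has no valid field list."""
    m = ALARM_RE.search(line)
    if m is None:
        return None
    event = {"alarm": m["name"], "oid": m["oid"]}
    for pair in m["fields"].split(","):
        key, sep, value = (part.strip() for part in pair.partition("="))
        if not sep or not key:
            return None  # malformed field: reject rather than guess
        numeric = key in INT_FIELDS and value.isdigit()
        event[key] = int(value) if numeric else value
    return event


def summarize_by_interface(lines):
    """Group attack source tracing alarms by the Interface field."""
    summary = {}
    for line in lines:
        event = parse_alarm(line)
        if not event or event["alarm"] not in STRACK_ALARMS or "Interface" not in event:
            continue
        entry = summary.setdefault(event["Interface"], {
            "macs": set(), "ips": set(),
            "packets_by_alarm": {},    # kept per alarm: port- and user-level
            "device_dropping": False,  # counters may describe the same traffic
        })
        if "SourceMAC" in event:
            entry["macs"].add(event["SourceMAC"].lower())
        if "SourceIP" in event:
            entry["ips"].add(event["SourceIP"])
        if isinstance(event.get("TotalPackets"), int):
            per_alarm = entry["packets_by_alarm"]
            per_alarm[event["alarm"]] = per_alarm.get(event["alarm"], 0) + event["TotalPackets"]
        if event["alarm"] == "STRACK_DENY":
            entry["device_dropping"] = True  # device already drops this source
    return summary


def rank_interfaces(summary):
    """Interfaces ordered by their largest per-alarm packet count."""
    def peak(name):
        return max(summary[name]["packets_by_alarm"].values(), default=0)
    return sorted(summary, key=peak, reverse=True)


if __name__ == "__main__":
    result = summarize_by_interface(SAMPLE_LOG)
    for name in rank_interfaces(result):
        print(name, result[name])
```

An interface with device_dropping set corresponds to the STRACK_DENY case, where the device has already dropped the source's packets; the other entries still need the display auto-defend attack-source detail check described in the procedures.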

SECE_1.3.6.1.4.1.2011.5.25.165.2.2.2.1 hwARPSGatewayConflict

Description

SECE/4/GATEWAY_CONFLICT: OID [oid] Gateway conflict. (SourceInterface=[OCTET], SourceIP=[OCTET], SourceMAC=[OCTET], OuterVlan=[INTEGER], InnerVlan=[INTEGER])

The system detects attack packets whose source IP addresses are the same as the gateway IP address.

Attribute

Alarm ID Alarm Severity Alarm Type
1.3.6.1.4.1.2011.5.25.165.2.2.2.1 Warning equipmentAlarm(5)

Parameters

Name Meaning
OID Indicates the MIB object ID of the alarm.
SourceInterface Indicates the source interface of packets.
SourceIP Indicates the source IP address of packets.
SourceMAC Indicates the source MAC address of packets.
OuterVlan Indicates the outer VLAN ID of packets.
InnerVlan Indicates the inner VLAN ID of packets.

Impact on the System

If this alarm is generated, the user gateway information may be modified by an attacker. As a result, the user is attacked and user services are interrupted.

Possible Causes

The device is attacked by packets whose source IP address is the same as the gateway IP address.

Procedure

  1. Find the interface where the gateway conflict occurs according to the value of SourceInterface.
  2. Lock the user who sends gateway conflict packets according to the values of SourceMAC and OuterVlan.
  3. Check whether the allocated address of the user conflicts with the gateway address. If the address conflicts, allocate an address to the user again. If the address does not conflict, the user may be the attacker. In this case, you can take such measures as disconnecting the user.

Related Information

None

SECE_1.3.6.1.4.1.2011.5.25.165.2.2.2.2 hwARPSEntryCheck

Description

SECE/4/ARP_ENTRY_CHECK: OID [oid] Arp entry attack. (SourceInterface=[OCTET], SourceIP=[OCTET], SourceMAC=[OCTET], OuterVlan=[INTEGER], InnerVlan=[INTEGER])

The system detects attack packets used to modify ARP entries.

Attribute

Alarm ID Alarm Severity Alarm Type
1.3.6.1.4.1.2011.5.25.165.2.2.2.2 Warning equipmentAlarm(5)

Parameters

Name Meaning
OID Indicates the MIB object ID of the alarm.
SourceInterface Indicates the source interface of packets.
SourceIP Indicates the source IP address of packets.
SourceMAC Indicates the source MAC address of packets.
OuterVlan Indicates the outer VLAN ID of packets.
InnerVlan Indicates the inner VLAN ID of packets.

Impact on the System

If this alarm is generated, ARP entries on the device may be changed to ARP entries of attackers. As a result, user traffic is intercepted by attackers and user services are interrupted.

Possible Causes

The device is attacked by packets used to modify ARP entries.

Procedure

  1. Find the interface where attacks occur according to SourceInterface.
  2. Check whether users who are not in the DHCP snooping binding table range are connected to the interface.
  3. If new users are connected, run related DHCP snooping commands to generate the DHCP snooping binding table. Then find the interface where the gateway conflict occurs according to the value of SourceInterface.

Related Information

None

SECE_1.3.6.1.4.1.2011.5.25.165.2.2.2.3 hwARPSPacketCheck

Description

SECE/4/ARP_PACKET_CHECK: OID [oid] Invalid packet. (SourceInterface=[OCTET], SourceIP=[OCTET], SourceMAC=[OCTET], OuterVlan=[INTEGER], InnerVlan=[INTEGER])

The system detects invalid ARP packets.

Attribute

Alarm ID Alarm Severity Alarm Type
1.3.6.1.4.1.2011.5.25.165.2.2.2.3 Warning equipmentAlarm(5)

Parameters

Name Meaning
OID Indicates the MIB object ID of the alarm.
SourceInterface Indicates the source interface of packets.
SourceIP Indicates the source IP address of packets.
SourceMAC Indicates the source MAC address of packets.
OuterVlan Indicates the outer VLAN ID of packets.
InnerVlan Indicates the inner VLAN ID of packets.

Impact on the System

If this alarm is generated, the device may be attacked. If the attack traffic volume is heavy, the device is busy processing attack packets. As a result, services of authorized users are interrupted.

Possible Causes

The device receives invalid ARP packets.

Procedure

  1. Find the interface where the gateway conflict occurs according to the value of SourceInterface.
  2. Lock the user who sends gateway conflict packets according to the values of SourceMAC and PVLAN.
  3. Check whether the allocated address of the user conflicts with the gateway address. If the address conflicts, allocate an address to the user again. If the address does not conflict, the user may be the attacker. In this case, you can take such measures as disconnecting the user.

Related Information

None

SECE_1.3.6.1.4.1.2011.5.25.165.2.2.2.4 hwARPSDaiDropALarm

Description

SECE/4/DAI_DROP_ALARM: OID [oid] The packet number dropped by DAI reaches [INTEGER], exceed the alarm threshold [INTEGER], Interface [OCTET].

The number of packets discarded by Dynamic ARP Inspection (DAI) exceeds the alarm threshold.

Attribute

Alarm ID Alarm Severity Alarm Type
1.3.6.1.4.1.2011.5.25.165.2.2.2.4 Warning equipmentAlarm(5)

Parameters

Name Meaning
oid Indicates the MIB object ID of the alarm.
INTEGER1 Indicates the number of discarded packets.
INTEGER2 Indicates the alarm threshold.
Interface Indicates the VLAN, source MAC address, and source IP address of packets.

Impact on the System

If this alarm is generated, the device may be attacked. If the attack traffic volume is heavy, the device is busy processing attack packets. As a result, services of authorized users are interrupted.

Possible Causes

The number of packets discarded by DAI exceeds the alarm threshold. By default, the alarm threshold for ARP packets discarded by DAI is 100 packets.

Procedure

  • If user services are not affected, the alarm does not need to be handled.
  • If user services are interrupted, perform the following operations:

    1. Run the display dhcp static user-bind { { interface interface-type interface-number | ip-address ip-address | mac-address mac-address | vlan vlan-id } * | all } [ verbose ] or display dhcpv6 static user-bind { { interface interface-type interface-number | ipv6-address { ipv6-address | all } | mac-address mac-address | vlan vlan-id } * | all } [ verbose ] command to check the static binding entries.

    2. Find out the interface and user host that initiate the attack. Check whether the host is attacked. If not, the host belongs to the attacker. Take measures to defend against the attack, for example, disconnect the attacker's host.
    3. Collect alarm and configuration information, and contact technical support personnel.

Related Information

None

SECE_1.3.6.1.4.1.2011.5.25.165.2.2.2.5 hwARPGlobalSpeedLimitALarm

Description

SECE/4/ARP_GLOBAL_SPEEDLIMIT_ALARM: OID [oid] The global arp packet speed exceed the speed-limit value configed [INTEGER].

The rate of ARP packets exceeds the alarm threshold.

Attribute

Alarm ID Alarm Severity Alarm Type
1.3.6.1.4.1.2011.5.25.165.2.2.2.5 Warning equipmentAlarm(5)

Parameters

Name Meaning
oid Indicates the MIB object ID of the alarm.
INTEGER Indicates the alarm threshold.

Impact on the System

If the alarm is generated, it indicates that the user traffic volume exceeds the threshold. The excess traffic is discarded by the device. As a result, user traffic may be interrupted intermittently.

Possible Causes

The global ARP packet rate exceeds the alarm threshold.

Procedure

  • If user services are not affected, the alarm does not need to be handled.
  • If the user services are intermittently disconnected, run the arp anti-attack rate-limit packet packet-number command in the system view to adjust the ARP rate limit. Adjusting the rate limit may affect CPU usage. You are advised to contact technical support personnel.

Related Information

None

SECE_1.3.6.1.4.1.2011.5.25.165.2.2.2.6 hwARPIfSpeedLimitALarm

Description

SECE/4/ARP_IF_SPEEDLIMIT_ALARM: OID [oid] The interface arp packet speed exceed the speed-limit value configed [INTEGER], interface [OCTET].

The rate of ARP packets on an interface exceeds the alarm threshold.

Attribute

Alarm ID Alarm Severity Alarm Type
1.3.6.1.4.1.2011.5.25.165.2.2.2.6 Warning equipmentAlarm(5)

Parameters

Name Meaning
oid Indicates the MIB object ID of the alarm.
INTEGER Indicates the alarm threshold.
Interface Indicates the source interface of packets.

Impact on the System

If the alarm is generated, it indicates that the user traffic volume exceeds the threshold. The excess traffic is discarded by the device. As a result, user traffic may be interrupted intermittently.

Possible Causes

The rate of ARP packets on an interface exceeds the alarm threshold.

Procedure

  • If user services are not affected, the alarm does not need to be handled.
  • If the user services are intermittently disconnected, run the arp anti-attack rate-limit packet packet-number command in the interface view to adjust the ARP rate limit. Adjusting the rate limit may affect CPU usage. You are advised to contact technical support personnel.

Related Information

None

SECE_1.3.6.1.4.1.2011.5.25.165.2.2.2.7 hwARPVlanSpeedLimitALarm

Description

SECE/4/ARP_VLAN_SPEEDLIMIT_ALARM: OID [oid] The vlan arp packet speed exceed the speed-limit value configed [INTEGER1], Vlan [INTEGER2].

The rate of ARP packets in a VLAN exceeds the alarm threshold.

Attribute

Alarm ID Alarm Severity Alarm Type
1.3.6.1.4.1.2011.5.25.165.2.2.2.7 Warning equipmentAlarm(5)

Parameters

Name Meaning
oid Indicates the MIB object ID of the alarm.
INTEGER1 Indicates the alarm threshold.
INTEGER2 Indicates the outer VLAN ID of packets.

Impact on the System

If the alarm is generated, it indicates that the user traffic volume exceeds the threshold. The excess traffic is discarded by the device. As a result, user traffic may be interrupted intermittently.

Possible Causes

The rate of ARP packets in a VLAN exceeds the alarm threshold.

Procedure

  • If user services are not affected, the alarm does not need to be handled.
  • If the user services are intermittently disconnected, run the arp anti-attack rate-limit packet packet-number command in the VLAN view to adjust the ARP rate limit. Adjusting the rate limit may affect CPU usage. You are advised to contact technical support personnel.

Related Information

None

SECE_1.3.6.1.4.1.2011.5.25.165.2.2.2.8 hwARPMissGlobalSpeedLimitALarm

Description

SECE/4/ARPMISS_GLOBAL_SPEEDLIMIT_ALARM: OID [oid] The global arp-miss packet speed exceed the speed-limit value configed [INTEGER].

The rate of ARP Miss messages for a device exceeds the upper limit, and the number of discarded ARP Miss messages exceeds the configured alarm threshold.

Attribute

Alarm ID Alarm Severity Alarm Type
1.3.6.1.4.1.2011.5.25.165.2.2.2.8 Warning equipmentAlarm(5)

Parameters

Name Meaning
oid Indicates the MIB object ID of the alarm.
INTEGER Indicates the alarm threshold.

Impact on the System

If the alarm is generated, the rate of ARP Miss messages triggered by user traffic exceeds the upper limit. The device discards excess traffic. As a result, user traffic may be interrupted intermittently.

Possible Causes

If a host sends a large number of IP packets with unresolvable destination IP addresses to attack a device (the device has a route to the destination IP address of a packet but has no ARP entry matching the next hop of the route), the device generates a large number of ARP Miss messages. When the rate of ARP Miss messages for the device exceeds the upper limit and the number of discarded ARP Miss messages exceeds the alarm threshold, the device generates the alarm.

Procedure

  1. Run the reset cpu-defend statistics command to clear statistics on the ARP Miss messages sent to the CPU.
  2. Wait for 1 minute, and run the display cpu-defend statistics all command to check the number of ARP Miss messages sent to the CPU within 1 minute.

    Check whether a large number of packets are discarded:

    • If so, go to step 3.

    • If not, verify that the network is secure and use either of the following methods to prevent generation of this alarm:

      • Run the undo arp-miss anti-attack rate-limit alarm enable command to globally disable the alarm function for the ARP Miss messages discarded when the rate of ARP Miss messages exceeds the upper limit.

        After the alarm function is disabled, the device will not report an alarm when the number of discarded ARP Miss messages exceeds the alarm threshold.

      • Run the info-center source SECE channel 4 log state off command to disable the device from sending SECE alarm information.

  3. Run the display arp all command to check ARP entries.

    If the MAC address field in an ARP entry displays Incomplete, the device fails to learn this ARP entry.

  4. Obtain packet headers on the interface connecting the device to the user, and locate the attack source according to the source addresses of ARP Request packets.

    Check whether the attacker is infected with viruses.

    • If so, you are advised to remove viruses from the user host. You can also add the address of the user to the blacklist or configure a blackhole MAC address entry to discard ARP request packets sent by the attacker.

    • If not, go to step 5.

  5. Run the display arp anti-attack configuration arpmiss-rate-limit command to check global configuration of source-based ARP-Miss suppression.
  6. Run the arp-miss anti-attack rate-limit packet packet-number [ interval interval-value ] command to modify the maximum rate and rate limit duration of ARP Miss messages globally based on the site requirements.
  7. If the alarm is frequently generated, collect alarm information and contact technical support personnel.

Related Information

None

SECE_1.3.6.1.4.1.2011.5.25.165.2.2.2.9 hwARPMissIfSpeedLimitALarm

Description

SECE/4/ARPMISS_IF_SPEEDLIMIT_ALARM: OID [oid] The interface arp-miss packet speed exceed the speed-limit value configed [INTEGER], interface [OCTET].

The rate of ARP Miss messages for an interface exceeds the upper limit, and the number of discarded ARP Miss messages exceeds the configured alarm threshold.

Attribute

Alarm ID Alarm Severity Alarm Type
1.3.6.1.4.1.2011.5.25.165.2.2.2.9 Warning equipmentAlarm(5)

Parameters

Name Meaning
oid Indicates the MIB object ID of the alarm.
INTEGER Indicates the alarm threshold.
Interface Indicates the source interface of packets.

Impact on the System

If the alarm is generated, the rate of ARP Miss messages triggered by user traffic exceeds the upper limit. The device discards excess traffic. As a result, user traffic may be interrupted intermittently.

Possible Causes

If a host sends a large number of IP packets with unresolvable destination IP addresses to attack a device (the device has a route to the destination IP address of a packet but has no ARP entry matching the next hop of the route), the device generates a large number of ARP Miss messages. When the rate of ARP Miss messages for an interface exceeds the upper limit and the number of discarded ARP Miss messages exceeds the alarm threshold, the device generates the alarm.

Procedure

  1. Run the reset cpu-defend statistics command to clear statistics on the ARP Miss messages sent to the CPU.
  2. Wait for 1 minute, and run the display cpu-defend statistics all command to check the number of ARP Miss messages sent to the CPU within 1 minute.

    Check whether a large number of packets are discarded:

    • If so, go to step 3.

    • If not, verify that the network is secure and use either of the following methods to prevent generation of this alarm:

      • Run the undo arp-miss anti-attack rate-limit alarm enable command to disable the alarm function on the interface for the ARP Miss messages discarded when the rate of ARP Miss messages exceeds the upper limit.

        After the alarm function is disabled, the device will not report an alarm when the number of discarded ARP Miss messages exceeds the alarm threshold.

      • Run the info-center source SECE channel 4 log state off command to disable the device from sending SECE alarm information.

  3. Run the display arp all command to check ARP entries.

    If the MAC address field in an ARP entry displays Incomplete, the device fails to learn this ARP entry.

  4. Obtain packet headers on the interface connecting the device to the user, and locate the attack source according to the source addresses of ARP Request packets.

    Check whether the attacker is infected with viruses.

    • If so, you are advised to remove viruses from the user host. You can also add the address of the user to the blacklist or configure a blackhole MAC address entry to discard ARP request packets sent by the attacker.

    • If not, go to step 5.

  5. Run the display arp anti-attack configuration arpmiss-rate-limit command to check configuration of source-based ARP-Miss suppression on the interface.
  6. Run the arp-miss anti-attack rate-limit packet packet-number [ interval interval-value ] command to modify the rate limiting duration and rate limit value for ARP Miss messages on the interface based on the site requirements.
  7. If the alarm is frequently generated, collect alarm information and contact technical support personnel.

Related Information

None

SECE_1.3.6.1.4.1.2011.5.25.165.2.2.2.10 hwARPMissVlanSpeedLimitALarm

Description

SECE/4/ARPMISS_VLAN_SPEEDLIMIT_ALARM: OID [oid] The vlan arp-miss packet speed exceed the speed-limit value configed [INTEGER], Vlan [INTEGER].

The rate of ARP Miss messages in a VLAN exceeds the upper limit, and the number of discarded ARP Miss messages exceeds the configured alarm threshold.

Attribute

Alarm ID Alarm Severity Alarm Type
1.3.6.1.4.1.2011.5.25.165.2.2.2.10 Warning equipmentAlarm(5)

Parameters

Name Meaning
oid Indicates the MIB object ID of the alarm.
INTEGER Indicates the alarm threshold.
Vlan Indicates the outer VLAN ID of packets.

Impact on the System

If the alarm is generated, the rate of ARP Miss messages triggered by user traffic exceeds the upper limit. The device discards excess traffic. As a result, user traffic may be interrupted intermittently.

Possible Causes

If a host sends a large number of IP packets with unresolvable destination IP addresses to attack a device (the device has a route to the destination IP address of a packet but has no ARP entry matching the next hop of the route), the device generates a large number of ARP Miss messages. When the rate of ARP Miss messages in the VLAN exceeds the upper limit and the number of discarded ARP Miss messages exceeds the alarm threshold, the device generates the alarm.

Procedure

  1. Run the reset cpu-defend statistics command to clear statistics on the ARP Miss messages sent to the CPU.
  2. Wait for 1 minute, and run the display cpu-defend statistics all command to check the number of ARP Miss messages sent to the CPU within 1 minute. Check whether a large number of packets are discarded:

    • If so, go to step 3.

    • If not, verify that the network is secure and use either of the following methods to prevent generation of this alarm:

      • Run the undo arp-miss anti-attack rate-limit alarm enable command to disable the alarm function in the VLAN for the ARP Miss messages discarded when the rate of ARP Miss messages exceeds the upper limit.

        After the alarm function is disabled, the device will not report an alarm when the number of discarded ARP Miss messages exceeds the alarm threshold.

      • Run the info-center source SECE channel 4 log state off command to disable the device from sending SECE alarm information.

  3. Run the display arp all command to check ARP entries.

    If the MAC address field in an ARP entry displays Incomplete, the device fails to learn this ARP entry.

  4. Obtain packet headers on the interface connecting the device to the user, and locate the attack source according to the source addresses of ARP Request packets.

    Check whether the attacker is infected with viruses.

    • If so, you are advised to remove viruses from the user host. You can also add the address of the user to the blacklist or configure a blackhole MAC address entry to discard ARP request packets sent by the attacker.

    • If not, go to step 5.

  5. Run the display this include-default | include arp-miss command to check the configuration of ARP Miss rate limiting based on source IP address.
  6. Run the arp-miss speed-limit source-ip ip-address [ mask mask ] maximum maximum block timer timer command to set the rate limit for ARP Miss messages based on source IP address and set the handling method for ARP Miss messages to block.
  7. If the alarm is frequently generated, collect alarm information and contact technical support personnel.

Related Information

None

SECE_1.3.6.1.4.1.2011.5.25.165.2.2.2.11 hwArpSourceIpSpeedLimitALarm

Description

SECE/4/ARP_SIP_SPEEDLIMIT_ALARM: OID [oid] The arp packet speed with source ip [OCTET] exceed the speed-limit value configed [INTEGER].

The rate of ARP packets with the specified source IP address exceeds the threshold.

Attribute

Alarm ID Alarm Severity Alarm Type
1.3.6.1.4.1.2011.5.25.165.2.2.2.11 Warning equipmentAlarm(5)

Parameters

Name Meaning
oid Indicates the MIB object ID of the alarm.
OCTET Indicates the source IP address of packets.
INTEGER Indicates the alarm threshold.

Impact on the System

If the alarm is generated, it indicates that the user traffic volume exceeds the threshold. The excess traffic is discarded by the switch. Therefore, user traffic is interrupted intermittently.

Possible Causes

The rate of ARP packets with the specified source IP address exceeds the threshold.

Procedure

  • If user services are not affected, the alarm does not need to be handled.
  • If user services are interrupted intermittently, run the arp speed-limit source-ip ip-address maximum maximum command to adjust the ARP rate limit for the user with a specified IP address. Adjusting the rate limit may affect CPU usage. You are advised to contact technical support personnel.

Related Information

None
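
The DAI and ARP rate-limit alarms above carry their values positionally rather than as Name=value pairs, so one way to parse them is to compile the message templates from the Description entries into regular expressions and then count how often each alarm recurs for the same interface, VLAN or source IP. The following Python is an added example, not Huawei code; the field labels, the sample lines and the min_count value are assumptions (the page does not define "frequently"), and it assumes emitted messages follow the templates exactly.

```python
import re
from collections import Counter

# Templates copied from the Description entries on this page. The field names
# on the right are labels chosen for this example; their meanings follow each
# alarm's Parameters table. The ARP Miss alarms follow the same pattern.
TEMPLATES = {
    "DAI_DROP_ALARM": (
        "OID [oid] The packet number dropped by DAI reaches [INTEGER], "
        "exceed the alarm threshold [INTEGER], Interface [OCTET].",
        ("oid", "dropped", "threshold", "interface")),
    "ARP_GLOBAL_SPEEDLIMIT_ALARM": (
        "OID [oid] The global arp packet speed exceed the speed-limit value "
        "configed [INTEGER].",
        ("oid", "threshold")),
    "ARP_IF_SPEEDLIMIT_ALARM": (
        "OID [oid] The interface arp packet speed exceed the speed-limit value "
        "configed [INTEGER], interface [OCTET].",
        ("oid", "threshold", "interface")),
    "ARP_VLAN_SPEEDLIMIT_ALARM": (
        "OID [oid] The vlan arp packet speed exceed the speed-limit value "
        "configed [INTEGER1], Vlan [INTEGER2].",
        ("oid", "threshold", "vlan")),
    "ARP_SIP_SPEEDLIMIT_ALARM": (
        "OID [oid] The arp packet speed with source ip [OCTET] exceed the "
        "speed-limit value configed [INTEGER].",
        ("oid", "source_ip", "threshold")),
}
PLACEHOLDER = re.compile(r"\[(oid|INTEGER\d*|OCTET)\]")
VALUE_PATTERN = {"oid": r"[\d.]+", "INTEGER": r"\d+", "OCTET": r".+?"}
LINE_RE = re.compile(r"SECE/4/(?P<name>[A-Z_]+): (?P<body>.*)")


def compile_template(template):
    """Turn a page template into a regex with one group per placeholder."""
    regex = ""
    # re.split with a capture group alternates literal text and placeholders.
    for index, piece in enumerate(PLACEHOLDER.split(template)):
        if index % 2 == 0:
            regex += re.escape(piece)
        else:
            regex += "(" + VALUE_PATTERN[piece.rstrip("0123456789")] + ")"
    return re.compile(regex)


COMPILED = {name: (compile_template(text), fields)
            for name, (text, fields) in TEMPLATES.items()}


def parse_positional(line):
    """Return a dict for a known positional alarm, else None."""
    m = LINE_RE.search(line)
    if m is None or m["name"] not in COMPILED:
        return None
    regex, fields = COMPILED[m["name"]]
    hit = regex.fullmatch(m["body"].strip())
    if hit is None:
        return None  # text deviates from the template: do not guess
    event = {"alarm": m["name"]}
    for field, value in zip(fields, hit.groups()):
        event[field] = int(value) if value.isdigit() else value
    return event


def scope_of(event):
    """What the limit applies to: an interface, a VLAN, a source IP, or global."""
    for key in ("interface", "vlan", "source_ip"):
        if key in event:
            return f"{key}={event[key]}"
    return "global"


def recurring_alarms(lines, min_count=3):
    """Alarms seen at least min_count times for the same scope."""
    counts = Counter()
    for line in lines:
        event = parse_positional(line)
        if event is not None:
            counts[(event["alarm"], scope_of(event))] += 1
    return {key: n for key, n in counts.items() if n >= min_count}


# Constructed sample lines (interface names, values and repetition are made up).
_OID = "1.3.6.1.4.1.2011.5.25.165.2.2.2."
_ARP_IF = (f"SECE/4/ARP_IF_SPEEDLIMIT_ALARM: OID {_OID}6 The interface arp packet "
           "speed exceed the speed-limit value configed 50, "
           "interface GigabitEthernet1/0/7.")
SAMPLE_LINES = [
    _ARP_IF, _ARP_IF, _ARP_IF,
    f"SECE/4/DAI_DROP_ALARM: OID {_OID}4 The packet number dropped by DAI reaches "
    "180, exceed the alarm threshold 100, Interface GigabitEthernet1/0/7.",
    f"SECE/4/ARP_VLAN_SPEEDLIMIT_ALARM: OID {_OID}7 The vlan arp packet speed "
    "exceed the speed-limit value configed 200, Vlan 30.",
    f"SECE/4/ARP_SIP_SPEEDLIMIT_ALARM: OID {_OID}11 The arp packet speed with "
    "source ip 192.0.2.9 exceed the speed-limit value configed 30.",
]

if __name__ == "__main__":
    print(recurring_alarms(SAMPLE_LINES))
```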

SECE_1.3.6.1.4.1.2011.5.25.165.2.2.2.12 hwARPMissSIPSpeedLimitALarm

Description

SECE/4/ARPMISS_SIP_SPEEDLIMIT_ALARM: OID [oid] The arp-miss packet speed with source ip [OCTET] exceed the speed-limit value configed [INTEGER].

The rate of ARP Miss messages with the specified source IP address exceeds the configured alarm threshold.

Attribute

Alarm ID Alarm Severity Alarm Type
1.3.6.1.4.1.2011.5.25.165.2.2.2.12 Warning equipmentAlarm(5)

Parameters

Name Meaning
oid Indicates the MIB object ID of the alarm.
OCTET Indicates the source IP address of packets.
INTEGER Indicates the alarm threshold.

Impact on the System

If the alarm is generated, the user traffic volume exceeds the threshold. The device discards excess traffic. As a result, user traffic may be interrupted intermittently.

Possible Causes

If a host sends a large number of IP packets with unresolvable destination IP addresses to attack a device (the device has a route to the destination IP address of a packet but has no ARP entry matching the next hop of the route), the device generates a large number of ARP Miss messages. When the rate of ARP Miss messages with the specified source IP address exceeds the alarm threshold, the device generates the alarm.

Procedure

  1. Run the reset cpu-defend statistics command to clear statistics on the ARP Miss messages sent to the CPU.
  2. Wait for 1 minute, and run the display cpu-defend statistics all command to check the number of ARP Miss messages sent to the CPU within 1 minute. Check whether a large number of packets are discarded:

    • If so, locate the attack source according to the IP address in the alarm information and check whether the attack source is infected with viruses.

      • If so, you are advised to remove viruses from the user host. You can also add the address of the user to the blacklist or configure a blackhole MAC address entry to discard ARP request packets sent by the attacker.

      • If not, go to step 3.

    • If not, verify that the network is secure and use either of the following methods to prevent generation of this alarm:

      • Run the arp-miss speed-limit source-ip [ ip-address ] maximum 0 command to disable the rate limit on ARP Miss messages based on source IP addresses.

        • If ip-address is not specified, ARP Miss message rate limiting is disabled for all source IP addresses. If a large number of ARP Miss messages are generated for a certain source IP address, the CPU usage may be excessively high.
        • If ip-address is specified, ARP Miss message rate limiting is disabled for this source IP address. If a large number of ARP Miss messages are generated for the source IP address, the CPU usage may be excessively high.
      • Run the info-center source SECE channel 4 log state off command to disable the device from sending SECE alarm information.

  3. Run the display arp anti-attack configuration arpmiss-speed-limit command to check the configuration of source-based ARP-Miss suppression.
  4. Run the arp-miss speed-limit source-ip [ ip-address ] maximum maximum command to modify the maximum rate of ARP Miss messages based on the site requirements.
  5. If the alarm is frequently generated, collect alarm information and contact technical support personnel.

SECE_1.3.6.1.4.1.2011.5.25.165.2.2.2.13 hwArpIfRateLimitBlockALarm

Description

SECE/4/ARP_RATELIMIT_BLOCK_ALARM: OID [oid] All arp packets will be blocked on interface [OCTET], block time [INTEGER] seconds.

After rate limiting on ARP packets is configured, the rate of ARP packets exceeds the rate limit.

Attribute

Alarm ID Alarm Severity Alarm Type
1.3.6.1.4.1.2011.5.25.165.2.2.2.13 Warning securityServiceOrMechanismViolation(10)

Parameters

Name Meaning
[oid] Indicates the MIB object ID of the alarm.
OCTET Indicates the interface name.
INTEGER Indicates the time ARP packets are blocked.

Impact on the System

All the ARP packets received on the interface are discarded.

Possible Causes

The rate of ARP packets received on the interface exceeds the rate limit.

Procedure

  • If user services are not affected, the alarm does not need to be handled.
  • If the user services are intermittently disconnected, run the arp anti-attack rate-limit packet packet-number command in the interface view to adjust the ARP rate limit. Adjusting the rate limit may affect CPU usage. You are advised to contact technical support personnel.

Related Information

None

SECE_1.3.6.1.4.1.2011.5.25.165.2.2.2.15 hwArpSourceMacSpeedLimitAlarm

Description

SECE/4/ARP_SMAC_SPEEDLIMIT_ALARM: OID [oid] The arp packet speed with source mac [OCTET] exceed the speed-limit value configed [INTEGER].

The rate of ARP packets with the specified source MAC address exceeds the threshold.

Attribute

Alarm ID Alarm Severity Alarm Type
1.3.6.1.4.1.2011.5.25.165.2.2.2.15 Warning QoS Alarm(2)

Parameters

Name Meaning
oid Indicates the MIB object ID of the alarm.
OCTET Indicates the source MAC address of packets.
INTEGER Indicates the alarm threshold.

Impact on the System

If the alarm is generated, the user traffic volume exceeds the threshold, and excess traffic will be discarded. If the traffic belongs to a service, the service of the specified source MAC address may be intermittently interrupted. If the traffic is generated by an ARP attack, the packet rate limit helps prevent bandwidth exhaustion.

Possible Causes

  • Cause 1: The user sets a low alarm threshold for the rate of ARP packets with the specified source MAC address.
  • Cause 2: The user of that specified source MAC address sends ARP attack packets.

Procedure

  1. Cause 1: The user sets a low alarm threshold for the rate of ARP packets with the specified source MAC address.

    Run the arp speed-limit source-mac [ mac-address ] maximum maximum command to adjust the alarm threshold for the rate of ARP packets with the specified source MAC address.

  2. Cause 2: The user of that specified source MAC address sends ARP attack packets.

    Check the ARP attack source based on the MAC address and process the attack source.
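
The three source-keyed alarms above (ARP_SIP_SPEEDLIMIT_ALARM, ARPMISS_SIP_SPEEDLIMIT_ALARM and ARP_SMAC_SPEEDLIMIT_ALARM) share one message shape, so a log collector can parse them with a single pattern and tell one repeatedly alarming source apart from a limit that many sources trip. The Python below is an added example, not part of the Huawei documentation; the timestamp and hostname prefix, the sample addresses and the repeat/spread heuristic are assumptions.

```python
import re
from collections import Counter, defaultdict

# Templates copied from the Description fields on this page; [oid], [OCTET] and
# [INTEGER] become capture groups. "exceed" and "configed" are the device's wording.
ALARM_RE = re.compile(
    r"SECE/4/(?P<alarm>ARP_SIP_SPEEDLIMIT_ALARM|ARPMISS_SIP_SPEEDLIMIT_ALARM"
    r"|ARP_SMAC_SPEEDLIMIT_ALARM):\s*OID\s+(?P<oid>[0-9.]+)\s+"
    r"The (?P<kind>arp-miss|arp) packet speed with source (?P<key>ip|mac) "
    r"(?P<source>\S+) exceed the speed-limit value configed (?P<limit>\d+)"
)


def parse_alarm(line):
    """Return the alarm fields as a dict, or None for unrelated lines."""
    m = ALARM_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["limit"] = int(rec["limit"])
    return rec


def triage(lines, repeat=3, spread=3):
    """Summarise alarms per (alarm name, configured limit).

    Assumed heuristic, not from the page: a source that trips the same limit
    `repeat` times is worth locating as a possible attack source, while
    `spread` or more distinct sources tripping one limit suggests the limit
    is set low for this network.
    """
    hits = defaultdict(Counter)
    for line in lines:
        rec = parse_alarm(line)
        if rec:
            hits[(rec["alarm"], rec["limit"])][rec["source"]] += 1
    return {
        group: {
            "investigate": sorted(s for s, n in sources.items() if n >= repeat),
            "threshold_review": len(sources) >= spread,
        }
        for group, sources in hits.items()
    }


# Constructed sample lines. The alarm IDs ending .12 and .15 are from this page;
# the timestamp/hostname prefix and all addresses are made up for the example.
OID = "1.3.6.1.4.1.2011.5.25.165.2.2.2."
MISS = ("Apr 9 2019 10:00:0{} SW1 SECE/4/ARPMISS_SIP_SPEEDLIMIT_ALARM: OID " + OID + "12 "
        "The arp-miss packet speed with source ip 192.0.2.10 exceed the speed-limit value configed 30.")
SMAC = ("Apr 9 2019 10:01:0{} SW1 SECE/4/ARP_SMAC_SPEEDLIMIT_ALARM: OID " + OID + "15 "
        "The arp packet speed with source mac {} exceed the speed-limit value configed 5.")
MACS = ["00e0-fc00-0001", "00e0-fc00-0002", "00e0-fc00-0003"]
SAMPLE = ([MISS.format(i) for i in range(4)]
          + [SMAC.format(i, mac) for i, mac in enumerate(MACS)]
          + ["Apr 9 2019 10:02:00 SW1 unrelated constructed line"])

if __name__ == "__main__":
    for group, verdict in triage(SAMPLE).items():
        print(group, verdict)
```

A group flagged `threshold_review` corresponds to Cause 1 above (a low alarm threshold), and a non-empty `investigate` list gives the addresses to locate under Cause 2.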

SECE_1.3.6.1.4.1.2011.5.25.165.2.2.3.1 hwIPSGDropALarm

Description

SECE/4/IPSG_DROP_ALARM: OID [oid] The packet number dropped by IPSG reaches [INTEGER1], exceed the alarm threshold [INTEGER2], interface [OCTET].

The number of packets discarded by IPSG exceeded the alarm threshold.

Attribute

Alarm ID Alarm Severity Alarm Type
1.3.6.1.4.1.2011.5.25.165.2.2.3.1 Warning equipmentAlarm(5)

Parameters

Name Meaning
oid Indicates the MIB object ID of the alarm.
INTEGER1 Indicates the number of discarded packets.
INTEGER2 Indicates the alarm threshold.
OCTET Indicates the source interface, VLAN, source MAC address, and source IP address of packets.

Impact on the System

If this alarm is generated, the device may be attacked. If the attack traffic volume is heavy, the device is busy processing attack packets. As a result, services of authorized users are interrupted.

Possible Causes

The number of packets discarded by IPSG exceeded the alarm threshold. This threshold can be configured using the ip source check user-bind alarm threshold command. The default alarm threshold is 100.

Procedure

  1. Find the interface where attacks occur according to Interface in the alarm message.
  2. Check whether users who are not in the DHCP snooping binding table range are connected.
  3. If new users are connected, run related DHCP snooping commands to generate the DHCP snooping binding table.

Related Information

None

SECE_1.3.6.1.4.1.2011.5.25.165.2.2.4.1 hwIcmpGlobalDropALarm

Description

SECE/4/ICMP_GLOBAL_SPEEDLIMIT_ALARM: OID [oid]. Global icmp packet speed exceed the speed-limit value configed [INTEGER].

The rate of ICMP packets exceeds the alarm threshold.

Attribute

Alarm ID Alarm Severity Alarm Type
1.3.6.1.4.1.2011.5.25.165.2.2.4.1 Warning equipmentAlarm(5)

Parameters

Name Meaning
oid Indicates the MIB object ID of the alarm.
INTEGER Indicates the alarm threshold.

Impact on the System

If the alarm is generated, it indicates that the user traffic volume exceeds the threshold. The excess traffic is discarded by the device. As a result, user traffic may be interrupted intermittently.

Possible Causes

The global ICMP packet rate exceeds the alarm threshold.

Procedure

  • If user services are not affected, the alarm does not need to be handled.
  • If the user services are intermittently disconnected, run the icmp rate-limit total threshold threshold-value command in the system view to adjust the global ICMP rate limit. Increasing the rate limit may affect CPU usage. You are advised to contact technical support personnel.

Related Information

None

SECE_1.3.6.1.4.1.2011.5.25.165.2.2.4.2 hwICMPIfDropALarm

Description

SECE/4/ICMP_IF_SPEEDLIMIT_ALARM: OID [oid] Interface icmp packet speed exceed the speed-limit value configed [INTEGER], Interface [OCTET].

The rate of ICMP packets on an interface exceeds the alarm threshold.

Attribute

Alarm ID Alarm Severity Alarm Type
1.3.6.1.4.1.2011.5.25.165.2.2.4.2 Warning equipmentAlarm(5)

Parameters

Name Meaning
oid Indicates the MIB object ID of the alarm.
INTEGER Indicates the alarm threshold.
Interface Indicates the source interface of packets.

Impact on the System

If the alarm is generated, it indicates that the user traffic volume exceeds the threshold. The excess traffic is discarded by the device. As a result, user traffic may be interrupted intermittently.

Possible Causes

The rate of ICMP packets on an interface exceeds the alarm threshold.

Procedure

  • If user services are not affected, the alarm does not need to be handled.
  • If the user services are intermittently disconnected, run the icmp rate-limit interface interface-type interface-number [ to interface-number ] threshold threshold-value command in the system view to adjust the ICMP rate limit on an interface. Increasing the rate limit may affect CPU usage. You are advised to contact technical support personnel.

Related Information

None

SECE_1.3.6.1.4.1.2011.5.25.165.2.2.7.1 hwCpcarDropPacketAlarm

Description

SECE/4/DEFEND_CPCAR_DROP_PACKET: OID [oid] Rate of packets to CPU exceeded the CPCAR limit in slot [OCTET]. (Protocol=[OCTET], CIR/CBS=[INTEGER]/[INTEGER], ExceededPacketCount=[OCTET])

Packets of a protocol are dropped because the packet rate exceeds the CPCAR values set for the protocol.

Attribute

Alarm ID Alarm Severity Alarm Type
1.3.6.1.4.1.2011.5.25.165.2.2.7.1 Warning qualityOfServiceAlarm(3)

Parameters

Name Meaning
[oid] Indicates the MIB object ID of the alarm.
slot [OCTET] Indicates a slot ID.
Protocol =[OCTET] Indicates a protocol type.
CIR/CBS=[INTEGER]/[INTEGER] Indicates the committed information rate and committed burst size.
ExceededPacketCount=[OCTET] Indicates the number of dropped packets.

Impact on the System

The protocol may not work normally.

Possible Causes

Packets of the protocol are dropped because the packet rate exceeds the CPCAR values set for the protocol.

Procedure

  1. Run the car packet-type packet-type cir cir-value [ cbs cbs-value ] command to increase the CIR and CBS values for the protocol. Check whether the alarm is cleared.
    • If so, go to step 3.
    • If not, go to step 2.

    Improper CPCAR settings will affect services on your network. It is recommended that you contact technical support personnel before adjusting the CPCAR settings.

  2. Collect trap, log, and configuration information, and contact technical support personnel.
  3. End.

Related Information

None

SECE_1.3.6.1.4.1.2011.5.25.165.2.2.9.1 hwStrackPortAtk

Description

SECE/4/STRACKPORT: OID [oid] An port attack occurred. (Interface=[OCTET], Protocol=[OCTET])

Port attack defense is started.

Attribute

Alarm ID Alarm Severity Alarm Type
1.3.6.1.4.1.2011.5.25.165.2.2.9.1 Warning securityServiceOrMechanismViolation(10)

Parameters

Name Meaning
OID Indicates the MIB object ID of the alarm.
Interface Indicates the attack source interface.
Protocol Indicates the protocol type of attack packets.

Impact on the System

Service performance degrades and CPU usage may rise.

Possible Causes

When the device detects attack packets on an interface, the device starts attack defense on the interface.

Procedure

  1. Check whether the attack actually occurs on the interface.
  2. If an attack actually occurs, locate the attack source. If no attack occurs, reconfigure the port attack defense function to ensure that valid protocol packets can be sent to the CPU.

Related Information

None

SECE_1.3.6.1.4.1.2011.5.25.32.4.1.14.1 hwXQoSStormControlTrap

Description

SECE/4/TRAP:STORMCONTROL: OID [oid],StormControlAlarm. (IfIndex=[INTEGER], BroadcastMinRate=[INTEGER], BroadcastMaxRate=[INTEGER], MulticastMinRate=[INTEGER], MulticastMaxRate=[INTEGER], Action=[INTEGER], Interval=[INTEGER], Status=[INTEGER], UnicastMinRate=[INTEGER], UnicastMaxRate=[INTEGER], BroadcastMode=[INTEGER], MulticastMode=[INTEGER], UnicastMode=[INTEGER])

The interface status changes.

Attribute

Alarm ID Alarm Severity Alarm Type
1.3.6.1.4.1.2011.5.25.32.4.1.14.1 Warning securityServiceOrMechanismViolation(10)

Parameters

Name Meaning
OID Indicates the MIB object ID of the alarm.
IfIndex Indicates the interface index.
BroadcastMinRate Indicates the minimum rate of broadcast packets.
BroadcastMaxRate Indicates the maximum rate of broadcast packets.
MulticastMinRate Indicates the minimum rate of multicast packets.
MulticastMaxRate Indicates the maximum rate of multicast packets.
Action Indicates the storm control action.
Interval Indicates the interval for detecting storms.
Status Indicates the interface status, including:
  • blocked: When the rate of receiving packets is greater than the value of MaxRate and the storm control action is block, the status of the interface is block.
  • normal: Packets are normally forwarded.
  • error-down: When the rate of receiving packets is greater than the value of MaxRate and the storm control action is error-down, the status of the interface is error-down.
UnicastMinRate Indicates the minimum rate of unknown unicast packets.
UnicastMaxRate Indicates the maximum rate of unknown unicast packets.
BroadcastMode Indicates the storm control mode of broadcast packets.
MulticastMode Indicates the storm control mode of multicast packets.
UnicastMode Indicates the storm control mode of unknown unicast packets.

Impact on the System

Storms may occur if the threshold is exceeded. Services are not affected.

Possible Causes

The interface traffic volume is greater than the upper threshold or smaller than the lower threshold.

Procedure

  1. Run the display storm-control interface command to check the storm control configuration on the interface.
  2. If the interface status is error-down, check whether the interface can be enabled according to the application scenario.

    • If yes, run the shutdown and undo shutdown commands manually. Then go to step 4.

    • If not, go to step 3.

  3. Collect the device configurations, alarms, and logs, and then contact technical support personnel.
  4. End.

Related Information

None

SECE_1.3.6.1.4.1.2011.5.25.32.4.1.14.2 hwXQoSStormControlTrapExt

Description

SECE/4/TRAP:STORMCONTROL: OID [oid] StormControlAlarm. (IfIndex=[INTEGER], IfName=[OCTET], BroadcastMinRate=[INTEGER], BroadcastMaxRate=[INTEGER], MulticastMinRate=[INTEGER], MulticastMaxRate=[INTEGER], Action=[INTEGER], Interval=[INTEGER], Status=[INTEGER], UnicastMinRate=[INTEGER], UnicastMaxRate=[INTEGER], BroadcastMode=[INTEGER], MulticastMode=[INTEGER], UnicastMode=[INTEGER], BroadcastRate=[INTEGER], MulticastRate=[INTEGER], UnicastRate=[INTEGER])

The interface status changes.

Attribute

Alarm ID Alarm Severity Alarm Type
1.3.6.1.4.1.2011.5.25.32.4.1.14.2 Warning securityServiceOrMechanismViolation(10)

Parameters

Name Meaning
OID Indicates the MIB object ID of the alarm.
IfIndex Indicates the interface index.
IfName Indicates the interface name.
BroadcastMinRate Indicates the minimum rate of broadcast packets.
BroadcastMaxRate Indicates the maximum rate of broadcast packets.
MulticastMinRate Indicates the minimum rate of multicast packets.
MulticastMaxRate Indicates the maximum rate of multicast packets.
Action Indicates the storm control action.
Interval Indicates the interval for detecting storms.
Status Indicates the interface status, including:
  • block: When the rate of receiving packets is greater than the value of MaxRate and the storm control action is block, the interface status is block.
  • normal: The interface normally forwards packets.
  • shutdown: When the rate of receiving packets is greater than the value of MaxRate and the storm control action is shutdown, the interface status is shutdown.
UnicastMinRate Indicates the minimum rate of unknown unicast packets.
UnicastMaxRate Indicates the maximum rate of unknown unicast packets.
BroadcastMode Indicates the broadcast storm control mode.
MulticastMode Indicates the multicast storm control mode.
UnicastMode Indicates the unknown unicast storm control mode.
BroadcastRate Indicates the average rate of broadcast packets on the current interface within the storm detection interval.
MulticastRate Indicates the average rate of multicast packets on the current interface within the storm detection interval.
UnicastRate Indicates the average rate of unknown unicast packets on the current interface within the storm detection interval.

Impact on the System

Storms may occur if any of the preceding thresholds is exceeded. Services are affected.

Possible Causes

The packet rate (pps) on the interface exceeds the upper threshold or falls below the lower threshold for storm control.

Procedure

  1. Run the display storm-control [ interface interface-type interface-number ] command to check the information about storm control on the interface.
  2. If the interface status is shutdown, check whether the interface can be enabled according to the application scenario.

    (1) If the interface can be enabled, run the undo shutdown command and go to step 4.

    (2) If the interface cannot be enabled, go to step 3.

  3. Collect device configurations, alarms, and logs, and contact technical support personnel.
  4. End.
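
The extended trap carries the measured BroadcastRate, MulticastRate and UnicastRate next to the configured thresholds, so a collector can report which traffic class crossed which threshold, something the base trap (alarm ID ending .14.1) cannot show. The Python below is an added example, not part of the Huawei documentation; the log prefix, the sample values, the assumption that rates and thresholds use the same unit, and the treatment of 0/0 thresholds as "unconfigured" are assumptions.

```python
import re

# Matches both trap layouts on this page: "OID [oid],StormControlAlarm." and
# "OID [oid] StormControlAlarm.", followed by the parenthesised field list.
TRAP_RE = re.compile(
    r"SECE/4/TRAP:STORMCONTROL: OID\s+(?P<oid>[0-9.]+),?\s*"
    r"StormControlAlarm\.\s*\((?P<kv>[^)]*)\)"
)
CLASSES = ("Broadcast", "Multicast", "Unicast")


def parse_trap(line):
    """Return the trap fields as a dict (integers converted), or None."""
    m = TRAP_RE.search(line)
    if not m:
        return None
    fields = {"OID": m.group("oid")}
    for pair in m.group("kv").split(","):
        key, _, value = pair.strip().partition("=")
        if key:
            fields[key] = int(value) if value.isdigit() else value
    return fields


def classify(fields):
    """Compare each class's measured rate with its Min/Max thresholds."""
    verdict = {}
    for cls in CLASSES:
        rate = fields.get(cls + "Rate")
        lo = fields.get(cls + "MinRate", 0)
        hi = fields.get(cls + "MaxRate", 0)
        if rate is None:
            verdict[cls] = "unknown"        # base trap: no measured rate field
        elif lo == 0 and hi == 0:
            verdict[cls] = "unconfigured"   # assumption: 0/0 means no storm control
        elif rate > hi:
            verdict[cls] = "above-max"
        elif rate < lo:
            verdict[cls] = "below-min"
        else:
            verdict[cls] = "within"
    return verdict


# Constructed samples: field names and alarm IDs follow this page, values are made up.
FIELDS = ("IfIndex=7, {}BroadcastMinRate=1000, BroadcastMaxRate=2000, "
          "MulticastMinRate=1000, MulticastMaxRate=2000, Action=1, Interval=5, Status=1, "
          "UnicastMinRate=0, UnicastMaxRate=0, BroadcastMode=1, MulticastMode=1, UnicastMode=1")
BASE_TRAP = ("Apr 9 2019 10:05:00 SW1 SECE/4/TRAP:STORMCONTROL: OID "
             "1.3.6.1.4.1.2011.5.25.32.4.1.14.1,StormControlAlarm. (" + FIELDS.format("") + ")")
EXT_TRAP = ("Apr 9 2019 10:05:00 SW1 SECE/4/TRAP:STORMCONTROL: OID "
            "1.3.6.1.4.1.2011.5.25.32.4.1.14.2 StormControlAlarm. ("
            + FIELDS.format("IfName=GigabitEthernet1/0/1, ")
            + ", BroadcastRate=3500, MulticastRate=1500, UnicastRate=40)")

if __name__ == "__main__":
    print(classify(parse_trap(EXT_TRAP)))
    print(classify(parse_trap(BASE_TRAP)))
```

Action, Status and the Mode fields are left as raw integers because this page does not list their value mappings.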
Updated: 2019-04-09

Document ID: EDOC1100065855