
NEs Are Detached from the N2000 BMS After the Anti-ARP Attack Feature Is Enabled on the Uplink Switch

Publication Date: 2012-07-25

Issue Description

Networking: N2000 BMS server → 2403 switch → 8505 switch → DSLAM device
Symptom: NEs are detached from the N2000 BMS. Pinging the 8505 switch from the server shows that some packets are lost.

Alarm Information


Handling Process

1. Ping PCs on the same network segment from the server and find that no packets are lost. Therefore, the network adapter is running properly.
2. Scan the server for viruses and find no exception.
3. Log in to the uplink 8505 switch, check it, and find the following alarm messages:
3 04:07:44 2008 ZH_XXZ_S8505_A DIAGCLI/5/LOG_WARN:Slot=6;
Detect ARP attack from MAC 0011-43ba-c24f, VLAN: 993, GigabitEthernet6/2/4 !
Here, 0011-43ba-c24f is the MAC address of the N2000 BMS. It can be judged that the 8505 switch has mistaken the N2000 BMS for an attacking user (the N2000 BMS broadcasts a large number of ARP packets to obtain the MAC address of the DSLAM device during resynchronization with the 8505 switch).

As a result, the 8505 switch does not forward the MAC address of the N2000 BMS and places it in the black hole instead, so all ARP packets from it are discarded by the 8505 switch. When you ping the 8505 switch from the N2000 BMS, packets are lost and the ping operation eventually fails (however, pings to other PCs under the 2403 switch still succeed). Therefore, the N2000 BMS fails to control the device properly.

Configure the anti-attack ARP exclude MAC address on the 8505 switch as follows:
anti-attack arp exclude-mac mac-address (the MAC address of the N2000 BMS)
Then the problem is solved.
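The check in step 3 can be automated. The following is an added example, not part of the original case or any vendor tool: it parses the alarm format quoted above and marks sources that match an inventory of known management hosts. The second log entry, the inventory contents, and all function names are assumptions made for illustration.

```python
import re

# Alarm text as quoted in this case; the message may wrap across two lines.
ALARM_RE = re.compile(
    r"Detect ARP attack from MAC\s+(?P<mac>(?:[0-9A-Fa-f]{4}-){2}[0-9A-Fa-f]{4}),"
    r"\s*VLAN:\s*(?P<vlan>\d+),\s*(?P<port>\S+)"
)

def normalize_mac(mac):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def to_switch_format(mac):
    """Render a MAC in the xxxx-xxxx-xxxx form the switch logs use."""
    d = normalize_mac(mac)
    return "-".join(d[i:i + 4] for i in range(0, 12, 4))

def triage(log_text, management_macs):
    """Return one record per alarm, marking known management hosts."""
    known = {normalize_mac(m): name for m, name in management_macs.items()}
    findings = []
    for m in ALARM_RE.finditer(log_text):
        key = normalize_mac(m["mac"])
        findings.append({
            "mac": to_switch_format(key),
            "vlan": int(m["vlan"]),
            "port": m["port"],
            "host": known.get(key),
            "likely_false_positive": key in known,
        })
    return findings

# First alarm is the one quoted in this case; the second is constructed.
SAMPLE_LOG = """\
3 04:07:44 2008 ZH_XXZ_S8505_A DIAGCLI/5/LOG_WARN:Slot=6;
Detect ARP attack from MAC 0011-43ba-c24f, VLAN: 993, GigabitEthernet6/2/4 !
3 04:09:12 2008 ZH_XXZ_S8505_A DIAGCLI/5/LOG_WARN:Slot=6;
Detect ARP attack from MAC 00e0-fc12-3456, VLAN: 993, GigabitEthernet6/2/7 !
"""
# Constructed inventory (assumption): MACs as the server OS reports them.
MANAGEMENT_MACS = {"00:11:43:BA:C2:4F": "N2000 BMS"}

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, MANAGEMENT_MACS):
        verdict = "known management host" if f["likely_false_positive"] else "unknown source"
        print(f'{f["mac"]} vlan {f["vlan"]} {f["port"]}: {verdict}')
```

Before adding an exclusion for a flagged management host, confirm that the reported port and VLAN are where that host is actually connected, because the exclusion is keyed on the MAC address alone.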

Root Cause

1. The network interface card of the BMS server has a hardware fault.
2. The BMS server is under attack or is infected with viruses.
3. The handling on the upstream switching device is abnormal. 


To solve the problem of NEs being detached from the BMS server, consider the problem from the network perspective and capture packets.