Networking of a customer:
Juniper MX960—NE40E-A—NE40E-B—NE40E-C—Cisco ASR 9010
Both Cisco and Juniper engineers report that packet loss occurs when pinging Huawei NE40Es from their devices, as shown in the following figure.
1. Increase the CAR threshold for the CPU chip on the MPU of the NE40E to process ICMP packets.
cpu-defend policy 2
car icmp cir 1000000 cbs 9000000
All the ping tests with small packets succeed; the ping tests with large packets encounter packet loss or delay. Packet loss occurs when the -s 1000 and –m 5 parameters are specified when a ping is performed between NE40E-A and NE40E-C.
2. On NE40-B, ping NE40E-A and NE40E-C. The command output is as follows:
Note: The NE40E-B forwards all ICMP packets without discarding them.
3. Ping NE40E-A and NE40E-C through large packets from each other. It is found that the problem persists. The NE40E provides the anti-attack mechanism to protect CPU resources on the MPU. The mechanism limits the number of fragmented packets. The large packets used to ping the IP address of an NE40E need to be processed by the CPU of the MPU. Due to the anti-attack mechanism, packet loss occurs regularly. The NP chip on the service board directly forwards passerby ICMP packets without discarding them. In the current version, the anti-attack mechanism cannot be adjusted.
Packet loss occurs when large packets are used to ping the IP address of an NE40E. The possible cause is that the number of received ICMP packets exceeds the upper limit of the processing capability of the NE40E.
1. Increase the CAR threshold on the NE40E. If the ping test traffic rate does not exceed the CAR threshold of ICMP packets, the ping tests through small packets succeed.
2. Packet loss during the ping test through large packets does not indicate that the service forwarding on the device is abnormal. When ping packets need to be processed by the CPU of the MPU, packet loss occurs regularly. Passerby packets are forwarded by the NP chip on the service board directly, without being processed by the CPU of the MPU. Therefore, such packets are not affected.
3. It is recommended that the anti-attack mechanism in the new version can be adjusted.