Version: NE40E&80E V300R002C06B325
Users on an NE40E experienced low E-Line service access speed. The delay when pinging the gateway from the NE40E was large. The CPU usage of the service board in slot 1 on the NE40E reached 93%. The two tasks with the highest CPU usage were VPR and COCK.
Ran the efu qos cp-car cnt_show 1 clear command in diagnosis mode to query the packets discarded by the CP CAR.
Excp ID : Green : Yellow : Red
9 P : 0x00000899c 0x00053e 0x000052a6
B: 0x0001d08c8 0x011b4c 0x00116f90
A large number of packets with Excp_ID being 9 were discarded. According to the Excp_ID mapping table, packets with Excp_ID being 9 were IPV4_TCP packets. Therefore, it was concluded that TCP attacks caused the high CPU usage of the service board.
Configure a policy for the CP-CAR to deny IPV4_TCP packets and permit FTP packets.
acl number 3200 -------- Permit FTP packets and deny IPV4_TCP packets
rule 5 permit tcp source-port eq ftp-data
rule 10 permit tcp destination-port eq ftp-data
rule 15 deny tcp
traffic classifier acl3200 operator or
if-match acl 3200
traffic behavior acl3200
traffic policy acl3200
classifier acl3200 behavior acl3200
cpcar slot 1 ipv4-tcp ---- Apply the policy
After the policy was applied, the CPU usage of the service board decreased to 15% and services became normal.
High CPU usage on a service board is often caused by attacks. It is recommended to change CP-CAR to protect the CPU. Run the efu qos cp-car cnt_show 1 clear command to identify the attack.
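To triage captured counter output offline, the following added example (not from the original case or from Huawei) parses text in the layout shown above and ranks exception IDs by red packet count. It assumes P rows are packet counters, B rows are byte counters, and red means discarded; the Excp_ID 12 rows are constructed, and only the ID 9 name comes from this page.

```python
import re

# Only mapping stated in this case; other IDs come from the device's Excp_ID table.
EXCP_NAMES = {9: "IPV4_TCP"}

# Rows look like "9 P : 0x.. 0x.. 0x.." followed by "B: 0x.. 0x.. 0x..".
ROW = re.compile(
    r"^\s*(?:(\d+)\s+)?([PB])\s*:\s*(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s*$"
)

SAMPLE = """\
Excp ID : Green : Yellow : Red
9 P : 0x00000899c 0x00053e 0x000052a6
B: 0x0001d08c8 0x011b4c 0x00116f90
12 P : 0x000001f4 0x000000 0x00000000
B: 0x00007d00 0x000000 0x00000000
"""  # ID 9 rows are from the case; ID 12 rows are constructed for contrast.


def parse_cpcar(text):
    """Return {excp_id: {"P": (green, yellow, red), "B": (green, yellow, red)}}."""
    counters, current = {}, None
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, blank line or unrelated output
        if m.group(1) is not None:
            current = int(m.group(1))  # a P row starts a new exception ID
        if current is None:
            continue  # B row with no preceding ID row
        values = tuple(int(h, 16) for h in m.group(3, 4, 5))
        counters.setdefault(current, {})[m.group(2)] = values
    return counters


def suspects(counters, min_red=1000, min_ratio=0.2):
    """IDs whose red packet count is high in absolute and relative terms, worst first."""
    found = []
    for excp_id, rows in counters.items():
        if "P" not in rows:
            continue
        green, yellow, red = rows["P"]
        total = green + yellow + red
        ratio = red / total if total else 0.0
        if red >= min_red and ratio >= min_ratio:
            found.append((excp_id, EXCP_NAMES.get(excp_id, "unknown"), red, ratio))
    return sorted(found, key=lambda r: r[2], reverse=True)
```

The thresholds min_red and min_ratio are illustrative defaults and should be tuned against a baseline taken when the board is healthy.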