Checking Whether the Number of Dropped ARP Packets in CPU Statistics Increases

Procedure

  1. Run the display cpu-defend statistics all command on the gateway to check whether the number of dropped ARP request, ARP reply, and ARP Miss packets increases.

    Port attack defense has been available since V200R003 and is enabled by default. If an attack source sends a large number of packets to the CPU through one port, it consumes the bandwidth available for protocol packets sent to the CPU from the other ports. Port attack defense addresses this problem by rate-limiting the packets from the offending port separately, so that the other ports keep their share.

    After attack source tracing is configured, run the display auto-port-defend attack-source command to view the attack source information:
    [HUAWEI] display auto-port-defend attack-source  slot 3
    Attack source table on slot 3:
    Total : 1
    --------------------------------------------------------------------------------
    Interface     Vlan Protocol     Expire(s)   PacketRate(pps)  LastAttackTime      
    --------------------------------------------------------------------------------
    GE3/0/0       NA   arp-request  298         75               2009-10-08 10:30:42 
    --------------------------------------------------------------------------------
    After an attack is detected, the packets from that source are placed in a low-priority queue and a CAR value equal to the CPCAR value of the protocol is delivered for them. Packets exceeding the CAR value are discarded. These discards are not counted in the output of the display cpu-defend statistics command; they are shown only by the display auto-port-defend statistics command in the diagnostic view, so check both commands before concluding that no ARP packets are being dropped.
    [HUAWEI-diagnose] display auto-port-defend statistics slot 3
    Statistics on slot 3: 
    --------------------------------------------------------------------------------
    Protocol     Vlan Queue Cir(Kbps)  Pass(Packet/Byte)  Drop(Packet/Byte) 
    --------------------------------------------------------------------------------
    arp-request  NA   2     64         2214362            136179370         
                                       221436200          13617937100       
    --------------------------------------------------------------------------------
    When port attack defense starts acting on an attack source and when it stops, the following logs are recorded:
    • Port attack defense started on an interface:

      SECE/4/PORT_ATTACK_OCCUR:Auto port-defend started.(SourceAttackInterface=[STRING], AttackProtocol=[STRING])

    • Port attack defense stopped on an interface:

      SECE/6/PORT_ATTACK_END:Auto port-defend stop.(SourceAttackInterface=[STRING], AttackProtocol=[STRING])

    If the number of dropped packets is 0 in both commands, no ARP packets are being discarded. If you still suspect that the switch is under an ARP attack, see Checking Whether the CPU Usage Exceeds 70%.

    If the number of dropped ARP packets increases only slightly between two runs of the command and services are not affected, keep observing the packet statistics. If the number of dropped ARP packets increases sharply, see Checking ARP Entries on the Gateway.

    Sample output of the command:
    <HUAWEI> display cpu-defend statistics all
     Statistics on mainboard: 
    ------------------------------------------------------------------------------- 
    Packet Type         Pass(Bytes)  Drop(Bytes)   Pass(Packets)   Drop(Packets) 
    ------------------------------------------------------------------------------- 
    arp-miss            82563573127   2701145997      1041389471        37006174 
    arp-reply                     0            0               0               0 
    arp-request         24861995399         9984       268423659             156 
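    The procedure above compares two runs of display cpu-defend statistics all and decides between "no drops", "slight increase" and "sharp increase". The following Python script is an added example, not part of the original page or of any Huawei tool: it parses two constructed snapshots of the command output (the first copied from the sample above, the second with counters advanced by an assumed 60 seconds), parses the display auto-port-defend attack-source table, computes the per-type drop deltas and maps each to the next step named in this procedure. The sample text, the 60-second interval and the 100 pps threshold separating "slight" from "sharp" are assumptions chosen for illustration; a counter that goes backwards is reported as a reset (for example after the statistics were cleared) rather than as a drop.

```python
import re

# Constructed sample outputs (not captured from a real device).
# SNAPSHOT_T0 repeats the figures shown in the page's sample output; SNAPSHOT_T1 is an assumed
# second run 60 s later: arp-miss drops rose by 200000, arp-request drops by 4, arp-reply not at all.
SNAPSHOT_T0 = """\
 Statistics on mainboard:
-------------------------------------------------------------------------------
Packet Type         Pass(Bytes)  Drop(Bytes)   Pass(Packets)   Drop(Packets)
-------------------------------------------------------------------------------
arp-miss            82563573127   2701145997      1041389471        37006174
arp-reply                     0            0               0               0
arp-request         24861995399         9984       268423659             156
"""

SNAPSHOT_T1 = """\
 Statistics on mainboard:
-------------------------------------------------------------------------------
Packet Type         Pass(Bytes)  Drop(Bytes)   Pass(Packets)   Drop(Packets)
-------------------------------------------------------------------------------
arp-miss            82570000000   2715745997      1041470000        37206174
arp-reply                     0            0               0               0
arp-request         24862100000        10240       268424800             160
"""

# Constructed copy of the page's attack-source table (display auto-port-defend attack-source).
ATTACK_SOURCE = """\
Attack source table on slot 3:
Total : 1
--------------------------------------------------------------------------------
Interface     Vlan Protocol     Expire(s)   PacketRate(pps)  LastAttackTime
--------------------------------------------------------------------------------
GE3/0/0       NA   arp-request  298         75               2009-10-08 10:30:42
--------------------------------------------------------------------------------
"""

ARP_TYPES = ("arp-request", "arp-reply", "arp-miss")
SHARP_PPS = 100.0  # assumed threshold: drops/s at or above this count as a "sharp" increase

# One data row: type, Pass(Bytes), Drop(Bytes), Pass(Packets), Drop(Packets). Header and
# separator rows do not match because their later columns are not integers.
STATS_RE = re.compile(r"^\s*(?P<type>[\w-]+)\s+(?P<pass_b>\d+)\s+(?P<drop_b>\d+)"
                      r"\s+(?P<pass_p>\d+)\s+(?P<drop_p>\d+)\s*$")
ATTACK_RE = re.compile(r"^\s*(?P<intf>\S+)\s+(?P<vlan>\S+)\s+(?P<proto>[\w-]+)\s+(?P<expire>\d+)"
                       r"\s+(?P<pps>\d+)\s+(?P<when>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s*$")

# Next step from this procedure for each outcome.
NEXT_STEP = {
    "none": "see Checking Whether the CPU Usage Exceeds 70%",
    "slight": "keep observing the packet statistics",
    "sharp": "see Checking ARP Entries on the Gateway",
    "reset": "counter went backwards (statistics cleared?); take two fresh snapshots",
}


def parse_cpu_defend_stats(text):
    """Return {packet_type: (pass_packets, drop_packets)} for the ARP rows of the output."""
    stats = {}
    for line in text.splitlines():
        m = STATS_RE.match(line)
        if m and m.group("type") in ARP_TYPES:
            stats[m.group("type")] = (int(m.group("pass_p")), int(m.group("drop_p")))
    return stats


def parse_attack_sources(text):
    """Return one dict per row of the attack-source table."""
    rows = []
    for line in text.splitlines():
        m = ATTACK_RE.match(line)
        if m:
            rows.append({"interface": m.group("intf"), "vlan": m.group("vlan"),
                         "protocol": m.group("proto"), "expire_s": int(m.group("expire")),
                         "pps": int(m.group("pps")), "last_attack": m.group("when")})
    return rows


def classify(delta, interval_s, sharp_pps=SHARP_PPS):
    """Map a drop-counter delta observed over interval_s seconds to one of the procedure's outcomes."""
    if delta < 0:
        return "reset"
    if delta == 0:
        return "none"
    return "sharp" if delta / interval_s >= sharp_pps else "slight"


def assess(snap_before, snap_after, interval_s, attack_source_text=""):
    """Compare two snapshots and attach any traced attack sources to the report."""
    before = parse_cpu_defend_stats(snap_before)
    after = parse_cpu_defend_stats(snap_after)
    report = {}
    for t in ARP_TYPES:
        if t in before and t in after:
            delta = after[t][1] - before[t][1]
            outcome = classify(delta, interval_s)
            report[t] = {"delta": delta, "class": outcome, "next": NEXT_STEP[outcome]}
    report["attack_sources"] = parse_attack_sources(attack_source_text)
    return report


if __name__ == "__main__":
    result = assess(SNAPSHOT_T0, SNAPSHOT_T1, 60, ATTACK_SOURCE)
    for t in ARP_TYPES:
        r = result[t]
        print(f"{t:12s} +{r['delta']:<8d} {r['class']:7s} -> {r['next']}")
    for src in result["attack_sources"]:
        print(f"attack source: {src['interface']} {src['protocol']} {src['pps']} pps")
```

On a live device the two snapshot strings would be the text returned by two SSH sessions a known interval apart; the comparison deliberately uses the Drop(Packets) column only, because the byte columns scale with packet size and a reset of the statistics shows up as a negative delta in either column.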
    
