AR1200做为外网路由器,经常出现部分用户网络中断。
告警信息
1、查询设备运行日志,发现有大量ARP协议报文因CPU阀值丢弃。<Huawei>display logbufferSep 9 2014 16:01:55+00:00 Huawei %%01SECE/4/PORT_ATTACK(l)[0]:Port attack occurred.(Slot=MPU, SourceAttackInterface=GigabitEthernet0/0/0, OuterVlan/InnerVlan=0/0, AttackPackets=64 packets per second)Sep 9 2014 16:01:54+00:00 Huawei %%01DEFD/4/CPCAR_DROP_MPU(l)[1]:Some packets are dropped by cpcar on the MPU. (Packet-type=arp-miss, Drop-Count=770)Sep 9 2014 16:01:54+00:00 Huawei %%01DEFD/4/CPCAR_DROP_MPU(l)[2]:Some packets are dropped by cpcar on the MPU. (Packet-type=arp-request, Drop-Count=3458)
处理过程
1、怀疑设备内网、存在ARP攻击,配置跟踪溯源功能。配置命令如下:cpu-defend policy 1auto-defend enableauto-defend threshold 40 //可适当调整建议不要太小auto-defend protocol allauto-defend trace-type source-ip source-mac source-portvlanauto-defend alarm enable#cpu-defend-policy 1 global //在全局应用 cpu-defend-policy 1 2、使用命令display auto-defend attack-source在网络出现异常时查询设备是否存在攻击。<Huawei>display auto-defend attack-source Attack Source User Table: ————————————————————————- MacAddress InterfaceName Vlan:Outer/Inner TOTAL ————————————————————————- 0cda-xxxx-cf00 GigabitEthernet0/0/1 0 368 1414-xxxx-7696 GigabitEthernet0/0/0 0 7152 ————————————————————————- Total: 2 Attack Source Port Table: —————————————————– InterfaceName Vlan:Outer/Inner TOTAL —————————————————– GigabitEthernet0/0/1 0 368 GigabitEthernet0/0/0 0 23472 —————————————————– Total: 2 Attack Source IP Table: ————————————- IPAddress TOTAL Packets ————————————- 219.x.x.3 368 58.x.x.1 7152 ————————————- Total: 2<Huawei>3、发现内网某用户发送攻击报文(外网接口如增涨不大不做考虑),源地址为58.x.x.1,源MAC为1414-xxxx-7696,通过用户接入的端口逐层排查该用户接入的交换机端口,找到该接入用户,使用杀毒软件查杀病毒后问题解决。
生产中使用:VRP (R) software, Version 5.170 (AR6121 V300R022C00SPC100)
[Huawei] cpu-defend policy linshi
auto-defend enable
auto-defend threshold 200
auto-defend alarm enable
[Huawei] cpu-defend-policy linshi
[Huawei] dis auto-defend attack-source
