
ARP attack causing users behind an AR2240 to lose network access

2015/3/3 16:57:12
Problem description

The core and floor switches are all unmanaged switches and cannot be configured.
The gateway is on the AR router. All users connect through SOHO routers, all of which are TP-Link devices. The SOHO routers' addresses fall into two segments, 190.131.1.0/16 and 190.131.3.0/16. Users behind the SOHO routers obtain IP addresses via DHCP and reach the network through the SOHO routers' built-in NAT.

Problem:
The internal segments behind the AR2240 sometimes cannot reach the external network.

Troubleshooting

Checked cpu-defend and found dropped packets
display cpu-defend statistic 
----------------------------------------------------------------------- 
Packet Type               Pass Packets        Drop Packets 
----------------------------------------------------------------------- 
8021X                                0                   0 
arp-miss                          5744                   0 
arp-reply                         3903                   0 
arp-request                     448252                1390 
bfd                                  0                   0 

Checked the trapbuffer and found ARP IP conflicts
#Dec  9 2014 10:09:34+00:00 253_HW_AR2240 ARP/4/ARP_IPCONFLICT_TRAP:OID 1.3.6.1.4.1.2011.5.25.123.2.6 ARP detects IP conflict. (IP address=190.131.3.131, Local interface=GigabitEthernet0/0/1, Local MAC=0017-59de-b688, Local vlan=0, Local CE vlan=0, Receive interface=GigabitEthernet0/0/1, Receive MAC=78a1-067c-7dc1, Receive vlan=0, Receive CE vlan=0, IP conflict type=Remote IP conflict). 
#Dec  9 2014 10:01:44+00:00 253_HW_AR2240 ARP/4/ARP_IPCONFLICT_TRAP:OID 1.3.6.1.4.1.2011.5.25.123.2.6 ARP detects IP conflict. (IP address=190.131.3.130, Local interface=GigabitEthernet0/0/1, Local MAC=0017-59de-b688, Local vlan=0, Local CE vlan=0, Receive interface=GigabitEthernet0/0/1, Receive MAC=78a1-067c-7dbb, Receive vlan=0, Receive CE vlan=0, IP conflict type=Remote IP conflict). 
#Dec  9 2014 09:49:28+00:00 253_HW_AR2240 ARP/4/ARP_IPCONFLICT_TRAP:OID 1.3.6.1.4.1.2011.5.25.123.2.6 ARP detects IP conflict. (IP address=190.131.3.131, Local interface=GigabitEthernet0/0/1, Local MAC=0017-59de-b688, Local vlan=0, Local CE vlan=0, Receive interface=GigabitEthernet0/0/1, Receive MAC=78a1-067c-7dc1, Receive vlan=0, Receive CE vlan=0, IP conflict type=Remote IP conflict). 
#Dec  9 2014 09:34:04+00:00 253_HW_AR2240 ARP/4/ARP_IPCONFLICT_TRAP:OID 1.3.6.1.4.1.2011.5.25.123.2.6 ARP detects IP conflict. (IP address=190.131.3.133, Local interface=GigabitEthernet0/0/1, Local MAC=7427-eae4-275b, Local vlan=0, Local CE vlan=0, Receive interface=GigabitEthernet0/0/1, Receive MAC=0017-59de-b688, Receive vlan=0, Receive CE vlan=0, IP conflict type=Remote IP conflict). 

Checked the ARP table
<253_HW_AR2240> 
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE 
                                          VLAN/CEVLAN PVC                    
190.131.1.107   0014-5e7a-75b4  20        D-0         GE0/0/1 
190.131.3.121   0017-59de-b688  2         D-0         GE0/0/1 
190.131.1.112   cc34-2999-9bbf  17        D-0         GE0/0/1 
190.131.3.120   7427-eae4-275b  20        D-0         GE0/0/1 
190.131.1.109   0014-5e19-a483  13        D-0         GE0/0/1 
190.131.1.199   d815-0d38-3d3d  3         D-0         GE0/0/1 
190.131.1.101   0014-5e7a-7574  19        D-0         GE0/0/1 
190.131.1.206   0022-3fa5-b237  4         D-0         GE0/0/1 
190.131.3.6     0017-59de-b688  18        D-0         GE0/0/1 
190.131.1.6     90fb-a61e-13e5  16        D-0         GE0/0/1 // this is the MAC of a legitimate SOHO router
190.131.1.233   7427-ea3d-e4ef  20        D-0         GE0/0/1 
190.131.1.130   0060-6e9a-0d23  2         D-0         GE0/0/1 // this should be the MAC of a legitimate SOHO router
190.131.1.50    4437-e676-91aa  2         D-0         GE0/0/1 
190.131.3.130   0017-59de-b688  17        D-0         GE0/0/1 
190.131.3.132   0021-272e-eb43  14        D-0         GE0/0/1 
190.131.3.131   0017-59de-b688  5         D-0         GE0/0/1 
190.131.3.133   0017-59de-b688  10        D-0         GE0/0/1 

Root cause
There is an ARP attack on the internal network; the attack source MAC is 0017-59de-b688
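To show how the trapbuffer and ARP table evidence above single out one station, here is an added Python example (not from the original article) that parses the `display arp` rows and the ARP_IPCONFLICT_TRAP lines in the formats shown, and reports any MAC bound to several IPs on the uplink, where each SOHO router should own exactly one. The sample inputs are constructed excerpts of the outputs above with unused trap fields cut, and the `threshold` parameter and function names are this example's own.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: excerpt of the AR2240 "display arp" output quoted above (both header lines kept).
ARP_TABLE = """\
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE
                                          VLAN/CEVLAN PVC
190.131.1.107   0014-5e7a-75b4  20        D-0         GE0/0/1
190.131.3.121   0017-59de-b688  2         D-0         GE0/0/1
190.131.3.120   7427-eae4-275b  20        D-0         GE0/0/1
190.131.3.6     0017-59de-b688  18        D-0         GE0/0/1
190.131.1.6     90fb-a61e-13e5  16        D-0         GE0/0/1
190.131.3.130   0017-59de-b688  17        D-0         GE0/0/1
190.131.3.131   0017-59de-b688  5         D-0         GE0/0/1
"""
# Constructed sample: two ARP_IPCONFLICT_TRAP lines from the trapbuffer above, with unused fields cut.
TRAPS = """\
#Dec  9 2014 10:09:34+00:00 253_HW_AR2240 ARP/4/ARP_IPCONFLICT_TRAP: ARP detects IP conflict. (IP address=190.131.3.131, Local MAC=0017-59de-b688, Receive MAC=78a1-067c-7dc1, IP conflict type=Remote IP conflict).
#Dec  9 2014 09:34:04+00:00 253_HW_AR2240 ARP/4/ARP_IPCONFLICT_TRAP: ARP detects IP conflict. (IP address=190.131.3.133, Local MAC=7427-eae4-275b, Receive MAC=0017-59de-b688, IP conflict type=Remote IP conflict).
"""

MAC = r"[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}"
# One table row: IP, MAC, EXPIRE, TYPE, INTERFACE. Header lines never start with a digit, so they are skipped.
ARP_ROW = re.compile(rf"^(\d{{1,3}}(?:\.\d{{1,3}}){{3}})\s+({MAC})\s+\d+\s+\S+\s+(\S+)", re.M)
TRAP_MAC = re.compile(rf"(?:Local|Receive) MAC=({MAC})")

def parse_arp_table(text):
    """Map each IP to (MAC, interface) from 'display arp' output."""
    return {ip: (mac, iface) for ip, mac, iface in ARP_ROW.findall(text)}

def macs_with_many_ips(arp, threshold=2):
    """MACs bound to at least `threshold` IPs (threshold is an assumed tuning knob). On this
    uplink each SOHO router owns one IP, so one MAC answering for several is the spoofing signature."""
    by_mac = defaultdict(set)
    for ip, (mac, _iface) in arp.items():
        by_mac[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) >= threshold}

def conflict_counts(trap_text):
    """How often each MAC is a party to an ARP_IPCONFLICT_TRAP, on either side of the conflict."""
    return Counter(TRAP_MAC.findall(trap_text))

def rank_suspects(arp_text, trap_text, threshold=2):
    """(MAC, #IPs claimed, #conflict traps involved), most suspicious first."""
    multi = macs_with_many_ips(parse_arp_table(arp_text), threshold)
    traps = conflict_counts(trap_text)
    return sorted(((mac, len(ips), traps[mac]) for mac, ips in multi.items()),
                  key=lambda t: (t[1], t[2]), reverse=True)

if __name__ == "__main__":
    print(rank_suspects(ARP_TABLE, TRAPS))  # [('0017-59de-b688', 4, 2)]
```

A legitimately multi-homed device on the same segment (a gateway with secondary addresses, or a host doing proxy ARP) would also trip the IP-count check, so such MACs should be allowlisted before the ranking is acted on.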

Solution
1. Confirm with the network administrator whether 0017-59de-b688 is the MAC of a connected SOHO router: the administrator confirmed it is not
2. Trace 0017-59de-b688: the core and floor switches are all unmanaged switches, so the location of 0017-59de-b688 cannot be determined
3. Configure a Layer 2 ARP traffic filter on the AR router; problem resolved
[Huawei]acl number 4444 
[Huawei-acl-L2-4444]rule 5  deny  l2-protocol  arp  source-mac  0017-59de-b688 
[Huawei]int g0/0/1 
[Huawei-GigabitEthernet0/0/1]traffic-filter  inbound  acl  4444