ARP attack causing users behind an AR2240 to lose network access
The core and floor switches are all unmanaged (dumb) switches and cannot be configured.
The gateway is on the AR router. All users connect through consumer-grade (dumb) routers, all of them TP-Link models. The dumb routers' addresses fall into two segments, 190.131.1.0/16 and 190.131.3.0/16. Users behind the dumb routers obtain their IPs via DHCP and reach the network through the dumb routers' built-in NAT.
Problem:
The internal segments behind the AR2240 intermittently cannot reach the external network.
Checked cpu-defend and found packet drops:
display cpu-defend statistic
-----------------------------------------------------------------------
Packet Type          Pass Packets         Drop Packets
-----------------------------------------------------------------------
8021X                0                    0
arp-miss             5744                 0
arp-reply            3903                 0
arp-request          448252               1390
bfd                  0                    0
Checked the trapbuffer and found ARP IP conflicts:
#Dec 9 2014 10:09:34+00:00 253_HW_AR2240 ARP/4/ARP_IPCONFLICT_TRAP:OID 1.3.6.1.4.1.2011.5.25.123.2.6 ARP detects IP conflict. (IP address=190.131.3.131, Local interface=GigabitEthernet0/0/1, Local MAC=0017-59de-b688, Local vlan=0, Local CE vlan=0, Receive interface=GigabitEthernet0/0/1, Receive MAC=78a1-067c-7dc1, Receive vlan=0, Receive CE vlan=0, IP conflict type=Remote IP conflict).
#Dec 9 2014 10:01:44+00:00 253_HW_AR2240 ARP/4/ARP_IPCONFLICT_TRAP:OID 1.3.6.1.4.1.2011.5.25.123.2.6 ARP detects IP conflict. (IP address=190.131.3.130, Local interface=GigabitEthernet0/0/1, Local MAC=0017-59de-b688, Local vlan=0, Local CE vlan=0, Receive interface=GigabitEthernet0/0/1, Receive MAC=78a1-067c-7dbb, Receive vlan=0, Receive CE vlan=0, IP conflict type=Remote IP conflict).
#Dec 9 2014 09:49:28+00:00 253_HW_AR2240 ARP/4/ARP_IPCONFLICT_TRAP:OID 1.3.6.1.4.1.2011.5.25.123.2.6 ARP detects IP conflict. (IP address=190.131.3.131, Local interface=GigabitEthernet0/0/1, Local MAC=0017-59de-b688, Local vlan=0, Local CE vlan=0, Receive interface=GigabitEthernet0/0/1, Receive MAC=78a1-067c-7dc1, Receive vlan=0, Receive CE vlan=0, IP conflict type=Remote IP conflict).
#Dec 9 2014 09:34:04+00:00 253_HW_AR2240 ARP/4/ARP_IPCONFLICT_TRAP:OID 1.3.6.1.4.1.2011.5.25.123.2.6 ARP detects IP conflict. (IP address=190.131.3.133, Local interface=GigabitEthernet0/0/1, Local MAC=7427-eae4-275b, Local vlan=0, Local CE vlan=0, Receive interface=GigabitEthernet0/0/1, Receive MAC=0017-59de-b688, Receive vlan=0, Receive CE vlan=0, IP conflict type=Remote IP conflict).
Checked the ARP table:
<253_HW_AR2240>
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE
                                          VLAN/CEVLAN PVC
190.131.1.107   0014-5e7a-75b4  20        D-0         GE0/0/1
190.131.3.121   0017-59de-b688  2         D-0         GE0/0/1
190.131.1.112   cc34-2999-9bbf  17        D-0         GE0/0/1
190.131.3.120   7427-eae4-275b  20        D-0         GE0/0/1
190.131.1.109   0014-5e19-a483  13        D-0         GE0/0/1
190.131.1.199   d815-0d38-3d3d  3         D-0         GE0/0/1
190.131.1.101   0014-5e7a-7574  19        D-0         GE0/0/1
190.131.1.206   0022-3fa5-b237  4         D-0         GE0/0/1
190.131.3.6     0017-59de-b688  18        D-0         GE0/0/1
190.131.1.6     90fb-a61e-13e5  16        D-0         GE0/0/1      // this is the MAC of a normal dumb router
190.131.1.233   7427-ea3d-e4ef  20        D-0         GE0/0/1
190.131.1.130   0060-6e9a-0d23  2         D-0         GE0/0/1      // this should be the MAC of a normal dumb router
190.131.1.50    4437-e676-91aa  2         D-0         GE0/0/1
190.131.3.130   0017-59de-b688  17        D-0         GE0/0/1
190.131.3.132   0021-272e-eb43  14        D-0         GE0/0/1
190.131.3.131   0017-59de-b688  5         D-0         GE0/0/1
190.131.3.133   0017-59de-b688  10        D-0         GE0/0/1
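The two observations above, one MAC bound to several IP addresses in the ARP table and the same MAC recurring in the ARP_IPCONFLICT_TRAP messages, can be checked mechanically. The following Python script is an added example, not part of the original case; it runs both checks over the ARP entries and trap lines copied from this page and reports the MAC that both checks point at. The function and variable names are my own, and the column layout it assumes is the one shown above.

```python
import re
from collections import defaultdict

# ARP entries as displayed by the AR2240 above (copied from the case). The
# two header lines are included so the parser has to skip them.
ARP_TABLE = """\
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE
                                          VLAN/CEVLAN PVC
190.131.1.107   0014-5e7a-75b4  20        D-0         GE0/0/1
190.131.3.121   0017-59de-b688  2         D-0         GE0/0/1
190.131.1.112   cc34-2999-9bbf  17        D-0         GE0/0/1
190.131.3.120   7427-eae4-275b  20        D-0         GE0/0/1
190.131.1.109   0014-5e19-a483  13        D-0         GE0/0/1
190.131.1.199   d815-0d38-3d3d  3         D-0         GE0/0/1
190.131.1.101   0014-5e7a-7574  19        D-0         GE0/0/1
190.131.1.206   0022-3fa5-b237  4         D-0         GE0/0/1
190.131.3.6     0017-59de-b688  18        D-0         GE0/0/1
190.131.1.6     90fb-a61e-13e5  16        D-0         GE0/0/1
190.131.1.233   7427-ea3d-e4ef  20        D-0         GE0/0/1
190.131.1.130   0060-6e9a-0d23  2         D-0         GE0/0/1
190.131.1.50    4437-e676-91aa  2         D-0         GE0/0/1
190.131.3.130   0017-59de-b688  17        D-0         GE0/0/1
190.131.3.132   0021-272e-eb43  14        D-0         GE0/0/1
190.131.3.131   0017-59de-b688  5         D-0         GE0/0/1
190.131.3.133   0017-59de-b688  10        D-0         GE0/0/1
"""

# Trap lines copied from the trapbuffer output above.
TRAP_LINES = [
    "#Dec 9 2014 10:09:34+00:00 253_HW_AR2240 ARP/4/ARP_IPCONFLICT_TRAP:OID 1.3.6.1.4.1.2011.5.25.123.2.6 ARP detects IP conflict. (IP address=190.131.3.131, Local interface=GigabitEthernet0/0/1, Local MAC=0017-59de-b688, Local vlan=0, Local CE vlan=0, Receive interface=GigabitEthernet0/0/1, Receive MAC=78a1-067c-7dc1, Receive vlan=0, Receive CE vlan=0, IP conflict type=Remote IP conflict).",
    "#Dec 9 2014 10:01:44+00:00 253_HW_AR2240 ARP/4/ARP_IPCONFLICT_TRAP:OID 1.3.6.1.4.1.2011.5.25.123.2.6 ARP detects IP conflict. (IP address=190.131.3.130, Local interface=GigabitEthernet0/0/1, Local MAC=0017-59de-b688, Local vlan=0, Local CE vlan=0, Receive interface=GigabitEthernet0/0/1, Receive MAC=78a1-067c-7dbb, Receive vlan=0, Receive CE vlan=0, IP conflict type=Remote IP conflict).",
    "#Dec 9 2014 09:49:28+00:00 253_HW_AR2240 ARP/4/ARP_IPCONFLICT_TRAP:OID 1.3.6.1.4.1.2011.5.25.123.2.6 ARP detects IP conflict. (IP address=190.131.3.131, Local interface=GigabitEthernet0/0/1, Local MAC=0017-59de-b688, Local vlan=0, Local CE vlan=0, Receive interface=GigabitEthernet0/0/1, Receive MAC=78a1-067c-7dc1, Receive vlan=0, Receive CE vlan=0, IP conflict type=Remote IP conflict).",
    "#Dec 9 2014 09:34:04+00:00 253_HW_AR2240 ARP/4/ARP_IPCONFLICT_TRAP:OID 1.3.6.1.4.1.2011.5.25.123.2.6 ARP detects IP conflict. (IP address=190.131.3.133, Local interface=GigabitEthernet0/0/1, Local MAC=7427-eae4-275b, Local vlan=0, Local CE vlan=0, Receive interface=GigabitEthernet0/0/1, Receive MAC=0017-59de-b688, Receive vlan=0, Receive CE vlan=0, IP conflict type=Remote IP conflict).",
]

MAC = r"[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}"
MAC_RE = re.compile(rf"^{MAC}$")
TRAP_RE = re.compile(
    rf"IP address=(?P<ip>[0-9.]+).*?Local MAC=(?P<local>{MAC}).*?Receive MAC=(?P<recv>{MAC})"
)


def parse_arp_table(text):
    """Return {ip: mac} from lines laid out as IP, MAC, EXPIRE, TYPE, INTERFACE.
    Header lines are skipped because their second field is not a MAC."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or not MAC_RE.match(parts[1]):
            continue
        entries[parts[0]] = parts[1]
    return entries


def macs_with_multiple_ips(entries, threshold=2):
    """Invert the table and return {mac: [ips]} for MACs holding >= threshold IPs,
    most IPs first. One MAC answering for many IPs is the ARP-table symptom
    of a host sending forged replies."""
    by_mac = defaultdict(set)
    for ip, mac in entries.items():
        by_mac[mac].add(ip)
    suspects = {m: sorted(ips) for m, ips in by_mac.items() if len(ips) >= threshold}
    return dict(sorted(suspects.items(), key=lambda kv: -len(kv[1])))


def parse_conflict_traps(lines):
    """Extract (ip, local_mac, receive_mac) from ARP_IPCONFLICT_TRAP lines."""
    out = []
    for line in lines:
        if "ARP_IPCONFLICT_TRAP" not in line:
            continue
        m = TRAP_RE.search(line)
        if m:
            out.append((m["ip"], m["local"], m["recv"]))
    return out


def rank_trap_macs(traps):
    """Count how often each MAC appears on either side of a conflict trap."""
    counts = defaultdict(int)
    for _, local, recv in traps:
        counts[local] += 1
        counts[recv] += 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))


def correlate(arp_text, trap_lines, threshold=2):
    """MACs that both hold >= threshold IPs in the ARP table and appear in the
    conflict traps: the candidates worth tracing on the access switches."""
    multi = macs_with_multiple_ips(parse_arp_table(arp_text), threshold)
    in_traps = rank_trap_macs(parse_conflict_traps(trap_lines))
    return [mac for mac in multi if mac in in_traps]


if __name__ == "__main__":
    for mac, ips in macs_with_multiple_ips(parse_arp_table(ARP_TABLE)).items():
        print(f"{mac} claims {len(ips)} IPs: {', '.join(ips)}")
    for mac, n in rank_trap_macs(parse_conflict_traps(TRAP_LINES)).items():
        print(f"{mac} in {n} conflict trap(s)")
    print("suspect MAC(s):", correlate(ARP_TABLE, TRAP_LINES))
```

On the page's data both checks single out 0017-59de-b688, which is the MAC the ACL in step 3 filters. When the access switches are unmanaged, as here, this kind of correlation on the gateway is the only evidence available, since there is no MAC table on the switches to trace the port from.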
2. Tracing 0017-59de-b688: the core and floor switches are all unmanaged dumb switches, so the location of 0017-59de-b688 could not be determined.
3. Configured a Layer 2 ARP traffic filter on the AR router; the problem was resolved.
[Huawei]acl number 4444
[Huawei-acl-L2-4444]rule 5 deny l2-protocol arp source-mac 0017-59de-b688
[Huawei]int g0/0/1
[Huawei-GigabitEthernet0/0/1]traffic-filter inbound acl 4444