DOS protect log message


Userlevel 1
Hi, I have a problem... I see these messages in the log



I read the Extreme documents but it's not clear to me. In the ExtremeXOS 16.1 EMS Message Catalog I read that this message is only informative, and the DOS protect log message article says that "Once the threshold is exceeded, it will stop the packets from reaching the CPU".
So my question is:

Is there a locking action in the SW, or is it definitely only information?

4 replies

Userlevel 4
Hello Daniel,

Dos-protect is a simulated process that will send packets to the CPU for examination based on the amount specified in the configuration (show configuration dosprotect). Once the configured amount is exceeded it will inform with log messages. Dos-protect checks a specified amount of packets for patterns. If none are found it will also notify of this in the log.

What type of locking action are you referring to? It will help if you can provide the output of "show config dosprotect".
Userlevel 1
Hernandez, Joshua wrote:

Hello Daniel,

Dos-protect is a simulated process that will send packets to the CPU for examination based on the amount specified in the configuration (show configuration dosprotect). Once the configured amount is exceeded it will inform with log messages. Dos-protect checks a specified amount of packets for patterns. If none are found it will also notify of this in the log.

What type of locking action are you referring to? It will help if you can provide the output of "show config dosprotect".

Thanks for your comments... I'm referring to completely blocking the LAN services for about 5 sec.

Userlevel 6
An important key to understanding how the DDOS to cpu works is knowing what packets are sent to the cpu versus switched in hardware. You can run this in active mode, which will create the acl on the fly and block the packets it is targeting in the acl from the cpu, or you can run in simulated mode (we do this), where you get the same traps but no acl is created. If you are lucky you get a mac address or ip address in the info. This does not stop a flood on your interfaces; it only protects the cpu from being overrun...
Userlevel 6
Maybe this will help... Here is a snip of log messages from a core IPTV switch that had an EAPS ring event, and there was a flood of mcast joins when the ring fails over, which is processed by the cpu. You see the port affected and the ip address that was generating the traffic. In our case this did not affect network traffic as this was only mcast joins.... If this were a flood or broadcast storm where the links would be overrun then it would still create an acl, but it would not stop the traffic on the interface; it only protects the traffic from overwhelming the cpu...

02/17/2016 14:36:41.77 [i] MSM-A: Removed ACL from port 2:2, srcIP 172.16.150.60 to destIP 0.0.0.0, protocol udp
02/17/2016 14:36:37.12 [i] MSM-A: Notify-threshold for L3 Protect packet count of 3500 reached
02/17/2016 14:36:36.15 [i] MSM-A: Added an ACL to port 2:2, srcIP 172.16.150.60 to destIP 0.0.0.0, protocol udp
02/17/2016 14:36:36.05 [i] MSM-A: Notify-threshold for L3 Protect packet count of 3500 reached
02/17/2016 14:36:35.06 [i] MSM-A: No traffic pattern found
02/17/2016 14:36:34.97 [i] MSM-A: Notify-threshold for L3 Protect packet count of 3500 reached

If this were a bcast storm the destination address would be the bcast address for subnet and not 0.0.0.0 ...
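
An added example, not part of any post in this thread and not Extreme Networks code: a small Python parser that reads the six log lines quoted above, counts notify-threshold events, and pairs each "Added an ACL" line with its "Removed ACL" line to show how long the CPU-protecting ACL stayed in place. The function name `summarize` is hypothetical, and the regular expressions assume the message wording is exactly as shown in these six lines.

```python
import re
from datetime import datetime

# Log lines copied from the post above, in the order they appear there (newest first).
SAMPLE_LOG = """\
02/17/2016 14:36:41.77 [i] MSM-A: Removed ACL from port 2:2, srcIP 172.16.150.60 to destIP 0.0.0.0, protocol udp
02/17/2016 14:36:37.12 [i] MSM-A: Notify-threshold for L3 Protect packet count of 3500 reached
02/17/2016 14:36:36.15 [i] MSM-A: Added an ACL to port 2:2, srcIP 172.16.150.60 to destIP 0.0.0.0, protocol udp
02/17/2016 14:36:36.05 [i] MSM-A: Notify-threshold for L3 Protect packet count of 3500 reached
02/17/2016 14:36:35.06 [i] MSM-A: No traffic pattern found
02/17/2016 14:36:34.97 [i] MSM-A: Notify-threshold for L3 Protect packet count of 3500 reached
"""

LINE = re.compile(r"^(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d\.\d\d) \[\w\] ([\w-]+): (.*)$")
ACL = re.compile(r"^(Added an ACL to|Removed ACL from) port (\S+), srcIP (\S+) to destIP (\S+), protocol (\w+)$")


def summarize(log_text):
    """Return (threshold_hits, no_pattern_count, acl_blocks) for a dos-protect log."""
    events = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if m:  # lines in any other format are skipped
            ts = datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S.%f")
            events.append((ts, m.group(3)))
    events.sort(key=lambda e: e[0])  # process oldest first

    hits, no_pattern, open_acls, blocks = 0, 0, {}, []
    for ts, msg in events:
        acl = ACL.match(msg)
        if msg.startswith("Notify-threshold"):
            hits += 1
        elif msg == "No traffic pattern found":
            no_pattern += 1
        elif acl:
            key = acl.groups()[1:]  # (port, srcIP, destIP, protocol)
            if acl.group(1).startswith("Added"):
                open_acls[key] = ts
            elif key in open_acls:  # a removal that matches an earlier add
                seconds = (ts - open_acls.pop(key)).total_seconds()
                blocks.append({"port": key[0], "src": key[1], "dst": key[2],
                               "proto": key[3], "seconds": round(seconds, 2)})
    return hits, no_pattern, blocks


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```
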