Header Only - DO NOT REMOVE - Extreme Networks
Question

More alert on dos-protect notifies


Userlevel 4
Create Date: May 20 2013 1:08PM

Is there a way to enable more logging for things that trigger the notify-threshold for dos-protect? If something hits the alarm threshold, the ACL that gets created is logged, showing what the switch is being bombarded with; is there a way to log what is triggering the notify? (from Ansley_Barnes)

9 replies

Userlevel 4
Create Date: May 21 2013 10:50AM

Hi,

you can log:
configure log filter "DefaultFilter" add events DOSProt?

"DOSProt.AddACLOK"
"DOSProt.CreateACLFail"
"DOSProt.DebugData"
"DOSProt.DebugSummary"
"DOSProt.DebugVerbose"
"DOSProt.DelACLOK"
"DOSProt.DuplACLDtect"
"DOSProt.Init"
"DOSProt.InitIPMLFail"
"DOSProt.PktCntExcd"
"DOSProt.PtrnNotFnd"
"DOSProt.ReadBktSizeInv"
"DOSProt.RecvNotifyInv"
"DOSProt.SetDOSDevFail"
"DOSProt.StartLibFail"
"DOSProt.UnExpDevErr"

--
Jarek
(from Jaroslaw_Kasjaniuk)
Userlevel 4
Create Date: May 21 2013 4:49PM

Awesome, I'll try this - thanks! (from Ansley_Barnes)
Userlevel 4
Create Date: May 22 2013 3:48PM

I added those, but it doesn't seem to increase the amount of info logged when the notify trigger is reached. Anyone else have tips? (from Ansley_Barnes)
Userlevel 4
Create Date: May 23 2013 6:57AM

I see something like this (dos-protect simulated):

May 23 08:51:13 sw-2 DOSProt: Removed ACL from port 26, srcIP 192.168.44.5 to destIP 192.168.44.58, protocol tcp
May 23 08:51:13 sw-2 ACL from port 26, srcIP 192.168.44.5 to destIP 192.168.44.58, protocol tcp
May 23 08:48:07 sw-2 DOSProt: Added an ACL to port 5, srcIP 192.168.44.5 to destIP 192.168.44.4, protocol icmp
May 23 08:48:07 sw-2 an ACL to port 5, srcIP 192.168.44.5 to destIP 192.168.44.4, protocol icmp
May 23 08:48:19 sw-2 DOSProt: Notify-threshold for L3 Protect packet count of 20 reached

--
Jarek (from Jaroslaw_Kasjaniuk)
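The log lines in the reply above show what dos-protect itself gives you: the ACL add/remove messages carry source, destination, port and protocol, while the notify message only carries a packet count. The following is an added example, not code from the thread or from Extreme Networks, that parses syslog lines of exactly those three shapes, orders them by time, ranks the flows that caused an ACL to be installed, and, for each notify, lists any ACL installed on the same switch within a time window as a hint about what was being counted. It assumes EXOS keeps this message wording; the sample lines are the ones pasted in the post, including its two truncated copies, which the parser skips rather than misreading.

```python
import re
from collections import Counter
from datetime import datetime

# Sample input: the three well-formed DOSProt lines pasted in the thread, plus the
# two truncated copies that also appear there, to show that lines not matching the
# known message shapes are skipped instead of crashing the parser.
SAMPLE_LOG = """\
May 23 08:51:13 sw-2 DOSProt: Removed ACL from port 26, srcIP 192.168.44.5 to destIP 192.168.44.58, protocol tcp
May 23 08:51:13 sw-2 ACL from port 26, srcIP 192.168.44.5 to destIP 192.168.44.58, protocol tcp
May 23 08:48:07 sw-2 DOSProt: Added an ACL to port 5, srcIP 192.168.44.5 to destIP 192.168.44.4, protocol icmp
May 23 08:48:07 sw-2 an ACL to port 5, srcIP 192.168.44.5 to destIP 192.168.44.4, protocol icmp
May 23 08:48:19 sw-2 DOSProt: Notify-threshold for L3 Protect packet count of 20 reached
""".splitlines()

# Assumption: EXOS keeps exactly this wording for the three messages. The timestamp
# is syslog style with no year, so ordering is only meaningful within one capture.
_TS = r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) DOSProt: "
ACL_RE = re.compile(
    _TS + r"(?P<action>Added an ACL to|Removed ACL from) port (?P<port>\d+), "
    r"srcIP (?P<src>[\d.]+) to destIP (?P<dst>[\d.]+), protocol (?P<proto>\w+)$"
)
NOTIFY_RE = re.compile(
    _TS + r"Notify-threshold for (?P<kind>.+?) packet count of (?P<count>\d+) reached$"
)


def _ts(text):
    # strptime fills in year 1900; that is fine for ordering lines from one capture.
    return datetime.strptime(text, "%b %d %H:%M:%S")


def parse_dosprot(lines):
    """Turn raw syslog lines into event dicts, oldest first; unknown lines are dropped."""
    events = []
    for line in lines:
        m = ACL_RE.match(line)
        if m:
            events.append({
                "ts": _ts(m["ts"]), "host": m["host"],
                "event": "acl_added" if m["action"].startswith("Added") else "acl_removed",
                "port": int(m["port"]), "src": m["src"], "dst": m["dst"],
                "proto": m["proto"],
            })
            continue
        m = NOTIFY_RE.match(line)
        if m:
            events.append({
                "ts": _ts(m["ts"]), "host": m["host"], "event": "notify",
                "kind": m["kind"], "count": int(m["count"]),
            })
    events.sort(key=lambda e: e["ts"])
    return events


def top_flows(events):
    """Flows (src, dst, proto) ranked by how often dos-protect installed an ACL for them."""
    return Counter(
        (e["src"], e["dst"], e["proto"]) for e in events if e["event"] == "acl_added"
    ).most_common()


def correlate(events, window_s=60):
    """For each notify, list flows that got an ACL on the same switch within +/- window_s.

    A notify carries no addresses, so this is only a hint: a flow that crossed the
    alarm threshold shortly before or after is a likely, not certain, culprit.
    """
    acls = [e for e in events if e["event"] == "acl_added"]
    out = []
    for n in (e for e in events if e["event"] == "notify"):
        near = [
            (a["src"], a["dst"], a["proto"])
            for a in acls
            if a["host"] == n["host"] and abs(a["ts"] - n["ts"]).total_seconds() <= window_s
        ]
        out.append((n, near))
    return out


if __name__ == "__main__":
    evs = parse_dosprot(SAMPLE_LOG)
    for e in evs:
        print(e["ts"].strftime("%H:%M:%S"), e["event"])
    print("flows by ACL count:", top_flows(evs))
    for notify, near in correlate(evs):
        print(f"{notify['kind']} notify (count {notify['count']}) near:", near or "nothing")
```

Run against a longer export of the switch log, the ranking shows which flows keep crossing the alarm threshold, and the notify correlation narrows down what to look at when only the notify fired; it does not replace a mirror port for the traffic that never reached the alarm level.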
Userlevel 4
Create Date: May 23 2013 6:40PM

The problem I have is that those messages only get descriptive when the ACL is generated - the "alert" level. The "notify" level just says "hey, i see a lot of traffic here" but doesn't say what. It would be really helpful to show what was happening before the ACL is generated. There's a section of my network with a lot of dynamic factors so just taking its temperature with dos-protect simulated doesn't give me a good idea of where to set my limits. Besides that, if there's a section that's generating alarms, but with legitimate traffic, I'd like to be able to see that and take appropriate restructuring action so that the legitimate traffic isn't hitting the switches' CPUs. (from Ansley_Barnes)
Userlevel 4
Create Date: May 23 2013 8:50PM

Hmm... usually the CPU is processing:
- ARP packets and traffic coming to the switch IP interface
- broadcast traffic
- when you disable learning, for example on one VLAN, broadcast traffic going through this VLAN hits the CPU
- switch management traffic
- routing and control protocols (ICMP, BGP, OSPF, STP, EAPS, ESRP)
- packets directed to the switch that must be discarded by the CPU

I don't know what your network looks like (config, etc.), what traffic is allowed and what not,
but maybe you can try to use IP Security functions like Flood Rate Limitation,
Gratuitous ARP Protection, Protocol Anomaly Protection, DHCP snooping, ARP validation etc.,
an ACL on the switch IP interface, or, when you use the disable-learning VLAN function, an ACL with action deny-cpu.

And finally you can mirror traffic to one port and check what is going on in the network...

--
Jarek (from Jaroslaw_Kasjaniuk)
Userlevel 4
Create Date: May 23 2013 10:01PM

These things are exactly what I do 🙂 We do have some publicly routable segments where traffic is pretty much unfiltered; I do what I can but sometimes we just get alarms and it's difficult to determine what's happening, especially if I'm not there at the moment with a packet sniffer. I recognize that if a lot of traffic is hitting the CPU, that can be cause for concern, and anywhere I can I take steps to prevent it, to improve scalability and performance. Thanks for the tips! (from Ansley_Barnes)
Userlevel 4
Create Date: May 24 2013 6:41AM

I also use those functions and sometimes I see something like what is described below.

sw config

enable ip-security dhcp-snooping on vlan
enable ip-security arp learning learn-from-dhcp
disable ip-security arp learning learn-from-arp
enable ip-security arp validation

Most of the time all is working well, but for example when 5 entries from ip-security dhcp-snooping
have expired, the iparp table shows:

VR          Destination    Mac                 Age  Static  VLAN  VID  Port
VR-Default  192.168.55.6   00:04:23:be:bd:b3   416  yes     lan1  798       <- no port
VR-Default  192.168.55.7   00:04:23:be:bd:b4   313  yes     lan1  798  5

I see that the processes tbcm_msm_tx, bcmCNTR and bcmLINK are utilizing the CPU.
Then I delete one of the 5 entries with "no port", and the problem is gone.
It seems that one of those causes problems for the CPU.
There is no impact on traffic that goes through the switch.

--
Jarek
(from Jaroslaw_Kasjaniuk)
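The "no port" entries Jarek describes are easy to miss in a long "show iparp" listing. The following is an added example, not code from the thread or from Extreme Networks, that parses a pasted "show iparp" table, tolerates the missing Port column, lists the static entries that have no port, and prints the cleanup commands. The column layout and the "delete iparp <ip>" command are assumptions; the sample rows are constructed after the excerpt in the post, with one extra dynamic row to show it is not flagged.

```python
import re

# Constructed sample, modelled on the "show iparp" excerpt in the post above.
# Column layout is an assumption; addresses and MACs are illustrative.
SAMPLE_IPARP = """\
VR            Destination      Mac                 Age  Static  VLAN      VID   Port
VR-Default    192.168.55.6     00:04:23:be:bd:b3   416  yes     lan1      798
VR-Default    192.168.55.7     00:04:23:be:bd:b4   313  yes     lan1      798   5
VR-Default    192.168.55.8     00:04:23:be:bd:b5    12  no      lan1      798   7
"""

IP_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I)


def parse_iparp(text):
    """Parse 'show iparp' rows into dicts; 'port' is None when the column is empty."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        # A data row is VR, IP, MAC, Age, Static, VLAN, VID and optionally Port;
        # anything else (header, blank line, unexpected layout) is skipped.
        if len(f) < 7 or not IP_RE.match(f[1]) or not MAC_RE.match(f[2]):
            continue
        rows.append({
            "vr": f[0], "ip": f[1], "mac": f[2].lower(), "age": int(f[3]),
            "static": f[4].lower() == "yes", "vlan": f[5], "vid": int(f[6]),
            "port": f[7] if len(f) > 7 else None,
        })
    return rows


def portless_static(rows):
    """Static entries (the DHCP-snooping derived ones) that no longer carry a port."""
    return [r["ip"] for r in rows if r["static"] and r["port"] is None]


def cleanup_commands(ips):
    """EXOS commands to remove those entries (assumption: 'delete iparp <ip>' is the verb)."""
    return [f"delete iparp {ip}" for ip in ips]


if __name__ == "__main__":
    bad = portless_static(parse_iparp(SAMPLE_IPARP))
    print("static ARP entries with no port:", bad)
    print("\n".join(cleanup_commands(bad)))
```

Feed it the output of "show iparp" captured from the switch; if the flagged entries line up with the CPU spikes from tbcm_msm_tx, bcmCNTR and bcmLINK, that is the data point to attach to a support case.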
Userlevel 4
Create Date: May 24 2013 4:18PM

I've seen those processes take up good chunks of CPU too, even without those ip-security functions engaged. The no-port entries are a good data point though, I wonder if this is a bug. (from Ansley_Barnes)
