This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forÂ
- Extreme Networks
- Community List
- Switching & Routing
- ExtremeSwitching (EXOS/Switch Engine)
- More alert on dos-protect notifies
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
More alert on dos-protect notifies
More alert on dos-protect notifies
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
‎01-07-2014 10:02 PM
Create Date: May 20 2013 1:08PM
Is there a way to enable more logging for things that trigger the notify-threshold for dos-protect? If something hits the alarm threshold, the ACL that gets created is logged, showing what the switch is being bombarded with; is there a way to log what is triggering the notify? (from Ansley_Barnes)
Is there a way to enable more logging for things that trigger the notify-threshold for dos-protect? If something hits the alarm threshold, the ACL that gets created is logged, showing what the switch is being bombarded with; is there a way to log what is triggering the notify? (from Ansley_Barnes)
9 REPLIES 9
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
‎01-07-2014 10:02 PM
Create Date: May 24 2013 4:18PM
I've seen those processes take up good chunks of CPU too, even without those ip-security functions engaged. The no-port entries are a good data point though, I wonder if this is a bug. (from Ansley_Barnes)
I've seen those processes take up good chunks of CPU too, even without those ip-security functions engaged. The no-port entries are a good data point though, I wonder if this is a bug. (from Ansley_Barnes)
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
‎01-07-2014 10:02 PM
Create Date: May 24 2013 6:41AM
I also use those functions and sometimes I see something like describe bellow.
sw config
enable ip-security dhcp-snooping on vlan
enable ip-security arp learning learn-from-dhcp
disable ip-security arp learning learn-from-arp
enable ip-security arp validation
Most of time all is working well, but for example when a 5 entries from ip-security dhcp-snooping
are expired, and iparp table shows:
VR Destination Mac Age Static VLAN VID Port
VR-Default 192.168.55.6 00:04:23??bd:b3 416 yes lan1 798 <- no port
VR-Default 192.168.55.7 00:04:23??bd:b4 313 yes lan1 798 5
I see that processes tbcm_msm_tx, bcmCNTR, bcmLINK utilizing CPU.
Then I delete the one of the 5 entries with "no port", and the problem is gone.
It seems that one of those causes problems for the CPU.
There is no impact on traffic that goes through the switch.
--
Jarek
(from Jaroslaw_Kasjaniuk)
I also use those functions and sometimes I see something like describe bellow.
sw config
enable ip-security dhcp-snooping on vlan
enable ip-security arp learning learn-from-dhcp
disable ip-security arp learning learn-from-arp
enable ip-security arp validation
Most of time all is working well, but for example when a 5 entries from ip-security dhcp-snooping
are expired, and iparp table shows:
VR Destination Mac Age Static VLAN VID Port
VR-Default 192.168.55.6 00:04:23??bd:b3 416 yes lan1 798 <- no port
VR-Default 192.168.55.7 00:04:23??bd:b4 313 yes lan1 798 5
I see that processes tbcm_msm_tx, bcmCNTR, bcmLINK utilizing CPU.
Then I delete the one of the 5 entries with "no port", and the problem is gone.
It seems that one of those causes problems for the CPU.
There is no impact on traffic that goes through the switch.
--
Jarek
(from Jaroslaw_Kasjaniuk)
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
‎01-07-2014 10:02 PM
Create Date: May 23 2013 10:01PM
These things are exactly what I do  We do have some publicly routeable segments where traffic is pretty much unfiltered; I do what I can but sometimes we just get alarms and it's difficult to determine what's happening, especially if I'm not there at the moment with a packet sniffer. I recognize that if a lot of traffic is hitting the CPU, that can be cause for concern, and anywhere I can I take steps to prevent it, to improve scalability and performance. Thanks for the tips! (from Ansley_Barnes)
These things are exactly what I do  We do have some publicly routeable segments where traffic is pretty much unfiltered; I do what I can but sometimes we just get alarms and it's difficult to determine what's happening, especially if I'm not there at the moment with a packet sniffer. I recognize that if a lot of traffic is hitting the CPU, that can be cause for concern, and anywhere I can I take steps to prevent it, to improve scalability and performance. Thanks for the tips! (from Ansley_Barnes)
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
‎01-07-2014 10:02 PM
Create Date: May 23 2013 8:50PM
Hmm... usually CPU is processing:
- arp packets and traffic that is coming to switch IP interface
- broadcast traffic
- when you disable learning for example on one vlan, broadcast traffic going through this vlan is hitting the CPU
- switch management traffic
- routing and control protocols ICMP, BGP, OSPF, STP, EAPS, ESRP
- packets directed to the switch that must be discarded by the CPU
I don't know how your network looks like (config,etc..), what traffic is allowed and what not,
but maybe you can try to use IP Security functions like Flood Rate Limitation,
Gratuitous ARP Protection, Protocol Anomaly Protection, dhcpsnooping. arp validation etc.
ACL on switch IP interface or when you use disable learning vlan function use acl with action deny-cpu
And finally you can mirror traffic to one port and check what is going on in the network...
--
Jarek (from Jaroslaw_Kasjaniuk)
Hmm... usually CPU is processing:
- arp packets and traffic that is coming to switch IP interface
- broadcast traffic
- when you disable learning for example on one vlan, broadcast traffic going through this vlan is hitting the CPU
- switch management traffic
- routing and control protocols ICMP, BGP, OSPF, STP, EAPS, ESRP
- packets directed to the switch that must be discarded by the CPU
I don't know how your network looks like (config,etc..), what traffic is allowed and what not,
but maybe you can try to use IP Security functions like Flood Rate Limitation,
Gratuitous ARP Protection, Protocol Anomaly Protection, dhcpsnooping. arp validation etc.
ACL on switch IP interface or when you use disable learning vlan function use acl with action deny-cpu
And finally you can mirror traffic to one port and check what is going on in the network...
--
Jarek (from Jaroslaw_Kasjaniuk)
