Transient Traffic Interruption on Ports Due to Source MAC Address Attacks Troubleshooting


Table of Contents

Chapter 1 Transient Traffic Interruption on Ports Due to Source MAC Address Attacks Troubleshooting
    1.1 Symptom
    1.2 Related Information
    1.3 Diagnosis
    1.4 Troubleshooting
    1.5 Suggestion and Conclusion

Chapter 1 Transient Traffic Interruption on Ports Due to Source MAC Address Attacks Troubleshooting

1.1 Symptom

As Figure 1-1 shows, the switch is attached to a DSLAM (Digital Subscriber Line Access Multiplexer) downstream and a BAS (Broadband Access Server) upstream. The BAS terminates the users' dial-up PPPoE (Point-to-Point Protocol over Ethernet) packets. Selective QinQ is enabled on the switch, with VLAN 824 as the user-side VLAN and VLAN 1003 as the network-side VLAN. The gateway MAC address of the BAS is 0090-1AA0-D47A.

[Figure 1-1 Transient traffic interruption on ports due to source MAC address attacks. Topology: BAS <-> GE2/0/1 (Switch) Eth3/0/4 <-> DSLAM <-> Host A, Host B, Host C]

Fault description: The majority of the hosts attached to the DSLAM are disconnected intermittently. When the fault occurs, the traffic on port Ethernet 3/0/4 drops rapidly, and all incoming unicast packets are discarded on the port. Approximately five minutes later, the traffic on port Ethernet 3/0/4 slowly recovers, indicating that the fault has cleared; the hosts attached to the DSLAM come back online and the network gradually returns to normal.

1.2 Related Information

```
<Switch> display interface ethernet 3/0/4
Ethernet3/0/4 current state: UP
IP Packet Frame Type: PKTFMT_ETHNT_2, Hardware Address: 000f-e200-8048
Description: Ethernet3/0/4 Interface
Loopback is not set
Media type is twisted pair, port hardware type is 100_BASE_TX
Unknown-speed mode, unknown-duplex mode
Link speed type is autonegotiation, link duplex type is autonegotiation
Flow-control is not enabled
The Maximum Frame Length is 9022
Broadcast MAX-ratio: 100%
Unicast MAX-ratio: 100%
Multicast MAX-ratio: 100%
Allow jumbo frame to pass
PVID: 100
Mdi type: auto
Port link-type: trunk
 VLAN Passing  : 824
 VLAN Permitted: 824
 Trunk port encapsulation: IEEE 802.1q
Port priority: 0
Last 300 seconds input:  1 packets/sec 147 bytes/sec
Last 300 seconds output: 1 packets/sec 179 bytes/sec
Input (total): 271 packets, 12250 bytes   //Only multicast and broadcast packet counts are available when a port failure occurs.
         150 broadcasts, 121 multicasts
Input (normal): 271 packets, 12250 bytes
         150 broadcasts, 121 multicasts
Input: 0 input errors, 0 runts, 0 giants, 0 throttles
         0 CRC, 0 frame, - overruns, 0 aborts
         - ignored, - parity errors
Output (total): 1522 packets, 183608303 bytes
         13 broadcasts, 860 multicasts, 0 pauses
Output (normal): 1522 packets, - bytes
         13 broadcasts, 860 multicasts, 0 pauses
Output: 0 output errors, - underruns, 1 buffer failures
         0 aborts, 0 deferred, 0 collisions, 0 late collisions
         0 lost carrier, - no carrier
```

1.3 Diagnosis

The above output shows that only multicast and broadcast packets were received on port Ethernet 3/0/4 of the switch when the fault occurred. It follows that the incoming unicast packets are being discarded on port Ethernet 3/0/4 of the switch. Since the traffic of the hosts attached to the DSLAM consists mainly of unicast packets, this unicast packet loss disconnects the hosts and forces them to log on again; hence the traffic on the port drops sharply. The fault can therefore be attributed to packet loss.

This packet loss resembles the discarding of packets returned to their source port: the port receives packets whose destination MAC address is one that the port itself has learned. Normally, the MAC address of the BAS (the destination MAC address of the PPPoE unicast packets reaching port Ethernet 3/0/4 of the switch) can only be learned by GigabitEthernet 2/0/1 of the switch in VLAN 1003 (the external VLAN), never by a user-side port, unless there are loops in the network. Below is the MAC address table of the switch under normal conditions:

```
<Switch> display mac-address
MAC ADDR         VLAN ID  STATE    PORT INDEX              AGING TIME(s)
0090-1aa0-d47a   1003     Learned  GigabitEthernet2/0/1    AGING
0090-1aa0-d47a   1101     Learned  GigabitEthernet2/0/1    AGING
0090-1aa0-d47a   1201     Learned  GigabitEthernet2/0/1    AGING
0090-1aa0-d47a   4093     Learned  GigabitEthernet2/0/1    AGING
```

Below is the MAC address learned by port Ethernet 3/0/4 of the switch when the fault occurs:

```
0090-1aa0-d47a   824      Learned  Ethernet3/0/4           AGING
```

The entry shown is the MAC address of the BAS. Note that it was learned by port Ethernet 3/0/4 of the switch (a user-side port) in VLAN 824. Because the destination MAC address of the PPPoE service packets reaching port Ethernet 3/0/4 is exactly the MAC address of the BAS, all such PPPoE packets are treated as packets returned to their source port and are discarded.

By comparing the fault location information before and after the fault occurs, you can find the following pattern: when the majority of the hosts attached to the DSLAM are disconnected (that is, a large number of packets are discarded on the port), the MAC address of the BAS has been learned by port Ethernet 3/0/4 of the switch. As the traffic gradually recovers to normal, that MAC address entry ages out. Since the DSLAM and the switch are directly connected, no loop exists between them and the network topology is always stable. You can therefore draw the conclusion that a host attached to the DSLAM is attacking the switch through gateway MAC address spoofing, and this causes the majority of the hosts attached to the DSLAM to be disconnected. The attacker's intention is to obtain more bandwidth by disconnecting other users, forcing the network to initialize once more; after that, the attacker gets a faster network speed.
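The diagnostic rule above (the BAS gateway MAC appearing as a dynamically learned entry on a user-side port, while the port's input counters show no unicast at all) can be checked automatically from the CLI output. The following Python is an added example, not part of the H3C document; the sample outputs are constructed from the values in this case, and the regular expressions assume the column layout shown above.

```python
import re

# Constructed sample of "display mac-address" output with the addresses, VLANs and
# ports from this case: the BAS gateway MAC learnt on the uplink in network-side
# VLANs, plus the anomalous entry learnt on the user-side port in VLAN 824.
SAMPLE_MAC_TABLE = """\
MAC ADDR         VLAN ID  STATE    PORT INDEX              AGING TIME(s)
0090-1aa0-d47a   1003     Learned  GigabitEthernet2/0/1    AGING
0090-1aa0-d47a   1101     Learned  GigabitEthernet2/0/1    AGING
0090-1aa0-d47a   824      Learned  Ethernet3/0/4           AGING
"""

# Constructed excerpt of the "display interface" input counters from section 1.2.
SAMPLE_COUNTERS = """\
Input (total): 271 packets, 12250 bytes
150 broadcasts, 121 multicasts
"""

ROW = re.compile(r"^([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+(\d+)\s+(\S+)\s+(\S+)", re.I)
INPUT_TOTAL = re.compile(r"Input \(total\):\s+(\d+) packets.*?(\d+) broadcasts, (\d+) multicasts", re.S)

def parse_mac_table(text):
    """Return (mac, vlan, state, port) tuples from H3C 'display mac-address' output."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append((m.group(1).lower(), int(m.group(2)), m.group(3), m.group(4)))
    return rows

def find_spoofed_gateway(rows, gateway_mac, uplink_ports):
    """Dynamically learned entries for the gateway MAC on a port that is not an uplink.
    Only 'Learned' rows count: a static entry on the uplink is the expected state
    after the fix in section 1.4, and the gateway is never expected on a user port."""
    gateway_mac = gateway_mac.lower()
    uplinks = {p.lower() for p in uplink_ports}
    return [(vlan, port) for mac, vlan, state, port in rows
            if mac == gateway_mac and state.lower() == "learned"
            and port.lower() not in uplinks]

def unicast_input(counters_text):
    """Unicast input packets = total input minus broadcasts and multicasts.
    Zero means only flooded traffic got in: the counter signature of this fault."""
    m = INPUT_TOTAL.search(counters_text)
    if m is None:
        return None
    total, broadcasts, multicasts = (int(g) for g in m.groups())
    return total - broadcasts - multicasts
```

Run both checks on a periodic capture of the two commands; a non-empty list from find_spoofed_gateway together with a zero unicast count reproduces the evidence this case relies on.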

1.4 Troubleshooting

On port GigabitEthernet 2/0/1 of the switch (the uplink port), configure a static gateway MAC address for the user-side VLAN 824. In this way, the gateway MAC address can never be learned by port Ethernet 3/0/4 of the switch, and attacks through MAC address spoofing fail. The configuration is as follows.

```
# Add port GigabitEthernet 2/0/1 to VLAN 824.
<Switch> system-view
[Switch] interface gigabitethernet 2/0/1
[Switch-GigabitEthernet2/0/1] port link-type trunk
[Switch-GigabitEthernet2/0/1] port trunk permit vlan 824
# Configure a static gateway MAC address on port GigabitEthernet2/0/1 for VLAN 824.
[Switch-GigabitEthernet2/0/1] quit
[Switch] mac-address static 0090-1aa0-d47a interface gigabitethernet 2/0/1 vlan 824
```

After the static MAC address is configured, the hosts attached to the DSLAM run normally and are never disconnected again.

Note: If there are multiple uplink ports, you can configure the static MAC address on any one of them to solve the problem.

1.5 Suggestion and Conclusion

When selective QinQ is enabled, it is recommended that you configure a static gateway MAC address on an uplink port of the device to prevent source MAC address attacks.

Copyright 2008 Hangzhou H3C Technologies Co., Ltd. All rights reserved. No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd. The information in this document is subject to change without notice.