S9300下挂用户无法正常获取（DHCP）IP地址解决方案

小乔 · 发表于 2016-8-18 09:47:17

问题描述
S9300下挂用户无法正常获取（DHCP）IP地址
处理过程
1、查看设备log，提示大量CP-CAR DHCP丢包。

2、查看CPU利用率，DHCP进程利用率较大

<BiShan-9306-127.201>display cpu-usage
CPU Usage Stat. Cycle: 60 (Second)
CPU Usage          : 48% Max: 99%
CPU Usage Stat. Time : 2016-07-28  20:07:48
CPU utilization for five seconds: 48%: one minute: 48%: five minutes: 47%.

TaskName       CPU  Runtime(CPU Tick High/Tick Low)  Task Explanation
BOX             0%       0/  deb165    BOX Output
_TIL          0%       0/    0    Infinite loop event task
_EXC          0%       0/    0    Exception Agent Task
VIDL          52%       5/1fd304a8    DOPRA IDLE
TICK          0%       0/ d49c503

.......
DHCP          21%       2/2071dfc6    DHCP Dynamic Host Config Protocol
AAA             0%       0/  179627    AAA  Authen Account Authorize

......
OS             11%       1/135f9afe    Operation System

3、查看CPU-DEFEND计数，发现某一个（2号）槽位的dhcp-server报文计数很大，dhcp-client 报文正常

<BiShan-9306-127.201>
<BiShan-9306-127.201>display cpu-defend statistics packet-type dhcp-client all
Statistics on mainboard:
-------------------------------------------------------------------------------
Packet Type       Pass(Bytes)  Drop(Bytes) Pass(Packets) Drop(Packets)
-------------------------------------------------------------------------------
dhcp-client                0          0             0             0
-------------------------------------------------------------------------------
Statistics on slot 1:
-------------------------------------------------------------------------------
Packet Type       Pass(Bytes)  Drop(Bytes) Pass(Packets) Drop(Packets)
-------------------------------------------------------------------------------
dhcp-client             658604          0          1761             0
-------------------------------------------------------------------------------
Statistics on slot 2:
-------------------------------------------------------------------------------
Packet Type       Pass(Bytes)  Drop(Bytes) Pass(Packets) Drop(Packets)
-------------------------------------------------------------------------------
dhcp-client             377854          0          1019             0
-------------------------------------------------------------------------------
<BiShan-9306-127.201>display cpu-defend statistics packet-type dhcp-client all
Statistics on mainboard:
-------------------------------------------------------------------------------
Packet Type       Pass(Bytes)  Drop(Bytes) Pass(Packets) Drop(Packets)
-------------------------------------------------------------------------------
dhcp-client                0          0             0             0
-------------------------------------------------------------------------------
Statistics on slot 1:
-------------------------------------------------------------------------------
Packet Type       Pass(Bytes)  Drop(Bytes) Pass(Packets) Drop(Packets)
-------------------------------------------------------------------------------
dhcp-client             658604          0          1761             0
-------------------------------------------------------------------------------
Statistics on slot 2:
-------------------------------------------------------------------------------
Packet Type       Pass(Bytes)  Drop(Bytes) Pass(Packets) Drop(Packets)
-------------------------------------------------------------------------------
dhcp-client             377854          0          1019             0
-------------------------------------------------------------------------------
<BiShan-9306-127.201>
<BiShan-9306-127.201>
<BiShan-9306-127.201>display cpu-defend statistics packet-type dhcp-server all
Statistics on mainboard:
-------------------------------------------------------------------------------
Packet Type       Pass(Bytes)  Drop(Bytes) Pass(Packets) Drop(Packets)
-------------------------------------------------------------------------------
dhcp-server                0          0             0             0
-------------------------------------------------------------------------------
Statistics on slot 1:
-------------------------------------------------------------------------------
Packet Type       Pass(Bytes)  Drop(Bytes) Pass(Packets) Drop(Packets)
-------------------------------------------------------------------------------
dhcp-server          315304452    3085262       868244          8915
-------------------------------------------------------------------------------
Statistics on slot 2:
-------------------------------------------------------------------------------
Packet Type       Pass(Bytes)  Drop(Bytes) Pass(Packets) Drop(Packets)
-------------------------------------------------------------------------------
dhcp-server       7908354303  1765798682k       15569471    4911923678
-------------------------------------------------------------------------------
<BiShan-9306-127.201>display cpu-defend statistics packet-type dhcp-server all
Statistics on mainboard:
-------------------------------------------------------------------------------
Packet Type       Pass(Bytes)  Drop(Bytes) Pass(Packets) Drop(Packets)
-------------------------------------------------------------------------------
dhcp-server                0          0             0             0
-------------------------------------------------------------------------------
Statistics on slot 1:
-------------------------------------------------------------------------------
Packet Type       Pass(Bytes)  Drop(Bytes) Pass(Packets) Drop(Packets)
-------------------------------------------------------------------------------
dhcp-server          315304452    3085262       868244          8915
-------------------------------------------------------------------------------
Statistics on slot 2:
-------------------------------------------------------------------------------
Packet Type       Pass(Bytes)  Drop(Bytes) Pass(Packets) Drop(Packets)
-------------------------------------------------------------------------------
dhcp-server       7912039365  1766934991k       15579791    4915109150
-------------------------------------------------------------------------------
<BiShan-9306-127.201>

4、配置攻击朔源，定位具体端口（2/0/13）收到dhcp-server过多。

#
cpu-defend policy arp-policy
auto-defend enable
auto-defend trace-type source-mac source-ip source-portvlan
auto-defend protocol all

#
cpu-defend-policy arp-policy global
#
[BiShan-9306-127.201]display auto-defend attack-source slot 2
  Attack Source User Table (LPU2):
  -------------------------------------------------------------------------
   MacAddress    InterfaceName    Vlan:Outer/Inner    TOTAL
  -------------------------------------------------------------------------
  0023-b83c-e215 GigabitEthernet2/0/13       1             9504
  -------------------------------------------------------------------------
  Total: 1

  Attack Source Port Table (LPU2)
  -----------------------------------------------------
InterfaceName       Vlan:Outer/Inner    TOTAL
  -----------------------------------------------------
  GigabitEthernet2/0/13 1                   11520
  -----------------------------------------------------
  Total: 1

  Attack Source IP Table (LPU2)
  -------------------------------------
IPAddress       TOTAL Packets
  -------------------------------------
  -------------------------------------
  Total: 0
[BiShan-9306-127.201-cpu-defend-policy-arp-policy]display auto-defend attack-source slot 2
  Attack Source User Table (LPU2):
  -------------------------------------------------------------------------
   MacAddress    InterfaceName    Vlan:Outer/Inner    TOTAL
  -------------------------------------------------------------------------
  0023-b83c-e215 GigabitEthernet2/0/13       1             13104
  -------------------------------------------------------------------------
  Total: 1

  Attack Source Port Table (LPU2)
  -----------------------------------------------------
InterfaceName       Vlan:Outer/Inner    TOTAL
  -----------------------------------------------------
  GigabitEthernet2/0/13 1                   15968
  -----------------------------------------------------
  Total: 1

  Attack Source IP Table (LPU2)
  -------------------------------------
IPAddress       TOTAL Packets
  -------------------------------------
  -------------------------------------
  Total: 0

5、根据攻击朔源的报文特征，临时将这部分报文通过黑名单丢弃，然后查看业务正常，CPU利用率恢复正常。

#
acl number 4567
rule 5 permit source-mac 0023-b83c-e215
#

#

cpu-defend policy arp-policy
blacklist 1 acl 4567

#

[BiShan-9306-127.201]display cpu-usage
CPU Usage Stat. Cycle: 60 (Second)
CPU Usage          : 11% Max: 99%
CPU Usage Stat. Time : 2016-07-28  20:50:09
CPU utilization for five seconds: 11%: one minute: 12%: five minutes: 13%.

TaskName       CPU  Runtime(CPU Tick High/Tick Low)  Task Explanation

根因
1、设备收到大量的dhcp-server报文，导致CPU处理dhcp正常报文异常。
解决方案
1、通过黑名单丢弃攻击报文，防止CPU处理不过来场景。

#
acl number 4567
rule 5 permit source-mac 0023-b83c-e215
#

#

cpu-defend policy arp-policy
blacklist 1 acl 4567

#

建议与总结

游客，如果您要查看本帖隐藏内容请回复

独钓寒江 · 发表于 2016-8-18 10:34:44

sy7527951 · 发表于 2016-8-18 21:44:32

支持一下~~

内裤超人CO · 发表于 2016-9-13 09:27:19

谢谢楼主分享

rose8000 · 发表于 2016-9-25 21:02:30

S9300下挂用户无法正常获取

z247386032 · 发表于 2016-9-25 21:09:16

Navigation_H · 发表于 2016-9-28 14:53:16

ghost9710181 · 发表于 2016-12-7 16:29:11

很好的案例

hcyok918 · 发表于 2017-1-7 10:46:10

跟小乔学DHCP

nzjwz · 发表于 2017-1-10 13:46:10

学习了

小小明明 · 发表于 2017-1-17 13:59:23

感谢分享

pk6678365 · 发表于 2017-1-19 11:36:04

哇噻好厉害

pk6678365 · 发表于 2017-1-19 11:36:13

哇噻好厉害

inet · 发表于 2017-2-19 23:36:53

学习

18878628404 · 发表于 2017-3-8 09:02:56

111111111111111111111

账号		自动登录	找回密码
密码			论坛注册

[分享] S9300下挂用户无法正常获取（DHCP）IP地址解决方案

客服中心

投诉建议