Every day when I get to work I check the switch logs, and sometimes I come across log messages like these:
Jun 1 2020 16:19:40 Switch %%01QOSE/4/CPCAR_DROP_LPU(l): Some packets are dropped by cpcar on the LPU in slot 2. (Protocol=arp-miss, Drop-Count=023006)
Jun 1 2020 16:18:31 Switch %%01HWCM/4/TRAPLOG(l): OID 1.3.6.1.4.1.2011.6.10.2.1 configure changed. (EventIndex=107, CommandSource=1, ConfigSource=3, ConfigDestination=2)
Jun 1 2020 16:09:40 Switch %%01QOSE/4/CPCAR_DROP_LPU(l): Some packets are dropped by cpcar on the LPU in slot 2. (Protocol=arp-miss, Drop-Count=06987)
Jun 1 2017 15:49:40 Switch %%01QOSE/4/CPCAR_DROP_LPU(l): Some packets are dropped by cpcar on the LPU in slot 2. (Protocol=arp-miss, Drop-Count=08175)
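Later I looked this up in the switch documentation:
1 Check the ARP entry statistics.
<JTFT> display arp statistics
Total:452 Dynamic:388 Static:0 Interface:64
2 On the gateway, the ARP table is not very large, but the board is dropping a large number of ARP packets, so an ARP attack in the network is suspected. Run the command display auto-defend attack-source to view the attack source information.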
display auto-defend attack-source
-- Attack Source Port Table (MPU) ----------
InterfaceName          Vlan:Outer/Inner  TOTAL
--------------------------------------------
GigabitEthernet3/0/2   2102              10560
GigabitEthernet2/0/19  2161              80
GigabitEthernet2/0/19  2133              16
GigabitEthernet2/0/18  2137              48
GigabitEthernet3/0/3   2103              16
GigabitEthernet2/0/19  2139              16
--------------------------------------------
-- Attack Source User Table (MPU) --------------------------------------------
InterfaceName         Vlan:Outer/Inner  MacAddress      ARP    DHCP  IGMP  TOTAL
------------------------------------------------------------------------------
GigabitEthernet3/0/2  2102              0810-7523-9ec2  10288  0     0     10288
GigabitEthernet3/0/2  2102              940c-6dd0-7519  16     0     0     16
------------------------------------------------------------------------------
From the output of the command above, it can be seen that GE3/0/2 is under an ARP attack.
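
To make the daily check repeatable, the following Python code (an added example, not from the original post or the vendor documentation) parses the Attack Source User Table from display auto-defend attack-source and reports the MAC addresses that dominate ARP traffic on a port/VLAN. The sample is a constructed excerpt of the output above, and the function names and both thresholds are assumptions.

```python
import re
from collections import namedtuple

# Constructed sample: an excerpt of the output shown above, one row per line.
SAMPLE = """\
-- Attack Source Port Table (MPU) ----------
InterfaceName          Vlan:Outer/Inner  TOTAL
GigabitEthernet3/0/2   2102              10560
GigabitEthernet2/0/19  2161              80
-- Attack Source User Table (MPU) ----------
InterfaceName         Vlan:Outer/Inner  MacAddress      ARP    DHCP  IGMP  TOTAL
GigabitEthernet3/0/2  2102              0810-7523-9ec2  10288  0     0     10288
GigabitEthernet3/0/2  2102              940c-6dd0-7519  16     0     0     16
"""

UserRow = namedtuple("UserRow", "interface vlan mac arp dhcp igmp total")

# Only user-table rows carry a MAC in xxxx-xxxx-xxxx form, so port-table rows,
# headers and separator lines simply fail to match.
USER_ROW = re.compile(
    r"^\s*(\S+)\s+(\d+(?:/\d+)?)\s+((?:[0-9a-fA-F]{4}-){2}[0-9a-fA-F]{4})"
    r"\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$"
)

def parse_user_table(text):
    """Return one UserRow per source MAC found in the command output."""
    rows = []
    for line in text.splitlines():
        m = USER_ROW.match(line)
        if m:
            iface, vlan, mac, *counts = m.groups()
            rows.append(UserRow(iface, vlan, mac.lower(), *map(int, counts)))
    return rows

def arp_suspects(rows, min_count=1000, min_share=0.9):
    """Rows with a high ARP count that also dominate their port/VLAN.
    Both thresholds are assumed values; tune them to the site's baseline."""
    per_port = {}
    for r in rows:
        key = (r.interface, r.vlan)
        per_port[key] = per_port.get(key, 0) + r.arp
    hits = []
    for r in rows:
        port_total = per_port[(r.interface, r.vlan)]
        share = r.arp / port_total if port_total else 0.0
        if r.arp >= min_count and share >= min_share:
            hits.append((r, round(share, 3)))
    return sorted(hits, key=lambda h: h[0].arp, reverse=True)

if __name__ == "__main__":
    for row, share in arp_suspects(parse_user_table(SAMPLE)):
        print(f"{row.interface} vlan {row.vlan} mac {row.mac}: "
              f"{row.arp} ARP packets ({share:.1%} of that port/VLAN)")
```

On the sample it singles out 0810-7523-9ec2 on GigabitEthernet3/0/2, VLAN 2102, which is the source to trace and isolate first.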