
Switch operations: troubleshooting a user report of a slow network


Fault type: a few rooms in one building report slow network access.

Gateway switch model: Ruijie 10G Routing Switch (S5750-24GT/12SFP) By Ruijie Network

Logs:

*Sep 12 04:10:39: %ARPGUARD-4-DOS_DETECTED: ARP DoS attack was detected.
*Sep 12 04:11:01: %ARPGUARD-4-PORT_ATTACKED: ARP DoS attack was detected on port Gi0/6.
*Sep 12 04:11:25: %ARPGUARD-4-DOS_DETECTED: ARP DoS attack was detected.
*Sep 12 04:12:56: %ARPGUARD-4-DOS_DETECTED: ARP DoS attack was detected.
*Sep 12 04:14:51: %ARPGUARD-4-DOS_DETECTED: ARP DoS attack was detected.

Check the access switch connected to port Gi0/6

Model: Ruijie Gigabit Security & Intelligence Access Switch (S2628G-E) By Ruijie Networks

Logs:

*Sep 12 04:35:54: %NFPP_DHCPV6_GUARD-4-PORT_ATTACKED: DHCPv6 DoS attack was detected on port Fa0/11.(2018-9-12 4:30:12)
*Sep 12 04:36:24: %NFPP_DHCPV6_GUARD-4-DOS_DETECTED: Host<IP=N/A,MAC=00e0.705d.1ef0,port=Fa0/11,VLAN=4011> was detected.(2018-9-12 4:31:43)
*Sep 12 04:36:54: %NFPP_DHCPV6_GUARD-4-PORT_ATTACKED: DHCPv6 DoS attack was detected on port Fa0/11.(2018-9-12 4:31:43)
*Sep 12 04:37:24: %NFPP_DHCPV6_GUARD-4-DOS_DETECTED: Host<IP=N/A,MAC=3497.f6b7.d88e,port=Fa0/11,VLAN=4011> was detected.(2018-9-12 4:32:54)
*Sep 12 04:37:54: %NFPP_DHCPV6_GUARD-4-PORT_ATTACKED: DHCPv6 DoS attack was detected on port Fa0/11.(2018-9-12 4:32:54)
*Sep 12 04:38:24: %NFPP_DHCPV6_GUARD-4-DOS_DETECTED: Host<IP=N/A,MAC=a81e.840c.0ba8,port=Fa0/11,VLAN=4011> was detected.(2018-9-12 4:33:18)
*Sep 12 04:38:54: %NFPP_DHCPV6_GUARD-4-DOS_DETECTED: Host<IP=N/A,MAC=408d.5ca2.f75e,port=Fa0/11,VLAN=4011> was detected.(2018-9-12 4:33:18)
*Sep 12 04:39:24: %NFPP_DHCPV6_GUARD-4-DOS_DETECTED: Host<IP=N/A,MAC=00e0.705e.0ea9,port=Fa0/11,VLAN=4011> was detected.(2018-9-12 4:33:19)
*Sep 12 04:39:54: %NFPP_DHCPV6_GUARD-4-DOS_DETECTED: Host<IP=N/A,MAC=d017.c2cf.5586,port=Fa0/11,VLAN=4011> was detected.(2018-9-12 4:33:41)
*Sep 12 04:40:24: %NFPP_DHCPV6_GUARD-4-DOS_DETECTED: Host<IP=N/A,MAC=fc45.963e.cab9,port=Fa0/11,VLAN=4011> was detected.(2018-9-12 4:34:25)
*Sep 12 04:40:54: %NFPP_DHCPV6_GUARD-4-DOS_DETECTED: Host<IP=N/A,MAC=28d2.44f9.c5f1,port=Fa0/11,VLAN=4011> was detected.(2018-9-12 4:35:10)
*Sep 12 04:41:24: %NFPP_DHCPV6_GUARD-4-PORT_ATTACKED: DHCPv6 DoS attack was detected on port Fa0/11.(2018-9-12 4:35:11)
*Sep 12 04:41:54: %NFPP_DHCPV6_GUARD-4-DOS_DETECTED: Host<IP=N/A,MAC=d8cb.8ac4.62c4,port=Fa0/11,VLAN=4011> was detected.(2018-9-12 4:35:59)
*Sep 12 04:42:24: %NFPP_DHCPV6_GUARD-4-DOS_DETECTED: Host<IP=N/A,MAC=4ccc.6a7e.5a85,port=Fa0/11,VLAN=4011> was detected.(2018-9-12 4:35:59)
*Sep 12 04:42:54: %NFPP_DHCPV6_GUARD-4-DOS_DETECTED: Host<IP=N/A,MAC=3497.f611.bd11,port=Fa0/11,VLAN=4011> was detected.(2018-9-12 4:35:59)
*Sep 12 04:43:24: %NFPP_DHCPV6_GUARD-4-PORT_ATTACKED: DHCPv6 DoS attack was detected on port Fa0/11.(2018-9-12 4:36:44)
*Sep 12 04:43:54: %NFPP_DHCPV6_GUARD-4-DOS_DETECTED: Host<IP=N/A,MAC=1c1b.0d11.c890,port=Fa0/11,VLAN=4011> was detected.(2018-9-12 4:37:8)
*Sep 12 04:44:24: %NFPP_DHCPV6_GUARD-4-DOS_DETECTED: Host<IP=N/A,MAC=1c6f.658e.2fb3,port=Fa0/11,VLAN=4011> was detected.(2018-9-12 4:37:8)
*Sep 12 04:44:54: %NFPP_DHCPV6_GUARD-4-DOS_DETECTED: Host<IP=N/A,MAC=00e0.4c70.439e,port=Fa0/11,VLAN=4011> was detected.(2018-9-12 4:38:14)
*Sep 12 04:45:24: %NFPP_DHCPV6_GUARD-4-PORT_ATTACKED: DHCPv6 DoS attack was detected on port Fa0/11.(2018-9-12 4:38:15)
*Sep 12 04:45:54: %NFPP_DHCPV6_GUARD-4-DOS_DETECTED: Host<IP=N/A,MAC=408d.5cd3.7a61,port=Fa0/11,VLAN=4011> was detected.(2018-9-12 4:39:29)
*Sep 12 04:46:24: %NFPP_DHCPV6_GUARD-4-PORT_ATTACKED: DHCPv6 DoS attack was detected on port Fa0/11.(2018-9-12 4:39:29)
*Sep 12 04:46:54: %NFPP_DHCPV6_GUARD-4-DOS_DETECTED: Host<IP=N/A,MAC=f832.e475.a81f,port=Fa0/11,VLAN=4011> was detected.(2018-9-12 4:41:22)
*Sep 12 04:47:24: %NFPP_DHCPV6_GUARD-4-PORT_ATTACKED: DHCPv6 DoS attack was detected on port Fa0/11.(2018-9-12 4:41:23)
*Sep 12 04:47:54: %NFPP_DHCPV6_GUARD-4-DOS_DETECTED: Host<IP=N/A,MAC=fc45.963e.cab9,port=Fa0/11,VLAN=4011> was detected.(2018-9-12 4:41:48)
*Sep 12 04:48:24: %NFPP_DHCPV6_GUARD-4-PORT_ATTACKED: DHCPv6 DoS attack was detected on port Fa0/11.(2018-9-12 4:41:49)
*Sep 12 04:48:54: %NFPP_DHCPV6_GUARD-4-DOS_DETECTED: Host<IP=N/A,MAC=b888.e3a8.9287,port=Fa0/11,VLAN=4011> was detected.(2018-9-12 4:43:46)
*Sep 12 04:49:24: %NFPP_DHCPV6_GUARD-4-PORT_ATTACKED: DHCPv6 DoS attack was detected on port Fa0/11.(2018-9-12 4:43:46)
*Sep 12 04:49:54: %NFPP_DHCPV6_GUARD-4-DOS_DETECTED: Host<IP=N/A,MAC=1c1b.0d11.c890,port=Fa0/11,VLAN=4011> was detected.(2018-9-12 4:44:8)
*Sep 12 04:50:24: %NFPP_DHCPV6_GUARD-4-DOS_DETECTED: Host<IP=N/A,MAC=fc45.963e.c9f1,port=Fa0/11,VLAN=4011> was detected.(2018-9-12 4:44:32)

How can a single port have this many MAC addresses? An access port serving one room should see one or two MACs; more than a dozen different source MACs on Fa0/11 within a few minutes means either a downstream device (a home router or hub) is attached behind it, or something on that port is forging source MACs.
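To answer that question from the log instead of by eye, here is an added Python example (not code from the original post) that parses the NFPP DHCPv6-guard lines, groups them by access port, and counts the distinct offending MACs and PORT_ATTACKED events on each port. The sample lines are a subset copied from the log above plus one constructed line for a second port (Fa0/3); the threshold of two MACs per port is an assumption chosen for the illustration.

```python
import re
from collections import defaultdict

# Sample input: a subset of the access-switch log lines above, plus one
# CONSTRUCTED line for port Fa0/3 so that per-port grouping is visible.
SAMPLE_LOG = """\
*Sep 12 04:35:54: %NFPP_DHCPV6_GUARD-4-PORT_ATTACKED: DHCPv6 DoS attack was detected on port Fa0/11.(2018-9-12 4:30:12)
*Sep 12 04:36:24: %NFPP_DHCPV6_GUARD-4-DOS_DETECTED: Host<IP=N/A,MAC=00e0.705d.1ef0,port=Fa0/11,VLAN=4011> was detected.(2018-9-12 4:31:43)
*Sep 12 04:37:24: %NFPP_DHCPV6_GUARD-4-DOS_DETECTED: Host<IP=N/A,MAC=3497.f6b7.d88e,port=Fa0/11,VLAN=4011> was detected.(2018-9-12 4:32:54)
*Sep 12 04:38:24: %NFPP_DHCPV6_GUARD-4-DOS_DETECTED: Host<IP=N/A,MAC=a81e.840c.0ba8,port=Fa0/11,VLAN=4011> was detected.(2018-9-12 4:33:18)
*Sep 12 04:40:24: %NFPP_DHCPV6_GUARD-4-DOS_DETECTED: Host<IP=N/A,MAC=fc45.963e.cab9,port=Fa0/11,VLAN=4011> was detected.(2018-9-12 4:34:25)
*Sep 12 04:47:54: %NFPP_DHCPV6_GUARD-4-DOS_DETECTED: Host<IP=N/A,MAC=fc45.963e.cab9,port=Fa0/11,VLAN=4011> was detected.(2018-9-12 4:41:48)
*Sep 12 04:48:10: %NFPP_DHCPV6_GUARD-4-DOS_DETECTED: Host<IP=N/A,MAC=0011.2233.4455,port=Fa0/3,VLAN=4011> was detected.(2018-9-12 4:42:00)
"""

# Per-host detection line: pull out MAC, port and VLAN.
HOST_RE = re.compile(
    r"%NFPP_DHCPV6_GUARD-4-DOS_DETECTED: Host<IP=(?P<ip>[^,]+),MAC=(?P<mac>[0-9a-f.]+),"
    r"port=(?P<port>[^,]+),VLAN=(?P<vlan>\d+)>"
)
# Per-port attack line: only the port name is needed.
PORT_RE = re.compile(r"%NFPP_DHCPV6_GUARD-4-PORT_ATTACKED: .* on port (?P<port>[^.\s]+)\.")


def summarize_dhcpv6_guard(log_text):
    """Group NFPP DHCPv6-guard events by port.

    Returns {port: {"macs": set of offending MACs, "port_attacked": count}}.
    Lines that match neither pattern are ignored.
    """
    per_port = defaultdict(lambda: {"macs": set(), "port_attacked": 0})
    for line in log_text.splitlines():
        m = HOST_RE.search(line)
        if m:
            per_port[m["port"]]["macs"].add(m["mac"])
            continue
        m = PORT_RE.search(line)
        if m:
            per_port[m["port"]]["port_attacked"] += 1
    return dict(per_port)


def suspicious_ports(summary, max_macs=2):
    """Flag access ports carrying more distinct MACs than a single room should.

    max_macs is an assumed threshold: a PC plus a phone is normal, more than
    that on one port suggests an unmanaged device behind it or spoofed frames.
    """
    return sorted(port for port, s in summary.items() if len(s["macs"]) > max_macs)


if __name__ == "__main__":
    summary = summarize_dhcpv6_guard(SAMPLE_LOG)
    for port, info in sorted(summary.items()):
        print(f"{port}: {len(info['macs'])} distinct MACs, "
              f"{info['port_attacked']} PORT_ATTACKED events")
    print("suspicious ports:", suspicious_ports(summary))
```

Feeding the full log from the switch (for example the output of the show logging command saved to a file) into summarize_dhcpv6_guard gives the per-port picture directly; on the page's own data Fa0/11 is the only port that stands out.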

The switch clock is wrong (the log timestamps do not match the real times appended in parentheses), so set the time first:

Enter config mode,

Configure the NTP server address: ntp server <ip>

Configure the time zone: clock timezone beijing 8

Enable IP Source Guard on the user-facing interfaces

Ruijie(config)#interface range fastEthernet 0/1-24

Ruijie(config-if-range)#ip verify source port-security

This enables source IP + MAC checking of received packets and writes the DHCP Snooping binding table into the address binding database. Configure ip verify source port-security exactly as shown; do not use ip verify source (which binds the IP only), because some products have limitations and IP-only binding can behave abnormally.

Ruijie(config-if-range)#arp-check

With this enabled, every ARP packet received on the interface has its Sender IP and Sender MAC fields compared against the IP and MAC in the address binding database; a packet that matches is forwarded, otherwise the ARP packet is dropped.
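The following added Python example (not the vendor's code, only a model of the decision just described) shows why the IP + MAC binding matters. It checks ARP Sender IP / Sender MAC pairs against a constructed binding table in the shape of the show ip dhcp snooping binding output, once with IP + MAC matching and once with IP-only matching; the IP addresses and the forged MAC are assumptions made for the illustration, and the exact lookup key in the real switch may differ.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    """One row of the address binding database (IP, MAC, VLAN, interface)."""
    ip: str
    mac: str
    vlan: int
    port: str


# CONSTRUCTED binding table; the IPs are assumptions, the MACs are two of the
# addresses seen in the log above.
BINDINGS = [
    Binding("10.40.11.23", "00e0.705d.1ef0", 4011, "Fa0/11"),
    Binding("10.40.11.57", "3497.f6b7.d88e", 4011, "Fa0/12"),
]


def arp_check(sender_ip, sender_mac, vlan, port, bindings, ip_and_mac=True):
    """Model of the arp-check decision for one ARP packet.

    Permit only if the Sender IP (and, with ip_and_mac=True, the Sender MAC)
    matches a binding learnt on the same port and VLAN. ip_and_mac=False
    models an IP-only binding, the configuration the text warns against.
    """
    for b in bindings:
        if b.port != port or b.vlan != vlan or b.ip != sender_ip:
            continue
        if not ip_and_mac or b.mac == sender_mac:
            return "permit"
    return "drop"


def run_cases(bindings):
    """Evaluate four ARP packets under both binding modes.

    Returns {case: (ip_and_mac_result, ip_only_result)}.
    """
    cases = {
        # legitimate host, IP and MAC exactly as learnt by DHCP snooping
        "legit": ("10.40.11.23", "00e0.705d.1ef0", 4011, "Fa0/11"),
        # gratuitous ARP claiming the neighbour's IP with the sender's own MAC
        "spoof_ip": ("10.40.11.57", "00e0.705d.1ef0", 4011, "Fa0/11"),
        # bound IP but a forged source MAC: only IP + MAC matching catches it
        "spoof_mac": ("10.40.11.23", "dead.beef.0001", 4011, "Fa0/11"),
        # correct IP/MAC pair arriving on a port where it was never learnt
        "wrong_port": ("10.40.11.23", "00e0.705d.1ef0", 4011, "Fa0/5"),
    }
    return {
        name: (arp_check(*c, bindings, ip_and_mac=True),
               arp_check(*c, bindings, ip_and_mac=False))
        for name, c in cases.items()
    }


if __name__ == "__main__":
    for name, (strict, ip_only) in run_cases(BINDINGS).items():
        print(f"{name:11s} ip+mac={strict:6s} ip-only={ip_only}")
```

The spoof_mac case is the one that separates the two settings: with IP-only binding a host can keep its legitimate IP and still forge the Sender MAC, so the ARP reply is forwarded and neighbours learn a wrong IP-to-MAC mapping.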

View the IP address binding table

S08CT# show ip dhcp snooping binding

After enabling all of this, the attack is still present:

*Sep 11 20:45:40: %NFPP_DHCPV6_GUARD-4-DOS_DETECTED: Host<IP=N/A,MAC=2047.476e.7ab7,port=Fa0/11,VLAN=4011> was detected.(2018-9-11 20:43:42)
*Sep 11 20:46:10: %NFPP_DHCPV6_GUARD-4-PORT_ATTACKED: DHCPv6 DoS attack was detected on port Fa0/11.(2018-9-11 20:43:42)
*Sep 11 20:46:40: %NFPP_DHCPV6_GUARD-4-DOS_DETECTED: Host<IP=N/A,MAC=3497.f6d0.4dac,port=Fa0/11,VLAN=4011> was detected.(2018-9-11 20:43:48)
*Sep 11 20:47:10: %NFPP_DHCPV6_GUARD-4-DOS_DETECTED: Host<IP=N/A,MAC=1803.7394.c867,port=Fa0/11,VLAN=4011> was detected.(2018-9-11 20:43:48)
*Sep 11 20:47:40: %NFPP_DHCPV6_GUARD-4-DOS_DETECTED: Host<IP=N/A,MAC=c8d3.ffdd.ce75,port=Fa0/11,VLAN=4011> was detected.(2018-9-11 20:43:48)
*Sep 11 20:48:10: %NFPP_DHCPV6_GUARD-4-DOS_DETECTED: Host<IP=N/A,MAC=00e0.705d.1ef0,port=Fa0/11,VLAN=4011> was detected.(2018-9-11 20:44:4)
*Sep 11 20:48:40: %NFPP_DHCPV6_GUARD-4-DOS_DETECTED: Host<IP=N/A,MAC=e0d5.5e57.7540,port=Fa0/11,VLAN=4011> was detected.(2018-9-11 20:44:12)
*Sep 11 20:49:10: %NFPP_DHCPV6_GUARD-4-DOS_DETECTED: Host<IP=N/A,MAC=9c5c.8e75.c986,port=Fa0/11,VLAN=4011> was detected.(2018-9-11 20:44:53)
*Sep 11 20:49:40: %NFPP_DHCPV6_GUARD-4-DOS_DETECTED: Host<IP=N/A,MAC=507b.9d65.d915,port=Fa0/11,VLAN=4011> was detected.(2018-9-11 20:44:53)
*Sep 11 20:50:10: %NFPP_DHCPV6_GUARD-4-DOS_DETECTED: Host<IP=N/A,MAC=3497.f6b7.d88e,port=Fa0/11,VLAN=4011> was detected.(2018-9-11 20:44:56)
*Sep 11 20:50:40: %NFPP_DHCPV6_GUARD-4-DOS_DETECTED: Host<IP=N/A,MAC=1c1b.0d06.b23d,port=Fa0/11,VLAN=4011> was detected.(2018-9-11 20:45:15)
*Sep 11 20:51:10: %NFPP_DHCPV6_GUARD-4-PORT_ATTACKED: DHCPv6 DoS attack was detected on port Fa0/11.(2018-9-11 20:45:15)
*Sep 11 20:51:40: %NFPP_DHCPV6_GUARD-4-DOS_DETECTED: Host<IP=N/A,MAC=a81e.840c.0ba8,port=Fa0/11,VLAN=4011> was detected.(2018-9-11 20:45:19)

Check whether nfpp dhcpv6-guard is enabled on the switch:

S08CT#show nfpp dhcpv6-guard summary

[Image: output of show nfpp dhcpv6-guard summary]

The status column shows enable, so the feature is on globally.

Enable it on the access port:

nfpp dhcpv6-guard enable

Configure NFPP

Enter config mode

Enter nfpp mode (the prompt changes to config-nfpp)

S08CT(config-nfpp)#dhcpv6-guard rate-limit per-port 5

Any port that receives more than 5 DHCPv6 packets in one second has the excess dropped.
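To make the effect of that limit concrete, here is an added Python model (not the switch's implementation) of a per-port, per-second counter that drops everything past the fifth DHCPv6 packet in a one-second window. The traffic is constructed: a flood of 20 packets in one second from rotating MACs on Fa0/11, like the log above, and a normal client sending two packets on Fa0/3; the timestamps, MACs and the fixed-window behaviour are assumptions for the illustration.

```python
from collections import defaultdict


def apply_port_rate_limit(packets, limit_pps=5):
    """Model of `dhcpv6-guard rate-limit per-port N` as a fixed one-second window.

    packets: iterable of (timestamp_seconds, port, source_mac).
    Once a port has accepted limit_pps packets inside the current second, the
    remaining packets of that second on that port are dropped.
    Returns (forwarded, dropped, ports_over_limit).
    """
    window_count = defaultdict(int)   # (port, whole second) -> packets accepted
    forwarded, dropped, over = [], [], set()
    for ts, port, mac in sorted(packets):
        key = (port, int(ts))
        if window_count[key] < limit_pps:
            window_count[key] += 1
            forwarded.append((ts, port, mac))
        else:
            dropped.append((ts, port, mac))
            over.add(port)
    return forwarded, dropped, over


def constructed_traffic():
    """CONSTRUCTED sample: a DHCPv6 flood on Fa0/11 (20 packets in one second,
    each from a different MAC) and a normal client on Fa0/3 sending two."""
    flood = [(100.0 + i * 0.05, "Fa0/11", f"0000.0000.{i:04x}") for i in range(20)]
    normal = [(100.1, "Fa0/3", "0011.2233.4455"), (100.6, "Fa0/3", "0011.2233.4455")]
    return flood + normal


if __name__ == "__main__":
    fwd, drp, over = apply_port_rate_limit(constructed_traffic(), limit_pps=5)
    print(f"forwarded={len(fwd)} dropped={len(drp)} ports over limit={sorted(over)}")
```

Note that the limit is per port, not per source MAC: the flood on Fa0/11 is cut to 5 packets per second regardless of how many MACs it rotates through, while the client on Fa0/3 is untouched. That is what a user behind the attacking port experiences as a slow connection, and why the real fix is finding the device on Fa0/11 rather than raising the limit.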
