
  ARP attack causing users behind the AR2240 to lose network access

    2015/3/3 16:57:12
    Problem description

    The core and floor switches are all unmanaged (dumb) switches and cannot be configured.
    The gateway is on the AR router. All users connect through consumer-grade routers, all of them TP-Link models. The consumer routers' IP addresses fall into two address ranges, 190.131.1.0/16 and 190.131.3.0/16; the users behind them obtain addresses by DHCP and reach the network through the consumer routers' built-in NAT.

    Problem:
    The internal subnets behind the AR2240 sometimes cannot reach the external network.

    Handling process

    Checked the cpu-defend statistics and found dropped packets:
    display cpu-defend statistic 
    ----------------------------------------------------------------------- 
    Packet Type               Pass Packets        Drop Packets 
    ----------------------------------------------------------------------- 
    8021X                                0                   0 
    arp-miss                          5744                   0 
    arp-reply                         3903                   0 
    arp-request                     448252                1390 
    bfd                                  0                   0 

    Checked the trap buffer and found ARP IP conflicts:
    #Dec  9 2014 10:09:34+00:00 253_HW_AR2240 ARP/4/ARP_IPCONFLICT_TRAP:OID 1.3.6.1.4.1.2011.5.25.123.2.6 ARP detects IP conflict. (IP address=190.131.3.131, Local interface=GigabitEthernet0/0/1, Local MAC=0017-59de-b688, Local vlan=0, Local CE vlan=0, Receive interface=GigabitEthernet0/0/1, Receive MAC=78a1-067c-7dc1, Receive vlan=0, Receive CE vlan=0, IP conflict type=Remote IP conflict). 
    #Dec  9 2014 10:01:44+00:00 253_HW_AR2240 ARP/4/ARP_IPCONFLICT_TRAP:OID 1.3.6.1.4.1.2011.5.25.123.2.6 ARP detects IP conflict. (IP address=190.131.3.130, Local interface=GigabitEthernet0/0/1, Local MAC=0017-59de-b688, Local vlan=0, Local CE vlan=0, Receive interface=GigabitEthernet0/0/1, Receive MAC=78a1-067c-7dbb, Receive vlan=0, Receive CE vlan=0, IP conflict type=Remote IP conflict). 
    #Dec  9 2014 09:49:28+00:00 253_HW_AR2240 ARP/4/ARP_IPCONFLICT_TRAP:OID 1.3.6.1.4.1.2011.5.25.123.2.6 ARP detects IP conflict. (IP address=190.131.3.131, Local interface=GigabitEthernet0/0/1, Local MAC=0017-59de-b688, Local vlan=0, Local CE vlan=0, Receive interface=GigabitEthernet0/0/1, Receive MAC=78a1-067c-7dc1, Receive vlan=0, Receive CE vlan=0, IP conflict type=Remote IP conflict). 
    #Dec  9 2014 09:34:04+00:00 253_HW_AR2240 ARP/4/ARP_IPCONFLICT_TRAP:OID 1.3.6.1.4.1.2011.5.25.123.2.6 ARP detects IP conflict. (IP address=190.131.3.133, Local interface=GigabitEthernet0/0/1, Local MAC=7427-eae4-275b, Local vlan=0, Local CE vlan=0, Receive interface=GigabitEthernet0/0/1, Receive MAC=0017-59de-b688, Receive vlan=0, Receive CE vlan=0, IP conflict type=Remote IP conflict). 

    Checked the ARP table:
    <253_HW_AR2240> 
    IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE 
                                              VLAN/CEVLAN PVC                    
    190.131.1.107   0014-5e7a-75b4  20        D-0         GE0/0/1 
    190.131.3.121   0017-59de-b688  2         D-0         GE0/0/1 
    190.131.1.112   cc34-2999-9bbf  17        D-0         GE0/0/1 
    190.131.3.120   7427-eae4-275b  20        D-0         GE0/0/1 
    190.131.1.109   0014-5e19-a483  13        D-0         GE0/0/1 
    190.131.1.199   d815-0d38-3d3d  3         D-0         GE0/0/1 
    190.131.1.101   0014-5e7a-7574  19        D-0         GE0/0/1 
    190.131.1.206   0022-3fa5-b237  4         D-0         GE0/0/1 
    190.131.3.6     0017-59de-b688  18        D-0         GE0/0/1 
    190.131.1.6     90fb-a61e-13e5  16        D-0         GE0/0/1 // this is the MAC of a legitimate consumer router
    190.131.1.233   7427-ea3d-e4ef  20        D-0         GE0/0/1 
    190.131.1.130   0060-6e9a-0d23  2         D-0         GE0/0/1 // this should be the MAC of a legitimate consumer router
    190.131.1.50    4437-e676-91aa  2         D-0         GE0/0/1 
    190.131.3.130   0017-59de-b688  17        D-0         GE0/0/1 
    190.131.3.132   0021-272e-eb43  14        D-0         GE0/0/1 
    190.131.3.131   0017-59de-b688  5         D-0         GE0/0/1 
    190.131.3.133   0017-59de-b688  10        D-0         GE0/0/1 

    Root cause
    There is an ARP attack inside the internal network; the attack source MAC is 0017-59de-b688.
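The two checks above (one MAC bound to many IPs in the ARP table, and the same MAC recurring in ARP_IPCONFLICT_TRAP messages) can be automated for triage. The script below is an added example, not a Huawei tool or part of the original case; it parses a subset of the ARP table and trap lines copied from the output above. It assumes that in a Huawei ARP_IPCONFLICT_TRAP the "Local MAC" field is the MAC already bound to the IP in the router's own ARP table and "Receive MAC" is the sender of the conflicting ARP packet, so the attacker's MAC can appear on either side depending on whether its poisoned binding has already been accepted.

```python
"""Triage helper for the ARP-spoofing symptoms described in the case above.

Added example: it parses text copied from the AR2240 output on this page and
is not a Huawei tool.  Assumed field meanings for ARP_IPCONFLICT_TRAP:
"Local MAC" = MAC currently bound to the IP in the router's ARP table,
"Receive MAC" = sender MAC of the conflicting ARP packet.
"""
import re
from collections import Counter, defaultdict

# Subset of the ARP table from the page (only the IP and MAC columns are used).
ARP_TABLE = """\
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE
190.131.1.107   0014-5e7a-75b4  20        D-0         GE0/0/1
190.131.3.121   0017-59de-b688  2         D-0         GE0/0/1
190.131.1.112   cc34-2999-9bbf  17        D-0         GE0/0/1
190.131.3.120   7427-eae4-275b  20        D-0         GE0/0/1
190.131.3.6     0017-59de-b688  18        D-0         GE0/0/1
190.131.1.6     90fb-a61e-13e5  16        D-0         GE0/0/1 // legitimate router
190.131.3.130   0017-59de-b688  17        D-0         GE0/0/1
190.131.3.132   0021-272e-eb43  14        D-0         GE0/0/1
190.131.3.131   0017-59de-b688  5         D-0         GE0/0/1
190.131.3.133   0017-59de-b688  10        D-0         GE0/0/1
"""

# The four ARP_IPCONFLICT_TRAP messages from the trap buffer on the page.
TRAP_LOG = """\
#Dec  9 2014 10:09:34+00:00 253_HW_AR2240 ARP/4/ARP_IPCONFLICT_TRAP:OID 1.3.6.1.4.1.2011.5.25.123.2.6 ARP detects IP conflict. (IP address=190.131.3.131, Local interface=GigabitEthernet0/0/1, Local MAC=0017-59de-b688, Local vlan=0, Local CE vlan=0, Receive interface=GigabitEthernet0/0/1, Receive MAC=78a1-067c-7dc1, Receive vlan=0, Receive CE vlan=0, IP conflict type=Remote IP conflict).
#Dec  9 2014 10:01:44+00:00 253_HW_AR2240 ARP/4/ARP_IPCONFLICT_TRAP:OID 1.3.6.1.4.1.2011.5.25.123.2.6 ARP detects IP conflict. (IP address=190.131.3.130, Local interface=GigabitEthernet0/0/1, Local MAC=0017-59de-b688, Local vlan=0, Local CE vlan=0, Receive interface=GigabitEthernet0/0/1, Receive MAC=78a1-067c-7dbb, Receive vlan=0, Receive CE vlan=0, IP conflict type=Remote IP conflict).
#Dec  9 2014 09:49:28+00:00 253_HW_AR2240 ARP/4/ARP_IPCONFLICT_TRAP:OID 1.3.6.1.4.1.2011.5.25.123.2.6 ARP detects IP conflict. (IP address=190.131.3.131, Local interface=GigabitEthernet0/0/1, Local MAC=0017-59de-b688, Local vlan=0, Local CE vlan=0, Receive interface=GigabitEthernet0/0/1, Receive MAC=78a1-067c-7dc1, Receive vlan=0, Receive CE vlan=0, IP conflict type=Remote IP conflict).
#Dec  9 2014 09:34:04+00:00 253_HW_AR2240 ARP/4/ARP_IPCONFLICT_TRAP:OID 1.3.6.1.4.1.2011.5.25.123.2.6 ARP detects IP conflict. (IP address=190.131.3.133, Local interface=GigabitEthernet0/0/1, Local MAC=7427-eae4-275b, Local vlan=0, Local CE vlan=0, Receive interface=GigabitEthernet0/0/1, Receive MAC=0017-59de-b688, Receive vlan=0, Receive CE vlan=0, IP conflict type=Remote IP conflict).
"""

# An ARP table row starts with an IPv4 address followed by a Huawei-style MAC.
ARP_ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\b"
)
# The three trap fields we need, in the order they appear in the message.
TRAP_LINE = re.compile(
    r"IP address=(?P<ip>[\d.]+).*?Local MAC=(?P<local>[0-9a-f-]{14})"
    r".*?Receive MAC=(?P<recv>[0-9a-f-]{14})"
)


def parse_arp_table(text):
    """Map each MAC to the set of IPs the router currently binds to it."""
    by_mac = defaultdict(set)
    for line in text.splitlines():
        m = ARP_ROW.match(line)          # header and blank lines do not match
        if m:
            ip, mac = m.groups()
            by_mac[mac].add(ip)
    return dict(by_mac)


def find_multi_ip_macs(by_mac, min_ips=2):
    """MACs bound to several IPs, most IPs first: the signature seen above."""
    hits = {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) >= min_ips}
    return dict(sorted(hits.items(), key=lambda kv: -len(kv[1])))


def parse_conflict_traps(text):
    """Extract (ip, local, recv) from every ARP_IPCONFLICT_TRAP line."""
    return [m.groupdict() for line in text.splitlines()
            if (m := TRAP_LINE.search(line))]


def conflict_mac_counts(traps):
    """Count how often each MAC is involved in a conflict, on either side.

    Once the router has accepted a poisoned binding the spoofing MAC shows
    up as Local MAC and the real owner as Receive MAC, so both sides count.
    """
    counts = Counter()
    for t in traps:
        counts[t["local"]] += 1
        counts[t["recv"]] += 1
    return counts


def rank_suspects(arp_text, trap_text):
    """Return (mac, ip_count, conflict_count) tuples, strongest signal first."""
    by_mac = parse_arp_table(arp_text)
    conflicts = conflict_mac_counts(parse_conflict_traps(trap_text))
    rows = [(mac, len(by_mac.get(mac, ())), conflicts.get(mac, 0))
            for mac in set(by_mac) | set(conflicts)]
    rows = [r for r in rows if r[1] >= 2 or r[2] >= 1]   # keep only signals
    return sorted(rows, key=lambda r: (r[1], r[2]), reverse=True)


if __name__ == "__main__":
    for mac, n_ips, n_conf in rank_suspects(ARP_TABLE, TRAP_LOG):
        print(f"{mac}  ips={n_ips}  conflicts={n_conf}")
```

On the page's data the top row is 0017-59de-b688 with five IP bindings and four conflict-trap appearances, which matches the root cause stated above. Treat the ranking as a triage signal rather than proof: a host with several secondary addresses also shows multiple entries, and the MAC-based filter applied in the solution only holds while the attacking host keeps that MAC, so re-running these checks after the ACL is in place is the way to confirm the traps and drops have actually stopped.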

    Solution
    1. Confirm with the network administrator whether 0017-59de-b688 is the MAC of one of the access (consumer) routers: the administrator confirmed that it is not.
    2. Trace 0017-59de-b688: the core and floor switches are all unmanaged switches, so the location of 0017-59de-b688 could not be determined.
    3. Configure Layer 2 ARP traffic filtering on the AR router; this resolved the problem.
    [Huawei]acl number 4444 
    [Huawei-acl-L2-4444]rule 5  deny  l2-protocol  arp  source-mac  0017-59de-b688 
    [Huawei]int g0/0/1 
    [Huawei-GigabitEthernet0/0/1]traffic-filter  inbound  acl  4444 
