ALM-3276800485 The packet dropped by DAI exceeds the alarm threshold

Description

SECE/4/ DAI_VLANDROP_ALARM: OID [oid] The packet dropped by DAI exceeds the alarm threshold. (DroppedNum=[INTEGER], Threshold=[INTEGER], VLAN=[INTEGER], PacketInfo=[OCTET])

The number of packets discarded by Dynamic ARP Inspection (DAI) in a VLAN exceeds the alarm threshold.

Attribute

Parameters

Impact on the System

If this alarm is generated, the device may be attacked. If the attack traffic volume is heavy, the device is busy processing attack packets. As a result, services of authorized users are interrupted.

Possible Causes

The number of packets discarded by DAI in a VLAN exceeds the alarm threshold. By default, the alarm threshold for ARP packets discarded by DAI is 100.

Procedure

• If user services are not affected, the alarm does not need to be handled.
• If user services are interrupted, perform the following operations:
  1. Run the display dhcp static user-bind { { interface interface-type interface-number | ip-address ip-address | mac-address mac-address | vlan vlan-id } ^* | all } [ verbose ] or display dhcpv6 static user-bind { { interface interface-type interface-number | ipv6-address { ipv6-address | all } | mac-address mac-address | vlan vlan-id } ^* | all } [ verbose ] command to check the static binding entries, and run the display dhcp snooping user-bind { { interface interface-type interface-number | ip-address ip-address | mac-address mac-address | vlan vlan-id | bridge-domain bd-id } ^* | all } [ verbose ] command to check the dynamic binding entries to see whether they are correct.
  2. Find out the interface and user host that initiate the attack. Check whether the host is attacked. If not, the host belongs to the attacker. Take measures to defend against the attack, for example, disconnect the attacker's host.
  3. Collect log and configuration information and contact technical support.

Clearing

The alarm needs to be cleared manually.