ALM-3276800485 The packet dropped by DAI exceeds the alarm threshold
Description
SECE/4/ DAI_VLANDROP_ALARM: OID [oid] The packet dropped by DAI exceeds the alarm threshold. (DroppedNum=[INTEGER], Threshold=[INTEGER], VLAN=[INTEGER], PacketInfo=[OCTET])
The number of packets discarded by Dynamic ARP Inspection (DAI) in a VLAN exceeds the alarm threshold.
Attribute
AlarmID |
Alarm OID |
Alarm Severity |
Alarm Type |
---|---|---|---|
3276800485 |
1.3.6.1.4.1.2011.5.25.165.2.2.2.17 |
Warning |
Equipment alarm |
Parameters
Name |
Meaning |
---|---|
OID |
Indicates the MIB object ID of the alarm. |
DroppedNum |
Indicates the number of discarded packets. |
Threshold |
Indicates the alarm threshold. |
VLAN |
Indicates the ID of the VLAN where the DAI alarm function is configured. |
Interface |
Indicates the interface, VLAN, source MAC address, and source IP address of the packets. |
Impact on the System
If this alarm is generated, the device may be attacked. If the attack traffic volume is heavy, the device is busy processing attack packets. As a result, services of authorized users are interrupted.
Possible Causes
The number of packets discarded by DAI in a VLAN exceeds the alarm threshold. By default, the alarm threshold for ARP packets discarded by DAI is 100.
Procedure
- If user services are not affected, the alarm does not need to be handled.
- If user services are interrupted, perform the following operations:
- Run the display dhcp static user-bind { { interface interface-type interface-number | ip-address ip-address | mac-address mac-address | vlan vlan-id } * | all } [ verbose ] or display dhcpv6 static user-bind { { interface interface-type interface-number | ipv6-address { ipv6-address | all } | mac-address mac-address | vlan vlan-id } * | all } [ verbose ] command to check the static binding entries, and run the display dhcp snooping user-bind { { interface interface-type interface-number | ip-address ip-address | mac-address mac-address | vlan vlan-id | bridge-domain bd-id } * | all } [ verbose ] command to check the dynamic binding entries to see whether they are correct.
- Find out the interface and user host that initiate the attack. Check whether the host is attacked. If not, the host belongs to the attacker. Take measures to defend against the attack, for example, disconnect the attacker's host.
- Collect log and configuration information and contact technical support.
Clearing
The alarm needs to be cleared manually.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot