Updated on 2024-01-25 GMT+08:00

ALM-3276800485 The packet dropped by DAI exceeds the alarm threshold

Description

SECE/4/DAI_VLANDROP_ALARM: OID [oid] The packet dropped by DAI exceeds the alarm threshold. (DroppedNum=[INTEGER], Threshold=[INTEGER], VLAN=[INTEGER], PacketInfo=[OCTET])

The number of packets discarded by Dynamic ARP Inspection (DAI) in a VLAN exceeds the alarm threshold.

Attribute

| AlarmID | Alarm OID | Alarm Severity | Alarm Type |
| --- | --- | --- | --- |
| 3276800485 | 1.3.6.1.4.1.2011.5.25.165.2.2.2.17 | Warning | Equipment alarm |

Parameters

| Name | Meaning |
| --- | --- |
| OID | Indicates the MIB object ID of the alarm. |
| DroppedNum | Indicates the number of discarded packets. |
| Threshold | Indicates the alarm threshold. |
| VLAN | Indicates the ID of the VLAN where the DAI alarm function is configured. |
| Interface | Indicates the interface, VLAN, source MAC address, and source IP address of the packets. |

Impact on the System

If this alarm is generated, the device may be under attack. If the attack traffic volume is heavy, the device is busy processing attack packets, and as a result services of authorized users are interrupted.

Possible Causes

The number of packets discarded by DAI in a VLAN exceeds the alarm threshold. By default, the alarm threshold for ARP packets discarded by DAI is 100.

Procedure

  • If user services are not affected, the alarm does not need to be handled.
  • If user services are interrupted, perform the following operations:
    1. Check whether the binding entries are correct:
       • Static binding entries: run the display dhcp static user-bind { { interface interface-type interface-number | ip-address ip-address | mac-address mac-address | vlan vlan-id } * | all } [ verbose ] or display dhcpv6 static user-bind { { interface interface-type interface-number | ipv6-address { ipv6-address | all } | mac-address mac-address | vlan vlan-id } * | all } [ verbose ] command.
       • Dynamic binding entries: run the display dhcp snooping user-bind { { interface interface-type interface-number | ip-address ip-address | mac-address mac-address | vlan vlan-id | bridge-domain bd-id } * | all } [ verbose ] command.
    2. Identify the interface and user host that initiate the attack. Check whether the host itself has been attacked. If not, the host belongs to the attacker. Take measures to defend against the attack, for example, disconnect the attacker's host.
    3. Collect log and configuration information and contact technical support.
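
A triage helper for step 2, added here as an example (it is not Huawei's code): it parses alarm lines in the format shown under Description and ranks the VLAN, interface and source MAC address by peak DroppedNum. The sample log lines and the key=value layout inside PacketInfo are constructed assumptions; adjust the PacketInfo pattern to what your device actually emits.

```python
import re
from collections import defaultdict

# Alarm body as given under Description; PacketInfo is the last field.
ALARM_RE = re.compile(
    r"DAI_VLANDROP_ALARM:.*?\(DroppedNum=(?P<dropped>\d+),\s*"
    r"Threshold=(?P<threshold>\d+),\s*VLAN=(?P<vlan>\d+),\s*"
    r"PacketInfo=(?P<info>.*)\)\s*$")
# ASSUMPTION: PacketInfo is comma-separated key=value pairs. The page only says
# it carries interface, VLAN, source MAC and source IP, not how it is laid out.
KV_RE = re.compile(r"\s*([^=,]+?)\s*=\s*([^,]*)")

def parse_alarm(line):
    """Return the alarm fields as a dict, or None for any other log line."""
    m = ALARM_RE.search(line)
    if m is None:
        return None
    info = {k.lower(): v.strip() for k, v in KV_RE.findall(m["info"])}
    return {"dropped": int(m["dropped"]), "threshold": int(m["threshold"]),
            "vlan": int(m["vlan"]), "info": info}

def rank_sources(lines):
    """Alarm count and peak DroppedNum per (VLAN, interface, MAC), worst first."""
    stats = defaultdict(lambda: [0, 0])
    for line in lines:
        alarm = parse_alarm(line)
        if alarm is None or alarm["dropped"] <= alarm["threshold"]:
            continue
        info = alarm["info"]
        key = (alarm["vlan"], info.get("interface", "?"), info.get("sourcemac", "?"))
        stats[key][0] += 1
        stats[key][1] = max(stats[key][1], alarm["dropped"])
    return sorted(((k, tuple(v)) for k, v in stats.items()),
                  key=lambda item: item[1][1], reverse=True)

# Constructed sample lines, not captured from a real device.
_HEAD = ("SW1 SECE/4/DAI_VLANDROP_ALARM: OID 1.3.6.1.4.1.2011.5.25.165.2.2.2.17 "
         "The packet dropped by DAI exceeds the alarm threshold. ")
SAMPLE_LOG = [
    _HEAD + "(DroppedNum=180, Threshold=100, VLAN=10, PacketInfo=Interface=GE0/0/1,"
            " SourceMAC=00e0-fc12-3456, SourceIP=10.1.10.99)",
    _HEAD + "(DroppedNum=240, Threshold=100, VLAN=10, PacketInfo=Interface=GE0/0/1,"
            " SourceMAC=00e0-fc12-3456, SourceIP=10.1.10.99)",
    _HEAD + "(DroppedNum=130, Threshold=100, VLAN=20, PacketInfo=Interface=GE0/0/7,"
            " SourceMAC=00e0-fc65-4321, SourceIP=10.1.20.5)",
    "SW1 some unrelated log line that must be ignored",
]

if __name__ == "__main__":
    for (vlan, ifname, mac), (count, peak) in rank_sources(SAMPLE_LOG):
        print(f"VLAN {vlan} {ifname} {mac}: {count} alarm(s), peak {peak} drops")
```

The top-ranked interface and MAC address are the ones to compare first against the binding entries checked in step 1.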

Clearing

The alarm needs to be cleared manually.