SECE_1.3.6.1.4.1.2011.5.25.165.2.2.1.3 hwStrackDenyPacket
Description
SECE/4/STRACK_DENY: OID [oid] Some packets are dropped because an attack is detected. (Interface=[OCTET], SourceMAC=[OCTET], SourceIP=[OCTET], InnerVlan=[INTEGER], OuterVlan=[INTEGER])
The system detected an attack source and dropped packets sent from the attack source.
Indicates the packets are not traced based on source VLAN if the values of InnerVlan and OuterVlan are 2147483647.
Indicates the packets are not traced based on source MAC if the value of SourceMAC is NA.
Indicates the packets are not traced based on source IP if the value of SourceIP is NA.
Attribute
| Alarm ID | Alarm Severity | Alarm Type |
|---|---|---|
1.3.6.1.4.1.2011.5.25.165.2.2.1.3 |
Warning |
securityServiceOrMechanismViolation(10) |
Parameters
| Name | Meaning |
|---|---|
OID |
Indicates the MIB object ID of the alarm. |
Interface |
Indicates the access interface of the attacker. |
SourceMAC |
Indicates the Source MAC address of packets sent from the attacker. |
SourceIP |
Indicates the Source IP address of packets sent from the attacker. |
InnerVlan |
Indicates the inner VLAN ID of packets sent from the attacker. NOTE:
The value of inner VLAN ID 2147483647 indicates the vlan does not exist. |
OuterVlan |
Indicates the outer VLAN ID of packets sent from the attacker. NOTE:
The value of outer VLAN ID 2147483647 indicates the vlan does not exist. |
Impact on the System
The device detected an attack to the CPU and dropped packets sent from the attack source to the CPU.
Possible Causes
A user sent a large number of packets to the user, and the number of packets exceeded the threshold for identifying an attack.
Procedure
- Run the display auto-defend attack-source detail command to check the detected attack source and check whether it is an authorized user.
- If the detected attack source is an unauthorized user, you do not need to take any actions because the attack packets have been dropped by the device. Go to Step 6.
- If the detected attack source is an authorized user, add the user to the whitelist to exclude the user from attack source tracing.
- If multiple attack sources are detected and all of them are authorized users, the attack source tracing threshold is too low. (The default value is 128 pps). Run the auto-defend threshold threshold command to increase the threshold. Go to Step 6.
- If the alarm persists, collect the configuration, alarms, and logs of the device and contact technical support personnel.
- End.