
DOS protect log message

Question
What does the following log message mean?
<Info:DOSProt.PktCntExcd> MSM-A: Notify-threshold for L3 Protect packet count of 3500 reached
Environment
  • All EXOS
Answer
If DOS-protect is enabled, the switch monitors the number of packets per second that are being forwarded by the CPU. Once the number of packets forwarded by the CPU reaches the configured Notify-threshold, it logs this message. The message does NOT indicate where this traffic originates from. Most traffic should NOT be forwarded by the CPU.

Normally the CPU is only utilized for processing
  • control traffic such as ARP packets (e.g., ARP requests) and routing protocol control packets (e.g., OSPF hellos)
  • management traffic such as telnet, SNMP, or SSH destined to the switch
  • broadcast packets, some multicast and all unknown unicast packets
As long as the switch has an entry in its hardware tables for the destination (such as an FDB entry, ARP entry, IGMP entry or a route), traffic will NOT be handled by the CPU. When a new entry is learned, the CPU programs the switch's hardware tables and CPU forwarding stops. CPU forwarding is sometimes referred to as slowpath forwarding.

In some cases the CPU forwarding continues. This is an undesirable state and could be happening due to (among many other causes) an attack on the switch, some misconfigured devices in the network or an intrusive network testing tool. DOS-protect can be configured on the switch to detect this misbehavior.

In this case, capturing the packets that reach the CPU with debug packet is the only way to troubleshoot what traffic is going to the CPU.
How to perform a local packet capture on an EXOS switch
 
DOS-protect has 2 thresholds. What is discussed above is the Notify-threshold. The other threshold is the Alert-threshold. If the Alert-threshold is reached, DOS-protect tries to find a match for most of the CPU-forwarded traffic and installs an ACL to block it. This is only done when DOS-protect is enabled (it is enabled by default).

You can also enable DOS-protect in simulated mode. It then only logs which ACL it would have installed if DOS-protect were actually enabled, but does not install the ACL. This way you can get an idea of the traffic forwarded by the CPU and resolve it.
Additional notes
  • DOS-protect simulated mode is useful to gather information about normal traffic levels on the switch. This will assist in configuring denial of service protection so that legitimate traffic is not blocked.
  • These are just informational log messages and should not be much of a problem. To confirm, identify the device sending the packets to this switch.
  • Confirm with a packet capture or a tcpdump to identify the source of these packets.
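Because the message itself does not say where the traffic comes from, the useful thing to do with it is to track how often it fires and whether the count keeps rising, which is a hint that slowpath traffic is sustained. The following parser and summary are an added example, not part of the article or of EXOS; the article only shows the Notify-threshold wording, so accepting an "Alert-threshold" form with the same layout is an assumption, and the sample log lines are constructed.

```python
import re
from collections import defaultdict

# Matches the DOSProt.PktCntExcd message shown in the article, with or without a
# leading timestamp. The "Alert" alternative is an assumption: the article only
# shows the Notify-threshold form.
DOSPROT_RE = re.compile(
    r"<(?P<sev>\w+):DOSProt\.PktCntExcd>\s+"
    r"(?P<slot>\S+):\s+"
    r"(?P<threshold>Notify|Alert)-threshold for (?P<ptype>.+?) packet count of "
    r"(?P<count>\d+) reached"
)

def parse_dosprot(line):
    """Return the fields of a DOSProt.PktCntExcd log line, or None if it is not one."""
    m = DOSPROT_RE.search(line)
    if not m:
        return None
    return {
        "severity": m.group("sev"),
        "slot": m.group("slot"),                    # e.g. "MSM-A"
        "threshold": m.group("threshold").lower(),  # "notify" or "alert"
        "type": m.group("ptype"),                   # e.g. "L3 Protect"
        "count": int(m.group("count")),
    }

def summarize(lines):
    """Per slot: number of notify/alert events and the highest packet count seen.

    Several notify events with a rising count mean the CPU-forwarded traffic is
    sustained; an alert event means an ACL was (or in simulated mode would have
    been) installed, so a capture of traffic to the CPU is warranted.
    """
    summary = defaultdict(lambda: {"notify": 0, "alert": 0, "max_count": 0})
    for line in lines:
        ev = parse_dosprot(line)
        if ev is None:
            continue  # not a DOS-protect message
        s = summary[ev["slot"]]
        s[ev["threshold"]] += 1
        s["max_count"] = max(s["max_count"], ev["count"])
    return dict(summary)

# Constructed sample log: the article's message plus timestamped variants.
SAMPLE_LOG = [
    "<Info:DOSProt.PktCntExcd> MSM-A: Notify-threshold for L3 Protect packet count of 3500 reached",
    "01/15/2024 10:23:45.12 <Info:DOSProt.PktCntExcd> MSM-A: Notify-threshold for L3 Protect packet count of 4100 reached",
    "01/15/2024 10:23:46.02 <Info:DOSProt.PktCntExcd> MSM-A: Alert-threshold for L3 Protect packet count of 6000 reached",
    "01/15/2024 10:23:46.50 <Info:Example.Unrelated> constructed non-DOSProt line, ignored",
]

if __name__ == "__main__":
    for slot, s in summarize(SAMPLE_LOG).items():
        print(f"{slot}: notify={s['notify']} alert={s['alert']} max_count={s['max_count']}")
```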
