The LAN has been behaving abnormally for some time now.
1. Network situation:
Server subnet: vlan 30: 10.1.30.0/24
User subnets: vlan 11 12 13 14 15 16 17, corresponding to 10.1.1.0/24, 10.1.2.0/24, 10.1.3.0/24, 10.1.4.0/24, 10.1.5.0/24, 10.1.6.0/24, 10.1.7.0/24; roughly 250-300 users.
Network topology:
Branch office staff reach the Internet via Huawei S5700 core switch - Internet behavior management device - firewall, and reach the group headquarters' intranet systems via Huawei S5700 core switch - MSTP WAN router - WAN line.
2. Symptoms:
Branch staff lose access to the group systems from time to time. Pinging the server address shows intermittent packet loss or high latency, and one chat client keeps dropping offline and only logs back in after a while. Internet access is normal. While the problem is happening, pinging the branch's server subnet 10.1.30.254 from headquarters over the MSTP line is normal, but pinging the user-subnet gateways is abnormal!
It is usually worse right when work starts, in the morning or in the afternoon.
CPU defense has already been configured on the core switch:
cpu-defend policy policy1
linkup-car packet-type ftp cir 5000 cbs 940000
auto-defend enable
auto-defend threshold 90
auto-defend alarm enable
auto-defend trace-type source-mac source-ip
auto-defend protocol arp
auto-defend action deny
auto-defend whitelist 1 inter GigabitEthernet0/0/1
auto-defend whitelist 2 inter GigabitEthernet0/0/2
auto-defend whitelist 3 inter GigabitEthernet0/0/3
auto-defend whitelist 13 inter GigabitEthernet0/0/13
auto-port-defend protocol arp-request threshold 40
auto-port-defend whitelist 1 inter GigabitEthernet0/0/1
auto-port-defend whitelist 2 inter GigabitEthernet0/0/2
auto-port-defend whitelist 3 inter GigabitEthernet0/0/3
auto-port-defend whitelist 13 inter GigabitEthernet0/0/13
arp speed-limit source-ip maximum 10
arp-miss speed-limit source-ip maximum 30
Looking at the switch logs, there are some abnormal entries like these:
Auto port-defend started.(SourceAttackInter=GigabitEthernet0/0/19, AttackProtocol=ARP-REQUEST, VLAN=14)
Nov 4 2015 15:26:08-05:07 SH_LAN_S5700_02 %%01IFPDT/4/IF_STATE(l)[4]:Inter GigabitEthernet0/0/15 has turned into DOWN state.
Nov 4 2015 15:07:48-05:07 SH_LAN_S5700_02 %%01DEFD/4/CPCAR_DROP_MPU(l)[5]:Rate of packets to cpu exceeded the CPCAR limit on the MPU. (Protocol=arp-request, CIR/CBS=64/10000, ExceededPacketCount=202)
Nov 4 2015 15:03:38-05:07 SH_LAN_S5700_02 %%01SECE/4/PORT_ATTACK_OCCUR(l)[6]:Auto port-defend started.(SourceAttackInter=GigabitEthernet0/0/19, AttackProtocol=ARP-REQUEST, VLAN=14)
Nov 4 2015 14:27:48-05:07 SH_LAN_S5700_02 %%01DEFD/4/CPCAR_DROP_MPU(l)[7]:Rate of packets to cpu exceeded the CPCAR limit on the MPU. (Protocol=arp-request, CIR/CBS=64/10000, ExceededPacketCount=288)
Nov 4 2015 13:37:48-05:07 SH_LAN_S5700_02 %%01DEFD/4/CPCAR_DROP_MPU(l)[8]:Rate of packets to cpu exceeded the CPCAR limit on the MPU. (Protocol=arp-request, CIR/CBS=64/10000, ExceededPacketCount=204)
Nov 4 2015 13:35:37-05:07 SH_LAN_S5700_02 %%01SECE/4/PORT_ATTACK_OCCUR(l)[9]:Auto port-defend started.(SourceAttackInter=GigabitEthernet0/0/19, AttackProtocol=ARP-REQUEST, VLAN=14)
Nov 4 2015 13:35:36-05:07 SH_LAN_S5700_02 %%01LINE/4/LOGIN_FAIL(s)[10]:Failed to login. (Ip=10.23.4.196, Reason="The channel configuration is incorrect.")
Nov 4 2015 13:17:48-05:07 SH_LAN_S5700_02 %%01DEFD/4/CPCAR_DROP_MPU(l)[11]:Rate of packets to cpu exceeded the CPCAR limit on the MPU. (Protocol=arp-request, CIR/CBS=64/10000, ExceededPacketCount=409)
Nov 4 2015 13:10:55-05:07 SH_LAN_S5700_02 %%01SECE/4/STRACK_DENY(l)[12]:Some packets are dropped because an attack is detected.(Inter=GigabitEthernet0/0/19, sourceMAC=0000-0000-0000, sourceIP=10.23.4.186, CVLAN=0, PVLAN=0)
Nov 4 2015 13:10:55-05:07 SH_LAN_S5700_02 %%01SECE/4/SPECIFY_SIP_ATTACK(l)[13]:The specified source IP address attack occurred.(Slot=MPU, SourceAttackIP=10.23.4.186, AttackProtocol=ARP, AttackPackets=112 packets per second)
Nov 4 2015 13:10:55-05:07 SH_LAN_S5700_02 %%01SECE/4/STRACK_DENY(l)[14]:Some packets are dropped because an attack is detected.(Inter=GigabitEthernet0/0/19, sourceMAC=6451-063e-75a6, sourceIP=0.0.0.0, CVLAN=0, PVLAN=0)
Nov 4 2015 13:10:55-05:07 SH_LAN_S5700_02 %%01SECE/4/USER_ATTACK(l)[15]:User attack occurred.(Slot=MPU, SourceAttackInter=GigabitEthernet0/0/19, OuterVlan/InnerVlan=14/0, UserMacAddress=6451-063e-75a6, AttackProtocol=ARP AttackPackets=112 packets per second)
Nov 4 2015 13:10:54-05:07 SH_LAN_S5700_02 %%01SECE/4/PORT_ATTACK_OCCUR(l)[16]:Auto port-defend started.(SourceAttackInter=GigabitEthernet0/0/19, AttackProtocol=ARP-REQUEST, VLAN=14)
Can anyone tell me what the problem is? Please help me analyze it, thanks!
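As an added example (not code from the original post), here is a small Python script that parses the S5700 log format shown above and aggregates the ARP-defense events by mnemonic, source port and source host, so you can see at a glance which access port and which hosts keep triggering auto-port-defend and how many ARP requests were dropped at the CPCAR limit. The field names (SourceAttackInter, Inter, sourceIP, UserMacAddress, ExceededPacketCount) are used exactly as they appear in the log lines above, and the sample lines are copied from the post.

```python
import re
from collections import Counter
# Huawei VRP syslog lines as they appear in the post:
# "<Mon D YYYY hh:mm:ss-hh:mm> <host> %%01<MODULE>/<SEV>/<MNEMONIC>(l)[seq]:<message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{1,2} \d{4} \d\d:\d\d:\d\d[-+]\d\d:\d\d) (?P<host>\S+) "
    r"%%01(?P<module>[A-Z]+)/(?P<sev>\d)/(?P<mnemonic>[A-Z_]+)\(\w\)\[\d+\]:(?P<msg>.*)$"
)
# key=value pairs inside the parenthesised tail of the message
KV_RE = re.compile(r"(\w+)=([^,\s)]+)")
# Mnemonics the switch emits while CPU defense / auto-defend reacts to an ARP flood
ARP_DEFENSE_EVENTS = {"CPCAR_DROP_MPU", "PORT_ATTACK_OCCUR", "USER_ATTACK", "SPECIFY_SIP_ATTACK", "STRACK_DENY"}
NULL_SOURCES = {"0.0.0.0", "0000-0000-0000"}  # placeholders the switch logs when a field is unknown

def parse_line(line):
    """Split one log line into header fields plus a dict of key=value pairs; None if not a syslog line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["fields"] = dict(KV_RE.findall(rec["msg"]))
    return rec

def summarize(lines):
    """Aggregate ARP-defense events: which ports, which hosts, how many packets exceeded the CPCAR limit."""
    out = {"events": Counter(), "ports": Counter(), "suspects": set(), "cpu_drops": 0}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["mnemonic"] not in ARP_DEFENSE_EVENTS:
            continue  # unrelated entries (e.g. LOGIN_FAIL, IF_STATE) are skipped
        f = rec["fields"]
        out["events"][rec["mnemonic"]] += 1
        port = f.get("SourceAttackInter") or f.get("Inter")  # field name as written in the post's logs
        if port:
            out["ports"][port] += 1
        for key in ("SourceAttackIP", "sourceIP", "UserMacAddress", "sourceMAC"):
            if key in f and f[key] not in NULL_SOURCES:
                out["suspects"].add(f[key])
        out["cpu_drops"] += int(f.get("ExceededPacketCount", 0))
    return out

# Sample input: log lines copied from the post above (one unrelated LOGIN_FAIL line included on purpose)
SAMPLE = [
    'Nov 4 2015 15:07:48-05:07 SH_LAN_S5700_02 %%01DEFD/4/CPCAR_DROP_MPU(l)[5]:Rate of packets to cpu exceeded the CPCAR limit on the MPU. (Protocol=arp-request, CIR/CBS=64/10000, ExceededPacketCount=202)',
    'Nov 4 2015 15:03:38-05:07 SH_LAN_S5700_02 %%01SECE/4/PORT_ATTACK_OCCUR(l)[6]:Auto port-defend started.(SourceAttackInter=GigabitEthernet0/0/19, AttackProtocol=ARP-REQUEST, VLAN=14)',
    'Nov 4 2015 13:35:36-05:07 SH_LAN_S5700_02 %%01LINE/4/LOGIN_FAIL(s)[10]:Failed to login. (Ip=10.23.4.196, Reason="The channel configuration is incorrect.")',
    'Nov 4 2015 13:10:55-05:07 SH_LAN_S5700_02 %%01SECE/4/STRACK_DENY(l)[12]:Some packets are dropped because an attack is detected.(Inter=GigabitEthernet0/0/19, sourceMAC=0000-0000-0000, sourceIP=10.23.4.186, CVLAN=0, PVLAN=0)',
    'Nov 4 2015 13:10:55-05:07 SH_LAN_S5700_02 %%01SECE/4/STRACK_DENY(l)[14]:Some packets are dropped because an attack is detected.(Inter=GigabitEthernet0/0/19, sourceMAC=6451-063e-75a6, sourceIP=0.0.0.0, CVLAN=0, PVLAN=0)',
    'Nov 4 2015 13:10:55-05:07 SH_LAN_S5700_02 %%01SECE/4/USER_ATTACK(l)[15]:User attack occurred.(Slot=MPU, SourceAttackInter=GigabitEthernet0/0/19, OuterVlan/InnerVlan=14/0, UserMacAddress=6451-063e-75a6, AttackProtocol=ARP AttackPackets=112 packets per second)',
]
```

Running `summarize(SAMPLE)` over the post's own lines points at GigabitEthernet0/0/19 in VLAN 14 as the port every defense event names, with 10.23.4.186 and 6451-063e-75a6 as the hosts behind it; feed it the full log export to check whether that is the only port involved.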