How to catch flood on Huawei MA5600

Once, on the port of one of the L3 switches of the Cisco 6509e, to which the Huawei MA5683T was connected, I saw that Multicast traffic increased very much, while the CPU load of the switch processor increased by 30%.

You can view package counters on the Huawei MA5683T through the terminal:

enable
config
display gpon statistics ethernet 0/0 0
display gpon statistics ethernet 0/0 1
display gpon statistics ethernet 0/0 2
...

Having found on which GPON port the counter value is increasing most, for example, broadcast or multicast traffic, then you can also look at the packet counters for each ONT:

interface gpon 0/0
display statistics ont-eth 0 0 ont-port 1
quit

However, for GPON ports it is more convenient to draw graphs, since the counters only increase, and the graph visually shows where the number of multicast and broadcast packets increased and decreased.

By the way, for SNMP, for some reason OLT did not give information to ifInBroadcastPkts, ifInMulticastPkts and ifHCInOctets, for example, ifInOctets gave information to a 32-bit counter, but this is pointless since a graph above 100 mb/s will not be drawn.

See also my article:
SNMP OID and MIB for interfaces

Fortunately, the company in which I caught flood used the iManager U2000 program, in which you can create graphs for the same counters that are displayed in the terminal using the command above.

Having opened the program, I selected “Performance Monitoring Management” – “NE” – “Access” – “Port” – “GPON UNI Port” and created graphics for all ports. More precisely, after I selected the ports for which to draw graphs, I clicked “Create Monitoring Template” and created my own template, in which I selected:

During Collection Period GPON UNI Port Ethernet Statistics Template(Profile Mode)
+ Received discarded frames during collection period(frames)
+ Received broadcast frames during collection period(frames)
+ Received multicast frames during collection period(frames)
+ Received CRC error frames during collection period(frames)
+ Sent broadcast frames during collection period(frames)
+ Sent multicast frames during collection period(frames)

And also to draw graphs of the general traffic on the ports:

GPON UNI Up and Down Stream Rate Statistics Template(Profile Mode)
+ Upstream Rate(kbit/s)
+ Downstream Rate(kbit/s)

Statistics update time I selected “15 min”.

As a result, according to the graphs, I saw that several thousand Multicast packets began to come from one of the GPON ports per second, on the graph it was displayed in millions, since data from the GPON ports were collected every 15 minutes (this is 900 seconds), that is, if on graph 2 700,000 pkts / 900 sec = 3000 pkts/s.

Next, I manually looked at the counters on all ONTs of this GPON port and found a harmful ONT, deactivated it and the flood disappeared.

If a Cisco switch is used in front of the OLT, then unknown multicast and unicast traffic can be blocked on it, for example:

interface ethernet 1/28
switchport block multicast
switchport block unicast
storm-control multicast level 0.01

See also my articles:
How to catch broadcast flood on D-Link switches
How to catch broadcast flooding on MikroTik
How to catch broadcast storms on FoxGate

Leave a comment

Leave a Reply