NE40E-X3 V600R001 ospf震荡问题

OSPF邻居震荡，设备重启之后故障仍然存在

ospf震荡原因为ospf hello超时，即保活时间内未收到hello报文超时down

Aug 30 2023 19:06:35 AL_ZD_NE40E_X3 %
OSPF/3/NBR_CHG_DOWN(l)[1]:Neighbor event:neighbor state changed to Down. (ProcessId=1, NeighborAddress=x.x.x.x, NeighborEvent=InactivityTimer, NeighborPreviousState=Full, NeighborCurrentState=Down)

Aug 30 2023 19:03:38 AL_ZD_NE40E_X3 %
OSPF/3/NBR_CHG_DOWN(l)[14]:Neighbor event:neighbor state changed to Down. (ProcessId=1, NeighborAddress=x.x.x.x, NeighborEvent=InactivityTimer, NeighborPreviousState=Exchange, NeighborCurrentState=Down)

Aug 30 2023 19:02:41 AL_ZD_NE40E_X3 %
OSPF/3/NBR_CHG_DOWN(l)[23]:Neighbor event:neighbor state changed to Down. (ProcessId=1, NeighborAddress=x.x.x.x, NeighborEvent=InactivityTimer, NeighborPreviousState=Full, NeighborCurrentState=Down)

Aug 30 2023 18:55:30 AL_ZD_NE40E_X3 %
OSPF/3/NBR_CHG_DOWN(l)[60]:Neighbor event:neighbor state changed to Down. (ProcessId=1, NeighborAddress=x.x.x.x, NeighborEvent=InactivityTimer, NeighborPreviousState=Full, NeighborCurrentState=Down)

Aug 30 2023 18:53:45 AL_ZD_NE40E_X3 %
OSPF/3/NBR_CHG_DOWN(l)[88]:Neighbor event:neighbor state changed to Down. (ProcessId=1, NeighborAddress=x.x.x.x, NeighborEvent=InactivityTimer, NeighborPreviousState=Full, NeighborCurrentState=Down)

1、查看cpu-defend，发现有大量上送cpu的ospf报文超cpcar丢弃

2、查看设备记录的攻击溯源，发现GigabitEthernet1/0/1.20端口收到大量的ospf hello组播报文

[AL_ZD_NE40E_X3-hidecmd]display attack-source-trace slot 1 original-information ...

No 2 packet Info:

Interface Name    : GigabitEthernet1/0/1.20

PeVlanid          : 20

CeVlanid          : 0

Attack Type       : Application apperceive

Attack Pack Time  : 2023-08-31 10:30:55

Attack Source Data:

01 00 5e 00 00 05 28 6e d4 20 38 2b 81 00 00 14 08 00 45 c0 00 40 f4 5c 00

00 01 59 71 66 0a bc 68 21 e0 00 00 05 02 01 00 2c 0a bc 64 03 00 00 00 08

1a 0a 00 00 00 00 00 00 00 00 00 00 ff ff ff f0 00 0a 02 01 00 00 00 28 0a

bc 68 21 00 00 00

----------------------------------

3、排查NE设备下联的Switch交换机，发现vlan=20的端口流量达到90%，查看该端口有大量组播报文，怀疑下挂二层网络存在环路，ospf 组播报文在二层网络形成环路

将NE下挂交换机的vlan=20端口shutdown，之后业务恢复正常，ospf邻居恢复稳定

（1）NE下挂的二层网络存在环路，导致大量的ospf组播报文发送给NE。GigabitEthernet1/0/1.20端口收到大量的ospf组播报文，超过设备的cpcar值导致其他端口的ospf hello报文被随机丢弃，引起ospf震荡；

（2）需要排查二层环路原因