Clear flow "delta" action

Question, updated 3 years ago, answered.
Hi everybody. I have trouble again...

I'd like to create an OpenFlow rule which sends a syslog message when the broadcast rate reaches 1000 pps in some VLANs. I've applied this rule to the VLAN and disabled all ports on the switch. But I still see those syslog messages... What's wrong with the rule?

entry BCAST-PKT {
    if {
        ethernet-destination-address ff:ff:ff:ff:ff:ff;
    }
    then {
        count bcast-pkt;
    }
}
entry BCAST_flood {
    if {
        delta bcast-pkt > 1000;
        hysteresis 100;
        period 1;
    }
    then {
        syslog "Too many broadcast frames in VLAN $VlanName... Rule $ruleName exceeds limit $ruleThreshold" WARN 120;
    }
    else {
        syslog "Broadcast frames in VLAN $VlanName falls bellow rate." WARN;
    }
}
<Warn:ACL.CLEARFlow.Warning> Slot-1: Too many broadcast frames in VLAN v20... Rule BCAST_flood exceeds limit 1000.000000
<Warn:ACL.CLEARFlow.Warning> Slot-1: Too many broadcast frames in VLAN v11... Rule BCAST_flood exceeds limit 1000.000000
<Warn:ACL.CLEARFlow.Warning> Slot-1: Too many broadcast frames in VLAN v22... Rule BCAST_flood exceeds limit 1000.000000
<Warn:ACL.CLEARFlow.Warning> Slot-1: Too many broadcast frames in VLAN v31... Rule BCAST_flood exceeds limit 1000.000000

<Warn:ACL.CLEARFlow.Warning> Slot-1: Broadcast frames in VLAN v20 falls bellow rate.
<Warn:ACL.CLEARFlow.Warning> Slot-1: Broadcast frames in VLAN v11 falls bellow rate.
<Warn:ACL.CLEARFlow.Warning> Slot-1: Broadcast frames in VLAN v22 falls bellow rate.
<Warn:ACL.CLEARFlow.Warning> Slot-1: Broadcast frames in VLAN v31 falls bellow rate.

eyeV

Posted 4 years ago
Sumit Tokle, Alum

I haven't seen any log on my test switch, as shown below:

B3U36.13 # show policy test
Policies at Policy Server:
Policy: test
entry BCAST-PKT {
if match all {
    ethernet-destination-address ff:ff:ff:ff:ff:ff ;
}
then {
    count bcast-pkt ;
}
}
entry BCAST_flood {
if match all {
    delta bcast-pkt > 1000 ;
    hysteresis 100 ;
    period 1 ;
}
then {
    syslog "Too many broadcast frames in VLAN $VlanName... Rule $ruleName exceeds limit $ruleThreshold" WARN 120 ;
}
else {
    syslog "Broadcast frames in VLAN $VlanName falls bellow rate." WARN ;
}
}
Number of clients bound to policy: 1
Client: acl bound once

* B3U36.14 #

B3U36.14 # show log
No log messages were displayed.
* B3U36.15 #

B3U36.15 # show access-list counter
Policy Name       Vlan Name        Port   Direction
    Counter Name                   Packet Count         Byte Count
==================================================================
test              Default          *      ingress
    bcast-pkt                      0

* B3U36.16 #


Did you apply the policy on a port or on the VLAN?
Did you see the ACL counters keep increasing?
If there are only a few ports in the VLAN, try applying the policy per port to narrow down the issue.

eyeV
Thank you. This is really weird.
Did you apply the policy on a port or on the VLAN?
I applied this policy on some VLANs.

Did you see the ACL counters keep increasing?
No, the ACL counters don't increase.
If there are only a few ports in the VLAN, try applying the policy per port to narrow down the issue.
OK. I'll try to apply this policy on ports and add a vlan-id matching condition.


Sumit Tokle, Alum

* B3U36.6 # show access-list
Vlan Name    Port   Policy Name          Dir      Rules  Dyn Rules
===================================================================
Default      *      test                 ingress  1      0

* B3U36.7 #

I have applied the policy on the VLAN too.

eyeV

It seems I was a bit obvious. I haven't seen any log messages either when all ports are disabled. Maybe I didn't quite understand the Concepts Guide, because...

I have a simple config. VLAN 21 is added untagged to port 1:1 and tagged to port 1:25. Port 1:25 is active.

I have the same policy file, but I've deleted the "hysteresis 100" statement.

show policy "block-in-abonvlan"
Policies at Policy Server:
Policy: block-in-abonvlan
entry BCAST-PKT {
if match all {
    ethernet-destination-address ff:ff:ff:ff:ff:ff ;
}
then {
    count bcast-pkt ;
}
}
entry BCAST_flood {
if match all {
    delta bcast-pkt > 1000 ;
    period 1 ;
}
then {
    syslog "Too many broadcast frames in VLAN $VlanName... Rule $ruleName exceeds limit $ruleThreshold" WARN 120 ;
}
else {
    syslog "Broadcast frames in VLAN $VlanName falls bellow rate." WARN ;
}
}
Number of clients bound to policy: 1
Client: acl bound once


show access-list
Vlan Name    Port   Policy Name          Dir      Rules  Dyn Rules
===================================================================
v21          *      block-in-abonvlan    ingress  1      0      

show ports 1:25 vlan statistics no-refresh
Port    Vlan      Rx Frames          Rx Byte         Tx Frame        Tx Byte
                        Count          Count            Count          Count
================================================================================
xCore        v21        112           14289                0                0
================================================================================

05/24/2014 12:17:29.79 <Warn:ACL.CLEARFlow.Warning> Slot-1: Too many broadcast frames in VLAN v21... Rule BCAST_flood exceeds limit 1000.000000
05/24/2014 12:17:30.81 <Warn:ACL.CLEARFlow.Warning> Slot-1: Broadcast frames in VLAN v21 falls bellow rate.

show ports 1:25 vlan statistics no-refresh
Port    Vlan      Rx Frames          Rx Byte         Tx Frame        Tx Byte
                        Count          Count            Count          Count
================================================================================
xCore        v21        200           25287                0                0
================================================================================

show access-list counter
Policy Name       Vlan Name        Port   Direction 
    Counter Name                   Packet Count         Byte Count          
==================================================================
block-in-abonvlan v21              *      ingress  
    bcast-pkt                      1096                                     

05/24/2014 12:32:59.66 <Warn:ACL.CLEARFlow.Warning> Slot-1: Too many broadcast frames in VLAN v21... Rule BCAST_flood exceeds limit 1000.000000
05/24/2014 12:33:00.69 <Warn:ACL.CLEARFlow.Warning> Slot-1: Broadcast frames in VLAN v21 falls bellow rate.

show access-list counter
Policy Name       Vlan Name        Port   Direction 
    Counter Name                   Packet Count         Byte Count          
==================================================================
block-in-abonvlan v21              *      ingress  
    bcast-pkt                      1150    

If I have not misunderstood the Concepts Guide, my policy should trigger when the broadcast frames in VLAN 21 increase by 1000 per second. Is that right?

I'm sorry about my English. It's not my native language. I always make a lot of mistakes, actually.

eyeV

I've changed the policy again:

entry BCAST-PKT {
if match all {
    ethernet-destination-address ff:ff:ff:ff:ff:ff ;
}
then {
    count bcast-pkt ;
}
}
entry BCAST_flood {
if match all {
    delta bcast-pkt > 20 ;
    period 10 ;
}
then {
    syslog "$RuleValue Too many broadcast frames in VLAN $VlanName... Rule $ruleName exceeds limit $ruleThreshold" WARN 30 ;
}
else {
    syslog "Broadcast frames in VLAN $VlanName falls bellow rate." WARN ;
}
}

And it seems that the rule works correctly. Can I set a value of 1 second for the period?

Sumit Tokle, Alum

It depends on how much traffic you are expecting.
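An added example, not part of the thread and not EXOS code: a small Python model of how a CLEARFlow `delta` rule is expected to evaluate, written to check the two policies above (`delta bcast-pkt > 1000; period 1` and `delta bcast-pkt > 20; period 10`) against the counter values seen in the thread. The semantics it encodes are assumptions restated from the Concepts Guide as the poster read it (delta is the counter change since the previous evaluation, one evaluation per `period` seconds, `then` fires when the rule turns true, `else` when it turns false again, `hysteresis` widens the band before it turns false); the syslog repeat interval (`WARN 120`) is not modelled, and all counter readings are constructed.

```python
"""Model of how an EXOS CLEARFlow ``delta`` rule is expected to evaluate.

Added example, not code from the thread and not EXOS code. The evaluation
semantics below are assumptions restated from the Concepts Guide, not
verified switch behaviour:

* every ``period`` seconds the rule reads the named counter and computes
  delta = value now - value at the previous evaluation;
* a false rule becomes true when delta > threshold and its ``then`` actions run;
* a true rule stays true until delta < threshold - hysteresis (hysteresis
  defaults to 0), at which point the ``else`` actions run once.
"""
from dataclasses import dataclass, field
from typing import Iterable, List, Optional


@dataclass
class DeltaRule:
    """One ``delta <counter> > <threshold>`` entry with ``period`` and ``hysteresis``."""
    name: str
    threshold: float
    period: int                  # seconds between evaluations
    hysteresis: float = 0.0
    is_true: bool = field(default=False, init=False)
    last_value: Optional[int] = field(default=None, init=False)

    def min_rate_pps(self) -> float:
        """Steady packet rate at which the per-period delta just reaches the threshold."""
        return self.threshold / self.period

    def evaluate(self, counter_value: int) -> Optional[str]:
        """Feed the counter value read at one period boundary.

        Returns "then" when the rule turns true, "else" when it turns false
        again, and None otherwise. The first sample only seeds the baseline.
        """
        if self.last_value is None:
            self.last_value = counter_value
            return None
        delta = counter_value - self.last_value
        self.last_value = counter_value
        if not self.is_true and delta > self.threshold:
            self.is_true = True
            return "then"
        if self.is_true and delta < self.threshold - self.hysteresis:
            self.is_true = False
            return "else"
        return None


def run_rule(rule: DeltaRule, samples: Iterable[int]) -> List[Optional[str]]:
    """Evaluate one counter reading per period; returns the event raised per sample."""
    return [rule.evaluate(v) for v in samples]


def steady_counter(rate_pps: float, seconds: int, period: int, start: int = 0) -> List[int]:
    """Constructed counter readings at a steady packet rate, one per period, t = 0..seconds."""
    return [start + int(rate_pps * t) for t in range(0, seconds + 1, period)]


if __name__ == "__main__":
    # First policy in the thread: delta bcast-pkt > 1000 over period 1 (needs > 1000 pps).
    flood = DeltaRule("BCAST_flood", threshold=1000, period=1, hysteresis=100)
    print("rate to trip:", flood.min_rate_pps(), "pps")
    # Constructed to match the thread's counter output: ~54 frames (1096 -> 1150) in 15 minutes.
    quiet = steady_counter(rate_pps=54 / 900, seconds=900, period=1, start=1096)
    print("quiet VLAN events:", [e for e in run_rule(flood, quiet) if e])
    # A real flood: 1500 pps, then 1600 pps, then it stops.
    print("flood events:", run_rule(DeltaRule("BCAST_flood", 1000, 1, 100), [0, 1500, 3100, 3150]))
    # Second policy in the thread: delta > 20 over period 10 (needs > 2 pps).
    slow = DeltaRule("BCAST_flood", threshold=20, period=10)
    print("rate to trip:", slow.min_rate_pps(), "pps")
    print("2.5 pps events:", run_rule(slow, steady_counter(2.5, 60, 10)))
```

Under these assumptions a VLAN that adds about 54 broadcast frames in fifteen minutes never produces a delta above 1000 in one second, so the `then` branch should not fire; the model also shows why the `hysteresis` statement matters, since without it a rate hovering just under the threshold flips the rule between `then` and `else` on every period.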
eyeV

Hello everybody.

TAC has opened a "CR" about my problem. I have the ID of this CR. Unfortunately, it's still open.
Drew C., Community Manager
What's the CR number?  I'll look it up for you.
eyeV
It would be great. The CR number is xos0057835.
Drew C., Community Manager
Right now that CR shows that it is assigned to an engineer to be fixed, but hasn't been built into a release version of EXOS yet.
eyeV
Thanks for making it clear, Drew.
PARTHIBAN CHINNAYA, Alum

It might be fixed in the monthly release.
eyeV
Hope so. Thank you Parthiban.