meter almost works for me. No counters via cli, via snmp, no snmp traps

  • Question
  • Updated 2 years ago
  • Answered
Hi

I have xos 16.1.3.6-patch1-8 on my summit670. I am trying to use a meter as an ingress shaper to limit udp and icmp flood. Shaping seems to work, but the problem is with notification. As far as I tested, only the syslog message works. Counters via cli still show 0, and I can't find the counters' OID via snmp. No trap is sent to my zabbix. The counter in the ACL works and is accessible via snmp, but gives only the amount of packets. Is there a better version of xos without this bug?

thanks for help
Pedro

entry 1 {
if match all {
    protocol udp ;
    destination-address 192.168.192.1/32 ;
}
then {
    count icmp_udp ;
    meter ingmeter0 ;
    permit;
}
}


 # show  configuration | include meter

configure meter ingmeter0 committed-rate 100 Pps max-burst-size 10 packets out-actions drop log trap ports "group_port_11"


# show access-list meter ports 11 ingress

=================================================================================
Policy Name      Vlan Name        Port
                       Committed     Max Burst     Out-of-Profile  Out-of-Profile
    Meter              Rate          Size          Action    DSCP    Packet Count
=================================================================================
icmp_drop        *                11
    ingmeter0          100 pps       10 pkt        L T - Dr     -               0


 # show access-list counter ports 11 ingress

Policy Name       Vlan Name        Port   Direction
    Counter Name                   Packet Count         Byte Count
==================================================================
icmp_drop         *                11     ingress
    icmp_udp                       170584530


syslog:
 <Noti:ACL.IngrMeterOutActLogEvent> Ingress Traffic on port 11 exceeded the configured rate of meter ingmeter0 resulting in change of out-of-profile status to true.


 
Pedro

Posted 2 years ago

Henrique, Employee

Hi Pedro, could you please check the command below and share if that works for you?

show meter {metername} out-of-profile {{disabled-ports} ports [portlist | port_group] | global-count}

Drew C., Community Manager

Hello Pedro, this sounds very similar to the other question you're working on in this thread: "meter doesn't work for me"
If this issue is related, let's keep the conversation there to make it easier for others to assist.

Pedro

Hi

I also checked Henrique's advice; the counter doesn't work in cli. I don't know the OID of this counter; maybe it works via snmp.


# show meter "ingmeter0" out-of-profile global-count  Global

                                      Out-of-profile
Meter                                   Packet Count
===================================  ===============
ingmeter0                                          0


The previous thread was about the meter not limiting (a small burst size helped); this thread is about the lack of notification. Maybe they should be merged.

Henrique, Employee

Hi Pedro, I could not find any OID to get those values from snmp.

Regarding the counters I will perform some tests and update this thread.

Henrique, Employee

Hi Pedro,

I was able to perform a quick test today and could see the Out-of-Profile packets incrementing as follows:

X670v-19-6A98.46 # show access-list meter "control" ports 3 ingress

Policy Name      Vlan Name        Port
                           Committed   Max Burst  Out-of-Profile  Out-of-Profile
    Meter              Rate (Kbps) Size (K)   Action    DSCP  Packet Count
=======================================================================
regra            *                3
    control            100         150        Drop            8214


I have tested sending a ping flood and created a meter with Committed Rate = 100K and Max Burst Size = 150K.

ACL used applied to ingress port:

entry R1 {
    if match all {
        source-address <ping flood generator source IP> ;
        protocol icmp ;
    } then {
        permit ;
        meter control ;
        count icmpcount ;
    }
}


I tried with X670V using EXOS 15.7.3 release.

Please provide more details regarding your scenario and setup.

Thanks.

Pedro

Hi,

There are 2 kinds of meters: defined by user and 15 predefined in system.
Traps, logs and port disable work only with a predefined meter like "ingmeter0".

When I'm using my counter, i.e. meter_10_K, the counter in cli works but traps, logs and port disable don't work.

When I'm using a predefined counter, i.e. ingmeter0, I can get a syslog message and nothing more, I mean: no traps, no cli counters as mentioned above.


For testing I'm using ping -f and hping3

My system: X670-48x, xos 16.1.3.6  patch1-8

# show  policy "icmp_drop"
Policies at Policy Server:
Policy: icmp_drop
entry 1 {
if match all {
    protocol udp ;
    destination-address 192.168.65.23/32 ;
}
then {
    count icmp_udp ;
    meter meter_10_K ;
}
}

Henrique, Employee

Hi Pedro, please see below a quick description for my lab results:

Server sending icmp -f (2.2.2.2) === port 3 === SW === port 1 === PC receiving the icmp (2.2.2.1)

X670V-48X using 16.1.3.6-patch1-3

Switch configuration:

conf meter "ingmeter10" committed-rate 10 k max-burst-size 10 Kb out-actions drop log trap ports 3

Policy: icmpdrop
entry R1 {
    if {
    protocol icmp ;
    destination-address 2.2.2.1/32 ;
}
then {
    count icmp_udp ;
    meter ingmeter10 ;
}
}

conf access-list icmpdrop ports 3 ingress

Results

ACL Counter:

Policy Name       Vlan Name        Port   Direction
    Counter Name                   Packet Count         Byte Count
==================================================================
icmpdrop          *                3      ingress
    icmp_udp                       572
 

Meter Status:

SW.62 # show meter "ingmeter10" out-of-profile ports 3

Name                             Status         Disabled Rate-Limit Counter Port
====================================================================
ingmeter10                  Out of profile    No                              0          3


SNMP Trap:

SW.63 # show management

SNMP traps:     Sent   1


Switch Log

SW.64 # sh log

08/12/2016 16:36:38.16 <Noti:ACL.IngrMeterOutActLogEvent> Ingress Traffic on port 3 exceeded the configured rate of meter ingmeter10 resulting in change of out-of-profile status to true.

I could see the log and trap being sent when using internal meter (ingmeterX).

Hope it helps.
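
Both Pedro and Henrique see the ACL.IngrMeterOutActLogEvent log line for the predefined meters, so a monitoring pipeline can key on that message when traps or counters are unavailable. The following Python is an added example, not part of any post in this thread and not Extreme's code; the function names are hypothetical, the sample log is constructed, and the "false" transition line and its wording are assumptions since only the "true" message appears on the page.

```python
import re

# Tolerant pattern for the ACL.IngrMeterOutActLogEvent line quoted in the thread.
# The timestamp prefix is optional: the first post quotes the line without one.
EVENT_RE = re.compile(
    r"(?:(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{2})\s+)?"
    r"<\w+:ACL\.IngrMeterOutActLogEvent>"
    r".*?\bport (?P<port>\S+)"
    r".*?\bmeter (?P<meter>\S+)"
    r".*?out-of-profile status to (?P<status>true|false)"
)

# Constructed sample input. Line 1 is the message from the thread; the "false"
# line and its wording are an assumption, and line 2 is a placeholder.
SAMPLE_LOG = """\
08/12/2016 16:36:38.16 <Noti:ACL.IngrMeterOutActLogEvent> Ingress Traffic on port 3 exceeded the configured rate of meter ingmeter10 resulting in change of out-of-profile status to true.
08/12/2016 16:36:40.00 <Info:Example.Placeholder> constructed line that is not a meter event
08/12/2016 16:37:10.40 <Noti:ACL.IngrMeterOutActLogEvent> Ingress Traffic on port 3 (constructed) meter ingmeter10 resulting in change of out-of-profile status to false.
 <Noti:ACL.IngrMeterOutActLogEvent> Ingress Traffic on port 11 exceeded the configured rate of meter ingmeter0 resulting in change of out-of-profile status to true.
"""

def parse_event(line):
    """Return a dict for a meter out-action log line, or None for any other line."""
    m = EVENT_RE.search(line)
    if m is None:
        return None
    return {"ts": m["ts"], "port": m["port"], "meter": m["meter"],
            "out_of_profile": m["status"] == "true"}

def meter_states(lines):
    """Fold events into per-(port, meter) state: current status and trip count."""
    states = {}
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        st = states.setdefault((ev["port"], ev["meter"]),
                               {"out_of_profile": False, "trips": 0, "last_ts": None})
        if ev["out_of_profile"] and not st["out_of_profile"]:
            st["trips"] += 1  # count only in-profile -> out-of-profile transitions
        st["out_of_profile"] = ev["out_of_profile"]
        st["last_ts"] = ev["ts"]
    return states

def alerting(states):
    """Keys a monitoring system should treat as currently rate-limited."""
    return sorted(key for key, st in states.items() if st["out_of_profile"])

if __name__ == "__main__":
    for port, meter in alerting(meter_states(SAMPLE_LOG.splitlines())):
        print(f"port {port}: meter {meter} is out of profile")
```
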

Henrique, Employee

Hi Pedro,

This is the trap received by Extreme Management Center (Netsight) in my test: