meter doesn't work for me

  • Updated 2 years ago
  • Answered
Hi,

On a Summit X670-48x with 15.5.4.2 v1554b2-patch1-5 I have a problem with a meter. I am trying to limit ICMP traffic, but it looks like the ingress shaper doesn't work.
I see packets on the icmp counter, but I don't see any dropped packets. After the switch, on the router, I also see all packets; nothing was dropped.
 

test:
ping 192.168.65.23 -i 0.0001 -c 100000

Here is my config


entry 1 {
if {
    protocol icmp;
    destination-address 192.168.65.23/32 ;
} then {
#   deny ;
#    permit ;
     count icmp;
     meter meter_10_K;
}
}

configure access-list icmp_drop ports 25 ingress

create meter meter_10_K
configure meter meter_10_K committed-rate 10 Kbps out-actions drop
create meter meter_100_K
configure meter meter_100_K committed-rate 100 Kbps out-actions drop


Summit1.27 # show access-list counter ports 25 ingress
Policy Name       Vlan Name        Port   Direction
    Counter Name                   Packet Count         Byte Count
==================================================================
icmp_drop         *                25     ingress
    icmp                           18981




Summit1.26 # show  access-list meter ports 25 ingress
Policy Name      Vlan Name        Port
                       Committed   Max Burst  Out-of-Profile  Out-of-Profile
    Meter              Rate (Kbps) Size (K)   Action    DSCP  Packet Count
===============================================================================
icmp_drop        *                25
    meter_10_K         10          Max        Drop            0




Thanks for any help or advice
Pedro

Posted 2 years ago

Balaji, Employee

After editing the acl did you refresh the policy?

Erik Auerswald, Embassador

Hello Pedro,

ping is a bit problematic if you are trying to create network load, because ping waits for responses before sending a new packet. The -i option adjusts the wait time after receiving an ICMP Echo Reply resp. after the timeout for a reply expires. You can try a flood ping (ping -f) to send more packets.

Because ping adapts to the network conditions (RTT), it is quite hard to generate a specific traffic rate in the presence of packet loss. Thus ping is a bad tool to measure rate limiters, which induce packet loss (or delayed packets in the case of shaping).

You should consider using iperf in UDP mode to test specific traffic rates.

Br,
Erik

Henrique, Employee

Hi Pedro, for ICMP traffic I would recommend you to test with some application that sends traffic flows continuously (e.g. 1M/sec ICMP flow). 

As already mentioned by Erik, -i option might be tricky as well as burst traffic.

Pedro

Hi,

Thanks for the answers. I had to reduce the burst size, and I tested with UDP packets using hping. Looks better, the drop counter is counting.

Is there an OID via SNMP for Out-of-Profile dropped packets/bits? I can't find one.

greets,
Pedro
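
Why the burst size and the sender's pacing decide whether a meter ever counts out-of-profile packets, as an added example that is not part of the thread. It uses a generic token-bucket model (an assumption, not the switch's actual algorithm); the frame size, the 1000 pps send rate, the huge burst value standing in for "Max" and the 2000-bit small burst are constructed values.

```python
# Added illustration: generic single-rate token-bucket meter (assumption: not
# the switch's actual hardware algorithm). Integer math keeps results exact.
US = 1_000_000  # microseconds per second; tokens are held in micro-bits

def run_meter(committed_bps, burst_bits, packets):
    """packets: list of (arrival_us, size_bits) sorted by time.
    Returns (in_profile, out_of_profile) packet counts."""
    cap = burst_bits * US
    tokens, last = cap, 0          # bucket starts full
    in_profile = out_of_profile = 0
    for arrival_us, size_bits in packets:
        # Refill at the committed rate, never beyond the burst size.
        tokens = min(cap, tokens + (arrival_us - last) * committed_bps)
        last = arrival_us
        need = size_bits * US
        if tokens >= need:
            tokens -= need
            in_profile += 1
        else:
            out_of_profile += 1    # what "out-actions drop" would discard
    return in_profile, out_of_profile

def constant_rate(count, pps, size_bits):
    """Open-loop sender: one packet every 1/pps seconds, regardless of loss."""
    gap_us = US // pps
    return [(i * gap_us, size_bits) for i in range(count)]

PKT_BITS = 98 * 8        # constructed: 98-byte frame
HUGE_BURST = 16_000_000  # constructed stand-in for a burst size shown as "Max"

def scenarios():
    # Packet count taken from the counter output in the question; pps is constructed.
    fast = constant_rate(18981, 1000, PKT_BITS)
    slow = constant_rate(100, 1, PKT_BITS)   # well below the committed rate
    return {
        "10 Kbps, huge burst, fast sender": run_meter(10_000, HUGE_BURST, fast),
        "10 Kbps, 2000-bit burst, fast sender": run_meter(10_000, 2_000, fast),
        "10 Kbps, 2000-bit burst, slow sender": run_meter(10_000, 2_000, slow),
    }

if __name__ == "__main__":
    for name, (ok, dropped) in scenarios().items():
        print(f"{name}: in-profile={ok} out-of-profile={dropped}")
```

In this model a bucket larger than the whole test run absorbs every packet, and a sender that stays under the committed rate never goes out of profile even with a small bucket.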

Henrique, Employee

Hi Pedro, you can add the "trap" option in the meter CLI to generate an SNMP trap if traffic exceeds the configured rate.

Pedro

Hi,
How can you get the trap parameter? Maybe in 16.x XOS? For now I have only 15.5.4.2.

I tried:
Summit1.27 # configure meter meter_1_M committed-rate 1000 Kbps max-burst-size 2 Kb out-actions drop trap

                                                                                                     ^
%% Invalid input detected at '^' marker.

In the ACL I also can't use snmptrap:

entry 1 {
if {
    protocol udp;
    destination-address 192.168.65.23/32 ;
} then {
#   deny ;
#    permit ;
    count icmp_udp;
    meter meter_10_K;
    snmptrap 123 "Traffic icmp_drop entry 1 exceeds threshold";
}
}


Line 11 : Statements from Access Control List applicaton line 10 cannot be mixed with statements from Clear Flow application.

Henrique, Employee

Hi Pedro, you are correct.

I forgot to mention that the trap option was introduced in EXOS 16.1, sorry about that.

Pedro

Now I have XOS 16.1.3.6 patch1-8 on a test Summit670 and some problems with this snmptrap. I have tried to set the trap action in the ACL, in the global meter configuration, but without success.


 # configure meter meter_1_K committed-rate 10 Pps max-burst-size 1 packets out-actions drop trap
Software actions (log, trap, disable port) are not supported for global meters

8 # configure meter meter_1_K committed-rate 10 Pps max-burst-size 1 packets out-actions drop trap log ports "group_port_11"
Software actions (log, trap, disable port) are not supported for global meters

I tried using an ACL, but that also failed.

entry 1 {
if match all {
    protocol udp ;
#    destination-address 192.168.65.23/32 ;
}
then {
    count icmp_udp ;
    meter meter_1_K ;
    log ;
    trap ;
}
}

 # refresh policy "icmp_drop"
Error:  Was not able to refresh policy icmp_drop Line 11 : "trap" is not a valid attribute


I can set an SNMP trap only for broadcast flood on an ingress port:

# show  configuration | include  trap
configure port "group_port_11" rate-limit flood broadcast 100 out-actions log trap


Can I use snmptrap with a meter? How can I set a "no global" action? Am I doing something wrong or is it just a bug?

Thanks for the help.

Pedro

It's not a bug. There are 2 kinds of meters: those defined by the user and 15 predefined in the system.
Traps, logs and port disable work only with predefined meters.

# show  configuration | include  meter
configure meter ingmeter0 committed-rate 10 Pps max-burst-size 1 packets out-actions drop log trap ports 11


entry 1 {
if match all {
    protocol udp ;

}
then {
    count icmp_udp ;
    meter ingmeter0 ;
    log ;

}
}