Clear flow "delta" action


Userlevel 3
Hi everybody. I have trouble again...

I'd like to create an OpenFlow rule which sends a syslog message when the broadcast rate reaches 1000 pps in some VLANs. I've applied this rule to a VLAN and disabled all ports on the switch. But I still see those syslog messages... What's wrong with the rule?

entry BCAST-PKT {
if {
ethernet-destination-address ff:ff:ff:ff:ff:ff;
}
then {
count bcast-pkt;
}
}
entry BCAST_flood {
if {
delta bcast-pkt > 1000;
hysteresis 100;
period 1 ;
}
then {
syslog "Too many broadcast frames in VLAN $VlanName... Rule $ruleName exceeds limit $ruleThreshold" WARN 120;
}
else {
syslog "Broadcast frames in VLAN $VlanName falls bellow rate." WARN;
}
}
Slot-1: Too many broadcast frames in VLAN v20... Rule BCAST_flood exceeds limit 1000.000000
Slot-1: Too many broadcast frames in VLAN v11... Rule BCAST_flood exceeds limit 1000.000000
Slot-1: Too many broadcast frames in VLAN v22... Rule BCAST_flood exceeds limit 1000.000000
Slot-1: Too many broadcast frames in VLAN v31... Rule BCAST_flood exceeds limit 1000.000000

Slot-1: Broadcast frames in VLAN v20 falls bellow rate.
Slot-1: Broadcast frames in VLAN v11 falls bellow rate.
Slot-1: Broadcast frames in VLAN v22 falls bellow rate.
Slot-1: Broadcast frames in VLAN v31 falls bellow rate.

14 replies

Userlevel 4
I haven't seen any log on my test switch, as shown below:

B3U36.13 # show policy test
Policies at Policy Server:
Policy: test
entry BCAST-PKT {
if match all {
ethernet-destination-address ff:ff:ff:ff:ff:ff ;
}
then {
count bcast-pkt ;
}
}
entry BCAST_flood {
if match all {
delta bcast-pkt > 1000 ;
hysteresis 100 ;
period 1 ;
}
then {
syslog "Too many broadcast frames in VLAN $VlanName... Rule $ruleName exceeds limit $ruleThreshold" WARN 120 ;
}
else {
syslog "Broadcast frames in VLAN $VlanName falls bellow rate." WARN ;
}
}
Number of clients bound to policy: 1
Client: acl bound once

* B3U36.14 #

B3U36.14 # show log
No log messages were displayed.
* B3U36.15 #

B3U36.15 # show access-list counter
Policy Name Vlan Name Port Direction
Counter Name Packet Count Byte Count
==================================================================
test Default * ingress
bcast-pkt 0

* B3U36.16 #

Did you apply the policy on a port or on a VLAN?
Did you see the ACL counters keep increasing?
If there are only a few ports in the VLAN, try applying the policy per port to narrow down the issue.
Userlevel 3
Thank you. This is really weird.

Did you apply the policy on a port or on a VLAN?

I applied this policy on some VLANs.


Did you see the ACL counters keep increasing?

No, the ACL counters don't increase.

If there are only a few ports in the VLAN, try applying the policy per port to narrow down the issue.

OK. I'll try to apply this policy on ports and add a vlan-id matching condition.
Userlevel 4
* B3U36.6 # show access-list
Vlan Name Port Policy Name Dir Rules Dyn Rules
===================================================================
Default * test ingress 1 0

* B3U36.7 #

I have applied the policy on a VLAN too.
Userlevel 3
It seems I was a bit obvious. I haven't seen any log messages either when all ports are disabled. Maybe I didn't quite understand the Concepts Guide, because...

I have a simple config. VLAN 21 is added untagged to port 1:1 and tagged to port 1:25. Port 1:25 is active.

I have the same policy file, but I've deleted the "hysteresis 100" statement.

show policy "block-in-abonvlan"
Policies at Policy Server:
Policy: block-in-abonvlan
entry BCAST-PKT {
if match all {
ethernet-destination-address ff:ff:ff:ff:ff:ff ;
}
then {
count bcast-pkt ;
}
}
entry BCAST_flood {
if match all {
delta bcast-pkt > 1000 ;
period 1 ;
}
then {
syslog "Too many broadcast frames in VLAN $VlanName... Rule $ruleName exceeds limit $ruleThreshold" WARN 120 ;
}
else {
syslog "Broadcast frames in VLAN $VlanName falls bellow rate." WARN ;
}
}
Number of clients bound to policy: 1
Client: acl bound once

show access-list
Vlan Name Port Policy Name Dir Rules Dyn Rules
===================================================================
v21 * block-in-abonvlan ingress 1 0

show ports 1:25 vlan statistics no-refresh
Port Vlan Rx Frames Rx Byte Tx Frame Tx Byte
Count Count Count Count
================================================================================
xCore v21 112 14289 0 0
================================================================================

05/24/2014 12:17:29.79 Slot-1: Too many broadcast frames in VLAN v21... Rule BCAST_flood exceeds limit 1000.000000
05/24/2014 12:17:30.81 Slot-1: Broadcast frames in VLAN v21 falls bellow rate.

show ports 1:25 vlan statistics no-refresh
Port Vlan Rx Frames Rx Byte Tx Frame Tx Byte
Count Count Count Count
================================================================================
xCore v21 200 25287 0 0
================================================================================

show access-list counter
Policy Name Vlan Name Port Direction
Counter Name Packet Count Byte Count
==================================================================
block-in-abonvlan v21 * ingress
bcast-pkt 1096

05/24/2014 12:32:59.66 Slot-1: Too many broadcast frames in VLAN v21... Rule BCAST_flood exceeds limit 1000.000000
05/24/2014 12:33:00.69 Slot-1: Broadcast frames in VLAN v21 falls bellow rate.

show access-list counter
Policy Name Vlan Name Port Direction
Counter Name Packet Count Byte Count
==================================================================
block-in-abonvlan v21 * ingress
bcast-pkt 1150

If I have not misunderstood the Concepts Guide, my policy should trigger when the broadcast frames in VLAN 21 increase by 1000 per second. Is that right?

I'm sorry about my English. It's not my native language. I always make a lot of mistakes, actually.
Userlevel 3
I've changed policy again

entry BCAST-PKT {
if match all {
ethernet-destination-address ff:ff:ff:ff:ff:ff ;
}
then {
count bcast-pkt ;
}
}
entry BCAST_flood {
if match all {
delta bcast-pkt > 20 ;
period 10 ;
}
then {
syslog "$RuleValue Too many broadcast frames in VLAN $VlanName... Rule $ruleName exceeds limit $ruleThreshold" WARN 30 ;
}
else {
syslog "Broadcast frames in VLAN $VlanName falls bellow rate." WARN ;
}
}

And it seems that the rule works correctly. Can I set a value of 1 second for the period?
Userlevel 4
It depends on how much traffic you are expecting.
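The simulator below is an added example for this thread; it is not EXOS code and not anything the participants posted. It models the delta/period/hysteresis behaviour the Concepts Guide is read as promising in the question above ("increase by 1000 per second"): every `period` seconds the rule compares the change in the counter since the previous evaluation with the threshold, the `then` branch runs once when the rule trips and the `else` branch once when it un-trips. It also runs the later `delta bcast-pkt > 20 ; period 10` variant. Two things are assumptions: the hysteresis semantics (the rule un-trips only once the delta falls below threshold minus hysteresis), and the counter readings, which are constructed, not captured from the switch.

```python
"""Simulator for a CLEAR-Flow style `delta` rule with `period` and `hysteresis`.

Added example, not EXOS code. Hysteresis semantics are an assumption:
the rule un-trips only when the delta falls below threshold - hysteresis.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class DeltaRule:
    """`delta <counter> > threshold ; period <period> ; hysteresis <hysteresis> ;`"""
    name: str
    threshold: float
    period: int = 1            # seconds between two evaluations
    hysteresis: float = 0.0    # assumed: un-trip below threshold - hysteresis
    triggered: bool = field(default=False, init=False)
    last_value: Optional[float] = field(default=None, init=False)

    def evaluate(self, counter_value: float) -> Optional[str]:
        """Feed the counter reading taken `period` seconds after the previous one.
        Returns "then" or "else" on a state transition, otherwise None."""
        if self.last_value is None:            # first reading: nothing to diff yet
            self.last_value = counter_value
            return None
        delta = counter_value - self.last_value
        self.last_value = counter_value
        if not self.triggered and delta > self.threshold:
            self.triggered = True              # then-branch fires once, on the trip
            return "then"
        if self.triggered and delta < self.threshold - self.hysteresis:
            self.triggered = False             # else-branch fires once, on the un-trip
            return "else"
        return None


def simulate(samples: List[int], threshold: float, period: int = 1,
             hysteresis: float = 0.0, vlan: str = "v21") -> List[Tuple[int, str, int]]:
    """Run one rule over counter readings spaced `period` seconds apart.

    Returns (seconds_elapsed, branch, delta) for every transition and prints
    a line shaped like the two syslog messages the thread's policy emits."""
    rule = DeltaRule("BCAST_flood", threshold, period, hysteresis)
    events = []
    prev = None
    for i, value in enumerate(samples):
        branch = rule.evaluate(value)
        if branch:
            delta = value - prev
            events.append((i * period, branch, delta))
            msg = (f"Too many broadcast frames in VLAN {vlan}... Rule {rule.name} "
                   f"exceeds limit {threshold:.6f}" if branch == "then"
                   else f"Broadcast frames in VLAN {vlan} falls below rate.")
            print(f"t={i * period:4d}s delta={delta:5d}  {msg}")
        prev = value
    return events


# Constructed per-second bcast-pkt readings: a short broadcast storm.
STORM = [0, 50, 1500, 2700, 3600, 3700, 3750]
# Constructed readings: steady 6 pps background broadcast. The counter passes
# 1000 cumulatively (as the thread's 1096 -> 1150 readings did) but the
# per-second delta never does, so a correct delta rule must stay silent.
BACKGROUND = list(range(0, 1200, 6))


def storm_with_hysteresis():
    return simulate(STORM, threshold=1000, period=1, hysteresis=100)


def storm_without_hysteresis():
    return simulate(STORM, threshold=1000, period=1, hysteresis=0)


def background_per_second():
    return simulate(BACKGROUND, threshold=1000, period=1)


def background_per_ten_seconds():
    """The later policy: `delta bcast-pkt > 20 ; period 10 ;` sampled every 10 s."""
    return simulate(BACKGROUND[::10], threshold=20, period=10)


if __name__ == "__main__":
    for fn in (storm_with_hysteresis, storm_without_hysteresis,
               background_per_second, background_per_ten_seconds):
        print(f"--- {fn.__name__}: {fn()}")
```

Run it with `python3`. The storm trips at the 1450-frame second and, with `hysteresis 100`, stays tripped through the 900-frame second (900 is not below 1000 - 100); without hysteresis it un-trips there instead. The background series crosses 1000 cumulatively without ever producing a 1000-per-second delta, which is the silence the question above expects from the VLAN 21 counters. Note that `delta > 20` over `period 10` is a 2 pps threshold, so the same 6 pps background trips it at the first evaluation and never un-trips: choose period and threshold together, as the reply says, from the traffic you expect.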
Userlevel 3
Hello everybody.

TAC has opened a "CR" about my problem. I have an ID of this CR. Unfortunately, it's still open.
Userlevel 7
eyeV wrote:

Hello everybody.

TAC has opened a "CR" about my problem. I have an ID of this CR. Unfortunately, it's still open.

What's the CR number? I'll look it up for you.
Userlevel 3
It would be great. The CR number is xos0057835.
Userlevel 7
Right now that CR shows that it is assigned to an engineer to be fixed, but hasn't been built into a release version of EXOS yet.
Userlevel 3
Thanks for making it clear, Drew.
Userlevel 4
It might be fixed in the monthly release.
Userlevel 3
Hope so. Thank you Parthiban.
