meter doesn't work for me


Hi,

On summmit X670-48x with 15.5.4.2 v1554b2-patch1-5 I have problem with meter, i try to limit icmp traffic but looks that ingress shaper doesn't work.
i see packets on counter icmp but i don't see any dropped packets. After the switch, on router, i also see all packets, nothing was dropped..


test:
ping 192.168.65.23 -i 0.0001 -c 100000

Here is my config

entry 1 {
if {
protocol icmp;
destination-address 192.168.65.23/32 ;
} then {
# deny ;
# permit ;
count icmp;
meter meter_10_K;
}
}

configure access-list icmp_drop ports 25 ingress

create meter meter_10_K
configure meter meter_10_K committed-rate 10 Kbps out-actions drop
create meter meter_100_K
configure meter meter_100_K committed-rate 100 Kbps out-actions drop

Summit1.27 # show access-list counter ports 25 ingressPolicy Name Vlan Name Port Direction
Counter Name Packet Count Byte Count
==================================================================
icmp_drop * 25 ingress
icmp 18981

Summit1.26 # show access-list meter ports 25 ingressPolicy Name Vlan Name Port
Committed Max Burst Out-of-Profile Out-of-Profile
Meter Rate (Kbps) Size (K) Action DSCP Packet Count
===============================================================================
icmp_drop * 25
meter_10_K 10 Max Drop 0

Thanks for any help or advice

9 replies

After editing the acl did you refresh the policy?
Userlevel 7
Hello Pedro,

ping is a bit problematic if you are trying to create network load, because ping waits for responses before sending a new packet. The -i option adjusts the wait time after receiving an ICMP Echo Reply resp. after the timeout for a reply expires. You can try a flood ping (ping -f) to send more packets.

Because ping adapts to the network conditions (RTT), it is quite hard to generate a specific traffic rate in the presence of packet loss. Thus ping is a bad tool to measure rate limiters, which induce packet loss (or delayed packets in the case of shaping).

You should consider using iperf in UDP mode to test specific traffic rates.

Br,
Erik
Userlevel 6
Hi Pedro, for ICMP traffic I would recommend you to test with some application that sends traffic flows continuously (e.g. 1M/sec ICMP flow).

As already mentioned by Erik, -i option might be tricky as well as burst traffic.
Hi,

thanks for anserwers. I had to reduce burts size and i test with udp packet by hping. Looks better, drop counter counting..

There is some oid via snmp for Out-of-Profile dropped packtes/bits ? Can't find

greets,
Pedro
Userlevel 6
Hi Pedro, you can add the "trap" option in the meter CLI to generate an SNMP trap if traffic exceeds the configured rate.
Hi,
How you can get trap parameter ? Maybe in 16.x xos ? For now i have only 15.5.4.2

i try
Summit1.27 # configure meter meter_1_M committed-rate 1000 Kbps max-burst-size 2 Kb out-actions drop trap

^%% Invalid input detected at '^' marker.

In acl i also can't use snmtrap

entry 1 {if {
protocol udp;
destination-address 192.168.65.23/32 ;
} then {
# deny ;
# permit ;
count icmp_udp;
meter meter_10_K;
snmptrap 123 "Traffic icmp_drop entry 1 exceeds threshold";
}
}

Line 11 : Statements from Access Control List applicaton line 10 cannot be mixed with statements from Clear Flow application.
Userlevel 6
Hi Pedro, you are correct.

I forgot to mention that the trap option was introduced in EXOS 16.1, sorry about that.
now i have xos 16.1.3.6 patch1-8 on some test summit670 and some problem with this snmptrap. I have tried to set trap action in acl in global meter configuration but without success

# configure meter meter_1_K committed-rate 10 Pps max-burst-size 1 packets out-actions drop trap
Software actions (log, trap, disable port) are not supported for global meters

8 # configure meter meter_1_K committed-rate 10 Pps max-burst-size 1 packets out-actions drop trap log ports "group_port_11"
Software actions (log, trap, disable port) are not supported for global meters

i tried using acl but also failed.

entry 1 {
if match all {
protocol udp ;
# destination-address 192.168.65.23/32 ;
}
then {
count icmp_udp ;
meter meter_1_K ;
log ;
trap ;
}
}

# refresh policy "icmp_drop"
Error: Was not able to refresh policy icmp_drop Line 11 : "trap" is not a valid attribute

I can set snmp trap only broadcast flood on ingress port

# show configuration | include trap
configure port "group_port_11" rate-limit flood broadcast 100 out-actions log trap

Can i use snmptrap with meter ? How i can set "no global" action ? I'm doing something wrong or it's just a bug ?

thanks for help
It's not a bug. there are 2 kinds of meters: defined by user and 15 predefined in system.
Traps, logs and port disable work only with predefined meter.

# show configuration | include meterconfigure meter ingmeter0 committed-rate 10 Pps max-burst-size 1 packets out-actions drop log trap ports 11

entry 1 {
if match all {
protocol udp ;

}
then {
count icmp_udp ;
meter ingmeter0 ;
log ;

}
}

Reply