
meter almost works for me. No counters via cli, via snmp, no snmp traps

  • 2 August 2016
  • 8 replies
  • 392 views

Hi

I have xos 16.1.3.6-patch1-8 on my summit670. I am trying to use a meter as an ingress shaper to limit UDP and ICMP floods. Shaping seems to work, but the problem is with notification. As far as I have tested, only the syslog message works. Counters via CLI still show 0, and I can't find the counter's OID via SNMP. No trap is sent to my Zabbix. The counter in the ACL works and is accessible via SNMP, but it gives only the number of packets. Is there a better version of xos without this bug?

thanks for help
Pedro

entry 1 {
    if match all {
        protocol udp ;
        destination-address 192.168.192.1/32 ;
    }
    then {
        count icmp_udp ;
        meter ingmeter0 ;
        permit ;
    }
}

# show configuration | include meter

configure meter ingmeter0 committed-rate 100 Pps max-burst-size 10 packets out-actions drop log trap ports "group_port_11"

# show access-list meter ports 11 ingress

=================================================================================
Policy Name Vlan Name Port
Committed Max Burst Out-of-Profile Out-of-Profile
Meter Rate Size Action DSCP Packet Count
=================================================================================
icmp_drop * 11
ingmeter0 100 pps 10 pkt L T - Dr - 0

# show access-list counter ports 11 ingress

Policy Name Vlan Name Port Direction
Counter Name Packet Count Byte Count
==================================================================
icmp_drop * 11 ingress
icmp_udp 170584530

syslog:
Ingress Traffic on port 11 exceeded the configured rate of meter ingmeter0 resulting in change of out-of-profile status to true.

8 replies

Userlevel 6
Hi Pedro, could you please check the command below and share if that works for you?

show meter {metername} out-of-profile {{disabled-ports} ports [portlist | port_group] | global-count}
Userlevel 7
Hello Pedro, This sounds very similar to the other question you're working on in this thread: meter doesn't work for me
If this issue is related, let's keep conversation there to make it easier for others to assist.
Hi

I also checked Henrique's advice; the counter doesn't work in CLI. I don't know the OID of this counter; maybe it works via SNMP.

# show meter "ingmeter0" out-of-profile global-count Global

Out-of-profile
Meter Packet Count
=================================== ===============
ingmeter0 0

The previous thread was about the meter not limiting (a small burst size helped); this thread is about the lack of notification. Maybe it should be merged.
Userlevel 6
Hi Pedro, I could not find any OID to get those values from snmp.

Regarding the counters I will perform some tests and update this thread.
Userlevel 6
Hi Pedro,

I was able to perform a quick test today and could see the Out-of-Profile packets incrementing as follows:

X670v-19-6A98.46 # show access-list meter "control" ports 3 ingress

Policy Name Vlan Name Port
Committed Max Burst Out-of-Profile Out-of-Profile
Meter Rate (Kbps) Size (K) Action DSCP Packet Count
=======================================================================
regra * 3
control 100 150 Drop 8214

I have tested sending a ping flood and created a meter with Committed Rate = 100K and Max Burst Size = 150K.

ACL used applied to ingress port:

entry R1 {
    if match all {
        source-address ;
        protocol icmp ;
    } then {
        permit ;
        meter control ;
        count icmpcount ;
    }
}

I tried with X670V using EXOS 15.7.3 release.

Please provide more details regarding your scenario and setup.

Thanks.
Hi,

There are 2 kinds of meters: those defined by the user and 15 predefined in the system.
Traps, logs and port disable work only with a predefined meter like "ingmeter0".

When I'm using my counter, i.e. meter_10_K, the counter in CLI works but traps, logs and port disable don't work.

When I'm using a predefined counter, i.e. ingmeter0, I can get the syslog message and nothing more, I mean: no traps, no CLI counters, as mentioned above.

For testing I'm using ping -f and hping3.

My system: X670-48x, xos 16.1.3.6 patch1-8

# show policy "icmp_drop"
Policies at Policy Server:
Policy: icmp_drop
entry 1 {
    if match all {
        protocol udp ;
        destination-address 192.168.65.23/32 ;
    }
    then {
        count icmp_udp ;
        meter meter_10_K ;
    }
}
Userlevel 6
Hi Pedro, please see below a quick description for my lab results:

Server sending icmp -f (2.2.2.2) === port 3 === SW === port 1 === PC receiving the icmp (2.2.2.1)

X670V-48X using 16.1.3.6-patch1-3

Switch configuration:

conf meter "ingmeter10" committed-rate 10 k max-burst-size 10 Kb out-actions drop log trap ports 3

Policy: icmpdrop
entry R1 {
    if {
        protocol icmp ;
        destination-address 2.2.2.1/32 ;
    }
    then {
        count icmp_udp ;
        meter ingmeter10 ;
    }
}

conf access-list icmpdrop ports 3 ingress

Results

ACL Counter:

Policy Name Vlan Name Port Direction
Counter Name Packet Count Byte Count
==================================================================
icmpdrop * 3 ingress
icmp_udp 572


Meter Status:

SW.62 # show meter "ingmeter10" out-of-profile ports 3

Name Status Disabled Rate-Limit Counter Port
====================================================================
ingmeter10 Out of profile No 0 3


SNMP Trap:

SW.63 # show management

SNMP traps: Sent 1


Switch Log

SW.64 # sh log

08/12/2016 16:36:38.16 Ingress Traffic on port 3 exceeded the configured rate of meter ingmeter10 resulting in change of out-of-profile status to true.

I could see the log and trap being sent when using internal meter (ingmeterX).

Hope it helps.
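
Since the syslog message is the one notification both posters saw from the predefined meters, a monitoring host can turn it into per-port alerts. The following is an added example, not code from the thread or from Extreme Networks; it matches only the message wording quoted above, and the sample lines and MM/DD/YYYY timestamp reading are assumptions.

```python
import re
from datetime import datetime

# Wording copied from the log line quoted in the thread; only the
# "status to true" form appears there, so only that form is matched.
EVENT_RE = re.compile(
    r"Ingress Traffic on port (?P<port>\S+) exceeded the configured rate "
    r"of meter (?P<meter>\S+) resulting in change of out-of-profile "
    r"status to true")
# Timestamp layout as printed by "sh log" in the thread (MM/DD/YYYY assumed).
TS_RE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{2})\s")
TEXT = ("Ingress Traffic on port {} exceeded the configured rate of meter {} "
        "resulting in change of out-of-profile status to true.")
# Constructed sample input; timestamps other than the first are made up.
SAMPLE = [
    "08/12/2016 16:36:38.16 " + TEXT.format("3", "ingmeter10"),
    "08/12/2016 16:40:02.51 " + TEXT.format("3", "ingmeter10"),
    TEXT.format("11", "ingmeter0"),            # no timestamp, as first quoted
    "08/12/2016 16:41:00.00 unrelated line",   # must be ignored
]

def parse_event(line):
    """Return (timestamp or None, port, meter) for a meter event, else None."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    ts = TS_RE.match(line)
    when = datetime.strptime(ts.group(1), "%m/%d/%Y %H:%M:%S.%f") if ts else None
    return when, m.group("port"), m.group("meter")

def summarize(lines):
    """Count events per (port, meter) and keep first/last timestamps."""
    summary = {}
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue
        when, port, meter = event
        entry = summary.setdefault(
            (port, meter), {"count": 0, "first": None, "last": None})
        entry["count"] += 1
        if when is not None:
            entry["first"] = min(entry["first"] or when, when)
            entry["last"] = max(entry["last"] or when, when)
    return summary

if __name__ == "__main__":
    for (port, meter), e in sorted(summarize(SAMPLE).items()):
        print(f"port={port} meter={meter} events={e['count']} last={e['last']}")
```
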
Hi Pedro,

This is the trap received by Extreme Management Center (Netsight) in my test:
