How to display ACL counters attached to snmp?

Jim_Keeffe
New Contributor
I have created an ACL called acl167.pol that has a few IP addresses permitted to access the switch via snmp readonly. Here is the ACL:

entry e1 {
    if {
        source-address 1xx.72.68.38/32;
    } then {
        permit;
        count e1;
    }
}
entry e2 {
    if {
        source-address 1xx.72.200.158/32;
    } then {
        permit;
        count e2;
    }
}
entry e3 {
    if {
        source-address 1xx.72.200.194/32;
    } then {
        permit;
        count e3;
    }
}
entry e4 {
    if {
        source-address 1xx.72.43.0 mask 255.255.255.128;
    } then {
        permit;
        count e4;
    }
}
entry denyall {
    if {
    } then {
        deny;
        count denyall;
    }
}

I apply it to snmp here:

configure snmp access-profile acl167 readonly

Now, I'd like to see if the counters are incrementing but I can't figure out how to do that. Here are a couple more commands to show:

Eng_lab_8810A.39 # ls
-rw-rw-rw- 1 root 0    398 Feb 24 13:45 acl167.pol
-rw-rw-rw- 1 root 0 370165 Feb 24 13:32 primary.cfg
drwxrwxrwx 2 root 0      0 Feb 13 18:27 vmt
-rw-rw-rw- 1 root 0   6605 Feb 19 08:40 voice_subnet_restriction.pol

The other ACL is attached to a vlan and it is the only one that shows up when I do a:

Eng_lab_8810A.42 # sh access-list counter
Policy Name               Vlan Name  Port  Direction  Counter Name  Packet Count  Byte Count
==================================================================
voice_subnet_restriction  voice990   *     ingress    denyallcntr   188456
Eng_lab_8810A.43 #

Any idea how I can show the counters for acl167.pol?

Ron_Huygens
Community Manager
Hi Jim,

It looks like this is not working for access-profile based on policy files.

I used two dynamic ACL rules and then it worked:

create access-list pc-1 " source-address 10.10.2.102/32 ;" " permit ;" application "Cli"
create access-list Deny-all " source-address 0.0.0.0/0 ;" " deny ;" application "Cli"

configure snmp access-profile add "pc-1" first
configure snmp access-profile add "Deny-all" after "pc-1"

* X460-48p.3 # sh access-list counter process snmp
================================================================================
Access-list                     Permit Packets      Deny Packets
================================================================================
pc-1                            20                  0
Deny-all                        0                   1264
================================================================================
Total Rules : 2

With a similar policy file it does not show the rules. I think that this is a wrong behavior.

To have a proper follow up and a possible fix for the policy files, I suggest that you open a TAC case so we can follow the escalation process towards development.

Thanks,

Ron

Thanks Ron - I built the ACL as you suggested and it works also. I'll go ahead and open up a TAC case on this. It's much easier to create a policy than a dynamic ACL. One last question about this. When I was trying the policy, I attached it to snmp with "configure snmp access-profile acl167 readonly", meaning (I think) that the readonly string is required. How do I require the readonly string with a dynamic ACL? Is there any other keyword after each line?

Jim_Keeffe
New Contributor
Hi Ron - Thanks for the response. I went ahead and did as you suggested, but was unable to get any results. I have the ACL applied to the snmp process, but the output of 'show access-list counter process snmpMaster' returns no ACLs. Here are some show commands showing snmp is enabled and the ACL is applied, but in the end it shows as not applied:

configure snmp access-profile acl167 readonly

------------------------------------------
Eng_lab_8810A.8 # sh snmp vr "VR-Default"
SNMP access              : Enabled
SNMP ifMib ifAlias size  : Default
SNMP Traps               : Enabled
SNMP TrapReceivers       : None
SNMP stats:  InPkts 72  OutPkts 0  Errors 0  AuthErrors 72
             Gets 0     GetNexts 0 Sets 0    Drops 0
SNMP traps:  Sent 0     AuthTraps Enabled
-----------------------------------------
Eng_lab_8810A.2 # sh access-list counter process snmp
================================================================================
Access-list                     Permit Packets      Deny Packets
================================================================================
================================================================================
Total Rules : 0
----------------------------------------

Any other ideas?

Jim

Ron_Huygens
Community Manager
Hi Jim,

To see the counters from an access-profile you need to get the counters for that specific process. The normal counters do apply to the port or vlan statistics.

To display the snmp process counter statistics, use the "show access-list counters process snmp" command.

The permit or deny counters are updated accordingly, regardless of whether the rule is configured to add counters.

Thanks,

Ron
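
The two things the thread settles on, building the SNMP access-profile out of per-host dynamic ACLs in the order Ron showed (permit rules first, an explicit deny-all last) and then reading "show access-list counter process snmp" to confirm the rules are actually installed and matching, lend themselves to a small helper. The script below is an added example written for this page; it is not code from the thread or from Extreme Networks. It assumes that EXOS accepts prefix-length notation for a non-/32 network in a dynamic ACL the same way it accepts /32 and /0 in Ron's commands, and it uses RFC 5737 documentation addresses and a constructed counter table in place of the poster's real allowlist and switch output. The audit step reports the condition Jim hit (no rules on the snmp process at all), blocked attempts against the deny rule, and permit rules that never match, which is usually a stale allowlist entry worth removing.

```python
"""Build EXOS dynamic-ACL commands for an SNMP access-profile and audit the
per-process counters afterwards.  Added example, not from the original thread."""
import ipaddress
import re

# Constructed allowlist modelled on acl167.pol; addresses are RFC 5737
# documentation ranges, not the poster's real ones.
ALLOWLIST = [
    ("e1", "192.0.2.38/32"),
    ("e2", "198.51.100.158/32"),
    ("e3", "198.51.100.194/32"),
    ("e4", "203.0.113.0/25"),  # same scope as the 255.255.255.128 mask in e4
]
DENY_NAME = "Deny-all"

# Constructed output in the shape of "show access-list counter process snmp".
SAMPLE_OUTPUT = """\
================================================================================
Access-list                     Permit Packets      Deny Packets
================================================================================
e1                              20                  0
e2                              0                   0
e3                              7                   0
e4                              0                   0
Deny-all                        0                   1264
================================================================================
Total Rules : 5
"""

COUNTER_LINE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s*$")


def build_snmp_acl_commands(allowlist, deny_name=DENY_NAME):
    """Return the CLI lines that reproduce Ron's working setup for a longer list.

    One dynamic ACL per permitted network (application "Cli", as in Ron's
    commands), chained onto the snmp access-profile in order, with an explicit
    deny-all appended last so nothing falls through.  Assumption: prefix-length
    notation is accepted for non-/32 networks as it is for /32 and /0.
    """
    cmds, names = [], []
    for name, cidr in allowlist:
        if not re.fullmatch(r"[A-Za-z0-9_-]+", name):
            raise ValueError(f"bad ACL name: {name!r}")
        net = ipaddress.ip_network(cidr)  # strict: host bits set -> ValueError
        cmds.append(f'create access-list {name} " source-address {net} ;"'
                    f' " permit ;" application "Cli"')
        names.append(name)
    cmds.append(f'create access-list {deny_name} " source-address 0.0.0.0/0 ;"'
                f' " deny ;" application "Cli"')
    names.append(deny_name)
    for i, name in enumerate(names):
        if i == 0:
            cmds.append(f'configure snmp access-profile add "{name}" first')
        else:
            cmds.append(f'configure snmp access-profile add "{name}" after "{names[i - 1]}"')
    return cmds


def parse_process_counters(text):
    """Parse the per-process counter table into {rule: (permit_pkts, deny_pkts)}.

    Ruler, header and "Total Rules" lines never match the three-column pattern
    and are skipped, so an empty table (Jim's case) yields an empty dict.
    """
    counters = {}
    for line in text.splitlines():
        m = COUNTER_LINE.match(line.strip())
        if m:
            counters[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return counters


def audit_snmp_acl(counters, allowlist, deny_name=DENY_NAME):
    """Return findings worth acting on, in a fixed order.

    1. rules missing from the snmp process (profile not applied at all),
    2. packets blocked by the deny rule (someone outside the allowlist tried),
    3. permit rules that have matched nothing (possibly stale entries).
    """
    findings = []
    expected = [n for n, _ in allowlist] + [deny_name]
    missing = [n for n in expected if n not in counters]
    if missing:
        findings.append(f"rules not installed on the snmp process: {', '.join(missing)}")
    if deny_name in counters and counters[deny_name][1]:
        findings.append(f"{counters[deny_name][1]} SNMP packets blocked by {deny_name}")
    for name, cidr in allowlist:
        if counters.get(name) == (0, 0):
            findings.append(f"permit rule {name} ({cidr}) has matched nothing; stale entry?")
    return findings


if __name__ == "__main__":
    print("\n".join(build_snmp_acl_commands(ALLOWLIST)))
    print()
    for finding in audit_snmp_acl(parse_process_counters(SAMPLE_OUTPUT), ALLOWLIST):
        print("-", finding)
```

Paste the generated lines into the switch in the order printed; the deny rule is created before any "configure snmp access-profile add" so the profile is never left open between commands. Run the audit against the real "show access-list counter process snmp" output after a known-good poll from each allowed host, so that a permit rule reported as matching nothing really is unused rather than just untested.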