More alert on dos-protect notifies

EtherNation_Use
Contributor II
Create Date: May 20 2013 1:08PM

Is there a way to enable more logging for things that trigger the notify-threshold for dos-protect? If something hits the alarm threshold, the ACL that gets created is logged, showing what the switch is being bombarded with; is there a way to log what is triggering the notify? (from Ansley_Barnes)
9 REPLIES

EtherNation_Use
Contributor II
Create Date: May 23 2013 6:40PM

The problem I have is that those messages only get descriptive when the ACL is generated - the "alert" level. The "notify" level just says "hey, I see a lot of traffic here" but doesn't say what. It would be really helpful to show what was happening before the ACL is generated. There's a section of my network with a lot of dynamic factors, so just taking its temperature with dos-protect simulated doesn't give me a good idea of where to set my limits. Besides that, if there's a section that's generating alarms, but with legitimate traffic, I'd like to be able to see that and take appropriate restructuring action so that the legitimate traffic isn't hitting the switches' CPUs. (from Ansley_Barnes)

EtherNation_Use
Contributor II
Create Date: May 23 2013 6:57AM

I see something like that (dos-protect simulated):

May 23 08:51:13 sw-2 DOSProt: Removed ACL from port 26, srcIP 192.168.44.5 to destIP 192.168.44.58, protocol tcp
May 23 08:51:13 sw-2 ACL from port 26, srcIP 192.168.44.5 to destIP 192.168.44.58, protocol tcp
May 23 08:48:07 sw-2 DOSProt: Added an ACL to port 5, srcIP 192.168.44.5 to destIP 192.168.44.4, protocol icmp
May 23 08:48:07 sw-2 an ACL to port 5, srcIP 192.168.44.5 to destIP 192.168.44.4, protocol icmp
May 23 08:48:19 sw-2 DOSProt: Notify-threshold for L3 Protect packet count of 20 reached

--
Jarek (from Jaroslaw_Kasjaniuk)
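The log lines quoted above show the two very different levels of detail dos-protect gives: an ACL add/remove line names the port, source, destination and protocol, while a notify-threshold line names only the switch and the packet count. An operator who collects these messages on a syslog server can still get some use out of the bare notify events by correlating them with whatever ACL the same switch installs shortly afterwards, and by flagging the notifies that never escalate (the case the original poster is asking about). The Python below is an added example written for this thread; it is not Extreme Networks code and not something posted by anyone in the thread. It assumes the message formats are exactly as quoted above, that the syslog timestamp carries no year (so only ordering and differences within one capture matter), and that a two-minute escalation window is a reasonable pairing interval; the sample log is constructed for the example, with made-up hosts, addresses and timing.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample in the format quoted in the thread (DOSProt messages from an
# EXOS switch). Hosts, addresses and timestamps are made up for this example, and
# one unrelated line is included to show that it is ignored rather than guessed at.
SAMPLE_LOG = """\
May 23 08:48:07 sw-2 DOSProt: Added an ACL to port 5, srcIP 192.168.44.5 to destIP 192.168.44.4, protocol icmp
May 23 08:48:19 sw-2 DOSProt: Notify-threshold for L3 Protect packet count of 20 reached
May 23 08:49:02 sw-2 DOSProt: Notify-threshold for L3 Protect packet count of 20 reached
May 23 08:50:13 sw-2 DOSProt: Added an ACL to port 26, srcIP 192.168.44.5 to destIP 192.168.44.58, protocol tcp
May 23 08:51:13 sw-2 DOSProt: Removed ACL from port 26, srcIP 192.168.44.5 to destIP 192.168.44.58, protocol tcp
May 23 08:51:40 sw-3 DOSProt: Notify-threshold for L3 Protect packet count of 20 reached
May 23 08:52:00 sw-3 kernel: unrelated line that the parser must ignore
"""

HEADER = r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) DOSProt: "
ACL_RE = re.compile(
    HEADER
    + r"(?P<action>Added an ACL to|Removed ACL from) port (?P<port>\d+), "
    r"srcIP (?P<src>[\d.]+) to destIP (?P<dst>[\d.]+), protocol (?P<proto>\w+)$"
)
NOTIFY_RE = re.compile(
    HEADER + r"Notify-threshold for (?P<kind>.+?) packet count of (?P<count>\d+) reached$"
)


def _ts(text):
    # Syslog timestamps carry no year (assumption: one capture, one year); strptime
    # defaults to 1900, which is fine for ordering and for differences.
    return datetime.strptime(re.sub(r" +", " ", text), "%b %d %H:%M:%S")


def parse_dosprot(log_text):
    """Turn raw syslog text into a time-ordered list of DOSProt event dicts."""
    events = []
    for line in log_text.splitlines():
        m = ACL_RE.match(line)
        if m:
            events.append({
                "ts": _ts(m["ts"]), "host": m["host"],
                "kind": "acl_add" if m["action"].startswith("Added") else "acl_del",
                "port": int(m["port"]), "src": m["src"], "dst": m["dst"], "proto": m["proto"],
            })
            continue
        m = NOTIFY_RE.match(line)
        if m:
            events.append({"ts": _ts(m["ts"]), "host": m["host"], "kind": "notify",
                           "protect": m["kind"], "count": int(m["count"])})
        # Any other line (other daemons, truncated duplicates) is skipped.
    return sorted(events, key=lambda e: e["ts"])


def summarize(events, escalation_window=timedelta(minutes=2)):
    """Correlate notify-threshold events with the ACLs dos-protect later installs."""
    notify_per_host = Counter(e["host"] for e in events if e["kind"] == "notify")

    # Pair each 'Added' with the matching 'Removed' on the same host/port/flow tuple,
    # so the report shows what the switch was being hit with and for how long.
    open_acls, acl_flows = {}, []
    for e in events:
        key = (e["host"], e.get("port"), e.get("src"), e.get("dst"), e.get("proto"))
        if e["kind"] == "acl_add":
            open_acls[key] = e["ts"]
        elif e["kind"] == "acl_del":
            added = open_acls.pop(key, None)
            acl_flows.append({
                "host": e["host"], "port": e["port"], "src": e["src"], "dst": e["dst"],
                "proto": e["proto"],
                "duration_s": (e["ts"] - added).total_seconds() if added else None,
            })
    for key, added in open_acls.items():  # ACLs still installed at end of capture
        acl_flows.append({"host": key[0], "port": key[1], "src": key[2], "dst": key[3],
                          "proto": key[4], "duration_s": None})

    # A notify that no ACL follows on the same switch is exactly the blind spot the
    # thread describes: the switch saw a burst but never logged which flow it was.
    acl_adds = [e for e in events if e["kind"] == "acl_add"]
    unescalated = [
        e for e in events if e["kind"] == "notify"
        and not any(a["host"] == e["host"] and e["ts"] <= a["ts"] <= e["ts"] + escalation_window
                    for a in acl_adds)
    ]
    return {"notify_per_host": notify_per_host, "acl_flows": acl_flows,
            "unescalated_notifies": unescalated}


if __name__ == "__main__":
    report = summarize(parse_dosprot(SAMPLE_LOG))
    for host, n in report["notify_per_host"].items():
        print(f"{host}: {n} notify-threshold event(s)")
    for f in report["acl_flows"]:
        print(f"{f['host']} port {f['port']}: {f['src']} -> {f['dst']} {f['proto']} "
              f"(ACL held {f['duration_s']} s)")
    for e in report["unescalated_notifies"]:
        print(f"{e['host']} {e['ts']:%H:%M:%S}: notify with no ACL in window, flow unknown")
```

On the constructed sample the report attributes both sw-2 notifies to the port 26 TCP flow that was blocked a minute later, shows that ACL was held for 60 seconds, and singles out the sw-3 notify as one that never escalated, which is the segment where the switch itself cannot tell you what it saw and a separate packet-level view is needed.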

EtherNation_Use
Contributor II
Create Date: May 22 2013 3:48PM

I added those, but it doesn't seem to increase the amount of info logged when the notify trigger is reached. Anyone else have tips? (from Ansley_Barnes)

EtherNation_Use
Contributor II
Create Date: May 21 2013 4:49PM

Awesome, I'll try this - thanks! (from Ansley_Barnes)

EtherNation_Use
Contributor II
Create Date: May 21 2013 10:50AM

Hi,

You can log:
configure log filter "DefaultFilter" add events DOSProt?

"DOSProt.AddACLOK"
"DOSProt.CreateACLFail"
"DOSProt.DebugData"
"DOSProt.DebugSummary"
"DOSProt.DebugVerbose"
"DOSProt.DelACLOK"
"DOSProt.DuplACLDtect"
"DOSProt.Init"
"DOSProt.InitIPMLFail"
"DOSProt.PktCntExcd"
"DOSProt.PtrnNotFnd"
"DOSProt.ReadBktSizeInv"
"DOSProt.RecvNotifyInv"
"DOSProt.SetDOSDevFail"
"DOSProt.StartLibFail"
"DOSProt.UnExpDevErr"

--
Jarek
(from Jaroslaw_Kasjaniuk)