This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

meter almost works for me. No counters via cli, via snmp, no snmp traps

meter almost works for me. No counters via cli, via snmp, no snmp traps

Pedro2
New Contributor

‎08-02-2016 03:08 PM

Hi

I have xos 16.1.3.6-patch1-8 on my summit670. Try to use meter as an ingress shaper to limit udp and icmp flood. Shaping seems to work but problem is with notification. As far as i tested, only syslog message works. Counters via cli still show 0, i can't find counters OID via snmp. There is no trap sended to my zabbix. Counter in ACL works, is accessible via snmp but only amount of packets. There is some better version of xos without this bug ?

thanks for help
Pedro

entry 1 {
if match all {
protocol udp ;
destination-address 192.168.192.1/32 ;
}
then {
count icmp_udp ;
meter ingmeter0 ;
permit;
}
}

# show configuration | include meter

configure meter ingmeter0 committed-rate 100 Pps max-burst-size 10 packets out-actions drop log trap ports "group_port_11"

# show access-list meter ports 11 ingress

=================================================================================
Policy Name Vlan Name Port
Committed Max Burst Out-of-Profile Out-of-Profile
Meter Rate Size Action DSCP Packet Count
=================================================================================
icmp_drop * 11
ingmeter0 100 pps 10 pkt L T - Dr - 0

# show access-list counter ports 11 ingress

Policy Name Vlan Name Port Direction
Counter Name Packet Count Byte Count
==================================================================
icmp_drop * 11 ingress
icmp_udp 170584530

syslog:
Ingress Traffic on port 11 exceeded the configured rate of meter ingmeter0 resulting in change of out-of-profile status to true.
0 Kudos
8 REPLIES 8

Henrique
Extreme Employee

‎08-12-2016 06:08 PM

Hi Pedro, please see below a quick description for my lab results:

Server sending icmp -f (2.2.2.2) === port 3 === SW === port 1 === PC receiving the icmp (2.2.2.1)

X670V-48X using 16.1.3.6-patch1-3

Switch configuration:

conf meter "ingmeter10" committed-rate 10 k max-burst-size 10 Kb out-actions drop log trap ports 3

Policy: icmpdrop
entry R1 {
if {
protocol icmp ;
destination-address 2.2.2.1/32 ;
}
then {
count icmp_udp ;
meter ingmeter10 ;
}
}

conf access-list icmpdrop ports 3 ingress

Results

ACL Counter:

Policy Name Vlan Name Port Direction Counter Name Packet Count Byte Count
==================================================================
icmpdrop * 3 ingress
icmp_udp 572


Meter Status:

SW.62 # show meter "ingmeter10" out-of-profile ports 3

Name Status Disabled Rate-Limit Counter Port
====================================================================
ingmeter10 Out of profile No 0 3


SNMP Trap:

SW.63 # show management

SNMP traps: Sent 1


Switch Log

SW.64 # sh log

08/12/2016 16:36:38.16 Ingress Traffic on port 3 exceeded the configured rate of meter ingmeter10 resulting in change of out-of-profile status to true.

I could see the log and trap being sent when using internal meter (ingmeterX).

Hope it helps.
0 Kudos

Henrique
Extreme Employee
In response to Henrique

‎08-12-2016 06:08 PM

Hi Pedro,

This is the trap received by Extreme Management Center (Netsight) in my test:

649de956b02449c3a46d25c563d95fe0_RackMultipart20160812-99799-6156u8-MeterTrapMgmtCenter_inline.png



0 Kudos

Pedro2
New Contributor

‎08-08-2016 05:25 PM

Hi,

There are 2 kinds of meters: defined by user and 15 predefined in system.
Traps, logs and port disable work only with predefined meter like "ingmeter0"

When i'm using my counter ie. meter_10_K counter in cli works but traps, logs and port disable don't work

When i'm using predefined counter ie. ingmeter0 i can get syslog message and nothing more, i mean: no traps, no cli counters as mentioned above

For testing i'm using ping -f and hping3

My system: X670-48x, xos 16.1.3.6 patch1-8

# show policy "icmp_drop"Policies at Policy Server:
Policy: icmp_drop
entry 1 {
if match all {
protocol udp ;
destination-address 192.168.65.23/32 ;
}
then {
count icmp_udp ;
meter meter_10_K ;
}
}

0 Kudos

Henrique
Extreme Employee

‎08-05-2016 05:41 PM

Hi Pedro,

I was able to perform a quick test today and could see the Out-of-Profile packets incrementing as follows:

X670v-19-6A98.46 # show access-list meter "control" ports 3 ingress

Policy Name Vlan Name Port
Committed Max Burst Out-of-Profile Out-of-Profile
Meter Rate (Kbps) Size (K) Action DSCP Packet Count
=======================================================================
regra * 3
control 100 150 Drop 8214

I have tested sending a ping flood and created a meter with Committed Rate = 100K and Max Burst Size = 150K.

ACL used applied to ingress port:

entry R1 {
if match all {
source-address ;
protocol icmp ;
} then {
permit ;
meter control ;
count icmpcount ;
}
}

I tried with X670V using EXOS 15.7.3 release.

Please provide more details regarding your scenario and setup.

Thanks.
0 Kudos
GTM-P2G8KFN