Notes from the CW meeting, feedback from the USA ...
* "show active policy rule" should also display matched VM-snooping rules
* "Count" is incremented for other rules
* "show qos log" contains no VM-snooping VXLAN rule matches (even though "log" is specified)
Admin-Status!!!!
VXLAN-GW-2-> interfaces 1/1/1 beacon ?
^
LED-MODE LED-COLOR ADMIN-STATUS
(Interface Command Set)
VXLAN-GW-2-> interfaces 1/1/1 beacon
Leaf-1->
Leaf-1-> show active ?
^
POLICY MULTICAST
(QoS Command Set)
Leaf-1->
Leaf-1->
Leaf-1-> show vm-snooping ?
^
VIRTUAL-MACHINES STATISTICS STATIC-POLICY PORT
LINKAGG FILTERING-RESOURCE DATABASE CONFIG
(Vm_Snooping Command Set)
Leaf-1-> show vm-snooping virtual-machines ?
^
(Vm_Snooping Command Set)
Leaf-1-> show vm-snooping virtual-machines
Port SRC MAC VLAN
------+-----------------+-----+
1/1/3 00:50:56:BE:68:95 -
Leaf-1-> show vm-snooping virtual-machines ?
^
(Vm_Snooping Command Set)
Leaf-1-> show vm-snooping st
static-policy statistics
Leaf-1-> show vm-snooping statistics
Total number of Hardware Statistics: 1
Policy Rule Policy List Number of pkts Number of Bytes
--------------------------------+--------------------------------+---------------------+---------------------+
RESTRICT_VNID_5000 Default 672 104832
Total number of Sampling Statistics: 1
VXLAN VXLAN VM VM Pkts
Port UDP PORT VNI SRC MAC SRC IP
-----+---------+------+------------------+---------------+---------+
1/1/3 8472 5000 00:50:56:BE:68:95 172.20.175.135 8
Leaf-1-> show vm-snooping statistics ?
^
SAMPLING HARDWARE
(Vm_Snooping Command Set)
Leaf-1-> show vm-snooping statistics hardware ?
^
(Vm_Snooping Command Set)
Leaf-1-> show vm-snooping statistics hardware
Total number of Hardware Statistics: 1
Policy Rule Policy List Number of pkts Number of Bytes
--------------------------------+--------------------------------+---------------------+---------------------+
RESTRICT_VNID_5000 Default 684 106704
Leaf-1-> show vm-snooping statistics hardwar
Leaf-1->
Leaf-1->
Leaf-1-> show ip interface
Total 14 interfaces
Flags (D=Directly-bound)
Name IP Address Subnet Mask Status Forward Device Flags
--------------------------------+---------------+---------------+------+-------+---------+------
EMP-CMMA-CHAS1 0.0.0.0 0.0.0.0 DOWN NO EMP
Loopback 127.0.0.1 255.255.255.255 UP NO Loopback
Mgmt-CompA 192.168.110.1 255.255.255.0 UP YES vlan 110
Mgmt-CompB 192.168.120.1 255.255.255.0 UP YES vlan 120
Mgmt-Mgmt 192.168.100.1 255.255.255.0 DOWN NO vlan 100
Trans-CompA 192.168.210.1 255.255.255.0 UP YES vlan 210
Trans-CompB 192.168.220.1 255.255.255.0 UP YES vlan 220
Trans-Mgmt 192.168.200.1 255.255.255.0 DOWN NO vlan 200
vMotion-CompA 10.10.110.1 255.255.255.0 UP YES vlan 1110
vMotion-CompB 10.10.120.1 255.255.255.0 UP YES vlan 1120
vMotion-Mgmt 10.10.100.1 255.255.255.0 DOWN NO vlan 1100
vlan1 10.1.1.1 255.255.255.0 UP YES vlan 1
vlan10 10.99.1.1 255.255.255.0 UP YES vlan 10
vlan20 10.99.2.1 255.255.255.0 UP YES vlan 20
Leaf-1->
Leaf-1-> ping 10.1.1.2
PING 10.1.1.2 (10.1.1.2) 56(84) bytes of data.
64 bytes from 10.1.1.2: icmp_seq=1 ttl=64 time=11.3 ms
64 bytes from 10.1.1.2: icmp_seq=2 ttl=64 time=0.640 ms
^C
--- 10.1.1.2 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.640/5.991/11.343/5.352 ms
Leaf-1->
Leaf-1-> policy condition test source ip
ip ip-port ipv6
Leaf-1-> policy condition test source ip 10.1.1.1 destination 10.1.1.2 ?
^
ERROR: Invalid entry: "10.1.1.2"
Leaf-1-> policy condition test source ip 10.1.1.1 destination ip 10.1.1.2 ?
^
802.1P APPFP-GROUP
DESTINATION
DPI-APPLICATION-GROUP
DPI-APPLICATION-NAME DSCP
ESTABLISHED ETHERTYPE
FLOW-LABEL FRAGMENTS FROM
ICMPCODE ICMPTYPE INNER
IP-PROTOCOL IPV6 MASK
MULTICAST NO SERVICE SIP
SOURCE TCPFLAGS TOS VRF
(QoS Command Set)
Leaf-1-> policy condition test source ip 10.1.1.1 destination ip 10.1.1.2
Leaf-1->
Leaf-1-> policy action accept disposition accept ?
^
802.1P CIR COLOR-ONLY CPU
DISPOSITION DSCP EGRESS FROM
INGRESS MAP MAXIMUM MIRROR NO
NO-CACHE PERMANENT
PORT-DISABLE PRIORITY REDIRECT
RTCP-DSCP RTCP-MONITORING
SHARED TOS TRUST-DSCP
(QoS Command Set)
Leaf-1-> policy action accept disposition accept dscp ?
^
(QoS Command Set)
Leaf-1-> policy action accept disposition accept dscp 46 ?
^
802.1P CIR COLOR-ONLY
CPU DISPOSITION DSCP EGRESS
FROM INGRESS MAP MAXIMUM
MIRROR NO NO-CACHE PERMANENT
PORT-DISABLE PRIORITY
REDIRECT RTCP-DSCP
RTCP-MONITORING SHARED TOS
TRUST-DSCP
(QoS Command Set)
Leaf-1-> policy action accept disposition accept dscp 46
Leaf-1->
Leaf-1-> policy rule test condition test action accept ?
^
ACTION CONDITION COUNT
DEFAULT-LIST DISABLE ENABLE
FROM LOG LOG-INTERVAL NO
PRECEDENCE SAVE TRAP
VALIDITY-PERIOD
(QoS Command Set)
Leaf-1-> policy rule test condition test action accept lo
log log-interval
Leaf-1-> policy rule test condition test action accept log
Leaf-1->
Leaf-1->
Leaf-1->
Leaf-1-> ping 10.1.1.2
PING 10.1.1.2 (10.1.1.2) 56(84) bytes of data.
64 bytes from 10.1.1.2: icmp_seq=1 ttl=64 time=0.881 ms
64 bytes from 10.1.1.2: icmp_seq=2 ttl=64 time=0.782 ms
64 bytes from 10.1.1.2: icmp_seq=3 ttl=64 time=0.685 ms
64 bytes from 10.1.1.2: icmp_seq=4 ttl=64 time=0.710 ms
64 bytes from 10.1.1.2: icmp_seq=5 ttl=64 time=0.652 ms
64 bytes from 10.1.1.2: icmp_seq=6 ttl=64 time=0.693 ms
--- 10.1.1.2 ping statistics ---
6 packets transmitted, 6 received, 0% packet loss, time 5000ms
rtt min/avg/max/mdev = 0.652/0.733/0.881/0.084 ms
Leaf-1-> show active policy rule
Rule name : RESTRICT_VNID_5000
Condition name = VNID,
Action name = DROP,
Log = Yes
Leaf-1->
Leaf-1-> qos apply
Leaf-1-> show active policy rule
Rule name : RESTRICT_VNID_5000
Condition name = VNID,
Action name = DROP,
Log = Yes
Rule name : test
Condition name = test,
Action name = accept,
Log = Yes
Leaf-1-> ping 10.1.1.2
PING 10.1.1.2 (10.1.1.2) 56(84) bytes of data.
64 bytes from 10.1.1.2: icmp_seq=1 ttl=64 time=0.945 ms
64 bytes from 10.1.1.2: icmp_seq=2 ttl=64 time=0.681 ms
64 bytes from 10.1.1.2: icmp_seq=3 ttl=64 time=0.672 ms
64 bytes from 10.1.1.2: icmp_seq=4 ttl=64 time=0.664 ms
64 bytes from 10.1.1.2: icmp_seq=5 ttl=64 time=0.674 ms
64 bytes from 10.1.1.2: icmp_seq=6 ttl=64 time=0.648 ms
--- 10.1.1.2 ping statistics ---
6 packets transmitted, 6 received, 0% packet loss, time 4999ms
rtt min/avg/max/mdev = 0.648/0.714/0.945/0.103 ms
Leaf-1->
Leaf-1-> show active policy rule
Rule name : RESTRICT_VNID_5000
Condition name = VNID,
Action name = DROP,
Log = Yes
Rule name : test
Condition name = test,
Action name = accept,
Log = Yes,
Packets = 6
Leaf-1-> show qos log
**QOS Log**
8/03/15 14:37:52 Log Init (55bf7cc0).
8/03/15 14:37:52 qosMuxGroupRegisterApp: registered handler 0x10072834 for appid ab
8/03/15 14:37:52 qosNIStateInit: allocated id 0 for all NI mux group.
8/03/15 14:37:52 Reactor initialized
8/03/15 14:37:52 QoS registered with Chassis Supervisor
8/03/15 14:37:52 QoS registered with MIP library
8/03/15 14:37:52 QoS registered with Port Manager
8/03/15 14:37:52 QoS registered with Vlan Manager
8/03/15 14:37:52 Got eoic (55bf7cc0)
8/03/15 14:37:52 Apply QoS configuration (cli)
8/03/15 14:37:52 Calling cslib_unblock (55bf7cc0)
8/03/15 14:37:52 QoS registered with ipedr
8/03/15 14:37:52 QoS registered with ipv6
8/03/15 14:37:52 PM Link Status register for slot 1/1 ports 28 - 2b
8/03/15 14:37:52 Connect from API 1/1
8/03/15 14:37:52 Connect from API 1/2
8/03/15 14:37:53 Connect from API 1/3
8/03/15 14:37:53 Connect from API 1/4
8/03/15 14:37:53 Connect from API 1/5
8/03/15 14:37:54 Connect from API 1/6
8/03/15 14:37:56 Connect from API 1/7
8/03/15 14:37:58 Connect from API 1/8
8/03/15 14:38:03 Connect from API 1/9
8/03/15 14:38:05 Connect from API 1/10
8/03/15 14:38:05 Connect from API 1/11
8/03/15 14:38:05 Connect from API 1/12
8/03/15 14:38:05 add VRF [id 0] name ""
8/03/15 14:38:08 Connect from API 1/13
8/03/15 14:38:08 qosApiHandleOpenFlowMsg: got message ab0100 [CfgTables] 00000000
8/03/15 14:38:08 muxid 1 allocated for OpenFlow.
8/03/15 14:38:47 Connect from slot 1/1
8/03/15 14:38:47 Enabling ipmsv4
8/03/15 14:38:47 Enabling ipmsv6
8/03/15 14:38:50 Connect reply from 1:1 (seq 0, insync 0: 80000000)
8/03/15 14:38:57 NI 1/1 Up
8/03/15 14:38:57 PM Link Status register for slot 1/1 ports 0 - 13
8/03/15 14:39:12 qosLDAPIdFileGet: LDAP Id is e8:e7:32:77:f7:29:20130418:025448
8/03/15 14:39:12 Config sent to Slot 1/1
8/03/15 14:39:12 Send 2 vpa status, 0 ip interface messages for slot 1
8/03/15 14:39:12 Slot 1/1 Ready.
8/03/15 14:39:12 Disabling ipmsv4
8/03/15 14:39:12 Disabling ipmsv6
8/03/15 14:39:12 qosApiHandleOpenFlowMsg: got message ab0100 [CfgTables] 00000000
8/03/15 14:39:17 VC Takeover in progress (55bf7d15).
8/03/15 14:39:17 VC Takeover complete (55bf7d15).
8/03/15 14:39:17 qosSocketClose 234:parent socket API disconnected, fd 95
8/03/15 14:39:17 Disconnect from API 1/4
8/03/15 14:39:17 Connect from API 1/4
8/03/15 14:39:18 Connect from API 1/14
8/03/15 14:39:18 Connect from API 1/15
8/03/15 14:39:19 NI[1/1]: Apply QoS configuration (cli)
8/03/15 14:39:19 NI[1/1]: Apply QoS configuration (cli)
8/03/15 14:46:17 AppFp takeover timer handler running.
8/03/15 14:53:17 qosNIMsgSendRtrMac: mac e8:e7:32:77:f7:29 send to 0:0, 1 nis
8/03/15 15:14:58 qosNIMsgSendRtrMac: mac e8:e7:32:77:f7:29 send to 0:0, 1 nis
8/03/15 15:15:09 qosNIMsgSendRtrMac: mac e8:e7:32:77:f7:29 send to 0:0, 1 nis
8/03/15 16:19:50 qosNIMsgSendRtrMac: mac e8:e7:32:77:f7:29 send to 0:0, 1 nis
8/03/15 16:19:55 qosNIMsgSendRtrMac: mac e8:e7:32:77:f7:29 send to 0:0, 1 nis
8/03/15 16:20:01 qosNIMsgSendRtrMac: mac e8:e7:32:77:f7:29 send to 0:0, 1 nis
8/03/15 16:20:04 qosNIMsgSendRtrMac: mac e8:e7:32:77:f7:29 send to 0:0, 1 nis
8/03/15 16:20:08 qosNIMsgSendRtrMac: mac e8:e7:32:77:f7:29 send to 0:0, 1 nis
8/03/15 16:20:14 qosNIMsgSendRtrMac: mac e8:e7:32:77:f7:29 send to 0:0, 1 nis
8/03/15 16:20:19 qosNIMsgSendRtrMac: mac e8:e7:32:77:f7:29 send to 0:0, 1 nis
8/03/15 16:20:22 qosNIMsgSendRtrMac: mac e8:e7:32:77:f7:29 send to 0:0, 1 nis
8/03/15 16:20:29 qosNIMsgSendRtrMac: mac e8:e7:32:77:f7:29 send to 0:0, 1 nis
8/03/15 16:20:35 qosNIMsgSendRtrMac: mac e8:e7:32:77:f7:29 send to 0:0, 1 nis
8/03/15 16:20:38 qosNIMsgSendRtrMac: mac e8:e7:32:77:f7:29 send to 0:0, 1 nis
8/03/15 17:38:36 qosNIMsgSendRtrMac: mac e8:e7:32:77:f7:29 send to 0:0, 1 nis
8/03/15 17:38:36 qosNIMsgSendRtrMac: mac e8:e7:32:77:f7:29 send to 0:0, 1 nis
8/03/15 17:38:36 qosNIMsgSendRtrMac: mac e8:e7:32:77:f7:29 send to 0:0, 1 nis
8/03/15 17:38:51 qosNIMsgSendRtrMac: mac e8:e7:32:77:f7:29 send to 0:0, 1 nis
8/03/15 17:38:51 qosNIMsgSendRtrMac: mac e8:e7:32:77:f7:29 send to 0:0, 1 nis
8/03/15 17:38:51 qosNIMsgSendRtrMac: mac e8:e7:32:77:f7:29 send to 0:0, 1 nis
8/03/15 17:42:16 qosNIMsgSendRtrMac: mac e8:e7:32:77:f7:29 send to 0:0, 1 nis
8/03/15 17:42:16 qosNIMsgSendRtrMac: mac e8:e7:32:77:f7:29 send to 0:0, 1 nis
8/03/15 17:42:16 qosNIMsgSendRtrMac: mac e8:e7:32:77:f7:29 send to 0:0, 1 nis
8/03/15 17:42:34 qosNIMsgSendRtrMac: mac e8:e7:32:77:f7:29 send to 0:0, 1 nis
8/03/15 17:42:34 qosNIMsgSendRtrMac: mac e8:e7:32:77:f7:29 send to 0:0, 1 nis
8/03/15 17:42:34 qosNIMsgSendRtrMac: mac e8:e7:32:77:f7:29 send to 0:0, 1 nis
8/03/15 17:42:43 qosNIMsgSendRtrMac: mac e8:e7:32:77:f7:29 send to 0:0, 1 nis
8/03/15 17:42:43 qosNIMsgSendRtrMac: mac e8:e7:32:77:f7:29 send to 0:0, 1 nis
8/03/15 17:42:43 qosNIMsgSendRtrMac: mac e8:e7:32:77:f7:29 send to 0:0, 1 nis
8/04/15 10:36:19 Apply QoS configuration (cli)
8/04/15 10:36:20 NI[1/1]: Apply QoS configuration (cli)
8/04/15 10:38:48 Apply QoS configuration (cli)
8/04/15 10:38:50 NI[1/1]: Apply QoS configuration (cli)
8/04/15 11:05:08 Apply QoS configuration (cli)
8/04/15 11:05:10 NI[1/1]: Apply QoS configuration (cli)
8/04/15 11:05:15 [@11:05:14] rule 'test' matched:accept
8/04/15 11:05:15 svlan 1 port 1/0/0 -> 1/1/42
8/04/15 11:05:15 MAC E8:E7:32:77:F7:29 -> E8:E7:32:77:FC:75
8/04/15 11:05:15 TOS 0x00 (ICMP 8:0) 10.1.1.1 -> 10.1.1.2
8/04/15 11:05:20 [@11:05:15] rule 'test' matched:accept
8/04/15 11:05:20 svlan 1 port 1/0/0 -> 1/1/42
8/04/15 11:05:20 MAC E8:E7:32:77:F7:29 -> E8:E7:32:77:FC:75
8/04/15 11:05:20 TOS 0x00 (ICMP 8:0) 10.1.1.1 -> 10.1.1.2
8/04/15 11:05:20 [@11:05:16] rule 'test' matched:accept
8/04/15 11:05:20 svlan 1 port 1/0/0 -> 1/1/42
8/04/15 11:05:20 MAC E8:E7:32:77:F7:29 -> E8:E7:32:77:FC:75
8/04/15 11:05:20 TOS 0x00 (ICMP 8:0) 10.1.1.1 -> 10.1.1.2
8/04/15 11:05:20 [@11:05:17] rule 'test' matched:accept
8/04/15 11:05:20 svlan 1 port 1/0/0 -> 1/1/42
8/04/15 11:05:20 MAC E8:E7:32:77:F7:29 -> E8:E7:32:77:FC:75
8/04/15 11:05:20 TOS 0x00 (ICMP 8:0) 10.1.1.1 -> 10.1.1.2
8/04/15 11:05:20 [@11:05:18] rule 'test' matched:accept
8/04/15 11:05:20 svlan 1 port 1/0/0 -> 1/1/42
8/04/15 11:05:20 MAC E8:E7:32:77:F7:29 -> E8:E7:32:77:FC:75
8/04/15 11:05:20 TOS 0x00 (ICMP 8:0) 10.1.1.1 -> 10.1.1.2
8/04/15 11:05:20 [@11:05:19] rule 'test' matched:accept
8/04/15 11:05:20 svlan 1 port 1/0/0 -> 1/1/42
8/04/15 11:05:20 MAC E8:E7:32:77:F7:29 -> E8:E7:32:77:FC:75
8/04/15 11:05:20 TOS 0x00 (ICMP 8:0) 10.1.1.1 -> 10.1.1.2
Leaf-1-> show configuration snapshot qos
! QOS:
policy condition VNID vxlan vxlan-port 8472 vni 5000 inner source ip 172.20.175.135
policy condition test source ip 10.1.1.1 destination ip 10.1.1.2
policy action DROP disposition drop
policy action accept dscp 46
policy rule RESTRICT_VNID_5000 condition VNID action DROP log
policy rule test condition test action accept log
qos apply
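
The logging gap from the notes at the top (a rule defined with "log" that counts packets in hardware but never appears in "show qos log") can be checked mechanically from three of the outputs captured above. This is an added example, not part of the original notes or any vendor tooling; the function names are hypothetical and the sample text is trimmed from the session above.

```python
import re

# Excerpts trimmed from the session above (only the relevant lines are kept).
SNAPSHOT = """\
policy rule RESTRICT_VNID_5000 condition VNID action DROP log
policy rule test condition test action accept log
"""
HW_STATS = """\
RESTRICT_VNID_5000 Default 684 106704
"""
QOS_LOG = """\
8/04/15 11:05:15 [@11:05:14] rule 'test' matched:accept
8/04/15 11:05:15 svlan 1 port 1/0/0 -> 1/1/42
8/04/15 11:05:20 [@11:05:15] rule 'test' matched:accept
"""

def logged_rules(snapshot):
    """Names of policy rules whose definition carries the 'log' keyword."""
    names = []
    for line in snapshot.splitlines():
        tok = line.split()
        # Layout: policy rule <name> condition <c> action <a> [log ...]
        if tok[:2] == ["policy", "rule"] and "log" in tok[3:]:
            names.append(tok[2])
    return names

def hw_packets(stats):
    """Rule name -> packet count from 'show vm-snooping statistics hardware' rows."""
    out = {}
    for line in stats.splitlines():
        m = re.match(r"^(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s*$", line)
        if m:
            out[m.group(1)] = int(m.group(3))
    return out

def log_matches(log):
    """Rule name -> number of "rule '<name>' matched" records in 'show qos log'."""
    counts = {}
    for name in re.findall(r"rule '([^']+)' matched", log):
        counts[name] = counts.get(name, 0) + 1
    return counts

def logging_gaps(snapshot, stats, log):
    """Rules with 'log' set and hardware hits but no match record in the QoS log."""
    pkts, seen = hw_packets(stats), log_matches(log)
    return [r for r in logged_rules(snapshot)
            if pkts.get(r, 0) > 0 and seen.get(r, 0) == 0]

if __name__ == "__main__":
    print(logging_gaps(SNAPSHOT, HW_STATS, QOS_LOG))
```

For the captured session this reports RESTRICT_VNID_5000: the drop rule has 684 hardware hits and "log" configured, yet only the rule "test" produces match records.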