Note on Testing
Rate-Limiting
Port Traffic Controls
All-Traffic Rate-Limiting for the 5300xl, 3400cl and 6400cl Switches
The switch does not send more traps or Event Log messages for excess ICMP
traffic on the affected port until the system operator resets the port’s ICMP
trap function. The reset can be done through SNMP from a network management
station or through the CLI with the following setmib command.
Syntax: setmib hpIcmpRatelimitPortAlarmflag.< internal-port-# > -i 1
On a port configured with ICMP rate-limiting, this command
resets the ICMP trap function, which allows the switch to
generate a new SNMP trap and an Event Log message if ICMP
traffic in excess of the configured limit is detected on the port.
For example, an operator noticing an ICMP rate-limiting trap or Event Log
message originating with port A1 on a 5300xl switch would use the following
setmib command to reset the port to send a new message if the condition
occurs again.
ProCurve(config)# setmib hpicmpratelimitportalarmflag.1 -i 1
Operating Notes for ICMP Rate-Limiting
ICMP rate-limiting is byte-based and is applied to the available bandwidth on
an interface. If the total bandwidth requested by all ICMP traffic is less than
the available, configured maximum rate, then no ICMP rate-limit can be
applied. That is, for the limit to take effect, an interface must be receiving
more inbound ICMP traffic than the configured bandwidth limit allows. If the
interface is configured with both rate-limit all and rate-limit icmp, then the
ICMP limit can be met or exceeded only if the rate limit for all types of
inbound traffic has not already been met or exceeded. Also, to test the ICMP
limit it is necessary to generate ICMP traffic that exceeds the configured ICMP
rate limit. Using the recommended settings (1% for edge interfaces and 5%
maximum for core interfaces), it is easy to generate sufficient traffic.
However, if you are testing with higher maximums, it is necessary to ensure
that the ICMP traffic volume exceeds the configured maximum. Note also that
when testing ICMP rate-limiting where inbound ICMP traffic on a given interface
has destinations on multiple outbound interfaces, the test results must be
based on the average aggregate outbound ICMP traffic received over time.
ICMP rate-limiting is not reflected in counters monitoring inbound traffic
because inbound packets are counted before the ICMP rate-limiting drop
action occurs.
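
The following Python check is an added example, not part of the original manual: it judges an ICMP rate-limit test the way the operating notes require, using the aggregate ICMP rate averaged over time on the outbound side and reporting the test as inconclusive when the offered load never exceeds the limit. Assumptions: the configured percentage applies to link speed, the 10% tolerance is an arbitrary measurement margin, and the port names B1 and B2 and all sample values are constructed.

```python
from collections import defaultdict

def icmp_limit_bps(link_bps, icmp_percent):
    """Configured ICMP ceiling in bits/s (assumes the percentage applies to link speed)."""
    return link_bps * icmp_percent / 100.0

def aggregate_outbound_bps(samples):
    """Average aggregate ICMP rate in bits/s over the whole observation window.

    samples: (seconds, port, cumulative ICMP bytes seen leaving that port), taken on
    the outbound side because inbound counters count packets before the drop action.
    """
    by_port = defaultdict(list)
    for t, port, octets in samples:
        by_port[port].append((t, octets))
    total_bytes = 0
    for points in by_port.values():
        points.sort()
        total_bytes += points[-1][1] - points[0][1]
    times = [t for t, _, _ in samples]
    window = max(times) - min(times)
    if window <= 0:
        raise ValueError("need samples spanning a non-zero time window")
    return total_bytes * 8 / window

def evaluate_test(link_bps, icmp_percent, offered_bps, samples, tolerance=0.10):
    """Return (verdict, measured_bps); tolerance is an assumed measurement margin."""
    limit = icmp_limit_bps(link_bps, icmp_percent)
    if offered_bps <= limit:
        # The limit cannot engage unless the offered ICMP load exceeds it.
        return "inconclusive", None
    measured = aggregate_outbound_bps(samples)
    verdict = "pass" if measured <= limit * (1 + tolerance) else "fail"
    return verdict, measured

# Constructed sample data: ICMP entering port A1 (100 Mb/s, 1% limit) and leaving
# through two hypothetical outbound ports, B1 and B2, sampled over 10 seconds.
SAMPLES = [
    (0, "B1", 0), (5, "B1", 380_000), (10, "B1", 750_000),
    (0, "B2", 0), (5, "B2", 245_000), (10, "B2", 500_000),
]

if __name__ == "__main__":
    print(evaluate_test(100_000_000, 1, 5_000_000, SAMPLES))  # limit engaged
    print(evaluate_test(100_000_000, 5, 2_000_000, SAMPLES))  # load below the limit
```

Feeding the function samples from the inbound counter on A1 instead would report a failure even when the limit is working, since that counter is incremented before the rate-limiting drop.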