Monitoring resources

Displaying current resource usage

To display current resource usage in the switch, enter the following command:

Syntax:

show <qos | access-list | policy> resources

Displays the resource usage of the policy enforcement engine on the switch by software feature. For each type of resource, the amount still available and the amount used by each software feature is shown.

show resources

This output allows you to view current resource usage and, if necessary, prioritize and reconfigure software features to free resources reserved for less important features.

qos, access-list, openflow, policy

Display the same command output and provide different ways to access task-specific information.

NOTE: See “Viewing OpenFlow Resources” in the OpenFlow Administrators Guide for your switch.


The example "Displaying current resource usage" shows the resource usage on a switch configured for ACLs, QoS, RADIUS-based authentication, and other features:

  • The "Rules Used" columns show that ACLs, VT, mirroring, and other features (for example, Management VLAN) have been configured globally or per-VLAN, because identical resource consumption is displayed for each port range in the switch. If ACLs were configured per-port, the number of rules used in each port range would be different.

Displaying current resource usage

HP Switch(config)# show access-list resources

 Resource usage in Policy Enforcement Engine

        | Rules       | Rules Used
  Ports | Available   | ACL | QoS | IDM | Other |
  ------+-------------+-----+-----+-----+-------|
  1-48  |        2006 |  10 |   5 |   0 |    6  |

        | Meters      | Meters Used
  Ports | Available   | ACL | QoS | IDM | Other |
  ------+-------------+-----+-----+-----+-------|
  1-48  |         255 |     |   5 |     |     0 |

        | Application |
        | Port Ranges |  Application Port Ranges Used
  Ports |  Available  | ACL | QoS | IDM | Other |
  ------+-------------+-----+-----+-----+-------|
  1-48  |          31 |   1 |   0 |   0 |     0 |

2 of 16 Policy Engine management resources used.

Key:
ACL = Access Control Lists
QoS = Device & Application Port Priority
IDM = Identity Driven Management
Other = Management VLAN, DHCP Snooping, ARP Protection, RA Guard.

Resource usage includes resources actually in use, or reserved for future
use by the listed feature. Internal dedicated-purpose resources, such as
port bandwidth limits or VLAN QoS priority, are not included.

Viewing information on resource usage

The switch allows you to view information about the current usage and availability of resources in the Policy Enforcement engine, including the following software features:

  • Access control lists (ACL)

  • Quality-of-service (QoS), including device and application port priority, ICMP rate-limiting, and QoS policies

  • Dynamic assignment of per-port or per-user ACLs and QoS through RADIUS authentication designated as “IDM”, with or without the optional identity-driven management (IDM) application

  • Virus throttling (VT) using connection-rate filtering

  • Mirroring policies, including switch configuration as an endpoint for remote intelligent mirroring

  • Other features, including:

    • Management VLAN

    • DHCP snooping

    • Dynamic ARP protection

    • Jumbo IP-MTU

Policy enforcement engine

The policy enforcement engine is the hardware element in the switch that manages QoS, mirroring, and ACL policies, as well as other software features, using the rules that you configure. Resource usage in the policy enforcement engine is based on how these features are configured on the switch:

  • Resource usage by dynamic port ACLs is determined as follows:

    • Dynamic port ACLs configured by a RADIUS server (with or without the optional IDM application) for an authenticated client determine the current resource consumption for this feature on a specified slot. When a client session ends, the resources in use for that client become available for other uses.

  • When the following features are configured globally or per-VLAN, resource usage is applied across all port groups or all slots with installed modules:

    • ACLs

    • QoS configurations that use the following commands:

      • QoS device priority (IP address) through the CLI using the qos device-priority command

      • QoS application port through the CLI using qos tcp-port or qos udp-port

      • VLAN QoS policies through the CLI using service-policy

    • Management VLAN configuration

    • DHCP snooping

    • Dynamic ARP protection

    • Remote mirroring endpoint configuration

    • Mirror policies per VLAN through the CLI using monitor service

    • Jumbo IP-MTU

  • When the following features are configured per-port, resource usage is applied only to the slot or port group on which the feature is configured:

    • ACLs or QoS applied per-port or per-user through RADIUS authentication

    • ACLs applied per-port through the CLI using the ip access-group or ipv6 traffic-filter commands

    • QoS policies applied per port through the CLI using the service-policy command

    • Mirror policies applied per-port through the CLI using the monitor all service and service-policy commands

    • ICMP rate-limiting through the CLI using the rate-limit icmp command

Usage notes for show resources output

  • A 1:1 mapping of internal rules to configured policies in the switch does not necessarily exist. As a result, displaying current resource usage is the most reliable method for keeping track of available resources. Also, because some internal resources are used by multiple features, deleting a feature configuration may not increase the amount of available resources.

  • Resource usage includes resources actually in use or reserved for future use by the listed features.

  • "Internal dedicated-purpose resources" include the following features:

    • Per-port ingress and egress rate limiting through the CLI using rate-limit in/out

    • Per-port or per-VLAN priority or DSCP through the CLI using qos priority or qos dscp

    • Per protocol priority through the CLI using qos protocol

  • The "Available" columns display the resources available for additional feature use.

  • The "IDM" column shows the resources used for RADIUS-based authentication with or without the IDM option.

  • "Meters" are used when applying either ICMP rate-limiting or a QoS policy with a rate-limit class action.

When insufficient resources are available

The switch has ample resources for configuring features and supporting RADIUS-authenticated clients (with or without the optional IDM application).

If the resources supporting these features become fully subscribed:

  • The current feature configuration, RADIUS-authenticated client sessions, and VT instances continue to operate normally.

  • The switch generates an event log notice to say that current resources are fully subscribed.

  • Currently engaged resources must be released before any of the following actions are supported:

    • Modifying currently configured ACLs, IDM, VT, and other software features, such as Management VLAN, DHCP snooping, and dynamic ARP protection.

      You can modify currently configured classifier-based QoS and mirroring policies if a policy has not been applied to an interface. However, sufficient resources must be available when you apply a configured policy to an interface.

    • Acceptance of new RADIUS-based client authentication requests (displayed as a new resource entry for IDM).

      Failure to authenticate a client that presents valid credentials may indicate that insufficient resources are available for the features configured for the client in the RADIUS server. To troubleshoot, check the event log.

    • Throttling or blocking of newly detected clients with high rate-of-connection requests (as defined by the current VT configuration).

      The switch continues to generate Event Log notifications (and SNMP trap notification, if configured) for new instances of high-connection-rate behavior detected by the VT feature.
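Because a fully subscribed engine stops accepting new RADIUS-authenticated clients and stops throttling newly detected VT clients, it helps to watch the "Available" columns before they run out. The following is an added example, not code from the switch vendor: it parses captured show access-list resources output, flags port ranges below a free-entry floor, and reports whether usage differs between port ranges. The 49-96 row, the floor values, and the function names are assumptions made for this example, and it expects numeric port ranges as in the output shown earlier.

```python
import re

# Constructed sample in the layout of the page's output; the 49-96 row and
# its values are invented for this example.
SAMPLE = """\
        | Rules       | Rules Used
  Ports | Available   | ACL | QoS | IDM | Other |
  ------+-------------+-----+-----+-----+-------|
  1-48  |        2006 |  10 |   5 |   0 |    6  |
  49-96 |          12 | 980 |   5 |  24 |    6  |

        | Meters      | Meters Used
  Ports | Available   | ACL | QoS | IDM | Other |
  ------+-------------+-----+-----+-----+-------|
  1-48  |         255 |     |   5 |     |     0 |
  49-96 |         255 |     |   5 |     |     0 |
"""
FEATURES = ("ACL", "QoS", "IDM", "Other")
# Hypothetical alert floors: minimum free entries per resource type.
FLOORS = {"Rules": 100, "Meters": 16, "Application Port Ranges": 4}

def parse_resources(text):
    """Return {resource: {port_range: {"Available": n, "ACL": n, ...}}}."""
    tables, kind = {}, None
    for line in text.splitlines():
        head = re.search(r"(Rules|Meters|Application Port Ranges) Used", line)
        row = re.match(r"\s*(\d+-\d+)\s*\|(.*)", line)
        if head:
            kind = head.group(1)
            tables[kind] = {}
        elif row and kind:
            cells = [c.strip() for c in row.group(2).split("|")][:5]
            # Blank cells (feature does not use this resource) become None.
            nums = [int(c) if c.isdigit() else None for c in cells]
            tables[kind][row.group(1)] = dict(zip(("Available",) + FEATURES, nums))
    return tables

def low_headroom(tables, floors=FLOORS):
    """Port ranges whose Available count is below the floor for that resource."""
    return [(kind, ports, row["Available"])
            for kind, ranges in tables.items()
            for ports, row in ranges.items()
            if row["Available"] is not None and row["Available"] < floors.get(kind, 0)]

def varies_by_port_range(tables, kind, feature):
    """True when usage differs between port ranges (per-port or per-user rules)."""
    return len({row[feature] for row in tables[kind].values()}) > 1

if __name__ == "__main__":
    t = parse_resources(SAMPLE)
    print(low_headroom(t), varies_by_port_range(t, "Rules", "ACL"))
```

Since internal rules do not map 1:1 to configured policies, compare successive captures rather than estimating usage from the configuration.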