Re: IDS 4200 Alarm Question

From: Petr Lapukhov (petr@internetworkexpert.com)
Date: Thu Dec 07 2006 - 03:53:01 ART


Ed,

Basically, ThrottleInterval and ChokeThreshold are used together to produce
what is called "Variable Summary" mode:

<quote http://www.ciscopress.com/articles/article.asp?p=25330&seqNum=3&rl=1>

The variable summary modes are controlled by the ChokeThreshold parameter.
This parameter enables you to configure a signature to automatically switch
between AlarmThrottle modes, based on the number of alarms detected per
throttle interval for a specific signature.

</quote>

So you see, ChokeThreshold defines an "auto-switching" mode, which is used
to automatically promote the AlarmThrottle mode from the most detailed one
to a very compact one.

What is ThrottleInterval? It's just a *time* interval over which the number
of fired alarms is counted. It's not a "sliding" window like AlarmInterval;
rather, it defines fixed portions of the time scale.

Allow me to quote DocCD still :)

<DocCD>

ChokeThreshold enables or disables the automatic upgrade/downgrade feature.
This feature is turned off (disabled) by leaving ChokeThreshold blank if
ChokeThreshold does not have a default value or by setting ChokeThreshold to
a large value such as 100,000. ** A numeric value for ChokeThreshold denotes
the threshold number of alarms in the interval to trigger an auto-upgrade. **

The upgrade sequence is FireAll to Summarize to GlobalSummarize.

</DocCD>

So you see now that the number of alarms produced over "time interval =
ThrottleInterval" is compared to ChokeThreshold. If it exceeds it, the
AlarmThrottle mode is switched, say from FireAll to Summarize.

<DocCD>
It goes straight from FireAll to GlobalSummarize if 2 times the
ChokeThreshold value is exceeded. Downgrades occur at the start of the next
interval. It reverts to its normal behavior starting at the next interval
(right after the summary alarm is sent).
</DocCD>

An important note: if over the next ThrottleInterval the ChokeThreshold is
not exceeded, the downgrade occurs!

<DocCD>

Example: SIG 20000 AlarmThrottle FireAll ChokeThreshold 100 ThrottleInterval 60

Traffic1: 90 alarms in 60 seconds. Result: You get 90 regular alarms.

Traffic2: 120 alarms in 60 seconds. Result: You get 100 regular alarms and
1 IntervalSummary alarm with count 120.

Traffic3: 240 alarms in 60 seconds. Result: You get 100 regular alarms and
1 GlobalSummary alarm with count 240.

</DocCD>

Try repeating this example with signature 2000. It has AlarmThrottle set to
Summary mode by default, but you may set it to FireAll. Set ThrottleInterval
to a lower value, say 10 seconds, and produce a stream of ping packets of a
larger size and stream length (e.g. 10000 packets). Then set ChokeThreshold
to a reasonable value, say 100, and see what will happen.

The best way is to learn by example here :)

2006/12/7, Lab Rat #109385382 <techlist01@gmail.com>:
>
> Can someone explain the difference/relation between:
>
> ChokeThreshold
>
> and
>
> ThrottleInterval
>
> Please don't quote the Doc CD. I read it, but still don't understand it.
>
> Thanks,
>
> Ed
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>

-- 
Petr Lapukhov, CCIE #16379
petr@internetworkexpert.com

Internetwork Expert, Inc. http://www.InternetworkExpert.com Toll Free: 877-224-8987 Outside US: 775-826-4344
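The following is an added illustration, not part of the thread above and not Cisco sensor code: a small Python simulation of the FireAll -> Summarize -> GlobalSummarize auto-upgrade that the quoted DocCD paragraphs describe, with ThrottleInterval modelled as fixed (non-sliding) time buckets and ChokeThreshold as the per-bucket count that triggers the upgrade. The `ThrottleConfig`, `Alarm`, `simulate` and `run_traffic` names are hypothetical, and the replayed hit timestamps are constructed so that the three DocCD traffic cases (90, 120 and 240 alarms in a 60-second interval) can be reproduced offline.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# AlarmThrottle modes, from the most detailed to the most compact (the upgrade order).
FIRE_ALL, SUMMARIZE, GLOBAL_SUMMARIZE = "FireAll", "Summarize", "GlobalSummarize"


@dataclass(frozen=True)
class ThrottleConfig:
    """Hypothetical holder for the two signature parameters discussed in the thread."""
    choke_threshold: Optional[int] = None  # None models a blank field: auto-upgrade disabled
    throttle_interval: int = 60            # seconds; fixed buckets, not a sliding window


@dataclass
class Alarm:
    interval: int  # index of the ThrottleInterval bucket that produced it
    kind: str      # "Regular", "IntervalSummary" or "GlobalSummary"
    count: int     # 1 for a regular alarm, total hits in the bucket for a summary


def simulate(event_times: Iterable[float], cfg: ThrottleConfig) -> List[Alarm]:
    """Replay signature hits (seconds since sensor start) through the
    FireAll -> Summarize -> GlobalSummarize auto-upgrade (hypothetical model)."""
    alarms: List[Alarm] = []
    bucket: Optional[int] = None  # current ThrottleInterval bucket
    seen = 0                      # hits counted in the current bucket
    mode = FIRE_ALL               # configured mode; the signature starts here

    def close_bucket() -> None:
        # One summary alarm is sent at the end of the interval with the total count.
        # The loop below then resets mode to FireAll: the "downgrade at the start
        # of the next interval".
        if bucket is not None and mode != FIRE_ALL:
            kind = "GlobalSummary" if mode == GLOBAL_SUMMARIZE else "IntervalSummary"
            alarms.append(Alarm(bucket, kind, seen))

    for t in sorted(event_times):
        idx = int(t // cfg.throttle_interval)  # fixed-size bucket, never a sliding window
        if idx != bucket:
            close_bucket()
            bucket, seen, mode = idx, 0, FIRE_ALL
        seen += 1
        thr = cfg.choke_threshold
        if thr is not None:
            if seen > 2 * thr:        # more than 2x ChokeThreshold: end up in GlobalSummarize
                mode = GLOBAL_SUMMARIZE
            elif seen > thr:          # ChokeThreshold exceeded: upgrade to Summarize
                mode = SUMMARIZE
        if mode == FIRE_ALL:          # only FireAll emits one alarm per hit
            alarms.append(Alarm(bucket, "Regular", 1))
    close_bucket()
    return alarms


def run_traffic(n_events: int, cfg: ThrottleConfig,
                start: float = 0.0) -> Tuple[int, Optional[str], Optional[int]]:
    """Spread n_events evenly over one ThrottleInterval beginning at `start`
    (constructed input) and report (regular alarms, summary kind, summary count)."""
    if n_events <= 0:
        return 0, None, None
    step = cfg.throttle_interval / n_events
    times = [start + i * step for i in range(n_events)]  # all land in the same bucket
    alarms = simulate(times, cfg)
    regular = sum(1 for a in alarms if a.kind == "Regular")
    summaries = [a for a in alarms if a.kind != "Regular"]
    if not summaries:
        return regular, None, None
    return regular, summaries[0].kind, summaries[0].count


if __name__ == "__main__":
    cfg = ThrottleConfig(choke_threshold=100, throttle_interval=60)
    for n in (90, 120, 240):  # the three DocCD traffic cases
        print(f"{n} hits in 60 s ->", run_traffic(n, cfg))
    # A busy interval followed by a quiet one: the mode reverts to FireAll.
    times = [i * 0.5 for i in range(120)] + [60 + i for i in range(45)]
    for a in simulate(times, cfg):
        if a.kind != "Regular" or a.interval == 1:
            print(a)
```

Running the script prints 90 regular alarms for the first case, 100 regular alarms plus one IntervalSummary with count 120 for the second, and 100 regular alarms plus one GlobalSummary with count 240 for the third, matching the DocCD table; the two-interval replay at the end shows the second bucket firing 45 regular alarms with no summary, which is the downgrade Petr points out. Passing `choke_threshold=None` (a blank field) or a very large value reproduces the "feature disabled" behaviour.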



This archive was generated by hypermail 2.1.4 : Tue Jan 02 2007 - 07:50:37 ART