Product guide
11-23
Configuring Advanced Threat Protection
Using the Instrumentation Monitor
Operating Notes
■ To generate alerts for monitored events, you must enable the instrumentation monitoring log and/or SNMP trap. The threshold for each monitored parameter can be adjusted to minimize false alarms (see “Configuring Instrumentation Monitor” on page 11-24).
■ When a parameter exceeds its threshold, an alert (event log message
and/or SNMP trap) is generated to inform network administrators of
this condition. The following example shows an event log message
that occurs when the number of MAC addresses learned in the
forwarding table exceeds the configured threshold:
Figure 1. Example of Event Log Message generated by Instrumentation Monitor

W 05/27/06 12:10:16 inst-mon: Limit for MAC addr count (300) is exceeded (321)

Callouts in Figure 1:
■ Standard date/time prefix for event log messages: W 05/27/06 12:10:16
■ “inst-mon” label indicates an Instrumentation Monitor event
■ Monitored parameter: MAC addr count
■ Threshold value: 300
■ Current value: 321

Parameter Name / Description

login-failures/min: The count of failed CLI login attempts or SNMP management authentication failures. This indicates an attempt has been made to manage the switch with an invalid login or password. Also, it might indicate a network management station has not been configured with the correct SNMP authentication parameters for the switch.

port-auth-failures/min: The count of times a client has been unsuccessful logging into the network.

system-delay: The response time, in seconds, of the CPU to new network events such as BPDU packets or packets for other network protocols. Some DoS attacks can cause the CPU to take too long to respond to new network events, which can lead to a breakdown of Spanning Tree or other features. A delay of several seconds indicates a problem.

mac-address-count: The number of MAC addresses learned in the forwarding table. Some attacks fill the forwarding table so that new conversations are flooded to all parts of the network.

mac-moves/min: The average number of MAC address moves from one port to another per minute. This usually indicates a network loop, but can also be caused by DoS attacks.

learn-discards/min: Number of MAC address learn events per minute discarded to help free CPU resources when busy.
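The event log line in Figure 1 has a fixed shape (severity letter, date/time prefix, the “inst-mon” label, the monitored parameter, the threshold in parentheses, then the current value in parentheses), which makes it easy to parse once the messages are forwarded to a syslog collector or SIEM. The following is an added example, not code from the guide or the switch vendor: a small parser for that line shape plus a triage routine that groups repeated alerts per parameter and records the peak value, so a forwarding table that keeps growing past its limit stands out from a single value just over the threshold. The first sample line is the one from Figure 1; the other inst-mon lines, and the unrelated “ports:” line, are constructed for this example and assume other parameters are reported with the same message shape.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Line shape taken from Figure 1:
#   <severity> <mm/dd/yy> <hh:mm:ss> inst-mon: Limit for <parameter> (<threshold>) is exceeded (<current>)
INST_MON_RE = re.compile(
    r"^(?P<severity>[A-Z])\s+"
    r"(?P<date>\d{2}/\d{2}/\d{2})\s+"
    r"(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"inst-mon:\s+Limit for (?P<parameter>.+?) "
    r"\((?P<threshold>\d+)\) is exceeded \((?P<current>\d+)\)\s*$"
)


@dataclass
class InstMonAlert:
    severity: str
    timestamp: str
    parameter: str
    threshold: int
    current: int

    @property
    def overshoot(self) -> int:
        """How far the measured value is above the configured threshold."""
        return self.current - self.threshold


def parse_inst_mon(line: str) -> Optional[InstMonAlert]:
    """Parse one event log line; return None if it is not an inst-mon limit alert."""
    m = INST_MON_RE.match(line)
    if not m:
        return None
    return InstMonAlert(
        severity=m.group("severity"),
        timestamp=f"{m.group('date')} {m.group('time')}",
        parameter=m.group("parameter"),
        threshold=int(m.group("threshold")),
        current=int(m.group("current")),
    )


# CONSTRUCTED sample log for this example. Line 1 is the message from Figure 1;
# the remaining inst-mon lines assume the same message shape for other
# parameters, and the "ports:" line shows that non-inst-mon events are skipped.
SAMPLE_LOG = """\
W 05/27/06 12:10:16 inst-mon: Limit for MAC addr count (300) is exceeded (321)
I 05/27/06 12:10:20 ports: port 5 is now on-line
W 05/27/06 12:11:16 inst-mon: Limit for MAC addr count (300) is exceeded (410)
W 05/27/06 12:11:30 inst-mon: Limit for login failures (10) is exceeded (14)
"""


def triage(log_text: str) -> Dict[str, Dict[str, int]]:
    """Group inst-mon alerts by parameter: alert count, threshold and peak value.

    A parameter that alerts repeatedly with a rising current value (such as a
    forwarding table being filled) deserves attention before a one-off value
    that is barely over its threshold.
    """
    summary: Dict[str, Dict[str, int]] = {}
    for line in log_text.splitlines():
        alert = parse_inst_mon(line)
        if alert is None:
            continue
        entry = summary.setdefault(
            alert.parameter, {"count": 0, "threshold": alert.threshold, "peak": 0}
        )
        entry["count"] += 1
        entry["peak"] = max(entry["peak"], alert.current)
    return summary


if __name__ == "__main__":
    for param, info in triage(SAMPLE_LOG).items():
        print(f"{param}: {info['count']} alert(s), threshold {info['threshold']}, peak {info['peak']}")
```

Because the threshold is carried in every message, the parser does not need to know the switch configuration to compute how far a value has overshot; that also lets a collector notice when a threshold has been lowered or raised between alerts.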