Access Security Guide K/KA/KB.15.15

When dynamic IP lockdown is enabled globally or on ports, the bindings associated with those ports are written to hardware. This occurs during these events:
• Switch initialization
• Hot swap
• A dynamic IP lockdown-enabled port is moved to a DHCP snooping-enabled VLAN
• DHCP snooping or dynamic IP lockdown characteristics are changed such that dynamic IP lockdown is enabled on the ports
Potential issues with bindings
• When dynamic IP lockdown is enabled and a port or switch already holds the maximum number of bindings, the client's DHCP request is dropped and the client does not receive an IP address through DHCP.
• When dynamic IP lockdown is enabled and a port is configured with the maximum number of bindings, adding a static binding to the port fails.
• When dynamic IP lockdown is enabled globally, the bindings for each port are written to hardware. If global dynamic IP lockdown is enabled and disabled several times, it is possible to run out of buffer space for additional bindings. The software delays adding the bindings to hardware until resources are available.
Using the instrumentation monitor
The instrumentation monitor can be used to detect anomalies caused by security attacks or other
irregular operations on the switch. The following table shows the operating parameters that can
be monitored at pre-determined intervals, and the possible security attacks that may trigger an
alert:
Table 40 Parameters for monitoring

Parameter Name          Description
pkts-to-closed-ports    The count of packets per minute sent to closed TCP/UDP ports. An excessive number of packets could indicate a port scan, in which an attacker is attempting to expose a vulnerability in the switch.
arp-requests            The count of ARP requests processed per minute. A large number of ARP request packets could indicate a host infected with a virus that is trying to spread itself.
ip-address-count        The number of destination IP addresses learned in the IP forwarding table. Some attacks fill the IP forwarding table, causing legitimate traffic to be dropped.
system-resource-usage   The percentage of system resources in use. Some Denial-of-Service (DoS) attacks cause excessive system resource usage, resulting in insufficient resources for legitimate traffic.
login-failures/min      The count of failed CLI login attempts or SNMP management authentication failures. This indicates an attempt has been made to manage the switch with an invalid login or password. It might also indicate that a network management station has not been configured with the correct SNMP authentication parameters for the switch.

Threshold values
<1-2147483647>—Set the threshold value
low—Low threshold
med—Medium threshold
high—High threshold
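The following is an added example, not code from the Access Security Guide or from the switch firmware. It models how the Table 40 parameters are compared against thresholds: each parameter gets either a numeric limit in the range <1-2147483647> given above or one of the named thresholds low, med or high, and a per-minute counter sample that exceeds its limit raises an alert. The numeric values behind low/med/high are assumptions chosen for illustration (the guide names the levels but this page gives no numbers for them), and the counter samples are constructed to show a port-scan burst, a run of login failures and a resource-exhaustion minute.

```python
"""Threshold evaluation modelled on the instrumentation monitor parameters of Table 40.

Added example; not the guide's or the switch's own code.  Named-threshold
numbers and the sample counters are ASSUMED/constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Union

# Parameters listed in Table 40.
PARAMETERS = (
    "pkts-to-closed-ports",
    "arp-requests",
    "ip-address-count",
    "system-resource-usage",
    "login-failures/min",
)

# Numeric limit range as given on the page: <1-2147483647>.
LIMIT_MIN, LIMIT_MAX = 1, 2147483647

# ASSUMED numeric equivalents of the named thresholds (illustrative only;
# the guide does not publish these numbers on this page).
NAMED_THRESHOLDS: Dict[str, Dict[str, int]] = {
    "pkts-to-closed-ports":  {"low": 10,  "med": 100, "high": 1000},
    "arp-requests":          {"low": 30,  "med": 300, "high": 3000},
    "ip-address-count":      {"low": 100, "med": 500, "high": 2000},
    "system-resource-usage": {"low": 50,  "med": 70,  "high": 90},   # percent
    "login-failures/min":    {"low": 3,   "med": 5,   "high": 10},
}

Threshold = Union[int, str]


def is_valid_limit(limit: int) -> bool:
    """True when a numeric limit lies inside the <1-2147483647> range."""
    return isinstance(limit, int) and LIMIT_MIN <= limit <= LIMIT_MAX


def resolve_threshold(param: str, threshold: Threshold) -> int:
    """Turn a numeric or named (low/med/high) threshold into a numeric limit."""
    if param not in NAMED_THRESHOLDS:
        raise ValueError(f"unknown parameter: {param}")
    if isinstance(threshold, str):
        try:
            return NAMED_THRESHOLDS[param][threshold]
        except KeyError:
            raise ValueError(f"threshold must be low, med, high or a number: {threshold}")
    if not is_valid_limit(threshold):
        raise ValueError(f"numeric limit out of range {LIMIT_MIN}-{LIMIT_MAX}: {threshold}")
    return threshold


@dataclass(frozen=True)
class Alert:
    minute: int      # index of the one-minute sample that tripped the limit
    param: str
    value: int
    limit: int


def evaluate(config: Dict[str, Threshold], samples: List[Dict[str, int]]) -> List[Alert]:
    """Compare each per-minute sample against the configured limits.

    A parameter alerts when its counter strictly exceeds the limit
    (assumed semantics; the page says only that an alert may be triggered).
    """
    limits = {p: resolve_threshold(p, t) for p, t in config.items()}
    alerts: List[Alert] = []
    for minute, sample in enumerate(samples):
        for param, limit in limits.items():
            value = sample.get(param, 0)
            if value > limit:
                alerts.append(Alert(minute, param, value, limit))
    return alerts


def summarize(alerts: List[Alert]) -> Dict[str, int]:
    """Count alerts per parameter, which is what an operator would review first."""
    counts: Dict[str, int] = {}
    for a in alerts:
        counts[a.param] = counts.get(a.param, 0) + 1
    return counts


# Constructed configuration mixing named and numeric thresholds.
CONFIG: Dict[str, Threshold] = {
    "pkts-to-closed-ports": "high",
    "arp-requests": "med",
    "ip-address-count": 2000,
    "system-resource-usage": "high",
    "login-failures/min": 10,
}

# Constructed per-minute counters: quiet minute, a scan burst against closed
# ports, a burst of failed logins, then ARP flood plus table fill and high load.
SAMPLES: List[Dict[str, int]] = [
    {"pkts-to-closed-ports": 4,    "arp-requests": 20,   "ip-address-count": 120,  "system-resource-usage": 35, "login-failures/min": 0},
    {"pkts-to-closed-ports": 2600, "arp-requests": 25,   "ip-address-count": 121,  "system-resource-usage": 41, "login-failures/min": 0},
    {"pkts-to-closed-ports": 3,    "arp-requests": 22,   "ip-address-count": 119,  "system-resource-usage": 38, "login-failures/min": 12},
    {"pkts-to-closed-ports": 5,    "arp-requests": 4100, "ip-address-count": 2300, "system-resource-usage": 93, "login-failures/min": 1},
]

if __name__ == "__main__":
    for alert in evaluate(CONFIG, SAMPLES):
        print(f"minute {alert.minute}: {alert.param}={alert.value} exceeds {alert.limit}")
    print(summarize(evaluate(CONFIG, SAMPLES)))
```

Running the block prints one alert for the scan minute, one for the login-failure minute and three for the final minute. Rejecting out-of-range numeric limits up front, as `resolve_threshold` does, matters because a mistyped limit of 0 or a value past 2147483647 would otherwise either alert on every sample or never alert at all.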
394 Port Security