Access Security Guide K/KA/KB.15.15

Table 40 Parameters for monitoring (continued)

Parameter Name           Description
port-auth-failures/min   The count of times a client has been unsuccessful logging into the network.
system-delay             The response time, in seconds, of the CPU to new network events such as BPDU packets or packets for other network protocols. Some DoS attacks can cause the CPU to take too long to respond to new network events, which can lead to a breakdown of Spanning Tree or other features. A delay of several seconds indicates a problem.
mac-address-count        The number of MAC addresses learned in the forwarding table. Some attacks fill the forwarding table so that new conversations are flooded to all parts of the network.
mac-moves/min            The average number of MAC address moves from one port to another per minute. This usually indicates a network loop, but can also be caused by DoS attacks.
learn-discards/min       Number of MAC address learn events per minute discarded to help free CPU resources when busy.
Operating notes for the instrumentation monitor
To generate alerts for monitored events, you must enable the instrumentation monitoring log
and/or SNMP trap. The threshold for each monitored parameter can be adjusted to minimize
false alarms (see “Configuring instrumentation monitor” (page 364)).
When a parameter exceeds its threshold, an alert (event log message and/or SNMP trap) is
generated to inform network administrators of this condition. The following example shows
an event log message that occurs when the number of MAC addresses learned in the
forwarding table exceeds the configured threshold:
Figure 291 Event log message generated by instrumentation monitor
Alerts are automatically rate limited to prevent filling the log file with redundant information.
The following is an example of alerts that occur when the device is continually subject to the
same attack (too many MAC addresses in this instance):
Figure 292 Rate limiting when multiple messages are generated
In the preceding example, if a condition is reported 4 times (persists for more than 15 minutes)
then alerts cease for 15 minutes. If after 15 minutes the condition still exists, the alerts cease for
Overview 395
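To make the threshold and rate-limiting behaviour described above concrete, here is an added simulation (example code, not part of the guide and not the switch firmware's logic). It polls the parameters from Table 40 against thresholds, emits an alert message whenever a value exceeds its threshold, and silences a condition for 15 minutes once it has been reported 4 times in a row. The thresholds, the 5-minute polling interval and the sample values are constructed for this example; what happens after the quiet period expires is cut off on this page, so the code assumes the condition is reported once more and silenced again rather than escalating.

```python
"""Toy simulation of instrumentation-monitor style alerting with rate limiting.

Parameter names come from Table 40.  Thresholds, polling interval and samples
are constructed for this example, not switch defaults.
"""
from dataclasses import dataclass, field

REPORTS_BEFORE_SILENCE = 4      # a condition reported 4 times in a row ...
SILENCE_SECONDS = 15 * 60       # ... is then silenced for 15 minutes

# Constructed thresholds for the monitored parameters (not the switch defaults).
THRESHOLDS = {
    "port-auth-failures/min": 10,
    "system-delay": 2,           # seconds of CPU response time
    "mac-address-count": 1000,
    "mac-moves/min": 50,
    "learn-discards/min": 100,
}


@dataclass
class AlertState:
    consecutive: int = 0       # reports emitted in the current run of the condition
    silenced_until: int = 0    # epoch seconds until which alerts are suppressed


@dataclass
class InstrumentationMonitor:
    thresholds: dict
    state: dict = field(default_factory=dict)
    suppressed: int = 0        # alerts dropped by rate limiting

    def poll(self, now, sample):
        """Compare one sample against the thresholds and return the alert
        messages that would be logged at time `now` (epoch seconds)."""
        alerts = []
        for name, limit in self.thresholds.items():
            st = self.state.setdefault(name, AlertState())
            value = sample.get(name, 0)
            if value <= limit:
                # Condition cleared: the next occurrence starts a fresh count.
                st.consecutive = 0
                st.silenced_until = 0
                continue
            if now < st.silenced_until:
                self.suppressed += 1
                continue
            alerts.append(f"{name} {value} exceeds threshold {limit}")
            st.consecutive += 1
            if st.consecutive >= REPORTS_BEFORE_SILENCE:
                st.silenced_until = now + SILENCE_SECONDS
                # Assumption: once the quiet period ends, a still-present
                # condition is reported once and then silenced again.
                st.consecutive = REPORTS_BEFORE_SILENCE - 1
        return alerts


def simulate(samples, interval=300):
    """Run the monitor over samples taken `interval` seconds apart.
    Returns ([(time, message), ...], number_of_suppressed_alerts)."""
    mon = InstrumentationMonitor(THRESHOLDS)
    out = []
    for i, sample in enumerate(samples):
        now = i * interval
        out.extend((now, msg) for msg in mon.poll(now, sample))
    return out, mon.suppressed


# Constructed samples, one per 5-minute poll for an hour: a persistent MAC
# table flood plus a single burst of failed logins at the third poll.
SAMPLES = [
    {"mac-address-count": 2500,
     "port-auth-failures/min": 25 if i == 2 else 0}
    for i in range(12)
]

if __name__ == "__main__":
    alerts, suppressed = simulate(SAMPLES)
    for when, msg in alerts:
        print(f"t={when:5d}s  {msg}")
    print(f"{suppressed} alerts suppressed by rate limiting")
```

Running the block shows the MAC-table condition logged at the first four polls (0, 5, 10 and 15 minutes), then silence until the 30-minute mark, one more report, and so on, while the one-off burst of authentication failures is reported once and clears on its own.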