Enhancements

 

Release M.10.04 Enhancements

 

 

Parameter Name: Description

ip-address-count: The number of destination IP addresses learned in the IP forwarding table. Some attacks fill the IP forwarding table causing legitimate traffic to be dropped.

system-resource-usage (Denial of Service logging): The percentage of system resources in use. Some Denial-of-Service (DoS) attacks will cause excessive system resource usage, resulting in insufficient resources for legitimate traffic.

login-failures/min: The count of failed CLI login attempts or SNMP management authentication failures. This indicates an attempt has been made to manage the switch with an invalid login or password. Also, it might indicate a network management station has not been configured with the correct SNMP authentication parameters for the switch.

port-auth-failures/min: The count of times a client has been unsuccessful logging into the network.

system-delay: The response time, in seconds, of the CPU to new network events such as BPDU packets or packets for other network protocols. Some DoS attacks can cause the CPU to take too long to respond to new network events, which can lead to a breakdown of Spanning Tree or other features. A delay of several seconds indicates a problem.

mac-address-count: The number of MAC addresses learned in the forwarding table. Some attacks fill the forwarding table so that new conversations are flooded to all parts of the network.

mac-moves/min: The average number of MAC address moves from one port to another per minute. This usually indicates a network loop, but can also be caused by DoS attacks.

learn-discards/min: Number of MAC address learn events per minute discarded to help free CPU resources when busy.

 

 

 

Operating Notes

To generate alerts for monitored events, you must enable the instrumentation monitoring log and/or SNMP trap. The threshold for each monitored parameter is configurable and can be adjusted to minimize false alarms (see “Configuring Instrumentation Monitor” on page 73).

When a parameter exceeds its threshold, an alert (event log message and/or SNMP trap) is generated to inform network administrators of this condition. The following example shows an event log message that occurs when the number of MAC addresses learned in the forwarding table exceeds the configured threshold:

W 05/27/06 12:10:16 inst-mon: Limit for MAC addr count (300) is exceeded (321)

Callouts on this message, from left to right:

  Standard Date/Time Prefix for Event Log Messages
  “inst-mon” label indicates an Instrumentation Monitor event
  Monitored Parameter (MAC addr count)
  Threshold Value (300)
  Current Value (321)

Figure 16. Example of Event Log Message generated by Instrumentation Monitor
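The message layout in Figure 16 can be parsed when switch logs are forwarded to a collector. The Python below is an added example, not part of the original release notes: it extracts the monitored parameter, threshold and current value, and flags parameters that keep alerting inside a time window. It assumes the other monitored parameters use the same message template as the MAC address example; the function names, window settings and every sample line after the first are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Pattern taken from the single message in Figure 16. Assumption: other
# monitored parameters use the same "Limit for X (N) is exceeded (M)" template.
INST_MON = re.compile(
    r"^(?P<sev>[A-Z]) (?P<ts>\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) inst-mon: "
    r"Limit for (?P<param>.+?) \((?P<limit>\d+)\) is exceeded \((?P<value>\d+)\)$"
)

def parse_inst_mon(line):
    """Return a dict for an inst-mon alert line, or None for any other line."""
    m = INST_MON.match(line.strip())
    if not m:
        return None
    limit, value = int(m["limit"]), int(m["value"])
    return {
        "severity": m["sev"],
        "time": datetime.strptime(m["ts"], "%m/%d/%y %H:%M:%S"),
        "parameter": m["param"],
        "threshold": limit,
        "current": value,
        "over_pct": round(100 * (value - limit) / limit, 1) if limit else None,
    }

def sustained(lines, window=timedelta(minutes=5), min_alerts=3):
    """Parameters with min_alerts alerts inside window (lines in time order)."""
    recent, flagged = {}, set()
    for ev in filter(None, map(parse_inst_mon, lines)):
        times = recent.setdefault(ev["parameter"], [])
        times.append(ev["time"])
        # Keep only alerts inside the sliding window ending at this event.
        times[:] = [t for t in times if ev["time"] - t <= window]
        if len(times) >= min_alerts:
            flagged.add(ev["parameter"])
    return sorted(flagged)

# First line is the message from Figure 16; the other lines are constructed.
SAMPLE = [
    "W 05/27/06 12:10:16 inst-mon: Limit for MAC addr count (300) is exceeded (321)",
    "W 05/27/06 12:11:16 inst-mon: Limit for MAC addr count (300) is exceeded (512)",
    "I 05/27/06 12:12:00 ports: port 4 is now on-line",
    "W 05/27/06 12:13:16 inst-mon: Limit for MAC addr count (300) is exceeded (998)",
]

if __name__ == "__main__":
    for ev in filter(None, map(parse_inst_mon, SAMPLE)):
        print(ev["time"], ev["parameter"], ev["threshold"], ev["current"], ev["over_pct"])
    print("sustained parameters:", sustained(SAMPLE))
```

A single alert slightly over the limit usually calls for threshold tuning, while repeated alerts with a climbing current value point to the table-filling behaviour described for mac-address-count.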
