Enhancements

Release M.10.04 Enhancements

Alerts are automatically rate limited to prevent filling the log file with redundant information. The following is an example of alerts that occur when the device is continually subject to the same attack (too many MAC addresses in this instance):

W 01/01/90 00:05:00 inst-mon: Limit for MAC addr count (300) is exceeded (321)
W 01/01/90 00:10:00 inst-mon: Limit for MAC addr count (300) is exceeded (323)
W 01/01/90 00:15:00 inst-mon: Limit for MAC addr count (300) is exceeded (322)
W 01/01/90 00:20:00 inst-mon: Limit for MAC addr count (300) is exceeded (324)
W 01/01/90 00:20:00 inst-mon: Ceasing logs for MAC addr count for 15 minutes

Figure 17. Example of the rate limiting that occurs when multiple messages are generated

In the preceding example, once a condition has been reported 4 times (that is, it has persisted for more than 15 minutes), alerts for it cease for 15 minutes. If the condition still exists after those 15 minutes, alerts cease for 30 minutes, then for 1 hour, 2 hours, 4 hours, 8 hours, and after that the persisting condition is reported once a day. Note that ProCurve switches can also send event log entries to a syslog server, so the rate limiting also bounds the volume forwarded to a central collector.
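The backoff schedule described above, as an added Python simulation (this is not ProCurve firmware code): the 5-minute monitor loop, the per-condition limiter, the constructed MAC counts and the message formats are assumptions modelled on the example log, and the one alert logged when a quiet period expires is assumed to re-arm the next, longer quiet period.

```python
from dataclasses import dataclass, field

MONITOR_INTERVAL_MIN = 5                    # assumption: monitor runs every 5 minutes
INITIAL_BURST = 4                           # alerts logged before the first quiet period
BACKOFF_MIN = [15, 30, 60, 120, 240, 480]   # quiet periods, then once a day
DAY_MIN = 24 * 60


def fmt(minute):
    """Render a minute offset as the constructed 01/01/90 hh:mm:ss timestamp."""
    return f"01/01/90 {minute // 60:02d}:{minute % 60:02d}:00"


@dataclass
class AlertRateLimiter:
    """Per-condition limiter: a short burst, then exponentially growing quiet periods."""
    condition: str
    lines: list = field(default_factory=list)
    reports: int = 0            # alerts logged in the current burst
    allowed: int = INITIAL_BURST
    backoff_idx: int = 0
    quiet_until: int = 0        # minute offset at which suppression ends

    def observe(self, now, present, detail):
        if not present:         # condition cleared: a recurrence is reported afresh
            self.reports, self.allowed, self.backoff_idx, self.quiet_until = 0, INITIAL_BURST, 0, 0
            return
        if now < self.quiet_until:
            return              # still inside a quiet period: drop the alert
        self.reports += 1
        self.lines.append(f"W {fmt(now)} inst-mon: {detail}")
        if self.reports >= self.allowed:
            if self.backoff_idx < len(BACKOFF_MIN):
                window = BACKOFF_MIN[self.backoff_idx]
                self.backoff_idx += 1
            else:
                window = DAY_MIN
            self.lines.append(f"W {fmt(now)} inst-mon: Ceasing logs for {self.condition} for {window} minutes")
            self.quiet_until = now + window
            self.reports, self.allowed = 0, 1   # after a quiet period one alert re-arms the next


def simulate(hours, limit=300):
    """Run the 5-minute monitor loop against a MAC count that stays over the limit."""
    rl = AlertRateLimiter("MAC addr count")
    for i in range(1, hours * 60 // MONITOR_INTERVAL_MIN + 1):
        observed = limit + 20 + (i % 5)     # constructed counts, always above the limit
        rl.observe(i * MONITOR_INTERVAL_MIN, observed > limit,
                   f"Limit for MAC addr count ({limit}) is exceeded ({observed})")
    return rl.lines
```

Calling simulate(24) returns 17 log lines (10 alerts and 7 "Ceasing logs" notices) for a full day of a persisting condition, where an unthrottled monitor would log 288 alerts.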

Known Limitations

As of release M.10.06, the instrumentation monitor runs once every five minutes. The current implementation does not track information such as the port, MAC, and IP address from which an attack is received.
