Using The Instrumentation Monitor - HP 2530 Manual Supplement

Table 1 Dynamic IP lockdown host limits

Switch | Number of Hosts | DHCP Snooping Limit | Comments
3500/5400 | 64 bindings per port; up to 4096 manual bindings per switch | 8192 entries | This limit is shared with DHCP snooping because they both use the snooping database.
2530/2620 | 32 bindings per port; up to 2048 manual bindings per switch | 2048 entries | This limit is shared with DHCP snooping because they both use the snooping database. The number of IP lockdown hardware resources is not guaranteed because they are shared with ACL and QoS policies.
2615/2915 | 8 bindings per port; up to 128 manual bindings per switch | 128 entries | This limit is shared with DHCP snooping because they both use the snooping database. The number of IP lockdown hardware resources is not guaranteed because they are shared with ACL and QoS policies.

A source is considered "trusted" for all VLANs if it is seen on any VLAN without DHCP snooping enabled.

Using the instrumentation monitor

Use the instrumentation monitor to detect anomalies caused by security attacks or other irregular operations on the switch. Table 2 "Instrumentation monitor — Monitored parameters" (page 26) shows the operating parameters that can be monitored at pre-determined intervals, and the possible security attacks that may trigger an alert.

Table 2 Instrumentation monitor — Monitored parameters

Parameter Name | Description — Possible security attacks
arp-requests | Number of ARP requests processed per minute. Many ARP request packets could indicate a host infected with a virus that is trying to spread itself.
ip-address-count | The number of destination IP addresses learned in the IP forwarding table. Some attacks fill the IP forwarding table, causing legitimate traffic to be dropped.
learn-discards/min | Number of MAC address learn events per minute discarded to help free CPU resources when busy.
login-failures/min | The number of failed CLI login attempts or SNMP management authentication failures per minute. This indicates an attempt has been made to manage the switch with an invalid login or password, and may indicate that a network management station has not been configured with the correct SNMP authentication parameters for the switch.
mac-address-count | The number of MAC addresses learned in the forwarding table. Some attacks fill the forwarding table, causing new conversations to flood all parts of the network.
mac-moves/min | The average number of MAC address moves from one port to another per minute. This usually indicates a network loop, but can also be caused by DoS attacks.
pkts-to-closed-ports | The count of packets per minute sent to closed TCP/UDP ports. An excessive amount of packets could indicate a port scan, where an attacker attempts to expose a vulnerability in the switch.
port-auth-failures/min | The number of times per minute that a client has made unsuccessful attempts to log into the network.
system-delay | The response time, in seconds, of the CPU to new network events such as BPDU packets or packets for other network protocols. Some DoS attacks can cause the CPU to take too long to respond to new network events, which can lead to a breakdown of Spanning Tree or other features. A delay of several seconds indicates a problem.
system-resource-usage | The percentage of system resources in use. Some Denial-of-Service (DoS) attacks will cause excessive system resource usage, resulting in insufficient resources for legitimate traffic.

26 Updates for the HP Switch Software Access Security Guide
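One way a management station could act on the parameters in Table 2, as an added example that is not from the HP manual: the script below scores polled readings against per-parameter thresholds and tags each alert with the attack the table associates with that parameter. It assumes the parameters the table describes as per-minute values are polled as cumulative counters (converted to rates, with a counter that goes backwards skipped) and the remaining ones as absolute readings; the thresholds and the sample readings are constructed, not switch defaults or real output.

```python
# Table 2 parameters and the attack each one hints at. "rate" entries are
# polled as cumulative counters and converted to events per minute; "level"
# entries are absolute readings. Thresholds are constructed, not HP defaults.
RULES = {
    "arp-requests":           ("rate",  500,  "ARP flood: a host may be infected and spreading"),
    "ip-address-count":       ("level", 3000, "IP forwarding table being filled"),
    "learn-discards/min":     ("rate",  100,  "CPU busy, MAC learn events discarded"),
    "login-failures/min":     ("rate",  5,    "invalid CLI/SNMP credentials in use"),
    "mac-address-count":      ("level", 6000, "MAC table fill, new conversations will flood"),
    "mac-moves/min":          ("rate",  50,   "network loop or DoS"),
    "pkts-to-closed-ports":   ("rate",  200,  "port scan against the switch"),
    "port-auth-failures/min": ("rate",  10,   "repeated failed network logins"),
    "system-delay":           ("level", 3,    "CPU too slow, Spanning Tree at risk"),
    "system-resource-usage":  ("level", 90,   "DoS exhausting system resources"),
}

def per_minute(prev, cur, dt_s):
    """Events per minute between two counter readings, or None when the
    counter went backwards (reboot or wrap) so that sample is not scored."""
    if dt_s <= 0 or cur < prev:
        return None
    return (cur - prev) * 60.0 / dt_s

def evaluate(samples):
    """samples: dicts {'t': seconds, <parameter>: reading, ...} ordered by t.
    Returns (t, parameter, value, reason) for every reading over its limit."""
    alerts, prev = [], None
    for cur in samples:
        for param, (kind, limit, reason) in RULES.items():
            value = cur.get(param)  # parameter not polled: nothing to score
            if value is not None and kind == "rate":
                # a rate needs the previous reading of the same counter
                value = None if prev is None or param not in prev else \
                    per_minute(prev[param], value, cur["t"] - prev["t"])
            if value is not None and value > limit:
                alerts.append((cur["t"], param, value, reason))
        prev = cur
    return alerts

# Constructed readings polled every 30 s (not real switch output); in the
# last sample arp-requests goes backwards, as it would after a reboot.
SAMPLES = [
    {"t": 0,  "arp-requests": 1000, "pkts-to-closed-ports": 400, "system-delay": 0.1, "mac-address-count": 1200},
    {"t": 30, "arp-requests": 1100, "pkts-to-closed-ports": 900, "system-delay": 0.2, "mac-address-count": 1210},
    {"t": 60, "arp-requests": 1700, "pkts-to-closed-ports": 950, "system-delay": 4.5, "mac-address-count": 1230},
    {"t": 90, "arp-requests": 200,  "pkts-to-closed-ports": 960, "system-delay": 0.3, "mac-address-count": 1240},
]

print(*evaluate(SAMPLES), sep="\n")
```

With the constructed readings the run flags the closed-port burst at 30 s, then the ARP burst and the multi-second CPU delay at 60 s, and silently drops the reset counter at 90 s.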
