Configuring Instrumentation Monitor - HP 2530 Manual Supplement

To generate alerts for monitored events, enable the instrumentation monitoring log or SNMP trap.
Adjust the threshold for each monitored parameter to minimize false alarms (see
instrumentation monitor" (page
When a parameter exceeds its threshold, an alert (event log message or SNMP trap) is generated
to inform network administrators of this condition.
monitor" (page 27)
learned in the forwarding table exceeds the configured threshold:
Figure 2 Event log message generated by instrumentation monitor
Alerts are automatically rate-limited to prevent filling the log file with redundant information.
limiting when multiple messages are generated" (page 27)
when the device is continually subject to the same attack (too many MAC addresses in this instance):
Example 18 Rate limiting when multiple messages are generated
W 01/01/90 00:05:00 inst-mon: Limit for MAC addr count (300) is exceeded (321)
W 01/01/90 00:10:00 inst-mon: Limit for MAC addr count (300) is exceeded (323)
W 01/01/90 00:15:00 inst-mon: Limit for MAC addr count (300) is exceeded (322)
W 01/01/90 00:20:00 inst-mon: Limit for MAC addr count (300) is exceeded (324)
W 01/01/90 00:20:00 inst-mon: Ceasing logs for MAC addr count for 15 minutes
In "Rate limiting when multiple messages are generated" (page
times (persists for more than 15 minutes), then alerts cease for 15 minutes. If after 15 minutes the
condition still exists, the alerts cease for 30 minutes, then for 1 hour, 2 hours, 4 hours, 8 hours,
and after that the persisting condition is reported once a day. As with other event log entries, these
alerts can be sent to a syslog server.
Known Limitations: The instrumentation monitor runs once every five minutes. The current
implementation does not track information such as the port, MAC, and IP address from which an
attack is received.

Configuring instrumentation monitor

The following commands and parameters are used to configure the operational thresholds that are
monitored on the switch. By default, the instrumentation monitor is disabled.
Syntax:
[no] instrumentation monitor [ parameterName | all ] [ <low | med | high
| limitValue> ]
Parameter
[all]
[arp-requests]
27)).
shows an event log message that occurs when the number of MAC addresses
Task
Enables/disables all counter types
on the switch but does not
enable/disable instrumentation
monitor logging.
The number of arp requests
processed each minute.
"Event log message generated by instrumentation
shows an example of alerts that occur
27), if a condition is reported 4
Detail: default
Default threshold setting when
enabled: see parameter details
below
Default threshold setting when
enabled: 1000 (med)
Using the instrumentation monitor
"Configuring
"Rate
27