
HP 2530 User Manual

Table 1 Dynamic IP lockdown host limits

| Switch | Number of Hosts | DHCP Snooping Limit | Comments |
|---|---|---|---|
| 3500/5400 | 64 bindings per port. Up to 4096 manual bindings per switch. | 8192 entries | This limit is shared with DHCP snooping because they both use the snooping database. |
| 2530/2620 | 32 bindings per port. Up to 2048 manual bindings per switch. | 2048 entries | This limit is shared with DHCP snooping because they both use the snooping database. The number of IP lockdown hardware resources is not guaranteed because they are shared with ACL and QoS policies. |
| 2615/2915 | 8 bindings per port. Up to 128 manual bindings per switch. | 128 entries | This limit is shared with DHCP snooping because they both use the snooping database. The number of IP lockdown hardware resources is not guaranteed because they are shared with ACL and QoS policies. |

A source is considered “trusted” for all VLANs if it is seen on any VLAN without DHCP snooping
enabled.
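
A capacity check built on the Table 1 limits, as an added example (not code from the HP manual): it validates a planned set of manual bindings and expected DHCP-learned hosts against a switch family's limits. The sample plan is constructed, and counting both kinds of binding toward the per-port and snooping-database limits is an assumption.

```python
from collections import Counter

# Limits copied from Table 1. On 2530/2620 and 2615/2915 the hardware
# resources are shared with ACL and QoS policies, so these are upper bounds.
LIMITS = {
    "3500/5400": {"per_port": 64, "manual": 4096, "snooping_db": 8192},
    "2530/2620": {"per_port": 32, "manual": 2048, "snooping_db": 2048},
    "2615/2915": {"per_port": 8, "manual": 128, "snooping_db": 128},
}


def check_plan(model, manual_bindings, expected_leases):
    """Return a list of Table 1 limit violations for a planned deployment.

    manual_bindings: iterable of (port, ip, mac) static bindings.
    expected_leases: dict of port -> expected number of DHCP-learned hosts.
    Assumption: manual and DHCP-learned bindings both count toward the
    per-port limit and both consume snooping database entries.
    """
    lim = LIMITS[model]
    manual_bindings = list(manual_bindings)
    per_port = Counter(port for port, _ip, _mac in manual_bindings)
    for port, count in expected_leases.items():
        per_port[port] += count

    problems = []
    for port, count in sorted(per_port.items()):
        if count > lim["per_port"]:
            problems.append(f"port {port}: {count} bindings exceed {lim['per_port']} per port")
    if len(manual_bindings) > lim["manual"]:
        problems.append(f"{len(manual_bindings)} manual bindings exceed {lim['manual']} per switch")
    total = sum(per_port.values())
    if total > lim["snooping_db"]:
        problems.append(f"{total} total bindings exceed {lim['snooping_db']} snooping entries")
    return problems


# Constructed sample plan: 5 static bindings on port 1 (documentation
# addresses), 4 DHCP hosts on port 1, and 6 DHCP hosts on each of ports 2-23.
MANUAL = [(1, f"192.0.2.{i}", f"00:00:5e:00:53:{i:02x}") for i in range(1, 6)]
LEASES = {1: 4, **{port: 6 for port in range(2, 24)}}

if __name__ == "__main__":
    for model in LIMITS:
        print(model, check_plan(model, MANUAL, LEASES) or "within limits")
```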
Using the instrumentation monitor
Use the instrumentation monitor to detect anomalies caused by security attacks or other irregular
operations on the switch. “Instrumentation monitor Monitored parameters” (page 26) shows the
operating parameters that can be monitored at pre-determined intervals, and the possible security
attacks that may trigger an alert.
Table 2 Instrumentation monitor Monitored parameters

| Parameter Name | Description / Possible security attacks |
|---|---|
| arp-requests | Number of ARP requests processed per minute. Many ARP request packets could indicate a host infected with a virus that is trying to spread itself. |
| ip-address-count | The number of destination IP addresses learned in the IP forwarding table. Some attacks fill the IP forwarding table causing legitimate traffic to be dropped. |
| learn-discards/min | Number of MAC address learn events per minute discarded to help free CPU resources when busy. |
| login-failures/min | The number of failed CLI login attempts or SNMP management authentication failures per minute. This indicates an attempt has been made to manage the switch with an invalid login or password, and may indicate that a network management station has not been configured with the correct SNMP authentication parameters for the switch. |
| mac-address-count | The number of MAC addresses learned in the forwarding table. Some attacks fill the forwarding table causing new conversations to flood all parts of the network. |
| mac-moves/min | The average number of MAC address moves from one port to another per minute. This usually indicates a network loop, but can also be caused by DoS attacks. |
| pkts-to-closed-ports | The count of packets per minute sent to closed TCP/UDP ports. An excessive amount of packets could indicate a port scan, where an attacker attempts to expose a vulnerability in the switch. |
| port-auth-failures/min | The number of times per minute that a client has made unsuccessful attempts to log into the network. |
| system-delay | The response time, in seconds, of the CPU to new network events such as BPDU packets or packets for other network protocols. Some DoS attacks can cause the CPU to take too long to respond to new network events, which can lead to a breakdown of Spanning Tree or other features. A delay of several seconds indicates a problem. |
| system-resource-usage | The percentage of system resources in use. Some Denial-of-Service (DoS) attacks will cause excessive system resource usage, resulting in insufficient resources for legitimate traffic. |

26 Updates for the HP Switch Software Access Security Guide
