Using the instrumentation monitor

The instrumentation monitor can be used to detect anomalies caused by security attacks or other irregular operations on the switch. The following table shows the operating parameters that can be monitored at pre-determined intervals, and the possible security attacks that may trigger an alert:

Parameters for monitoring

Parameter name

Description

pkts-to-closed-ports

The count of packets per minute sent to closed TCP/UDP ports. An excessive number of packets could indicate a port scan, in which an attacker is attempting to expose a vulnerability in the switch.

arp-requests

The count of ARP requests processed per minute. A large number of ARP request packets could indicate a host infected with a virus that is trying to spread itself.

ip-address-count

The number of destination IP addresses learned in the IP forwarding table. Some attacks fill the IP forwarding table, causing legitimate traffic to be dropped.

system-resource-usage

The percentage of system resources in use. Some Denial-of-Service (DoS) attacks will cause excessive system resource usage, resulting in insufficient resources for legitimate traffic.

Threshold settings for a monitored parameter:

<1–2147483647> – Set the threshold value
low – Low threshold
med – Medium threshold
high – High threshold

login-failures/min

The count of failed CLI login attempts or SNMP management authentication failures. This indicates an attempt has been made to manage the switch with an invalid login or password. Also, it might indicate a network management station has not been configured with the correct SNMP authentication parameters for the switch.

port-auth-failures/min

The count of times per minute a client has failed to log in to the network (port authentication failures).

system-delay

The response time, in seconds, of the CPU to new network events such as BPDU packets or packets for other network protocols. Some DoS attacks can cause the CPU to take too long to respond to new network events, which can lead to a breakdown of Spanning Tree or other features. A delay of several seconds indicates a problem.

mac-address-count

The number of MAC addresses learned in the forwarding table. Some attacks fill the forwarding table so that new conversations are flooded to all parts of the network.

mac-moves/min

The average number of MAC address moves from one port to another per minute. This usually indicates a network loop, but can also be caused by DoS attacks.

learn-discards/min

The number of MAC address learn events per minute that are discarded to free CPU resources when the switch is busy.
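As an added illustration (not code from the switch documentation or vendor), the following evaluates per-interval samples of the parameter names above against thresholds and only raises an alert when a value stays above its threshold for two consecutive intervals, so a single noisy sample does not trigger. The threshold numbers and the sample values are constructed assumptions, not values from the manual.

```python
# Added example: threshold evaluation over per-minute samples of the
# instrumentation-monitor parameters. Threshold numbers and samples are
# constructed for illustration and are not taken from the manual.

THRESHOLDS = {  # constructed thresholds keyed by the parameter names in the table
    "pkts-to-closed-ports": 100,   # packets per minute
    "arp-requests": 500,           # requests per minute
    "ip-address-count": 1000,      # entries in the IP forwarding table
    "system-resource-usage": 90,   # percent of system resources in use
    "login-failures/min": 5,
    "port-auth-failures/min": 10,
    "system-delay": 3,             # seconds of CPU response delay
    "mac-address-count": 4000,     # entries in the MAC forwarding table
    "mac-moves/min": 50,
    "learn-discards/min": 100,
}

def evaluate_samples(samples, thresholds=THRESHOLDS, consecutive=2):
    """Return {parameter: index of the interval at which the alert fired} for
    every parameter whose value exceeded its threshold in `consecutive`
    adjacent intervals. Requiring more than one interval suppresses alerts
    caused by a single transient spike."""
    alerts = {}
    streak = {name: 0 for name in thresholds}
    for idx, sample in enumerate(samples):
        for name, limit in thresholds.items():
            value = sample.get(name, 0)      # a parameter absent from a sample counts as 0
            if value > limit:
                streak[name] += 1
                if streak[name] >= consecutive and name not in alerts:
                    alerts[name] = idx
            else:
                streak[name] = 0
    return alerts

# Constructed one-minute samples: a sustained rise in packets to closed ports
# (the port-scan pattern described in the table) alerts; a one-off ARP spike
# does not, because it is not sustained across two intervals.
SAMPLES = [
    {"pkts-to-closed-ports": 12, "arp-requests": 40, "system-delay": 0},
    {"pkts-to-closed-ports": 350, "arp-requests": 900, "system-delay": 0},
    {"pkts-to-closed-ports": 420, "arp-requests": 30, "system-delay": 1},
    {"pkts-to-closed-ports": 15, "arp-requests": 35, "system-delay": 0},
]

if __name__ == "__main__":
    for name, idx in evaluate_samples(SAMPLES).items():
        print(f"{name}: threshold exceeded from interval {idx}")
```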