Operating notes for the instrumentation monitor

  • To generate alerts for monitored events, you must enable both the instrumentation monitoring log and the SNMP trap. The threshold for each monitored parameter can be adjusted to minimize false alarms (see Configuring instrumentation monitor).

  • When a parameter exceeds its threshold, an alert (an event log message and an SNMP trap) is generated to inform network administrators of the condition. The following example shows the event log message generated when the number of MAC addresses learned in the forwarding table exceeds the configured threshold:

Event log message generated by instrumentation monitor
  • Alerts are automatically rate limited to prevent the log file from filling with redundant information. The following is an example of the alerts generated when the device is continuously subjected to the same attack (too many MAC addresses, in this instance):

Rate limiting when multiple messages are generated
In the preceding example, once a condition has been reported 4 times (that is, it has persisted for more than 15 minutes), alerts for it cease for 15 minutes. If the condition still exists after that, it is reported once more and alerts then cease for 30 minutes, then 1 hour, 2 hours, 4 hours, and 8 hours; after that, a persisting condition is reported once a day. If the condition clears, the schedule resets and a new occurrence is reported immediately. As with other event log entries, these alerts can be sent to a server.
  • Known limitations: The instrumentation monitor runs once every five minutes, so a condition is detected no sooner than the next monitoring cycle. The current implementation does not record the port, MAC address, or IP address from which an attack is received, so an alert identifies the condition but not its source; locating the offending host requires correlating the alert with other data (for example, the MAC address table at the time of the alert).
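The following Python model of the rate-limiting schedule is an added example, not code from the switch firmware or from the original documentation. It assumes the monitor polls every 5 minutes, that the first 4 consecutive reports of a condition all alert, that each subsequent quiet period (15, 30, 60, 120, 240, 480 minutes, then 24 hours) is measured from the previous alert, and that a condition which clears resets the schedule; the class and function names are hypothetical. It is useful for estimating how many log lines and traps a persistent condition will produce over a given period, and for checking that a monitoring pipeline does not mistake the quiet periods for the attack having stopped.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed parameters of the monitor, taken from the text above.
POLL_INTERVAL_MIN = 5                 # monitor runs once every five minutes
INITIAL_ALERTS = 4                    # first 4 reports always alert
BACKOFF_MINUTES = [15, 30, 60, 120, 240, 480]   # quiet periods after the 4th alert
DAILY_MINUTES = 24 * 60               # after the backoff list, once a day


@dataclass
class ConditionState:
    """Per-condition bookkeeping (hypothetical; the device's own state is not documented)."""
    reports: int = 0                  # consecutive polls in which the threshold was exceeded
    backoff_index: int = 0            # how many post-initial alerts have already fired
    last_alert_minute: Optional[int] = None


class AlertRateLimiter:
    """Decides, per monitored condition, whether a given poll produces an alert."""

    def __init__(self) -> None:
        self.states: Dict[str, ConditionState] = {}

    def _quiet_period(self, st: ConditionState) -> int:
        # Each alert after the first four lengthens the quiet period; then daily.
        if st.backoff_index < len(BACKOFF_MINUTES):
            return BACKOFF_MINUTES[st.backoff_index]
        return DAILY_MINUTES

    def observe(self, condition: str, minute: int, exceeded: bool) -> bool:
        """Record one poll of `condition` at time `minute`; return True if an alert fires."""
        if not exceeded:
            # Condition cleared: forget its history so a recurrence alerts immediately.
            self.states.pop(condition, None)
            return False
        st = self.states.setdefault(condition, ConditionState())
        st.reports += 1
        if st.reports <= INITIAL_ALERTS:
            st.last_alert_minute = minute
            return True
        assert st.last_alert_minute is not None
        if minute - st.last_alert_minute >= self._quiet_period(st):
            st.last_alert_minute = minute
            st.backoff_index += 1
            return True
        return False


def simulate(exceeded_at: List[bool], condition: str = "mac-address-count") -> List[int]:
    """Feed one poll result per 5-minute slot and return the minutes at which alerts fire.

    `exceeded_at[i]` is the (constructed) outcome of the poll at minute 5*i.
    """
    limiter = AlertRateLimiter()
    alerts = []
    for i, exceeded in enumerate(exceeded_at):
        minute = i * POLL_INTERVAL_MIN
        if limiter.observe(condition, minute, exceeded):
            alerts.append(minute)
    return alerts


def persistent_attack(days: int) -> List[int]:
    """Alert schedule for a condition that never clears over `days` days."""
    polls = days * DAILY_MINUTES // POLL_INTERVAL_MIN
    return simulate([True] * polls)


if __name__ == "__main__":
    # Constructed scenario: a MAC flood that persists for three days.
    three_days = persistent_attack(3)
    print(f"{len(three_days)} alerts in 3 days, at minutes: {three_days}")
    # Constructed scenario: flood seen for three polls, clears for one, then returns.
    print(simulate([True, True, True, False, True]))
```

The first scenario shows why an operator should not read the long quiet periods as recovery: a flood that persists for three days yields only twelve alerts, with gaps that grow to 24 hours. Any detection rule built on these events should treat the last alert as "still active until a clearing event is observed" rather than alerting only on new log lines.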