When the switch detects an intrusion on a port, it sets an "alert flag" for that port and makes the intrusion information available as described below. While the switch can detect additional intrusions for the same port, it does not list the next chronological intrusion for that port in the Intrusion Log until the alert flag for that port has been reset.
When a security violation occurs on a port configured for Port Security, the switch responds in the following ways to notify you:
- The switch sets an alert flag for that port. This flag remains set until:
  - You use either the CLI, menu interface, or WebAgent to reset the flag.
  - The switch is reset to its factory default configuration.
- The switch enables notification of the intrusion through the following means:
  - In the CLI:
    - The show port-security intrusion-log command displays the Intrusion Log.
    - The log command displays the Event Log.
  - In the menu interface:
    - The Port Status screen includes a per-port intrusion alert.
    - The Event Log includes per-port entries for security violations.
  - In the WebAgent:
    - The Alert Log includes entries for per-port security violations.
    - The Intrusion Log lists per-port security violation entries.
  - In network management applications such as HP PCM+, via an SNMP trap sent to a network management station.
When the switch detects an intrusion attempt on a port, it enters a record of this event in the Intrusion Log. No further intrusion attempts on that port will appear in the Log until you acknowledge the earlier intrusion event by resetting the alert flag.
The Intrusion Log lists the 20 most recently detected security violation attempts, regardless of whether the alert flags for these attempts have been reset. This gives you a history of past intrusion attempts. Thus, for example, if there is an intrusion alert for port A1 and the Intrusion Log shows two or more entries for port A1, only the most recent entry has not been acknowledged (by resetting the alert flag). The other entries give you a history of past intrusions detected on port A1.
Multiple intrusion log entries for the same port:

HP Switch(config)# show port-security intrusion-log

 Status and Counters - Intrusion Log

  Port  MAC Address    Date / Time
  ----- -------------  --------------------------
  1     080009-e93d4f  03/07/11 21:09:34
  1     080009-e93d4f  03/07/11 10:18:43
The log shows the most recent intrusion at the top of the listing. You cannot delete Intrusion Log entries (unless you reset the switch to its factory-default configuration). Instead, if the log is filled when the switch detects a new intrusion, the oldest entry is dropped off the listing and the newest entry appears at the top of the listing.
When a violation occurs on a port, an alert flag is set for that port and the violation is entered in the Intrusion Log. The switch can detect and handle subsequent intrusions on that port, but will not log another intrusion on the port until you reset the alert flag for either all ports or for the individual port.
The menu interface indicates per-port intrusions in the Port Status screen, and provides details and the reset function in the Intrusion Log screen.
- Type [I] (Intrusion log) to display the Intrusion Log.
  This example shows two intrusions for port 3 and one intrusion for port 1. In this case, only the most recent intrusion at port 3 has not been acknowledged (reset). This is indicated by the following:
  - Because the Port Status screen (see "Port status screen with intrusion alert on port 3") does not indicate an intrusion for port 1, the alert flag for the intrusion on port 1 has already been reset.
  - Since the switch can show only one uncleared intrusion per port, the alert flag for the older intrusion on port 3 in this example has also been previously reset.
- To acknowledge the most recent intrusion entry on port 3 and enable the switch to enter a subsequently detected intrusion on this port, type [R] (Reset alert flags).
  Note that if there are unacknowledged intrusions on two or more ports, this step resets the alert flags for all such ports.
  If you then re-display the Port Status screen, you will see that the Intrusion Alert entry for port 3 has changed to "No". That is, your evidence that the Intrusion Alert flag has been acknowledged (reset) is that the Intrusion Alert column in the Port Status display no longer shows "Yes" for the port on which the intrusion occurred (port 3 in this example). (Because the Intrusion Log provides a history of the last 20 intrusions detected by the switch, resetting the alert flags does not change its content. Thus, displaying the Intrusion Log again will result in the same display as in "The Intrusion Log display," above.)
The following commands display port status, including whether there are intrusion alerts for any ports, list the last 20 intrusions, and either reset the alert flag on all ports or for a specific port for which an intrusion was detected. The record of the intrusion remains in the log. For more information, see Operating notes for port security.
Syntax:
Example:
In the following example, executing show interfaces brief lists the switch port status, indicating an intrusion alert on port 1.
To see the details of the intrusion, enter the show port-security intrusion-log command. For example:
The above example shows three intrusions for port 1. Since the switch can show only one uncleared intrusion per port, the older two intrusions in this example have already been cleared by earlier use of the clear intrusion-log or the port-security <port-list> clear-intrusion-flag command. The intrusion log holds up to 20 intrusion records, and deletes intrusion records only when the log becomes full and new intrusions are subsequently added. The "prior to " text in the record for the third intrusion means that a switch reset occurred at the indicated time and that the intrusion occurred prior to the reset.
To clear the intrusion from port 1 and enable the switch to enter any subsequent intrusion for port 1 in the Intrusion Log, execute the port-security clear-intrusion-flag command. If you then re-display the port status screen, you will see that the Intrusion Alert entry for port 1 has changed to "No". (Executing show port-security intrusion-log again will result in the same display as above, and does not include the Intrusion Alert status.)
HP Switch(config)# port-security 1 clear-intrusion-flag
HP Switch(config)# show interfaces brief
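The following added example (not part of the switch documentation) parses a show port-security intrusion-log listing as described above, keeps the newest entry per port as the only candidate for an uncleared alert flag, and flags records that carry the "prior to" reset marker. The sample listing, its MAC addresses and the placement of "prior to" in front of the timestamp are constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample of `show port-security intrusion-log` output, modelled on the
# listing in this document (newest entry first). The last line is a constructed
# example of a record that carries the "prior to" marker (intrusion before a reset).
SAMPLE_OUTPUT = """\
HP Switch(config)# show port-security intrusion-log

 Status and Counters - Intrusion Log

  Port  MAC Address    Date / Time
  ----- -------------  --------------------------
  1     080009-e93d4f  03/07/11 21:09:34
  3     080009-aa11bb  03/07/11 14:02:10
  1     080009-e93d4f  03/07/11 10:18:43
  1     080009-e93d4f  prior to 03/06/11 08:00:00
"""

MAX_LOG_ENTRIES = 20  # the switch keeps the 20 most recent records

# Assumed layout: port, MAC (xxxxxx-xxxxxx), optional "prior to", then the timestamp.
ENTRY_RE = re.compile(
    r"^\s*(?P<port>\S+)\s+(?P<mac>[0-9a-f]{6}-[0-9a-f]{6})\s+"
    r"(?P<prior>prior to\s+)?(?P<when>\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s*$",
    re.IGNORECASE,
)

@dataclass
class IntrusionEntry:
    port: str
    mac: str
    when: str
    before_reset: bool  # True when the record shows the "prior to" marker

def parse_intrusion_log(text):
    """Return the log entries in listing order (most recent first); header,
    prompt and separator lines do not match the entry pattern and are skipped."""
    entries = [IntrusionEntry(m["port"], m["mac"], m["when"], m["prior"] is not None)
               for m in (ENTRY_RE.match(line) for line in text.splitlines()) if m]
    if len(entries) > MAX_LOG_ENTRIES:
        raise ValueError("more than 20 records: not a single intrusion-log listing")
    return entries

def newest_per_port(entries):
    """Only the most recent record for a port can still have an uncleared alert
    flag; every older record for that port is history. Listing is newest-first."""
    newest = {}
    for entry in entries:
        newest.setdefault(entry.port, entry)
    return newest

def history_for_port(entries, port):
    return [e for e in entries if e.port == port]
```

Cross-check the result of newest_per_port against the Intrusion Alert column of show interfaces brief: a port listed there with "Yes" should correspond to its newest record here, and clearing the flag changes that column without removing any record.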
For more on clearing intrusions, see Keeping the intrusion log current by resetting alert flags.
The Event Log lists port security intrusions as:
where "W" is the severity level of the log entry and FFI is the system module that generated the entry. For further information, display the Intrusion Log, as shown below.
From the manager or Configuration level:
Syntax:
For more Event Log information, see "Using the Event Log to identify problem sources" in the Management and Configuration Guide for your switch.