
PCM plus mac-lockout policy does not work on 2910al

 


Hello,
I have PCMplus v C.03.10.201 and I'm trying to create a policy that applies to a switch hp2910al-24g-poe. This policy must detect an SNMP trap if there is a utilization threshold violation on a switch port, and react by sending an email and locking out the MAC address of the host that causes that traffic violation. I slowed down the thresholds on a specific port for testing and I started a file transfer between two hosts on the same switch.
I see the threshold violation events on PCM and I receive the notification email BUT the policy does NOT LOCK OUT any MAC because there are "NO TARGETS FOUND IN THE EVENT".
If in the policy I specify the MAC to lock, it works fine, but I want the MACs to be DYNAMICALLY LEARNED!!
The switch has the last firmware.

Can you help me?
Best regards

Francesco




Tore Valberg
Trusted Contributor

Re: PCM plus mac-lockout policy does not work on 2910al

Hi Francesco

I suspect the event you are using is coming from PCM itself, not a switch trap.
Utilization errors are usually generated by traffic monitoring (sflow).

And I doubt the event you see contains the MAC address to lock out, so I am afraid it will be difficult. At least this way.

Apologies if I misunderstand.

If you take some screenshots, add them to a .doc and attach it here, I can at least have a look.

There might be alternative ways to do it.

Tore

Re: PCM plus mac-lockout policy does not work on 2910al

Hi Tore,
I'll give you the print screens as soon as possible

Thank you

Francesco
Tore Valberg
Trusted Contributor

Re: PCM plus mac-lockout policy does not work on 2910al

Hi Francesco

As I haven't played much with NIM yet, I set up a testbed for this.

Basically, the event you are using for the policy does not contain the MAC address of the "offender", so PCM does not know what MAC to lock out.

Mac-lockout can be used with any of the NIM events coming in. The threshold violation is a standard PCM event, and will only give the "offending" port.

In Policy Manager, if you expand the "Security" section you will see all the alerts you can use with mac-lockout.

However, I did set up a policy that disabled the port (the sending port) once a threshold event came in.

I tested by pushing multicast from port A3 to a receiver on port A2. Port A3 got disabled, while port A2 was left enabled.

What is important is to "tick" the "Act on Edge ports only" option to avoid up-link ports being disabled. (Could be nasty.)

I'm not sure if disabling the port is an option at all for you, but just in case I've attached a doc with screenshots of my policy config.

Hope it helps.

Tore

Re: PCM plus mac-lockout policy does not work on 2910al

Hi Tore,
thanks for your time.

I understood that the offending MAC was in the trap message, but I'm wrong.

The policy that shuts down the offending port could be a valid alternative because there are no hubs and we have a host per port.

I have only PCMplus without NIM, IDM, etc.

I understand that PCMplus alone has some limits that aren't so clear...

HP should notify with a popup or some other message that the action or policy I'm writing could not work without some PCM components!!

Is there a place to see what basic alerts I can use and what basic actions they can do, without testing each one?

Thank you very much
Francesco
Tore Valberg
Trusted Contributor

Re: PCM plus mac-lockout policy does not work on 2910al

Hi Francesco

I can understand that.

The problem is that Policy Manager is such a universal and powerful tool. To list all the possible combinations would simply be too much.

You can look at Policy Manager as building blocks. There are so many ways of using Policy Manager. In my opinion it's the most powerful tool in PCM+.

The best advice I can give with regard to event-based alerts is to make sure the information needed to trigger the action is in the event.

The Policy Manager part of the manual (Administration Guide) is also quite good. But it does not list possible combinations.

By the way, are you sure you do not have NIM installed? And it's running on trial?

The mac-lockout policy action is a NIM feature. (If I'm not very mistaken.)

Tore

Re: PCM plus mac-lockout policy does not work on 2910al

Hi Tore,
I'm running on trial but I have installed only basic PCM+ because this lab helps me in supporting a true installation where there is only PCM+.

A table that assigns each event to the PCM+ component would be very helpful.

I can't know if the information that triggers the policy action is in the event; I must try it!

For example, if the switches support Virus Throttling, I suppose that I can't use it if I don't have NIM installed.

Is it right?

Best regards

Francesco