An important part of monitoring is reducing the noise of unnecessary alerts.

 

When monitoring the connection ports on your network devices, you want to know which endpoints are connected through which ports, but those connections are usually best presented through an event log. In contrast, an alert is most useful when a rogue endpoint, either unsanctioned or explicitly prohibited, connects to a device port.

 

Identifying rogue endpoints on the network depends on first knowing that some set of devices is explicitly allowed. For that you need a white list.

 

With a white list set up, and assuming your monitoring system supports this feature, you then need some way to generate alerts when a rogue endpoint connects. If your network devices trigger a trap each time an endpoint connects, your monitoring application should be able to receive each trap and compare its information against the white list, sending an alert only when the endpoint (identified by MAC address or hostname) in the trap data does not appear on the white list.

 

As a result, your device port monitoring is set up to alert you in real time when a rogue device connects to your network. This allows alerts to stand out among other normal events.
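The trap-versus-white-list comparison described above can be sketched as follows. This is an added example, not code from SolarWinds or the original article; the trap field names, the white list entries and the sample traps are all constructed, and it assumes traps have already been decoded into dictionaries.

```python
import re

# Constructed white list (assumed values, not from the original article).
WHITELIST_MACS = {"00:1a:2b:3c:4d:5e", "00:1a:2b:3c:4d:5f"}
WHITELIST_HOSTNAMES = {"hr-laptop-07", "print-srv-01"}


def normalize_mac(raw):
    """Return a MAC as lowercase colon-separated hex, or None if malformed.

    Accepts 00-1A-2B-3C-4D-5E, 001a.2b3c.4d5e and 00:1A:2B:3C:4D:5E, since
    different devices report the same address in different notations.
    """
    digits = re.sub(r"[.:\-]", "", raw or "").lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def classify(trap):
    """Classify one connect trap as 'event' (log only) or 'alert' (rogue)."""
    mac = normalize_mac(trap.get("mac"))
    host = (trap.get("hostname") or "").strip().lower()
    if mac in WHITELIST_MACS or host in WHITELIST_HOSTNAMES:
        return "event"
    # Unknown or unparseable identity fails closed: treat it as rogue.
    return "alert"


def process(traps):
    """Split traps into the event log and the alert queue."""
    events, alerts = [], []
    for trap in traps:
        (alerts if classify(trap) == "alert" else events).append(trap)
    return events, alerts


# Constructed trap data, as a monitoring system might hold it after decoding.
SAMPLE_TRAPS = [
    {"device": "sw-core-1", "port": "Gi1/0/3", "mac": "00-1A-2B-3C-4D-5E", "hostname": ""},
    {"device": "sw-core-1", "port": "Gi1/0/9", "mac": "001a.2b3c.4d5f", "hostname": "x"},
    {"device": "sw-edge-2", "port": "Fa0/12", "mac": "DE:AD:BE:EF:00:01", "hostname": "Print-Srv-01"},
    {"device": "sw-edge-2", "port": "Fa0/14", "mac": "DE:AD:BE:EF:00:02", "hostname": "unknown-pc"},
    {"device": "sw-edge-2", "port": "Fa0/15", "mac": "not-a-mac", "hostname": ""},
]

if __name__ == "__main__":
    events, alerts = process(SAMPLE_TRAPS)
    print(f"{len(events)} connections logged as events")
    for t in alerts:
        print(f"ALERT rogue endpoint on {t['device']} {t['port']}: {t['mac']}")
```

Normalizing the MAC before the lookup matters because a white-listed endpoint reported in a different notation would otherwise raise a false alert, which is exactly the noise the white list is meant to remove.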

 

SolarWinds User Device Tracker (UDT) supports white listing, rogue endpoint detection and alerting. Consider UDT's feature set a supplement that effectively takes node monitoring visibility down to the device port level.