UDT - Multiple MAC per port

Hi,

I'm new to UDT (evaluating the product), and I'm trying to set up alerting for when devices have multiple MAC addresses attached (2+) (looking for rogue hubs or switches). I figured out how to do it using endpoint count, but it also flags any VoIP ports as hitting the alert.

Is there a way to do this and tell the alert to ignore MAC addresses based on OUI, Vendor, or any fingerprinting?

Thanks!

  • This can be done using the built-in UDT whitelist feature.  When building the whitelist you can define MAC addresses even with wild card characters.  Example: ab.cd.ef.*.  This will force UDT to ignore your defined vendor OUI and only look at the rest.  If UDT finds systems that do not match, they will be identified as rogue. Then if you have the "alert me when a rogue mac address appears on the network" alert enabled, you can be emailed with the email trigger action.

    Now, keep in mind when you build the whitelist, do not define any criteria for IP and hostname.  Leave those as "any".

    This is just taking a different approach, using the whitelist as opposed to just using alert logic to find MAC anomalies in your network.

    Here is an example using the UDT whitelist adding all Dell MAC addresses:

    [screenshot: UDT whitelist entry covering all Dell MAC addresses]
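As an added illustration (not code from the thread, from the poster, or from UDT itself), here is a small Python model of the two approaches discussed: the whitelist approach from the answer, where any MAC that matches no wildcard pattern is rogue, and the endpoint-count approach from the question, where a port is flagged once it carries 2+ MACs after dropping OUIs you choose to ignore (VoIP phones). The switch port table, the `ab.cd.ef.*` trusted pattern and the `12.34.56.*` phone OUI are constructed sample values, not real vendor prefixes.

```python
import re

def normalize_mac(mac: str) -> str:
    """Reduce any MAC notation (aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff,
    ab.cd.ef.01.02.03) to 12 lowercase hex digits so patterns compare evenly."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return hexdigits

def pattern_to_regex(pattern: str) -> re.Pattern:
    """Turn a UDT-style wildcard pattern such as 'ab.cd.ef.*' into a regex over
    the normalized 12-digit form. '*' stands for any run of hex digits."""
    hexonly = re.sub(r"[^0-9a-f*]", "", pattern.lower())
    body = "".join("[0-9a-f]*" if ch == "*" else ch for ch in hexonly)
    return re.compile(rf"^{body}$")

def is_whitelisted(mac: str, patterns) -> bool:
    norm = normalize_mac(mac)
    return any(pattern_to_regex(p).match(norm) for p in patterns)

def rogue_macs(port_table, whitelist):
    """Whitelist approach (the answer): every MAC matching no pattern is rogue."""
    return sorted((port, normalize_mac(m)) for port, macs in port_table.items()
                  for m in macs if not is_whitelisted(m, whitelist))

def multi_mac_ports(port_table, ignore_patterns, threshold=2):
    """Endpoint-count approach (the question): ports carrying >= threshold MACs
    once MACs whose OUI is on the ignore list (e.g. VoIP phones) are dropped."""
    flagged = {}
    for port, macs in port_table.items():
        kept = [normalize_mac(m) for m in macs if not is_whitelisted(m, ignore_patterns)]
        if len(kept) >= threshold:
            flagged[port] = kept
    return flagged

# Constructed sample data: the MAC table per switch port, as UDT would collect it.
PORT_TABLE = {
    "Gi1/0/1": ["ab:cd:ef:00:00:01"],                           # one trusted PC
    "Gi1/0/2": ["12:34:56:00:00:10", "ab:cd:ef:00:00:02"],      # phone with a PC behind it
    "Gi1/0/3": ["ab:cd:ef:00:00:03", "ab:cd:ef:00:00:04",
                "ab:cd:ef:00:00:05"],                           # three trusted PCs: a hub?
    "Gi1/0/4": ["de:ad:be:ef:00:01"],                           # unknown vendor
}
TRUSTED = ["ab.cd.ef.*", "12.34.56.*"]   # constructed: corporate OUI plus phone OUI
PHONE_OUIS = ["12.34.56.*"]              # constructed stand-in for the VoIP vendor OUI

if __name__ == "__main__":
    print("rogue by whitelist:", rogue_macs(PORT_TABLE, TRUSTED))
    print("multi-MAC ports (phones ignored):", multi_mac_ports(PORT_TABLE, PHONE_OUIS))
```

Note that the two checks catch different things: the whitelist flags only Gi1/0/4 (unknown OUI) and says nothing about Gi1/0/3, while the OUI-filtered endpoint count flags Gi1/0/3 (three trusted PCs on one port) without tripping on the phone port Gi1/0/2, so running both covers both the unknown-device and the hidden-hub cases.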
