I need assistance creating an alert that triggers whenever a Wireless MAC Address is seen on the LAN. In our environment, the Wireless and LAN networks are completely segregated, so we should never see a MAC Address on the LAN, that's also been seen on the Wireless Network. UDT has all of the information, I just need to figure out how to write this alert. With the exception of a rouge wireless router, this should take care of any rouge access points that are connected to a network.
Just to mention that most devices will have different MAC addresses for wireless connections and wired connections.I do not see how a wireless MAC would show up on a LAN connection...
SELECT DISTINCT Nodes.NodeID AS NetObjectID, Nodes.Caption AS Name
WHERE Nodes.Wireless = 0
AND Nodes.NodeID IN
WHERE NodeMACAddresses.NodeID IN
(SELECT UDT_AllWLEndpoints.NodeID FROM UDT_AllWLEndpoints))
This should work as a Custom SQL Alert for Nodes.
I haven't taken a hard look at the UDT tables and views, but I am not 100% sure there will be something in there that marks devices as non-Wireless (so to speak). There are 2 main views for UDT endpoints: UDT_AllEndpoints and UDT_AllWLEndpoints...
I *think* that the UDT_AllEndpoints holds all endpoints, not just the wired. And AllWLEndpoints holds all of the Wireless Endpoints.
So, it isn't as easy as saying "IF Wired.MAC = Wireless.MAC THEN Alert". But the above SQL will work if you take the time to add your endpoints and mark them with a custom property.
I'm hopeful someone in the community might be able to provide some insight into another part of UDT that might mark nodes as wired. If we can find that point, then it simplifies this considerably.
Loop1 Systems: SolarWinds Training and Professional Services
We are not monitoring endpoints. The wireless networks are essentially treated as "Guest Networks". UDT logs all of the MAC Addresses that are seen on the wireless and tracks which APs they have been seen on.
Perhaps the approach is to look at each MAC address, alert if it has been both associated with an SSID, and seen on a port?
SolarWinds solutions are rooted in our deep connection to our user base in the THWACK® online community. More than 150,000 members are here to solve problems, share technology and best practices, and directly contribute to our product development process. Learn more today by joining now.