2 Replies Latest reply on Feb 7, 2017 11:01 AM by aaswi

    UDT - Multiple MAC per port

    derek_vieira

      Hi,

       

      I'm new to UDT (evaluating the product), and I'm trying to set up alerting for when devices have multiple MAC addresses attached (2+), looking for rogue hubs or switches. I figured out how to do it using endpoint count, but it also flags any VoIP ports as hitting the alert.

       

      Is there a way to do this and tell the alert to ignore MAC addresses based on OUI, Vendor, or any fingerprinting?

       

      Thanks!

        • Re: UDT - Multiple MAC per port
          josh.haberman

          I'm also evaluating the product and I have this question as well. I'm about to pull the trigger on a UTX license and this could be a make-or-break topic for that.

          • Re: UDT - Multiple MAC per port
            aaswi

            This can be done using the built-in UDT whitelist feature. When building the whitelist you can define MAC addresses even with wildcard characters. Example: ab.cd.ef.*. This will force UDT to ignore your defined vendor OUI and only look at the rest. If UDT finds systems that do not match, they will be identified as rogue. Then if you have the "alert me when a rogue mac address appears on the network" alert enabled, you can be emailed with the email trigger action.

             

            Now, keep in mind when you build the whitelist, do not define any criteria for IP and hostname. Leave those as "any".

             

            This is just taking a different approach, using the whitelist as opposed to just using alert logic to find MAC anomalies in your network.

             

            Here is an example using the UDT whitelist adding all Dell MAC addresses:

             

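The check asked about in this thread, as an added example that is not from any poster and is not UDT code: it counts distinct MACs per switch port after dropping addresses that match wildcard patterns in the `ab.cd.ef.*` style from the reply above, so a phone with a PC behind it does not trip the 2+ threshold. The rows, the placeholder OUI and the function names are constructed for illustration; a real run would read rows from an exported port-to-MAC table.

```python
from collections import defaultdict
from fnmatch import fnmatchcase


def normalize(mac):
    """Lower-case a MAC or wildcard pattern and drop '.', ':' and '-' separators."""
    return "".join(c for c in mac.lower() if c not in ".:-")


def is_ignored(mac, patterns):
    """True if the MAC matches any wildcard pattern such as 'ab.cd.ef.*'."""
    m = normalize(mac)
    return any(fnmatchcase(m, normalize(p)) for p in patterns)


def suspect_ports(rows, ignore_patterns, threshold=2):
    """Return {(switch, port): [macs]} for ports where the number of distinct
    MACs left after dropping ignored patterns reaches the threshold."""
    seen = defaultdict(set)
    for switch, port, mac in rows:
        if not is_ignored(mac, ignore_patterns):
            seen[(switch, port)].add(normalize(mac))
    return {k: sorted(v) for k, v in seen.items() if len(v) >= threshold}


# Constructed sample data: "ab.cd.ef" stands in for a VoIP phone vendor OUI.
IGNORE = ["ab.cd.ef.*"]
ROWS = [
    ("sw1", "Gi1/0/1", "AB:CD:EF:00:00:01"),  # phone (ignored OUI)
    ("sw1", "Gi1/0/1", "00-11-22-33-44-55"),  # PC daisy-chained behind the phone
    ("sw1", "Gi1/0/2", "00:11:22:aa:bb:01"),  # two non-phone MACs on one port:
    ("sw1", "Gi1/0/2", "0011.22aa.bb02"),     # possible hub or unmanaged switch
    ("sw1", "Gi1/0/2", "00:11:22:AA:BB:01"),  # same MAC again, different notation
    ("sw1", "Gi1/0/3", "00:11:22:cc:dd:01"),  # single endpoint
]

if __name__ == "__main__":
    for (switch, port), macs in suspect_ports(ROWS, IGNORE).items():
        print(f"{switch} {port}: {len(macs)} non-ignored MACs {macs}")
```

Because MAC addresses are trivially changed, an ignored OUI also hides any device that presents that prefix, so keep the ignore list as narrow as the phone fleet allows.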