Running UDT version 3.2.3
I had a device alert on a rogue DNS name. Afterwards I added the MAC to the DHCP deny filter and wireless controller exclusion list. Over the weekend UDT shows the same device as connected with a green color in the Rogue Devices section. Clicking on the device name to get the details I can see the IP address listed. Checking the reservation list in DHCP I can see the IP listed in UDT is being used by a different device. Hovering the mouse over the IP address shows it as connected, hovering over the MAC shows it as disconnected. I understand UDT used IP, Hostname and MAC to determine rogues, but is there a way it can see that the IP address used by a rogue device is no longer being used by that device?
Rogue DNS name alert: 7/21/2017 rogue.domain.com, IP 192.168.10.10, MAC aa:aa:aa:bb:bb:bb; added MAC to DHCP deny filter, WLC exclusion list
UDT Rogue Devices List: 7/24/2017 entry for rouge.domain.com (shows connected), IP 192.168.10.10 (shows connected) MAC aa:aa:aa:bb:bb:bb (shows disconnected); Check DHCP reservation list and MAC aa:aa:aa:bb:bb:bb is assigned to a different host.
I have seen this on three different occasions now. What i'd like to see is the device hostname listed in the rogue list as disconnected because it really is.