Display rogue endpoint connections in real-time

Suppose you have a White List set up, but you want real-time or near real-time alerts for when a rogue device connects to the network.

To do this, set up your devices to send connection-related traps to the UDT server. UDT checks the database for trap-related information at a set interval. If an endpoint connects to a UDT device, and the endpoint is not on the White List, UDT posts an alert in the web console.

The following instructions are for Cisco devices only.

You can remove device configurations by running a given command with 'no' in front of it. For example, the following command removes that target from the remote logging stream:

    no set logging server ip_address

To enable your Cisco devices to send trap messages:

  1. Open a command line in config mode on each device.
  2. Execute the commands from the examples below, changing the IP address to match your UDT server:
    • Traps (IOS)

        snmp-server host ip_address public config

        snmp trap mac-notification change added

        snmp trap mac-notification change removed

    • Traps (CatOS)

        set snmp trap ip_address public config

        snmp trap mac-notification change added

        snmp trap mac-notification change removed

  3. From the Web Console, go to Settings > All Settings.
  4. Select UDT Settings in the Product Specific Settings section.
  5. Click Advanced Settings in the UDT Settings section.
  6. Change the value for MAC-Notification Processing Interval to the frequency that you want UDT to check for new trap messages. The default is 120 seconds.
  7. Click Save.
  8. To verify your setup, connect a device to the network that is not on the UDT White List.
  9. Wait for the time set in Step 6 to elapse, and check the Active Alerts and All Triggered Alerts widgets for an entry that shows the MAC address of the device you just connected.
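
The check that this procedure sets up, as an added example that is not SolarWinds code and does not reflect UDT's internal implementation: MAC-notification events collected during one processing interval are normalized and compared with a white list, and only "added" events for unknown addresses raise an alert. The event tuple layout, the function names, and the assumption that processing passes start at multiples of the interval are hypothetical; the sample events are constructed.

```python
import re

# Constructed sample events: (arrival time in seconds, operation, MAC, switch, port).
# The tuple layout is an assumption for this example, not the trap's wire format.
EVENTS = [
    (5,   "added",   "0011.2233.4455",    "sw1", "Gi0/1"),
    (40,  "added",   "DE:AD:BE:EF:00:01", "sw1", "Gi0/7"),
    (95,  "removed", "0011.2233.4455",    "sw1", "Gi0/1"),
    (130, "added",   "de-ad-be-ef-00-02", "sw2", "Gi0/3"),
    (150, "added",   "not-a-mac",         "sw2", "Gi0/4"),
]
WHITE_LIST = {"00:11:22:33:44:55"}   # constructed white list entry
INTERVAL = 120                       # default MAC-Notification Processing Interval


def normalize_mac(raw):
    """Return a lowercase colon-separated MAC, or None if raw is not 12 hex digits."""
    digits = re.sub(r"[.:\-]", "", raw).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def process_interval(events, white_list, start, interval=INTERVAL):
    """Return alerts for events that arrived in [start, start + interval)."""
    allowed = {normalize_mac(mac) for mac in white_list}
    alerts = []
    for ts, op, raw, switch, port in events:
        # A "removed" event means the endpoint left; only connections are checked.
        if not (start <= ts < start + interval) or op != "added":
            continue
        mac = normalize_mac(raw)
        if mac is None:
            # Surface malformed addresses instead of silently dropping them.
            alerts.append(("unparseable", raw, switch, port))
        elif mac not in allowed:
            alerts.append(("rogue", mac, switch, port))
    return alerts


def alert_latency(event_ts, interval=INTERVAL):
    """Seconds between a trap arriving and the next processing pass."""
    return interval - (event_ts % interval)
```

Because the dotted Cisco form `0011.2233.4455` and the colon form normalize to the same value, the white-listed endpoint raises no alert, and `alert_latency` shows why the verification step waits up to one full interval before the alert appears.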