Design Guide for the Cisco 5508 Wireless Controller
Chapter 1 Cisco Adaptive wIPS Management Deployment Guide, Release 8.0
Adaptive WIPS Management Best Practices
The figure above is a snapshot of the aWIPS alarm summary for a Cisco lab environment over the last
four weeks. The "Spoofed MAC address detected" alarm accounts for almost 50% of all alarms in this
environment. This alarm has High fidelity and Major severity, so per general guideline No. 2 above,
administrators should troubleshoot and find out why it was triggered so often in the last four weeks. To
collect traces for analysis, first enable Forensics for this alarm. If that is not sufficient, locate the
detecting APs and the reporting area, and start global forensic captures on those APs to collect more
traces. Engage Cisco TAC to analyze the traces and help troubleshoot.
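The triage logic described above (rank alarms by their share of the four-week total, then escalate the high-fidelity, major-severity ones that dominate the summary) can be scripted against an alarm summary export, and the same pass can apply the suppression rules from the Quick Tips that follow. The following is an added example, not code from the Cisco guide or from Prime Infrastructure: the CSV layout, the column names, the sample counts and the 25% share threshold are all constructed assumptions.

```python
import csv
import io
from dataclasses import dataclass


@dataclass
class Alarm:
    name: str
    fidelity: str
    severity: str
    count: int


# Constructed sample export (not a real Prime Infrastructure export). Counts are
# chosen so that one alarm is roughly half of the four-week total, as in the text.
SAMPLE_EXPORT = """\
alarm,fidelity,severity,count
Spoofed MAC address detected,High,Major,1480
DoS: Probe request flood,Low,Minor,610
Device probing for APs,Low,Minor,430
AP with encryption disabled,High,Major,55
Rogue AP detected,High,Critical,12
"""

# Probe-request and threshold-based alarms that chatty mobile devices trigger.
PROBE_NOISE = {
    "DoS: Probe request flood",
    "Device probing for APs",
    "NetStumbler detected",
    "NetStumbler victim detected",
}

# Alarms that only matter if WEP is actually deployed in the production WLAN.
WEP_ALARMS = {"AP with encryption disabled", "Client with encryption disabled"}


def parse_summary(text):
    """Parse the CSV-style export into Alarm records."""
    reader = csv.DictReader(io.StringIO(text))
    return [Alarm(r["alarm"], r["fidelity"], r["severity"], int(r["count"]))
            for r in reader]


def alarm_shares(alarms):
    """Fraction of all alarms in the window contributed by each alarm type."""
    total = sum(a.count for a in alarms)
    return {a.name: (a.count / total if total else 0.0) for a in alarms}


def triage(alarms, share_threshold=0.25, wep_deployed=False):
    """Return a per-alarm decision: 'suppress', 'troubleshoot' or 'monitor'.

    - probe-request noise is always suppressed;
    - WEP alarms are suppressed unless WEP is deployed;
    - High-fidelity alarms of Major or Critical severity that exceed the
      share threshold are escalated for troubleshooting (the page's guideline);
    - everything else is left to normal monitoring.
    """
    shares = alarm_shares(alarms)
    decisions = {}
    for a in alarms:
        if a.name in PROBE_NOISE:
            decisions[a.name] = "suppress"
        elif a.name in WEP_ALARMS and not wep_deployed:
            decisions[a.name] = "suppress"
        elif (a.fidelity == "High" and a.severity in ("Major", "Critical")
              and shares[a.name] >= share_threshold):
            decisions[a.name] = "troubleshoot"
        else:
            decisions[a.name] = "monitor"
    return decisions


if __name__ == "__main__":
    alarms = parse_summary(SAMPLE_EXPORT)
    shares = alarm_shares(alarms)
    for name, action in triage(alarms).items():
        print(f"{name:32s} {shares[name]:6.1%}  {action}")
```

Run it and the spoofed-MAC alarm comes out as the only "troubleshoot" entry; passing wep_deployed=True turns the WEP alarm from "suppress" into "monitor" without escalating it, because its share of the total stays small.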
Quick Tips
Based on field experience and feedback, administrators can use the following quick tips to tune some
wIPS alarms. These recommendations apply under all conditions unless specified otherwise.
Alarms to Turn off or Ignore:
• Alarms triggered by probe requests and threshold-based alarms.
Mobile devices are very chatty with probe requests and often trigger these alarms, which have no real
operational impact:
– DoS: Probe request flood
– Device probing for APs
– NetStumbler detected
– NetStumbler victim detected
• Alarms based on a particular encryption or authentication method.
If WEP encryption is not deployed in your production wireless network:
– AP with encryption disabled
– Client with encryption disabled