Welcome, Guest. Please login or register.

Author Topic: Monitoring->Events question  (Read 5265 times)

bgeary

  • Guest
Monitoring->Events question
« on: October 12, 2011, 06:02:13 PM »
Under Monitoring / Events I see two events that I am not sure how to decipher?

The first is "80 MAC entries exceed threshold of 50 on Gi0/17"

and the second is "12 IP addresses found for 001b.2176.c722".

Thanks
bg

rickli

  • Administrator
  • Hero Member
  • *****
  • Posts: 2494
    • View Profile
    • NeDi
Re: Monitoring->Events question
« Reply #1 on: October 12, 2011, 08:15:03 PM »
Hi and welcome. Those are security events triggered by settings in nedi.conf:

  • One of the switch ports learned 80 addresses could mean someone is flooding the switch with arbitrary MAC addresses, a broken device sending rubbish, a link to an unmanaged device or even a loop. You can increase macflood   to avoid getting notified.
  • Do a show ip arp on the device where this event originates from to find out which IPs those are. In Nodes-Status you might find them as well under IP Track. It could be someone performing ARP spoofing, a virtual host or loadbalancer. You can increase arppoison or add this MAC or part of it to ignored macs in nedi.conf to avoid those messages.
Please consider Other-Invoices on your NeDi installation for an annual contribution, tx!
-Remo

bgeary

  • Guest
Re: Monitoring->Events question
« Reply #2 on: October 12, 2011, 08:17:24 PM »
I shall take a look.
I now understand the other one. Some of those are from our ESX server.

thanks