Rogue AP Alarm in Prime

Hi, I'm working on Prime alarms and I'm wondering how to do this:
1) I would like all rogue APs not containing a substring to be friendly.
2) I would like all rogue APs containing that substring to be malicious.
Is it possible? I can't seem to figure out how the Rogue AP rules work...
Thanks,
Simon Laurendeau

Hi Simon,
Yes, you are correct. You require 7.5.x onwards to have wildcard rogue SSID classification. Here is what the 7.5.102.0 release notes say about it.
 "In the earlier releases, you could create rogue policy rules based on SSID, but the SSID had to be an exact match. In this release, you can create rogue policy rules based on wildcard SSID, where the rule is enforced by any SSID that contains the wildcard SSID string. You can configure up to 25 wildcard rule per rogue rule."
HTH
Rasika
**** Pls rate all useful responses ****
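
The substring matching described in the release-note quote above, as an added example that is not part of the original thread and is not Cisco code: a Python dry run of the two-rule policy from the question against a constructed rogue list. The rule names, the CSV layout, top-down first-match evaluation, the empty-list catch-all and case-sensitive matching are assumptions of this sketch.

```python
"""Dry-run model of substring ("wildcard") SSID rogue classification.
Added illustration, not Cisco code; evaluation order is an assumption."""
import csv
import io
from dataclasses import dataclass, field

MAX_WILDCARDS_PER_RULE = 25  # limit quoted from the 7.5.102.0 release notes


@dataclass
class RogueRule:
    name: str
    classify: str  # "malicious" or "friendly"
    substrings: list = field(default_factory=list)  # empty = catch-all (assumption)

    def __post_init__(self):
        if self.classify not in ("malicious", "friendly"):
            raise ValueError(f"{self.name}: unknown class {self.classify!r}")
        if len(self.substrings) > MAX_WILDCARDS_PER_RULE:
            raise ValueError(f"{self.name}: over {MAX_WILDCARDS_PER_RULE} wildcard SSIDs")

    def matches(self, ssid):
        # Containment match, case-sensitive (assumption of this sketch).
        return not self.substrings or any(s in ssid for s in self.substrings)


def classify(ssid, rules):
    """Return (class, rule name) for the first matching rule, top down."""
    for rule in rules:
        if rule.matches(ssid):
            return rule.classify, rule.name
    return "unclassified", None


def dry_run(export_csv, rules):
    """Map each rogue MAC in a CSV export (columns: mac,ssid) to its class."""
    rows = csv.DictReader(io.StringIO(export_csv))
    return {row["mac"]: classify(row["ssid"], rules)[0] for row in rows}


# Constructed sample data: MACs and SSIDs are made up for this example.
SAMPLE_EXPORT = """mac,ssid
00:11:22:33:44:01,CorpNet
00:11:22:33:44:02,CorpNet-Guest
00:11:22:33:44:03,Free CorpNet WiFi
00:11:22:33:44:04,CoffeeShop
00:11:22:33:44:05,corpnet
00:11:22:33:44:06,
"""

POLICY = [
    RogueRule("ssid-lookalike", "malicious", ["CorpNet"]),
    RogueRule("everything-else", "friendly"),
]
```

Under the case-sensitive assumption the lowercase `corpnet` row and the hidden-SSID row both fall through to the friendly catch-all, which is the kind of gap a dry run exposes before a rule set is relied on.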

Similar Messages

  • Cisco Prime Infrastructure 1.2 - web browser freezes when managing rogue APs alarms

    Hello all,
    Has anybody faced a freezing problem when you click in Cisco Prime Infrastructure 1.2 down on the alarm bar and then on Rogue AP alarms and then try to add an annotation or change a rogue alarm to Friendly?
    I tried it on different PCs, different browsers (Firefox 14.0.1, Chrome ...) and the problem is still there.
    Has anybody an idea?
    Thanks.
    Regards
    Karel

    I just tried it from my lab VM and had no problems.  I use Chrome and the browser does sometimes not refresh for a while but that is just when I start to  click around.
    Thanks,
    Scott
    Help out others by using the rating system and marking answered questions as "Answered"

  • WCS Rogue AP Alarms

    Over the weekend, I moved a bunch of rogue APs into the "Unclassified Rogue AP" group that I felt were not interfering with my network because they were being detected at -80 and above. When I arrived today, I was surprised to find all of those alarms back in "Malicious Rogue AP" alarms. When the rogues aren't detected for a short amount of time, they become "Removed" state and I suspect what's happening is that they lose their grouping when they go undetected and when they are detected again, they are re-grouped into "Malicious." Is anyone else suffering from this? Is there a workaround, or even, a better way to filter out distant rogue APs?

    By the way, I'm running WCS version 6.0.181.0.

  • Rogue Rules and Rogue AP alert in Prime

    Hi Supportcommunity,
    I have done a lot of research on this topic but I was unfortunately unable to find a helpful post.
    If I missed something, I am sorry.
    I have the following issue: my customer complains about Rogue AP alerts in Cisco Prime.
    There are always many of them.
    I already configured the Rogue Rules on the WLCs' security tab as follows.
    Here are the rules in detail.
    1st rule
    2nd rule
    3rd rule
    Could you please help me to understand what I did wrong.
    I don't understand why there are still so many Rogue warnings although I configured it to not alert.
    Thanks for your support
    With kind regards
    Benedikt

    Rogue detection is a way of being aware of other APs in your surroundings; I would not advise turning the SNMP traps off totally. On the other hand, the customer can't really blame you because there are other APs around their network? In 99,9% of all networks there will be...
    However, if you want to tidy up among the rogue alarms, the rules can be used. 
    What your rules are saying is "Anyone except me using my SSIDs? - mark it as a Bad Guy" (OK).
    Then it gets a bit weird to me, let's do a short one on signal strength:
    -30 dBm = Less than one meter from the AP at max European output level 20 dBm EIRP
    -40 dBm = Ten times weaker, some 2-4m from AP. All distances are roughly speaking...
    -50 dBm = 1/100 weaker, less than 10m from AP
    -60 dBm = 1/1000 weaker, some 16m from AP, a "normal" and strong signal
    -70 dBm = 1/10000, within 30m from AP, not great, but lower end of "normal" span
    -80 dBm = hardly useable signal, might be able to connect @ 1-2 Mbps, not much more
    -90 dBm = almost no clients can use these weak levels
    -100 dBm = background noise.
    Your delete rule says that "Any other AP located less than a meter from mine (-30 dBm) should be marked as Malicious and deleted". Lower this to, say, -70 dBm and see what happens.
    Also note that the order of the rules can be important. It runs from top down, and as far as I remember the last one that matched determines if it is Friendly or Malicious. Play around with the levels first, then if necessary the order of the rules, and get back...
    **Please rate helpful posts**

  • Cisco Prime Rogue AP Report - No Rogues from 3702 Series AP's

    I am running Cisco Prime Infrastructure (2.1) that manages a Cisco 5508 WLC (7.6). We have multiple versions of APs managed by this WLC, including 1142, 2602, 3702, etc. In Cisco Prime, when we run a Rogue AP Report, none of the Rogue APs discovered by 3702s are displayed in the report. The Rogues show on the WLC, though, from all APs. Cannot find a reason for this. Any ideas?

    The Rogue alarm state always stays on "removed" once deleted
    CSCuo91446
    Description
    Symptom: Once one of the alarms of a rogue AP is deleted, the newer rogue AP alarm changes to removed state, even for a different MAC address. Because of the removed state, the detecting AP which detected the rogue is not displayed.
    Conditions:
    1) Auto SPT is turned on
    2) Prime 2.0 or 2.1
    Workaround: Click on refresh from network for each alarm in removed state or disable auto spt
    Last Modified: Jun 30, 2014
    Status: Fixed
    Severity: 3 Moderate
    Product: Cisco Prime Network Control System Series Appliances
    Known Affected Releases: (1) 2.1(0.0.1)

  • Prime Infrastructure 2.0 functionalities

    PI 2.0 version can already be found at the sw download site. I am interested in the "converged" features of LMS and PI. Is there an update available for the document under this link?
    http://www.cisco.com/en/US/prod/collateral/netmgtsw/ps6504/ps6528/ps12239/app_note_c27-716266.html
    Does PI 2.0 provide the functionalities referred to as "future plan converged" like
    - IP-SLA management
    - Configuration audit
    - VLAN Management
    - IPv6 support
    Thanks, Egon

    Hi Graham,
    What settings do you have checked when you navigate to here? 
    Operate > Alarms & Events > Email Notification 
    Also you can define within your network what the level of alarming should be through navigation to here: 
    Administration > System Settings > Severity Configuration
    It doesn't take much to become overburdened by alarms from Prime, I set only a couple of parameters as critical for switch and router state, and set to receive emails from those at this time. 
    Regards,
    Brandon

  • Prime Infrastructure 2.0 disk requirements

    The installation guide for Prime 2.0 says it requires 200 MB/s of disk throughput.  Does this mean 200 MB/s sustained IO?
    http://www.cisco.com/en/US/docs/net_mgmt/prime/infrastructure/2.0/quickstart/guide/cpi_qsg.html#wp69178

  • Prime Infrastructure no Interface Tx and RX Utilisation Graph on L2VLAN and PROPVIRTUAL Interfaces

    Hello Community,
    I'm wondering why I don't get any interface statistics on subinterfaces or VLAN interfaces on a router. On all other interfaces I see the graph.
    Any idea?
    Thanks in advance
    Alex

  • SNMP TRAP ON Secondary WLC 5508

    Hi, I'm Louis,
    I work on 2 WLC 5508 with version 7.4 and Prime Infrastructure 1.3
    We have activated AP SSO to work with a primary and secondary controller.
    We have added the controller to Prime Infrastructure and activated SNMP.
    We receive the alarms correctly on Prime.
    But when we work on the primary WLC and the secondary crashes, we haven't got information about that. No SNMP received.
    Is that normal?
    Thx for your reply
    Regards

    I found this, in Monitoring and Troubleshooting the Redundancy States
    http://www.cisco.com/en/US/docs/net_mgmt/prime/infrastructure/1.2/user/guide/chgdevconfig.html
    On my primary controller, in SNMP => Trap Log , I can see :
    RF failure notification ErrorType: 34 Reason :Lost Peer, Moving to Active-No-Peer State! => When I unplug RP link
    RF progress notification unitId: -1407319963 peerUnitId :14 unitState: -1407319863 peerUnitState :5
    RF progress notification unitId: -1407319963 peerUnitId :14 unitState: -1407319863 peerUnitState :9  => When I plug the RP link.
    So I can see the trap on my controller but there is nothing in Prime ...

  • Cisco prime Infrastructure alarms by e-mail

    Hi all,
    My Cisco PI 1.2 does not send me a notification e-mail with a specific alarm if it occurred twice and the first time is not cleared or deleted.
    i.e.
    If a switch is down it sends me a notification e-mail, and this switch comes up again but I did not remove the first alarm, the PI does not send me a notification.
    Please advise
    thanks in advance

    Alarm Status: Description
    New: When an event triggers a new alarm or an event is associated with an existing alarm.
    Acknowledged: When you acknowledge an alarm, the status changes from New to Acknowledged.
    Cleared: An alarm can be in these statuses:
    - Auto-clear from the device: The fault is resolved on the device and an event is triggered for the same. For example, a device-reachable event clears the device-unreachable event. This, in turn, clears the device-unreachable alarm.
    - Manual-clear from Prime Infrastructure users: You can manually clear an active alarm without resolving the fault in the network. A clearing event is triggered and this event clears the alarm.
    If the fault continues to exist in the network, a new event and alarm are created subsequently based on the event notification (traps/syslogs).
    This might be the reason, I believe.
    Please refer to the following link for better understanding.
    http://www.cisco.com/c/en/us/td/docs/net_mgmt/prime/infrastructure/1-2/user/guide/prime_infra_ug/alarms.html
    Hope that helps.

  • Prime Infrastructure: Can you export Alarms and Events?

    Hello
    In Prime 1.4, you had the ability to export the alarms and events you saw being reported, at least according to the PDF manual: http://www.cisco.com/c/en/us/td/docs/wireless/prime_infrastructure/1-4/configuration/guide/pi_14_cg.pdf
    I want to export these events and alarms that can be found in the Monitor section of Prime 2.1, but the export option does not seem to be available.
    Does anyone know if it is possible to export these via a scheduled report or by looking in a particular place on Prime? I would like to import the information into Splunk to see if we can gain an insight into the information that is being collected.
    thanks
    Bryn

    Hi,
    Did you ever determine an answer to this question? I really need to export data after a certain date... (I would also like to publish a calendar, after a certain date-- as no one needs to see the "old" events).
    Stu

  • Cisco Prime Infrastructure 1.4 SNMP Traps are not converted into Alarms

    Hi everybody,
    I just configured SNMP Traps on a Cisco Catalyst 3750-x to send to our Cisco Prime Infrastructure 1.4 Appliance.
    Now I forced the switch to send some traps (power off a power supply, interface errdisable). The only event I see in Alarms & Events on PI is the same information message every time:
    Configuration management event has been recorded in ccmHistoryEventTable.
    I think the forced traps should be converted into alarms? Why can't I see them?
    Thanks,
    Marc

    Ok, I started debugging as you said. I get the following output:
    Mar 13 09:28:13.711: SNMP: V2 Trap, reqid 11689, errstat 0, erridx 0
     sysUpTime.0 = 198609846
     snmpTrapOID.0 = ciscoSyslogMIB.2.0.1
     clogHistoryEntry.2.1688 = PM
     clogHistoryEntry.3.1688 = 5
     clogHistoryEntry.4.1688 = ERR_RECOVER
     clogHistoryEntry.5.1688 = Attempting to recover from bpduguard err-disable state on Gi1/0/13
     clogHistoryEntry.6.1688 = 198609844
    Mar 13 09:28:13.737: SNMP: Queuing packet to xx.xx.xx.xx
    Looks like the switch is sending SNMP traps from the ciscoSyslogMIB. Is this why PI can't show the traps and convert them into an alarm?
    After this test I configured logging (syslog) to the PI. Now the errors are shown but still not converted into alarms. I just want to be notified by email when such errors occur.
    Thanks,
    Marc

  • Cisco Prime Infrastructure and no new events / alarms since update to 2.2.1

    Hello,
    I have upgraded our Cisco Prime Infrastructure from version 2.1 to 2.2.1 (with a backup and restore). We have roughly 700 APs and three 5208 Controllers. So far everything seems to work really fine. The only problem is that there are no new alarms/events under "Monitor", "Alarms and Events".
    The last entries (events and alarms) are dated before the upgrade. Other information (like client counts, for example) is correct.
    Is there a known bug related to my problem? Can anybody help?
    Thanks

    I have done some research:
    I see the following problems in the log-package (downloaded from Prime):
    ===
    <msg time='2015-04-07T12:10:50.620+02:00' org_id='oracle' comp_id='rdbms'
     client_id='' type='UNKNOWN' level='16'
     host_id='rzprime' host_addr='xxx.xxx.xxx.xxx' module='JDBC Thin Client'
     pid='9499'>
     <txt>ORA-1652: unable to extend temp segment by 128 in tablespace                 TS_EVENTS 
     </txt>
    </msg>
    <msg time='2015-04-07T12:10:50.727+02:00' org_id='oracle' comp_id='rdbms'
     client_id='' type='UNKNOWN' level='16'
     host_id='rzprime' host_addr='xxx.xxx.xxx.xxx' module='JDBC Thin Client'
     pid='15177'>
     <txt>ORA-1652: unable to extend temp segment by 128 in tablespace                 TS_EVENTS 
     </txt>
    </msg>
    ===
    I think that there is a problem with a too small tablespace. But I can't fix that. Anybody? ;)

  • Cisco Prime Infrastructure 2.0 Alarms (switch port down)

    We have a Cisco Prime Infrastructure 2.0 managing switches, routers and APs.
    By default, when a port of a switch goes down, the Cisco Prime Infrastructure generates a Critical Alarm for that. (This is a problem, because every phone or laptop disconnection will generate a critical alarm for me.)
    I found out that if we go to Administration --> Alarm Severity --> Link down, I can change the alarm from Critical to another type of alarm (ex: warning).
    The problem is that I want to keep the Critical Alarm for my uplink ports and for some important switch ports, and I would like to make the alarm a warning for the normal user ports.
    I know that I can create Port Grouping and add ports to each group and apply monitoring templates on those groups. But this couldn't help me solve my alarm problem.
    So I just need to know how to manage the alarms severity for each group of ports.
    Thank you

    Hi,
    Same problem here.
    I am using Cisco Prime Infrastructure 2.0 (evaluation version for 60 days). I want to deploy port monitoring for my trunk ports between switches and some other important ports, e.g. servers. Basically I want to get alarms when these ports are down, there are errors on ports, etc.
    So in Design>Port Grouping I created a User Defined group with important ports. In Deploy>Monitoring Deployment I selected Interface Health (default)>Deploy selected Port Groups and when selected port group I created.
    Now the rule shows Deployed: Yes and Status: Active. After that I just pulled out one port which was in the monitored group, waited 5 min as it is set in the Interface Health (default) template, and nothing happened, and worse, alarms started to show up for other ports where regular users are connected (computers were turned off), which I do not want to see at all. I tried to redeploy the template, I even created my own template, but still no desired result.
    Any suggestions how to make port monitoring work?

  • Rogue detection with Prime 2.1

    Hi@all,
    I know, many questions in the last days, but I must say, the last WCS works better than the combination Prime 2.1 and 5760 ;).
    My problem: we have a huge campus and at peaks ~ 1500 rogue APs.
    In my new configuration (2x 5760 and Prime 2.1), the WLCs see the rogue APs but in the security dashboard in Prime no rogues are listed.
    The 5760s are in the same mobility/RF group, the polling interval in Prime is 15 minutes.
    Maybe someone has a similar problem and could help.
    regards
      René

    Hi
    Do you see the rogue AP on the 5760 itself? The "show wireless wps rogue ap summary" output shows you the identified rogue APs. If you can't see anything there, then you may not have enabled Rogue AP detection on your controller. See whether in your 5760 configuration the first line below is configured (which will enable rogue detection). The second line is to increase the threshold to minimize false detection. Refer to the 5760 RRM config guide for more details.
    wireless wps ap-authentication
    wireless wps ap-authentication threshold 50
    This document describes some of the best practices of 5760 configuration, including rogue detection as well.
    Cisco 5760 IOS Wireless LAN Controller Configuration Best Practices
    HTH
    Rasika
    **** Pls rate all useful responses ****
