Reference Guide (Supporting software release 5.5.0.0 and later) Owner manual

ManualsBrandsBrocade ManualsComputer AccessoriesMobility RFS Controller CLI

1151

Brocade Mobility RFS Controller CLI Reference Guide 1151

53-1003098-01

event enable-all-events

event excessive

[80211-replay-check-failure|aggressive-scanning|auth-server-failures|

decryption-failures|dos-assoc-or-auth-flood|dos-eapol-start-storm

|dos-unicast-deauth-or-disassoc|eap-flood|eap-nak-flood|frames-from-unassoc-s

tation] {filter-ageout [<0-86400>]|threshold-client

[<0-5535>]|threshold-radio <0-65535>}

wellenreiter Tracks Wellenreiter events

filter-ageout <0-86400> The following keywords are common to all of the above client anomaly events:

• filter-ageout <0-86400> – Optional. Configures the filter expiration interval in seconds

• <0-86400> – Sets the filter ageout interval from 0 - 86400 seconds. The default is 0

seconds.

NOTE: For each violation define a filter time in seconds, which determines how long the packets

(received from an attacking device) are ignored once a violation has been triggered. Ignoring

frames from an attacking device minimizes the effectiveness of the attack and the impact to the

site until permanent mitigation can be performed.

The filter ageout value is applicable across the entire RF Domain using this WIPS policy. If an MU is

detected performing an attack and is filtered by one of the APs, the information is passed on to all APs

and controllers within the RF Domain through the domain manager. Consequently the MU is filtered, for

the specified period of time, across all devices.

enable-all-events Enables tracking of all intrusion events (client anomaly and excessive events)

excessive Enables the tracking of excessive events. Excessive events are actions performed continuously and

repetitively. These events can impact the performance of the controller managed network. DoS attacks

come under this category.

80211-replay-check-failure Tracks 802.11replay check failure

aggressive-scanning Tracks aggressive scanning events

auth-server-failures Tracks failures reported by authentication servers

decryption-failures Tracks decryption failures

dos-assoc-or-auth-flood Tracks DoS association or authentication floods

dos-eapol-start-storm Tracks DoS EAPOL start storms

dos-unicast-deauth-or-disassoc Tracks DoS dissociation or deauthentication floods

eap-flood Tracks EAP floods

eap-nak-flood Tracks EAP NAK floods

frames-from-unassoc-station Tracks frames from unassociated clients

filter-ageout <0-86400> The following keywords are common to all excessive events:

• filter-ageout <0-86400> – Optional. Configures a filter expiration interval in seconds. It sets the

duration for which the client is filtered. The client is added to a ACL as a special entry and frames

received from this client are dropped.

• <0-86400> – Sets a filter ageout interval from 0 - 86400 seconds. The default is

0 seconds.

NOTE: This value is applicable across the RF Domain. If a client is detected performing an attack and is

filtered by one of the APs, the information is passed to the domain controller. The domain

controller then propagates this information to all APs and wireless controllers in the RF Domain.