Brocade Mobility RFS Controller CLI Reference Guide (Supporting software release 5.5.0.0 and later) User Manual

Brocade Mobility RFS Controller CLI Reference Guide

1151

53-1003098-01

21

event enable-all-events

event excessive

[80211-replay-check-failure|aggressive-scanning|auth-server-failures|

decryption-failures|dos-assoc-or-auth-flood|dos-eapol-start-storm

|dos-unicast-deauth-or-disassoc|eap-flood|eap-nak-flood|frames-from-unassoc-s

tation] {filter-ageout [<0-86400>]|threshold-client

[<0-5535>]|threshold-radio <0-65535>}

wellenreiter

Tracks Wellenreiter events

filter-ageout <0-86400>

The following keywords are common to all of the above client anomaly events:

•

filter-ageout <0-86400> – Optional. Configures the filter expiration interval in seconds

•

<0-86400> – Sets the filter ageout interval from 0 - 86400 seconds. The default is 0

seconds.

NOTE: For each violation define a filter time in seconds, which determines how long the packets

(received from an attacking device) are ignored once a violation has been triggered. Ignoring
frames from an attacking device minimizes the effectiveness of the attack and the impact to the
site until permanent mitigation can be performed.

The filter ageout value is applicable across the entire RF Domain using this WIPS policy. If an MU is
detected performing an attack and is filtered by one of the APs, the information is passed on to all APs
and controllers within the RF Domain through the domain manager. Consequently the MU is filtered, for
the specified period of time, across all devices.

enable-all-events

Enables tracking of all intrusion events (client anomaly and excessive events)

excessive

Enables the tracking of excessive events. Excessive events are actions performed continuously and
repetitively. These events can impact the performance of the controller managed network. DoS attacks
come under this category.

80211-replay-check-failure

Tracks 802.11replay check failure

aggressive-scanning

Tracks aggressive scanning events

auth-server-failures

Tracks failures reported by authentication servers

decryption-failures

Tracks decryption failures

dos-assoc-or-auth-flood

Tracks DoS association or authentication floods

dos-eapol-start-storm

Tracks DoS EAPOL start storms

dos-unicast-deauth-or-disassoc Tracks DoS dissociation or deauthentication floods

eap-flood

Tracks EAP floods

eap-nak-flood

Tracks EAP NAK floods

frames-from-unassoc-station

Tracks frames from unassociated clients

filter-ageout <0-86400>

The following keywords are common to all excessive events:

•

filter-ageout <0-86400> – Optional. Configures a filter expiration interval in seconds. It sets the
duration for which the client is filtered. The client is added to a ACL as a special entry and frames
received from this client are dropped.

•

<0-86400> – Sets a filter ageout interval from 0 - 86400 seconds. The default is

0 seconds.

NOTE: This value is applicable across the RF Domain. If a client is detected performing an attack and is

filtered by one of the APs, the information is passed to the domain controller. The domain
controller then propagates this information to all APs and wireless controllers in the RF Domain.