A blog with tips, tricks and tutorials to help you prepare your CCIE Wireless lab exam.

Thursday, July 30, 2009

WCS: Acknowledge vs clear vs delete alarm

When you visualize alarms in WCS, by clicking the Alarm dashboard or through Monitor > Alarms, you have a couple of choices that look the same but are different. Options are (from the WCS help page):
- Assign to me—Assign the selected alarm(s) to the current user.
- Unassign—Unassign the selected alarm(s).
- Delete—Delete the selected alarm(s).
- Clear—Clear the selected alarm(s).
- Acknowledge—You can acknowledge the alarm to prevent it from showing up in the Alarm Summary window. The alarm remains in WCS and you can search for all Acknowledged alarms using the alarm search functionality.
- Unacknowledge—You can choose to unacknowledge an already acknowledged alarm.
- Email Notification—Takes you to the All Alarms > Email Notification page to view and configure email notifications.

Assign and Unassign are simple, they determine who is supposed to deal with the alarm. But what about the others? Crystal clear isn't it? "Clear" clears, "delete" deletes and so on... okay, so what are the differences? You need to know them, because on the day of your CCIE Wireless lab, you may be asked to complete a task for which only one of these options is the right answer.

- Clear basically says "remove this alarm from this list". The alarm is removed from the list, but stays in the WCS database. If the event triggering the alarm occurs again, WCS will be able to tell you "here it happens AGAIN". If you run a report, you will see the alarm having occurred in the past. You would clear an alarm if the cause of the event disappeared and you still want to remember that it happened.

- Delete basically says "forget about this alarm". The alarm is removed from the list and from the WCS database. If the event triggering the alarm occurs again, WCS will discover it as if for the first time and tell you "oh, something new happens".

- Acknowledge basically says "Don't bother me with this anymore". The alarm is removed from the list, and WCS will not tell you if the event triggering the alarm occurs again.

When do you use them? Few examples:

- Your colleague brings his home AP and plugs it to the network. ALARM! ROGUE! You go to your colleague's desk, explain why he has been a bad boy, and remove the AP. As you are a nice guy, you tell him that you won't report him... so you CLEAR the alarm. As you removed the AP, you don't need that alarm anymore... but you want to keep track that it happened. If the guy brings the AP again, you want to get an alarm and know that it is not the first time. This time, you'll get him fired... :-) Why don't you delete or acknowledge? Because if you acknowledged, the alarm would not show anymore, even if the guy brings it back to the network (acknowledge says "don't bother me with this alarm anymore"). If you deleted, the alarm would re-appear the next time the guy brings the AP, but you would not be able to see if it was the first time or not...

- Your neighbour AP keeps showing up as a rogue. You get an alarm. You cannot remove this AP. So you ACKNOWLEDGE the alarm. This makes that the alarm will not show up anymore, regardless of your neighbour keeping the AP, changing its configuration or removing it. Basically, you know this AP, you cannot control it, so you just don't want to have warnings about something you cannot control and that is outside of your network anyway. Why don't you clear or delete it? Because then the alarm would show up again next time your neighbour plays with his AP...

- You remove an AP from the wall and put it in a box. AP status turns red on WCS and you get an alarm (AP status is down!). You remove the AP from WCS (monitor APs > Remove AP), and then DELETE the alarm. Why don't you clear it instead? Because if you re-plug the AP elsewhere, then remove it for another reason, you do not want the WCS to tell you: "Oh no, AP went down a second time!" It is not really a "second time" for you, as the AP was plugged elsewhere. To you, it is the AP second life, whereas for WCS it is still the same AP as the first time. So as these events are really distinct, you want to re-start from scratch, and this is why you delete the alarm. Why don't you Acknowledge the alarm? because if you re-plug the AP elsewhere, then remove it a second time, the AP status on the map will stay green! (with Acknowledge, you told WCS not to bother you with this AP status anymore, so it does it).

So watch what you are asked, these 3 actions are very different.

As a side note, WCS has a feature to hide Acknowledged or Cleared alarms automatically. To configure (or unconfigure) these features, go to Administration > Settings > Alarm and check (or uncheck) the corresponding boxes.

2 comments:

  1. A Cleared alarm will be delete by the WCS after seven (7) days. This will be done automatically.
    Once the alarm is delete and it's occuring again, the alarm will be listed again.

    ReplyDelete
  2. Thanks to you! Finally I got some stuff in your blog post related. I was searching for some material related to matter included in post. Very useful and very informative. Thanks once again and do share some more posts if you have! CCIE Security

    ReplyDelete