Product and Software: This article applies to all Aruba APs and ArubaOS 2.x.
Sometimes a station's MAC address causes an AP to be classified as a rogue. This can happen if we do not see some of the packets from the station that would let us determine its state, but we do see other packets that the AP relays on behalf of the station. The following changes should help with this scenario and others.
1) Make classification through valid/unsecure APs configurable. The new CLI option for this is "wms ap-policy overlay-classification". This mode is disabled by default to reduce false positives. Enable this option to use this feature.
If overlay-classification is enabled, the wired-MAC addresses collected on the air for valid/rogue APs will be used as addresses of devices on the trusted network. They will be compared against wired-MAC addresses that are collected on the air for an interfering AP to detect a rogue. This mechanism shows up as a Match-Type of "AP-Wired-MAC" in the "show wms rogue-ap" info.
If "overlay-classification" is disabled, these MAC addresses will not be used for detecting a rogue. Only wired-MAC addresses that are collected on the Aruba AP's Ethernet interface will be used to detect a rogue. This means that the Match-Type of "AP-Wired-MAC" will not be triggered.
2) Use only the gateway MACs that are collected on the Ethernet interface to match the wired MACs for interfering APs. This reduces false positives due to packets seen from a station before the device can be determined to be a station.
The gateway MACs are the gateway MACs of the Aruba AP and other Aruba APs that are in the same building (not the controller).
3) Use the +/-1 Match method ONLY for matching against BSSIDs to detect NAT APs.
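To make the three rules concrete, here is an added toy model of the matching logic (this is example code written for this article, not Aruba's implementation). The rule ordering, the `classify` function and the match-type labels other than "AP-Wired-MAC" are assumptions; the sample MACs are constructed.

```python
# Toy model of the three rogue-AP match rules from the article. Labels other than
# "AP-Wired-MAC" and the rule ordering are this example's own assumptions.
from dataclasses import dataclass


def mac_to_int(mac: str) -> int:
    """Parse 'aa:bb:cc:dd:ee:ff' (or dash form) into an integer for comparison."""
    return int(mac.lower().replace(":", "").replace("-", ""), 16)


def plus_minus_one(a: str, b: str) -> bool:
    """The +/-1 match: two MACs that differ by exactly 1, as a NAT AP's BSSID and
    its wired-side MAC typically do."""
    return abs(mac_to_int(a) - mac_to_int(b)) == 1


@dataclass
class InterferingAP:
    bssid: str
    wired_macs_seen: frozenset  # wired MACs observed on the air behind this AP


def classify(ap, gateway_macs, ap_wired_macs, eth_macs, overlay_classification=False):
    """Return (verdict, match_type) for one interfering AP.

    gateway_macs:  gateway MACs learned on the Aruba AP's Ethernet interface (rule 2)
    ap_wired_macs: wired MACs learned over the air from valid/rogue APs (rule 1,
                   consulted only when overlay-classification is enabled)
    eth_macs:      all wired MACs learned on the Ethernet interface; the +/-1 test
                   is applied ONLY between these and the BSSID (rule 3)
    """
    # Rule 2: only Ethernet-learned gateway MACs are matched exactly, so a client
    # MAC relayed by the interfering AP cannot by itself trigger a rogue verdict.
    if ap.wired_macs_seen & gateway_macs:
        return "rogue", "Gateway-MAC"
    # Rule 1: over-the-air AP wired MACs count only with overlay-classification on,
    # which is why the default (off) produces fewer false positives.
    if overlay_classification and ap.wired_macs_seen & ap_wired_macs:
        return "rogue", "AP-Wired-MAC"
    # Rule 3: +/-1 compares the BSSID to wired MACs, never the station MACs seen.
    if any(plus_minus_one(ap.bssid, m) for m in eth_macs):
        return "rogue", "NAT-AP-BSSID"
    return "interfering", None


# Constructed sample data: one gateway, one extra wired host, one MAC learned on
# the air from a valid AP.
GATEWAY_MACS = frozenset({"00:0b:86:00:00:01"})
ETH_MACS = frozenset({"00:0b:86:00:00:01", "00:1a:2b:3c:4d:10"})
AP_WIRED_MACS = frozenset({"00:1a:2b:3c:4d:20"})
```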