Wired-containment for L3 NAT rogue on iAP 4.2.3

Aruba Employee
Q:

Wired-containment for L3 NAT rogue on iAP 4.2.3



A:

Before 4.2.3.0, we did not support wired-containment for L3 NAT rogues.

In 4.2.3.0, we introduced two knobs that enable wired-containment for two kinds of L3 NAT rogue.

Note: There is no UI support for these knobs.

configure terminal
 ids
    wired-containment-ap-adj-mac
    no wired-containment-ap-adj-mac
    wired-containment-susp-l3-rogue
    no wired-containment-susp-l3-rogue

The wired-containment-ap-adj-mac feature contains layer-3 APs whose wired interface MAC addresses are either the same as (or one character off from) their BSSIDs.

ac:a3:1e:cd:3c:4e# show ids aps
Unknown Access Points Detected
------------------------------
MAC Address        Network            Classification  Chan.  Type     Last Seen
-----------        -------            --------------  -----  ----     ---------
d0:c7:c0:32:77:24  000TP-LINK_227724  Rogue           1      GN 40MZ  06:03:11

Log (d0:c7:c0:32:77:24 is a L3-Rogue):

Jan  2 06:10:33  sapd[3562]: <127104> <WARN> |AP ac:a3:1e:cd:3c:4e@192.168.3.251 sapd| |ids-ap| AP(ac:a3:1e:53:c4:e0): AP Wired Containment: An AP attempted to contain an access point (BSSID d0:c7:c0:32:77:24) by disconnecting client (MAC d0:c7:c0:32:77:24) by disrupting device with IP 192.168.3.237 and MAC d0:c7:c0:32:77:23.

 

The wired-containment-susp-l3-rogue feature contains an AP whose preset wired MAC address is completely different from the AP’s BSSID, if the MAC address that the AP provides to wireless clients as the “gateway MAC” is offset by one character from its wired MAC address.

Log (94:b4:0f:9b:0d:72 is a Susp-L3-Rogue):

ac:a3:1e:cd:3c:4e# show ids aps
Unknown Access Points Detected
------------------------------
MAC Address        Network            Classification  Chan.  Type     Last Seen
-----------        -------            --------------  -----  ----     ---------
94:b4:0f:9b:0d:72  225nat             Suspect-Rogue   52     AC 80MZ  08:31:30

Jan  1 08:03:52  sapd[3595]: <127104> <WARN> |AP ac:a3:1e:cd:3c:4e@192.168.3.253 sapd| |ids-ap| AP(ac:a3:1e:53:c4:f0): AP Wired Containment: An AP attempted to contain an access point (BSSID 94:b4:0f:9b:0d:72) by disconnecting client (MAC 94:b4:0f:9b:0d:72) by disrupting device with IP 192.168.3.242 and MAC 94:b4:0f:c1:b0:d5.
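An added example (not from the original article or from Aruba): a Python parser for the "AP Wired Containment" log message shown above, for auditing which wired device each containment action targeted and how its MAC relates to the rogue's BSSID. It treats "one character off" as at most one differing hex digit, which is an assumption about the article's wording; the function names are illustrative.

```python
import re

# Log lines copied from the two examples on this page.
SAMPLE_LOGS = [
    "Jan  2 06:10:33  sapd[3562]: <127104> <WARN> |AP ac:a3:1e:cd:3c:4e@192.168.3.251 sapd| |ids-ap| AP(ac:a3:1e:53:c4:e0): AP Wired Containment: An AP attempted to contain an access point (BSSID d0:c7:c0:32:77:24) by disconnecting client (MAC d0:c7:c0:32:77:24) by disrupting device with IP 192.168.3.237 and MAC d0:c7:c0:32:77:23.",
    "Jan  1 08:03:52  sapd[3595]: <127104> <WARN> |AP ac:a3:1e:cd:3c:4e@192.168.3.253 sapd| |ids-ap| AP(ac:a3:1e:53:c4:f0): AP Wired Containment: An AP attempted to contain an access point (BSSID 94:b4:0f:9b:0d:72) by disconnecting client (MAC 94:b4:0f:9b:0d:72) by disrupting device with IP 192.168.3.242 and MAC 94:b4:0f:c1:b0:d5.",
]

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
# Message ID 127104 and the message wording are taken from the log lines above.
EVENT = re.compile(
    r"<127104>.*?\|AP (?P<reporter>" + MAC + r")@(?P<reporter_ip>[\d.]+) .*?"
    r"AP Wired Containment: .*?\(BSSID (?P<bssid>" + MAC + r")\).*?"
    r"device with IP (?P<device_ip>[\d.]+) and MAC (?P<wired_mac>" + MAC + r")",
    re.IGNORECASE,
)


def hex_char_distance(mac_a, mac_b):
    """Count the hex digits that differ between two MAC addresses."""
    a = mac_a.replace(":", "").lower()
    b = mac_b.replace(":", "").lower()
    return sum(x != y for x, y in zip(a, b))


def parse_event(line):
    """Return the containment event fields, or None if the line does not match."""
    m = EVENT.search(line)
    if m is None:
        return None
    event = {k: v.lower() for k, v in m.groupdict().items()}
    dist = hex_char_distance(event["bssid"], event["wired_mac"])
    event["distance"] = dist
    # Assumption: "same as or one character off" means at most one hex digit differs.
    event["relation"] = "ap-adj-mac" if dist <= 1 else "non-adjacent"
    return event


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        e = parse_event(line)
        print(e["bssid"], "->", e["device_ip"], e["wired_mac"], e["relation"])
```

A "non-adjacent" result does not by itself confirm the susp-l3-rogue case, because the gateway MAC that feature compares against does not appear in the log message.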

 

Version history
Revision #: 2 of 2
Last update: 03-29-2017 04:32 PM