Controllerless Networks

Occasional Contributor I

Multi-Swarm IDS Classify

We have some buildings that have more than one Instant swarm. Access points from either swarm see the other swarms access points as interferers/rogues. This might explain some of our roaming problems. I've gone in and manually reclassified them as valid, but they seem to be bouncing back to interfering after being detected (or at least it seems). 

 

Any way to work around this? Auto-classify them based on MAC OUI? Other settings that should be set that wouldn't cause this to occur?

Guru Elite

Re: Multi-Swarm IDS Classify

You need to separate your two issues:

 

Roaming does not affect IDS and vice versa. If you are somehow containing APs that are rogue or interfering (not the default), that is the only way it could affect roaming...



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor I

Re: Multi-Swarm IDS Classify

We don't actively turn on the containment function, however when I classified the other swarm's APs as valid - I noticed in the VC GUI that the neighboring APs/clients graph increased. From that I came to a conclusion that because it previously wasn't valid, clients wouldn't necessarily roam to it since the AP really doesn't see it anyways, as it's been labeled as rogue/interfering. Sounds like that assumption is wrong.

 

Any way I can get the APs auto-classified as valid?

Re: Multi-Swarm IDS Classify

There is no mechanism that I am aware of to auto classify adjacent IAPs as valid from an IDS perspective. They should all be on separate L2 networks so they would never (or SHOULD never) flag as rogue (unless you are trunking adjacent VC VLANs to other VCs). But a neighboring VC classified as interfering should not impact any user sessions or roaming.

Jerrod Howard
Sr. Technical Marketing Engineer

Occasional Contributor I

Re: Multi-Swarm IDS Classify

They should all be on separate L2 networks

They currently are.

 

they would never (or SHOULD never) flag as rogue

They have been for quite a few APs, the rest are labeled as interfering

 

unless you are trunking adjacent VC VLANs to other VCs

We do not, AP switch port gets one VLAN assignment (depending on swarm)

 

But a neighboring VC classified as interfering should not impact any user sessions or roaming.

Good to know

Re: Multi-Swarm IDS Classify

If a VC is flagging another AP on a separate L2 VC as a rogue, and it's NOT being manually classified as a rogue, then you would need to find out how the rogue determination is being made (am wondering if it's doing a mac address range match). But if it's not and it's seeing wired and wireless, then something/someone is bridging the two VLANs. 

 

The L3 rogue detection rule uses wired+wireless mac adjacency by 8 slots. 

Jerrod Howard
Sr. Technical Marketing Engineer

Occasional Contributor I

Re: Multi-Swarm IDS Classify

you would need to find out how the rogue determination is being made (am wondering if it's doing a mac address range match)

How would I go about finding how it's being determined? Would L3_Mobility (we have it enabled) play a role in this at all?

Re: Multi-Swarm IDS Classify

For IAP, you would log in to the IAP VC and run 'show ids rogue-ap <macaddr>'. Here's an example from mine:

##########
Instant-d0:6a# show ids rogue-ap ac:a3:1e:53:c2:e2

Rogue AP Info
-------------
Key           Value
---           -----
BSSID         ac:a3:1e:53:c2:e2
SSID          zulu
Channel       6
Type          generic-ap
RAP Type      rogue
Status        up
Match Type    Eth-GW-Wired-Mac
Match MAC     70:10:6f:8c:8e:00
Match IP      192.168.150.254
Match AM      Instant-d0:6a
Match Method  Exact-Match
Match Time    Tue Feb 14 18:47:05 2017

Match caused by Gateway MAC 70:10:6f:8c:8e:00 seen by (AP name): Instant-d0:6a
Instant-d0:6a#
##########

I wouldn't think L3 mobility would have anything to do with it, but let's see what your output is first, for one of your rogues that is an adjacent IAP...

Jerrod Howard
Sr. Technical Marketing Engineer

Occasional Contributor I

Re: Multi-Swarm IDS Classify

Below is an example of a rogue device on another VC:

 

----

AP-108# show ids rogue-ap 84:d4:7e:eb:8c:73

Rogue AP Info
-------------
Key Value
--- -----
BSSID 84:d4:7e:eb:8c:73
SSID OURSITE-CORP
Channel 64
Type generic-ap
RAP Type rogue
Status up
Match Type Eth-GW-Wired-Mac
Match MAC 20:4e:71:3c:00:40
Match IP 10.85.200.1
Match AM AP-233
Match Method Exact-Match
Match Time Sat Feb 18 07:33:20 2017

Match caused by Gateway MAC 20:4e:71:3c:00:40 seen by (AP name): AP-233
AP-108#

Re: Multi-Swarm IDS Classify

So it's seeing the wired mac of a rogue AP with a wireless frame over the air. Something is likely bridged somewhere/somehow. You would need to run down the macaddrs on each side to see where they show up/if (noting that if it's a temporary bridge, etc that it may not show up all the time). 

Jerrod Howard
Sr. Technical Marketing Engineer
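As an added example (not code from the thread, from Aruba, or from either poster), a small Python helper that parses the `show ids rogue-ap` report posted above for AP-108 and puts the match reason into plain words; the 8-slot wired+wireless adjacency check assumes that a "slot" is one step of the numeric MAC value, which is my reading of Jerrod's remark, not a documented rule.

```python
# 'show ids rogue-ap' output as posted above (AP-108 / AP-233), embedded for the parser.
SAMPLE = """Rogue AP Info
-------------
Key Value
--- -----
BSSID 84:d4:7e:eb:8c:73
SSID OURSITE-CORP
Channel 64
Type generic-ap
RAP Type rogue
Status up
Match Type Eth-GW-Wired-Mac
Match MAC 20:4e:71:3c:00:40
Match IP 10.85.200.1
Match AM AP-233
Match Method Exact-Match
Match Time Sat Feb 18 07:33:20 2017
"""

# Field names printed by the command, matched as "<key> " prefixes so that the
# "RAP Type" and "Match Type" rows are not mistaken for the plain "Type" row.
KEYS = ("BSSID", "SSID", "Channel", "Type", "RAP Type", "Status", "Match Type",
        "Match MAC", "Match IP", "Match AM", "Match Method", "Match Time")

def parse_rogue_ap(text):
    """Return the Key/Value rows of one 'show ids rogue-ap' report as a dict."""
    info = {}
    for line in text.splitlines():
        for key in KEYS:
            if line.startswith(key + " "):
                info[key] = line[len(key):].strip()
                break
    return info

def macs_adjacent(mac_a, mac_b, slots=8):
    """The wired+wireless adjacency rule from the thread ("by 8 slots"). Assumption:
    a slot is one step of the 48-bit address value, so |a - b| <= slots is adjacent."""
    a, b = (int(m.replace(":", ""), 16) for m in (mac_a, mac_b))
    return abs(a - b) <= slots

def explain_match(info):
    """Say in plain words why the AM classified this BSSID as rogue."""
    mtype, wired = info.get("Match Type", ""), info.get("Match MAC")
    if mtype == "Eth-GW-Wired-Mac":
        return ("gateway MAC %s behind BSSID %s was also seen on the wire by %s, so the "
                "wireless and wired segments look bridged" % (wired, info["BSSID"], info["Match AM"]))
    if wired and macs_adjacent(info["BSSID"], wired):
        return "BSSID %s is adjacent to wired MAC %s (same device)" % (info["BSSID"], wired)
    return "match type %r reported by %s: trace %s on the wired side" % (mtype, info.get("Match AM"), wired)
```

Running `explain_match(parse_rogue_ap(SAMPLE))` on the AP-108 report names the gateway MAC and the AM that saw it on the wire, which is the bridging symptom the last reply describes.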