
AirWave Rogue AP detection capability on a Cisco WLAN with no WLSE

  • 1.  AirWave Rogue AP detection capability on a Cisco WLAN with no WLSE

    Posted Mar 07, 2013 02:49 AM

    Hi,

     

    In the AirWave User Guide, it is mentioned that for Rogue AP detection on a Cisco WLAN infrastructure, the AirWave Management Platform (AMP) interacts with the Cisco WLSE.
    But Cisco WLSE is a product for which end-of-life has been announced.
    Does this mean that, for a Cisco WLAN infrastructure with WLC, WCS and MSE, the Rogue APs detected by the WLC or the IDS attacks detected by the MSE will not be available to the AirWave components (AMP, AirWave Management console)?

     

    Thanks,
    Tuhin



  • 2.  RE: AirWave Rogue AP detection capability on a Cisco WLAN with no WLSE

    EMPLOYEE
    Posted Mar 07, 2013 12:35 PM

    Someone please correct me if I'm wrong, it's been a while since I've seen a WLSE.  I believe the WLSE was needed only if you had Cisco Autonomous APs (IOS APs).  For LWAPP APs, AirWave gets rogue data directly from the WLC controllers.  So as long as your WLC is up and running, AirWave should continue to process your rogue data.



  • 3.  RE: AirWave Rogue AP detection capability on a Cisco WLAN with no WLSE

    Posted Mar 11, 2013 02:39 AM
    Hi Rob,

    Thanks for the reply. We have many Cisco WLAN infrastructures with the Cisco APs working in hybrid mode (the same data-serving AP does scanning in a time-sliced way). The objective is to provide a centralized capability for Rogue AP detection and reporting. Can I have a confirmation that the AirWave Management Platform will be able to retrieve the rogue detection data from the WLC? The latest AirWave User Guide clearly mentions that WLSE would be required for AMP to fetch the rogue AP data.

    Thanks,
    Tuhin


  • 4.  RE: AirWave Rogue AP detection capability on a Cisco WLAN with no WLSE

    EMPLOYEE
    Posted Mar 11, 2013 03:03 AM

    I'll be away from the lab attending Airheads.  Let me see if someone else is available to test and confirm.



  • 5.  RE: AirWave Rogue AP detection capability on a Cisco WLAN with no WLSE

    Posted Mar 19, 2013 07:28 AM

    Hi Rob,

     

    Is there any update on whether AirWave will be able to directly fetch the Rogue AP data from the Cisco WLC? If yes, what interface is used by AirWave to interface with the Cisco WLC for fetching the Rogue AP data?

     

    Thanks,

    Tuhin



  • 6.  RE: AirWave Rogue AP detection capability on a Cisco WLAN with no WLSE

    EMPLOYEE
    Posted Mar 19, 2013 11:42 AM

    Hey Tuhin,

     

    One of the other QA engineers is looking into this.  So far, they've confirmed rogue data is gotten from the Cisco WLC, but I'm waiting for confirmation that the data reflects both wired and wireless.  My hunch is that it's only wireless data that we get from SNMP, which would mean you'd have to add the edge switches to AMP to get the wired correlation (if your definition of a rogue has the requirement that it's something found on both wired and wireless).  I'll update once I have more information.



  • 7.  RE: AirWave Rogue AP detection capability on a Cisco WLAN with no WLSE

    EMPLOYEE
    Posted Mar 25, 2013 04:49 PM

    Update:

     

    With a Cisco WLC, AMP will only get wireless rogues using the 'Wireless AP Scan' technique.  For wired correlation, you will need to add the edge switches (for bridge forwarding and CDP neighbor tables).



  • 8.  RE: AirWave Rogue AP detection capability on a Cisco WLAN with no WLSE

    Posted Mar 26, 2013 03:55 AM

    Hi Rob,

    Thanks a lot for the confirmation.

    In our deployment the Cisco WLC sits at the data center and manages Cisco APs situated at remote locations configured in H-REAP mode.

    Below is the sample deployment.

        Data Center       |        Remote Location
                          |
    Cisco WLC ------------|---------Router----Switch-------AP
        |                 |
       AMP

    There will be multiple remote locations managed from a single WLC.

    In the above deployment, if the WLC, Switch and AP are configured in a single device group, it seems the AMP located at the data center will be able to do the wired correlation by retrieving data from the remotely located switch.


    As in our case the Cisco WLC will be serving multiple venues, can the same WLC be put in multiple groups?


    Also, I have another question. The Cisco WLC by itself identifies the Rogue APs and forwards SNMP Traps to the registered listeners. Is this interface used by AirWave to list the Rogue APs detected by the WLC? Or is AirWave only dependent on the Wireless AP Scan data from the WLC?

    Thanks,
    Tuhin



  • 9.  RE: AirWave Rogue AP detection capability on a Cisco WLAN with no WLSE
    Best Answer

    EMPLOYEE
    Posted Mar 26, 2013 12:17 PM

    SNMP traps from the WLC may help provide additional correlation, but from my experience, most customers with WLCs rely on the WLC for just the wireless data, and then use switches for all wired data.  It doesn't hurt to set AMP as a destination for SNMP traps, but AMP will use its own rules to classify the state of rogues (see RAPIDS -> rules; note that the rules are run from the top down, and RAPIDS ceases progressing through the rules once a valid rule is met).
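
The top-down, first-match evaluation described in the last reply, combined with the earlier point that a WLC alone supplies only wireless sightings, modelled as an added example. It is not part of the thread and is not AirWave or RAPIDS code: the rule names, fields and classification labels are hypothetical, and the sample discoveries are constructed.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Discovery:
    bssid: str
    seen_wireless: bool  # reported by the WLC's wireless AP scan
    seen_wired: bool     # MAC found in an edge switch bridge forwarding table


@dataclass(frozen=True)
class Rule:
    name: str                               # hypothetical rule name
    matches: Callable[[Discovery], bool]
    classification: str                     # hypothetical label


def classify(d: Discovery, rules: List[Rule]) -> Tuple[str, Optional[str]]:
    """Walk the rules top down and stop at the first one that matches."""
    for rule in rules:
        if rule.matches(d):
            return rule.classification, rule.name
    return "unclassified", None


def shadowed_rules(rules: List[Rule], samples: List[Discovery]) -> List[str]:
    """Names of rules that never decide the outcome for any sample."""
    winners = {classify(d, rules)[1] for d in samples}
    return [r.name for r in rules if r.name not in winners]


ON_WIRE_AND_AIR = Rule("on_wire_and_air", lambda d: d.seen_wireless and d.seen_wired, "rogue")
ON_AIR = Rule("on_air", lambda d: d.seen_wireless, "suspected rogue")

# Constructed sample data (locally administered MAC addresses).
WLC_AND_SWITCHES = [
    Discovery("02:00:00:00:00:01", True, True),
    Discovery("02:00:00:00:00:02", True, False),
]
# Same devices when only the WLC is polled: no wired sightings exist.
WLC_ONLY = [Discovery(d.bssid, d.seen_wireless, False) for d in WLC_AND_SWITCHES]

if __name__ == "__main__":
    for label, rules, data in [
        ("specific rule first", [ON_WIRE_AND_AIR, ON_AIR], WLC_AND_SWITCHES),
        ("broad rule first", [ON_AIR, ON_WIRE_AND_AIR], WLC_AND_SWITCHES),
        ("specific first, WLC only", [ON_WIRE_AND_AIR, ON_AIR], WLC_ONLY),
    ]:
        print(label, [classify(d, rules)[0] for d in data], "never fires:", shadowed_rules(rules, data))
```

A rule that `shadowed_rules` reports is either placed below a broader rule or depends on data the AMP is not collecting, such as wired sightings when no edge switches have been added.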