Moderator
cjoseph
Posts: 12,251
Registered: ‎03-29-2007

Re: L3 rogue detection


FlorianKueck wrote:

There is no way to see it on the dashboard?

 

Where is the information on how it was discovered? I'm not sure if it is really a rogue AP or an interfering one.

 

Rogue AP Info
-------------
Key           Value
---           -----
BSSID         00:11:XX:XX:XX
SSID          FRITZ!BoxFon WLAN 7170
Channel       12
Type          generic-ap
RAP Type      rogue
Status        up
Match Type    Eth-GW-Wired-Mac
Match MAC     00:a0:c5:XX:XX:XX
Match IP      0.0.0.0
Match AM      OAP-ZV0XX
Match Method  Exact-Match
Match Time    Tue Mar 27 09:09:50 2012


There is no way of seeing that level of detail on the dashboard, no.

 

RAP Type = Rogue means it is a rogue AP.

Match type - How it was discovered

Match mac - wired mac of that ap

Match ip - the ip address of the AP or controller that saw it on the wired network

Match AM - Wireless AP that saw it both on the wired and wireless

Match Method - Method used to classify that AP - Exact match means the wired and wireless mac are the same, and that is how it was classified

 

Colin Joseph
Aruba Customer Engineering
Contributor II
FlorianKueck
Posts: 50
Registered: ‎08-12-2011

Re: L3 rogue detection

Thanks a lot!

 

But I don't understand what this information wants to tell me:

Match Type    Eth-GW-Wired-Mac

I searched for the MAC address on our network. No success? I don't understand why the controller marks it as a rogue AP. If it were located in the wired network I should find the MAC. Otherwise I don't understand the definition of rogue.

Match MAC     00:a0:c5:XX:XX:XX

 

Moderator
cjoseph
Posts: 12,251
Registered: ‎03-29-2007

Re: L3 rogue detection


FlorianKueck wrote:

Thanks a lot!

 

But I don't understand what this information wants to tell me:

Match Type    Eth-GW-Wired-Mac

I searched for the MAC address on our network. No success? I don't understand why the controller marks it as a rogue AP. If it were located in the wired network I should find the MAC. Otherwise I don't understand the definition of rogue.

Match MAC     00:a0:c5:XX:XX:XX

 


That means a wired gateway was seen through an access point in the air.

 

Colin Joseph
Aruba Customer Engineering
Contributor II
FlorianKueck
Posts: 50
Registered: ‎08-12-2011

Re: L3 rogue detection


cjoseph wrote:

FlorianKueck wrote:

Thanks a lot!

 

But I don't understand what this information wants to tell me:

Match Type    Eth-GW-Wired-Mac

I searched for the MAC address on our network. No success? I don't understand why the controller marks it as a rogue AP. If it were located in the wired network I should find the MAC. Otherwise I don't understand the definition of rogue.

Match MAC     00:a0:c5:XX:XX:XX

 


That means a wired gateway was seen through an access point in the air.

 



And that means it is not a rogue AP, correct?

Moderator
cjoseph
Posts: 12,251
Registered: ‎03-29-2007

Re: L3 rogue detection

That means that it IS a rogue AP, because it sees wired traffic through it.

 

Colin Joseph
Aruba Customer Engineering
Contributor II
FlorianKueck
Posts: 50
Registered: ‎08-12-2011

Re: L3 rogue detection

My understanding of a rogue AP is that the controller is seeing the AP on the wired and also on the wireless side of its network.

 

Moderator
cjoseph
Posts: 12,251
Registered: ‎03-29-2007

Re: L3 rogue detection

Please open a support case so that they can look at your topology and configuration.  They will be able to answer all of your specific questions.  

 

My answers do not take into account all of the variables of your specific deployment, and might not be applicable.

 

Colin Joseph
Aruba Customer Engineering
MVP
NightShade1
Posts: 2,461
Registered: ‎10-25-2011

Re: L3 rogue detection


Hello Cjoseph,

I got a question regarding this.

I got a deployment at a client with the IPS.

Okay, at that client there is a VLAN in which they got all the APs and the wireless controller; that's the only thing in that VLAN, nothing else.

Now I got 2 APs as possible rogues:

1 AP is a known AP they got inside their corporation.

1 AP that they don't know about.

Now we have not YET activated or trunked ANY VLAN to the APs OR the wireless controller (the only VLANs that are trunked to the WC are the VLANs for the SSIDs that are distributing the Aruba APs).

If I look at the second AP, the one they don't know about, the SNR is really low, 5 or 6 is the number, and just 3 APs of all the APs can see it... and they all see it with a low number, 5, 6 or 7, on the SNR.

Now the known AP, which we all know is inside the company, almost all the APs can see it...

and when I run

Suspect Rogue AP Info
---------------------
Key               Value
---               -----
BSSID             74:f0:6d:20:da:98
SSID              ssidoftheap
Channel           2
Type              generic-ap
RAP Type          suspected-rogue
Confidence Level  20%
Status            up
Match Type        AP-Wired-Mac
Match MAC         00:16:43:c4:d0:0e
Match IP          0.0.0.0
Match AM          AP_C4
Match Method      Exact-Match
Helper AP BSSID   00:00:00:00:00:00
Match Time        Mon Feb 27 10:56:09 201

 

On the wireless controller I got 3 VLANs configured:

VLAN 500, the VLAN that the administration of the wireless controller is in,

VLAN 501, internal access

VLAN 502, guest access

They put the known AP (which is not an Aruba AP) on VLAN 501 for some reason.

They are not trunking any VLAN to those APs; they just got them on access on VLAN 500.

So how is it possible for AP_C4 to detect that from wired?

Even the other unknown AP I was talking about above was also detected as suspected rogue... but I manually changed it to interference.

Is there any way to clear the data on the dashboard on the security tab so it automatically reclassifies everything AGAIN, to see if it keeps detecting those APs as rogue and even with Match Type AP-Wired-Mac?

It's just that it's really odd... and I don't understand... The bigger issue is that I don't manage the network there, and the ones that are working with me are the security department, which is not the networking department... and they don't have access to anything of this...

The thing is that the MAC address, I mean this one, Match MAC 00:16:43:c4:d0:0e, is not in

show wms wired-mac prop-eth-mac

or in show wms system-wired-mac

 

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
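As an added example (not part of the thread and not Aruba tooling): a small Python parser for the Key/Value output quoted in the posts above, which gathers the fields explained in the moderator's first reply and repeats the wired-MAC lookup both posters describe doing by hand. The `wired_macs` argument is an assumption, standing in for whatever list of wired MAC addresses the operator has collected.

```python
import re
from datetime import datetime

# Sample copied from the "Suspect Rogue AP Info" output posted in this thread
# (some rows omitted; the truncated Match Time is kept as posted).
SAMPLE = """\
Suspect Rogue AP Info
---------------------
Key               Value
---               -----
BSSID             74:f0:6d:20:da:98
RAP Type          suspected-rogue
Confidence Level  20%
Match Type        AP-Wired-Mac
Match MAC         00:16:43:c4:d0:0e
Match IP          0.0.0.0
Match AM          AP_C4
Match Method      Exact-Match
Match Time        Mon Feb 27 10:56:09 201
"""

def parse_rogue_info(text):
    """Parse the two-column Key/Value block; skips title, header row, rulers, blanks."""
    fields = {}
    for line in text.splitlines():
        # Keys contain single spaces ("Match Type"), so split on 2+ spaces only.
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=1)
        if len(parts) != 2 or parts[0] in ("Key", "---"):
            continue
        fields[parts[0]] = parts[1]
    return fields

def triage(fields, wired_macs=()):
    """Summarise one entry for review; wired_macs is the operator's own inventory (assumed)."""
    notes = [f"{fields.get('BSSID', '?')}: RAP Type={fields.get('RAP Type', '?')}"]
    if "Confidence Level" in fields:
        notes.append(f"confidence {fields['Confidence Level']}")
    notes.append(f"discovered via {fields.get('Match Type', '?')} by {fields.get('Match AM', '?')}")
    mac = fields.get("Match MAC", "").lower()
    known = {m.lower() for m in wired_macs}
    notes.append(f"Match MAC {mac} " + ("found in" if mac in known else "not in") + " wired inventory")
    try:
        datetime.strptime(fields.get("Match Time", ""), "%a %b %d %H:%M:%S %Y")
    except ValueError:
        notes.append("Match Time missing or truncated")
    return notes

if __name__ == "__main__":
    for note in triage(parse_rogue_info(SAMPLE)):
        print(note)
```
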
Contributor II
baboyero
Posts: 72
Registered: ‎05-22-2011

Re: L3 rogue detection

Hello,

 

We are trying to setup L3 rogue detection. We currently have APs with ARM enabled but we don't have any dedicated air monitors. If we use L3 rogue detection, will the "hybrid" APs be able to detect rogue devices? If so, will that be on the wired and wireless medium? Also, following this link, it seems like we need to "trunk" VLANs to the APs so that they can receive broadcast frames, is this correct? When the AP receives these broadcast packets through the wired network, does it analyze the MAC address or does it forward the received wired frames to the controller for analysis? How can we implement this, is there any documentation out there that we can follow? Any help would be greatly appreciated. Thanks. 

MVP
NightShade1
Posts: 2,461
Registered: ‎10-25-2011

Re: L3 rogue detection

Hello,

Look, you have 2 options:

1-Trunk the VLAN to the APs

2-Trunk the VLANs to the wireless controller and issue the command config t wms general learn-system-wired-macs enable

Hybrid APs can see it, but remember hybrid APs got 2 functions:

1-Give access to clients (which is the principal function)

2-Scan on other channels

The IPS/IDS without air monitors just doesn't work well... if you don't have air monitors then in my opinion you should not put in IPS/IDS...

Because, for example, if you got a rule that the valid clients cannot connect to other APs that are not valid, then if you have no air monitor and you got hybrid APs... if you connect to a non-valid AP when the AP is serving clients you will be able to connect... you see? It just doesn't work....

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp