How to configure Rogue AP containment Feature on MAS 7.4 Code

Aruba Employee
  • Enhancement of Rogue AP Containment feature already supported on MAS.
  • When a rogue AP is detected by IAP, the IAP sends out the MAC Addresses to MAS for blacklisting
  • If MAS receives traffic from the blacklisted MAC entries on its wired ports, it either error-disables the interface or creates a DROP entry for that mac-address.
  • There was no user configurable option.

 
Feature has been made configurable

  1. enable/disable rogue AP containment.
  2. Select the action to be taken on blacklisted mac-address.
  3. Modify recovery timer for error-disabled interfaces.

 

  • Enable/disable feature

(ArubaS1500-24P) (config) #ap-rogue-enforcement
(ArubaS1500-24P) (rogue-ap-enforcement) #enable ?
<cr>
(ArubaS1500-24P) (rogue-ap-enforcement) #enable
(ArubaS1500-24P) (rogue-ap-enforcement) #
 

  • Modify action

(ArubaS1500-24P) (rogue-ap-enforcement) #action ?
default                 Trunk Ports: Discard blacklisted MAC addresses and log. Access Port: Shutdown port and PoE on detection of blacklisted MAC address
 

  • Change error-recovery timer

(ArubaS1500-24P) (config) #ap-rogue-enforcement
(ArubaS1500-24P) (rogue-ap-enforcement) #action default ?
auto-recovery-time      Time to recover port from shutdown in seconds.
                        Default: 300. Allowed Range: [0-65535]
<cr>
(ArubaS1500-24P) (rogue-ap-enforcement) #
* With auto-recovery value of 0, interface will never auto-recover, and will required manual intervention.
 
(ArubaS1500-24P) #show ap-rogue-enforcement
rogue-ap-enforcement "default"
------------------------------
Parameter           Value
---------           -----
Enforce Rouge AP    Disabled
Action              default
Auto Recovery Time  300
(ArubaS1500-24P) #
 
 

  • Check blacklisted mac-address send by IAP

(ArubaS1500-24P) #show lldp neighbor interface  gigabitethernet 2/0/0 detail
 
Interface: gigabitethernet2/0/0, Number of neighbors: 1
------------------------------------------------------------
<Output Truncated>
Autoneg capability:
  10Base-T, HD: yes, FD: yes
  100Base-T, HD: yes, FD: yes
  1000Base-T, HD: yes, FD: yes
Media attached unit type: 1000BaseTFD - Four-pair Category 5 UTP, full duplex mode (30)
MAC:          44:6d:57:b4:2e:39: Blacklist
MAC:          60:d8:19:5b:d2:fd: Blacklist
MAC:          6c:f3:7f:c4:4c:72: Blacklist
802.3 Power:
 Port ID:      MAC 6c:f3:7f:c3:67:2a
 Port Description: eth0
 MDI Power:
        Supported:   No
        Enabled:     No
 <Output Truncated>
 
 

  • Check interface error-disabled state

(ArubaS1500-24P) #show port-error-recovery
 
Layer-2 Interface Error Information
-----------------------------------
Interface  Error                        Error seen time            Recovery time
---------  -----                        ---------------            -------------
GE0/0/47   Blacklisted device detected  2014-07-23 17:08:45 (PST)  2014-07-23 17:18:44 (PST)
GE1/0/47   Blacklisted device detected  2014-07-23 17:08:41 (PST)  2014-07-23 17:18:40 (PST)
GE2/0/23   Blacklisted device detected  2014-07-23 17:08:43 (PST)  2014-07-23 17:18:42 (PST)
 
(ArubaS1500-24P) #

  • Bring Up error-disabled port

(ArubaS1500-24P) #clear port-error-recovery
 
 

  • Log generated when blacklisted mac-address is detected on wired interface
  • Information is logged in security logs.

 (ArubaS1500-24P) (config) # logging level errors security
 
 (ArubaS1500-24P)# show log security 10 | include Blacklisted
Jul 24 06:59:31 :128009: <ERRS> |l2m| Blacklisted MAC seen on gigabitethernet2/0/23, shutting down the interface
Jul 24 06:59:31 :128010:  <ERRS> |l2m|  Blacklisted MAC 6c:f3:7f:c4:4c:72 on interface GE0/0/47
 
 
Notes
----------
 

  1. Enabled by default.
  2. Default auto-recovery-timer is 300 seconds
  3. Default action is :
    • Trunk Ports: Discard blacklisted MAC addresses and  log.
    •  Access Port: Shutdown port and PoE on detection of blacklisted mac-address
  4. If blacklisted mac is learned on untrusted interface, mac is discarded, instead of error disabling interface.
  5. No action is taken on interface that is configured to learn mac-addresses as STICKY.
  6. No aging for Blacklisted mac ie blacklisted mac-addresses are cleared only after IAP stops sending out the MAC Addresses to MAS for blacklisting.
Version history
Revision #:
1 of 1
Last update:
‎04-07-2015 02:07 PM
Updated by:
 
Labels (1)
Contributors
Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: