Rogue AP Containment

Aruba Employee

Question: How to Enable or Disable Rogue AP Containment on Mobility Access Switch?

Starting from ArubaOS 7.4, the Mobility Access Switch allows you to configure the rogue AP containment using the CLI. This was enabled by default and was not configurable in ArubaOS 7.3.x versions.

We can now enable or disable rogue AP containment and configure the action to be taken on the list of MAC addresses received from IAP that are detected as rogue. The default action is to shut down the access port and PoE on which it is detected and to discard the MAC address of the rogue AP and blacklist it if detected on a trunk port.

When an IAP detects an AP as rogue, it sends the MAC address of that AP to the Mobility Access Switch using Aruba's proprietary LLDP TLV (a MAC information TLV with the action set to Blacklist). The Mobility Access Switch lets you enable or disable rogue AP containment and configure the action taken on the list of MAC addresses received from the IAP.
 
You can enforce one of the following actions on the MAC addresses received from the IAP using the CLI: 
 
  • Default—If the MAC address is detected on a trunk port or on an untrusted access port, it is blacklisted and a message is logged to the syslog. If it is detected on a trusted access port, the port and its PoE are shut down. You can optionally configure the auto recovery time for the port in seconds. The default value is 300 seconds and the allowed range is 0-65535 seconds.
  • Log—Discards the MAC address and logs it as a blacklisted address.
This feature is enabled by default.

Important Points to Remember:

  • To enable rogue AP containment, connect the IAPs to LLDP-enabled MAS ports.
  • The rogue AP containment functionality is supported only on trusted ports.

Configuring Rogue AP Enforcement

Execute the following CLI commands to enable rogue AP containment:

(host) (config) #rogue-ap-containment
(host) (rogue-ap-containment) #enable

Use the following command to disable rogue AP enforcement:

(host) (rogue-ap-containment) #no enable

Use the following command to set the enforcement action on the MAC addresses received from the IAP:

(host) (rogue-ap-containment) #action default <auto-recovery-time> | log

Sample Configuration

(host) (rogue-ap-containment) #enable
(host) (rogue-ap-containment) #action default auto-recovery-time 50

Verifying Rogue AP Enforcement

Use the following command to verify the rogue AP enforcement:

(host) (rogue-ap-containment) #show ap-rogue-enforcement
rogue-ap-containment "default"
------------------------------
Parameter           Value
---------           -----
Enforce Rouge AP    Enabled
Action              default
Auto Recovery Time  50
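As an added check that is not part of the original article, the following Python parses the show ap-rogue-enforcement output above and audits it against the constraints the page states (containment enabled, action default or log, auto-recovery time within 0-65535 seconds). The sample output and its column spacing are constructed for this example.

```python
import re

# Constructed sample of the MAS "show ap-rogue-enforcement" output shown on
# this page; the column spacing is an assumption, the field names are the page's.
SAMPLE_OUTPUT = """\
rogue-ap-containment "default"
------------------------------
Parameter           Value
---------           -----
Enforce Rouge AP    Enabled
Action              default
Auto Recovery Time  50
"""

# Constraints documented on the page: the action is "default" or "log", and
# the auto-recovery timer used by the default action is 0-65535 seconds.
VALID_ACTIONS = {"default", "log"}
RECOVERY_RANGE = (0, 65535)


def parse_show_output(text):
    """Turn the Parameter/Value table into a dict keyed by parameter name."""
    fields = {}
    in_table = False
    for line in text.splitlines():
        if re.match(r"^-+\s+-+$", line):  # the '---------  -----' column separator
            in_table = True
            continue
        if not in_table or not line.strip():
            continue
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=1)  # columns are space-padded
        if len(parts) == 2:
            fields[parts[0]] = parts[1]
    return fields


def audit_containment(text):
    """Return policy findings; an empty list means containment is enabled with a valid action and timer."""
    fields = parse_show_output(text)
    findings = []
    # The switch output on the page spells the label "Rouge"; accept both spellings.
    enforce = fields.get("Enforce Rogue AP", fields.get("Enforce Rouge AP", ""))
    if enforce.lower() != "enabled":
        findings.append("rogue AP containment is not enabled")
    action = fields.get("Action", "").lower()
    if action not in VALID_ACTIONS:
        findings.append("unexpected action %r" % action)
    if action == "default":
        timer = fields.get("Auto Recovery Time", "")
        if not timer.isdigit() or not RECOVERY_RANGE[0] <= int(timer) <= RECOVERY_RANGE[1]:
            findings.append("auto recovery time %r is outside 0-65535 seconds" % timer)
    return findings
```

Feeding the captured output of each switch to audit_containment gives a quick way to spot closets where containment was disabled or the recovery timer was set outside the documented range.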


Version history
Revision #:
1 of 1
Last update:
11-09-2014 01:04 AM

Comments
thom2544

Hi - I am trying to test this with Aruba OS switches in a large distributed environment. Controllers are a cluster of (4) 7240 with a 7210 master at (2) datacenters. APs are across 70 buildings (layer 3 at each building), so an Aruba OS switch in a wiring closet would be two layer 3 switches away from the 7240's at the data center. I've connected an Aruba 225 and an Avaya AP into the edge 2530 switch, have rogue containment blocking enabled, but do not see the Avaya as a rogue.

When I capture traffic I do not see any LLDP packets from the controllers. So my assumption is that those are contained by the broadcast domain of the 7240 mgmt vlan?

Thx!
