Rogue AP Containment

Question: How to Enable or Disable Rogue AP Containment on the Mobility Access Switch?

Starting with ArubaOS 7.4, rogue AP containment on the Mobility Access Switch (MAS) can be enabled, disabled and configured from the CLI. In ArubaOS 7.3.x the feature was enabled by default and was not configurable.

You can now enable or disable rogue AP containment and configure the action taken on the list of MAC addresses that an Instant AP (IAP) reports as rogue. The default action is to shut down the access port (and its PoE) on which the rogue MAC address is detected; if the MAC address is detected on a trunk port, it is discarded and blacklisted instead.

When an IAP detects an AP as rogue, it sends the MAC address of that AP to the Mobility Access Switch using Aruba's proprietary LLDP TLV (a MAC information TLV with the action set to Blacklist). The switch then applies the configured containment action to the MAC addresses received from the IAP.

You can enforce one of the following actions on the MAC addresses received from the IAP using the CLI:

  • Default—If the MAC address is detected on a trunk port or on an untrusted access port, it is blacklisted and a message is logged to syslog. If it is detected on a trusted access port, the port and its PoE are shut down. You can optionally configure an auto-recovery time for the port in seconds; the default is 300 seconds and the allowed range is 0-65535 seconds.
  • Log—Discards the MAC address and logs it as a blacklisted address.

This feature is enabled by default.
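To make the port-type and action matrix above concrete, here is a small Python model of the containment decision (an added example written for this article, not ArubaOS or Aruba code). The port roles, the port names such as gi0/0/1, the MAC addresses, and the assumption that an auto-recovery time of 0 leaves the port down until an operator re-enables it are all constructed for the illustration; the 300-second default and the 0-65535 range come from the text.

```python
# Model of the rogue AP containment decision described in the article.
# Illustration only, not ArubaOS code: port roles, field names and the
# treatment of auto-recovery-time 0 are assumptions of this model.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

TRUNK = "trunk"
TRUSTED_ACCESS = "trusted-access"
UNTRUSTED_ACCESS = "untrusted-access"


@dataclass
class Port:
    name: str
    role: str
    up: bool = True
    poe: bool = True
    shutdown_at: Optional[int] = None  # seconds timestamp when containment shut it down


@dataclass
class ContainmentPolicy:
    """Switch-side state of the rogue-ap-containment feature (model only)."""
    ports: Dict[str, Port]
    enabled: bool = True                 # the feature is enabled by default
    action: str = "default"              # "default" or "log"
    auto_recovery_time: int = 300        # seconds; default 300, range 0-65535
    blacklist: Set[str] = field(default_factory=set)
    syslog: List[str] = field(default_factory=list)

    def contain(self, mac: str, detected_on: str, now: int) -> str:
        """Apply the configured action to one MAC address that an IAP reported
        as rogue (LLDP MAC information TLV, action Blacklist) and that the
        switch has detected on port `detected_on`. Returns the action taken."""
        if not self.enabled:
            return "none"
        port = self.ports[detected_on]
        if self.action == "log" or port.role in (TRUNK, UNTRUSTED_ACCESS):
            # Log action, trunk port or untrusted access port: the MAC is
            # discarded, recorded as blacklisted and logged; no port goes down.
            self.blacklist.add(mac)
            self.syslog.append(f"rogue AP {mac} blacklisted (seen on {port.name})")
            return "blacklisted"
        # Default action on a trusted access port: shut the port and its PoE
        # down and start the auto-recovery timer.
        port.up = False
        port.poe = False
        port.shutdown_at = now
        self.syslog.append(f"rogue AP {mac} on {port.name}: port and PoE shut down")
        return "port-shutdown"

    def recover(self, now: int) -> List[str]:
        """Re-enable ports whose auto-recovery time has elapsed. Assumption of
        this model: a value of 0 keeps the port down until an operator acts."""
        recovered = []
        for port in self.ports.values():
            if port.shutdown_at is None or self.auto_recovery_time == 0:
                continue
            if now - port.shutdown_at >= self.auto_recovery_time:
                port.up = port.poe = True
                port.shutdown_at = None
                recovered.append(port.name)
        return recovered


def demo() -> dict:
    """Constructed scenario: one trunk, one trusted and one untrusted access port,
    with the 50-second auto-recovery time from the article's sample configuration."""
    policy = ContainmentPolicy(
        ports={
            "gi0/0/1": Port("gi0/0/1", TRUNK),
            "gi0/0/2": Port("gi0/0/2", TRUSTED_ACCESS),
            "gi0/0/3": Port("gi0/0/3", UNTRUSTED_ACCESS),
        },
        auto_recovery_time=50,
    )
    return {
        "trunk": policy.contain("00:11:22:33:44:01", "gi0/0/1", now=1000),
        "trusted": policy.contain("00:11:22:33:44:02", "gi0/0/2", now=1000),
        "untrusted": policy.contain("00:11:22:33:44:03", "gi0/0/3", now=1000),
        "early_recovery": policy.recover(now=1040),  # 40 s elapsed, port stays down
        "late_recovery": policy.recover(now=1050),   # 50 s elapsed, port comes back
        "blacklist": sorted(policy.blacklist),
        "port2_up": policy.ports["gi0/0/2"].up,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the script shows the three outcomes side by side: the trunk and untrusted-access detections only blacklist the MAC, the trusted-access detection takes the port down, and the port returns once the auto-recovery time has elapsed.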
Important Points to Remember:

  • To enable rogue AP containment, connect the IAPs to LLDP-enabled MAS ports.
  • The rogue AP containment functionality is supported only on trusted ports.

Configuring Rogue AP Enforcement

Execute the following CLI commands to enable rogue AP containment:

(host) (config) #rogue-ap-containment
(host) (rogue-ap-containment) #enable

Use the following command to disable rogue AP enforcement:

(host) (rogue-ap-containment) #no enable

Use the following command to set the enforcement action on the MAC addresses received from the IAP, where <seconds> is the optional auto-recovery time (0-65535, default 300):

(host) (rogue-ap-containment) #action default auto-recovery-time <seconds> | log

Sample Configuration

(host) (rogue-ap-containment) #enable
(host) (rogue-ap-containment) #action default auto-recovery-time 50

Verifying Rogue AP Enforcement

Use the following command to verify the rogue AP enforcement:

(host) (rogue-ap-containment) #show ap-rogue-enforcement
rogue-ap-containment "default"
------------------------------
Parameter Value
--------- -----
Enforce Rouge AP Enabled
Action default
Auto Recovery Time 50
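When this output is collected from many switches, it helps to parse and audit it automatically. The following Python script is an added example (not Aruba code): it parses the show ap-rogue-enforcement table shown above into a dictionary and flags a switch where containment is disabled, the action is log rather than default, or the auto-recovery time exceeds a threshold. The sample text is the article's own output; the threshold and the finding messages are assumptions of the example.

```python
# Parse and audit `show ap-rogue-enforcement` output. Added illustration,
# not ArubaOS code. The sample is the article's output, including the
# "Rouge" spelling exactly as the switch prints it; thresholds are assumed.
from typing import Dict, List

SAMPLE_OUTPUT = """\
(host) (rogue-ap-containment) #show ap-rogue-enforcement
rogue-ap-containment "default"
------------------------------
Parameter Value
--------- -----
Enforce Rouge AP Enabled
Action default
Auto Recovery Time 50
"""


def parse_show_output(text: str) -> Dict[str, str]:
    """Return {parameter: value} for the table rows. Parameter names contain
    spaces but values are single tokens, so each row is split on its last
    whitespace run; the prompt, title and separator lines are skipped."""
    params: Dict[str, str] = {}
    in_table = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Parameter"):
            in_table = True  # header row; data rows follow the dashes
            continue
        if not in_table or not line or line.startswith("-"):
            continue
        parts = line.rsplit(None, 1)
        if len(parts) == 2:
            params[parts[0]] = parts[1]
    return params


def audit(params: Dict[str, str], max_recovery: int = 300) -> List[str]:
    """Findings a defender would want flagged: containment not enabled, the
    weaker 'log' action, or (with the default action) an auto-recovery time
    above `max_recovery` seconds. The threshold is an assumption."""
    findings: List[str] = []
    if params.get("Enforce Rouge AP") != "Enabled":
        findings.append("rogue AP containment is not enabled")
    action = params.get("Action")
    if action != "default":
        findings.append(f"action is {action!r}; offending ports will not be shut down")
        return findings
    try:
        recovery = int(params.get("Auto Recovery Time", ""))
    except ValueError:
        findings.append("auto recovery time missing or unparsable")
    else:
        if recovery > max_recovery:
            findings.append(f"auto recovery time {recovery}s exceeds {max_recovery}s")
    return findings


if __name__ == "__main__":
    parsed = parse_show_output(SAMPLE_OUTPUT)
    print(parsed)
    print(audit(parsed) or "OK: configuration matches expectations")
```

Feeding the script the output of each switch (for example, collected over SSH by whatever inventory tooling is already in place) gives a quick list of switches whose containment setting has drifted from the intended baseline.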


Version history
Revision #: 1 of 1
Last update: 11-09-2014 01:04 AM