07-28-2016 01:26 PM - edited 07-28-2016 01:27 PM
Are there commands to get details on rogue matches and suspected rogues? For example, if the match type is "AP-Wired-MAC-Table", is there a way to see the wired mac of the rogue/suspected-rogue that it saw on the wired network? I don't have airwave, so I'm looking to track down the ports these APs are plugged into via wired MAC tables.
Any other tips on tracking down rogues and/or investigating suspected rogues?
07-28-2016 01:39 PM
Wait, I might still be confused:
So I have a suspected rogue (20%) and there is an SSID listed that's not mine. The match type is "Eth-Wired-Mac". I check my MAC table and I notice that the "Match MAC" is the MAC of my router.
Is the "Match MAC" representing the MAC of the suspected rogue? So in this case, it's a false positive and I can ignore it? Or is the "Match MAC" representing something else, like the gateway that the clients on the rogue are hitting?
07-28-2016 03:38 PM - edited 07-28-2016 03:49 PM
I found this:
--AP-Wired-MAC: Source MAC transmitted from AP matched a source MAC transmitted by a valid AP.--
So does this mean that the rogue BSSID has sent frames with the source MAC of my router at some point? Is there a legitimate likelyhook of this being a false positive?
**Also - is there a method for tracking down rogues without airwave?
07-28-2016 08:40 PM
What is the WLAN (Aruba Instant or Controller-based)? Both should have some kind of record or alert for rogue detected. It's not a common false positive, no, but what you cited is a match rule for a rogue, so it is worth investigating.
Sr. Techical Marketing Engineer
07-29-2016 09:29 AM
It is controller based and I'm looking at rogue detection. I have a handful of suspected rogues, but all are at 20% confidence level. These all have "Eth-Wired-MAC-Table" or "AP-Wired-MAC-Table" as the match type. Is there a valid reason why my AP would see a frame with a source MAC coming out of an interferring/rogue AP. I assume there is since this one indicator only makes up for a 20% confidence level.
In some of these cases, however, the match-MAC is actually my router's MAC. Would there be a reason why my AP would see someone else's AP sending a frame with my router's MAC as the source if it wasn't connected to my wired network? Specifically, these rogues are of a neighboring business and seem to be legitimate access points on their own network.
Of the one rogue I have that is at 100% confidence, the reason is "Eth-GW-Wired-MAC-Table". This one is interesting though because I don't see the violating MAC address in the mac table on my router that's in the wired subnet that the AP connects to. I also don't see the mac in the AP enet-table or gateway table. Could there be a legitimate reason for this?
Do the rogue entries eventually age out if they're not seen again? If not, is there a way to clear and/or refresh this data?
07-29-2016 10:38 AM
Rogue entries don't usually age out unless the WMS DB is flushed out, or the rogue itself is cleared. The only reason I can think of that your router MAC would leak out is if there was (even temporarily) a rogue, or someone bridged a wired connection out their wireless device (laptop, etc).
You should be able to delete with
clear wms ap <bssid_of_rogue>
Sr. Techical Marketing Engineer
07-29-2016 12:14 PM
Thanks. I cleared it some of the old ones out.
I still have some entries from today, however, and I can't seem to track down the match-MAC on my wired network anywhere. Is it possible for a "rogue" to be spotted due to anything other than:
a.) My client bridges networks.
b.) The rogue is plugged into my network?
Most of my rogues are in remote data centers where we have APs and it seems like the rogues are all virtual APs from the same organization and all seem to have open and/or guest networks. If my client connects to my network, then to one of these guest networks, could that trigger a suspected rogue? Or would the client have to bridge wired/wireless networks?
I don't see the match-mac for this entry on the AP or router though, so that's weird too.