Re: L3 rogue detection
03-27-2012 02:47 AM
FlorianKueck wrote:
There is no way to see it on the dashboard?
Where is the information how it was discovered? I'm not sure if it is really a rogue AP or an interfering one.
Rogue AP Info
-------------
Key Value
--- -----
BSSID 00:11:XX:XX:XX
SSID FRITZ!BoxFon WLAN 7170
Channel 12
Type generic-ap
RAP Type rogue
Status up
Match Type Eth-GW-Wired-Mac
Match MAC 00:a0:c5:XX:XX:XX
Match IP 0.0.0.0
Match AM OAP-ZV0XX
Match Method Exact-Match
Match Time Tue Mar 27 09:09:50 2012
There is no way of seeing that level of detail on the dashboard, no.
RAP Type = Rogue means it is a rogue AP.
Match type - How it was discovered
Match mac - wired mac of that ap
Match ip - the ip address of the AP or controller that saw it on the wired network
Match AM - Wireless AP that saw it both on the wired and wireless
Match Method - Method used to classify that AP - Exact match means the wired and wireless mac are the same, and that is how it was classified
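The field meanings listed in the reply above can be checked mechanically. The following is an added example, not part of the original posts and not Aruba code: it parses a `Rogue AP Info` block and compares the Match MAC against a wired MAC list. The sample output is constructed, and `wired_macs` is an assumed inventory you collect yourself (for instance from switch MAC tables).

```python
import re

# Field names as they appear in the controller output quoted in this thread.
KEYS = ["Helper AP BSSID", "Confidence Level", "Match Method", "Match Type",
        "Match Time", "Match MAC", "Match IP", "Match AM", "RAP Type",
        "Channel", "Status", "BSSID", "SSID", "Type"]

# Constructed sample in the same layout; every value is made up.
SAMPLE = """\
Suspect Rogue AP Info
Key                Value
---                -----
BSSID              02:00:00:aa:bb:01
SSID               example-ssid
Type               generic-ap
RAP Type           suspected-rogue
Confidence Level   20%
Match Type         AP-Wired-Mac
Match MAC          02:00:00:AA:BB:00
Match AM           AP_EXAMPLE
Match Method       Exact-Match
"""

def norm_mac(mac):
    """Lower-case a MAC and drop separators so notations compare equal."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())

def parse_rogue_info(text):
    """Parse the key/value block, with aligned or single-space columns."""
    record = {}
    for line in map(str.strip, text.splitlines()):
        for key in KEYS:
            if line.startswith(key + " "):
                record[key] = line[len(key):].strip()
                break
    return record

def triage(record, wired_macs):
    """Summarise the match evidence against a locally known wired MAC list."""
    known = {norm_mac(m) for m in wired_macs}
    conf = record.get("Confidence Level", "").rstrip("%")
    return {
        "classification": record.get("RAP Type"),
        "how_matched": record.get("Match Type"),
        "seen_by": record.get("Match AM"),
        "exact_match": record.get("Match Method") == "Exact-Match",
        "confidence": int(conf) if conf.isdigit() else None,
        "match_mac_in_inventory": norm_mac(record.get("Match MAC", "")) in known,
    }
```

When `match_mac_in_inventory` is false, the wired MAC the sensor matched on is not in your own records, which is the situation described later in this thread.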
Re: L3 rogue detection
03-27-2012 03:01 AM
Thanks a lot!
But I don't understand what this information wants to tell me:
Match Type Eth-GW-Wired-Mac
I searched the MAC address on our network. No success? I don't understand why the controller marks it as rogue AP. If it were located in the wired network I should find the MAC. Otherwise I don't understand the definition of rogue.
Match MAC 00:a0:c5:XX:XX:XX
Re: L3 rogue detection
03-27-2012 03:20 AM
FlorianKueck wrote:
Thanks a lot!
But I don't understand what this information wants to tell me:
Match Type Eth-GW-Wired-Mac
I searched the MAC address on our network. No success? I don't understand why the controller marks it as rogue AP. If it were located in the wired network I should find the MAC. Otherwise I don't understand the definition of rogue.
Match MAC 00:a0:c5:XX:XX:XX
That means a wired gateway was seen through an access point in the air.
Re: L3 rogue detection
03-27-2012 05:35 AM
cjoseph wrote:
FlorianKueck wrote:
Thanks a lot!
But I don't understand what this information wants to tell me:
Match Type Eth-GW-Wired-Mac
I searched the MAC address on our network. No success? I don't understand why the controller marks it as rogue AP. If it were located in the wired network I should find the MAC. Otherwise I don't understand the definition of rogue.
Match MAC 00:a0:c5:XX:XX:XX
That means a wired gateway was seen through an access point in the air.
And that means it is not a rogue AP, correct?
Re: L3 rogue detection
03-27-2012 05:40 AM
That means that it IS a rogue AP, because it sees wired traffic through it.
Re: L3 rogue detection
03-27-2012 05:43 AM
My understanding of a rogue AP is that the controller is seeing the AP on the wired and also on the wireless side of its network.
Re: L3 rogue detection
03-27-2012 05:46 AM
Please open a support case so that they can look at your topology and configuration. They will be able to answer all of your specific questions.
My answers do not take into account all of the variables of your specific deployment, and might not be applicable.
Re: L3 rogue detection
03-28-2012 10:58 AM - edited 03-28-2012 11:01 AM
Hello Cjoseph
I got a question regarding this.
I got a deployment on a client with the IPS.
Okay, in that client there is a vlan in which they got all the APs and the wireless controller; that's the only thing in that vlan, nothing else.
Now I got 2 APs as possible rogue:
1 AP is a known AP they got inside their corporation
1 AP that they don't know about.
Now we have not YET activated or trunked ANY vlan to the APs OR the wireless controller (the only vlans that are trunked to the WC are the vlans for the SSIDs that are distributing the Aruba APs).
If I see the second AP they don't know about, the SNR is really low, 5 or 6 is the number, and just 3 APs of all the APs can see it... and they all see it with a low number, 5, 6 or 7, on the SNR.
Now on the known AP that we all know is inside the company, almost all the APs can see it...
and when I run
Suspect Rogue AP Info
---------------------
Key Value
--- -----
BSSID 74:f0:6d:20:da:98
SSID ssidoftheap
Channel 2
Type generic-ap
RAP Type suspected-rogue
Confidence Level 20%
Status up
Match Type AP-Wired-Mac
Match MAC 00:16:43:c4:d0:0e
Match IP 0.0.0.0
Match AM AP_C4
Match Method Exact-Match
Helper AP BSSID 00:00:00:00:00:00
Match Time Mon Feb 27 10:56:09 201
on the wireless controller
I got 3 vlans configured on the WC:
vlan 500 the vlan that the administration of the wireless controller is,
vlan 501 internal access
vlan 502 guest access
They put the known AP (which is not an Aruba AP) on vlan 501 for some reason.
They are not trunking any vlan to those APs; they just got it on access on the vlan 500.
So how is it possible for the AP_C4 to detect that from wired?
Even the other unknown AP I was talking about above also was detected as suspected rogue... but I manually changed it to interference.
Is there any way to clear the data on the dashboard on the security tab so it reclassifies automatically everything AGAIN, to see if it keeps detecting those APs as rogue and even with Match Type AP-Wired-Mac?
It's just that it's really odd... and I don't understand... the bigger issue is that I don't manage the network there and the ones that are working with me are the security department, which is not the networking department... and they don't have access to anything of this...
The thing is that the MAC address, I mean this one, Match MAC 00:16:43:c4:d0:0e, is not on
show wms wired-mac prop-eth-mac
or on show wms system-wired-mac
Product Manager - Aruba Networks
Alternetworks Corp
Re: L3 rogue detection
10-31-2012 03:57 PM
Hello,
We are trying to setup L3 rogue detection. We currently have APs with ARM enabled but we don't have any dedicated air monitors. If we use L3 rogue detection, will the "hybrid" APs be able to detect rogue devices? If so, will that be on the wired and wireless medium? Also, following this link, it seems like we need to "trunk" VLANs to the APs so that they can receive broadcast frames, is this correct? When the AP receives these broadcast packets through the wired network, does it analyze the MAC address or does it forward the received wired frames to the controller for analysis? How can we implement this, is there any documentation out there that we can follow? Any help would be greatly appreciated. Thanks.
Re: L3 rogue detection
10-31-2012 04:05 PM
Hello
Look, you have 2 options:
1-Trunk the vlan to the APs
2-Trunk the vlans to the wireless controller and issue the command config t wms general learn-system-wired-macs enable
Hybrid APs can see it, but remember hybrid APs got 2 functions:
1-Give access to clients (which is the principal function)
2-Scan on other channels
The IPS/IDS without air monitors just doesn't work well... if you don't have air monitors then in my opinion you should not put IPS/IDS...
Because for example if you got a rule that the valid clients cannot connect to other APs that are not valid, then if you have no air monitor and you got hybrid APs... if you connect to a non-valid AP when the AP is serving clients you will be able to connect... you see? It just doesn't work...
Product Manager - Aruba Networks
Alternetworks Corp






