Wireless Access

Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.

How to demonstrate Rogue AP containment

  • 1.  How to demonstrate Rogue AP containment

    Posted 26 days ago
    Dear Experts, 

    If I want to demo/PoC rogue AP containment using a physical controller, what is the easiest way to demonstrate it in a lab?

    ------------------------------
    owais
    ------------------------------


  • 2.  RE: How to demonstrate Rogue AP containment

    EMPLOYEE
    Posted 25 days ago
    If you have a spare Instant AP, use that to create a 'rogue AP' by creating an SSID (can be WPA2-PSK) and connect a client to it, while the Instant AP is connected to the same wired network as your controller APs/or the controller. The AP VLAN should be the most reliable VLAN to connect the rogue AP. Another type of AP may work as well, as long as it's a bridging AP (so not a consumer router which performs NAT and does DHCP).

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: How to demonstrate Rogue AP containment

    Posted 25 days ago
    Dear Herman,

    The customer told me they will be using a TP-Link to check rogue AP containment. Can we still do it?





  • 4.  RE: How to demonstrate Rogue AP containment

    EMPLOYEE
    Posted 25 days ago
    If that can do bridge mode and you can connect it to the same wired network as your Aruba APs... then yes. Note that the Aruba definition of a Rogue AP is an AP that is not part of your network, but connected to the same wired network. It will only trigger if traffic is seen 'in the air' to another AP and also on the wired network.

    While not rogue AP, you could also demonstrate protect-valid-sta, which triggers when one of your clients first is connected to your own network, and then moves to an SSID broadcasted by another AP (could even be the personal hotspot on your phone).

    May be good to discuss with your local Aruba SE what would be the best to demonstrate to your customer. It also depends on the requirement (and the definition of rogue AP) of your customer.

    ------------------------------
    Herman Robers
    ------------------------
    ------------------------------



  • 5.  RE: How to demonstrate Rogue AP containment

    Posted 25 days ago

    Dear Herman,

     

    Understood. One last thing: we don't consider a wireless router a rogue AP if it's not working in bridge mode, right? Why is that?

     

    Best Regards

    Owais Iqbal

    CCIE | ACDX 

    Technical Consultant - Aruba Networks

    Mob/Whatsapp: +92-321-2960496

     






  • 6.  RE: How to demonstrate Rogue AP containment

    EMPLOYEE
    Posted 25 days ago
    That is because if the traffic is routed/natted, the MAC address used 'in the air' is different on the wire, so it's not possible to make the correlation. Another reason is that such routers offer DHCP services, and as soon as you connect to the wired network it will start handing out IP addresses and breaking functionality.

    The router-AP will probably show up as interfering; and you can do protect-valid-sta.

    ------------------------------
    Herman Robers
    ------------------------
    ------------------------------
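
The correlation described in the replies above, as an added example that is not part of any post and is not Aruba's classification code: a simplified Python model in which an unknown AP counts as 'rogue' only when a client MAC heard through it in the air also appears on the wired network, plus a check for the protect-valid-sta condition. The capture format, function names and all MAC addresses are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AirFrame:
    bssid: str   # AP radio MAC the frame went through
    client: str  # station MAC from the 802.11 header

def classify_aps(frames, wired_macs, valid_bssids):
    """Map each BSSID heard in the air to 'valid', 'rogue' or 'interfering'."""
    by_ap = {}
    for f in frames:
        by_ap.setdefault(f.bssid, set()).add(f.client)
    # Stations of our own APs are on the wire legitimately; leave them out.
    own = set().union(*(by_ap.get(b, set()) for b in valid_bssids))
    verdict = {}
    for bssid, stations in by_ap.items():
        if bssid in valid_bssids:
            verdict[bssid] = "valid"
        elif (stations - own) & set(wired_macs):  # same MAC in air and on wire
            verdict[bssid] = "rogue"
        else:                                     # heard in the air only
            verdict[bssid] = "interfering"
    return verdict

def valid_sta_moves(frames, valid_bssids):
    """(client, bssid) pairs: a station first seen on a valid AP later uses another AP."""
    known, moves = set(), []
    for f in frames:  # frames are in time order
        if f.bssid in valid_bssids:
            known.add(f.client)
        elif f.client in known and (f.client, f.bssid) not in moves:
            moves.append((f.client, f.bssid))
    return moves

# Constructed lab data; every MAC address below is made up.
VALID_AP, BRIDGE_AP, NAT_ROUTER = "02:00:00:00:0a:01", "02:00:00:00:0b:01", "02:00:00:00:0c:01"
LAPTOP, PHONE, TABLET = "02:00:00:00:01:11", "02:00:00:00:01:22", "02:00:00:00:01:33"
FRAMES = [
    AirFrame(VALID_AP, LAPTOP),    # corporate client on the managed AP
    AirFrame(BRIDGE_AP, PHONE),    # bridging AP: PHONE's MAC reaches the wire unchanged
    AirFrame(NAT_ROUTER, TABLET),  # NAT router: the wire only sees the router's WAN MAC
    AirFrame(NAT_ROUTER, LAPTOP),  # corporate client moves to the foreign SSID
]
WIRED = {LAPTOP, PHONE, "02:00:00:00:0c:ff"}  # last entry: router WAN MAC

if __name__ == "__main__":
    print(classify_aps(FRAMES, WIRED, {VALID_AP}))
    print(valid_sta_moves(FRAMES, {VALID_AP}))
```

With this data the bridging AP is classified as rogue, the NAT router only as interfering, and the laptop's move to the router's SSID is the one protect-valid-sta hit.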



  • 7.  RE: How to demonstrate Rogue AP containment

    MVP
    Posted 24 days ago
    Unless things have changed, you cannot use an Instant AP as a rogue. As soon as it sees the Instant AP virtual controller it associates itself. I found this issue when I had an Instant AP running and wanted to set up another one as a Remote AP. I could not do that while the original Instant AP network was active.

    ------------------------------
    Bruce Osborne ACCP ACMP
    Liberty University

    The views expressed here are my personal views and not those of my employer
    ------------------------------



  • 8.  RE: How to demonstrate Rogue AP containment

    Posted 24 days ago
    No, this is a controller setup, so no issues I guess.