Wireless Access

 View Only
Expand all | Collapse all

L3 rogue detection

This thread has been viewed 9 times
  • 1.  L3 rogue detection

    Posted Mar 02, 2012 08:07 PM

    Okay i got a few question regard to this

    1- I dont need an Air monitor ap to use this... i just can use it with any ap?

    2-You just need to trunk all vlans that i want to be checked to one AP?

    3-If  i just need to trunk it to just one AP, it is recomended to trunk it to at leas 2? just in case one goes down?

    4-If i just trunk all the vlans to one AP, let say im a big company and i got  A LOT of vlans... is not recommened to trunk all vlans to one AP? or this just doesnt matter?

     

     

    Any good practice using this is welcome if any of you can mention them.

     

     



  • 2.  RE: L3 rogue detection
    Best Answer

    Posted Mar 03, 2012 06:41 AM

    @NightShade1 wrote:

    Okay i got a few question regard to this

    1- I dont need an Air monitor ap to use this... i just can use it with any ap?

    2-You just need to trunk all vlans that i want to be checked to one AP?

    3-If  i just need to trunk it to just one AP, it is recomended to trunk it to at leas 2? just in case one goes down?

    4-If i just trunk all the vlans to one AP, let say im a big company and i got  A LOT of vlans... is not recommened to trunk all vlans to one AP? or this just doesnt matter?

     

     

    Any good practice using this is welcome if any of you can mention them.

     

     


    1.  You can use an AP for detection, but an Air Monitor is much more effective.

    2.  Yes.

    3.  Yes, but the controller will also collect macs on any VLAN that is trunked to (System-Wired-MAC).  That is  a better approach.  

    4.  Please see comment #3

     

     



  • 3.  RE: L3 rogue detection

    Posted Mar 03, 2012 12:02 PM

    Hello Cjoseph

    thanks for asnwering my tread

     

    So in this case i would be able to trunk all the vlans to the Wireless controller INSTEAD of any AP, and it will still collect the mac address?

     

    If that true then i ask you something

    1-On the switch that the WC is plugged i trunk all the vlans to the WC

    2-On the WC do i have to configure the vlans and also trunk back even if i dont use them? or its like the AP in which i had to do nothing? on the AP i just trunk the vlans to it and thats it... but i dont trunk anything back, could you please clarify me this one for me cjoseph

     

    Thanks

     

     



  • 4.  RE: L3 rogue detection

    Posted Mar 03, 2012 04:42 PM

    It just has to be trunked to the controller.  To turn on wired mac learning:

     

    #config t wms general learn-system-wired-macs enable

     To see what macs the controller has learned:

     

    show wms wired-mac system-wired-mac

     To know if it is even on or not:

    show wms general



  • 5.  RE: L3 rogue detection

    Posted Mar 03, 2012 05:01 PM

    Thank you very much cjoseph

     

    just one last quesiton

    If you had APs on air monitor and you could just turn on this

    Which one you would pick?  any of those are okay ? one is not better than the other or at least less recommended?

     



  • 6.  RE: L3 rogue detection

    Posted Mar 03, 2012 05:03 PM

    A combination is best.

     

    There is always one remote VLAN that you cannot physically trunk to the controller.  You would put an AP on that trunk.

     



  • 7.  RE: L3 rogue detection

    Posted Mar 03, 2012 05:05 PM

    This is true this is true.... i got one scenario exactly just like that.

     

    Thanks you very much cjoseph!!!

     



  • 8.  RE: L3 rogue detection

    Posted Mar 27, 2012 05:35 AM

    Are the learned mac address shown in the gui?

     

    My Controller detects a few rouge aps but i did not get the information about the wired mac.

    The controller marks an AP as rouge if it is seen on wireless an wired side of the network, correct?



  • 9.  RE: L3 rogue detection

    Posted Mar 27, 2012 05:38 AM

    "show wms rogue-ap <wireless mac of ap>" will say how it was discovered.

     



  • 10.  RE: L3 rogue detection

    Posted Mar 27, 2012 05:44 AM

    There is no way to see it on the dashboard?

     

    Where is the information how it wa discovered? I'n not shure if it is really a rogue ap or an interfering.

     

    Rogue AP Info
    -------------
    Key           Value
    ---           -----
    BSSID         00:11:XX:XX:XX
    SSID          FRITZ!BoxFon WLAN 7170
    Channel       12
    Type          generic-ap
    RAP Type      rogue
    Status        up
    Match Type    Eth-GW-Wired-Mac
    Match MAC     00:a0:c5:XX:XX:XX
    Match IP      0.0.0.0
    Match AM      OAP-ZV0XX
    Match Method  Exact-Match
    Match Time    Tue Mar 27 09:09:50 2012



  • 11.  RE: L3 rogue detection

    Posted Mar 27, 2012 05:47 AM

    @FlorianKueck wrote:

    There is no way to see it on the dashboard?

     

    Where is the information how it wa discovered? I'n not shure if it is really a rogue ap or an interfering.

     

    Rogue AP Info
    -------------
    Key           Value
    ---           -----
    BSSID         00:11:XX:XX:XX
    SSID          FRITZ!BoxFon WLAN 7170
    Channel       12
    Type          generic-ap
    RAP Type      rogue
    Status        up
    Match Type    Eth-GW-Wired-Mac
    Match MAC     00:a0:c5:XX:XX:XX
    Match IP      0.0.0.0
    Match AM      OAP-ZV0XX
    Match Method  Exact-Match
    Match Time    Tue Mar 27 09:09:50 2012


    There is no way of seeing that level of detail on the dashboard, no.

     

    RAP Type = Rogue means it is a rogue AP.

    Match type - How it was discovered

    Match mac - wired mac of that ap

    Match ip - the ip address of the AP or controller that saw it on the wired network

    Match AM - Wireless AP that saw it both on the wired and wireless

    Match Method - Method used to classify that AP - Exact match means the wired and wireless mac are the same, and that is how it was classified

     



  • 12.  RE: L3 rogue detection

    Posted Mar 27, 2012 06:02 AM

    Thanks a lot!

     

    But i don't understand what this information wants to tell me:

     

    Match Type    Eth-GW-Wired-Mac

     

     

    I searched the Mac addess on our network. No success? I don't understand why the controller marks it as rouge ap. If it where located in the wired network i should find the mac. Otherwise i don't understand the  definition of rogue.

     

    Match MAC     00:a0:c5:XX:XX:XX

     



  • 13.  RE: L3 rogue detection

    Posted Mar 27, 2012 06:21 AM

    @FlorianKueck wrote:

    Thanks a lot!

     

    But i don't understand what this information wants to tell me:

     

    Match Type    Eth-GW-Wired-Mac

     

     

    I searched the Mac addess on our network. No success? I don't understand why the controller marks it as rouge ap. If it where located in the wired network i should find the mac. Otherwise i don't understand the  definition of rogue.

     

    Match MAC     00:a0:c5:XX:XX:XX

     


    That means a wired gateway was seen through an access point in the air.

     



  • 14.  RE: L3 rogue detection

    Posted Mar 27, 2012 08:35 AM

    @cjoseph wrote:

    @FlorianKueck wrote:

    Thanks a lot!

     

    But i don't understand what this information wants to tell me:

     

    Match Type    Eth-GW-Wired-Mac

     

     

    I searched the Mac addess on our network. No success? I don't understand why the controller marks it as rouge ap. If it where located in the wired network i should find the mac. Otherwise i don't understand the  definition of rogue.

     

    Match MAC     00:a0:c5:XX:XX:XX

     


    That means a wired gateway was seen through an access point in the air.

     



    and that means it is not an rogue ap, correct?



  • 15.  RE: L3 rogue detection

    Posted Mar 27, 2012 08:40 AM

    That means that it IS a rogue AP, because it sees wired traffic through it.

     



  • 16.  RE: L3 rogue detection

    Posted Mar 27, 2012 08:43 AM

    my understanding of an rogue AP is, that the controllers is seeing the AP on the wired and also on the wireless side of  his network.

     



  • 17.  RE: L3 rogue detection

    Posted Mar 27, 2012 08:46 AM

    Please open a support case so that they can look at your topology and configuration.  They will be able to answer all of your specific questions.  

     

    My answers do not take into account all of the variables of your specific deployment, and might not be applicable.

     



  • 18.  RE: L3 rogue detection

    Posted Mar 28, 2012 01:59 PM

    Hello Cjoseph

    i got a question regarding to this

    I got a deployment on a client with the IPS

     

    okay in that client there is a vlan in which they got all the APS and the wireless controller, thats the only thing in that vlan, nothing else.

     

    now i got 2 APS as possible rogue

     

    1 AP is a known AP they got inside their corporation

    1 AP that they dont know  about it.

     

    Now we have not YET activate or trunk ANY vlan to the APs OR the Wireless controller.(the only vlans that are trunked to the WC are the vlans for the SSIDS that are distributing the Aruba APs.

     

    If i see the second AP they dont know about the SNR is really low  5 or 6  is the number and just 3 APs of all the aps can see it... and they all see it with low number 5, 6 or 7 on the SNR.

     

    Now on the known AP  that  i we  all know there is inside the company, almost all the APS can see it...

    and when i run

    Suspect Rogue AP Info

    ---------------------

    Key               Value

    ---               -----

    BSSID             74:f0:6d:20:da:98

    SSID              ssidoftheap

    Channel           2

    Type              generic-ap

    RAP Type          suspected-rogue

    Confidence Level  20%

    Status            up

    Match Type        AP-Wired-Mac

    Match MAC         00:16:43:c4:d0:0e

    Match IP          0.0.0.0

    Match AM          AP_C4

    Match Method      Exact-Match

    Helper AP BSSID   00:00:00:00:00:00

    Match Time        Mon Feb 27 10:56:09 201

     

    on the wireless controller

    i got 3 vlans configured on the WC

    vlan 500 the vlan that the administration of the wireless controller is, 

    vlan 501 internal access

    vlan 502 guest access

     

    They put the Known AP(which is not Aruba ap) on vlan 501 for some reason.

     

    They are not trunking any vlan to those APs they just got it on access on the vlan 500

     

    So how its possible for the AP_C4 to detect that from wired?

     

    Even the other Unkown AP i was talking about up, also was detected as suspected rogue... buti manually changed it to interference.

     

    Is there any way to clear the data on the dashboard on the security tab so it reclasify automatically everything AGAIN to see if it keep detecting those APs as rogue and even with Match Type   AP-Wired-Mac?

     

    It just that its really odd... and i dont understand...the bigger issue is that i dont manage the network there and the ones that are working with me is the security department, which is not the networking deparment... and they dont have access to anything of this...

     The thing is that the mac address i mean this one Match MAC         00:16:43:c4:d0:0e is not on  

    show wms wired-mac prop-eth-mac  

    or on show wms system-wired-mac

     



  • 19.  RE: L3 rogue detection

    Posted Oct 31, 2012 06:57 PM

    Helo,

     

    We are trying to setup L3 rogue detection. We currently have APs with ARM enabled but we don't have any dedicated air monitors. If we use L3 rogue detection, will the "hybrid" APs be able to detect rogue devices? If so, will that be on the wired and wireless medium? Also, following this link, it seems like we need to "trunk" VLANs to the APs so that they can receive broadcast frames, is this correct? When the AP receives these broadcast packets through the wired network, does it analyze the MAC address or does it forward the received wired frames to the controller for analysis? How can we implement this, is there any documentation out there that we can follow? Any help would be greatly appreciated. Thanks. 



  • 20.  RE: L3 rogue detection

    Posted Oct 31, 2012 07:05 PM

    Hello

    Look you have 2 options

    1-Trunk the vlan to the APS

    2-Trunk the vlans to the wireless controller and issue the command config t wms general learn-system-wired-macs enable

     

    Hybrids APS can see it but remenber hybrids APS got 2 funtions

    1-Give access to clients(which is hte principal funtion

    2-Scan on other channels

     

    the IPS/IDS without air Monitor just dont work well... if you dont have Air monitors then in my opinion you should not put IPS IDS...

     

    Because for example if you got a rule that the valid clients cannot connect to other APS that are not valids then if you have no air monitor and you got hybrids APS... if you connect to a non valid AP when the AP is serving clients you will be able to connect.. you see? it just doesnt work....



  • 21.  RE: L3 rogue detection

    Posted Oct 31, 2012 07:07 PM
      |   view attached

    Here is a document i got attached

    Attachment(s)

    pdf
    tb_air_monitors.pdf   988 KB 1 version


  • 22.  RE: L3 rogue detection

    Posted Oct 31, 2012 07:31 PM

    If I trunk the VLAN to the AP, what configuration do I need to perform @ at the AP side? setting up a trunk in a cisco switch is well documented but not setting the aruba AP port to a trunk port. 



  • 23.  RE: L3 rogue detection

    Posted Oct 31, 2012 07:45 PM

    No configuration necessary to the AP.  



  • 24.  RE: L3 rogue detection

    Posted Oct 31, 2012 07:47 PM

    Also if you pick to turnk to the controller you NEED to create the vlans con the controller also and trunk it back...

    Otherwise it doesnt work.



  • 25.  RE: L3 rogue detection

    Posted Oct 31, 2012 07:50 PM

    Thank you for the great explanation. Also, what would be the pros and cons for each? 



  • 26.  RE: L3 rogue detection

    Posted Oct 31, 2012 07:56 PM

    Like Collin said on previus post

     

    Quoting Collin:

    "A combination is best

    There is always one remote VLAN that you cannot physically trunk to the controller.  You would put an AP on that trunk."

     

    Cheers

    Carlos



  • 27.  RE: L3 rogue detection

    Posted Jan 29, 2013 09:26 AM

    what is the maximum number of vlans recommended using an aruba 600 controller for mac address learning and rogue ap detection?



  • 28.  RE: L3 rogue detection

    Posted Apr 23, 2014 09:23 AM

    Well 2048 is the maximum capacity in the mac address table for those controllers so take that in mind.

     

    Also here is a tutorial regarding this topic:

     

    http://community.arubanetworks.com/t5/Unified-Wired-Wireless-Access/Tutorial-How-to-detect-Rogue-APS-with-L3-Rogue-Detection/td-p/156722

     

    Cheers

    Carlos