Basic wired/wireless device correlation for rogue detection in 3 steps.

Aruba Employee

Environment: Rogue AP detection in the network


1. AP traffic inspection (AP/controller):

The AP builds up a list of the known wired gateway MAC addresses and monitors the traffic coming out of the rogue devices.
The AP looks at the source MAC address of the packets coming out of a rogue device. If that source MAC address matches one of the known gateway MACs, then the device will be considered wired. Any VLANs that may contain wired traffic need to be trunked to an AP for this detection method. Starting in AOS 6.0, the VLANs only need to be trunked to a single AP or AM, and the information will be shared.

2. MAC address comparison (AP/controller):

If the controller sees a wireless MAC address that is within ±1 of a known wired MAC address, then it will be considered wireless.

3. MAC address comparison (RAPIDS):

RAPIDS leverages the switch polling that AMP performs. The bridge forwarding table and ARP table will be polled from the controller.
The bridge forwarding table provides MAC address and switch port information. The wired MAC addresses will be compared to everything that has been seen wirelessly. If the wired and wireless MACs are within the bitmask offset configured on the RAPIDS Setup page, then they will be linked together and considered the same device. RAPIDS will be able to tell you the switch and the port that the MAC address has been seen on. RAPIDS may also be able to provide the IP address if the polled switch supports the ARP tables.
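
The comparisons from steps 2 and 3, sketched as an added example on constructed data (this is not Aruba's code). It assumes the RAPIDS bitmask offset is the number of low-order MAC bits ignored when comparing; the function names, switch names, ports and MAC addresses are made up for illustration.

```python
# Added example: wired/wireless MAC correlation on constructed data.

def mac_to_int(mac: str) -> int:
    """Parse aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff into a 48-bit int."""
    digits = "".join(c for c in mac if c not in ":-.")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return int(digits, 16)

def adjacent(wired: str, wireless: str) -> bool:
    """Step 2: the wireless MAC is exactly one above or below the wired MAC."""
    return abs(mac_to_int(wired) - mac_to_int(wireless)) == 1

def same_under_mask(wired: str, wireless: str, bits: int) -> bool:
    """Step 3 (assumed semantics): equal once the low `bits` bits are ignored."""
    if not 0 <= bits <= 8:
        raise ValueError("bits must be in 0..8")
    return mac_to_int(wired) >> bits == mac_to_int(wireless) >> bits

def correlate(bridge_table, bssids, bits):
    """Map each BSSID to the (switch, port, wired MAC) it links to, if any."""
    links = {}
    for bssid in bssids:
        for switch, port, wired in bridge_table:
            if same_under_mask(wired, bssid, bits):
                links[bssid] = (switch, port, wired)
                break
    return links

# Constructed bridge forwarding table rows: (switch, port, wired MAC).
BRIDGE_TABLE = [
    ("sw-floor2", "Gi1/0/14", "02:1a:2b:3c:4d:5e"),
    ("sw-floor2", "Gi1/0/22", "02:1a:2b:9f:00:ff"),
]
# Constructed BSSIDs seen over the air.
BSSIDS = [
    "02:1a:2b:3c:4d:5f",  # +1 from the first wired MAC
    "02:1a:2b:3c:4d:61",  # +3: outside a 4-bit mask, inside an 8-bit mask
    "02:1a:2b:9f:01:00",  # +1 from the second wired MAC, but the carry crosses the mask
    "66:77:88:99:aa:bb",  # unrelated device
]

if __name__ == "__main__":
    for bits in (0, 4, 8):
        print(bits, correlate(BRIDGE_TABLE, BSSIDS, bits))
```

The third BSSID shows where the two methods differ: it is numerically adjacent to a wired MAC, yet a mask comparison misses it because the increment carries into the bits that must match.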


Version history
Revision #: 1 of 1
Last update: 07-04-2014 02:02 PM