Wired Intelligent Edge (Campus Switching and Routing)


How to configure rogue containment options in MAS with IAP? 

Nov 11, 2014 09:09 AM

Summary : configure rogue containment options in MAS with IAP

 

Introduction :

When a rogue AP is detected by an IAP, the IAP sends the rogue's MAC addresses to the MAS for blacklisting. If the MAS then receives traffic from a blacklisted MAC address on one of its wired ports, it either error-disables the interface or installs a DROP entry for that MAC address. Earlier this behaviour was not configurable; the feature has now been enhanced so that the enforcement action and the recovery timer can be set by the administrator.

 

Feature Notes :

* Enabled by default.
* Default auto-recovery-timer is 300 seconds.
* Default action is:
  Trunk ports: discard blacklisted MAC addresses and log.
  Access ports: shut down the port and PoE on detection of a blacklisted MAC address.
* If a blacklisted MAC is learned on an untrusted interface, the MAC is discarded instead of error-disabling the interface.
* No action is taken on an interface that is configured to learn MAC addresses as STICKY.
* Blacklisted MACs do not age out: they are cleared only after the IAP stops sending those MAC addresses to the MAS for blacklisting.
Environment :

 

This article applies to Mobility Access Switches running code 7.4.0.0 and above, deployed together with IAPs.

 

Network Topology :

 

IAP and mobility access switches in the network 

 

Configuration Steps :

Enable/disable the feature

(ArubaS1500-24P) (config) #ap-rogue-enforcement
(ArubaS1500-24P) (rogue-ap-enforcement) #enable ?
<cr>
(ArubaS1500-24P) (rogue-ap-enforcement) #enable

Modify the action

(ArubaS1500-24P) (rogue-ap-enforcement) #action ?
default                 Trunk Ports: Discard blacklisted MAC addresses and log. Access Port: Shutdown port and PoE on detection of blacklisted MAC address
log                     Trunk and Access Ports: Log blacklisted MAC addresses

Change the error-recovery timer

(ArubaS1500-24P) (config) #ap-rogue-enforcement
(ArubaS1500-24P) (rogue-ap-enforcement) #action default ?
auto-recovery-time      Time to recover port from shutdown in seconds. Default: 300. Allowed Range: [0-65535]
<cr>

* With an auto-recovery value of 0, the interface will never auto-recover and will require manual intervention (see "clear port-error-recovery" under Verification below).
 
Answer :

When a rogue AP is detected by an IAP, the IAP sends the rogue's MAC addresses to the MAS for blacklisting. If the MAS receives traffic from a blacklisted MAC address on one of its wired ports, it either error-disables the interface or installs a DROP entry for that MAC address. Earlier there was no user-configurable option.

* The feature has been made configurable:
* enable/disable rogue AP containment;
* select the action to be taken on a blacklisted MAC address;
* modify the recovery timer for error-disabled interfaces.
 
Verification :
 
(ArubaS1500-24P) #show ap-rogue-enforcement
 
rogue-ap-enforcement "default"
------------------------------
Parameter           Value
---------           -----
Enforce Rouge AP    Disabled
Action              default
Auto Recovery Time  300
 
 
Check the blacklisted MAC addresses sent by the IAP (they appear in the LLDP neighbor detail for the port the IAP is connected to)
(ArubaS1500-24P) #show lldp neighbor interface  gigabitethernet 2/0/0 detail
 
Interface: gigabitethernet2/0/0, Number of neighbors: 1
------------------------------------------------------------
<Output Truncated>
Autoneg capability:
  10Base-T, HD: yes, FD: yes
  100Base-T, HD: yes, FD: yes
  1000Base-T, HD: yes, FD: yes
Media attached unit type: 1000BaseTFD - Four-pair Category 5 UTP, full duplex mode (30)
MAC:          44:6d:57:b4:2e:39: Blacklist
MAC:          60:d8:19:5b:d2:fd: Blacklist
MAC:          6c:f3:7f:c4:4c:72: Blacklist
802.3 Power:
 Port ID:      MAC 6c:f3:7f:c3:67:2a
 Port Description: eth0
 MDI Power:
        Supported:   No
        Enabled:     No
 <Output Truncated>
 
Check the interface error-disabled state
(ArubaS1500-24P) #show port-error-recovery
 
Layer-2 Interface Error Information
-----------------------------------
Interface  Error                        Error seen time            Recovery time
---------  -----                        ---------------            -------------
GE0/0/47   Blacklisted device detected  2014-07-23 17:08:45 (PST)  2014-07-23 17:18:44 (PST)
GE1/0/47   Blacklisted device detected  2014-07-23 17:08:41 (PST)  2014-07-23 17:18:40 (PST)
GE2/0/23   Blacklisted device detected  2014-07-23 17:08:43 (PST)  2014-07-23 17:18:42 (PST)
 
(ArubaS1500-24P) #
 
Bring up an error-disabled port
(ArubaS1500-24P) #clear port-error-recovery
 
Troubleshooting :
 
Log generated when a blacklisted MAC address is detected on a wired interface

The messages are written to the security log at level ERRS, so the security logging level must be errors or more verbose for them to be recorded:
 (ArubaS1500-24P) (config) # logging level errors security
 
 (ArubaS1500-24P)# show log security 10 | include Blacklisted
Jul 24 06:59:31 :128009: <ERRS> |l2m| Blacklisted MAC seen on gigabitethernet2/0/23, shutting down the interface
Jul 24 06:59:31 :128010:  <ERRS> |l2m|  Blacklisted MAC 6c:f3:7f:c4:4c:72 on interface GE0/0/47
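The following Python script is an added example and is not part of this article or of HPE Aruba's software. It parses the two security-log message formats and the "show port-error-recovery" table shown above, normalises the two interface spellings the switch uses (gigabitethernet2/0/23 versus GE2/0/23) so the two sources can be joined, and produces a per-port view of which blacklisted MACs were seen, whether the port was shut down, and how many seconds after the error the port is due to recover. The first two log lines are copied from this article; the remaining log lines are constructed in the same shape, and the regular expressions assume the field layout is exactly as shown on this page.

```python
"""Correlate MAS rogue-AP enforcement evidence: security-log lines and the
'show port-error-recovery' table. Added example; the log and table formats
are assumed from the output shown in the article."""
import re
from datetime import datetime

# Constructed sample: first two lines copied from the article, last two
# constructed in the same 128010 message shape.
SECURITY_LOG = """\
Jul 24 06:59:31 :128009: <ERRS> |l2m| Blacklisted MAC seen on gigabitethernet2/0/23, shutting down the interface
Jul 24 06:59:31 :128010:  <ERRS> |l2m|  Blacklisted MAC 6c:f3:7f:c4:4c:72 on interface GE0/0/47
Jul 24 06:59:31 :128010:  <ERRS> |l2m|  Blacklisted MAC 60:d8:19:5b:d2:fd on interface GE2/0/23
Jul 24 06:59:32 :128010:  <ERRS> |l2m|  Blacklisted MAC 44:6d:57:b4:2e:39 on interface GE1/0/47
"""

# Constructed sample: the 'show port-error-recovery' output from the article.
PORT_ERROR_RECOVERY = """\
Layer-2 Interface Error Information
-----------------------------------
Interface  Error                        Error seen time            Recovery time
---------  -----                        ---------------            -------------
GE0/0/47   Blacklisted device detected  2014-07-23 17:08:45 (PST)  2014-07-23 17:18:44 (PST)
GE1/0/47   Blacklisted device detected  2014-07-23 17:08:41 (PST)  2014-07-23 17:18:40 (PST)
GE2/0/23   Blacklisted device detected  2014-07-23 17:08:43 (PST)  2014-07-23 17:18:42 (PST)
"""

_IF_RE = re.compile(r"^(?:gigabitethernet|ge)\s*(\d+/\d+/\d+)$", re.I)
_SHUTDOWN_RE = re.compile(r"Blacklisted MAC seen on (\S+?), shutting down the interface")
_MAC_RE = re.compile(r"Blacklisted MAC ([0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5}) on interface (\S+)")
_ROW_RE = re.compile(
    r"^(\S+)\s+(.+?)\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \(\w+\)\s+"
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \(\w+\)\s*$")
_TS = "%Y-%m-%d %H:%M:%S"


def normalize_ifname(name):
    """Map both spellings (gigabitethernet2/0/23, GE2/0/23) onto one key."""
    m = _IF_RE.match(name.strip())
    if not m:
        raise ValueError("unrecognised interface name: %r" % name)
    return "GE" + m.group(1)


def parse_security_log(text):
    """Return {'shutdown': ports the switch reported shutting down,
    'macs': {port: set of blacklisted MACs seen on it}}."""
    shutdown, macs = set(), {}
    for line in text.splitlines():
        m = _SHUTDOWN_RE.search(line)
        if m:
            shutdown.add(normalize_ifname(m.group(1)))
            continue
        m = _MAC_RE.search(line)
        if m:
            macs.setdefault(normalize_ifname(m.group(2)), set()).add(m.group(1).lower())
    return {"shutdown": shutdown, "macs": macs}


def parse_port_error_recovery(text):
    """Return {port: {'error', 'seen', 'recovery'}}; header, separator and
    blank lines never match the row pattern and are skipped."""
    rows = {}
    for line in text.splitlines():
        m = _ROW_RE.match(line)
        if not m:
            continue
        port, error, seen, recovery = m.groups()
        rows[normalize_ifname(port)] = {"error": error,
                                        "seen": datetime.strptime(seen, _TS),
                                        "recovery": datetime.strptime(recovery, _TS)}
    return rows


def correlate(log, table):
    """Join both sources per port. A port counts as shut down if either source
    says so; recovery_in is seconds from the error being seen to the scheduled
    recovery, or None when the table has no row for the port."""
    report = {}
    for port in set(log["macs"]) | log["shutdown"] | set(table):
        row = table.get(port)
        report[port] = {
            "macs": sorted(log["macs"].get(port, ())),
            "shut_down": port in log["shutdown"] or row is not None,
            "recovery_in": int((row["recovery"] - row["seen"]).total_seconds()) if row else None,
        }
    return report


def build_report():
    """Run both parsers over the constructed samples and correlate them."""
    return correlate(parse_security_log(SECURITY_LOG),
                     parse_port_error_recovery(PORT_ERROR_RECOVERY))


if __name__ == "__main__":
    for port, info in sorted(build_report().items()):
        print(port, "shut_down=%s" % info["shut_down"],
              "recovery_in=%s" % info["recovery_in"], ",".join(info["macs"]))
```

In practice, replace the two constructed strings with captures of "show log security 10 | include Blacklisted" and "show port-error-recovery" from the switch. The join on the normalised port name is the useful part: the 128009 line names the port in one form and the recovery table in the other, and without normalisation a port that was shut down would not line up with its recovery entry.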
 
Related Links:
 
Enhancement of Rogue AP Containment feature already supported on MAS
(Article still not published)
 
https://na2.salesforce.com/articles/Troubleshooting/Rogue-AP-Enforcement-on-MAS-using-IAP?popup=true

 
