It is controller-based and I'm looking at rogue detection. I have a handful of suspected rogues, but all are at 20% confidence level. These all have "Eth-Wired-MAC-Table" or "AP-Wired-MAC-Table" as the match type. Is there a valid reason why my AP would see a frame with a source MAC coming out of an interfering/rogue AP? I assume there is since this one indicator only makes up for a 20% confidence level.
In some of these cases, however, the match-MAC is actually my router's MAC. Would there be a reason why my AP would see someone else's AP sending a frame with my router's MAC as the source if it wasn't connected to my wired network? Specifically, these rogues are of a neighboring business and seem to be legitimate access points on their own network.
Of the one rogue I have that is at 100% confidence, the reason is "Eth-GW-Wired-MAC-Table". This one is interesting though because I don't see the violating MAC address in the MAC table on my router that's in the wired subnet that the AP connects to. I also don't see the MAC in the AP enet-table or gateway table. Could there be a legitimate reason for this?
Do the rogue entries eventually age out if they're not seen again? If not, is there a way to clear and/or refresh this data?
Thanks!