cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
365
Views
10
Helpful
3
Replies

Drawbacks of using 4 APs to contain a rogue AP

yubago
Level 1
Level 1

What are the benefits/drawbacks of using 4 controller-based APs to contain a rogue AP vs using just one. If I understand it correctly a single AP can never be set to contain more than 3 rogues, and will never use more than 30% of its resources to do so. Also, you can set a maximum of 4 APs on "containment duty" against one rogue. I also believe that containment involves sending spoofed messages to the wireless clients which requires your APs to be within range of all the rogue clients.

So.. what do you guys think? Let me know if my conclusions regarding the process are incorrect!

Thanks!

3 Replies 3

Scott Fella
Hall of Fame
Hall of Fame

I wouldn't use that unless you know for sure it isn't another companies ap... they will see a DoS attack and you could get in trouble. If there is an ap in your network (building) then you should find it. If the ap is from surrounding buildings, you need to channel your ap's correctly to avoid interference.

-Scott
*** Please rate helpful posts ***

George Stefanick
VIP Alumni
VIP Alumni

Hi Yubaqo,

I lab this and i can share with you the result if you like... So when you hit contain a rouge the controller spoofs the rouge access points MAC address and floods deauthenications messages from MAC XXXXXXX to FFFFFFFFF...

So if you contain using one AP you are probably in good shape, cause even if a client could get on from 'out of range' i bet they will still receive a de'off from time to time..

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

If you actually try this in the lab with a client set to do a continuous ping, you will see that containing with only one AP will still allow clients to connect. The plan here, as it was designed by Airespace, was to only contain radios that you KNOW are a threat. APs on your own wired network were detected by RF and then verified to be on the wired network with a protocol called RLDP. Once an AP was discovered via RLDP, the rogue was automatically contained by a 4 AP containment if 4 APs heard the rogue. An alert was then sent to the administrator and the rogue was mapped for location so that it could be collected. Containing APs that were neighboring was disuaded because of the FCC "Good Neighbor" policy. You needed to make sure the AP was an actual threat to the security of your network before taking action. This became Cisco's policy on all rogue devices and they disabled RLDP from the system. Now if you do a contain you see the Legal Disclaimer that Cisco has put into place. A 4 AP containment will use some resources of your APs but it should not be a long term fix. You should go and deal with the rogue device personally once it is contained and mapped. After dealing with it, set the appropriate rogue state and remove containment.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: