Rogue Detector question

Oct 29th, 2007

I have 2 controllers 2106 both with the same mobility group, I have 3 APs in one controller and 3 APs on the other. I have just one rogue detector. Do I need a rogue detector on both or just in one controller?

dennischolmes Tue, 10/30/2007 - 05:04

All of your APs will detect rogues. When in rogue detector mode the AP is basically a sensor and not an AP. All of your APs will have the ability to sense rogues. I will say this though, to accurately map the location of rogues in WCS, you will want at least 3 of your APs to hear the rogue.

mauramir Tue, 10/30/2007 - 06:56

Dennis, that's right, all the APs can sense rogue APs and rogue clients; the rogue detector will check for ARP messages for those rogue clients. My question is if between controllers they share this rogue client list or if I need a rogue detector for each controller.


dennischolmes Tue, 10/30/2007 - 12:22

I suspect you will need one for each controller as they act independently in most cases. The management of WCS merges data from each controller to a single GUI. I will verify with the BU.

mark.cronin Thu, 03/12/2009 - 10:31


A question on this post.

When an AP is in "local" mode is it checking the "wired" network for arp broadcasts?

I thought only APs in Rogue Detector mode checked the wired network for arp broadcasts


dennischolmes Thu, 03/12/2009 - 11:30

Rogue detection is not bound by any regulations and no legal adherence is required for its operation. However, rogue containment usually introduces legal issues that can put the infrastructure provider in an uncomfortable position if left to operate automatically. Cisco is extremely sensitive to such issues and provides these solutions. Each controller is configured with a RF Group name. Once a Lightweight AP registers with a controller, it embeds an authentication Information Element (IE) that is specific to the RF Group configured on the controller in all its beacons/probe response frames. When the Lightweight AP hears beacons/probe response frames from an AP either without this IE or with wrong IE, then the Lightweight AP reports that AP as a rogue, records its BSSID in a rogue table, and sends the table to the controller. There are two methods, namely Rogue Location Discovery Protocol (RLDP) and passive operation. These two are described in detail in the link below.

As you can see from above all APs listen for rogues based on the above criteria but this is costly in resource overhead and is better solved by placing certain APs in rogue detection mode. This will become even more invaluable with the advent of the IDS/IPS solution.
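
The check described in the post above (report any AP whose beacon or probe response lacks the RF Group IE or carries the wrong one, and record its BSSID in a rogue table) is written out here as an added example; it is not Cisco's implementation or code from this thread. The IE layout, the placeholder OUI and the HMAC construction in `rf_group_tag` are assumptions, and the frames are constructed.

```python
import hashlib
import hmac

VENDOR_IE = 221                # 802.11 vendor-specific element ID
EXAMPLE_OUI = b"\x00\x00\x00"  # placeholder OUI (assumption, not a real vendor value)

def rf_group_tag(rf_group: str, bssid: bytes) -> bytes:
    # Assumed construction: truncated HMAC-SHA256 of the BSSID keyed by the RF Group name.
    return hmac.new(rf_group.encode(), bssid, hashlib.sha256).digest()[:8]

def parse_ies(body: bytes):
    # Walk the tag/length/value elements of a beacon or probe response body.
    i = 0
    while i + 2 <= len(body):
        eid, length = body[i], body[i + 1]
        if i + 2 + length > len(body):
            return  # truncated element: stop rather than read past the frame
        yield eid, body[i + 2:i + 2 + length]
        i += 2 + length

def classify(bssid: bytes, body: bytes, rf_group: str) -> str:
    for eid, payload in parse_ies(body):
        if eid == VENDOR_IE and payload[:3] == EXAMPLE_OUI:
            good = hmac.compare_digest(payload[3:], rf_group_tag(rf_group, bssid))
            return "friendly" if good else "rogue: wrong IE"
    return "rogue: no IE"

def build_rogue_table(frames, rf_group: str) -> dict:
    # BSSID -> reason, the table the AP would send to its controller.
    table = {}
    for bssid, body in frames:
        verdict = classify(bssid, body, rf_group)
        if verdict != "friendly":
            table[bssid.hex(":")] = verdict
    return table

def ie(eid: int, payload: bytes) -> bytes:
    return bytes([eid, len(payload)]) + payload

def sample_frames():  # constructed (BSSID, frame body) pairs, not captured traffic
    ours, other, unknown = (bytes.fromhex(h) for h in
                            ("02aabbcc0001", "02aabbcc0002", "02ddeeff0003"))
    ssid = ie(0, b"corp")
    return [
        (ours, ssid + ie(VENDOR_IE, EXAMPLE_OUI + rf_group_tag("campus", ours))),
        (other, ssid + ie(VENDOR_IE, EXAMPLE_OUI + rf_group_tag("lab", other))),
        (unknown, ssid),
    ]

if __name__ == "__main__":
    print(build_rogue_table(sample_frames(), "campus"))
```

An AP in a different RF Group ("lab" in the sample data) is reported as a rogue by this check even though it is managed, which is why the table still needs classification before any containment decision.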

mark.cronin Fri, 03/13/2009 - 02:25


Just to clarify: a Cisco 1242 in local mode not only services client wireless access, it also monitors its own wired connection, just like a dedicated Rogue detector LWAP, for Rogue wired arp traffic. (True/False)

Have you ever deployed dedicated Rogue detectors?

dennischolmes Fri, 03/13/2009 - 04:21

No, I am from the Airespace frame of mind. When we began selling this solution at Airespace several years ago we believed that the AP could be fully functional as both an AP and a rogue detector. I still believe that. It reduces cost to the customer and still provides ample protection in most cases. With the passing of time of course attacks became more sophisticated and the need for an even better system of IDS/IPS became evident. To fully secure the system for FIPS, PCI, etc., the need for dedicated "sensors" became evident. Thus the use of APs as rogue detectors and sensors. I would suggest using the lowest cost AP as the sensor to save on overall project deployment. Funny thing is, Madge Networks figured this out years ago. Sitting in my closet along with the first 802.1x and management server based on LWAPP is a Madge WLAN Security Probe. I keep funny little things like that to show people just how far we have come these last 3 generations of wireless gear.

mark.cronin Fri, 03/13/2009 - 05:07


Appreciate your help with this!

Still unclear sorry - so an AP in local mode does or does not monitor the LAN/Wired interface for rogue arp traffic?

I am faced with the problem that our campus is based on layer 3 access layer so I would need to deploy a dedicated LWAP Rogue detector on each access switch (40+) or use a RSPAN configuration and tunnel all the layer 2 traffic back to a single LWAP rogue detector (not tested) - Do you know if the rogue detectors are used with the new Mobility Services engine IDS/IPS system? If it is I could sell the idea of deploying them as a future road map feature for this architecture.

dennischolmes Fri, 03/13/2009 - 05:36

It is as far as I know. We are suggesting one dedicated IPS/IDS AP per the following table.

2.4 GHz, 6 Mbps @ -86 dBm: one WIPS AP per 35000 sq ft walled, 85000 sq ft open area.

5 GHz, 6 Mbps @ -86 dBm: one WIPS AP per 15000 sq ft walled, 30000 sq ft open area.

This gives you better security in my opinion than does Airdefense and Moto.

