Wired Rogue detection

Unanswered Question
Apr 14th, 2009

At present there are 2 options for wired to LAN wireless rogue detection

1) Enable Rogue Location Discovery Protocol which can detect wired to LAN access points that have open authentication

2) Deploy dedicated rogue detector access points which compare the wired ARP tables with the wireless ARP tables on the WLCs.

You can see the problem with option 1 - the rogue AP can only be detected if open authentication is used.

You can also see the problem with option 2 in the cost of deploying dedicated APs.

Do you think in future releases of WCS the rogue detector AP can be replaced by simply getting the ARP table from the wired infrastructure via SNMP?

Does anybody know if this is a roadmap item for the WCS?

Leo Laohoo Tue, 04/14/2009 - 17:40

I have never deployed APs in Rogue Detection mode but I do get alarms for Rogues.

I am curious to know why you want to deploy a dedicated AP as a Rogue AP Detector when, by default, an AP can detect and "prosecute" Rogues.

George Stefanick Tue, 04/14/2009 - 19:55

My experience has been the only way to detect a Rogue on the WIRED is with an AP in Rogue Detection Mode. I found this out by accident in my lab ... I had an autonomous 1200 side by side for months and it saw it as a rogue on the wireless. When I turned my LWAPP AP into a rogue detector it quickly identified it on the wired.

mark.cronin Wed, 04/15/2009 - 00:27

OK - So if you have 40 access switches you will need 40 rogue detector APs.

This is a substantial cost.

I am hoping that in future releases of Cisco WCS they will be able to interrogate the access switches for ARP traffic via SNMP rather than deploy the Rogue APs.

Do you think this will be possible?

mark.cronin Wed, 04/15/2009 - 00:21

With Rogue Location Discovery Protocol (RLDP) enabled you will only be able to detect if a Rogue AP is connected to your network if the authentication is OPEN.

If the Rogue AP has any authentication enabled then you will not be able to detect if the AP is connected to your network.

I think this is a big limitation of RLDP.

George Stefanick Wed, 04/15/2009 - 07:28

So fill me in ... the ARP would only be local to the access switch, that's why you would have one per switch? Can you fill in that gap for me?

mark.cronin Thu, 04/16/2009 - 00:36

In older campus wired LAN designs with a Layer 3 collapsed core/distribution and a Layer 2 access layer, the dedicated rogue detector was viable: you could configure the port on the collapsed core/distribution switch that it was connected to as a trunk, and the rogue detector could monitor all of the VLANs for ARP information. With newer campus wired LAN designs with Layer 3 at the access layer, there is a requirement to install a rogue detector on all access switches.
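The correlation a rogue detector AP performs, and that the thread hopes WCS could do from SNMP-polled ARP tables instead, as an added example that is not from this thread or from Cisco: it takes a per-switch wired ARP table (the shape one would get by polling ipNetToMediaTable) and the WLC's rogue list, both constructed sample data here, and flags rogues whose BSSID, a MAC within a small offset of it, or an associated client shows up on the wire. The offset tolerance is an assumption (many APs derive BSSIDs from their Ethernet MAC), so it is a parameter.

```python
"""Wired rogue correlation from an SNMP-style ARP table (constructed sample data)."""
from typing import Dict, List, Tuple

def mac_to_int(mac: str) -> int:
    """Convert 'aa:bb:cc:dd:ee:ff' to an integer so nearby MACs can be compared."""
    return int(mac.replace(":", "").replace("-", ""), 16)

# Constructed wired ARP entries (ip, mac, port), as one would collect by polling
# ipNetToMediaTable on each Layer 3 access switch. Not real data.
WIRED_ARP: List[Tuple[str, str, str]] = [
    ("10.20.1.17", "00:1a:2b:3c:4d:50", "Gi1/0/7"),   # Ethernet side of a rogue AP
    ("10.20.1.23", "00:25:9c:aa:bb:cc", "Gi1/0/12"),  # ordinary wired host
    ("10.20.1.40", "d8:5d:4c:10:20:30", "Gi1/0/15"),  # wireless client bridged onto the wire
]

# Constructed rogue list as the WLC reports it: BSSID -> SSID and associated clients.
ROGUES: Dict[str, Dict] = {
    "00:1a:2b:3c:4d:51": {"ssid": "linksys", "clients": ["d8:5d:4c:10:20:30"]},
    "f4:ce:46:00:11:22": {"ssid": "coffee-guest", "clients": []},  # neighbour, not on our LAN
}

def correlate(wired, rogues, tolerance: int = 1) -> List[Dict]:
    """Return one finding per (rogue, wired entry) pair that is evidence of a wired rogue.
      exact_bssid            the BSSID itself is in the ARP table
      bssid_within_tolerance a MAC within +/- `tolerance` of the BSSID is on the wire
                             (assumption: the AP's BSSIDs are derived from its Ethernet MAC)
      client_on_wire         a client associated to the rogue has a wired ARP entry
    """
    findings = []
    for bssid, info in rogues.items():
        bssid_int = mac_to_int(bssid)
        for ip, mac, port in wired:
            if mac == bssid:
                reason = "exact_bssid"
            elif abs(mac_to_int(mac) - bssid_int) <= tolerance:
                reason = "bssid_within_tolerance"
            elif mac in info["clients"]:
                reason = "client_on_wire"
            else:
                continue
            findings.append({"bssid": bssid, "ssid": info["ssid"], "wired_mac": mac,
                             "ip": ip, "port": port, "reason": reason})
    return findings

def on_wire(wired, rogues, tolerance: int = 1) -> set:
    """Set of rogue BSSIDs that have at least one wired finding (what an alarm would key on)."""
    return {f["bssid"] for f in correlate(wired, rogues, tolerance)}
```

With the sample data, the "linksys" rogue is flagged on Gi1/0/7 (BSSID one off the wired MAC) and again on Gi1/0/15 (its client is in the ARP table), while the neighbouring "coffee-guest" AP produces no finding; the port in each finding is what lets an operator shut the rogue down at the switch.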
