Wired Rogue detection

Unanswered Question
Apr 14th, 2009

At present there are 2 options for wired to LAN wireless rogue detection

1) Enable Rogue Location Discovery Protocol which can detect wired to LAN access points that have open authentication

2) Deploy dedicated rogue detector access points which compare the wired arp tables with the wireless arp tables on the WLC's.

You can see the problem with option 1 - the rogue AP can only be detected if open authentication is used.

You can also see the problem with option 2 in the cost of deploying dedicated APs.

Do you think in future releases of WCS that the rogue detector AP can be replaced by simply getting the ARP table from the wired infrastructure via SNMP.

Does anybody know if this is a roadmap item for the WCS?

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Leo Laohoo Tue, 04/14/2009 - 17:40

I have never deployed AP's in Rogue Detection mode but I do get alarms for Rogues.

I am curious to know why you want to deploy a dedicated AP as a Rogue AP Detector when by default, AP can detect and "prosecute" Rogues.

George Stefanick Tue, 04/14/2009 - 19:55

My experience has been the only way to detect a Rogue on the WIRED, is with an AP in Rogue Detection Mode. I found this out by accident in my lab ... I had a autonomous 1200 side by side for months and it seen it as a rouge on the wireless. When i turn my lwapp ap into rogue detector it quickly identified it on the wired.

mark.cronin Wed, 04/15/2009 - 00:27

OK - So if you have 40 access switches you will need 40 rogue detector APs.

This is a substantial cost.

I am hoping that in future releases of Cisco WCS they will be able to interrogate the access switches

for ARP traffic via SNMP rather than deploy the Rogue APs.

Do you think this will be possible?

mark.cronin Wed, 04/15/2009 - 00:21

With Rogue Location Discovery Protocol (RLDP) enabled you will only be able to detect if a Rogue AP is connected to your network if the authentication is OPEN.

If the Rogue AP has any authentication enabled then you will not be able to detect if the AP is connected to your network.

I think this is a big limitation of RLDP

George Stefanick Wed, 04/15/2009 - 07:28

so fill me in ... the arp would only be local to the access switch , thats why you would have one per switch? Can you fill in that gap for me?

mark.cronin Thu, 04/16/2009 - 00:36

In older campus wired LAN designs with Layer 3 collapsed core distribution and layer 2 access layer the dedicated rogue detector was viable as you could configure the port on the collapsed core distribution switch that it was connected to as a trunk and the rogue detector could monitor all of the VLANs for ARP information. With newer campus wired LAN designs with Layer 3 at the access layer there is a requirement to install a rogue detector on all access switches.

Actions

This Discussion

 

 

Trending Topics - Security & Network