Block Rogue APs with Cisco Mobility Express 526?

Unanswered Question
Oct 28th, 2009

I know larger Cisco Wireless LAN controllers have the ability to block Rogue APs. I have not seen this same feature in the 526. Is it possible to block APs that are not part of my wireless network.

There are 3 Cisco 521 APs and a Cisco 526 controller. There are APs in the buildings around the office building where the wirless is installed using the same channels as my APs. (1, 6 and 11)

What can I do to stop these rogue APs from interfering?

Thanks

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
jeromehenry_2 Wed, 10/28/2009 - 15:06

Hi,

2 points:

- Rogue policies are available on the 526 just like on the Enterprise solution (Check under Security > Wireless Protection Policies > Rogue policies)... but it may depend on which version of the code you run. This feature is available from release 5.2.157.

- Rogues are supposed to be illegitimate APs in your network, not legitimate APs belonging to your neighbors. In most countries, containing legitimate neighbor APs is illegal... as you cannot contain these legitimates APs, RRM is your best friend to automatically place your APs on the channels less affected by neighboring APs...

Hope it helps

Jerome

damiangallo Wed, 10/28/2009 - 15:54

Jerome,

Thanks for the post. I noticed earlier in the controller under the RRM settings that the DCA channels were set to use only 1, 6, 11. I am assuming since there are 3 APs and there were three channels available that each AP used one of those channels. Those three channels also overlapped with the neighboring APs and therefore caused some issues.

Since then I have expended the DCA settings to include all the channels, but the APs in my office are still using 1,6, and 11. I did see some notifications that Rogue APs have been detected and were removed from base radio, but how can I be sure that RRM is working as it is supposed to?

I feel like the minute I turn my back the connection problems will start again. :)

I also noticed that I am running software version 4.2.61.8, which looks like it is an old version.

0 Wed Oct 28 17:35:56 2009 Rogue : 00:1f:33:c1:55:18 removed from Base Radio MAC : 00:1c:b0:05:36:60 Interface no:0(802.11b/g)

1 Wed Oct 28 17:15:55 2009 Rogue AP : 00:1f:33:c1:55:18 detected on Base Radio MAC : 00:1c:b0:05:36:60 Interface no:0(802.11b/g) with RSSI: -91 and SNR: -1

2 Wed Oct 28 16:44:57 2009 Rogue : 00:1f:33:c1:55:18 removed from Base Radio MAC : 00:1c:b0:05:36:60 Interface no:0(802.11b/g)

jeromehenry_2 Thu, 10/29/2009 - 12:15

You know,

DCA is enabled by default, and there are only 3 non-overlapping channels anyway. Your APs are better on channels 1,6 and 11, hearing the neighboring APs (and taking their signals into account to determine when to send and when to stay quiet) than on other channels, where they would still get the interference but without the ability to hear when to stay quiet. RRM is a complex algorithm. You can learn more about here in places like here http://www.youtube.com/watch?v=gwCxVwmHnRw

Then trust it... and test if you want. You will probably find that the RRM algorithm takes the best decisions and optimizes your network given its RF possibilities... that's what it has been built for, and I honestly see very few cases when you would want to override its decisions...

damiangallo Thu, 10/29/2009 - 12:29

Jerome,

I think this is now a wait and see game. Now there are more channels to use I think the problem I was having may be fixed, but until we use it for a while, we will not know.

Thanks for the video.

dmuralis Fri, 10/30/2009 - 18:03

Hi- I agree with Jerome. If your APs see packets from any other AP that are not part of the same RF group, they will report them as rogues.

Auto-rf is recommended to remain on since if there is too much interference in that channel, that will be taken into account by the controller for RRM algorithm amongst other things, and your AP channel will be changed should it be required.

Since you know that these ar your neighboring APs, you can mark them as Known External.

Actions

This Discussion

 

 

Trending Topics: Other Wireless Mobility

client could not be authenticated
Network Analysis Module (NAM) Products
Cisco 6500 nam
reason 440 driver failure
Cisco password cracker
Cisco Wireless mode