Hi there. I am trying to find out exactly how rogue detection works on the Airespace product but am having no luck. I understand that I need a dedicated AP for this, but I get confused when I hear that the AP doesn't need to be within RF range of the rogue AP. Can someone fill me in? Thanks!
You don't need a dedicated AP for rogue detection. Standard "local" APs detect rogues during their normal air sampling cycles. "Monitor" APs will do this also. That covers basic "detection".
The second part of rogue detection is determining if the rogue is on or off your network. There are 2 ways you can do this. RLDP and a "Rogue Detector" AP.
Rogue Location Discovery Protocol (RLDP) takes either a local or monitor AP and uses it to associate to the rogue and try to send a packet back to the WLC. If the packet comes back, then the rogue is on the network. I don't recommend you use RLDP if your APs are also providing data service, because the AP has to go through the association process to the rogue and while it's doing that, it isn't servicing data. Secondly, it's pretty easy to defeat by using _any_ kind of security, even WEP, with the rogue.
The "Rogue Detector" AP has its radios off and is looking at traffic it observes on the wire and correlating that to what's seen over the air. It gets a list of candidate rogue clients from the WLC. If it observes traffic on the wired network from the MAC of one of the rogue clients, it notifies the WLC and the WLC then knows that the rogue AP is connected to the network.
To get the rogue detector to work, it needs to be connected to a trunk port that allows all of the potential VLANs a rogue AP and rogue clients could be connected to. The rogue client also needs to be passing traffic on the network.
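As an added illustration of the wired/air correlation described above (example code, not from this thread or from Cisco), this Python model takes the WLC's candidate list of rogue clients, the frames a rogue detector AP observes on its trunk, and the VLANs that trunk allows, and returns which rogue APs are confirmed on the wire. All MACs and VLAN numbers are constructed sample values.

```python
"""Model of rogue-detector correlation: air-side candidates vs. wired traffic."""
from dataclasses import dataclass

@dataclass(frozen=True)
class AirObservation:
    client_mac: str   # station seen over the air by a local/monitor AP
    rogue_bssid: str  # rogue AP that station was associated to

@dataclass(frozen=True)
class WireFrame:
    src_mac: str      # source MAC of a frame on the detector's trunk port
    vlan: int         # 802.1Q tag of that frame

def rogue_client_candidates(air):
    """Build the WLC's candidate list: rogue client MAC -> rogue BSSID."""
    return {o.client_mac.lower(): o.rogue_bssid.lower() for o in air}

def correlate(air, wire, trunk_vlans):
    """Return the set of rogue BSSIDs confirmed on the wired network.

    A rogue is confirmed only when one of its clients' MACs shows up as a
    source on a VLAN the detector's trunk actually carries; frames on other
    VLANs are never seen, and a rogue client that sends nothing is never
    confirmed, matching the two conditions stated in the answer above.
    """
    candidates = rogue_client_candidates(air)
    confirmed = set()
    for frame in wire:
        if frame.vlan not in trunk_vlans:
            continue  # detector never observes this frame
        bssid = candidates.get(frame.src_mac.lower())
        if bssid is not None:
            confirmed.add(bssid)
    return confirmed

# Constructed sample data (not real addresses)
AIR = [
    AirObservation("aa:bb:cc:00:00:01", "de:ad:be:ef:00:01"),  # client of rogue 1
    AirObservation("aa:bb:cc:00:00:02", "de:ad:be:ef:00:02"),  # client of rogue 2
    AirObservation("aa:bb:cc:00:00:03", "de:ad:be:ef:00:03"),  # client of rogue 3, silent on wire
]
WIRE = [
    WireFrame("aa:bb:cc:00:00:01", 10),  # rogue 1 client on an allowed VLAN
    WireFrame("aa:bb:cc:00:00:02", 99),  # rogue 2 client on a VLAN the trunk does not carry
    WireFrame("11:22:33:44:55:66", 10),  # ordinary wired host, not a candidate
]
TRUNK_VLANS = {10, 20}
```

Widening the trunk to include VLAN 99 would confirm rogue 2 as well, which is why the answer says the detector's trunk must allow every VLAN a rogue could land on.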
This is a LOT of great information, thank you Jake! I'm starting to understand it now. It also explains why WCS was reporting a rogue when I didn't have any APs in rogue detection mode.
So am I accurate in saying that if you do have an AP dedicated to rogue AP detection, it doesn't need to be within RF reach of the rogue? (As you say, the radios are off.)
One question about RLDP, however. Apparently this install is using it, since it found a rogue AP. Does that mean that the rogue it found was not using WEP of any kind? RLDP will ONLY find rogue APs that aren't using security?
Bottom line is, my customer has a huge facility that's about 1000 feet square. There are many offices within this space, so no one AP will possibly reach end to end. To detect rogues over this entire area, I only need one AP in rogue detection mode? And it will tell me when it finds one and will alert me accordingly?
Thank you very much for your time explaining this, it is very helpful!