Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

mx
New Member

rogue detection on airespace

Hi there. I am trying to find out exactly how rogue detection works on the airespace product but am having no luck. I understand that I need a dedicated AP for this, but I get confused when I hear that the AP doesnt need to be within RF range of the rogue AP. Can someone fill me in? Thanks!

bob

3 REPLIES
Bronze

Re: rogue detection on airespace

You don't need a dedicated AP for rogue detection. Standard "local" APs detect rogues during their normal air sampling cycles. "Monitor" APs will do this also. That covers basic "detection".

The second part of rogue detection is determining if the rogue is on or off your network. There are 2 ways you can do this. RLDP and a "Rogue Detector" AP.

Rogue Location Discovery Protocol (RLDP) takes either a local or monitor AP and use that to associate to the rogue and try to send a packet back to the WLC. If the packet comes back, then the rogue is on the network. I don't recommend you use RLDP if your APs are also providing data service because the AP has to go through the association process to the rogue and while it's doing that, it isn't servicing data. Secondly, it's pretty easy to defeat by using _any_ kind of security, even WEP, with the rogue.

The "Rogue Detector" AP has its radios off and is looking at traffic it observes on the wire and correlating that to what's seen over the air. It gets a list of candidate rogue clients from the WLC. If it observes traffic on the wired network from the MAC of one of the rogue clients, it notifies the WLC and the WLC then knows that the rogue AP is connected to the network.

To get the rogue detector to work, it needs to be connected to a trunk port that allows all of the potential VLANs a rogue AP and rogue clients could be connected to. The rogue client also needs to be passing traffic on the network.

HTH,

Jake

mx
New Member

Re: rogue detection on airespace

This is a LOT of great information thank you Jake! Im starting to understand it now. It also explains why WCS was reporting a rogue when I didnt have any APs in Rogue detection mode.

So am I accurate in saying that if you do have an AP dedicated to Rogue AP detection it doesnt need to be within RF reach of the rogue? (as you say, the radios are off)

One question about RLDP however. Apparently this install is using it since it found a rogue AP. Does that mean that the rogue it found was not using WEP of any kind? RLDP will ONLY find rogue AP's that arent using security?

Bottom line, is my customer has a huge facility thats about 1000 feet square. There are many offices within this space so no 1 ap will possibly reach end to end. To detect rogues over this entire area, I only need one AP in rogue detection mode? And it will tell me when it finds one and will alert me accordingly?

Thank you very much for your time explaining this, it is very helpful!

bob

Bronze

Re: rogue detection on airespace

Jake,

Is it possible to view the RLDP association process on the Rogue AP (i.e. if its a Cisco AP), and is it possible to capture the RLDP traffic with a Sniffer spanning the Rogue AP switchport?

Does RLDP attempt to associate to every Rogue AP within earshot, and does this affect the RLDP Rogue AP detection process?

Thanks!

136
Views
0
Helpful
3
Replies
CreatePlease login to create content