
rogue detection on airespace

mx
Level 1

Hi there. I am trying to find out exactly how rogue detection works on the Airespace product but am having no luck. I understand that I need a dedicated AP for this, but I get confused when I hear that the AP doesn't need to be within RF range of the rogue AP. Can someone fill me in? Thanks!

bob


jakew
Level 1

You don't need a dedicated AP for rogue detection. Standard "local" APs detect rogues during their normal air sampling cycles. "Monitor" APs will do this also. That covers basic "detection".

The second part of rogue detection is determining if the rogue is on or off your network. There are 2 ways you can do this. RLDP and a "Rogue Detector" AP.

Rogue Location Discovery Protocol (RLDP) takes either a local or monitor AP and uses that to associate to the rogue and try to send a packet back to the WLC. If the packet comes back, then the rogue is on the network. I don't recommend you use RLDP if your APs are also providing data service because the AP has to go through the association process to the rogue and while it's doing that, it isn't servicing data. Secondly, it's pretty easy to defeat by using _any_ kind of security, even WEP, with the rogue.

The "Rogue Detector" AP has its radios off and is looking at traffic it observes on the wire and correlating that to what's seen over the air. It gets a list of candidate rogue clients from the WLC. If it observes traffic on the wired network from the MAC of one of the rogue clients, it notifies the WLC and the WLC then knows that the rogue AP is connected to the network.

To get the rogue detector to work, it needs to be connected to a trunk port that allows all of the potential VLANs a rogue AP and rogue clients could be connected to. The rogue client also needs to be passing traffic on the network.

HTH,

Jake
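Added example, not part of the reply above and not Cisco's implementation: a small Python model of the wired-side correlation described for the "Rogue Detector" AP, showing why a rogue is only confirmed when its client's VLAN is on the detector's trunk and the client is actually passing traffic. All function names, MAC addresses and VLAN numbers are constructed for illustration.

```python
# Added illustration, not Cisco's implementation. All names and data are constructed.
import re

def norm_mac(mac):
    """Normalize aa:bb:.., AA-BB-.. or aabb.ccdd.eeff to lowercase colon form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def correlate(rogue_clients, wired_frames, trunk_vlans):
    """Return {rogue_bssid: [vlans]} for rogues whose clients were seen on the wire.

    rogue_clients: {client_mac: rogue_bssid}, the candidate list heard over the air
    wired_frames:  (src_mac, vlan) pairs observed on the detector's switch port
    trunk_vlans:   VLANs that port's trunk allows; other frames never reach it
    """
    candidates = {norm_mac(c): norm_mac(b) for c, b in rogue_clients.items()}
    confirmed = {}
    for src, vlan in wired_frames:
        if vlan not in trunk_vlans:
            continue
        bssid = candidates.get(norm_mac(src))
        if bssid is not None:
            confirmed.setdefault(bssid, set()).add(vlan)
    return {b: sorted(v) for b, v in confirmed.items()}

def unconfirmed(rogue_clients, confirmed):
    """Rogues still only 'detected': no client traffic matched on the wire."""
    return sorted({norm_mac(b) for b in rogue_clients.values()} - set(confirmed))

# Constructed sample data.
ROGUE_CLIENTS = {
    "02:00:00:00:00:01": "02:AA:00:00:00:01",  # passes traffic on VLAN 20
    "02-00-00-00-00-02": "02:AA:00:00:00:02",  # passes traffic on VLAN 30
    "0200.0000.0003":    "02:AA:00:00:00:03",  # associated but idle
}
WIRED_FRAMES = [
    ("0200.0000.0001", 20),     # rogue client, VLAN on the trunk
    ("02:00:00:00:00:02", 30),  # rogue client, VLAN not on the trunk
    ("02:00:00:00:00:99", 10),  # ordinary wired host
]
TRUNK_VLANS = {10, 20}

if __name__ == "__main__":
    found = correlate(ROGUE_CLIENTS, WIRED_FRAMES, TRUNK_VLANS)
    print("on the wired network:", found)
    print("not confirmed:", unconfirmed(ROGUE_CLIENTS, found))
```

With the sample data only the first rogue is confirmed; adding VLAN 30 to `TRUNK_VLANS` confirms the second, while the third stays unconfirmed until its client sends traffic.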

This is a LOT of great information, thank you Jake! I'm starting to understand it now. It also explains why WCS was reporting a rogue when I didn't have any APs in Rogue detection mode.

So am I accurate in saying that if you do have an AP dedicated to Rogue AP detection it doesn't need to be within RF reach of the rogue? (as you say, the radios are off)

One question about RLDP however. Apparently this install is using it since it found a rogue AP. Does that mean that the rogue it found was not using WEP of any kind? RLDP will ONLY find rogue APs that aren't using security?

Bottom line is, my customer has a huge facility that's about 1000 feet square. There are many offices within this space so no 1 AP will possibly reach end to end. To detect rogues over this entire area, I only need one AP in rogue detection mode? And it will tell me when it finds one and will alert me accordingly?

Thank you very much for your time explaining this, it is very helpful!

bob

Jake,

Is it possible to view the RLDP association process on the Rogue AP (i.e. if it's a Cisco AP), and is it possible to capture the RLDP traffic with a Sniffer spanning the Rogue AP switchport?

Does RLDP attempt to associate to every Rogue AP within earshot, and does this affect the RLDP Rogue AP detection process?

Thanks!
