Rogue AP Isolation

The Rogue AP Isolation feature detects and blocks any unauthorized APs in the network. You can either log or block the rogue device. If the action requested is to log the rogue device, the MAC address of the rogue device is logged in the system logs (RMON). If the action is to block the rogue device, the traffic to and from the MAC address of the rogue device is blocked. The MAC is also logged in the system log.

When an Aruba AP detects a rogue AP on the network, it sends out the MAC address of the AP as well as the MAC of the clients connected to the AP to the switch using the ArubaOS-Switch proprietary LLDP TLV protocol. The switch then adds a rule in its hardware table to block all the traffic originating from the rogue AP’s MAC address.

The rogue-ap-isolation command configures the rogue AP isolation for the switch and gives the option to enable or disable the rogue AP isolation feature. The rogue-ap-isolation action command gives you the ability to block the traffic to or from the rogue device or log the MAC of the rogue device. When the action is set to block, the rogue MAC is logged as well. By default, the action is set to block.

The rogue-ap-isolation whitelist command lets you add devices detected as possible rogue APs to the whitelist. A maximum of 128 MAC addresses are supported for the whitelist.

The clear rogue-aps command clears the detected rogue AP device MAC address.

More information

rogue-ap-isolation
rogue-ap-isolation action
rogue-ap-isolation whitelist
clear rogue-ap-isolation

Limitations

  • You can add a maximum of 128 MAC addresses to the whitelist.

  • When a MAC is already authorized by any of the port security features such as LMA, WMA, or 802.1X, the MAC is logged but you cannot block it using the rogue-ap-isolation feature. An RMON event is logged to notify the user.

  • When a MAC is already configured as an IP receive MAC of a VLAN interface, the MAC is logged but you cannot block it using the rogue-ap-isolation feature. An RMON event is logged to notify the user.

  • When a MAC is already locked out via lockout-mac or locked down using the static-mac configuration, the MAC is logged but you cannot block it using the rogue-ap-isolation feature. An RMON event is logged to notify the user.

  • The number of rogue MACs supported on a switch is a function of the value of max-vlans at boot time. Since the resources are shared with the lockout-mac feature, the scale is dependent on how many lockout addresses have been configured on the switch using the lockout-mac feature.

    The following table lists the scale when there are no lockout addresses configured on the switch:

    Max VLAN              Supported MACs
    --------------------  --------------
    0 < VLAN <= 8         200
    8 < VLAN <= 16        100
    16 < VLAN <= 256      64
    256 < VLAN <= 1024    16
    1024 < VLAN <= 2048   8
    2048 < VLAN <= 4094   4

    When the limit is reached, the switch logs an RMON event and ignores the additional rogue MAC.


    NOTE: If the max-vlans value is changed, the number of supported rogue MACs does not change until the next reboot.


Feature Interactions

MAC lockout and lockdown

The Rogue AP isolation feature uses the MAC lockout feature to block MACs in hardware. Therefore, any MAC blocked by the Rogue AP isolation feature cannot be added with the lockout-mac or static-mac command while the action type is set to block.

For example:

switch# lockout-mac 247703-7a8950 
Cannot add the entry for the MAC address 247703-7a8950 because it is already 
blocked by rogue-ap-isolation. 
switch# static-mac 247703-7a8950 vlan 1 interface 1 
Cannot add the entry for the MAC address 247703-7a8950 because it is already 
blocked by rogue-ap-isolation. 

Similarly, any MAC that was added with the lockout-mac or static-mac command and that is detected as rogue will be logged but not blocked in hardware, as it is already set to block. If the MAC is removed from lockout-mac or static-mac but is still in the rogue device list, it will be blocked in hardware again if the action type is block.

LMA/WMA/802.1X/Port-Security

Any MAC authorized by LMA, WMA, 802.1X, or Port-Security will not be blocked when the Rogue AP isolation feature is enabled. All of these features act only when a packet with that MAC is received on a port.

If rogue-ap-isolation blocks a MAC before it is configured to be authorized, packets from such MACs will be dropped until one of the following happens:

  • Rogue action is changed to LOG.

  • Rogue-AP isolation feature is disabled.

  • The MAC is not detected as rogue anymore.

  • LLDP is disabled on the port (or globally).

Once a MAC has been authorized by one of these features, it will not be blocked by Rogue AP isolation. An RMON event is logged to indicate the failure to block.

The Rogue AP module periodically retries blocking any such MACs. If the MAC is no longer authorized, Rogue AP isolation blocks the MAC again. No RMON event is logged for this.

L3 MAC

The Rogue AP isolation feature will not block a MAC configured as an IP receive MAC address on a VLAN interface. This event will be logged in RMON if such MACs are detected as rogue.

Conversely, any MAC already blocked by Rogue AP isolation will not be allowed to be configured as an IP receive MAC address of a VLAN interface.

For example:

switch# vlan 1 ip-recv-mac-address 247703-3effbb 
Cannot add an entry for the MAC address 247703-3effbb because it is already
blocked by rogue-ap-isolation. 

Using the Rogue AP Isolation feature

  1. Check the feature state:

    switch# show rogue-ap-isolation
    
     Rogue AP Isolation
    
      Rogue AP Status : Disabled
      Rogue AP Action : Block
    
      Rogue MAC Address Neighbour MAC Address
      ----------------- ---------------------
  2. Enable the feature:

    switch# rogue-ap-isolation enable
    switch# show rogue-ap-isolation
    
     Rogue AP Isolation
    
      Rogue AP Status : Enabled
      Rogue AP Action : Block
    
      Rogue MAC Address Neighbour MAC Address
      ----------------- ---------------------
  3. Change the action type from block to log:

    switch# rogue-ap-isolation action log
    switch# show rogue-ap-isolation
    
     Rogue AP Isolation
    
      Rogue AP Status : Enabled
      Rogue AP Action : Log
    
      Rogue MAC Address Neighbour MAC Address
      ----------------- ---------------------
  4. List the current whitelist entries:

    switch# show rogue-ap-isolation whitelist
    
    Rogue AP Whitelist Configuration
    
     Rogue AP MAC
     ------------------
  5. Add a new whitelist entry:

    switch# rogue-ap-isolation whitelist 005056-00326a
    switch# show rogue-ap-isolation whitelist
    
    Rogue AP Whitelist Configuration
    
     Rogue AP MAC
     ------------------
     00:50:56:00:32:6a
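As an added example (not from the ArubaOS-Switch documentation), the following Python script applies the scale table from the Limitations section and parses the show rogue-ap-isolation output shown in the procedure above, normalising the two MAC notations the CLI uses (247703-7a8950 on input, 00:50:56:00:32:6a in output) so detected rogue entries can be compared against the whitelist and the remaining scale headroom reported. The sample output, the two-column row layout, and the assumption that each lockout-mac entry consumes one rogue-MAC slot are constructed for the example.

```python
import re
# Scale table from the page (no lockout-mac entries configured, which share these resources).
SCALE_TABLE = [(8, 200), (16, 100), (256, 64), (1024, 16), (2048, 8), (4094, 4)]

# Constructed sample of 'show rogue-ap-isolation' output; the row layout
# (rogue MAC, neighbour MAC) is assumed from the column headers on the page.
SAMPLE_OUTPUT = """  Rogue AP Status : Enabled
  Rogue AP Action : Block
  Rogue MAC Address Neighbour MAC Address
  ----------------- ---------------------
  24:77:03:7a:89:50 00:50:56:00:32:6a
  24:77:03:3e:ff:bb 00:50:56:00:32:6a
"""

def rogue_mac_capacity(max_vlans):
    """Rogue MACs the switch can block for this max-vlans value (page table)."""
    if not 0 < max_vlans <= 4094:
        raise ValueError("max-vlans must be between 1 and 4094")
    return next(n for bound, n in SCALE_TABLE if max_vlans <= bound)

def normalize_mac(mac):
    """Canonicalise both CLI forms (247703-7a8950, 00:50:56:00:32:6a) to 12 hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def parse_show_rogue_ap(output):
    """Return (status, action, [(rogue_mac, neighbour_mac), ...]) from show output."""
    status, action, rows, in_table = None, None, [], False
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("Rogue AP Status"):
            status = line.split(":", 1)[1].strip()
        elif line.startswith("Rogue AP Action"):
            action = line.split(":", 1)[1].strip()
        elif line.startswith("-----"):
            in_table = True          # dashed rule marks the start of the MAC rows
        elif in_table and line:
            rogue, neighbour = line.split()
            rows.append((normalize_mac(rogue), normalize_mac(neighbour)))
    return status, action, rows

def review(output, whitelist, max_vlans, lockout_count=0):
    """Unlisted rogue MACs and headroom before the scale limit (assumes one slot per lockout-mac)."""
    status, action, rows = parse_show_rogue_ap(output)
    allowed = {normalize_mac(m) for m in whitelist}
    unlisted = sorted({r for r, _ in rows} - allowed)
    headroom = rogue_mac_capacity(max_vlans) - lockout_count - len(unlisted)
    return {"status": status, "action": action, "unlisted": unlisted, "headroom": headroom}
```

Feed it the output of show rogue-ap-isolation, the configured whitelist, and the boot-time max-vlans value; a negative headroom means the switch is already ignoring new rogue MACs.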

rogue-ap-isolation

Syntax

rogue-ap-isolation {enable | disable}

Description

Configures the rogue AP isolation for the switch.

Parameters

enable

Enables the rogue AP isolation.

disable

Disables the rogue AP isolation.

More information

rogue-ap-isolation action
rogue-ap-isolation whitelist
clear rogue-ap-isolation

rogue-ap-isolation action

Syntax

rogue-ap-isolation action {log | block}

Description

Configures the action to take for rogue AP packets. The rogue AP isolation feature itself is disabled by default.

Parameters

action

Configure the action to take for rogue AP packets. By default, the rogue AP packets are blocked.

Options

log

Logs traffic to or from any rogue access points.

block

Blocks and logs traffic to or from any rogue access points.

More information

rogue-ap-isolation
rogue-ap-isolation whitelist
clear rogue-ap-isolation

rogue-ap-isolation whitelist

Syntax

[no] rogue-ap-isolation whitelist <MAC-ADDRESS>

Description

Configures the rogue AP Whitelist MAC addresses for the switch. Use this command to add to the whitelist the MAC addresses of approved access points or MAC addresses of clients connected to the rogue access points. These approved access points will not be added to the rogue AP list even if they are reported as rogue devices.

Parameters

MAC-ADDRESS

Specifies the MAC address of the device to be moved from the rogue AP list to the whitelist.

Options

no

Removes the specified MAC address from the whitelist.

Restrictions

You can add a maximum of 128 MAC addresses to the whitelist.

More information

rogue-ap-isolation
rogue-ap-isolation action
clear rogue-ap-isolation

clear rogue-ap-isolation

Syntax

clear rogue-ap-isolation { <MAC-ADDRESS> | all }

Description

Removes the MAC addresses from the rogue AP list.

Parameters

MAC-ADDRESS

Specifies the MAC address of the device to be removed from the rogue AP list.

all

Clears all MAC addresses from the rogue AP list.

Restrictions

MAC addresses cleared with this command are added back to the rogue list in the following cases:

  1. The LLDP administrative status of the port connected to the AP that reported the MAC is disabled and then re-enabled.

  2. The data in the rogue AP TLV sent by the AP that reported the rogue MAC changes.

To permanently prevent a MAC from being detected as rogue, add it to the whitelist.

More information

rogue-ap-isolation
rogue-ap-isolation action
rogue-ap-isolation whitelist