Rogue AP Isolation
The Rogue AP Isolation feature detects and blocks any unauthorized APs in the network. You can either log or block the rogue device. If the action requested is to log the rogue device, the MAC address of the rogue device is logged in the system logs (RMON). If the action is to block the rogue device, the traffic to and from the MAC address of the rogue device is blocked. The MAC is also logged in the system log.
When an Aruba AP detects a rogue AP on the network, it sends out the MAC address of the AP as well as the MAC of the clients connected to the AP to the switch using the ArubaOS-Switch proprietary LLDP TLV protocol. The switch then adds a rule in its hardware table to block all the traffic originating from the rogue AP’s MAC address.
The rogue-ap-isolation command configures the rogue AP isolation for the switch and gives the option to enable or disable the rogue AP isolation feature. The rogue-ap-isolation action command gives you the ability to block the traffic to or from the rogue device or log the MAC of the rogue device. When the action is set to block, the rogue MAC is logged as well. By default, the action is set to block.
The rogue-ap-isolation whitelist command lets you add devices detected as possible rogue APs to the whitelist. A maximum of 128 MAC addresses are supported for the whitelist.
The clear rogue-ap-isolation command clears the detected rogue AP device MAC addresses.
More information
rogue-ap-isolation |
rogue-ap-isolation action |
rogue-ap-isolation whitelist |
clear rogue-ap-isolation |
Limitations
You can add a maximum of 128 MAC addresses to the whitelist.
When a MAC is already authorized by any of the port security features such as LMA, WMA, or 802.1X, the MAC is logged but you cannot block it using the rogue-ap-isolation feature. A RMON event is logged to notify the user.
When a MAC is already configured as an IP receive MAC of a VLAN interface, the MAC is logged but you cannot block it by using the rogue-ap-isolation feature. A RMON event is logged to notify the user.
When a MAC is already locked out via lockout-mac or locked down using the static-mac configuration, the MAC is logged but you cannot block it using the rogue-ap-isolation feature. A RMON event is logged to notify the user.
The number of rogue MACs supported on a switch is a function of the value of max-vlans at boot time. Since the resources are shared with the lockout-mac feature, the scale depends on how many lockout addresses have been configured on the switch using the lockout-mac feature. The following table lists the scale when there are no lockout addresses configured on the switch:
Max VLAN               Supported MACs
0 < VLAN <= 8          200
8 < VLAN <= 16         100
16 < VLAN <= 256       64
256 < VLAN <= 1024     16
1024 < VLAN <= 2048    8
2048 < VLAN <= 4094    4
The switch will throw a RMON log and the rogue MAC will be ignored when the limit is reached.
NOTE: If the max-vlans value is changed to a different value, the scale of rogue MACs supported will not change until the next reboot.
Feature Interactions
MAC lockout and lockdown
The Rogue AP isolation feature uses the MAC lockout feature to block MACs in hardware. Therefore, any MAC blocked with the Rogue AP isolation feature cannot be added with the lockout-mac or static-mac command if the action type is set to block.
For example:
switch# lockout-mac 247703-7a8950
Cannot add the entry for the MAC address 247703-7a8950 because it is already
blocked by rogue-ap-isolation.
switch# static-mac 247703-7a8950 vlan 1 interface 1
Cannot add the entry for the MAC address 247703-7a8950 because it is already
blocked by rogue-ap-isolation.
Similarly, any MAC that was added with the lockout-mac or static-mac command and that is detected as rogue will be logged, but not blocked in hardware, because it is already set to block. If the MAC is removed from lockout-mac or static-mac but is still in the rogue device list, it will be blocked again in hardware if the action type is block.
LMA/WMA/802.1X/Port-Security
Any configuration using LMA, WMA, 802.1X, or Port-Security will not be blocked if the Rogue AP isolation feature is enabled. All these features act only when a packet with the said MAC is received on a port.
If rogue-ap-isolation blocks a MAC before it is configured to be authorized, packets from such MACs will be dropped until one of the following happens:
Rogue action is changed to LOG.
Rogue-AP isolation feature is disabled.
The MAC is not detected as rogue anymore.
LLDP is disabled on the port (or globally).
Once a MAC has been authorized by one of these features, it will not be blocked by Rogue AP isolation. A RMON will be logged to indicate the failure to block.
The Rogue AP module will retry to block any such MACs periodically. In the event of the MAC no longer being authorized, Rogue AP isolation will block the MAC again. No RMON is logged to indicate this event.
L3 MAC
The Rogue AP isolation feature will not block a MAC configured as an IP receive MAC address on a VLAN interface. This event will be logged in RMON if such MACs are detected as rogue.
Conversely, any MAC already blocked by Rogue AP isolation will not be allowed to be configured as an IP receive MAC address of a VLAN interface.
For example:
switch# vlan 1 ip-recv-mac-address 247703-3effbb
Cannot add an entry for the MAC address 247703-3effbb because it is already
blocked by rogue-ap-isolation.
Using the Rogue AP Isolation feature
Check the feature state:
switch# show rogue-ap-isolation

 Rogue AP Isolation

  Rogue AP Status : Disabled
  Rogue AP Action : Block

  Rogue MAC Address   Neighbour MAC Address
  -----------------   ---------------------
Enable the feature:
switch# rogue-ap-isolation enable
switch# show rogue-ap-isolation

 Rogue AP Isolation

  Rogue AP Status : Enabled
  Rogue AP Action : Block

  Rogue MAC Address   Neighbour MAC Address
  -----------------   ---------------------
Change the action type from block to log:
switch# rogue-ap-isolation action log
switch# show rogue-ap-isolation

 Rogue AP Isolation

  Rogue AP Status : Enabled
  Rogue AP Action : Log

  Rogue MAC Address   Neighbour MAC Address
  -----------------   ---------------------
List the current whitelist entries:
switch# show rogue-ap-isolation whitelist

 Rogue AP Whitelist Configuration

  Rogue AP MAC
  ------------------
Add a new whitelist entry:
switch# rogue-ap-isolation whitelist 005056-00326a
switch# show rogue-ap-isolation whitelist

 Rogue AP Whitelist Configuration

  Rogue AP MAC
  ------------------
  00:50:56:00:32:6a
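The procedure above shows how to read the feature state from the CLI, and the Limitations and Feature Interactions sections describe which detected MACs end up only logged rather than blocked. The following audit helper is an added example, not part of the switch documentation or of ArubaOS-Switch: it parses captured show rogue-ap-isolation output in the layout shown above, reads lockout-mac, static-mac and ip-recv-mac-address lines from a running-config excerpt, and reports for each rogue MAC whether the switch would block it in hardware or only log it, using the scale table for the capacity check. The sample output, the config line layout, the MACs, and the caller-supplied list of port-security-authorized MACs (the manual gives no show command for that here) are all constructed assumptions.

```python
"""Audit helper for the ArubaOS-Switch rogue AP isolation feature (added example).

Not part of the switch documentation or of ArubaOS-Switch. Sample output,
config excerpt and MACs below are constructed for this example.
"""
import re

# Rogue MAC capacity by max-vlans at boot, with no lockout-mac entries
# configured (the scale table from the manual).
SCALE = [(8, 200), (16, 100), (256, 64), (1024, 16), (2048, 8), (4094, 4)]

# Matches 00:50:56:00:32:6a, 00-50-56-00-32-6a and the CLI form 005056-00326a.
MAC_TOKEN = r"(?:[0-9a-fA-F]{2}[:-]){5}[0-9a-fA-F]{2}|[0-9a-fA-F]{6}-[0-9a-fA-F]{6}"

# Constructed sample: the switch prints rogue MACs colon-separated even though
# the CLI accepts them in the 005056-00326a form.
SAMPLE_SHOW = """\
 Rogue AP Isolation

  Rogue AP Status : Enabled
  Rogue AP Action : Block

  Rogue MAC Address   Neighbour MAC Address
  -----------------   ---------------------
  24:77:03:7a:89:50   00:11:22:aa:bb:01
  24:77:03:3e:ff:bb   00:11:22:aa:bb:02
  00:0c:29:ab:cd:ef   00:11:22:aa:bb:03
  d8:c7:c8:12:34:56   00:11:22:aa:bb:04
"""

# Constructed running-config excerpt (assumed layout: ip-recv-mac-address
# is printed under its VLAN context).
SAMPLE_CONFIG = """\
lockout-mac 247703-7a8950
vlan 1
   ip-recv-mac-address 247703-3effbb
   exit
"""

# Constructed: a MAC already admitted by 802.1X/LMA/WMA/port-security.
# The manual states the rule but shows no command to list such MACs, so the
# caller supplies them (assumption).
SAMPLE_AUTHORIZED = ["000c29-abcdef"]


def normalize_mac(mac):
    """Canonical 12-hex-digit lowercase form for any of the accepted MAC spellings."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def rogue_capacity(max_vlans):
    """Rogue MACs the switch can block for a given max-vlans (no lockout-mac entries)."""
    for upper, count in SCALE:
        if 0 < max_vlans <= upper:
            return count
    raise ValueError("max-vlans must be in 1..4094")


def parse_show_rogue(text):
    """Return (status, action, [(rogue_mac, neighbour_mac), ...]) from show output."""
    status = re.search(r"Rogue AP Status\s*:\s*(\w+)", text)
    action = re.search(r"Rogue AP Action\s*:\s*(\w+)", text)
    if not status or not action:
        raise ValueError("not 'show rogue-ap-isolation' output")
    entries = []
    for line in text.splitlines():
        macs = re.findall(MAC_TOKEN, line)
        if len(macs) == 2:  # one rogue MAC and its neighbour MAC per table row
            entries.append((normalize_mac(macs[0]), normalize_mac(macs[1])))
    return status.group(1), action.group(1), entries


def parse_config(text):
    """Map MACs pinned by lockout-mac, static-mac or ip-recv-mac-address to that feature."""
    patterns = {
        "lockout-mac": rf"^\s*lockout-mac\s+({MAC_TOKEN})",
        "static-mac": rf"^\s*static-mac\s+({MAC_TOKEN})",
        "ip-recv-mac-address": rf"ip-recv-mac-address\s+({MAC_TOKEN})",
    }
    pinned = {}
    for line in text.splitlines():
        for feature, pattern in patterns.items():
            match = re.search(pattern, line)
            if match:
                pinned.setdefault(normalize_mac(match.group(1)), feature)
    return pinned


def classify(show_text, config_text, authorized=()):
    """For each detected rogue MAC, say whether the switch blocks it or only logs it."""
    status, action, entries = parse_show_rogue(show_text)
    pinned = parse_config(config_text)
    authorized = {normalize_mac(m) for m in authorized}
    verdicts = {}
    for rogue, _neighbour in entries:
        if status.lower() != "enabled":
            verdicts[rogue] = "feature disabled"
        elif action.lower() == "log":
            verdicts[rogue] = "logged only (action log)"
        elif rogue in pinned:  # lockout-mac / static-mac / L3 MAC rules
            verdicts[rogue] = f"logged only (already held by {pinned[rogue]})"
        elif rogue in authorized:  # LMA/WMA/802.1X/port-security rule
            verdicts[rogue] = "logged only (authorized by port security)"
        else:
            verdicts[rogue] = "blocked in hardware"
    return verdicts


if __name__ == "__main__":
    for mac, verdict in classify(SAMPLE_SHOW, SAMPLE_CONFIG, SAMPLE_AUTHORIZED).items():
        print(f"{mac}  {verdict}")
    print("rogue MAC capacity at max-vlans 256:", rogue_capacity(256))
```

Run it against a pasted show rogue-ap-isolation and show running-config capture; the "logged only" verdicts are the MACs for which the Limitations section says a RMON event is raised instead of a hardware block, so they are the ones to follow up by hand.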
rogue-ap-isolation
syntax
rogue-ap-isolation {enable | disable}
Description
Configures the rogue AP isolation for the switch.
Parameters
enable
Enables the rogue AP isolation.
disable
Disables the rogue AP isolation.
More information
rogue-ap-isolation action |
rogue-ap-isolation whitelist |
clear rogue-ap-isolation |
rogue-ap-isolation action
syntax
rogue-ap-isolation action {log | block}
Description
Configures the action to take for the rogue AP packets. This function is disabled by default.
Parameters
action
Configure the action to take for rogue AP packets. By default, the rogue AP packets are blocked.
Options
log
Logs traffic to or from any rogue access points.
block
Blocks and logs traffic to or from any rogue access points.
More information
rogue-ap-isolation |
rogue-ap-isolation whitelist |
clear rogue-ap-isolation |
rogue-ap-isolation whitelist
syntax
[no] rogue-ap-isolation whitelist <MAC-ADDRESS>
Description
Configures the rogue AP Whitelist MAC addresses for the switch. Use this command to add to the whitelist the MAC addresses of approved access points or MAC addresses of clients connected to the rogue access points. These approved access points will not be added to the rogue AP list even if they are reported as rogue devices.
Parameters
MAC-ADDRESS
Specifies the MAC address of the device to be moved from the rogue AP list to the whitelist.
Options
no
Removes the MAC address individually by specifying the MAC.
Restrictions
You can add a maximum of 128 MAC addresses to the whitelist.
More information
rogue-ap-isolation |
rogue-ap-isolation action |
clear rogue-ap-isolation |
clear rogue-ap-isolation
syntax
clear rogue-ap-isolation { <MAC-ADDRESS> | all }
Description
Removes the MAC addresses from the rogue AP list.
Parameters
MAC-ADDRESS
Specifies the MAC address of the device to be removed from the rogue AP list.
all
Clears all MAC addresses from the rogue AP list.
Restrictions
The MAC addresses cleared using this option will be added back to the rogue list under the following cases:
The LLDP administrative status of the port to which the AP that reported the MAC is connected is disabled and then enabled again.
The data in the rogue AP TLV sent by the AP that reported the rogue MAC has changed.
To permanently ignore a MAC from being detected as rogue, add it to the whitelist.
More information
rogue-ap-isolation |
rogue-ap-isolation action |
rogue-ap-isolation whitelist |