Cisco Wireless AP Rogue Detection

Cisco Access Points can perform rogue detection in three different operating modes:

  1. Local Mode - In local mode, the AP listens for rogue client beacons for 50 ms before switching back to its configured channel to resume serving clients. This active scanning, along with neighbor messages, helps distinguish between rogue APs and legitimate ones that are part of the network. It cycles through each channel, one at a time, for a specific time period. Network administrators can configure the channels to scan and the time period in which all stations are scanned.
  2. Monitor Mode - In this mode, the radios are in receive only mode, and the AP scans all configured channels every 12 seconds. While it can transmit de-authentication packets, it cannot establish a client connection to a suspected rogue AP to send RLDP packets. Monitor mode APs are capable of detecting rogues but lack the ability to engage with them directly.
  3. Rogue Detection Mode - In this mode, the AP’s radio is disabled, allowing it to focus solely on monitoring wired traffic. The controller provides the rogue detector AP with lists of suspected rogue clients and AP MAC addresses. The rogue detector listens exclusively for ARP packets and, if needed, can be connected to every broadcast domain by using a trunk link. This is based on Cisco's white paper titled "Rogue Detection under Unified Wireless Networks."

Note however that Rogue Detection mode is supported only on Cisco IOS-based Wave 1 APs.
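The wired-side check a rogue detector AP performs, as an added example that is not Cisco code: it ignores every non-ARP frame, normalises MAC spellings (colon, dash and Cisco dotted forms), and raises an alert when an ARP sender MAC matches the suspected rogue AP or client lists the controller pushed down. The frame tuples and MAC lists are constructed sample data, and exact MAC matching is an assumed simplification of the controller's own matching rules.

```python
"""Model of a rogue-detector AP's ARP check against controller-supplied rogue lists."""
import re

ARP_ETHERTYPE = 0x0806  # the rogue detector listens exclusively for ARP

# Constructed sample: suspected rogue lists as the controller would push them.
SUSPECTED_ROGUE_APS = {"0011.2233.4455"}            # Cisco dotted spelling
SUSPECTED_ROGUE_CLIENTS = {"AA-BB-CC-DD-EE-01"}     # dash spelling

# Constructed sample frames seen on the trunk: (ethertype, sender MAC, sender IP, target IP).
SAMPLE_FRAMES = [
    (0x0806, "00:11:22:33:44:55", "10.0.5.20", "10.0.5.1"),   # suspected rogue AP
    (0x0800, "00:11:22:33:44:55", "10.0.5.20", "10.0.5.1"),   # IPv4, not ARP: ignored
    (0x0806, "f0:f1:f2:f3:f4:f5", "10.0.5.1", "10.0.5.20"),   # legitimate gateway
    (0x0806, "aa:bb:cc:dd:ee:01", "10.0.7.33", "10.0.7.1"),   # suspected rogue client
    (0x0806, "00:11:22:33:44:55", "10.0.5.20", "10.0.5.1"),   # repeat sighting, deduplicated
    (0x0806, "de:ad:be:ef:00:01", "10.0.5.40", "10.0.5.1"),   # unknown host, no alert
]


def normalize_mac(mac: str) -> str:
    """Canonicalise aa:bb:cc:dd:ee:ff, AA-BB-..., and Cisco aabb.ccdd.eeff to one form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def classify_arp(frames, rogue_aps, rogue_clients):
    """Return one alert per suspected rogue MAC whose ARP traffic proves it is on the wire."""
    aps = {normalize_mac(m) for m in rogue_aps}
    clients = {normalize_mac(m) for m in rogue_clients}
    alerts, seen = [], set()
    for ethertype, sender_mac, sender_ip, _target_ip in frames:
        if ethertype != ARP_ETHERTYPE:
            continue  # only ARP is inspected
        mac = normalize_mac(sender_mac)
        if mac in seen:
            continue  # report each rogue once, not per ARP frame
        if mac in aps:
            alerts.append({"kind": "rogue-ap-on-wire", "mac": mac, "ip": sender_ip})
        elif mac in clients:
            alerts.append({"kind": "rogue-client-on-wire", "mac": mac, "ip": sender_ip})
        else:
            continue
        seen.add(mac)
    return alerts


if __name__ == "__main__":
    for alert in classify_arp(SAMPLE_FRAMES, SUSPECTED_ROGUE_APS, SUSPECTED_ROGUE_CLIENTS):
        print(alert)
```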

For more details on how Local Mode and Monitor Mode compare when applied to rogue detection, take a look at this note: WAP Local Mode vs Monitor Mode for Rogue Detection.

https://networklessons.com/cisco/ccna-200-301/cisco-wireless-ap-modes