06-11-2014 03:26 AM - edited 07-05-2021 12:59 AM
Hi
Can anyone explain the differences between AP Submode "base wips" and "none" when the AP main mode is local or flexconnect?
This relates to code 7.4 with Prime 2.0 and NO MSE. We also have no wIPS licenses on Prime. I am trying to understand the pros/cons of enabling the base wIPS submode.
With the mode set to none we still see off-channel scanning for rogues. (We can tell this because we are configured for channels 1,6,11 but are detecting rogues on other channels e.g. 7). So what are the benefits of the basewips mode vs none? Is this just additional attack signature detection?
Thoughts and experiences with this mode appreciated.
Is this something you are enabling everywhere with no issues? Or is this something that needs special consideration before deployment?
As far as I can tell it doesn't increase the off-channel scan time. But not sure if there are other performance considerations?
Thanks in advance!
06-12-2014 03:13 AM
wIPS is basically an advanced approach to wireless threat detection and performance management.
It combines network traffic analysis, network device and topology information, signature-based techniques, and anomaly detection to deliver highly accurate and complete wireless threat prevention.
With a fully infrastructure-integrated solution, you can continually monitor wireless traffic on both the wired and wireless networks and use that network intelligence to analyze attacks from many sources to more accurately pinpoint and proactively prevent attacks rather than waiting until damage or exposure has occurred.
The regular local mode or FlexConnect mode access point is extended with a subset of Wireless Intrusion Prevention System (wIPS) capabilities.
This feature enables you to deploy your access points to provide protection without needing a separate overlay network.
wIPS ELM has limited capability of detecting off-channel alarms. The access point periodically goes off-channel, and monitors the non-serving channels for a short duration, and triggers alarms if any attack is detected on the channel.
But the off-channel alarm detection is best effort and it takes a longer time to detect attacks and trigger alarms, which might cause the ELM AP to intermittently detect an alarm and clear it because it is not visible.
Access points in any of the above modes can periodically send alarms based on the policy profile to the wIPS service through the controller.
The wIPS service stores and processes the alarms and generates SNMP traps.
And AP submode none is just to disable the wIPS on the AP.
06-12-2014 08:03 AM
Thank you for your reply.
So there should be no additional performance penalty moving from "none" to BasewIPS mode?
I also noticed in the wIPS ELM deployment guide that it mentions additional licensing in Cisco Prime. Is this correct?
http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/113027-wips-00.html#local
ELM Licensing
ELM wIPS adds a new license to the ordering:
AIR-LM-WIPS-xx - Cisco ELM wIPS License
AIR-WIPS-AP-xx - Cisco Wireless wIPS License
I assume the additional licenses would be in addition to the standard lifecycle license you need for each AP?
If we don't have the ELM license what functionality do we lose from base wIPS?
Thanks in advance