Rogue Rules and Rogue AP alert in Prime

benediktdiehl
Level 1

Hi Supportcommunity,

 

I have done a lot of research on this topic but was unfortunately unable to find a helpful post.
If I missed something, I am sorry about that.

I have the following issue: my customer complains about Rogue AP alerts in Cisco Prime.

There are always many of them.
I already configured the Rogue Rules in the WLC's security tab as follows.

Here are the rules in detail.

1st rule

2nd rule

3rd rule

Could you please help me understand what I did wrong?
I don't understand why there are still so many rogue warnings although I configured it not to alert.

 

Thanks for your support

With kind regards

Benedikt

 

4 Replies

Dhiresh Yadav
Cisco Employee

Hi ,

 

I am not going into the rogue rules. Can you please go to Management > SNMP > Trap Control > Security > Rogue? Disable this setting and see if that stops the traps to PI.

 

 

Regards

Dhiresh

**Please rate helpful posts**

ERAJAB
Level 1

Rogue detection is a way of being aware of other APs in your surroundings; I would not advise turning the SNMP traps off totally. On the other hand, the customer can't really blame you because there are other APs around their network? In 99.9% of all networks there will be...

However, if you want to tidy up among the rogue alarms, the rules can be used. 
What your rules are saying is "Anyone except me using my SSIDs? - mark it as a Bad Guy" (OK).
Then it gets a bit weird to me, so let's do a short one on signal strength:

-30 dBm = Less than one meter from the AP at max European output level 20 dBm EIRP

-40 dBm = Ten times weaker, some 2-4m from AP. All distances are roughly speaking...

-50 dBm = 1/100 weaker, less than 10m from AP

-60 dBm = 1/1000 weaker, some 16m from AP, a "normal" and strong signal

-70 dBm = 1/10000, within 30m from AP, not great, but lower end of "normal" span

-80 dBm = hardly useable signal, might be able to connect @ 1-2 Mbps, not much more

-90 dBm = almost no clients can use this weak levels

-100 dBm = background noise.

 

Your delete rule says that "Any other AP located less than a meter from mine (-30 dBm) should be marked as Malicious and deleted". Lower this to, say, -70 dBm and see what happens.

Also note that the order of the rules can be important. It runs from top down, and as far as I remember the last one that matched determines if it is Friendly or Malicious. Play around with the levels first, then if necessary the order of the rules, and get back...

 


Addition to my own post (smile):

 

In a real network I would do:

"Managed SSID" - Mark as Malicious and alarm (someone is claiming to be my network!)

"RSSI > -95 dBm" - Mark as Friendly (e.g. -70 to -95, probably outside our premises)

"RSSI > -70 dBm" - Mark as Malicious and alarm (An unknown AP in our premises!)

Watch rule order; this overwrites the "Friendly" marker if RSSI is over -70 dBm.

 

In 8.0 and up you can also match on partial SSIDs, so matching the most common ISP SSIDs as "friendly" also helps...

 

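The rule-ordering point made in the two posts above, as an added example that is not part of this thread and not Cisco code: a small Python simulator that runs the three suggested rules (managed SSID, "weak is friendly", "strong is malicious") over a handful of constructed rogue APs. Whether a given controller applies the first or the last matching rule in its priority list is an assumption here, to be checked against the WLC configuration guide for your release, so the simulator supports both policies and shows that the same three rules misclassify something under either policy unless they are ordered for that policy. The SSIDs, BSSIDs and RSSI values are made up for illustration.

```python
"""Added example (not from the thread): simulate how rogue-rule order and
match policy change a rogue's classification.  Generic illustration code,
not a model of any specific controller; whether your WLC keeps the FIRST or
the LAST matching rule in its priority list is an assumption to verify.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample of the SSIDs the controller itself serves ("managed").
MANAGED_SSIDS = {"CorpWiFi", "CorpGuest"}


@dataclass(frozen=True)
class RogueAP:
    bssid: str
    ssid: str
    rssi: int  # dBm, as reported by the detecting AP


@dataclass(frozen=True)
class RogueRule:
    name: str
    classification: str  # "Malicious" or "Friendly"
    match: Callable[[RogueAP], bool]
    notify: bool = True  # False = classify quietly, raise no alarm/trap


def managed_ssid(ap: RogueAP) -> bool:
    # "Someone is claiming to be my network"
    return ap.ssid in MANAGED_SSIDS


def stronger_than(threshold_dbm: int) -> Callable[[RogueAP], bool]:
    # "RSSI > -70 dBm" in the post means a signal stronger (less negative) than -70 dBm
    return lambda ap: ap.rssi > threshold_dbm


# The three rules from the post, in the order the post lists them.
RULE_MANAGED = RogueRule("managed-ssid", "Malicious", managed_ssid)
RULE_WEAK = RogueRule("weak-is-friendly", "Friendly", stronger_than(-95), notify=False)
RULE_STRONG = RogueRule("strong-is-malicious", "Malicious", stronger_than(-70))
POSTED_ORDER = [RULE_MANAGED, RULE_WEAK, RULE_STRONG]


def classify(ap: RogueAP, rules: List[RogueRule], policy: str) -> Tuple[str, Optional[str]]:
    """Walk the rules top-down: 'first' stops at the first hit, 'last' keeps the last hit."""
    if policy not in ("first", "last"):
        raise ValueError("policy must be 'first' or 'last'")
    hit: Optional[RogueRule] = None
    for rule in rules:
        if rule.match(ap):
            hit = rule
            if policy == "first":
                break
    if hit is None:
        return "Unclassified", None
    return hit.classification, hit.name


def recommended_order(policy: str) -> List[RogueRule]:
    """Order the same three rules so the most specific rule decides under the given policy."""
    most_important_first = [RULE_MANAGED, RULE_STRONG, RULE_WEAK]
    return most_important_first if policy == "first" else list(reversed(most_important_first))


# Constructed sample rogues (not real data).
SAMPLE_ROGUES = [
    RogueAP("00:11:22:33:44:01", "CorpWiFi", -80),       # evil twin of a managed SSID, heard weakly
    RogueAP("00:11:22:33:44:02", "ISP-Home-1234", -85),  # neighbour's ISP router, outside
    RogueAP("00:11:22:33:44:03", "Unknown-AP", -55),     # strong unknown AP inside the building
    RogueAP("00:11:22:33:44:04", "Far-Away", -97),       # below every threshold
]


def classify_all(rules: List[RogueRule], policy: str) -> Dict[str, Tuple[str, Optional[str]]]:
    """Classification of every sample rogue, keyed by SSID (unique in the sample)."""
    return {ap.ssid: classify(ap, rules, policy) for ap in SAMPLE_ROGUES}


if __name__ == "__main__":
    for policy in ("first", "last"):
        print(f"== posted order, {policy}-match ==")
        for ssid, result in classify_all(POSTED_ORDER, policy).items():
            print(f"  {ssid:14} -> {result}")
        print(f"== recommended order, {policy}-match ==")
        for ssid, result in classify_all(recommended_order(policy), policy).items():
            print(f"  {ssid:14} -> {result}")
```

Running it shows the two failure modes in the posted order: with first-match semantics the broad "RSSI > -95 is Friendly" rule swallows the -55 dBm unknown AP before the "strong is malicious" rule sees it, and with last-match semantics the same Friendly rule overrides the managed-SSID hit for a weakly heard evil twin. Reordering for the policy the controller actually uses fixes both, which is why verifying that policy comes before tuning thresholds.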

 

Thanks, this was extremely helpful!