Meraki Community

Clickster · ‎Mar 28 2022

When I'm looking at the Malicious Broadcasts tab, I see the AP that saw the broadcasts, then there is a field for MAC. Is that the MAC of the AP or the MAC of the device that the malicious broadcasts originated from?

I'm asking because I would assume the latter, but the MACs that are showing up are the MACs for the APs that says they saw the broadcasts.

In other words, the row says "Seen By" AP1 (whose MAC is AA:BB:CC:DD:EE:FF:11) and "MAC" AA:BB:CC:DD:EE:FF:11.

These are broadcast deauth packets.

RaphaelL · ‎Mar 28 2022

Hi,

Do you have AirMarshal and containment enabled ?

So you are saying that one of your AP is present in the ''Malicious broadcasts'' page on your network ?

Clickster · ‎Mar 28 2022

There are 6 APs in the building. All 6 show up at one time or another as the "seen by" AP. In every case, the MAC listed under the "MAC" column is the MAC of the AP in question.
I sometimes, but not always, will see an AP spoof whose time stamp and AP match up with the malicious broadcast.

I'm not sure if this is what you're asking regarding whether Air Marshal is enabled and containing. At the moment I have it set to block clients from connecting to rogue SSIDs.
There is a single listing under rogue SSIDs but I think it's a general listing with the SSID as "hidden" and the broadcast MAC as XXX (and 378 others).