It checks the MAC table if the MAC detected by the AP is on the wired network.
A Cisco Meraki AP accomplishes containment by sending deauthentication packets with the spoofed MAC address of the rogue access point (the BSSID of the rogue wireless network). The deauthentication packets force any clients that are connected to the rogue access point to disconnect. If a client attempts to connect to the rogue network, they will be immediately forced off by the Air Marshal. The image below shows a Cisco Meraki AP performing containment on a rogue SSID.
https://documentation.meraki.com/MR/Monitoring_and_Reporting/Air_Marshal
Hello. I have noticed you are very quick at responding but I don't think you really read the question but rather just the subject line. So most of your answers don't directly address the question.
My question was how is the Meraki AP able to detect the AP Wired Mac address? If I have 2 different APs on different VLANs configured as Access Ports. How does 1 AP see the Wired MAC of another AP?
I think you who didn't understand my friend, re-read the answer, and the documentation. 😉
So do you mind elaborating then? I don't see anywhere on documentation that explains how AP finds out the wired MAC. I see how it compares between Wired MAC & BSSID to classify as a Rogue.
Below is a specific scenario I am trying to understand
My question was how is the Meraki AP able to detect the AP Wired Mac address? If I have 2 different APs on different VLANs configured as Access Ports. How does 1 AP see the Wired MAC of another AP?
It is part of the documentation.
I think you want to know this:
When we detect an SSID being broadcast, we compare it to other known MAC addresses on the LAN. The criteria for a match are as follows:
You can see this under Rogue_SSIDs . There is also a calculation example.
Thanks @Greenberet, finally someone who reads the documentation. 😄
lol you were partially right. @Ryan_Miles provided the section I missed on the documentation. But still, you were wayyy off on your answer. Apple & oranges.
There is a note about using a trunk port connected to the AP to detect rogues on all/other VLANs
@Ryan_Miles This is exactly what I was looking for. Thank you. It does make sense now.
However, currently, I have Meraki as a Trunk port with native vlan for Mgmt IP. All VLANs are allowed. I also have other Cisco APs on the environment. Meraki APs can see the BSSID but cannot see the Cisco APs wired mac. Any idea?
They are connected on the same switch for different VLANs. But since Meraki is on a trunk port it should have been able to see all the Wired MACs.
Do the wired MAC and BSSID MAC meet these requirements?
When we detect an SSID being broadcast, we compare it to other known MAC addresses on the LAN. The criteria for a match are as follows:
If it does then you may want to work with Meraki Support to see why it's not being detected.
@Ryan_Miles So the issue is I see the "wired Mac" section empty on Meraki event alerts. So it can't even match it. Yea, I will probably open a support case to understand more and what I am missing.