Meraki

Community

How does Meraki AP detects Wired MAC address of a Rogue AP?

RLNG
Getting noticed
‎Oct 3 2023 12:53 PM
‎Oct 3 2023 12:53 PM

How does Meraki AP detects Wired MAC address of a Rogue AP?

Question on Air Marhsal--> "Rogue SSID" --> Seen on LAN
 
I get that the BSSID is broadcasted over the air, but I'm curious about how Meraki APs are able to see the wired MAC of the AP to find out of this AP is connected on the same LAN? 
Labels:
0 Kudos
11 Replies 11
alemabrahao
Kind of a big deal
Kind of a big deal
‎Oct 3 2023 12:58 PM
‎Oct 3 2023 12:58 PM

It checks the MAC table if the MAC detected by the AP is on the wired network.


A Cisco Meraki AP accomplishes containment by sending deauthentication packets with the spoofed MAC address of the rogue access point (the BSSID of the rogue wireless network). The deauthentication packets force any clients that are connected to the rogue access point to disconnect. If a client attempts to connect to the rogue network, they will be immediately forced off by the Air Marshal. The image below shows a Cisco Meraki AP performing containment on a rogue SSID.

 

https://documentation.meraki.com/MR/Monitoring_and_Reporting/Air_Marshal

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
RLNG
Getting noticed
‎Oct 3 2023 1:02 PM
‎Oct 3 2023 1:02 PM

Hello. I have noticed you are very quick at responding but I don't think you really read the question but rather just the subject line. So most of your answers don't directly address the question. 

My question was how is the Meraki AP able to detect the AP Wired Mac address? If I have 2 different APs on different VLANs configured as Access Ports. How does 1 AP see the Wired MAC of another AP?

In response to RLNG
alemabrahao
Kind of a big deal
Kind of a big deal
‎Oct 3 2023 1:07 PM
‎Oct 3 2023 1:07 PM

I think you who didn't understand my friend, re-read the answer, and the documentation. 😉

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
RLNG
Getting noticed
‎Oct 3 2023 1:19 PM
‎Oct 3 2023 1:19 PM

So do you mind elaborating then? I don't see anywhere on documentation that explains how AP finds out the wired MAC. I see how it compares between Wired MAC & BSSID to classify as a Rogue. 

 

Below is a specific scenario I am trying to understand

 

My question was how is the Meraki AP able to detect the AP Wired Mac address? If I have 2 different APs on different VLANs configured as Access Ports. How does 1 AP see the Wired MAC of another AP?

0 Kudos
In response to RLNG
Greenberet
Head in the Cloud
‎Oct 3 2023 3:03 PM
‎Oct 3 2023 3:03 PM

It is part of the documentation.

I think you want to know this:

 

When we detect an SSID being broadcast, we compare it to other known MAC addresses on the LAN. The criteria for a match are as follows:

  • If a wired MAC and the broadcasted BSSID MAC match on the 3rd and 4th bytes of the MAC (starting with the 0th byte on the left, ending on the 5th byte on the right)
  • AND if the rest of the bytes differ by 5 bits or less (except for the 4 least significant [rightmost] bits of the 5th byte, which are masked out), it is classified as a Rogue SSID.

You can see this under Rogue_SSIDs . There is also a calculation example.

0 Kudos
In response to Greenberet
alemabrahao
Kind of a big deal
Kind of a big deal
‎Oct 3 2023 3:45 PM
‎Oct 3 2023 3:45 PM

Thanks @Greenberet, finally someone who reads the documentation. 😄

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
RLNG
Getting noticed
‎Oct 4 2023 4:29 PM
‎Oct 4 2023 4:29 PM

lol you were partially right. @Ryan_Miles provided the section I missed on the documentation. But still, you were wayyy off on your answer. Apple & oranges. 

0 Kudos
In response to RLNG
Ryan_Miles
Meraki Employee
Meraki Employee
‎Oct 3 2023 3:52 PM
‎Oct 3 2023 3:52 PM

There is a note about using a trunk port connected to the AP to detect rogues on all/other VLANs

 

LINK

Ryan

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
In response to Ryan_Miles
RLNG
Getting noticed
‎Oct 4 2023 4:27 PM
‎Oct 4 2023 4:27 PM

@Ryan_Miles This is exactly what I was looking for. Thank you. It does make sense now. 

 

However, currently, I have Meraki as a Trunk port with native vlan for Mgmt IP. All VLANs are allowed. I also have other Cisco APs on the environment. Meraki APs can see the BSSID but cannot see the Cisco APs wired mac. Any idea?

They are connected on the same switch for different VLANs. But since Meraki is on a trunk port it should have been able to see all the Wired MACs.

0 Kudos
In response to RLNG
Ryan_Miles
Meraki Employee
Meraki Employee
‎Oct 4 2023 4:36 PM
‎Oct 4 2023 4:36 PM

Do the wired MAC and BSSID MAC meet these requirements?

 

When we detect an SSID being broadcast, we compare it to other known MAC addresses on the LAN. The criteria for a match are as follows:

 

  • If a wired MAC and the broadcasted BSSID MAC match on the 3rd and 4th bytes of the MAC (starting with the 0th byte on the left, ending on the 5th byte on the right)
  • AND if the rest of the bytes differ by 5 bits or less (except for the 4 least significant [rightmost] bits of the 5th byte, which are masked out), it is classified as a Rogue SSID.

If it does then you may want to work with Meraki Support to see why it's not being detected. 

Ryan

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
0 Kudos
In response to Ryan_Miles
RLNG
Getting noticed
‎Oct 4 2023 8:03 PM
‎Oct 4 2023 8:03 PM

@Ryan_Miles So the issue is I see the "wired Mac" section empty on Meraki event alerts. So it can't even match it. Yea, I will probably open a support case to understand more and what I am missing. 

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.