Rogue AP Air Marshal

JamesBraddok
Here to help


Hello,

 
We recently installed a Meraki AP, and we noticed that a rogue access point is detected in the Air Marshal section.
We can't understand why so many MAC addresses are being broadcast and especially why it is being seen on a specific VLAN. The wired MAC address does not match any client on the network.
Has this ever happened to anyone?
 
alemabrahao
Kind of a big deal

A Rogue AP is any Access Point that does not belong to your Wireless infrastructure, that is, any neighboring AP can be a Rogue AP.
 
But that doesn't necessarily mean it's a malicious AP.
 
 
I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
JamesBraddok
Here to help

Thanks for the reply, but we don't understand why it is listed as "seen on the LAN".

alemabrahao
Kind of a big deal

Probably because someone plugged it into your switch.

 

Simply speaking, the AP queries the MAC of the AP identified as rogue and then it checks whether the MAC of the device is physically connected to your network or not.

 

I suggest you first identify the target switch port by scanning the wired LAN to find a device with the rogue's MAC address.

Sander
Here to help

Yes, well, it says it's an Aruba, so it looks like you have more than 1 Aruba AP active on your LAN (multiple BrC-MAC, seen on lots of channels). You share the LAN in the building?

JamesBraddok
Here to help

No the LAN is not shared.
The strange thing is that the manufacturer entry changes all the time: Aruba, HP and others.

TBHPTL
A model citizen

It shows the wired MAC. Run that MAC against your switch ports and go unplug it. It is still on according to what you are showing... Last seen 2 seconds ago... and it's been there for at least 2 months. Perhaps some "well meaning" person who has a subscription to Network World did this ...
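
Added example, not part of any post in this thread: one way to run the rogue's wired MAC against the switch ports, as the replies above suggest. It assumes MAC tables saved as text in a Cisco IOS-style `show mac address-table` layout and a known set of inter-switch uplink ports; the switch names, ports, VLANs and MACs are constructed.

```python
import re

# Constructed sample data: switch names, ports, VLANs and MACs are made up.
SAMPLE_TABLES = {
    "sw-core": """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  20    00aa.bbcc.dd01    DYNAMIC     Te1/1/1
  20    0011.2233.4455    DYNAMIC     Gi1/0/24
""",
    "sw-floor2": """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  20    0011.2233.4455    DYNAMIC     Gi1/0/7
  30    00aa.bbcc.dd02    DYNAMIC     Gi1/0/9
""",
}
# Assumption: inter-switch links, taken from your own topology records.
UPLINKS = {"sw-core": {"Gi1/0/24", "Te1/1/1"}, "sw-floor2": {"Gi1/0/48"}}

# One data row: VLAN id, MAC in any common notation, entry type, port.
ROW = re.compile(r"^\s*(\d+)\s+([0-9A-Fa-f.:\-]{12,17})\s+\S+\s+(\S+)\s*$")

def normalize_mac(mac):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def parse_mac_table(text):
    """Yield (vlan, mac, port) for each data row; header lines are skipped."""
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            yield int(m.group(1)), normalize_mac(m.group(2)), m.group(3)

def locate(mac, tables, uplinks):
    """Return every place the MAC was learned, edge (non-uplink) ports first."""
    target = normalize_mac(mac)
    hits = []
    for switch, text in tables.items():
        for vlan, learned, port in parse_mac_table(text):
            if learned == target:
                hits.append({"switch": switch, "vlan": vlan, "port": port,
                             "edge": port not in uplinks.get(switch, set())})
    return sorted(hits, key=lambda h: not h["edge"])

if __name__ == "__main__":
    for hit in locate("00:11:22:33:44:55", SAMPLE_TABLES, UPLINKS):
        print(hit)
```

The hit marked `edge` is the port the device is physically plugged into; hits on uplinks only show the path toward it. An empty result means none of the supplied tables currently holds the MAC, for example because the entry has aged out.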

JamesBraddok
Here to help

The MAC refers to one of the old APs, not Meraki, but it was already unplugged a few days ago.

Sander
Here to help

Otherwise do a visual check: on the AP reporting it at 40 dB, the interfering device must be very close to that one. Like a couple of meters probably. Could be anything like an AP, provider router, end-user 4G hotspot, some kind of smart device/TV.

Or download the free NetSpot on your laptop (assuming you do not have access to a professional survey tool like Ekahau), go to the area and walk around to see where that signal is the loudest; you must be able to find it.
