Meraki

Community

Rogue AP Air Marshal

JamesBraddok
Here to help
‎Jun 14 2023 3:27 AM
‎Jun 14 2023 3:27 AM

Rogue AP Air Marshal

Hello,

 
recently installed meraki AP , we noticed that a Rogue access point is detected in the Air Marshall section.
We can't understand why so many mac addresses are being brodcasted and especially why it is being seen on a specific vlan. The wired mac-address does not match any client on the network.
Has this ever happened to anyone?
 
Ap Rogue.PNG

 

0 Kudos
8 Replies 8
alemabrahao
Kind of a big deal
Kind of a big deal
‎Jun 14 2023 4:11 AM
‎Jun 14 2023 4:11 AM

A Rogue AP is any Access Point that does not belong to your Wireless infrastructure, that is, any neighboring AP can be a Rogue AP.
 
But that doesn't necessarily mean it's a malicious AP.
 
 
I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
JamesBraddok
Here to help
‎Jun 14 2023 8:10 AM
‎Jun 14 2023 8:10 AM

thanks for the reply, but we don't understand though why it is listed as "seen on the LAN".

0 Kudos
In response to JamesBraddok
alemabrahao
Kind of a big deal
Kind of a big deal
‎Jun 14 2023 8:26 AM
‎Jun 14 2023 8:26 AM

Because probably someone plugged it on your switch.

 

Simply speaking, the AP queries the MAC of the AP identified as rogue and then it checks whether the MAC of the device is physically connected to your network or not.

 

I suggest you first, identify the target switch port by scanning the wired LAN to find a device with the rogue's MAC address.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Sander
Here to help
‎Jun 16 2023 11:40 AM
‎Jun 16 2023 11:40 AM

Yes well it says it's a Aruba, so it looks like you have more than 1 Aruba AP active on your LAN (multiple BrC-MAC, seen of lots of channels). You share the LAN in the building?

0 Kudos
In response to Sander
JamesBraddok
Here to help
‎Jun 16 2023 4:10 PM
‎Jun 16 2023 4:10 PM

No the LAN is not shared.
The strange thing is that the manufacturer entry, it changes all the time, aruba, HP and other

0 Kudos
TBHPTL
A model citizen
‎Jun 16 2023 2:07 PM
‎Jun 16 2023 2:07 PM

It shows the wired MAC.  run that mac against your switch ports and go unplug it. It is still on according to what you are showing... Last seen 2 seconds ago... and its been there for at least 2 months. Perhaps some "well meaning" person who has a subscription to Network World did this ...

0 Kudos
In response to TBHPTL
JamesBraddok
Here to help
‎Jun 16 2023 4:08 PM
‎Jun 16 2023 4:08 PM

The MAC refers to one of the old AP not meraki, but it has already been unplagged a few days ago.

0 Kudos
Sander
Here to help
‎Jun 17 2023 1:36 AM
‎Jun 17 2023 1:36 AM

Otherwise do a visual check, on the AP reporting it at 40 dB, the interfering device must be very close to that one. Like a couple of meters probably. Could be anything like an AP, provider router, end-user 4G hotspot, some kind of smart device/tv.

Or download the free netspot on your laptop (assuming you do not have access to a professional survey tool like Ekahau), go to the area and walk around to see where that signal is the loudest, you must be able to find it.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.