Aruba 2530 - Rogue AP Isolation; Limitations

Aruba 2530
479 pages
Enables automatic profile association.
disable
Disables automatic profile association.
Options
no
Removes the device type association and disables the feature for the device type. By default, this feature is disabled.
Restrictions
Only one device type is supported, aruba-ap, and it is used to identify all the Aruba access points.
Rogue AP Isolation
The Rogue AP Isolation feature detects and blocks any unauthorized APs in the network. You can either log or block the rogue device. If the action requested is to log the rogue device, the MAC address of the rogue device is logged in the system logs (RMON). If the action is to block the rogue device, the traffic to and from the MAC address of the rogue device is blocked. The MAC is also logged in the system log.

When an Aruba AP detects a rogue AP on the network, it sends out the MAC address of the AP as well as the MAC of the clients connected to the AP to the switch using the ArubaOS-Switch proprietary LLDP TLV protocol. The switch then adds a rule in its hardware table to block all the traffic originating from the rogue AP's MAC address.

The rogue-ap-isolation command configures the rogue AP isolation for the switch and gives the option to enable or disable the rogue AP isolation feature. The rogue-ap-isolation action command gives you the ability to block the traffic to or from the rogue device or log the MAC of the rogue device. When the action is set to block, the rogue MAC is logged as well. By default, the action is set to block.

The rogue-ap-isolation whitelist command lets you add devices detected as possible rogue APs to the whitelist. A maximum of 128 MAC addresses are supported for the whitelist.

The clear rogue-aps command clears the detected rogue AP device MAC addresses.
Limitations
You can add a maximum of 128 MAC addresses to the whitelist.

When a MAC is already authorized by any of the port security features such as LMA, WMA, or 802.1X, the MAC is logged but you cannot block it using the rogue-ap-isolation feature. An RMON event is logged to notify the user.

When a MAC is already configured as an IP received MAC of a VLAN interface, the MAC is logged but you cannot block it by using the rogue-ap-isolation feature. An RMON event is logged to notify the user.

When a MAC is already locked out via lockout-mac or locked down using the static-mac configuration, the MAC is logged but you cannot block it using the rogue-ap-isolation feature. An RMON event is logged to notify the user.

The number of rogue MACs supported on a switch is a function of the value of max-vlans at boot time. Since the resources are shared with the lockout-mac feature, the scale depends on how many lockout addresses have been configured on the switch using the lockout-mac feature. The following table lists the scale when there are no lockout addresses configured on the switch:
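The decision rules above (action block or log, the 128-entry whitelist, and the MACs the feature can log but not block) modelled as a small simulation. This is an added example, not ArubaOS-Switch code: the log strings are constructed for illustration and are not the switch's real RMON text, and the exempt_reason values are assumed labels for the conflicting configurations the page lists.

```python
"""Model of the Rogue AP Isolation rules described on this page (added example,
not ArubaOS-Switch code). Log strings are constructed for illustration and are
not the switch's real RMON text; exempt_reason values are assumed labels."""
import re

WHITELIST_MAX = 128  # from the page: at most 128 whitelist entries


def normalize_mac(mac: str) -> str:
    """Return 12 lowercase hex digits; accepts aa:bb:cc:dd:ee:ff,
    aa-bb-cc-dd-ee-ff or the ArubaOS-Switch style aabbcc-ddeeff."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"invalid MAC address: {mac!r}")
    return digits


class RogueApIsolation:
    def __init__(self, enabled: bool = True, action: str = "block"):
        if action not in ("block", "log"):
            raise ValueError("action must be 'block' or 'log'")
        self.enabled, self.action = enabled, action
        self.whitelist = set()   # rogue-ap-isolation whitelist entries
        self.blocked = set()     # MACs with a hardware block rule installed
        self.rmon_log = []       # constructed log entries (strings)

    def whitelist_add(self, mac: str) -> None:
        mac = normalize_mac(mac)
        if mac not in self.whitelist and len(self.whitelist) >= WHITELIST_MAX:
            raise ValueError("whitelist full (maximum of 128 MAC addresses)")
        self.whitelist.add(mac)

    def detect(self, mac: str, exempt_reason: str = "") -> str:
        """Handle a rogue MAC reported by an Aruba AP over LLDP.
        exempt_reason names a conflicting configuration that prevents
        blocking (port security, VLAN IP MAC, lockout-mac, static-mac).
        Returns 'ignored', 'whitelisted', 'logged' or 'blocked'."""
        mac = normalize_mac(mac)
        if not self.enabled:
            return "ignored"
        if mac in self.whitelist:
            return "whitelisted"
        self.rmon_log.append(f"rogue AP detected: {mac}")  # always logged
        if self.action == "log":
            return "logged"
        if exempt_reason:  # logged, but cannot be blocked; RMON event raised
            self.rmon_log.append(f"cannot block {mac}: {exempt_reason}")
            return "logged"
        self.blocked.add(mac)  # emulates the hardware block rule
        return "blocked"
```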
Chapter 11 Auto configuration upon Aruba AP detection 247