Cisco 5520 Wireless Controller Technical References
Rogue Management in a Unified Wireless Network using v7.4
Rogue Management Theory of Operation
This graphic depicts the off-channel scanning algorithm for a monitor mode AP in the 2.4 GHz
and 5 GHz frequency bands.
By default, a monitor mode AP dwells on each channel for 1.1 sec. If the user turns on
WIPS-optimized monitor mode (CLI: config ap monitor-mode wips-optimized), the AP changes the dwell
time on each channel from 1.1 sec to 250 msec. This allows the monitor AP to sweep the channels
quickly, so a full cycle through the channel scan completes much faster for rogue detection and
containment.
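Added example (not part of the Cisco document): a small model of how the two dwell times above change the sweep time and the time until the AP first hears a transmitter. It generalizes beyond the text by taking the transmitter's period and on-air time as inputs. The 25-channel scan list, round-robin channel order, zero channel-switch time and both traffic profiles are assumptions constructed for illustration.

```python
import math

DEFAULT_DWELL = 1.1   # seconds per channel, monitor mode default (from the page)
WIPS_DWELL = 0.25     # seconds per channel, WIPS-optimized (from the page)
N_CHANNELS = 25       # assumed scan-list size; not stated on the page

def sweep_time(n_channels, dwell):
    """Seconds for one full pass over the scan list (switch time ignored)."""
    return n_channels * dwell

def time_to_detect(n_channels, dwell, rogue_idx, phase, period, burst_len,
                   max_sweeps=10_000):
    """First instant the AP is on the rogue's channel while the rogue is on air.

    The AP starts on channel index 0 at t=0 and visits channels round-robin.
    The rogue is on air during [phase + j*period, phase + j*period + burst_len).
    Returns None when no visit overlaps a burst within max_sweeps sweeps,
    which happens when the burst period stays in step with the sweep time.
    """
    cycle = sweep_time(n_channels, dwell)
    for sweep in range(max_sweeps):
        start = sweep * cycle + rogue_idx * dwell  # AP arrives on the channel
        end = start + dwell                        # AP leaves the channel
        # Index of the first burst still on air after the AP arrives.
        j = max(0, math.floor((start - phase - burst_len) / period) + 1)
        burst_start = phase + j * period
        if burst_start < end:
            return max(start, burst_start)
    return None

def mean_time_to_detect(dwell, period, burst_len, n_channels=N_CHANNELS,
                        phases=20):
    """Average over every channel position and an even grid of burst phases."""
    samples = [time_to_detect(n_channels, dwell, idx, period * p / phases,
                              period, burst_len)
               for idx in range(n_channels) for p in range(phases)]
    if any(s is None for s in samples):
        return None
    return sum(samples) / len(samples)

if __name__ == "__main__":
    # Constructed traffic profiles: (label, period in s, on-air time in s).
    profiles = [("beacon-like", 0.1024, 0.001), ("bursty client", 7.0, 0.2)]
    for label, period, burst in profiles:
        for dwell in (DEFAULT_DWELL, WIPS_DWELL):
            mttd = mean_time_to_detect(dwell, period, burst)
            print(f"{label:14s} dwell={dwell:<5} "
                  f"sweep={sweep_time(N_CHANNELS, dwell):6.2f}s "
                  f"mean time to detect={mttd:7.2f}s")
```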
Local Mode and Monitor Mode Comparison
A local mode AP splits its cycles between serving WLAN clients and scanning channels for threats. As
a result, it takes a local mode AP longer to cycle through all the channels, and it spends less time
collecting data on any particular channel so that client operations are not disrupted. Consequently, rogue
and attack detection times are longer (3 to 60 minutes) and a smaller range of over-the-air attacks can be
detected than with a monitor mode AP. Furthermore, detection of bursty traffic, such as rogue clients,
is much less deterministic because the AP has to be on the channel of the traffic at the same time the
traffic is being transmitted or received. This becomes an exercise in probabilities. Wireless threat
management from a local mode AP can be extended by enabling Enhanced Local Mode (ELM, WIPS
submode). ELM enables full Adaptive wIPS signature detection while leaving the AP to serve data most
of the time. ELM and the Adaptive wIPS solution are described in the separate WIPS Deployment Guide.
A monitor mode AP spends all of its cycles scanning channels looking for rogues and over-the-air
attacks. A monitor mode AP can simultaneously be used for Adaptive wIPS, location (context-aware)
services, and other monitor mode services. When monitor mode APs are deployed, the benefit is a lower
time-to-detection. When monitor mode APs are additionally configured with Adaptive wIPS, a broader
range of over-the-air threats and attacks can be detected.