Friday, August 20, 2021

Meraki Rogue AP detection question?

After having read this blog post: https://meraki.cisco.com/blog/2017/09/rogue-access-point/

I have got my head around it somewhat but still have some questions and some clarity needed on the subject, this is what I've summarised so far:

When Meraki APs try to detect a rogue AP, they look for traffic that is "seen" on the LAN, meaning that other legitimate APs have received a broadcast frame from it via the Meraki AP VLAN, and it is broadcasting SSIDs that are visible to the APs that make up the corporate wireless infrastructure.

In order for a Meraki AP to classify an SSID and AP as rogue, the MAC addresses of frames on the wired side of the corporate APs are listened for in the enterprise VLAN the Meraki APs are on. If the wired MAC and the broadcast BSSID MAC of the SSID from an AP match on the 3rd and 4th bytes of the MAC addresses and the rest of the bytes differ by 5 bits or less, then the AP is classified as rogue. This comparison is achieved by applying an XOR (comparing MAC addresses in binary) to both the wired MAC address and the BSSID MAC address from the AP.
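To make the comparison concrete, here is an added worked example (not Meraki's code, and not from the blog post; it is my reading of the summary above, with the byte positions and the 5-bit threshold taken as stated). XOR of two MACs sets a 1 bit wherever they differ, so counting those bits gives the Hamming distance. The reason a small distance is the suspicious case is that a consumer AP normally derives its BSSIDs from its wired MAC by incrementing the low-order bits (that is what "contiguous" refers to), so a BSSID heard over the air that sits a few bits away from a MAC seen on the corporate VLAN points to the same physical box being bridged onto the LAN, whereas a large distance just means an unrelated device. The sample MACs below are constructed for the illustration.

```python
"""
Rogue-AP MAC correlation heuristic, as an illustration of the description
above. Assumptions: bytes 3 and 4 (zero-based indices 2 and 3) must be
identical, and the Hamming distance over the other four bytes must be <= 5.
"""
import re
from typing import List, Tuple

MAC_RE = re.compile(r"^([0-9a-f]{2}[:-]){5}[0-9a-f]{2}$", re.IGNORECASE)


def parse_mac(mac: str) -> bytes:
    """Parse 'aa:bb:cc:dd:ee:ff' or 'aa-bb-cc-dd-ee-ff' into 6 raw bytes."""
    mac = mac.strip().lower()
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes(int(part, 16) for part in re.split(r"[:-]", mac))


def mac_distance(wired_mac: str, bssid: str) -> Tuple[bool, int]:
    """Return (middle_bytes_match, differing_bits_in_the_other_four_bytes).

    XOR leaves a 1 bit wherever the two addresses differ, so the popcount
    of the XOR is the Hamming distance between them.
    """
    a, b = parse_mac(wired_mac), parse_mac(bssid)
    xor = bytes(x ^ y for x, y in zip(a, b))
    middle_match = xor[2] == 0 and xor[3] == 0
    other_bits = sum(bin(byte).count("1")
                     for i, byte in enumerate(xor) if i not in (2, 3))
    return middle_match, other_bits


def is_rogue_candidate(wired_mac: str, bssid: str, max_bits: int = 5) -> bool:
    """Apply the two-part rule: middle bytes equal, remaining distance <= max_bits."""
    middle_match, bits = mac_distance(wired_mac, bssid)
    return middle_match and bits <= max_bits


def correlate(wired_macs: List[str], heard_bssids: List[str]) -> List[Tuple[str, str]]:
    """Cross-check every BSSID heard over the air against every MAC seen on the wire."""
    hits = []
    for bssid in heard_bssids:
        for wired in wired_macs:
            if is_rogue_candidate(wired, bssid):
                hits.append((bssid, wired))
    return hits


# Constructed sample data (not from the page). A consumer router plugged into
# the corporate VLAN typically uses wired MAC + 1, + 2, ... for its BSSIDs.
WIRED_MACS = ["00:11:22:33:44:50", "aa:bb:cc:dd:ee:ff"]
HEARD_BSSIDS = [
    "00:11:22:33:44:51",  # wired MAC + 1: 0x50 ^ 0x51 = 0x01 -> 1 bit  -> candidate
    "00:11:22:33:44:56",  # 0x50 ^ 0x56 = 0x06 -> 2 bits               -> candidate
    "00:11:22:99:44:51",  # 4th byte differs -> middle check fails      -> ignored
    "02:11:22:33:44:5f",  # 1 bit (0x02) + 4 bits (0x0f) = 5 bits       -> candidate (boundary)
    "ff:11:22:33:44:50",  # 0x00 ^ 0xff = 8 bits -> unrelated device    -> ignored
]

if __name__ == "__main__":
    for bssid, wired in correlate(WIRED_MACS, HEARD_BSSIDS):
        print(f"BSSID {bssid} correlates with wired MAC {wired}")
```

In practice the wired-side list would come from the MACs observed on the AP VLAN and the BSSID list from what the APs hear while scanning; the threshold is what separates "same box, different radio interface" from "some other device that happens to share an OUI prefix".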

After I read that, I think to myself, okay I get it, but why? I ask myself too. Why 5 bits or less? I would've thought the more bits (meaning the more different a MAC address) would've been more positive? Why is this criterion, when matched, classed as a rogue AP? Might seem stupid to ask but again, it's something that I'm currently thinking about after reading it.

"(typically wired and wireless MAC addresses are contiguous)": not too sure what this means when mentioned in the article?

Thanks for all the clarity and help here everyone.
