Cisco Wireless AP Modes

This topic is to discuss the following lesson:

Hi Rene,

In monitor mode the AP detect the rough APs, also in rogue detector mode it’s detect rough devices, so can you give more detail about the different between two mode in detector matter, in other word what you mean by rough devices so I can see the different ? do you mean that it’s check for mac address that pre-defined somewhere and give us a notification about it ? I want the full picture of this so I can visualize the use cases of this rogue detector mode.

Hello Hussein

First of all it’s important to understand what the term rogue refers to. It doesn’t only refer to access points, but also to clients that have erroneously connected to those access points. There are two things that can be done to contain both the rogue AP and the rogue clients that have connected to them. The first has to do with the rogue clients, while the second has to do with the rogue AP itself.

  1. When a rogue client is detected, the legitimate access points can send a de-authentication packet to these clients that will disassociate them from the rogue AP, allowing them to re-associate with a legitimate AP.
  2. When a rogue AP is detected, a legitimate AP can connect to the rogue as a client and send Rogue Location Discovery Protocol (RLDP) packets, which is a method of rogue AP mitigation.

Now getting to your question, in monitor mode, an AP is simply used as a sensor. In other words, it only receives signals and processes them for the purpose of determining the condition of things over the air. Specifically, an AP will scan all configured channels every 12 seconds. In this mode, the AP is able to send de-authetnication packets to detected rogue clients, but no other mitigation activities are possible.

In Rogue Detector mode, 100% of the AP’s resources are dedicated to listening for and detecting rogues. But it doesn’t do this over the air, but over the wire. In this mode, the AP radio is turned off completely, and it listens for ARP packets only, on the wire. Such a device should be connected to all broadcast domains in the wireless network through a trunk link.

In any case, both of these modes feed the WLC information that can then be used by all of the APs in the network to send de-authentication packets to rogue clients, and RLDP packets to rogue APs.

More information and details about how this works can be found here:

I hope this has been helpful!

Laz

1 Like

Thanks Laz, it’s very useful summary of this cisco doc.

1 Like

Hello,

I am interested in the difference between Sniffer Mode and SE-Connect Mode. Both seem to have wireless sniffing properties.

Thanks.

Hello Cool

Sniffer mode is used to capture Layer 2 wireless frames and send them to a packet analyzer program such as Wireshark. In this mode, the AP will actively receive frames, and process them, and send them to the configured packet analyzer. There they can be saved into .pcap files (for Wireshark) for examination at a later time.

SE-Connect mode is different, in that it is used to perform spectrum analysis. The AP will “listen” to the RF band in the air and record the frequencies and wavelengths it “hears”. This is useful in discovering all of the sources of EM radiation within range, that may affect the performance of the wireless network. In this mode, no actual transmitted data is examined.

Strictly speaking, Sniffer mode functions in Layer 2 (Data Link) while SE-Connect functions in Layer 1 (Physical).

I hope this has been helpful! Stay healthy and safe!

Laz

Thank you, yes this makes perfect sense.

1 Like

Hello,

I’m reading the Official Cert Guide CCNA 200-301 by Wendell Odom as well as reading your content online. This section really confuses me because it’s divided into two parts.

There is a section where you mention Repeater mode, Workgroup Bridge, Outdoor Bridge and Mesh Network (and by the way, they are all referred to as ‘Non-Infrastructure mode’ in the book). However, the only similarity here is Bridge mode being similar to Outdoor Bridge mode and Mesh Network mode. Are they different names to mean the same thing or are they somehow different?

Furthermore, the Official Cert Guide states the following: “Many Cisco APs can operate in either autonomous or lightweight mode, depending on which code image is loaded and run. From the WLC, you can configure a lightweight AP to operate in one of the following special-purpose modes:” and then they go on explaining all the modes mentioned in the topic of this forum, but the book also separates the four listed modes mentioned above to an earlier chapter. And how come they only mention Lightweight APs and not Autonomous APs in being able to use these special-purpose modes?

After listing the modes, the chapter ends with this note:

“Remember that a lightweight AP is normally in local mode when it is providing BSSs and allowing client devices to associate to wireless LANs. When an AP is configured to operate in one of the other modes, local mode (and the BSSs) is disabled.” Does this mean that there are no BSSs in other modes apart from local mode?

Looking forward to hearing from you as I’ve been looking for answers for hours now.

Josh

Hello Joshua

I understand your confusion, and I believe this has to do with the use of the term “modes”. Unfortunately, it is used to describe multiple things.

First of all, an AP can either run as an autonomous AP or as a lightweight AP (notice I didn’t use the word mode?). The first means all the intelligence of its functionality is contained within the device itself, the second means that the intelligence runs in the wireless controller on the network or in the cloud. Whether you use lightweight or autonomous has to do with the deployment model you are using, and you can find out more about that here:

Now, each of these deployment methods have their own modes. An autonomous AP can also be considered an AP in a non-infrastructure deployment. In other words, it doesn’t function as part of the network infrastructure, all of its network functionality is contained within the device itself.
Those APs that run in autonomously can be configured to function in one of the “non-infrastructure modes” as listed in the book, as well as in this lesson:

(Now the book includes Mesh as a non-infrastructure mode, however, Rene describes it as another type of deployment model, which makes more sense to me.)

Finally, for those access points running in a lightweight deployment, they too can be configured to function in any one of the AP modes, as listed in this lesson:

So to sum up, there are two deployment models, autonomous and lightweight. Each has its own list of modes:

Autonomous (non-infrastructure):

  • Repeater
  • Workgroup Bridge
  • Outdoor Bridge

Lightweight

  • Local
  • Monitor
  • FlexConnect
  • Sniffer
  • Rogue Detector
  • Bridge/Mesh
  • Flex plus Bridge
  • SE-Connect

Mesh is a special case that the book considers non-infrastructure, while others (including Rene) consider it simply a third deployment model.

I hope this has been helpful!

Laz

1 Like

Thank you so much Laz, that’s an excellent explanation and answers nearly all of my questions!

I just have one clarification to make. I’m now trying to list the deployment models and modes that provide BSSs so let me know if I am incorrect:

Deployment models with BSS:

Autonomous AP
Mesh AP (Since a Mesh AP uses a BSS on one channel for client association while using another for the backhaul network of traffic between Mesh APs

Lightweight AP Modes with BSS:

Local Mode (Would you consider this to be both a deployment model and a mode?)

So a total of 3. Is that correct?

Josh

Hello Joshua

A BSS is used whenever clients connect to the access point to obtain connectivity. This is the case in the following modes:

  1. Repeater - since end-user clients connect to the repeater, then a BSS is used. In this case, the repeater is simply retransmitting the BSS from the AP it is repeating from, essentially extending it.
  2. Outdoor bridge - even though it doesn’t connect end users, it is still an AP to client architecture, where the clients are simply one (point to point) or more (point to multipoint) fixed stations. So even in this case, a BSS is used.
  3. Local - This is the most common mode, where users simply connect, so a BSS is used.
  4. Mesh - for the same reasons you mention in your post.

Local mode is simply another way to refer to the default mode of the lightweight deployment model, and not a deployment model itself.

I hope this has been helpful!

Laz

1 Like

Amazing, thank you so much!

1 Like

Does the rest of the mode except for the monitor mode emit SSID??
Can I use the wireless network in Rogue Detector, Sniffer, and Bridge mode?

Hello YongHun

The Monitor, Sniffer, and SE-connect modes don’t support wireless clients, and thus do not broadcast an SSID.

An AP in Rogue Detector mode can do both rogue detection and connect clients based on its configuration. In this mode, the AP divides its time between servicing clients and discovering and attempting to disable rogue APs. More info on this can be found here.

Bridge mode will broadcast an SSID, but may or may not be able to support wireless clients at the same time. If the AP has one radio, then it is used solely for the purpose of the bridge. If it has more than one radio, then one radio can be used for the bridge while the other can be configured to connect clients.

I hope this has been helpful!

Laz