This topic is to discuss the following lesson:
Hi Rene,
In monitor mode the AP detects rogue APs, and in rogue detector mode it also detects rogue devices, so can you give more detail about the difference between the two modes in terms of detection? In other words, what do you mean by rogue devices, so I can see the difference? Do you mean that it checks for MAC addresses that are pre-defined somewhere and gives us a notification about it? I want the full picture of this so I can visualize the use cases of this rogue detector mode.
Hello Hussein
First of all it's important to understand what the term rogue refers to. It doesn't only refer to access points, but also to clients that have erroneously connected to those access points. There are two things that can be done to contain both the rogue AP and the rogue clients that have connected to them. The first has to do with the rogue clients, while the second has to do with the rogue AP itself.
- When a rogue client is detected, the legitimate access points can send a de-authentication packet to these clients that will disassociate them from the rogue AP, allowing them to re-associate with a legitimate AP.
- When a rogue AP is detected, a legitimate AP can connect to the rogue as a client and send Rogue Location Discovery Protocol (RLDP) packets, which is a method of rogue AP mitigation.
Now getting to your question, in monitor mode, an AP is simply used as a sensor. In other words, it only receives signals and processes them for the purpose of determining the condition of things over the air. Specifically, an AP will scan all configured channels every 12 seconds. In this mode, the AP is able to send de-authentication packets to detected rogue clients, but no other mitigation activities are possible.
In Rogue Detector mode, 100% of the AP's resources are dedicated to listening for and detecting rogues. But it doesn't do this over the air; it does it over the wire. In this mode, the AP radio is turned off completely, and it listens for ARP packets only, on the wire. Such a device should be connected to all broadcast domains in the wireless network through a trunk link.
In any case, both of these modes feed the WLC information that can then be used by all of the APs in the network to send de-authentication packets to rogue clients, and RLDP packets to rogue APs.
More information and details about how this works can be found here:
I hope this has been helpful!
Laz
Thanks Laz, it's a very useful summary of this Cisco doc.
Hello,
I am interested in the difference between Sniffer Mode and SE-Connect Mode. Both seem to have wireless sniffing properties.
Thanks.
Hello Cool
Sniffer mode is used to capture Layer 2 wireless frames and send them to a packet analyzer program such as Wireshark. In this mode, the AP will actively receive frames, and process them, and send them to the configured packet analyzer. There they can be saved into .pcap files (for Wireshark) for examination at a later time.
SE-Connect mode is different, in that it is used to perform spectrum analysis. The AP will "listen" to the RF band in the air and record the frequencies and wavelengths it "hears". This is useful in discovering all of the sources of EM radiation within range, that may affect the performance of the wireless network. In this mode, no actual transmitted data is examined.
Strictly speaking, Sniffer mode functions in Layer 2 (Data Link) while SE-Connect functions in Layer 1 (Physical).
I hope this has been helpful! Stay healthy and safe!
Laz
Thank you, yes this makes perfect sense.
Hello,
I'm reading the Official Cert Guide CCNA 200-301 by Wendell Odom as well as reading your content online. This section really confuses me because it's divided into two parts.
There is a section where you mention Repeater mode, Workgroup Bridge, Outdoor Bridge and Mesh Network (and by the way, they are all referred to as "Non-Infrastructure mode" in the book). However, the only similarity here is Bridge mode being similar to Outdoor Bridge mode and Mesh Network mode. Are they different names to mean the same thing or are they somehow different?
Furthermore, the Official Cert Guide states the following: "Many Cisco APs can operate in either autonomous or lightweight mode, depending on which code image is loaded and run. From the WLC, you can configure a lightweight AP to operate in one of the following special-purpose modes:" and then they go on explaining all the modes mentioned in the topic of this forum, but the book also separates the four listed modes mentioned above to an earlier chapter. And how come they only mention Lightweight APs and not Autonomous APs in being able to use these special-purpose modes?
After listing the modes, the chapter ends with this note:
"Remember that a lightweight AP is normally in local mode when it is providing BSSs and allowing client devices to associate to wireless LANs. When an AP is configured to operate in one of the other modes, local mode (and the BSSs) is disabled." Does this mean that there are no BSSs in other modes apart from local mode?
Looking forward to hearing from you as I've been looking for answers for hours now.
Josh
Hello Joshua
I understand your confusion, and I believe this has to do with the use of the term "modes". Unfortunately, it is used to describe multiple things.
First of all, an AP can either run as an autonomous AP or as a lightweight AP (notice I didn't use the word mode?). The first means all the intelligence of its functionality is contained within the device itself, the second means that the intelligence runs in the wireless controller on the network or in the cloud. Whether you use lightweight or autonomous has to do with the deployment model you are using, and you can find out more about that here:
Now, each of these deployment methods has its own modes. An autonomous AP can also be considered an AP in a non-infrastructure deployment. In other words, it doesn't function as part of the network infrastructure; all of its network functionality is contained within the device itself.
Those APs that run autonomously can be configured to function in one of the "non-infrastructure modes" as listed in the book, as well as in this lesson:
(Now the book includes Mesh as a non-infrastructure mode, however, Rene describes it as another type of deployment model, which makes more sense to me.)
Finally, for those access points running in a lightweight deployment, they too can be configured to function in any one of the AP modes, as listed in this lesson:
So to sum up, there are two deployment models, autonomous and lightweight. Each has its own list of modes:
Autonomous (non-infrastructure):
- Repeater
- Workgroup Bridge
- Outdoor Bridge
Lightweight
- Local
- Monitor
- FlexConnect
- Sniffer
- Rogue Detector
- Bridge/Mesh
- Flex plus Bridge
- SE-Connect
Mesh is a special case that the book considers non-infrastructure, while others (including Rene) consider it simply a third deployment model.
I hope this has been helpful!
Laz
Thank you so much Laz, that's an excellent explanation and answers nearly all of my questions!
I just have one clarification to make. I'm now trying to list the deployment models and modes that provide BSSs so let me know if I am incorrect:
Deployment models with BSS:
Autonomous AP
Mesh AP (since a Mesh AP uses a BSS on one channel for client association while using another for the backhaul network of traffic between Mesh APs)
Lightweight AP Modes with BSS:
Local Mode (Would you consider this to be both a deployment model and a mode?)
So a total of 3. Is that correct?
Josh
Hello Joshua
A BSS is used whenever clients connect to the access point to obtain connectivity. This is the case in the following modes:
- Repeater - since end-user clients connect to the repeater, then a BSS is used. In this case, the repeater is simply retransmitting the BSS from the AP it is repeating from, essentially extending it.
- Outdoor bridge - even though it doesn't connect end users, it is still an AP to client architecture, where the clients are simply one (point to point) or more (point to multipoint) fixed stations. So even in this case, a BSS is used.
- Local - This is the most common mode, where users simply connect, so a BSS is used.
- Mesh - for the same reasons you mention in your post.
Local mode is simply another way to refer to the default mode of the lightweight deployment model, and not a deployment model itself.
I hope this has been helpful!
Laz
Amazing, thank you so much!
Does the rest of the mode except for the monitor mode emit SSID??
Can I use the wireless network in Rogue Detector, Sniffer, and Bridge mode?
Hello YongHun
The Monitor, Sniffer, and SE-connect modes don't support wireless clients, and thus do not broadcast an SSID.
An AP in Rogue Detector mode can do both rogue detection and connect clients based on its configuration. In this mode, the AP divides its time between servicing clients and discovering and attempting to disable rogue APs. More info on this can be found here.
Bridge mode will broadcast an SSID, but may or may not be able to support wireless clients at the same time. If the AP has one radio, then it is used solely for the purpose of the bridge. If it has more than one radio, then one radio can be used for the bridge while the other can be configured to connect clients.
I hope this has been helpful!
Laz
For an L-AP in FlexConnect mode, is it considered necessary to set up a trunk between the SW and the L-AP?
I presume so, in case it will serve multiple SSIDs?!?!
Thank you.
Hello Sorin
Yes, you could configure an AP in FlexConnect mode to be connected to the switch via a trunk. This is standard practice in order to be able to serve multiple SSIDs as you mention.
I hope this has been helpful!
Laz
Hello Laz
Thank you for the reply.
My curiosity is whether a Light-AP has to have a trunk to be allowed in FlexConnect mode, or whether a trunk is simply optional and only needed if it serves multiple SSIDs?
Hello Sorin
First of all, just a clarification. An Access Point can be in either Light-AP mode or FlexConnect mode, it cannot be both.
When you configure an AP to function in FlexConnect mode, you can either use an access port connection or a trunk port connection. It is not mandatory to use a trunk unless, as you say, it is serving multiple SSIDs. More info on this can be found here:
The same is true about a local mode AP. You can either use an access port or a trunk port. But in both local and FlexConnect cases, if a trunk is used, the access point needs IP connectivity on the native VLAN.
I hope this has been helpful!
Laz
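To make the access-versus-trunk choice above concrete, here is an added configuration example; it is constructed for this thread and is not from the lesson, from Cisco documentation, or from Laz's reply. It shows the switch side of a trunk to a FlexConnect AP, where the AP's own CAPWAP control traffic rides untagged on the native VLAN (the VLAN on which the AP needs IP connectivity to reach the WLC), and the matching AireOS WLC CLI that maps locally switched WLANs to the VLANs the trunk carries. The interface names, AP name, WLAN IDs and VLAN numbers are assumptions.

```text
! Switch side (Cisco IOS, constructed example): trunk to a FlexConnect AP.
! VLAN 10 is the AP's management VLAN; the AP sends its CAPWAP traffic untagged,
! so it must be the native VLAN and must have IP reachability to the WLC.
interface GigabitEthernet1/0/10
 description FlexConnect AP, multiple SSIDs (assumed port)
 switchport mode trunk
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,20,30
 spanning-tree portfast trunk
!
! WLC side (AireOS CLI, constructed example): AP-NAME, WLAN IDs 1 and 2 are assumed.
! Only WLANs with FlexConnect local switching enabled are tagged by the AP;
! centrally switched WLANs still go to the WLC inside the CAPWAP tunnel.
config ap mode flexconnect AP-NAME
config wlan flexconnect local-switching enable 1
config wlan flexconnect local-switching enable 2
config ap flexconnect vlan enable AP-NAME
config ap flexconnect vlan native 10 AP-NAME
config ap flexconnect vlan wlan 1 20 AP-NAME
config ap flexconnect vlan wlan 2 30 AP-NAME
!
! Access-port alternative for a single SSID: no VLAN mapping needed, the AP and
! its locally switched clients share VLAN 10.
interface GigabitEthernet1/0/11
 description FlexConnect AP, single SSID (assumed port)
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
```

The practical check after applying this is that the AP still joins the WLC (its DHCP/IP on VLAN 10 must work with the trunk's native VLAN, otherwise the CAPWAP join fails), and that a client on WLAN 1 lands in VLAN 20 on the switch rather than on the WLC's dynamic interface.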
Hello Laz,
and thank you!
I think I have to dig deeper because I can't get my head around these AP modes, trunks, and tunnels.
As I understood (until now), a Light-AP can be set to work in one of these modes [local, FlexConnect, Bridge…], but not that the Light-AP is actually another mode.
Anyway, I have to dig more.
Thanks again for your reply.
Hi Rene,
Actually, I have deployed the WLC as a virtual machine, and the only mode you can configure is FlexConnect. I configured SSID-VLAN mapping using the WLC and then routed the traffic to the FW. The wireless traffic (data) will not go to the WLC through the CAPWAP tunnel, so there is no encapsulation for data traffic. The APs only add a VLAN tag to the frame based on the SSID-VLAN mapping.