Configure Controller and AP Settings

Configure Protocols for CLI Sessions

Many Prime Infrastructure wireless features, such as autonomous access point and controller command-line interface (CLI) templates and migration templates, require executing CLI commands on the autonomous access point or controller. These CLI commands can be entered by establishing Telnet or SSH sessions. The CLI session page allows you to select the session protocol.

In CLI templates, you are not required to answer the question responses (such as Yes or No answer to a command, Press enter to continue , and so on.). This is automatically performed by Prime Infrastructure.

Procedure

Step 1

Choose Administration > Settings > System Settings > Network and Device > CLI Session.

Step 2

Select the Controller Session Protocol (you can choose SSH or Telnet; SSH is the default).

Step 3

Select the Autonomous AP Session Protocol (you can choose SSH or Telnet; SSH is the default).

Step 4

The Run Autonomous AP Migration Analysis on discovery radio button is set to No by default. Choose Yes if you want to discover the autonomous APs as well as perform migration analysis

Step 5

Click Save.

Enable Unified AP Ping Reachability Settings on the Prime Infrastructure

Whenever a Unified AP is discovered in Cisco Prime Infrastructure, the Prime Infrastructure determines if the AP is ping capable or not and updates the ping capability status accordingly in the Prime Infrastructure database.

Various alarms are raised based on the following conditions:

  • If the Unified AP is disassociated and is in FlexConnect mode, then the Prime Infrastructure checks if the AP is reachable or not. If the AP is ping capable and ping reachable, then it raises a low severity alarm. If the AP is not ping capable or reachable, then it raises a high severity alarm.

  • If the Unified AP is disassociated and is not in FlexConnect mode, then the Prime Infrastructure raises a high severity alarm.

By default, the Unified AP ping reachability feature is enabled in Prime Infrastructure versions 3.3 onwards. However, it is disabled in verions 3.2 and earlier. To enable, follow these steps:

Procedure

Step 1

Choose Administration > Settings > System Settings > Network and Device > Unified AP Ping Reachability.

Step 2

Select the Allow Prime to learn about AP Reachability radio button to allow Cisco Prime Infrastructure to learn if the AP is reachable or not. A background task is triggered which pings each access point and stores the result in the Prime Infrastructure database.

Step 3

You are prompted with an alert saying that the background job is triggered to learn about ping reachability. Click OK to continue.

A background job is triggered and is run against all the associated APs in the Prime Infrastructure to learn about the AP capabilities. A new job is created in the Job Dashboard with this information.

Step 4

If you select All access points are ping reachable from Prime radio button, then the Administrator marks all the Unified APs as ping capable.

Step 5

Choose Administration > Dashboards > Job Dashboard > System Jobs > Status to view job status.

Step 6

To search job details, use Quick filter option and enter Learn Unified AP Ping Capability in the Name search field.

The result is displayed in the Status table. The table contains the following information:

  • Job Type

  • Status

  • Last Run Status

  • Last Start Time

  • Duration

  • Next Start Time

  • Click the Learn AP Ping Reachability link to view more details. The Learn AP Ping Reachability page displays the following information. Click Show All to view details about all job instances.

    • Recurrence

    • Interval

    • Run ID

    • Status

    • Duration

    • Start Time

    • Completion Time

Refresh Controllers After an Upgrade

The Controller Upgrade page allows you to auto-refresh after a controller upgrade so that it automatically restores the configuration whenever there is a change in the controller image.

Procedure

Step 1

Choose Administration > Settings > System Settings > Network and Device > Controller Upgrade .

Step 2

Select the Auto refresh After Upgrade check box to automatically restore the configuration whenever there is a change in the controller image.

Step 3

Select the Sync on Save Config Trap check box to trigger a Sync on the controller when the Prime Infrastructure receives a Save Config trap. When this check box is selected, you can choose either of the following options:

  • Retain the configuration in the Prime Infrastructure database

  • Use the configuration on the controller currently
Step 4

Click Save.

Track Switch Ports to Rogue APs

can automatically identify the network switch port to which each rogue access point is connected. Note that this feature relies on Automatic Switch Port Tracing, which requires a full Prime Infrastructure license to work.

Procedure

Step 1

Choose Administration > Settings > System Settings > Network and Device > Switch Port Trace (SPT) > Auto SPT. The Auto SPT page appears.

Step 2

Select the Enable Auto Switch Port Tracing check box to allow Prime Infrastructure to automatically trace the switch ports to which rogue access points are connected. Then specify the parameters for auto port tracing, including:

  • How long to wait between rogue AP-to-port traces (in minutes)

  • Whether to trace Found On Wire rogue APs

  • Which severities to include (Critical, Major, or Minor)

Step 3

Select the Enable Auto Containment check box to allow Prime Infrastructure to automatically contain rogue APs by severity. Then specify the parameters for auto containment, including:

  • Whether to exclude Found On Wire rogue APs detected by port tracing

  • Which severities to include in the containment (Critical, Major)

  • The containment level (up to 4 APs)

Step 4

Click OK.

Configure Switch Port Tracing

Currently, Prime Infrastructure provides rogue access point detection by retrieving information from the controller. The rogue access point table is populated with any detected BSSID addresses from any frames that are not present in the neighbor list. At the end of a specified interval, the contents of the rogue table are sent to the controller in a CAPWAP Rogue AP Report message. With this method, Prime Infrastructure gathers the information received from the controllers. This enhancement allows you to react to found wired rogue access points and prevent future attacks. The trace information is available only in Prime Infrastructure log and only for rogue access points, not rogue clients.

A rogue client connected to the rogue access point information is used to track the switch port to which the rogue access point is connected in the network. If you try to set tracing for a friendly or deleted rogue, a warning message appears.

For Switch Port Tracing to successfully trace the switch ports using v3, all of the OIDs should be included in the SNMP v3 view and VLAN content should be created for each VLAN in the SNMP v3 group. The Switch Port Trace page allows you to run a trace on detected rogue access points on the wire.

To correctly trace and contain rogue access points, you must correctly provide the following information:

  • Reporting APs — A rogue access point has to be reported by one or more managed access points.
  • AP CDP Neighbor— Access point CDP neighbor information is required to determine the seed switches.
  • Switch IP address and SNMP credentials— All switches to be traced must have a management IP address and must have SNMP management enabled. You can add network address based entries instead of only adding individual switches. The correct “write” community string must be specified to enable/disable switch ports. For tracing, “read” community strings are sufficient. Network addresses using /32 subnet masks are not supported in global SNMP credentials configuration. For more guidance, see “Frequently Asked Questions on Rogues and Switch Port Tracing” in Related Topics.
  • Switch port configuration— Trunking switch ports must be correctly configured. Switch port security must be disabled.
  • Switch Port Tracing is supported only on Cisco Ethernet switches and the following Catalyst switches: 2960, 3560, 3560-E, 3750-E, 3850, 4500 series.
  • Switch VLAN settings must be configured accurately. Prime Infrastructure gets switch IP addresses using Cisco Discovery Protocol neighbor information. It then uses VLAN information in the switch to read the switch CAM table entries. If the VLAN information in the switch is not configured properly, Prime Infrastructure will not be able to read the CAM table entries, which results in not being able to trace rogue APs in the switch.
  • CDP protocol must be enabled on all switches.
  • An Ethernet connection must exist between the rogue access point and the Cisco switch.
  • There must be traffic between the rogue access point and the Ethernet switch, for reliable detection of rogue Ethernet Switch Port information, when the difference in the Ethernet mac address is more or less than two.
  • The rogue access point must be connected to a switch within the max hop limit.
  • If SNMPv3 is chosen, use the context option and create one for each VLAN, in addition to the one for the main group (which is required for non-VLAN-based MIBs).

Note
For effective use of Vendor OUI match to eliminate false positive matches, the switch ports must have their location information configured. The switch ports that are not configured will remain for OUI match after elimination by location.

Configuring SNMP credentials

To view the switch port trace details, follow these steps:

Procedure

Step 1

Choose Administration > Settings > System Settings > Network and Device > Switch Port Trace (SPT) > SPT Configuration.

Step 2

Configure the following basic settings:

  • MAC address +1/-1 search—Select the check box to enable.

This search involves the MAC address +1/-1 convention where the wired-side MAC address of the rogue access point is obtained by adding or subtracting the radio MAC address by one.

  • Rogue client MAC address search—Select the check box to enable.

When a rogue access point client exists, the MAC address of the client is added to the searchable MAC address list.

  • Vendor (OUI) search— Select the check box to enable. OUI refers to Organizational Unique Identifier search which searches the first three bytes in a MAC address.
  • Exclude switch trunk ports— Select the check box to exclude switch trunk ports from the switch port trace.
Note 
When more than one port is traced for a given MAC address, additional checks are performed to improve accuracy. These checks include the: trunk port, non-AP CDP neighbors present on the port, and whether or not the MAC address is the only one on this port.
  • Exclude device list— Select the check box to exclude additional devices from the trace. Enter into the device list text box each device that you want to exclude from the switch port trace. Separate device names with a comma.
  • Max hop count— Enter the maximum number of hops for this trace. Keep in mind that the greater the hop count, the longer the switch port trace takes to perform.
Note 
This hop count value is not applicable for Auto SPT.
  • Exclude vendor list— Enter in the vendor list text box any vendors that you want to exclude from the switch port trace. Separate vendor names with commas. The vendor list is not case sensitive.
Step 3

Configure the following advanced settings:

  • TraceRogueAP task max thread— Switch port tracing uses multiple threads to trace rogue access points. This field indicates the maximum number of rogue access points that can be traced on parallel threads.
  • TraceRogueAP max queue size— Switch port tracing maintains a queue to trace rogue access points. Whenever you select a rogue access point for tracing, it is queued for processing. This field indicates the maximum number of entries that you can store in the queue.

  • SwitchTask max thread— Switch port tracing uses multiple threads to query switch devices. This field indicates the maximum number of switch devices that you can query on parallel threads.

The default value for these parameters should be good for normal operations. These parameters directly impact the performance of switch port tracing and Prime Infrastructure. Unless required, we do not recommend that you alter these parameters.
  • Select CDP device capabilities— Select the check box to enable.
Prime Infrastructure uses CDP to discover neighbors during tracing. When the neighbors are verified, Prime Infrastructure uses the CDP capabilities field to determine whether or not the neighbor device is a valid switch. If the neighbor device is not a valid switch, it is not traced.
Step 4

Click Save to confirm changes made. Click Reset to return the page to the original settings. Click Factory Reset to return settings to the factory defaults.

View the switch port trace details

To view the switch port trace details, follow these steps:

Procedure

Step 1

Add switches with full licenses using the Configuration > Network > Network Devices page.

Step 2

Enable Auto switch port tracing in Administration > Settings > System Settings > Network and Device > Switch Port Trace (SPT) > Auto SPT page.

Step 3

Schedule to run wired client status Major Polling background task in Administration > Dashboards > Job Dashboard page.

Step 4

Click the Trace switch port icon in Rogue AP detail page. New pop up will show details of switch port traced. Click the detail status to check trace status such as started/Found, and so on.


Note
Manual SPT will work, even if you do not add any switch to Prime Infrastructure. But you should configure the SNMP credentials correctly in Administration > Settings > System Settings > Network and Device > Switch Port Trace (SPT) > Manual SPT page. “Private” is the default credential, and will be used during manual Switch Port Tracing if you do not configure it.
  • If a switch is added to Prime Infrastructure by selecting Configuration > Network > Network Devices, the SNMP credentials entered for the switch will override any switch SNMP credentials entered here, and will be used for switch port tracing. You can change the switch SNMP credentials in the Configuration > Network > Network Devices page. Prime Infrastructure will not require any license for adding switch with SPT and will not display wired clients connected to the switches. The Monitor > Managed Elements > Network Devices > Device Groups > Device Type > Switches and Hubs page will not display the switch details added with SPT.
  • Prime Infrastructure requires full license for adding switch. The Monitor > Managed Elements > Network Devices > Device Groups > Device Type > Switches and Hubs page will display the switch details added with full license. Prime Infrastructure will also display wired clients connected to switches. Location of switches is tracked with MSE.

Establish Switch Port Tracing

Procedure

Step 1

Choose Dashboard > Wireless > Security.

Step 2

In the Malicious Rogue APs, Unclassified Rogue APs, Friendly Rogue APs, Custom Rogue APs, and Adhoc Rogues dashlets: Click the number links showing how many rogues have been identified in the Last Hour, last 24 Hours, or Total Active. The Alarms window opens, showing alarms for the suspected rogues.

Step 3

Choose the rogue for which you want to set up switch port tracking by selecting the check box next to it.

Step 4

Expand the applicable alarm and manually select the Trace Switch Port button under the Switch Port Tracing subsection of the alarm details.

When one or more searchable MAC addresses are available, Prime Infrastructure uses CDP to discover any switches connected up to two hops away from the detecting access point. The MIBs of each CDP discovered switch is examined to see if it contains any of the target MAC addresses. If any of the MAC addresses are found, the corresponding port number is returned and reported as the rogue switch port.

See Switch Port Tracing Details for additional information on the Switch Port Tracing Details dialog box.

Configure SNMP Credentials for Rogue AP Tracing

The SNMP Credentials page allows you to specify credentials to use for tracing rogue access points. Use this option when you cannot find a specific entry using a number-based entry. When a switch credential is not added to Cisco Prime Infrastructure, you can use SNMP credentials on this page to connect to the switch.

Procedure

Step 1

ChooseAdministration > Settings > System Settings, then choose Network and Device > Switch Port Trace (SPT) > Manual SPT . The Manual SPT page appears.

Step 2

View or edit the details for a current SNMP credential entry by clicking the Network Address link for that entry.

For details on this task, see “Configure Global SNMP Settings” and “View SNMP Credential Details” in related topics.

Note that the default entry is for network 0.0.0.0, which indicates the entire network. SNMP credentials are defined per network, so only network addresses are allowed. The SNMP credentials defined for network 0.0.0.0 is the SNMP credential default. It is used when no specific SNMP credential is defined. You should update the pre-populated SNMP credential with your own SNMP information.

Step 3

To add a new SNMP entry, choose Select a command > Add SNMP Entries > Go (see “Add SNMP Credentials”).

Switch Port Tracing Details

In the Switch Port Tracing Details dialog box, you can enable or disable switch ports, trace switch ports, and view detail status of the access point switch trace.

For more information on Switch Port Tracing, see the following related topics:

In the Switch Port tracing Details dialog box, do one of the following:

  • Click Enable/Disable Switch Port(s)— Enables or disables any selected ports.
  • Click Trace Switch Port(s)— Runs another switch port trace.
  • Click Show Detail Status— Displays details regarding the switch port traces for this access point.
  • Click Close.

Switch Port Tracing Troubleshooting

Switch Port Tracing (SPT) works on a best-effort basis. SPT depends on the following information to correctly trace and contain rogue APs:

  • Reporting access points— A rogue access point must be reported by one or more managed access points.
  • Access point CDP neighbor— Access point Cisco Discovery Protocol (CDP) neighbor information is required to determine the seed switches.
  • Switch IP address and SNMP credentials
    • All the switches that need to be traced should have a management IP address and SNMP management enabled.
    • With the new SNMP credential changes, instead of adding the individual switches to Prime Infrastructure, network address based entries can be added.
    • The new SNMP credential feature has a default entry 0.0.0.0 with default community string as private for both read/write.
    • The correct write community string has to be specified to enable/disable switch ports. For tracing, a read community string should be sufficient.
  • Switch port configuration
    • Switch ports that are trunking should be correctly configured as trunk ports.
    • Switch port security should be disabled.
  • Switch Port Tracing is supported only on Cisco Ethernet switches and the following Catalyst switches: 2960, 3560, 3560-E, 3650, 3750-E, 3750-X, 3850, 4500 and 6500 series.
  • Switch VLAN settings should be properly configured.
  • CDP protocol should be enabled for all the switches.
  • An Ethernet connection should exist between the rogue access point and the Cisco switch.
  • There should be some traffic between the rogue access point and the Ethernet switch.
  • The rogue access point should be connected to a switch within the max hop limit. Default hop is 2. Max hop is 10.
  • If SNMPv3 is used, then make sure you use the context option and create one for each VLAN in addition to the one for the main group (which is required for non-VLAN based MIBs).

Frequently Asked Questions on Rogues and Switch Port Tracing

The following related topics answer a variety of questions about Prime Infrastructure rogue AP detection and switch port tracing (SPT).

How Do You Configure Auto SPT?

Follow the steps below to configure automatic SPT:

Procedure
Step 1

Use Configuration > Network > Network Devices > Add Device to add switches with a License Level of Full.

Step 2

Choose Administration > Settings > System Settings > Network and Device > Switch Port Trace (SPT) > Auto SPT and select Enable Auto Switch Port Tracing. Click OK.

Step 3

Select Administration > Settings > Background Tasks > Wired Client Status. Make sure this task is enabled and that it is scheduled to run at least twice a day.

How Does Auto SPT Differ From Manual SPT?

Manual SPT runs against individual rogue AP alarms. You must trigger it by clicking on the Trace Switch Port icon on the details page for a rogue AP alarm.

Auto SPT runs on batches of alarms, automatically, on the schedule defined for the Wired Client Status background task.

Note that manual SPT triggering depends on CDP being enabled on the access points and switches with appropriate SNMP community strings. For more information on manual SPT and how it works, see the WCS Switch Port Trace Demonstration link in related topics.

Auto and manual SPT also differ in the way they handle licensing and the switch “license level”, which can be set to either “Full” or “Switch Port Trace Only” when adding the switch. These three cases demonstrate the differences:

  • Adding switches with “Full” license level: Prime Infrastructure consumes a license for every added switch with a full license level. All the wired clients connected to switches can be seen by selecting Monitor > Managed Elements > Network Devices > Device Type > Switches and Hubs. You can also use MSE to track switch locations. A “Full” license level is mandatory for Auto SPT to be functional.
  • Adding no Switches: Manual SPT will still work even without adding any switches. But you must remember to configure SNMP credentials appropriately for all switches, using Administration > Settings > System Settings > Network and Device > Switch Port Trace (SPT) > Manual SPT.
  • Adding switches with “Switch Port Trace Only” license level: If you add a switch to Prime Infrastructure using Configuration > Network > Network Devices > Add Device, but select a Switch Port Trace Only license level, the SNMP credentials you enter when adding the switch will override the SNMP credentials entered using Administration > Settings > System Settings > Network and Device > Switch Port Trace (SPT) > Manual SPT. The entered credentials will be used for switch port tracing. This is the main difference between not adding switches and adding switches with a license level of “Switch Port Tracing Only”. Prime Infrastructure will not consume any licenses for switches with an SPT-only license level, will not show these switches under Monitor > Managed Elements > Network Devices > Device Type > Switches and Hubs, and will not show wired clients connected to these switches.

For more information, See WCS Switch Port Trace Demonstration.

Where Can I See SPT Results (Manual and Auto)?

Procedure
Step 1

Display details for the Rogue AP alarm in which you are interested. For example:

  1. Click the Alarm Summary icon at the top of any Prime Infrastructure page. A list of alarm categories appears.

  2. Click the Rogue AP link in the list. Prime Infrastructure displays the list of rogue AP alarms.

  3. Expand the rogue AP alarm you want. The details page for that alarm appears.

Step 2

In the Switch Port Tracing pane, click the Trace Switch Port icon. The Switch Port Trace window shows the details of the traced switch port.

If no SPT has been performed, click Trace Switch Port(s) to start tracing. Click the Show Detail Status button to get details on the status of the trace as it progresses.

Why Does Auto SPT Take Longer to Find Wired Rogues?

Auto SPT takes relatively longer to find wired rogues than does manual SPT for the following reasons:

  1. Auto SPT depends on the wired client discovery process, which happens only when the Wired Client Status major polling background task runs. By default, the major poll for this background task is scheduled to run only after every two minor polls, or once every four hours.
  2. Even though the wired rogue AP is connected to a switch, Prime Infrastructure will discover a wired port only when the wired rogue AP is in the “associated” state. Prime Infrastructure always checks whether a wired client’s status is associated or disassociated. If the wired client status is disassociated, Prime Infrastructure shows this as no port connected.
  3. Rogue tracing is done in batches. The time taken to find a particular wired rogue depends on the batch in which Prime Infrastructure processes it. If a particular rogue was processed in the previous batch, it takes more time to trace it.
  4. The time taken to discover any wired rogue depends upon the number of rogue alarms present in Prime Infrastructure and the interval between Wired Client Status major polls.

How Can I Detect Wired Rogues on Trunk Ports?

You can detect wired rogues on trunk ports by following the steps below.

Note that if you are trying to detect rogues on trunk ports for Cisco 2950 switches, you must first install the updated 2950 support in Prime Infrastructure Device Pack 5.0.

Procedure
Step 1

Choose Administration > Settings > System Settings > Network and Device > Switch Port Trace (SPT) > SPT Configuration.

Step 2

Uncheck the Exclude switch trunk ports check box, then click Save.

Step 3

Choose Administration > Settings > System Settings > Client and User > Client.

Step 4

Check the Discover wired clients on trunk ports check box, then click Save.

Switches will start detecting wired clients on trunk ports starting with the next execution of a major poll by the Wired Client Status background task.

How Do You Configure Switch Port Location?

Follow the steps below to configure Switch Port Location:

Procedure
Step 1

Use Configuration > Network > Network Devices > Switches and Hubs.

Step 2

Click a Device Name. By default, Configuration tab opens.

Step 3

Click Switch Port Location in the top right corner.

Step 4

Select the check box(es) of one or more ports to configure location, and from choose Configure Location from the drop-down list, then click Go.

Step 5

In the Map Location group, you can configure the following:

  • From the Campus/Site drop-down list, choose the campus map for the switch or switch port.
  • From the Building drop-down list, choose the building map location for the switch or switch port.
  • From the Floor drop-down list, choose the floor map.
  • If you have already saved a file with the Campus/Site, Building, and Floor details, click Import Civic. This imports civic information for the MSE using Prime Infrastructure. Enter the name of the text file or browse for the filename, and click Import.
Step 6

In the ELIN and Civic Location group box, you can configure the following:

  • Enter the Emergency Location Identifier Number (ELIN) in the ELIN text box. ELIN is a number that can be used by the local public safety answering point (PSAP) to look up the geographic location of the caller in a master database known as the automatic location information (ALI) database. The ELIN also allows the PSAP to contact the emergency caller directly in the event the phone call is disconnected.
  • Complete the required fields on the Civic Address and Advanced tabs.
  • If you have the ELIN and Civic location information saved in a file, you can import it by clicking Import Switch Location.
Step 7

Click Save.

How Can I Use the Auto SPT “Eliminate By Location” Feature?

“Eliminate by location” is one of the algorithms Prime Infrastructure uses to detect wired rogues. It uses the rogue AP location information to search for the associated switch ports. It helps to reduce false positives during Auto SPT processing, using the floor ID of the detecting APs, and increases accuracy in tracking wired rogues.

When “Eliminate by location” is enabled, the Wired Client Status background task discovers all the wired clients from managed switches. The next time auto SPT runs, switch ports will be filtered based on the “eliminate by location” algorithm.

Follow these steps to enable “eliminate by location”:

Procedure
Step 1

Integrate Cisco Mobility Service Engine (MSE) with Prime Infrastructure.

Step 2

Ensure that MSE is in sync with the defined floor area where the detecting APs are placed. MSE should be able to track the rogues.

Step 3

Add all switches to Prime Infrastructure.

Step 4

After all switches are added to PI and are in the managed state, all switch ports need to be configured for the algorithm to work. If all switches are not configured with switch ports, then the false positive results occur. You can configure from the Configuration > Network > Network Devices > Switches and Hubs > click on a Device Name > click Switch Port Location in the top right corner.

Step 5

Place the detecting access points on the map and make sure that the Cisco MSE is synchronized and rogues APs are detected on the floor.

Eliminate By Location algorithm takes the floor ID of detecting APs and eliminates all others. If some switch ports are not configured, then the value of those ports will be set to Zero and will be considered. Hence the results may contain false positives, which contains the exact floor ID and floor ID which has the value zero.

Step 6

Configure switch port locations to ensure that all ports are assigned to the correct floor area.

What is the Difference Between “Major Polling” and “Minor Polling”?

The Wired Client Status background task that triggers auto SPT Definitions are as follows:

Major Polling: During a major poll, Prime Infrastructure triggers client discovery on all wired device ports by syncing all of the essential client information with the database. In Prime Infrastructure 2.2, the frequency of this poll was reduced from twice a day. It is now fully configurable.

Minor Polling: During a minor poll, Prime Infrastructure triggers client discovery only on device interfaces and ports which became active recently. Prime Infrastructure uses interface uptime data to detect when a port or interface is recently added or removed by any client.