Choose Monitor > Managed Elements > Network Devices, then select Device Type > Wireless Controllerto view all the wireless controllers. Click a Device name to view its details.

From Release 3.2 onwards, for the following Monitor pages under Device Details > System, by default the data is fetched from the Prime Infrastructure database. There is an option to refresh from device by clicking the Refresh from Device link in the upper right corner of the page. It also shows the date and time when the data was last refreshed on the Prime Infrastructure.

• Summary

• CDP Neighbors

• WLANs

From Release 3.2 onwards, for the following Monitor pages under Device Details > System, the data is fetched directly from the device.

• CLI Sessions

• DHCP Statistics

The Spanning Tree Protocol (STP) is a link management protocol. Cisco WLAN Solution implements the IEEE 802.1D standard for media access control bridges.

The spanning tree algorithm provides redundancy while preventing undesirable loops in a network that are created by multiple active paths between stations. STP allows only one active path at a time between any two network devices (this prevents the loops) but establishes the redundant links as a backup if the initial link should fail.

The following controllers do not support Spanning Tree Protocol: WISM, 2500, 5500, 7500 and SMWLC.

Management Frame Protection (MFP) provides the authentication of 802.11 management frames. Management frames can be protected to detect adversaries who are invoking denial of service attacks, flooding the network with probes, interjecting as rogue access points, and affecting the network performance by attacking the QoS and radio measurement frames.

If one or more of the WLANs for the controller has MFP enabled, the controller sends each registered access point a unique key for each BSSID the access point uses for those WLANs. Management frames sent by the access point over the MFP enabled WLANs is signed with a Frame Protection Information Element (IE). Any attempt to alter the frame invalidates the message causing the receiving access point configured to detect MFP frames to report the discrepancy to the WLAN controller.

Rogue Access Points rules automatically classify rogue access points based on criteria such as authentication type, matching configured SSIDs, client count, and RSSI values. Prime Infrastructure applies the rogue access point classification rules to the controllers and respective access points.

These rules can limit a rogue appearance on maps based on RSSI level (weaker rogue access points are ignored) and time limit (a rogue access point is not flagged unless it is seen for the indicated period of time).

Rogue Access Points Rules also help reduce false alarms.

Rogue classes include the following types:

• Malicious Rogue—A detected access point that matches the user-defined malicious rules or has been manually moved from the Friendly Access Points category.
• Friendly Rogue—Known, acknowledged, or trusted access point or a detected access point that matches user-defined friendly rules.
• Unclassified Rogue—A detected access point that does not match the malicious or friendly rules.

Choose Monitor > Managed Elements > Network Devices> Third Party Wireless Controllers to view the detailed information about the third party (non-Cisco) controllers that are managed by Prime Infrastructure.

Choose Monitor > Managed Elements > Network Devices > Switches and Hubsto view the following detailed information about the switches:

• Searching Switches

Use the Prime Infrastructure search feature to find specific switches or to create and save custom searches.

• Viewing the Switches

This section describes access to the controller access points summary details. Use the main date area to access the respective access point details.

Choose Monitor > Wireless Technologies> Access Point Radios to access this page.

Choose Monitor > Wireless Technologies > Access Point Radios or perform an access point search to view the summary of access points including the default information.

The following reports can be generated for Access Points. These reports cannot be customized.

• Load—Traffic Load is the total amount of bandwidth used for transmitting and receiving traffic. This enables WLAN managers to track network growth and plan network growth ahead of client demand.
• Dynamic Power Control—Generates a report with Dynamic Power Control information.
• Noise—Generates a report with Noise information. The Noise report displays a bar graph of noise (RSSI in dBm) for each channel for the selected access points.
• Interference—The Interference report displays a bar graph of interference (RSSI in dBm) for each channel:
  • High interference—40 to 0 dBm
  • Marginal interference—100 to -40 dBm
  • Low interference—110 to -100 dBm
• Coverage (RSSI)—The Coverage (RSSI) report displays a bar graph of client distribution by received signal strength showing the number of clients versus RSSI in dBm.
• Coverage (SNR)—The Access Points Coverage (SNR) report displays a bar graph of client distribution by signal-to-noise ratio showing the number of clients versus SNR.
• Up/Down Statistics—The Up/Down Statistics report displays a line graph of access point up time graphed against time. Time in days, hours and minutes since the last reboot.
• Network Airtime Fairness Statistics—Network Airtime Fairness Statistics is a tabular representation of Average Airtime used across different WLAN profiles in the selected interval of time.
• Voice Statistics—Generates a report for selected access points showing radio utilization by voice traffic. The Voice Statistics report displays the following radio utilization statistics by voice traffic:
  • Access Points Name
  • Radio
  • Calls in Progress
  • Roaming Calls in Progress
  • Bandwidth in Use

Voice Statistics reports are only applicable for CAC/WMM clients.

• Voice TSM Table—The Voice Traffic Stream Metrics Table is generated for the selected access points and radio, organized by client device showing QoS status, PLR, and latency of its voice traffic stream.
• Voice TSM Reports—The Voice Traffic Stream Metrics Table report displays a graphical representation of the Voice Traffic Stream Metrics Table except that metrics from the clients that are averaged together on the graphs for the selected access point.
• 802.11 Counters—The 8o2.11 Counters report displays counters for access points at the MAC layer. Statistics such as error frames, fragment counts, RTS/CTS frame count, and retried frames are generated based on the filtering criteria and can help interpret performance (and problems, if any) at the MAC layer.
• Access Points Profile Status—The Access Points Profile Status displays access point load, noise, interference, and coverage profile status.
• Air Quality vs. Time—The Radio Utilization Report displays the utilization trends of the access point radios based on the filtering criteria used when the report was generated. It helps to identify current network performance and capacity planning for future scalability needs. The Radio Utilization Report displays the air quality index of the wireless network during the configured time duration.
• Traffic Stream Metrics—The Traffic Stream Metrics Report is useful in determining the current and historical quality of service (QoS) for given clients at the radio level. It also displays uplink and downlink statistics such as packet loss rate, average queuing delay, distribution of delayed packets, and roaming delays.
• Tx Power and Channel—The Tx Power and Channel report displays the channel plan assignment and transmit power level trends of devices based on the filtering criteria used when the report was generated. It can help identify unexpected behavior or issues with network performance.

The Current Tx Power Level setting controls the maximum conducted transmit power. The maximum available transmit power varies according to the configured channel, individual country regulation, and access point capability. See the Product Guide or data sheet at for each specific model to determine the access point capability.

The Current Tx Power Level setting of 1 represents the maximum conducted power setting for the access point. Each subsequent power level (for example. 2, 3, 4, and so on.) represents approximately a 50% (or 3dBm) reduction in transmit power from the previous power level. The actual power reduction might vary slightly for different models of access points.

Based on the configured antenna gain, the configured channel, and the configured power level, the actual transmit power at the access point can be reduced so that the specific country regulations are not exceeded.

Irrespective of whether you choose Global or Custom assignment method, the actual conducted transmit power at the access point is verified such that country specific regulations are not exceeded.

The following command buttons are available to configure the transmission levels:

• Save—Save the current settings.
• Audit—Discover the present status of this access point.
• VoIP Calls Graph—VoIP Calls Graph analyzes wireless network usage from a voice perspective by providing details such as the number and duration of VoIP calls (per radio) on the network over time. VoIP snooping must be enabled on the WLAN to be able to gather useful data from this report. This report displays information in a graph.
• VoIP Calls Table—VoIP Calls Table provides the same information as the VoIP Calls Graph report but in table form.
• Voice Statistics—Voice Statistics Report analyzes wireless network usage from a voice perspective by providing details such as percentage of bandwidth used by voice clients, voice calls, roaming calls, and rejected calls (per radio) on the network. To be able to gather useful data from this report, make sure call admission control (CAC) is supported on voice clients.
• Worst Air Quality APs—Provides a high-level, easy-to- understand metric to facilitate understanding of where interference problems are impacting the network. Air Quality (AQ) is reported at a channel, floor, and system level and it supports AQ alerts, so that you can be automatically notified when AQ falls below a desired threshold.

The Access Points Details page enables you to view access point information for a single Access Point.

Choose Monitor > Wireless Technologies > Access Point Radios and click the access point name in the AP Name column to access this page. Depending on the type of access point, the following tabs are displayed:

• General Tab

The General tab fields differ between lightweight and autonomous access points.

For autonomous clients, Prime Infrastructure only collects client counts. The client counts in the Monitor page and reports have autonomous clients included. Client search, client traffic graphs, or other client reports (such as Unique Clients, Busiest Clients, Client Association) do not include clients from autonomous access points.

• Interfaces Tab
• CDP Neighbors Tab

This tab is visible only when CDP is enabled.

• Current Associated Clients Tab

This tab is visible only when there are clients associated to the Access Point (CAPWAP or Autonomous Access Point).

• SSID Tab

This tab is visible only when the access point is an Autonomous Access Point and there are SSIDs configured on the Access Point

• Clients Over Time Tab

This tab displays the following charts:

• Client Count on Access Point—Displays the total number of clients currently associated with an access point over time.
• Client Traffic on Access Point—Displays the traffic generated by the client connected in the Access Point distribution over time.

The information that appears in these charts is presented in a time-based graph. Time-based graphs have a link bar at the top of the graph page that displays 6h, 1d, 1w, 2w, 4w, 3m, 6m, 1y, and Custom. When selected, the data for that time frame is retrieved and the corresponding graph is displayed.

Controllers continuously monitor all nearby access points and automatically discover and collect information on rogue access points and clients. When a controller discovers a rogue access point, it uses the Rogue Location Discovery Protocol (RLDP) to determine if the rogue is attached to your network. Prime Infrastructure consolidates all of the controllers rogue access point data.

You can configure controllers to use RLDP on all access points or only on access points configured for monitor (listen-only) mode. The latter option facilitates automated rogue access point detection in a crowded RF space, allowing monitoring without creating unnecessary interference and without affecting regular data access point functionality. If you configure a controller to use RLDP on all access points, the controller always chooses the monitor access point for RLDP operation if a monitor access point and a local (data) access point are both nearby. If RLDP determines that the rogue is on your network, you can choose to either manually or automatically contain the detected rogue.

Rogue access point partitions are associated with one of the detecting access points (the one with the latest or strongest RSSI value). If there is detecting access point information, Prime Infrastructure uses the detecting controller. If the rogue access point is detected by two controllers which are in different partitions, the rogue access point partition might be changed at any time.

Classification and reporting of rogue access points occurs through the use of rogue states and user-defined classification rules that enable rogues to automatically move between states. You can create rules that enable the controller to organize and display rogue access points as Friendly, Malicious, or Unclassified.

By default, none of the classification rules are enabled. Therefore, all unknown access points are categorized as Unclassified. When you create a rule, configure conditions for it, and enable the rule, the unclassified access points are reclassified. Whenever you change a rule, it is applied to all access points (friendly, malicious, and unclassified) in the Alert state only. Rule-based rogue classification does not apply to ad-hoc rogues and rogue clients.

The 5500 series controllers support up to 2000 rogues (including acknowledged rogues); the 4400 series controllers, Cisco WiSM, and Catalyst 3750G Integrated Wireless LAN Controller Switch support up to 625 rogues; and the 2100 series controllers and Controller Network Module for Integrated Services Routers support up to 125 rogues. Each controller limits the number of rogue containments to three per radio (or six per radio for access points in monitor mode).

When the controller receives a rogue report from one of its managed access points, it responds as follows:

1. The controller verifies whether the unknown access point is in the friendly MAC address list. If it is, the controller classifies the access point as Friendly.
2. If the unknown access point is not in the friendly MAC address list, the controller starts applying rogue classification rules.
3. If the rogue is already classified as Malicious, Alert or Friendly, Internal or External, the controller does not reclassify it automatically. If the rogue is classified differently, the controller reclassifies it automatically only if the rogue is in the Alert state.
4. The controller applies the first rule based on priority. If the rogue access point matches the criteria specified by the rule, the controller classifies the rogue according to the classification type configured for the rule.
5. If the rogue access point does not match any of the configured rules, the controller classifies the rogue as Unclassified.
6. The controller repeats the previous steps for all rogue access points.
7. If RLDP determines that the rogue access point is on the network, the controller marks the rogue state as Threat and classifies it as Malicious automatically, even if no rules are configured. You can then manually contain the rogue (unless you have configured RLDP to automatically contain the rogue), which would change the rogue state to Contained. If the rogue access point is not on the network, the controller marks the rogue state as Alert, and you can manually contain the rogue.
8. If desired, you can manually move the access point to a different classification type and rogue state.

As mentioned previously, the controller can automatically change the classification type and rogue state of an unknown access point based on user-defined rules, or you can manually move the unknown access point to a different classification type and rogue state.

The following table shows the allowable classification types and rogue states from and to which an unknown access point can be configured.

If the rogue state is Contained, you have to uncontain the rogue access point before you can change the classification type. If you want to move a rogue access point from Malicious to Unclassified, you must delete the access point and allow the controller to reclassify it.

Rogue access point radios are unauthorized access points detected by one or more Cisco 1000 series lightweight access points. To open the Rogue Access Point Alarms page, do one of the following:

• Search for rogue APs.
• Navigate to Dashboard > Wireless > Security. This page displays all the rogue access points detected in the past hour and the past 24 hours. Click the rogue access point number to view the rogue access point alarms.
• Click the AP number link in the Alarm Summary.

If there are multiple alarm pages, the page numbers are displayed at the top of the page with a scroll arrow on each side. Use it to view additional alarms.

Rogue access point partitions are associated with one of the detecting access points (the one with the latest or strongest RSSI value). If there is detecting access point information, Prime Infrastructure uses the detecting controller. If the rogue access point is detected by two controllers which are in different partitions, the rogue access point partition might be changed at any time.

When Prime Infrastructure polls, some data might change or get updated. Because of this, some of the displayed rogue data (including Strongest AP RSSI, No. of Rogue Clients, Channel, SSID, and Radio Types) can change during the life of the rogue.

Alarm event details for each rogue access point are available in the Rogue Access Point Alarms list page.

To view alarm events for a rogue access point radio, select Monitor > Monitoring Tools > Alarms and Events, and click the arrow icon in a row to view Rogue Access Point Alarm Details page.

All Alarm Details page fields (except No. of Rogue Clients) are populated through polling and are updated every two hours. The number of rogue clients is a real-time number and is updated each time you access the Alarm Details page for a rogue access point alarm.

When a controller (version 7.4 or 7.5) sends custom rogue Access Point alarm, Prime Infrastructure shows it as unclassified rogue alarm. This is because Prime Infrastructure does not support custom rogue Access Point alarm.

When Prime Infrastructure polls, some data might change or get updated. Because of this, some of the displayed rogue data (including Strongest AP RSSI, No. of Rogue Clients, Channel, SSID, and Radio Types) can change during the life of the rogue.

You can view a list of rogue clients in several ways:

• Perform a search for rogue clients using Prime Infrastructure feature.
• View the list of rogue clients for a specific rogue access point from the Alarm Details page for the applicable rogue access point. Click the Rogue MAC address for the applicable rogue client to view the Rogue Client details page.
• In the Alarms Details page of a rogue access point, choose Rogue Clients from the Select a command drop-down list.

The Rogue Clients page displays the Client MAC address, when it was last heard, its current status, its controller, and the associated rogue access point.

Rogue client statuses include: Contained (the controller contains the offending device so that its signals no longer interfere with authorized clients); Alert (the controller forwards an immediate alert to the system administrator for further action); and Threat (the rogue is a known threat). The higher the threat of the rogue access point, the higher the containment required.

Click the Client MAC Address for the rogue client to view the Rogue Client details page.

The Adhoc Rogue Alarms page displays alarm events for ad hoc rogues. To access the Adhoc Rogue Alarms page, do one of the following:

• Perform a search for ad hoc rogue alarms.
• Navigate to Dashboard > Wireless > Security. This page displays all the ad hoc rogues detected in the past hour and the past 24 hours. Click the ad hoc rogue number to view the ad hoc rogue alarms.

If there are multiple alarm pages, the page numbers are displayed at the top of the page with a scroll arrow on each side. Use this to view additional alarms.

When Prime Infrastructure polls, some data might change or get updated. Because of this, some of the displayed rogue data (including Strongest AP RSSI, No. of Rogue Clients, Channel, SSID, and Radio Types) can change during the life of the rogue.

Alarm event details for each ad hoc rogue is available on the Adhoc Rogue Alarms page. Rogue access point radios are unauthorized access points detected by Cisco 1000 Series Lightweight APs.

To view alarm events for an ad hoc rogue radio, click the applicable Rogue MAC address in the Adhoc Rogue Alarms page.

When Prime Infrastructure polls, some data might change or get updated. Hence some of the displayed rogue data (including Strongest AP RSSI, No. of Rogue Clients, Channel, SSID, and Radio Types) can change during the life of the rogue.

Alarms will not be triggered if a rogue is discovered using switch port tracing as switch port tracing does not update any of the rogue attributes such as severity, state, and so on.

Prime Infrastructure generates the flags as rogue access point traps and displays the known rogue access points by MAC address Cisco Unified Network Solution is monitoring it.

The operator displays a map showing the location of the access points closest to each rogue access point. These access points are classified as:

• Known or Acknowledged rogue access points (no further action)
• Alert rogue access points (watch for and notify when active)
• Contained rogue access points

This built-in detection, tagging, monitoring, and containment capability enables system administrators to take appropriate action:

• Locate rogue access points.
• Receive new rogue access point notifications, eliminating hallway scans.
• Monitor unknown rogue access points until they are eliminated or acknowledged.
• Determine the closest authorized access point, making directed scans faster and more effective.
• Contain rogue access points by sending their clients deauthenticate and disassociate messages from one to four access points. This containment can be done for individual rogue access points by MAC address or can be mandated for all rogue access points connected to the enterprise subnet.
• Tag rogue access points:
  • Acknowledge rogue access points when they are outside of the LAN and do not compromise the LAN or WLAN security
  • Accept rogue access points when they do not compromise the LAN or WLAN security
  • Tag rogue access points as unknown until they are eliminated or acknowledged

• Tag rogue access points as contained and discourage clients from associating with the rogue access points by having between one and four access points transmit deauthenticate and disassociate messages to all rogue access point clients. This function applies to all active channels on the same rogue access point.