nanog mailing list archives

Re: Detection of Rogue Access Points


From: james machado <hvgeekwtrvl () gmail com>
Date: Thu, 18 Oct 2012 11:21:45 -0700

On Thu, Oct 18, 2012 at 7:00 AM, Jonathan Rogers <quantumfoam () gmail com> wrote:
> I like the idea of looking at the ARP table periodically, but this presents
> some possible issues for us. The edge routers at our remote sites are Cisco
> 1841 devices, typically with either an MPLS T1 or a Public T1 (connected
> via an IAD owned by Centurylink; router to router, so dumb). Aside from
> manually logging in to those individual routers (all 140 or so of them) and
> checking them on a schedule, can anyone think of a good way to capture that
> information automatically? If I had to I could probably come up with a
> script to log in to them and scrape the info then process it but...eww.


Quite a few people have leveraged RANCID
(http://www.shrubbery.net/rancid/) for doing stuff like this.

It is made to pull configs from routers on a cycle and produces text
files that can be worked with. You can use the tools that are there
to pull specific information, such as ARP tables, and then process the
resultant files with your scripting language of choice. Check the
mailing list for examples of this kind of thing.


> Another possible option (although costly) is installing a Ruckus device at
> each location; we have a Ruckus infrastructure at our HDQ and it works
> great (almost too good, it's super sensitive) at picking up rogues. A
> Ruckus WAP could talk to our ZoneDirector appliance and do that for us at
> each site, I think, but it may be difficult to justify the cost.
>
> --JR


james
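One way to do the processing step james describes, as an added example that is not from this thread or from RANCID: a small Python script that parses the text of a Cisco IOS "show ip arp" as RANCID would have collected it for one site and flags any MAC address not in that site's baseline of known hosts. The site name, the sample router output and the baseline MAC list are constructed for the example.

```python
import re
from typing import List, NamedTuple, Set


class ArpEntry(NamedTuple):
    site: str
    ip: str
    mac: str        # normalised to aa:bb:cc:dd:ee:ff
    interface: str


# Matches one data line of Cisco IOS "show ip arp"; the header line and
# "Incomplete" entries (no hardware address yet) do not match.
ARP_LINE = re.compile(
    r"^Internet\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<age>\S+)\s+"
    r"(?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s+ARPA\s+(?P<intf>\S+)"
)


def normalise_mac(cisco_mac: str) -> str:
    """Convert Cisco dotted form 0011.2233.4455 to 00:11:22:33:44:55."""
    hexdigits = cisco_mac.replace(".", "").lower()
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_show_ip_arp(site: str, text: str) -> List[ArpEntry]:
    """Parse the captured 'show ip arp' text of one router into ArpEntry records."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            entries.append(ArpEntry(site, m.group("ip"),
                                    normalise_mac(m.group("mac")), m.group("intf")))
    return entries


def find_unknown_hosts(entries: List[ArpEntry], known_macs: Set[str]) -> List[ArpEntry]:
    """Return the entries whose MAC is absent from the site's baseline of known hosts."""
    return [e for e in entries if e.mac not in known_macs]


# Constructed sample of what a collected 'show ip arp' for one site might look like.
SAMPLE_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.20.0.1               -   0011.2233.4455  ARPA   FastEthernet0/0
Internet  10.20.0.10              3   0018.0a12.3456  ARPA   FastEthernet0/0
Internet  10.20.0.77             12   c0c1.c0aa.bbcc  ARPA   FastEthernet0/0
Internet  10.20.0.99              0   Incomplete      ARPA
"""

# Constructed baseline: the router's own address and one previously approved host.
KNOWN_MACS = {"00:11:22:33:44:55", "00:18:0a:12:34:56"}

if __name__ == "__main__":
    for e in find_unknown_hosts(parse_show_ip_arp("site-20", SAMPLE_ARP), KNOWN_MACS):
        print(f"{e.site}: unknown host {e.ip} ({e.mac}) on {e.interface}")
```

Run against the per-site files RANCID writes on each cycle, an entry that appears here is only a candidate for follow-up; confirming it is an access point (and not, say, a new printer) still needs a look at the port or the OUI.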

