The contain-mode command sets the containment mode against rogue or interference devices.
The undo contain-mode command deletes the containment mode against rogue or interference devices.
By default, no containment mode against rogue or interference devices is set.
contain-mode { open-ap | spoof-ssid-ap | client [ protect sta-whitelist-profile profile-name ] | adhoc }
undo contain-mode { open-ap | spoof-ssid-ap | client [ protect ] | adhoc }
Parameter |
Description |
Value |
|---|---|---|
open-ap |
Sets the containment mode against open-authentication rogue or interference APs. |
- |
spoof-ssid-ap |
Sets the containment mode against rogue or interference APs using spoofing SSIDs. |
- |
client |
Sets the containment mode against unauthorized STAs or interference STAs. |
- |
protect sta-whitelist-profile profile-name |
Protects STAs based on the STA whitelist. Authorized STAs in the whitelist are protected from connecting to rogue or interference APs. |
- |
adhoc |
Sets the containment mode against Ad-hoc devices. |
- |
Rogue or interference devices pose serious security threats to enterprise networks.
After the containment mode is set against rogue or interference APs, the monitor AP uses the identity of the rogue or interference AP to broadcast deauthentication frames to forcibly disconnect STAs. To prevent the STAs from connecting to the rogue or interference AP again, the monitor AP will periodically and continuously send deauthentication frames.
After the containment mode is set against rogue STAs, interference STAs or Ad-hoc devices, the monitor AP uses the MAC address of a rogue device to continuously send unicast deauthentication frames.
# Counter rogue and interference APs with spoofing SSIDs.
<HUAWEI> system-view [HUAWEI] wlan [HUAWEI-wlan-view] ap-group name office [HUAWEI-wlan-ap-group-office] radio 0 [HUAWEI-wlan-group-radio-office/0] wids contain enable [HUAWEI-wlan-group-radio-office/0] quit [HUAWEI-wlan-ap-group-office] quit [HUAWEI-wlan-view] wids-profile name huawei [HUAWEI-wlan-wids-prof-huawei] contain-mode spoof-ssid-ap