Configuring Device Containment

Context

After the AC identifies a rogue or interference device, you can configure the APs to contain the rogue or interference device. After the containment mode is set, the APs periodically send control frames to disconnect authorized users from the rogue or interference device or disconnect unauthorized users.

Currently, the AC supports rogue or interference device containment against rogue or interference APs using spoofing SSIDs and open-authentication rogue or interference APs. The monitor AP uses the MAC address of a rogue or interference AP using a spoofing SSID or an open-authentication rogue or interference AP to broadcast deauthentication frames to counter the rogue or interference AP, preventing STAs from connecting to the rogue or interference AP again. After the containment mode is set against rogue or interference STAs or Ad-hoc devices, the monitor AP uses the MAC address of a rogue or interference device to continuously send unicast deauthentication frames.

Rogue or interference devices can be contained automatically or manually. Rogue or interference devices can be specified to be contained manually. Other rogue or interference devices are contained automatically.

You can run the wids manual-contain command in the WLAN view to manually contain a specified rogue or interference device in a complicated environment.

Procedure

Run system-view
The system view is displayed.
Run wlan
The WLAN view is displayed.
Enable rogue or interference device containment on radios in an AP group or on a specified AP radio.
You can enable rogue or interference device containment in the AP group radio view or AP radio view. The configuration in the AP group radio view takes effect on all AP radios in an AP group and that in the AP radio view takes effect only on a specified AP radio. The configuration in the AP radio view has a higher priority than that in the AP group radio view.
- Enable rogue or interference device containment on radios in an AP group.
  1. Run the ap-group name group-name command to enter the AP group view.
  2. Run the radio radio-id command to enter the radio view.
  3. Run the wids contain enable command to enable rogue or interference device containment.
    
    By default, rogue or interference device containment is disabled on radios in an AP group.
  4. Run the quit command to return to the AP group view.
- Enable rogue or interference device containment on a specified AP radio.
  1. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the AP view.
  2. Run the radio radio-id command to enter the radio view.
  3. Run the wids contain enable command to enable rogue or interference device containment.
    
    By default, rogue or interference device containment is disabled on an AP radio.
  4. Run the quit command to return to the AP view.
Run quit
Return to the WLAN view.
Run wids-profile name profile-name
The WIDS profile view is displayed.
Run contain-mode { open-ap | spoof-ssid-ap | client [ protect sta-whitelist-profile profile-name ] | adhoc }
The rogue or interference device containment mode is configured for APs.

By default, no containment mode against rogue or interference devices is set.
Run contain-mode { open-ap | spoof-ssid-ap | client [ protect sta-whitelist-profile profile-name ] | adhoc }
The rogue or interference device containment mode is configured for APs.

By default, no containment mode against rogue or interference devices is set.
(Optional) Run contain { min-rssi min-rssi | min-sta-num min-sta-num }
Containment of rogue and interfering devices based on the RSSI and number of STAs associated with the devices is enabled.

By default, containment of rogue and interfering devices based on the RSSI and number of associated STAs on the devices is disabled.