    Creating and Managing RF Snooping Filter Profiles

    When active scan is enabled in a Radio profile, the radios with the profile actively scan other channels in addition to the data channel that is currently in use. Active scan operates on enabled radios and disabled radios. In fact, using a radio in sentry mode as a dedicated scanner provides better rogue detection because the radio can spend more time scanning on each channel.

    When a radio is scanning other channels, active snoop filters on the radio also snoop traffic on the other channels. To prevent monitoring of data from other channels, use the channel option when you configure the filter, to specify the channel on which you want to snoop.

    Managing Snooping Filter Profiles

    From the Manage RF Snooping page, you can:

    • Create a new RF Snooping profile by clicking Add. For directions, see Creating an RF Snooping Filter Profile.
    • Modify an existing RF Snooping profile by selecting it and clicking Edit.
    • Assign an RF Snooping profile to access points by selecting the profile and clicking Assign. For directions, see Assigning RF Snooping Filter Profiles to Access Points.
    • Edit an existing RF Snooping profile by selecting it and clicking Edit Assign.
    • Delete an RF Snooping profile by selecting the site name and clicking Delete.

      Tip: You cannot delete a profile that is in use. To see the current state of a profile, select the site name and click Details.

    • Clone an RF Snooping profile by selecting a profile and clicking Clone.

    Table 1 describes the information provided about RF Snooping profiles on the Manage Switching Profiles page. This page lists all RF Snooping profiles defined for your network, regardless of the scope you selected in the network view.

    Table 1: RF Snooping Profile Information

    | Field | Description |
    |---|---|
    | Snoop Filter Name | Profile name up to 15 alphanumeric characters. |
    | Enabled | A snooping filter can be disabled or enabled. |
    | Owner | Login of user who created the Snoop Filter Profile. |
    | Description | Description for the snoop filter. |
    | Assignment State | Displays the assignment state of the profile. A profile can be: Unassigned, when the profile is not assigned to any object; Deployed, when the profile is assigned and is deployed from Deploy mode; Pending Deployment, when the profile is assigned, but not yet deployed in the network. |
    | Creation Time | Date and time when the profile was created. |
    | Last Updated Time | Date and time when the profile was last modified. |
    | User Name | The username of the user who created or modified the profile. |

    Creating an RF Snooping Filter Profile

    To add an RF Snooping Filter Profile, follow these steps:

    1. Under Views, select one of these options: Logical View, Location View, Device View or Custom Group View.

      Tip: Do not select Dashboard View, Datacenter View, or Topology View.

    2. Click in the Network Director banner.
    3. In the Tasks pane, expand Wireless, expand Profiles, and then click RF Snooping.

      The Manage RF Snooping Profile page appears, displaying the list of currently configured RF Snooping profiles.

    4. Click Add.

      The Create RF Snooping Profile page opens.

    5. Provide the RF Snooping settings listed in Specifying RF Snooping Settings.
    6. Click Done.

      The new RF Snooping profile is added to the list on the Manage RF Snooping Profile page.

    Specifying RF Snooping Settings

    Specify the RF Snooping settings described in Table 2.

    Table 2: RF Snooping Settings

    Field

    Description

    Snoop Filter Name

    Type a snooping filter name up to 15 characters long.

    Description

    Provide a description of the snooping filter profile.

    Enable

    Turn the Snooping profile on and off by adding a check mark to enable it or removing the check mark to disable it.

    Snoop Observer

    You can either select an existing snooping observer or you can create a new snooping observer.

    If the snooping filter meets these conditions, the observer must also be in the same subnet.

    • Filter is running on a distributed access point.
    • Access point used a DHCP server in a local subnet to configure the IP information, and the access point did not receive a default router (gateway) address as a result. Without a default router, the access point cannot find the observer.

    Tip: Do not specify an observer associated with the access point with an assigned snooping filter. This configuration causes an endless cycle of snooping traffic.

    Task: Select an existing snooping observer

    1. Click Select.

      The Select Snooping Observer window opens.

    2. Place a check mark next to one of the snoop observers listed in the Select Snooping Observer window.
    3. Click Select in the Select Snooping Observer window.

      The selection window closes and the selected observer now appears in the Observer Name field.

    Task: Create a new snooping observer

    1. Click Create.

      The Create Snooping Observer window opens.

    2. Provide the following settings:
      • Name for the snooping observer 1-15 characters long.
      • Target IP Address of the snoop observer.
      • Optionally enable Snap Length Limit and provide a snap length in bytes.

        Snap length specifies the maximum number of bytes to capture. If you do not specify a length, the entire packet is copied and sent to the observer. Juniper Networks recommends specifying a snap length of 100 bytes or less.

    3. Optionally, enable Frame Gap Limit and provide a frame gap value in milliseconds.

      Frame gap refers to the minimum time period allowed between transmission of packets.

    4. Select a Mode for the snoop observer:
      • tzsp: When an 802.11 packet matches all conditions in a filter, the access point encapsulates the packet in a TaZmen Sniffer Protocol (TZSP) packet and sends the packet to the observer host IP addresses specified by the filter. TZSP uses UDP port 37008 for transport.
      • batched tzsp: Every captured packet matching a configured filter will be encapsulated in a TZSP header and snoop record header and marshaled in a buffer maintained on a per snoop observer basis, for later transmission. The marshaled snoop packets will be copied to a UDP datagram and sent to the observer as soon as the buffer size exceeds the UDP datagram data field size.
    5. Click Done in the Create Snoop Observer window.

      The window closes and the created observer now appears in the Observer Name field.

    Snooping Conditions

    The snooping conditions specify the match criteria for packets. Conditions in the list are appended. Therefore, to be copied and sent to an observer, a packet must match all snooping conditions. You can specify up to eight of the following conditions in a filter, in any order or combination:

    • Frame Type
    • Channel
    • BSSID
    • Transmitter Type
    • Source MAC Address
    • Destination MAC Address
    • MAC Host
    • MAC Pair
    • Direction

    Task: Add a Snooping Condition

    A snooping condition consists of three parts: a Type, an Operation, and a Direction. The end result resembles an equation. To create a condition, click Add under Snooping Conditions. The Create Snooping Condition window opens with three conditions: a Type, an Operation, and a third attribute. You can create eight of the following combinations:

    Type

    Operation

    Third Attribute

    Frame Type

    Equals or Not Equals

    Frame Types: Management, Control, Data, Beacon, or Probe

    Direction

    Equals or Not Equals

    Direction: Receive or Transmit

    Channel

    Equals or Not Equals

    Channel: 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14

    BSSID

    Equals or Not Equals

    When the operation type is Glob the fields OUID and Vendor Name are available.

    • Glob—Indicate a host address. An asterisk like this * (the default) is a wildcard meaning all hosts.
    • OUID—Indicate a vendor’s OUID code.

    Transmitter Type

    Equals or Not Equals

    Transmitter Type: Member AP

    Source MAC

    • Equals—EQ
    • Not Equals—NEQ
    • Less than—LE
    • Greater than—GE
    • Wild card pattern— Glob

    When the operation type is Glob the fields OUID and Vendor Name are available.

    • Glob—Indicate a host address. An asterisk like this * (the default) is a wildcard meaning all hosts.
    • OUID—Indicate a vendor’s OUID code.

    Destination MAC

    • Equals—EQ
    • Not Equals—NEQ
    • Less than—LE
    • Greater than—GE
    • Wild card pattern— GLOB

    When the operation type is Glob the fields OUID and Vendor Name are available.

    • Glob—Indicate a host address. An asterisk like this * (the default) is a wildcard meaning all hosts.
    • OUID—Indicate a vendor’s OUID code.

    MAC Host

    • Equals—EQ
    • Not Equals—NEQ
    • Less than—LE
    • Greater than—GE
    • Wild card pattern— GLOB

    When the operation type is Glob the fields OUID and Vendor Name are available.

    • Glob—Indicate a host address. An asterisk like this * (the default) is a wildcard meaning all hosts.
    • OUID—Indicate a vendor’s OUID code.

    MAC Pair

    Type two MAC addresses

    Task: Edit a Snooping Condition

    1. Select an existing snooping condition from the list of Snooping Conditions on the Create RF Snooping Filter Profile page.
    2. Click Edit.

      The Edit Snooping Condition window opens with the Type, Operation, and Direction of the condition displayed.

    3. Make any needed changes to the condition and then click Done.

      The Edit Snooping Condition window closes and the condition is updated in the Snooping Condition list.

    Task: Delete a Snooping Condition

    1. Select an existing snooping condition from the list of Snoop Conditions on the Create RF Snooping Filter Profile page.
    2. Click Delete.

      The condition disappears from the Snoop Condition list.

    Note: The AP running a snooping filter forwards snooped packets directly to the observer. This is a one-way communication, from the AP to the observer. If the observer is not present, the access point still sends the snooped packets, which uses bandwidth. If the observer is present but is not listening to TZSP traffic, the observer continuously sends ICMP error indications back to the access point. These ICMP messages can affect network and access point performance.
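
    The note above means the observer host has to be listening on UDP 37008 before the filter is deployed. The following is an added example, not Juniper code: a minimal Python observer for plain tzsp mode that parses each datagram and reports the class of the inner 802.11 frame. The header layout and tag numbers are taken from the public TZSP format description rather than from this page, the function names are the example's own, and batched tzsp is not handled because its snoop record header is not described here.

```python
import socket
import struct

TZSP_PORT = 37008                  # UDP port this page gives for TZSP
TAG_PADDING, TAG_END = 0x00, 0x01  # the only tags without a length byte
TAG_NAMES = {0x0A: "raw_rssi", 0x0B: "snr", 0x0C: "data_rate", 0x12: "rx_channel"}
# Constructed sample: TZSP header, rx_channel=6, raw_rssi=0xc4, END, start of a beacon.
SAMPLE = bytes.fromhex("01000012" "120106" "0a01c4" "01" "80000000ffffffffffff")

def parse_tzsp(datagram: bytes) -> dict:
    """Split one plain-mode TZSP datagram into header, tagged fields and inner frame."""
    if len(datagram) < 4 or datagram[0] != 1:
        raise ValueError("not a TZSP version 1 datagram")
    _version, msg_type, encap = struct.unpack("!BBH", datagram[:4])
    tags, pos, end = {}, 4, len(datagram)
    while pos < end and datagram[pos] != TAG_END:
        tag, pos = datagram[pos], pos + 1
        if tag == TAG_PADDING:
            continue
        # Bounds-check the length byte and the value before slicing.
        if pos >= end or pos + 1 + datagram[pos] > end:
            raise ValueError("tagged field runs past the end of the datagram")
        length = datagram[pos]
        tags[TAG_NAMES.get(tag, f"tag_0x{tag:02x}")] = datagram[pos + 1:pos + 1 + length]
        pos += 1 + length
    if pos >= end:
        raise ValueError("tag list has no END tag")
    return {"type": msg_type, "encap": encap, "tags": tags, "frame": datagram[pos + 1:]}

def frame_class(frame: bytes) -> str:
    """Name the 802.11 frame class from the type bits of the Frame Control field."""
    classes = ("management", "control", "data", "extension")
    return classes[(frame[0] >> 2) & 0x3] if frame else "empty"

def listen(bind_addr: str = "0.0.0.0") -> None:
    """Keep UDP 37008 open on the observer host and summarise each snooped packet."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_addr, TZSP_PORT))
        while True:
            data, (src, _port) = sock.recvfrom(65535)
            try:
                pkt = parse_tzsp(data)
                print(src, frame_class(pkt["frame"]), pkt["tags"], len(pkt["frame"]))
            except ValueError as err:
                print(f"{src}: malformed TZSP datagram dropped ({err})")

if __name__ == "__main__":
    listen()
```

    With a snap length configured on the observer, the inner frame is cut at that many bytes, so the parser treats whatever follows the END tag as the frame without assuming a full 802.11 header.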

    What To Do Next

    Assign the Snooping Filter Profile to an access point following the directions in Assigning RF Snooping Filter Profiles to Access Points. You can also map a Radio profile to a snooping profile—see Creating and Managing a Radio Profile.

    Modified: 2016-12-08