A customer is concerned that their wireless network is detecting spurious threats from channels that are not being used by their wireless infrastructure. Which two technologies must they deploy? (Choose two.)
Monitor Mode:
In Monitor Mode, an access point (AP) scans all available channels to detect wireless activity, including threats such as rogue devices, interference, and attacks.
This mode allows the AP to monitor channels that are not actively used by the wireless infrastructure, ensuring comprehensive threat detection.
Rogue Detector Mode:
In Rogue Detector Mode, an AP is dedicated to detecting and identifying rogue devices on the network.
This mode works in conjunction with other APs in Monitor Mode to provide a complete picture of wireless threats, including those on unused channels.
Why Not the Other Options?
A. FlexConnect Mode:
FlexConnect Mode is used for branch office deployments and does not provide threat detection capabilities.
C. Sniffer Mode with No Submode:
Sniffer Mode is used for packet capture and analysis, not for continuous threat detection across all channels.
D. Local Mode with WIPS Submode:
While WIPS (Wireless Intrusion Prevention System) provides threat detection, it is typically limited to the channels used by the wireless infrastructure. It does not actively monitor unused channels unless combined with Monitor Mode.
Rogue Detector—In this mode, the AP radio is turned off, and the AP listens to wired traffic only. The controller passes the APs configured as rogue detectors as well as lists of suspected rogue clients and AP MAC addresses. The rogue detector listens for ARP packets only, and can be connected to all broadcast domains through a trunk link if desired.
It's one of those questions that is poorly worded.
B. is wrong as WIPS sub mode is not listed
C. refers to MESH APs
D. is correct "In Enhanced Local mode (ELM), also called Local-WIPS mode, the AP still performs
client data servicing, but when scanning off-channel, the radio dwells on the channel
for an extended period of time, allowing enhanced attack detection. If you deploy
WIPS on some APs, you should prefer ELM to Local mode."
E. By process of elimination
The customer should deploy monitor mode (B) to passively capture and analyze wireless traffic on all channels, including those not being used by their wireless infrastructure. This will help them identify any spurious threats.
They should also deploy local mode with WIPS (Wireless Intrusion Prevention System) submode (D) to actively detect and prevent unauthorized wireless devices or threats in their wireless network.
These two technologies, monitor mode and local mode with WIPS submode, will help the customer effectively detect and mitigate spurious threats from channels that are not being used by their wireless infrastructure.
I'd say the provided answer is correct BD.
The AP in rogue detector mode would not scan channels:
Rogue Detector Access Point
Rogue Detector—In this mode, the AP radio is turned off, and the AP listens to wired traffic only. The controller passes the APs configured as rogue detectors as well as lists of suspected rogue clients and AP MAC addresses. The rogue detector listens for ARP packets only, and can be connected to all broadcast domains through a trunk link if desired.
https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/70987-rogue-detect.html
I would say D and E.
Monitor mode would be the best option but then you would need to enable the WIPS submode (and that is not specified here). So the 2nd best option defined here would be "local mode with WIPS submode"
See a snippet of the cert guide
In Monitor mode with WIPS, the AP is fully dedicated to attack detection and mitigation. This is, of course, the most efficient mode, but the AP does not provide client data service anymore. Note that your AP can be in regular Monitor mode (with “None” as submode) and then only perform RRM-focused monitoring. You need to set the monitor AP to WIPS submode in order to make it a full-time WIPS AP.
And then E is the only logical second answer.
D is wrong
Rogue Detector Access Point
Rogue Detector—In this mode, the AP radio is turned off, and the AP listens to wired traffic only. The controller passes the APs configured as rogue detectors as well as lists of suspected rogue clients and AP MAC addresses. The rogue detector listens for ARP packets only, and can be connected to all broadcast domains through a trunk link if desired.
I would say this is correct.
AP in rogue detector mode turns off the radio and only listens to wired traffic and the question is mentioning wireless channels.
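The wired-side check that the quoted Cisco description attributes to Rogue Detector mode (radio off, ARP only, optionally on a trunk link), as an added example that is not part of the original thread or Cisco's code: it matches ARP sender MACs against a controller-supplied suspect list and never sees an RF channel. The MAC addresses, frames and function names are constructed for illustration, and exact-match comparison is an assumption.

```python
import struct

ETH_ARP, ETH_DOT1Q = 0x0806, 0x8100

def build_arp(sender_mac, sender_ip, target_ip, vlan=None):
    """Build a constructed ARP request frame (sample input only)."""
    sha = bytes.fromhex(sender_mac.replace(":", ""))
    ip = lambda s: bytes(int(o) for o in s.split("."))
    eth = b"\xff" * 6 + sha
    if vlan is not None:                      # 802.1Q tag, as seen on a trunk link
        eth += struct.pack("!HH", ETH_DOT1Q, vlan)
    eth += struct.pack("!H", ETH_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)
    return eth + arp + sha + ip(sender_ip) + b"\x00" * 6 + ip(target_ip)

def arp_sender(frame):
    """Return (vlan, sender_mac) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 14:
        return None
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    offset, vlan = 14, None
    if ethertype == ETH_DOT1Q:                # tagged frame: VLAN id, then real type
        if len(frame) < 18:
            return None
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        vlan, offset = tci & 0x0FFF, 18
    if ethertype != ETH_ARP or len(frame) < offset + 28:
        return None                           # the detector ignores non-ARP traffic
    if struct.unpack_from("!HHBB", frame, offset) != (1, 0x0800, 6, 4):
        return None
    return vlan, frame[offset + 8:offset + 14].hex(":")

def rogues_on_wire(frames, suspects):
    """Map each suspect MAC seen as an ARP sender to the VLANs it appeared on."""
    suspects = {m.lower() for m in suspects}
    hits = {}
    for frame in frames:
        parsed = arp_sender(frame)
        if parsed and parsed[1] in suspects:
            hits.setdefault(parsed[1], set()).add(parsed[0])
    return hits

# Constructed suspect list (stands in for what the controller passes down).
SUSPECTS = {"02:00:00:aa:bb:01", "02:00:00:aa:bb:02"}
SAMPLE_FRAMES = [                             # constructed frames, not a capture
    build_arp("02:00:00:aa:bb:01", "10.0.20.5", "10.0.20.1", vlan=20),
    build_arp("02:00:00:cc:dd:09", "10.0.0.7", "10.0.0.1"),
    b"\xff" * 6 + bytes.fromhex("020000aabb02") + b"\x08\x00" + b"\x00" * 40,
    build_arp("02:00:00:aa:bb:01", "10.0.30.5", "10.0.30.1", vlan=30),
]
```
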