
Air Marshal Rogue SSIDs


Cisco Meraki Access Points have a feature known as Air Marshal that allows administrators to quickly and easily identify threats and maintain a secure wireless network. This feature can be monitored and configured on the Wireless Monitor > Air Marshal page. More information on this feature can be found here.



When a Beacon Frame for an SSID is detected by an Access Point in Air Marshal mode, it is classified as either a 'Rogue SSID' or as an 'Other SSID'. To determine if an SSID is originating locally, we look at the MAC address of local devices, and the BSSID of the broadcasted SSID. When a wireless access point of any brand generates a beacon packet, it uses a BSSID, which is a virtual physical address. More information on this behavior can be found here.


Note: A “hidden SSID” on the Air Marshal page is an SSID name that is not included in the beacons and probe responses for a particular BSSID. These can usually be ignored during common network operation, and are unlikely to result in noticeable RF interference.

When we detect an SSID being broadcast, we compare it to other known MAC addresses on the LAN. The criteria for a match are as follows:


  • If a wired MAC and the broadcasted BSSID MAC match on the 3rd and 4th bytes of the MAC (starting with the 0th byte on the left, ending on the 5th byte on the right)
  • AND if the rest of the bytes differ by 5 bits or less (except for the 4 least significant [rightmost] bits of the 5th byte, which are masked out), it is classified as a Rogue SSID.


This comparison is done with an XOR of the MAC addresses in binary notation. Below is an example of a wired MAC compared to the broadcasted MAC in the SSID. This example was detected by Air Marshal:


When the MAC addresses are written out in binary, you can see that very few of the bits are different. When performing an XOR, you see that only 3 significant bits in the calculation are different between the two MAC addresses.

In another, simpler example, shown in the image below, both entries are classified as a rogue SSID for the reason 'Seen on LAN'. In the first entry, there is a match on the 03:37 portion of the address. Since the rest of the bytes differ by only 1 bit, it is classified as coming from a device on the LAN. In the second entry, they match exactly, and the SSID is classified in the same way.
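
The matching rule described above can be reproduced offline to check why a given BSSID was, or was not, tied to a wired device. The following Python is an added example written from the rule as stated on this page, not Meraki's implementation; the function names are hypothetical and the MAC addresses in the demo are constructed.

```python
# Added example: the 'Seen on LAN' comparison as this page states it.
# Function names are hypothetical; sample MAC addresses are constructed.

def parse_mac(mac: str) -> bytes:
    """Parse 'aa:bb:cc:dd:ee:ff' (':' or '-' separated) into 6 raw bytes."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return raw

def differing_bits(wired: str, bssid: str):
    """Count significant differing bits; None if bytes 3 and 4 do not match."""
    w, b = parse_mac(wired), parse_mac(bssid)
    if w[3:5] != b[3:5]:          # bytes 3 and 4 (0-indexed) must be identical
        return None
    total = 0
    for i in (0, 1, 2, 5):        # the rest of the bytes
        x = w[i] ^ b[i]           # XOR leaves a 1 wherever the bits differ
        if i == 5:
            x &= 0xF0             # mask out the 4 least significant bits
        total += bin(x).count("1")
    return total

def seen_on_lan(wired: str, bssid: str, max_bits: int = 5) -> bool:
    """True when the BSSID matches the wired MAC under the stated rule."""
    n = differing_bits(wired, bssid)
    return n is not None and n <= max_bits

def matching_wired_macs(bssid: str, wired_macs):
    """Return the wired MACs that would tie this BSSID to the LAN."""
    return [w for w in wired_macs if seen_on_lan(w, bssid)]

if __name__ == "__main__":
    wired = ["00:11:22:03:37:a0", "00:aa:bb:cc:dd:e0"]   # constructed LAN MACs
    for bssid in ("02:11:22:03:37:a5",   # 1 significant bit differs
                  "00:11:22:03:37:a0",   # exact match
                  "00:11:22:03:38:a0",   # byte 4 differs, so no match
                  "3f:11:22:03:37:a0"):  # 6 bits differ, over the limit
        print(bssid, "->", matching_wired_macs(bssid, wired) or "no wired match")
```
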

Air Marshal will detect rogues on all VLANs if the Meraki AP is connected to an upstream trunk port, provided that all VLANs are allowed.



With the ability to locate Rogue SSIDs, administrators are better equipped to prevent unauthorized access points from operating on their local network. After detection, an administrator is able to take action, either containing the SSID using Air Marshal, or using the gathered information to find the offending device and remove it from the network. 

Last modified
08:30, 29 Aug 2017




Article ID

ID: 2099
