Cisco Catalyst Center Rogue Management and aWIPS Application Quick Start Guide, Release 3.2.x

Monitor network rogue threats

Updated: May 5, 2026

Want to summarize with AI?

Overview

Provides instructions for monitoring network rogue threats in Catalyst Center by selecting specific sites and time ranges. Details how to utilize the Threats table to filter, customize, and analyze comprehensive information regarding rogue APs and aWIPS attacks across your network infrastructure.

Procedure

In the Site menu, click Global.

The Site Selector slide-in pane opens.

Enter a site name in the Search Hierarchy search bar or expand Global to select a site.
Note
- Sites with more than 254 subsites are disabled by default.
- Site hierarchies without floors are not listed in the Site Selector slide-in pane.

Click the time range setting ( ) at the top-right corner to specify the time range of the data that you want to see in the Threats table:

From the drop-down menu, select a time range: 3 hours, 24 hours, 7 days, or Custom.

If you select the Custom time range, specify the Start Date and time, and the End Date and time.
Click Apply.

Use the Threats table to view detailed information about the threats in your network:


Threats Table
Item	Description
Filter	Click the icon in the search bar to see the data filter in the table based on this criteria: Threat Level, Threat MAC Address, Type, Detecting AP, Detecting AP Site, RSSI (dBm), SSID, and Containment Status. RSSI, SSID, and Clients do not display for aWIPS.
Threat Table	Displays this information about threats in a table format: Threat Level: Displays color-coded classified threat levels. Catalyst Center classifies threats into these categories: High Threat Potential Threat Informational Mac Address: Displays the MAC address of a rogue AP. Type: Displays threat types. State: Displays the state of a rogue AP or aWIPS attacks. Source/Target: Shows whether the MAC address is the source of an aWIPS attack or the target of an aWIPS attack. This column is not applicable for rogue data. Connection: Displays whether the rogue AP is located on the wired network or wireless network. This column shows the aWIPS attacks on the wireless network. Detecting AP: Displays the name of the AP that is currently detecting a rogue AP. If multiple APs detect a rogue, the detecting AP displays the highest signal strength. This column is applicable for both rogue AP and aWIPS attacks. Detecting AP Site: Displays the site location of the detecting AP. This column is applicable for both rogue AP and aWIPS attacks. RSSI (dBm): Displays the RSSI value reported by the detecting AP. RSSI (dBm) is only applicable for rogue APs. SSID: Displays the service set identifier that a rogue AP is broadcasting. SSID is only applicable for rogue APs. Clients: Displays the number of rogue clients associated with an AP. This column is only applicable for rogue APs. Note The client count that displays in the Threats table differs from the client count that displays in the Threats 360 degrees window. This happens if the data that is processed in a Catalyst Center release earlier than 2.3.2 is migrated to Catalyst Center 2.3.2 or later. Catalyst Center 2.3.2 or later displays the correct client count for the newly processed data if the time range that is selected has the new data. Containment Status: Displays the possible values (Contained, Pending, Open, and Partial) of a rogue AP. For autocontained rogue APs, the status displays as Contained (Auto), Pending (Auto), Open (Auto), and Partial (Auto). Wireless containment status is only applicable for rogue APs. Last Reported: Displays the date, month, year, and time at which a rogue AP or aWIPS attack was last reported. Vendor: Displays the rogue AP vendor information. This column is not applicable for aWIPS attacks.
	Customize the data that you want to see in the table: In the Table Appearance tab, set the table density and striping. In the Edit Table Columns tab, check the check boxes for the data that you want to see. Click Apply.

Need help?

Open a support case

(Requires a Cisco Service Contract)

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.