For those of us with Aruba wireless, www boy, could you share some more info about your setup/code version/configuration/specific APs/controller model(s)/etc?
Matt Freitag
Network Engineer
Michigan Tech IT
Michigan Technological University

We can help.
mtu.edu/it
(906) 487-1111

On Fri, Jun 7, 2019 at 3:06 PM Matt Hoppes <mattli...@rivervalleyinternet.net> wrote:

> Turn on client isolation on the access points?
>
> > On Jun 7, 2019, at 3:00 PM, Hugo Slabbert <h...@slabnet.com> wrote:
> >
> >> On Fri 2019-Jun-07 16:21:29 +1000, www boy <www...@gmail.com> wrote:
> >>
> >> I just joined nanog to allow me to respond to a thread that Simon posted in March.
> >> (Not sure if this is how to respond)
> >>
> >> We have the exact same problem with Aruba Access points and with multiple
> >> MacBooks and an iMac.
> >> Where the device will spoof the default gateway and the effect is that vlan
> >> is not usable.
> >>
> >> I also have raised a case with Apple but so far no luck.
> >>
> >> What is the status of your issue? Any luck working out exactly what the
> >> cause is?
> >
> > We appeared to hit this with Cisco kit:
> > https://www.cisco.com/c/en/us/support/docs/wireless/aironet-3800-series-access-points/214491-arp-responses-for-default-gateway-ip-add.html
> >
> > They don't say *exactly* that the Apple devices are spoofing the gateway, but some behaviour in what they send out results in the proxy arp being performed by the APs to update the ARP entry for the gateway address to the clients':
> >
> >> * This is not a malicious attack, but triggered by an interaction between the macOS device while in sleeping mode, and specific broadcast traffic generated by newer Android devices
> >> * AP-COS while in FlexConnect mode provides Proxy ARP (ARP caching) services by default. Due to their address learning design, they will modify table entries based on this traffic leading to default gateway ARP entry modification
> >
> > The fix was to disable ARP caching on the APs so they don't proxy ARP but ARP replies pass directly between client devices.
> >
> > --
> > Hugo Slabbert | email, xmpp/jabber: h...@slabnet.com
> > pgp key: B178313E | also on Signal
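
The symptom discussed in this thread (ARP replies that bind the default gateway's IP to a client's MAC) can be confirmed from a capture on the affected VLAN. The following is an added example, not part of the original thread: it scans lines in the style of `tcpdump -n arp` output and reports every reply that claims the gateway IP with an unexpected MAC. The gateway IP/MAC, the sample lines and the function names are all constructed assumptions.

```python
import re

# ARP reply as printed in `tcpdump -n arp` style, e.g.
#   15:00:01.000410 ARP, Reply 192.0.2.1 is-at 02:00:00:00:00:01, length 28
ARP_REPLY = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"is-at (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
)

def find_gateway_conflicts(lines, gateway_ip, gateway_mac):
    """Return (timestamp, claimed_mac) for each ARP reply that binds
    gateway_ip to a MAC other than the known-good gateway_mac."""
    expected = gateway_mac.lower()
    conflicts = []
    for line in lines:
        m = ARP_REPLY.match(line.strip())
        if not m or m.group("ip") != gateway_ip:
            continue  # not an ARP reply, or a reply about another host
        claimed = m.group("mac").lower()  # MAC case varies between tools
        if claimed != expected:
            conflicts.append((m.group("ts"), claimed))
    return conflicts

def summarize(conflicts):
    """Count conflicting replies per claimed MAC, to identify the client
    whose address is being handed out for the gateway."""
    counts = {}
    for _, mac in conflicts:
        counts[mac] = counts.get(mac, 0) + 1
    return counts

# Constructed sample capture (documentation IP range, locally administered MACs).
GATEWAY_IP = "192.0.2.1"
GATEWAY_MAC = "02:00:00:00:00:01"
SAMPLE = [
    "15:00:01.000001 ARP, Request who-has 192.0.2.1 tell 192.0.2.57, length 28",
    "15:00:01.000410 ARP, Reply 192.0.2.1 is-at 02:00:00:00:00:01, length 28",
    "15:00:07.120033 ARP, Reply 192.0.2.57 is-at 02:00:00:00:AA:BB, length 28",
    "15:02:44.900871 ARP, Reply 192.0.2.1 is-at 02:00:00:00:aa:bb, length 28",
    "15:02:45.001290 ARP, Reply 192.0.2.1 is-at 02:00:00:00:AA:BB, length 28",
]

if __name__ == "__main__":
    hits = find_gateway_conflicts(SAMPLE, GATEWAY_IP, GATEWAY_MAC)
    for ts, mac in hits:
        print(f"{ts} gateway {GATEWAY_IP} claimed by {mac}")
    print(summarize(hits))
```

A claimed MAC that matches an associated wireless client, seen in replies sourced from the AP, is consistent with the proxy ARP behaviour described in the Cisco note quoted above.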