Good day Matt,

We have a combination of IAP-135s and IAP-125s, and we are running an older firmware (yeah, I know it needs updating; something for next month or so).

Worst luck, I couldn't work out how to modify local ARP caches on the access points. I have just enabled "Deny inter user bridging" and that seems to have stopped the network from crashing when a client steals the router IP. (This solution may not be the best for some environments, though.)

Worst luck, Apple is being very slow with a solution and even admitting there is an issue.

But I just wanted to make sure I updated this thread so at least people in the future can find it when they google. If anyone else has any good ideas or solutions, let me know. I am keen to try the latest firmware to see if that has any other features that might prevent this.

Regards,
Mike

On Sat, Jun 8, 2019 at 5:59 AM Matt Freitag <mlfre...@mtu.edu> wrote:

> For those of us with Aruba wireless, www boy, could you share some more
> info about your setup/code version/configuration/specific APs/controller
> model(s)/etc?
>
> Matt Freitag
> Network Engineer
> Michigan Tech IT
> Michigan Technological University
>
> We can help.
> mtu.edu/it
> (906) 487-1111
>
>
> On Fri, Jun 7, 2019 at 3:06 PM Matt Hoppes <mattli...@rivervalleyinternet.net> wrote:
>
>> Turn on client isolation on the access points?
>>
>> > On Jun 7, 2019, at 3:00 PM, Hugo Slabbert <h...@slabnet.com> wrote:
>> >
>> >
>> >> On Fri 2019-Jun-07 16:21:29 +1000, www boy <www...@gmail.com> wrote:
>> >>
>> >> I just joined nanog to allow me to respond to a thread that Simon posted in March.
>> >> (Not sure if this is how to respond)
>> >>
>> >> We have the exact same problem with Aruba Access points and with multiple
>> >> MacBooks and an iMac.
>> >> Where the device will spoof the default gateway and the effect is that vlan
>> >> is not usable.
>> >>
>> >> I also have raised a case with Apple but so far no luck.
>> >>
>> >> What is the status of your issue? Any luck working out exactly what the
>> >> cause is?
>> >
>> > We appeared to hit this with Cisco kit:
>> > https://www.cisco.com/c/en/us/support/docs/wireless/aironet-3800-series-access-points/214491-arp-responses-for-default-gateway-ip-add.html
>> >
>> > They don't say *exactly* that the Apple devices are spoofing the gateway,
>> > but some behaviour in what they send out results in the proxy arp being
>> > performed by the APs to update the ARP entry for the gateway address to
>> > the clients':
>> >
>> >> * This is not a malicious attack, but triggered by an interaction
>> >>   between the macOS device while in sleeping mode, and specific broadcast
>> >>   traffic generated by newer Android devices
>> >> * AP-COS while in FlexConnect mode provides Proxy ARP (ARP caching)
>> >>   services by default. Due to their address learning design, they will
>> >>   modify table entries based on this traffic leading to default gateway ARP
>> >>   entry modification
>> >
>> > The fix was to disable ARP caching on the APs so they don't proxy ARP
>> > but ARP replies pass directly between client devices.
>> >
>> > --
>> > Hugo Slabbert | email, xmpp/jabber: h...@slabnet.com
>> > pgp key: B178313E | also on Signal
>> >
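
A passive check for the symptom discussed in this thread, as an added example that is not from any poster or vendor: it parses captured Ethernet frames and reports every ARP packet that binds the gateway IP to a MAC other than the router's. The gateway IP and MAC, the client MAC, the `make_frame` helper and the sample frames are all constructed assumptions.

```python
import struct

GATEWAY_IP = "192.0.2.1"            # assumption: the VLAN's default gateway
GATEWAY_MAC = "00:00:5e:00:53:01"   # assumption: the router's real MAC

def _mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_arp(frame):
    """Return the ARP fields of an Ethernet frame, or None if it is not IPv4 ARP."""
    if len(frame) < 14:
        return None
    off, ethertype = 14, struct.unpack("!H", frame[12:14])[0]
    if ethertype == 0x8100 and len(frame) >= 18:      # skip one 802.1Q tag
        off, ethertype = 18, struct.unpack("!H", frame[16:18])[0]
    if ethertype != 0x0806 or len(frame) < off + 28:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[off:off + 8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, _tha, tpa = struct.unpack("!6s4s6s4s", frame[off + 8:off + 28])
    return {"op": op, "sha": _mac(sha), "spa": ".".join(map(str, spa)),
            "tpa": ".".join(map(str, tpa))}

def gateway_conflicts(frames, gw_ip=GATEWAY_IP, gw_mac=GATEWAY_MAC):
    """Return (index, claiming MAC, kind) for ARP packets binding gw_ip to another MAC."""
    alerts = []
    for i, frame in enumerate(frames):
        arp = parse_arp(frame)
        # Requests count too: caches may learn the sender pair from either opcode.
        if arp and arp["spa"] == gw_ip and arp["sha"] != gw_mac.lower():
            alerts.append((i, arp["sha"], "reply" if arp["op"] == 2 else "request"))
    return alerts

def make_frame(op, sha, spa, tha, tpa, vlan=None):
    """Build a constructed sample frame (test data only, never sent anywhere)."""
    tobytes = lambda m: bytes.fromhex(m.replace(":", ""))
    toip = lambda a: bytes(int(x) for x in a.split("."))
    tag = b"" if vlan is None else struct.pack("!HH", 0x8100, vlan)
    hdr = b"\xff" * 6 + tobytes(sha) + tag + struct.pack("!H", 0x0806)
    return (hdr + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + tobytes(sha) + toip(spa) + tobytes(tha) + toip(tpa))

CLIENT = "02:00:00:aa:bb:cc"        # constructed client MAC
SAMPLE = [                          # constructed capture
    make_frame(2, GATEWAY_MAC, GATEWAY_IP, CLIENT, "192.0.2.50"),            # real gateway
    make_frame(1, CLIENT, "192.0.2.50", "00:00:00:00:00:00", GATEWAY_IP),    # normal lookup
    make_frame(2, CLIENT, GATEWAY_IP, "ff:ff:ff:ff:ff:ff", GATEWAY_IP),      # client claims gw
    make_frame(1, CLIENT, GATEWAY_IP, "00:00:00:00:00:00", GATEWAY_IP, 20),  # same, VLAN-tagged
]
```

Calling `gateway_conflicts(SAMPLE)` reports frames 2 and 3; the same function can be fed frames read from a capture taken on the affected VLAN.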