Turn on client isolation on the access points?
> On Jun 7, 2019, at 3:00 PM, Hugo Slabbert <[email protected]> wrote:
>
>> On Fri 2019-Jun-07 16:21:29 +1000, www boy <[email protected]> wrote:
>>
>> I just joined nanog to allow me to respond to a thread that Simon posted in
>> March.
>> (Not sure if this is how to respond)
>>
>> We have the exact same problem with Aruba Access points and with multiple
>> MacBooks and an iMac.
>> Where the device will spoof the default gateway and the effect is that the VLAN
>> is not usable.
>>
>> I also have raised a case with Apple but so far no luck.
>>
>> What is the status of your issue? Any luck working out exactly what the
>> cause is?
>
> We appeared to hit this with Cisco kit:
> https://www.cisco.com/c/en/us/support/docs/wireless/aironet-3800-series-access-points/214491-arp-responses-for-default-gateway-ip-add.html
>
> They don't say *exactly* that the Apple devices are spoofing the gateway, but
> some behaviour in what they send out results in the proxy ARP being performed
> by the APs to update the ARP entry for the gateway address to the clients':
>
>> * This is not a malicious attack, but triggered by an interaction between
>> the macOS device while in sleeping mode, and specific broadcast traffic
>> generated by newer Android devices
>> * AP-COS while in FlexConnect mode provides Proxy ARP (ARP caching) services
>> by default. Due to their address learning design, they will modify table
>> entries based on this traffic leading to default gateway ARP entry
>> modification
>
> The fix was to disable ARP caching on the APs so they don't proxy ARP but ARP
> replies pass directly between client devices.
>
> --
> Hugo Slabbert | email, xmpp/jabber: [email protected]
> pgp key: B178313E | also on Signal
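The symptom described in the thread (the gateway's ARP entry being overwritten with a client's MAC, so the VLAN stops working) is straightforward to confirm from a packet capture before touching AP settings such as client isolation or ARP caching. The script below is an added example, not code from the thread, from Cisco or from Aruba: it parses tcpdump-style ARP output, replays the replies through a simple IP-to-MAC cache model, and reports every time the gateway IP is answered for by a MAC other than the expected one. The gateway address, the MACs and the capture lines are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Assumed values for the example VLAN (constructed, not taken from the thread).
GATEWAY_IP = "10.0.0.1"
GATEWAY_MAC = "00:11:22:33:44:55"

# Constructed tcpdump-style ARP output (as printed by `tcpdump -ni <iface> arp`);
# no real capture was used.
SAMPLE_CAPTURE = """\
15:00:01.000100 ARP, Request who-has 10.0.0.1 tell 10.0.0.20, length 28
15:00:01.000350 ARP, Reply 10.0.0.1 is-at 00:11:22:33:44:55, length 28
15:00:02.310000 ARP, Reply 10.0.0.30 is-at 3c:22:fb:11:22:33, length 28
15:00:09.220000 ARP, Reply 10.0.0.1 is-at aa:bb:cc:00:00:99, length 28
15:00:09.221000 ARP, Request who-has 10.0.0.30 tell 10.0.0.20, length 28
15:00:15.500000 ARP, Reply 10.0.0.1 is-at 00:11:22:33:44:55, length 28
"""

# Matches only ARP replies; requests do not overwrite a client's cache here.
REPLY_RE = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"is-at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class ArpReply:
    ts: str
    ip: str
    mac: str


def parse_arp_replies(text):
    """Return the ARP replies found in tcpdump-style text, MACs lower-cased."""
    replies = []
    for line in text.splitlines():
        m = REPLY_RE.match(line)
        if m:
            replies.append(ArpReply(m["ts"], m["ip"], m["mac"].lower()))
    return replies


def audit_gateway_arp(replies, gateway_ip=GATEWAY_IP, gateway_mac=GATEWAY_MAC):
    """Replay replies into an IP->MAC cache and record every change to the
    gateway entry, plus every MAC that claimed the gateway IP without being
    the expected one (the 'gateway spoofing' symptom from the thread)."""
    cache = {}
    changes = []          # (timestamp, previous MAC, new MAC) for the gateway
    rogue_macs = set()    # MACs other than the expected gateway MAC
    expected = gateway_mac.lower()
    for r in replies:
        previous = cache.get(r.ip)
        cache[r.ip] = r.mac
        if r.ip != gateway_ip:
            continue
        if r.mac != expected:
            rogue_macs.add(r.mac)
        if previous is not None and previous != r.mac:
            changes.append((r.ts, previous, r.mac))
    return {"cache": cache, "gateway_changes": changes, "rogue_macs": rogue_macs}


if __name__ == "__main__":
    result = audit_gateway_arp(parse_arp_replies(SAMPLE_CAPTURE))
    for ts, old, new in result["gateway_changes"]:
        print(f"{ts}: gateway {GATEWAY_IP} moved from {old} to {new}")
    if result["rogue_macs"]:
        print("MACs other than the expected gateway answered for it:",
              ", ".join(sorted(result["rogue_macs"])))
```

On a live network, feed it the output of `tcpdump -ni <iface> arp` taken from a client on the affected VLAN; a gateway entry that flips between the router's MAC and a wireless client's MAC, as in the constructed sample, is the behaviour the Cisco note attributes to the APs' proxy ARP / ARP caching, and the rogue MAC identifies which client the AP learned the gateway address from.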

