Good day Matt,

We have a combination of IAP-135 and IAP-125's , we are running a older firmware (yeah i know it needs updating something for next month or so)

Worst luck I couldnt work out how to modify local arp caches on the access points.

I have just enabled "Deny inter user bridging" and that seems to have stopped the network from crashing when a client steals the router IP.   (this solution may not be the best for some environments tho)
Worst luck Apple is being very slow with a solution and even admitting there is a issue.

But I just wanted to make sure i updated this thread so at least people in the future can find it when they google.

If anyone else has any good ideas or solutions let me know.   I am keen to try the latest firmware to see if that has any other features that might prevent this. 

Regards,
Mike

On Sat, Jun 8, 2019 at 5:59 AM Matt Freitag <mlfreita@mtu.edu> wrote:
For those of us with Aruba wireless, www boy, could you share some more info about your setup/code version/configuration/specific APs/controller model(s)/etc?

Matt Freitag
Network Engineer
Michigan Tech IT
Michigan Technological University

We can help.
mtu.edu/it
(906) 487-1111



On Fri, Jun 7, 2019 at 3:06 PM Matt Hoppes <mattlists@rivervalleyinternet.net> wrote:
Turn on client isolation on the access points?

> On Jun 7, 2019, at 3:00 PM, Hugo Slabbert <hugo@slabnet.com> wrote:
>
>
>> On Fri 2019-Jun-07 16:21:29 +1000, www boy <wwwboy@gmail.com> wrote:
>>
>> I just joined nanog to allow me to respond to a thread that Simon posted in
>> March. .
>> (Not sure if this is how to respond)
>>
>> We have the exact same problem with Aruba Access points and with multiple
>> MacBooks and a iMac.
>> Where the device will spoof the default gateway and the effect is that vlan
>> is not usable.
>>
>> I also have raised a case with Apple but so far no luck.
>>
>> What is the status of your issue?  Any luck working out exactly what the
>> cause is?
>
> We appeared to hit this with Cisco kit:
> https://www.cisco.com/c/en/us/support/docs/wireless/aironet-3800-series-access-points/214491-arp-responses-for-default-gateway-ip-add.html
>
> They don't say *exactly* that the Apple devices are spoofing the gateway, but some behaviour in what they send out results in the proxy arp being performed by the APs to update the ARP entry for the gateway address to the clients':
>
>> * This is not a malicious attack, but triggered by an interaction between the macOS device while in sleeping mode, and specific broadcast traffic generated by newer Android devices
>> * AP-COS while in FlexConnect mode provides Proxy ARP (ARP caching) services by default.  Due to their address learning design, they will modify table entries based on this traffic leading to default gateway ARP entry modification
>
> The fix was to disable ARP caching on the APs so they don't proxy ARP but ARP replies pass directly between client devices.
>
> --
> Hugo Slabbert       | email, xmpp/jabber: hugo@slabnet.com
> pgp key: B178313E   | also on Signal