
On Thu, Mar 14, 2019 at 7:29 AM Simon Lockhart <simon@slimey.org> wrote:
Apple devices, but what's more strange is that we're only seeing it where those Apple devices are connected to Cisco 1810 and 1815 APs, and where those APs are connected to a Cisco WLC running v8.5 software. If we downgrade the WLC to v8.2 the problem goes away (but v8.2 doesn't support 1815 APs, so we
Apple's Bonjour protocols include something called Apple Bonjour Sleep Proxy for Wake on Demand. When a device goes to sleep, the Proxy that runs on various Apple devices is supposed to seize all the IP and MAC addresses that device had registered, so it can wait for an incoming TCP SYN (and if one's received, then signal the sleeping device to wake up and process the connection).

Bonjour and the related mDNS protocols used for AirPlay/AirPrint/etc. are built on Link-Local multicast. I wonder what would happen if some random Wireless LAN controllers malfunctioned, and decided that it would like to ignore that Link-Local restriction and proxy those packets b/w subnets anyway, as if they had been unrestricted multicast or unicast, possibly with the source IP address on registration mangled to or "gateway'd" from the router's IP address. (Or perhaps they wanted to have a feature to let someone AirPlay from a different VLAN than another device?)

Either way.... playing around with the source IP address on the Link-local m/c packets might accidentally get them a Default Gateway IP address registered with other workstations as a mobile device that's gone to sleep and needs a proxy.

--
-JH
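As an added illustration (not part of this thread and not anyone's production code), here is a small Python check a network operator could run over captured mDNS packets to spot the symptoms the reply above speculates about: a source address that is not on the local link, an IP TTL below 255 (a sign the packet was forwarded off-link rather than arriving as link-local multicast), and an A record that advertises the default gateway's own address. RFC 6762 section 11 requires mDNS receivers to ignore packets whose source is not on the local link, so such packets should never be accepted as registrations in the first place. The names, addresses and packets below are constructed sample data, and the subnet/gateway parameters are assumptions the caller supplies.

```python
import ipaddress
import struct

MDNS_GROUP = ipaddress.ip_address("224.0.0.251")  # IPv4 mDNS multicast group


def encode_name(name):
    """Encode a dotted DNS name into wire format (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_mdns_a_answer(name, ip, ttl=120):
    """Build a minimal mDNS response carrying one A record (constructed test data)."""
    # id=0, flags=0x8400 (QR=1, AA=1), qdcount=0, ancount=1, nscount=0, arcount=0
    header = struct.pack("!HHHHHH", 0, 0x8400, 0, 1, 0, 0)
    rdata = ipaddress.ip_address(ip).packed
    # type A (1), class IN with cache-flush bit (0x8001), TTL, rdlength
    rr = encode_name(name) + struct.pack("!HHIH", 1, 0x8001, ttl, len(rdata)) + rdata
    return header + rr


def read_name(payload, offset):
    """Read a DNS name at offset, following compression pointers; return (name, next_offset)."""
    labels = []
    end = None
    while True:
        length = payload[offset]
        if length == 0:
            offset += 1
            break
        if length & 0xC0 == 0xC0:  # compression pointer
            pointer = struct.unpack("!H", payload[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2
            offset = pointer
            continue
        offset += 1
        labels.append(payload[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels) + ".", (end if end is not None else offset)


def parse_a_records(payload):
    """Return [(name, ipv4)] for every A record in the answer section."""
    qdcount, ancount = struct.unpack("!HH", payload[4:8])
    offset = 12
    for _ in range(qdcount):  # skip questions: name + qtype + qclass
        _, offset = read_name(payload, offset)
        offset += 4
    records = []
    for _ in range(ancount):
        name, offset = read_name(payload, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", payload[offset:offset + 10])
        offset += 10
        rdata = payload[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            records.append((name, str(ipaddress.ip_address(rdata))))
    return records


def check_mdns_packet(src_ip, dst_ip, ip_ttl, payload, local_net, gateway_ip):
    """Return a list of findings for one captured mDNS packet (empty list = looks normal)."""
    findings = []
    src = ipaddress.ip_address(src_ip)
    if ipaddress.ip_address(dst_ip) != MDNS_GROUP:
        findings.append("not addressed to 224.0.0.251")
    if src not in ipaddress.ip_network(local_net):
        findings.append(f"off-link source {src_ip} (RFC 6762 s.11: must be ignored)")
    if ip_ttl != 255:
        findings.append(f"IP TTL {ip_ttl} != 255 (packet may have been forwarded)")
    for name, ip in parse_a_records(payload):
        if ip == gateway_ip:
            findings.append(f"{name} advertises the gateway address {ip}")
    return findings


# Constructed samples: (label, src_ip, dst_ip, ttl, payload). Subnet and gateway are assumed.
LOCAL_NET = "10.1.20.0/24"
GATEWAY = "10.1.20.1"
SAMPLES = [
    ("normal", "10.1.20.55", "224.0.0.251", 255, build_mdns_a_answer("macbook.local.", "10.1.20.55")),
    ("forwarded-gw", "10.1.20.1", "224.0.0.251", 254, build_mdns_a_answer("macbook.local.", "10.1.20.1")),
    ("off-link", "10.1.30.9", "224.0.0.251", 255, build_mdns_a_answer("iphone.local.", "10.1.30.9")),
]


def audit_samples():
    """Run the check over SAMPLES; returns {label: findings}."""
    return {label: check_mdns_packet(s, d, ttl, p, LOCAL_NET, GATEWAY)
            for label, s, d, ttl, p in SAMPLES}


if __name__ == "__main__":
    for label, findings in audit_samples().items():
        print(label, "->", findings or "ok")
```

A real deployment would feed `check_mdns_packet` from a pcap (source/destination IP and TTL from the IP header, the UDP payload as `payload`); any non-empty result on port 5353 traffic is worth correlating with the AP model and controller version the original poster mentions.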