Apple devices spoofing default gateway?

Mel Beckman mel at beckman.org
Thu Mar 14 18:13:50 UTC 2019


You asked if anyone else has seen this. It’s possibly going on in other networks but nobody is noticing. What symptoms brought the problem to your attention?

You can sanitize the packet captures by limiting them to just the headers. The payloads are likely not useful for troubleshooting anyway, since this seems to be a Layer 2 problem. You asked for help, and sanitized packets would help people help you :)

 -mel

> On Mar 14, 2019, at 10:02 AM, Simon Lockhart <simon at slimey.org> wrote:
> 
> On Thu Mar 14, 2019 at 12:53:01PM +0000, Mel Beckman wrote:
>> Can you post some packet captures? 
> 
> I have some packet captures, but as they're from a live network, I'd rather
> not post them publicly.
> 
>> I was a network engineer on the WiFi network at SFO, for both passengers and
>> baggage scanners, with several hundred APs. Several times we were misled by
>> packet captures that seemed to show client traffic causing network problems,
>> such as packet storms, but which ultimately always had some more mundane
>> cause, like a failed DHCP server or flapping switch interface. 
> 
> Sure - we're rattling every possible other cause we can think of, including
> using alternative DHCP server software vendor, etc. The only thing that's
> reliably making the problem go away is running the APs against WLC version 8.2.
> 
>> The particular SFO network I worked on has Juniper switching and Aruba APs,
>> so it's not directly applicable to your ecosystem. But the complexities of
>> interpreting packet captures may apply.
> 
> I'm the sort of person who has copies of RFCs printed out on his desk. I'm 
> fairly experienced at interpreting packet captures :)
> 
> Simon
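
The header-only sanitizing suggested in the reply above, as an added example that is not part of the original thread. It assumes a classic little-endian pcap file (not pcapng) with Ethernet link type; the function names and the sample frames are constructed for illustration.

```python
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4  # classic pcap, microsecond timestamps, little-endian

def header_length(frame: bytes) -> int:
    """Return how many leading bytes of an Ethernet frame are protocol headers."""
    if len(frame) < 14:
        return len(frame)
    ethertype, offset = struct.unpack_from("!H", frame, 12)[0], 14
    while ethertype in (0x8100, 0x88A8) and len(frame) >= offset + 4:  # VLAN tags
        ethertype = struct.unpack_from("!H", frame, offset + 2)[0]
        offset += 4
    if ethertype == 0x0806:  # ARP for Ethernet/IPv4 is 28 bytes; drops padding
        return min(len(frame), offset + 28)
    if ethertype == 0x0800 and len(frame) >= offset + 20:  # IPv4
        l4 = offset + (frame[offset] & 0x0F) * 4
        fragment = struct.unpack_from("!H", frame, offset + 6)[0] & 0x1FFF
        proto = frame[offset + 9]
        if proto == 6 and not fragment and len(frame) >= l4 + 13:  # TCP data offset
            return min(len(frame), l4 + (frame[l4 + 12] >> 4) * 4)
        if proto in (1, 17) and not fragment:  # ICMP, UDP: fixed 8-byte header
            return min(len(frame), l4 + 8)
        return min(len(frame), l4)  # other protocols or later fragments: IP only
    return offset  # unknown EtherType: keep only the link-layer header

def strip_payloads(pcap: bytes) -> bytes:
    """Rewrite a classic pcap so that every record holds protocol headers only."""
    magic, linktype = struct.unpack_from("<I16xI", pcap, 0)
    if magic != PCAP_MAGIC_LE or linktype != 1:
        raise ValueError("expected little-endian classic pcap, Ethernet link type")
    out, pos = bytearray(pcap[:24]), 24
    while pos + 16 <= len(pcap):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from("<IIII", pcap, pos)
        frame = pcap[pos + 16 : pos + 16 + incl_len]
        kept = frame[: header_length(frame)]
        # orig_len is left alone so the on-wire size stays visible to the reader
        out += struct.pack("<IIII", ts_sec, ts_usec, len(kept), orig_len) + kept
        pos += 16 + incl_len
    return bytes(out)

def sample_capture() -> bytes:
    """Constructed sample: a padded ARP reply and a TCP segment with a payload."""
    eth = bytes(6) + bytes.fromhex("020000000001")
    arp = eth + b"\x08\x06" + bytes.fromhex("0001080006040002") + bytes(38)
    ip = bytes.fromhex("450000300000400040060000c0000201c0000202")
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, 0x18, 1024, 0, 0)
    frames = [arp, eth + b"\x08\x00" + ip + tcp + b"secret=1"]
    body = b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
    return struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1) + body
```

The output still contains MAC and IP addresses, since those live in the headers; only the application payload and frame padding are removed.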


