All,

For the last week or so, we have seen some unusual problems with our
autonomous (Cisco) APs. In particular, for short periods of time (~5-10
minutes), a large number of them would appear "down" in our monitoring
system.

In these instances we began capturing traffic, and until just now I
didn't realize what I was looking at.

First, a couple of captures of the networks when "out of service":

11:48:52.945768 00:1b:63:dc:5f:fc > 00:13:46:46:31:8c, ethertype ARP
(0x0806), length 60: arp who-has 192.168.0.1 tell 192.168.0.102
11:48:52.945771 00:1b:63:dc:5f:fc > 00:13:46:46:31:8c, ethertype ARP
(0x0806), length 60: arp who-has 192.168.0.1 tell 192.168.0.102
11:48:52.945920 00:1b:63:dc:5f:fc > 00:13:46:46:31:8c, ethertype ARP
(0x0806), length 60: arp who-has 192.168.0.1 tell 192.168.0.102
11:48:52.945924 00:1b:63:dc:5f:fc > 00:13:46:46:31:8c, ethertype ARP
(0x0806), length 60: arp who-has 192.168.0.1 tell 192.168.0.102


17:19:12.349320 00:1b:63:de:04:a1 > 00:16:cb:c4:72:48, ethertype ARP
(0x0806), length 60: arp who-has 10.0.1.1 tell 10.0.1.188
17:19:12.349449 00:1b:63:de:04:a1 > 00:16:cb:c4:72:48, ethertype ARP
(0x0806), length 60: arp who-has 10.0.1.1 tell 10.0.1.188
17:19:12.349453 00:1b:63:de:04:a1 > 00:16:cb:c4:72:48, ethertype ARP
(0x0806), length 60: arp who-has 10.0.1.1 tell 10.0.1.188
17:19:12.349456 00:1b:63:de:04:a1 > 00:16:cb:c4:72:48, ethertype ARP
(0x0806), length 60: arp who-has 10.0.1.1 tell 10.0.1.188
17:19:12.349477 00:1b:63:de:04:a1 > 00:16:cb:c4:72:48, ethertype ARP
(0x0806), length 60: arp who-has 10.0.1.1 tell 10.0.1.188

Basically we'd see thousands of ARPs like this.

What I just discovered this evening is that 00:1b:63 is registered to
Apple. The first MAC address above wasn't registered in our system, but
the second was .... someone's iPhone.

I am guessing that the iPhone has traveled from an off-campus location
(e.g. home network) to ours, and is trying to ARP for the gateway. The
home location may use the same SSID as we do for simplicity of
configuration.

However, in the process it's flooding our wireless network with thousands
of ARPs... in one case, nearly 11,500 ARPs per second!

Anyone else seeing this?

-Kevin
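
Added example, not part of the original message: one way to triage a capture like the one above, reporting each source MAC's peak ARP request rate and any addresses it ARPs for or from that lie outside the local subnets. LOCAL_NETS, RATE_THRESHOLD, the function names and the sample MAC addresses are assumptions made for illustration; the input is tcpdump text with numeric addresses in the format shown in the message.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Assumptions: subnets really served on the monitored VLAN, and a tuning threshold.
LOCAL_NETS = [ipaddress.ip_network("172.16.0.0/16")]
RATE_THRESHOLD = 100  # ARP requests per second from a single source MAC

TS_RE = re.compile(r"\d\d:\d\d:\d\d\.\d+ ")
ARP_RE = re.compile(r"^(\d\d:\d\d:\d\d)\.\d+ ([0-9a-f:]{17}) > [0-9a-f:]{17}, "
                    r"ethertype ARP.*?arp who-has (\S+) tell (\S+)")

def unwrap(text):
    """Rejoin records that a mail client wrapped onto a second line."""
    records = []
    for line in text.splitlines():
        if TS_RE.match(line):
            records.append(line)
        elif records and line.strip():
            records[-1] += " " + line.strip()
    return records

def find_arp_floods(text, local_nets=LOCAL_NETS, threshold=RATE_THRESHOLD):
    per_second = defaultdict(Counter)  # source MAC -> {hh:mm:ss: request count}
    foreign = defaultdict(set)         # source MAC -> off-subnet IPs it used
    for rec in unwrap(text):
        m = ARP_RE.match(rec)
        if not m:
            continue
        second, mac, target, sender = m.groups()
        per_second[mac][second] += 1
        for ip in (target, sender):
            if not any(ipaddress.ip_address(ip) in net for net in local_nets):
                foreign[mac].add(ip)
    findings = []
    for mac, counts in per_second.items():
        peak = max(counts.values())
        if peak >= threshold or foreign[mac]:
            findings.append({"mac": mac, "peak_per_sec": peak,
                             "flood": peak >= threshold,
                             "foreign_ips": sorted(foreign[mac])})
    return findings

def build_sample():
    """Constructed capture: one roaming client flooding, one normal client."""
    flood = ["11:48:52.%06d 02:00:00:aa:bb:01 > 02:00:00:cc:dd:01, ethertype ARP\n"
             "(0x0806), length 60: arp who-has 192.168.0.1 tell 192.168.0.102" % i
             for i in range(150)]
    normal = ["11:48:53.000100 02:00:00:aa:bb:02 > ff:ff:ff:ff:ff:ff, ethertype ARP "
              "(0x0806), length 60: arp who-has 172.16.0.1 tell 172.16.4.20"]
    return "\n".join(flood + normal)

if __name__ == "__main__":
    for finding in find_arp_floods(build_sample()):
        print(finding)
```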
