Customers have reported that, intermittently in a given subnetwork, Address Resolution Protocol (ARP) responses for the default gateway's IP address point to some specific wireless clients rather than to the router. This could lead to either client or network-wide connectivity problems for other devices on the same VLAN/subnetwork.
- The incorrect ARP responses point to MAC addresses that belong to Apple macOS devices running 10.14 or earlier.
- New Android devices are associated to the same subnetwork.
- The access points to which the macOS devices are associated are AP-COS (1800/2800/3800/4800/1540/1560/9100 series) in FlexConnect Local Switching or SDA mode, not Cisco IOS® APs.
- The access points have FlexConnect Proxy ARP (ARP caching) enabled.
  - By default, FlexConnect ARP caching is enabled in AP-COS 8.3 and above.
  - 8.2 is not susceptible, because it did not support AP-COS FlexConnect ARP caching.
- This problem can affect deployments with AireOS or 9800 series Wireless LAN Controllers, or with Mobility Express.
This is not a malicious attack; it is triggered by an interaction between a macOS device in sleep mode and specific broadcast traffic generated by newer Android devices.
The macOS behavior is fixed in 10.15 and above
AP-COS APs, while in FlexConnect or SDA mode, provide Proxy ARP (ARP caching) services by default. Because of their address-learning design, they update their ARP table entries based on this traffic, which results in the default gateway ARP entry being overwritten with the MAC address of the sleeping macOS client.
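The symptom above is visible on the wire as ARP replies that claim the gateway IP with a MAC address other than the router's. The following script, added here as an example and not part of this notice or any Cisco tool, parses raw Ethernet/ARP frames and flags such replies; the gateway IP, the router MAC and the sample frames are constructed assumptions.

```python
import struct

# Constructed assumptions: the real gateway IP and the router's real MAC address.
GATEWAY_IP = "192.0.2.1"
ROUTER_MAC = "00:00:5e:00:01:01"


def parse_arp(frame: bytes):
    """Return (opcode, sender_mac, sender_ip) for an Ethernet II ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != 0x0806:
        return None
    # ARP header: htype(2) ptype(2) hlen(1) plen(1) oper(2) sha(6) spa(4) tha(6) tpa(4)
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None
    sender_mac = ":".join(f"{b:02x}" for b in frame[22:28])
    sender_ip = ".".join(str(b) for b in frame[28:32])
    return oper, sender_mac, sender_ip


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Build a constructed ARP reply (opcode 2) frame, used only to create sample input."""
    smac = bytes.fromhex(sender_mac.replace(":", ""))
    tmac = bytes.fromhex(target_mac.replace(":", ""))
    sip = bytes(int(o) for o in sender_ip.split("."))
    tip = bytes(int(o) for o in target_ip.split("."))
    ethernet = tmac + smac + b"\x08\x06"
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2) + smac + sip + tmac + tip
    return ethernet + arp


def find_gateway_mac_conflicts(frames, gateway_ip=GATEWAY_IP, router_mac=ROUTER_MAC):
    """Return the sender MACs of ARP replies that answer for the gateway IP with a foreign MAC."""
    conflicts = []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        oper, sender_mac, sender_ip = parsed
        if oper == 2 and sender_ip == gateway_ip and sender_mac != router_mac:
            conflicts.append(sender_mac)
    return conflicts


# Constructed sample: one legitimate gateway reply, one reply answered with a client MAC.
SAMPLE_FRAMES = [
    build_arp_reply(ROUTER_MAC, GATEWAY_IP, "02:00:00:aa:bb:10", "192.0.2.50"),
    build_arp_reply("02:00:00:aa:bb:01", GATEWAY_IP, "02:00:00:aa:bb:20", "192.0.2.60"),
    b"\x00" * 60,  # non-ARP frame, ignored
]

if __name__ == "__main__":
    print(find_gateway_mac_conflicts(SAMPLE_FRAMES))  # prints ['02:00:00:aa:bb:01']
```

Feeding frames captured on the VLAN (for example, exported from a packet capture) through `find_gateway_mac_conflicts` shows which client MACs the APs are handing out in place of the router's.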
Disable FlexConnect Proxy ARP (ARP caching):
- If running FlexConnect with AireOS or Mobility Express, use the command config flexconnect arp-caching disable.
  - This command works with 8.10, 8.9, 8.8, 22.214.171.124, and 8.5 escalation (126.96.36.199 or above).
  - If using earlier 8.5 code, this command does not work (CSCvp73371), so upgrade to 188.8.131.52 or above.
  - If using 8.3 code, upgrade to 8.3MR5 escalation (184.108.40.206 or above, available from TAC) to get the CSCvp73371 fix.
- If using SDA Fabric mode with AireOS, use the command config flexconnect arp-caching disable.
  - This command works with 8.10, 220.127.116.11, 18.104.22.168 and 22.214.171.124.
  - If using earlier 8.5 or 8.8 code, this command does not work (CSCvk79850), so upgrade to 126.96.36.199 / 188.8.131.52 / 8.10 or above.
- If running FlexConnect with a 9800 series controller, use the command no arp-caching under wireless profile flex.
By disabling FlexConnect Proxy ARP, ARP requests for wireless clients will be broadcast over the air, rather than answered by the APs. This will increase battery consumption somewhat for wireless handheld devices such as Cisco 8821 phones.
If running FlexConnect with AireOS 184.108.40.206 or above (CSCvp42721), and if no clients need to use static addressing, then:
- make sure that, at each location, all APs are in the same non-default FlexConnect group;
- configure DHCP Required on the WLAN;
- use the command config flexconnect arp-caching disable.
This will prevent clients from using IP addresses other than the ones assigned by DHCP.