Wireless Access

last person joined: 2 days ago 

Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.
Expand all | Collapse all

Attack ArpND by AP ARUBA

  • 1.  Attack ArpND by AP ARUBA

    Posted Apr 09, 2018 07:54 AM
    Good morning friends.
    
    A few days ago I had a problem with my nobreaks from one of the racks of my company, and since the electricity here is unstable, I have several power outages throughout the week. There are 8 stacked switches distributed in 2 circuits and one nobreak for each circuit.
    In these racks, I have several Aruba APS distributed and I realize that when the power fails and the switch loses connection, the APS seem to get lost and start to do ArpND attack on the network, with many APS packets. (detected by the core).
    
    Sometimes, it seems these APS get the entire MAC table of the switch, as if it were responsible for the routing of the packets.
    Is it possible that this happens in case of communication failure between the AP and the controller ?! any way to make sure that in case of failure the AP simply does not transmit signal ?!
    "Attack ( arpNd ) detected on vlan.0.2 [ InPort(lag.0.104) LEN(78) DA(33:33:00:00:00:02) SA(9C:1C:12:C3:22:AA) C-TAG(8100:0002) ETYPE(86DD) SIP(fe80::9e1c:12ff:fec3:22aa) DIP(ff02::2) VER(6) PROTO(58) TOS(0) TTL(255) FLOW(0) ICMP(133:0) ]"   Thank you!

     



  • 2.  RE: Attack ArpND by AP ARUBA

    Posted Apr 09, 2018 09:49 AM
    Is this an instant cluster?


  • 3.  RE: Attack ArpND by AP ARUBA

    Posted Apr 09, 2018 11:19 AM

    We have  4 controllers.

    Aruba-01 is the master.

    Aruba-02 is the Standby

    These controllers is a cluster with IP .35

    The other 2(Aruba-03 and 04) Are Local with Master .35

     

    We have this design because number of licenses.

     

     

     



  • 4.  RE: Attack ArpND by AP ARUBA

    Posted Apr 09, 2018 01:02 PM

    No problem with the design.

     

    When the access points lose connectivity with the controller, the access points will ARP for the default gateway to try to reestablish connectivity.  What switching infrastructure is that message being generated by?



  • 5.  RE: Attack ArpND by AP ARUBA

    Posted Apr 09, 2018 01:16 PM

    Our Switch are Enterasys (Extreme Networks ).  Model B5G.

    For some reason that i dont know how to explain, during this Lost of Connectivity, all network works normally, it is only with the return of intrastructure that we gave problems. When AP's return connectivity, the network dotn work properly. It seems like the Ap's are Core of my network.



  • 6.  RE: Attack ArpND by AP ARUBA

    Posted Apr 09, 2018 01:19 PM

    How many access points do you have?



  • 7.  RE: Attack ArpND by AP ARUBA

    Posted Apr 09, 2018 02:12 PM

    Something about 140.

    56 on cluster (1 and 2)

    43 on aruba-03

    40 on aruba-04

     

    These AP's registered on ARUBA-04 are the problem. They are connected  on rack that the nobreak doesnt work.

     

     

     

     



  • 8.  RE: Attack ArpND by AP ARUBA

    Posted Apr 09, 2018 08:39 PM

    What is nobreak?



  • 9.  RE: Attack ArpND by AP ARUBA

    Posted Apr 10, 2018 08:23 AM

    Sorry Joseph.

    In Brazil, NoBreak is a UPS, battery power source ...

    but our batteries are without battery and we dont have chargers, then, with the power failure, our switches are turned off. 

     

     

     

     

     



  • 10.  RE: Attack ArpND by AP ARUBA

    Posted Apr 10, 2018 08:28 AM

    Thank you.

     

    According to the thread here:  https://community.extremenetworks.com/extreme/topics/hostdos-8-attack-arpnd-detected-on-vlan it just means that a device on your network is sending 3 ARPs in less than half a second.

     

    When access points lose connectivity to the controller, they do send ARPs for their default gateway.  Do the access points come up by themselves after?



  • 11.  RE: Attack ArpND by AP ARUBA

    Posted Apr 10, 2018 08:38 AM

    Also, what version of ArubaOS is this?



  • 12.  RE: Attack ArpND by AP ARUBA

    Posted Apr 10, 2018 10:26 AM

    Aruba OS 6.3.1.16

    when the power returns, the network becomes unstable, and we need to reset the switches because the APS become responsible for the communication of ALL Mac Adress. After reset, the network returns to properly operation and APS can connect on controller. 

     



  • 13.  RE: Attack ArpND by AP ARUBA

    Posted Apr 10, 2018 11:38 AM

    6.3.1.16 is very old.  What model controllers and what model access points are you running?  It might be time to consider an upgrade.



  • 14.  RE: Attack ArpND by AP ARUBA

    Posted Apr 10, 2018 01:32 PM

    We know. 

    But the device is out of warranty and we do not have an active contract for Aruba solution.

    We dont have authorization to update the firmware. I think many problems could be solved but we cant. 

     

    Aruba 3400

    Aps 135.

     

    Any ideia?