Cloud Managed Networks


Limit ARP / GARP back into the Wireless Network

  • 1.  Limit ARP / GARP back into the Wireless Network

    Posted Oct 06, 2025 05:06 AM

    Good day,

    At one of our sites, we have a gateway cluster deployed with 900+ AP-735's, managed through Central. Although we have client isolation enabled, we see a huge amount of ARP/GARP traffic coming back from the AP's into the wireless network. We don't want this traffic to be there, so we tried to enable deny inter-vlan-bridging, but somehow that led to unavailability of our DNS servers. How can we make sure this traffic is blocked without disrupting all the other traffic?

    Best regards,

    Chris



    -------------------------------------------


  • 2.  RE: Limit ARP / GARP back into the Wireless Network

    Posted Oct 06, 2025 07:05 PM

    Client isolation should only prevent traffic between devices on the same VLAN, only allowing access to the default gateway or anything that has been statically defined to be allowed.  Is your DNS server on the same VLAN as the client devices?



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 3.  RE: Limit ARP / GARP back into the Wireless Network

    Posted Oct 07, 2025 03:28 AM

    Client isolation is enabled, but that doesn't stop the ARP/GARP traffic from being sent back onto the wireless network. Client captures show an intense amount of this traffic. Why is it there and can we stop it?

    -------------------------------------------



  • 4.  RE: Limit ARP / GARP back into the Wireless Network

    Posted Oct 07, 2025 03:28 AM

    Oh, and btw, the DNS server is not on the same VLAN.

    -------------------------------------------



  • 5.  RE: Limit ARP / GARP back into the Wireless Network

    Posted Oct 07, 2025 11:33 AM
    Edited by chulcher Oct 07, 2025 11:33 AM

    Client isolation is going to prevent ARP from clients to other clients, but not from the wired network or the default gateway.  The client VLAN is being provided by the mobility gateway, yes?  Do you have "suppress ARP" (and "BCMC optimization") enabled on the VLAN interface?

    What version of AOS 10 are you running?



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 6.  RE: Limit ARP / GARP back into the Wireless Network

    Posted Oct 09, 2025 04:15 AM

    We are running 10.7.2.0 on the gateways (will be upgraded soon), 10.7.2.1 on the AP's. 

    The VLAN interfaces are on the distribution switches, which also contain ACL's to prevent inter-vlan connectivity. Suppress ARP is not enabled, but that should be enabled automatically under the hood (so I have been told), BCMC is enabled (broadcast filtering ARP), DMO is enabled (I hear the advice to enable this is undone because of mDNS flooding?). 

    Possible solution from our TME: only enable deny inter user bridging? (Also no mac-to-IP tracking possible). Can you confirm?



    ------------------------------
    Chris Donkelaar, Wireless Specialist, SURF, ACMX
    ------------------------------



  • 7.  RE: Limit ARP / GARP back into the Wireless Network

    Posted Oct 09, 2025 11:10 AM

    Suppress ARP is a specific configuration item that should be enabled on the VLAN interface of the gateway, you need to verify that the option is enabled.  There is nothing "under the hood" about that setting.  BCMC is also a configuration item on the VLAN interface of the gateway, this is a separate item than the WLAN configuration.  Both of these items instruct the gateway to limit the amount of traffic allowed into the VLAN on the gateway, which means that the gateway will limit the amount of traffic sent across the VLAN to the AP and then the clients.

    DMO should only be enabled if you know exactly what that configuration is doing and you absolutely need the feature; otherwise disable it to prevent multicast flooding that will bypass other multicast controls.

    TME?  Who?

    There is only one supported option in AOS 10, and it is configured in the WLAN options.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 8.  RE: Limit ARP / GARP back into the Wireless Network

    Posted Oct 10, 2025 04:56 AM

    Well, I have suppress ARP disabled on my VLAN 800:

    But when I do: show datapath vlan on the gateway, I get this response on my vlan:

    Flags: N - Nat Inside, M - Route Multicast, R - Routing
           S - Snoop MLD, G - Snoop IGMP, P - Proxy IGMP
           B - BCMC Optimization, A - Proxy ARP, U - Suppress ARP
           W - GW Proxy ARP, O - Nat Outside
           1(cert-id) - 8021X Term-PEAP, 2(cert-id) - 8021X Term-TLS
           u - Uplink VLAN, f - Openflow Enabled, p - PPPoE, m - MTU
           H2 - L2 Relay, H4 - IPv4 Relay, H6 - IPv6 Relay

    VLAN  Flags         Ingress RACL  L3-idx   Mtu    Adj-Mss   Ports
    ----  ------------  ------------  ------  -----  ---------  -----

    800   RUm           0             0       1500   0          0/0/2, 0/0/3

    Now tell me, what is not under the hood? Or do I interpret this wrong?

    DMO is being investigated and will probably be turned off.

    We have enabled the deny intra vlan traffic (client isolation). That's why it struck us that we can still see this ARP/GARP traffic.



    ------------------------------
    Chris Donkelaar, Wireless Specialist, SURF, ACMX
    ------------------------------
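The flag decoding argued about in the post above, as an added example that is not code from the thread or from HPE Aruba Networking: a small Python parser for the "show datapath vlan" listing that reads the legend block and maps each letter in the Flags column back to its feature name. The sample output is a constructed copy of the listing quoted in the post; per that legend, "RUm" decodes to Routing, Suppress ARP and MTU, so the datapath reports the Suppress ARP flag as set on VLAN 800. The function and variable names are my own.

```python
"""Decode the Flags column of a gateway `show datapath vlan` listing.

Added example, not code from the thread or from HPE Aruba Networking. It
parses the legend block and the VLAN table in the format shown in the post
and reports, per VLAN, which datapath features are flagged, so the running
state can be compared with the configured VLAN interface settings.
"""
import re

# Constructed sample, copied from the output quoted in the thread.
SAMPLE_OUTPUT = """\
Flags: N - Nat Inside, M - Route Multicast, R - Routing
       S - Snoop MLD, G - Snoop IGMP, P - Proxy IGMP
       B - BCMC Optimization, A - Proxy ARP, U - Suppress ARP
       W - GW Proxy ARP, O - Nat Outside
       1(cert-id) - 8021X Term-PEAP, 2(cert-id) - 8021X Term-TLS
       u - Uplink VLAN, f - Openflow Enabled, p - PPPoE, m - MTU
       H2 - L2 Relay, H4 - IPv4 Relay, H6 - IPv6 Relay

VLAN  Flags         Ingress RACL  L3-idx   Mtu    Adj-Mss   Ports
----  ------------  ------------  ------  -----  ---------  -----

800   RUm           0             0       1500   0          0/0/2, 0/0/3
"""

# One table row: VLAN id, flags, RACL, L3-idx, MTU, Adj-Mss, then the port list.
# Assumes the Flags column is never empty (it is not in the sample).
ROW_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(.*)$")


def parse_legend(text):
    """Return {flag token: feature name} from the 'Flags:' legend block."""
    legend, in_legend = {}, False
    for line in text.splitlines():
        if line.startswith("Flags:"):
            in_legend = True
            line = line[len("Flags:"):]
        elif not line.startswith(" ") or not line.strip():
            in_legend = False          # legend continuation lines are indented
        if not in_legend:
            continue
        for entry in line.split(","):
            entry = entry.strip()
            if " - " not in entry:
                continue
            token, name = entry.split(" - ", 1)
            # "1(cert-id)" is shown in the legend as token 1 with a parameter
            token = re.sub(r"\(.*?\)", "", token).strip()
            legend[token] = name.strip()
    return legend


def decode_flags(flags, legend):
    """Split a Flags cell into feature names; multi-letter tokens (H2, H4) first."""
    tokens = sorted(legend, key=len, reverse=True)
    features, unknown, i = [], [], 0
    while i < len(flags):
        for tok in tokens:
            if flags.startswith(tok, i):
                features.append(legend[tok])
                i += len(tok)
                break
        else:
            unknown.append(flags[i])   # letter not present in the legend
            i += 1
    return features, unknown


def parse_vlans(text):
    """Return {vlan id: {flags, features, unknown, mtu, ports}} for every row."""
    legend, vlans = parse_legend(text), {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        features, unknown = decode_flags(m.group(2), legend)
        vlans[int(m.group(1))] = {
            "flags": m.group(2), "features": features, "unknown": unknown,
            "mtu": int(m.group(5)),
            "ports": [p.strip() for p in m.group(7).split(",")],
        }
    return vlans


def check_arp_controls(text, vlan_id):
    """Report whether the ARP/broadcast controls are flagged on one VLAN."""
    features = parse_vlans(text)[vlan_id]["features"]
    return {
        "suppress_arp": "Suppress ARP" in features,
        "bcmc_optimization": "BCMC Optimization" in features,
        "proxy_arp": "Proxy ARP" in features,
    }


if __name__ == "__main__":
    for vid, info in parse_vlans(SAMPLE_OUTPUT).items():
        print(vid, info["flags"], "->", ", ".join(info["features"]))
    print(check_arp_controls(SAMPLE_OUTPUT, 800))
```

Paste the real listing in place of the constructed sample; any letter the legend does not define is returned under "unknown" rather than silently dropped, which is the case worth noticing when a newer release adds a flag.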



  • 9.  RE: Limit ARP / GARP back into the Wireless Network

    Posted Oct 14, 2025 11:10 AM

    This is a quite specific ask, which needs more information than you provided. If you know where the traffic is coming from/initiated, and how it returns to where you don't want it to be, it may be easier to find a solution, or answer why this happens.

    This looks to me like something you would discuss with your partner, and/or TAC. I don't think the details to the level you are asking are what is typically discussed in this community. It may need to be reproduced in lab to find if it is a configuration, design, or maybe even a bug or unsupported issue.



    ------------------------------
    Herman Robers
    ------------------------------
    If you have urgent issues, always contact your HPE Aruba Networking partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact HPE Aruba Networking TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or HPE Aruba Networking.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 10.  RE: Limit ARP / GARP back into the Wireless Network

    Posted Oct 15, 2025 03:22 AM

    I do not agree with that, Herman. We followed the VSG (besides enabling DMO, which is advised to be turned off now in the new VSG) and implemented the best practices when deploying this SSID, and we still see this issue. So I'm just wondering what others do, what others see, in this situation and what I, and maybe others, have to do to prevent this from happening. I don't want any, and I mean, any, traffic between clients. That's what the Deny Intra VLAN Traffic knob is for and why we enabled it. So, what do we do wrong?



    ------------------------------
    Chris Donkelaar, Wireless Specialist, SURF, ACMX
    ------------------------------



  • 11.  RE: Limit ARP / GARP back into the Wireless Network

    Posted Oct 15, 2025 11:41 AM

    The ARP/GARP traffic that you are seeing, is that being captured on the AP uplink or over the air?

    With Deny intra VLAN traffic enabled on the WLAN, the AP is supposed to be learning the default gateway and DNS servers from the DHCP responses and then automatically allow traffic to those destinations.  You can also configure the Intra VLAN Traffic Allowlist to statically define the allowed destinations.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 12.  RE: Limit ARP / GARP back into the Wireless Network

    Posted Oct 20, 2025 07:05 AM

    I received the capture from our customer. It's from over the air, and it's all from its own VLAN (where the clients themselves reside). All while deny intra vlan traffic is enabled.



    ------------------------------
    Chris Donkelaar, Wireless Specialist, SURF, ACMX
    ------------------------------
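One way to characterise an over-the-air capture like the one described above, as an added example that is not part of the thread and not an HPE Aruba Networking tool: a standard-library Python parser that classifies raw Ethernet/ARP frames, marks gratuitous ARP (sender and target IP equal), and counts how much of the ARP is client-to-client inside the client subnet rather than to or from the gateway. The frames, the client subnet 10.20.0.0/22, the gateway 10.20.0.1 and the MAC addresses are all constructed for the illustration; the function names are my own.

```python
"""Classify ARP frames from an over-the-air client capture and summarise
who is generating them.

Added example, not code from the thread or from any HPE Aruba Networking
tool. Standard library only; the frames, subnet and gateway below are
constructed values for the illustration.
"""
import struct
from collections import Counter
from ipaddress import IPv4Address, IPv4Network

ETH = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType
ARP = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
CLIENT_NET = "10.20.0.0/22"             # assumed client VLAN subnet
GATEWAY = "10.20.0.1"                   # assumed default gateway


def mac(s):
    return bytes.fromhex(s.replace(":", ""))


def fmt_mac(b):
    return ":".join(f"{x:02x}" for x in b)


def build_arp(src, sender_ip, target_ip, op=1,
              target_mac="00:00:00:00:00:00", dst="ff:ff:ff:ff:ff:ff"):
    """Constructed test frame: Ethernet header followed by an ARP body."""
    body = ARP.pack(1, 0x0800, 6, 4, op, mac(src), IPv4Address(sender_ip).packed,
                    mac(target_mac), IPv4Address(target_ip).packed)
    return ETH.pack(mac(dst), mac(src), ETHERTYPE_ARP) + body


def parse_arp(frame):
    """Return a dict describing an ARP frame, or None for anything else."""
    if len(frame) < ETH.size + ARP.size:
        return None
    dst, src, etype = ETH.unpack_from(frame)
    if etype != ETHERTYPE_ARP:
        return None
    _, _, _, _, op, sha, spa, tha, tpa = ARP.unpack_from(frame, ETH.size)
    sender_ip, target_ip = IPv4Address(spa), IPv4Address(tpa)
    kind = {1: "request", 2: "reply"}.get(op, f"op{op}")
    # Gratuitous ARP announces the sender's own binding: sender IP == target IP.
    # An ARP probe (sender 0.0.0.0) is deliberately not counted as gratuitous.
    gratuitous = sender_ip == target_ip and int(sender_ip) != 0
    return {"src": fmt_mac(src), "dst": fmt_mac(dst), "op": kind,
            "sender_ip": sender_ip, "target_ip": target_ip, "gratuitous": gratuitous}


def summarise(frames, client_net, gateway_ip):
    """Count ARP frames, gratuitous ARP, and client-to-client ARP per capture."""
    net, gw = IPv4Network(client_net), IPv4Address(gateway_ip)
    per_sender, gratuitous, client_to_client, total = Counter(), 0, 0, 0
    for frame in frames:
        a = parse_arp(frame)
        if a is None:
            continue
        total += 1
        per_sender[a["src"]] += 1
        gratuitous += a["gratuitous"]
        # ARP with both addresses in the client subnet and neither being the
        # gateway is the client-to-client traffic the WLAN is meant to isolate.
        if (a["sender_ip"] in net and a["target_ip"] in net
                and gw not in (a["sender_ip"], a["target_ip"])):
            client_to_client += 1
    return {"arp_frames": total, "gratuitous": gratuitous,
            "client_to_client": client_to_client,
            "top_senders": per_sender.most_common(3)}


# Constructed capture: two GARPs from one client, one client resolving the
# gateway, one client resolving another client, a gateway reply, an ARP probe,
# and one non-ARP frame that must be ignored.
SAMPLE_FRAMES = [
    build_arp("aa:bb:cc:00:00:01", "10.20.1.10", "10.20.1.10"),
    build_arp("aa:bb:cc:00:00:01", "10.20.1.10", "10.20.1.10", op=2),
    build_arp("aa:bb:cc:00:00:02", "10.20.1.11", "10.20.0.1"),
    build_arp("aa:bb:cc:00:00:02", "10.20.1.11", "10.20.1.25"),
    build_arp("00:11:22:33:44:55", "10.20.0.1", "10.20.1.10", op=2,
              target_mac="aa:bb:cc:00:00:01", dst="aa:bb:cc:00:00:01"),
    build_arp("aa:bb:cc:00:00:03", "0.0.0.0", "10.20.1.12"),
    ETH.pack(mac("ff:ff:ff:ff:ff:ff"), mac("aa:bb:cc:00:00:04"), 0x0800) + bytes(40),
]

if __name__ == "__main__":
    print(summarise(SAMPLE_FRAMES, CLIENT_NET, GATEWAY))
```

For a real capture, feed the raw frame bytes from a pcap reader into summarise with the site's client subnet and gateway. The client_to_client count is the part of the ARP the thread is trying to eliminate, and top_senders shows which stations are announcing most, which is the information asked for in post 9 about where the traffic originates.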



  • 13.  RE: Limit ARP / GARP back into the Wireless Network

    Posted Oct 20, 2025 09:52 AM

    We don't have a control that will filter ARP/GARP from clients on the same WLAN on the same AP.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------