yeah we were hoping that given the controller based architecture, maybe there was a way to actually do two things.  Capture a list of all of the clients exhibiting this behavior, and then eventually start to hone in on individual clients and do things like packet captures.

The thing is, we really had no idea this was happening until we tried to implement a new version of code, where by Cisco introduced (of course without really making it apparent and by default enabling this "feature") a new feature that actually blacklists clients that exhibit behavior like this.  trouble is, without making it obvious this was the case, we thought the upgrade had another bug and it actually took TAC a long time to figure out why these clients were blacklisted.  So theoretically, the controllers are already able to see this behavior, whcy can't we initially alert to this behavior, report on it, then give us the option to turn it on.  Sad part is, since every one thought it was a bug, we had to back out the upgrade.  But again, if the controllers are able to "classify" the bad behavior, then there should be a way to see the collective group of offenders ahead of time.  One would think.

That leads to the next portion of this, we want to be able to build the list first, work with the end user teams to inspect those systems and find out why they are doing this.  Some could be Macs, some could be Windows based, many are likely even consumer devices like TV's etc.  We'll have to deal with them all differently but we at least need to know who they are before we just boot them off the network.

And to Cisco, turning on a feature like this by default is kind of a rookie move, it's great to add new capabilities, but you should at least have them in a non-invasive mode to start, with the admin being able to go in and enable the blacklisting when they are comfortable.

We technically haven't seen any direct issues with ARP flooding, we now know it's there and we realize behind the scenes it is likely causing issues with CPU spikes, wireless client reliability, etc.

Apparently, there is a "new feature" in the version of code we were upgrading too that specifically looks for wireless clients that are essentially committing bad ARP behavior and by default, the WLC blacklists the client.  This feature didn't exist in 17.3.3 which is what we are upgrading from.  As far is the IP reuse/theft, we're not seeing this from these clients.  They just appear to behaving poorly as it relates to ARP.

Again, really, we understand how to troubleshoot the individual clients once we find out who they are, but so far we've found no way of creating the list of naughty clients.  We're really not looking to upgrade back to 17.3.5a+ without having fixed this.  there are some new commands to change when/how the rate limiting is done for ARP flooding but that's not the point, we'd like find the clients and fix them ahead of time.  Is there truly no detailed logging we can do on the WLC's/AP's to find this behavior?  Again, it appears that several Cisco devices of the ARP traffic commands.

hope that makes sense.