[OpenIndiana-discuss] arp response tuning for IP Source Guard

[Tim Mooney]

All-

I'm running hipster, updated a few days ago, illumos-b106467

Our network engineers recently enabled Cisco's IP Source Guard on the
subnet my workstation is on.  The IP Source Guard overview is here:

 	http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SY/configuration/guide/sy_swcg/ip_source_guard.html#66969

It's basically a bit of additional network protection to help prevent
man-in-the-middle attacks via arp spoofing.

When that was enabled for the subnet I'm on, my hipster workstation and
the hipster VirtualBox VM I have both started experiencing packet loss.
Talking with the network engineers, the Cisco switch is sending batches
of 3 ARP probes periodically, and both my workstation and the VM appear
to be periodically not responding to the ARP probes.  That causes the
switch to temporarily ban/block packets from either system, which is
what's causing the intermittent packet loss.

Anyone have any suggestions for what tuning I should be looking at
that would tell the Illumos network stack that it's OK to respond to
semi-frequent batches of ARP probes?

Thanks,

Tim
-- 
Tim Mooney                                             Tim.Mooney at ndsu.edu
Enterprise Computing & Infrastructure                  701-231-1076 (Voice)
Room 242-J6, Quentin Burdick Building                  701-231-8541 (Fax)
North Dakota State University, Fargo, ND 58105-5164