[OpenIndiana-discuss] arp response tuning for IP Source Guard

James Carlson carlsonj at workingcode.com
Thu Jan 5 22:03:10 UTC 2017


On 01/05/17 15:37, Tim Mooney wrote:
> When that was enabled for the subnet I'm on, my hipster workstation and
> the hipster VirtualBox VM I have both started experiencing packet loss.
> Talking with the network engineers, the Cisco switch is sending batches
> of 3 ARP probes periodically, and both my workstation and the VM appear
> to be periodically not responding to the ARP probes.  That causes the
> switch to temporarily ban/block packets from either system, which is
> what's causing the intermittent packet loss.
> 
> Anyone have any suggestions for what tuning I should be looking at
> that would tell the Illumos network stack that it's OK to respond to
> semi-frequent batches of ARP probes?

It would be great to see the syslog messages and (if possible) a packet
trace showing what's going on.  In general, if the system itself is
directly responsible for these outages, it will at least log something
about the event.

Are these ARP requests or responses?  There are subtle differences
between the two.

Based on what I remember from working on this code many years ago, one
of the really confusing bits to deal with is Ethernet bridge ("switch")
behavior itself.  Many bridges (I think at least Extreme, and probably
others) have special mechanisms built-in to protect against ARP storms,
and they rate-limit based on the number of broadcasts.  This is (I
believe!) independent of any sort of "Source Guard" feature.  I ran into
this issue numerous times when testing Solaris IP Duplicate Address
Detection.

It's also possible that it's something else -- such as a driver issue.

-- 
James Carlson         42.703N 71.076W         <carlsonj at workingcode.com>
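
The reply above asks for a packet trace and whether the frames are ARP requests or responses. The following is an added example, not part of the original message and not illumos or Cisco code: it classifies ARP frames from a capture and lists requests or probes for one host that drew no reply within a timeout. It assumes untagged Ethernet frames already extracted as (timestamp, raw bytes) pairs; the addresses, the 0.4 s timeout and the sample trace are constructed.

```python
import struct

ARP_REQUEST, ARP_REPLY = 1, 2
ZERO_IP = b"\x00" * 4

def parse_arp(frame):
    """Return ARP fields of an untagged Ethernet frame, or None if not IPv4 ARP."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return {"op": op, "sha": sha, "spa": spa, "tha": tha, "tpa": tpa}

def classify(a):
    """Name the ARP message type; the op code alone does not separate these."""
    if a["op"] != ARP_REQUEST:
        return "reply" if a["op"] == ARP_REPLY else "other"
    if a["spa"] == ZERO_IP:
        return "probe"         # RFC 5227 probe: request with all-zero sender IP
    if a["spa"] == a["tpa"]:
        return "announcement"  # gratuitous ARP for the sender's own address
    return "request"

def unanswered(trace, host_ip, timeout=0.4):
    """Timestamps of requests/probes for host_ip with no reply inside timeout."""
    parsed = [(ts, a) for ts, a in ((ts, parse_arp(f)) for ts, f in trace) if a]
    missed = []
    for ts, q in parsed:
        if classify(q) not in ("request", "probe") or q["tpa"] != host_ip:
            continue
        if not any(classify(r) == "reply" and r["spa"] == host_ip
                   and r["tha"] == q["sha"] and ts <= rts <= ts + timeout
                   for rts, r in parsed):
            missed.append(ts)
    return missed

def build(op, sha, spa, tha, tpa, dst=b"\xff" * 6):  # sample-frame helper only
    hdr = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    return dst + sha + b"\x08\x06" + hdr + sha + spa + tha + tpa

# Constructed sample trace (not from the thread): documentation-range addresses.
SW, HOST = b"\x02\0\0\0\0\x01", b"\x02\0\0\0\0\x02"
SW_IP, HOST_IP = bytes([192, 0, 2, 1]), bytes([192, 0, 2, 10])
TRACE = [(0.0, build(1, SW, SW_IP, b"\0" * 6, HOST_IP)),
         (0.001, build(2, HOST, HOST_IP, SW, SW_IP, dst=SW)),
         (10.0, build(1, SW, ZERO_IP, b"\0" * 6, HOST_IP)),
         (10.5, build(1, SW, ZERO_IP, b"\0" * 6, HOST_IP)),
         (11.0, build(1, SW, ZERO_IP, b"\0" * 6, HOST_IP)),
         (11.002, build(2, HOST, HOST_IP, SW, ZERO_IP, dst=SW))]
```

On the constructed trace, unanswered(TRACE, HOST_IP) returns the timestamps of the first two probes in the batch of three, which is the pattern to compare against syslog entries from the same moments.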


