[OpenIndiana-discuss] arp response tuning for IP Source Guard

PÁSZTOR György pasztor at linux.gyakg.u-szeged.hu
Fri Jan 6 17:15:29 UTC 2017


Hi,

"Tim Mooney" <Tim.Mooney at ndsu.edu> wrote on 2017-01-05 at 14:37:
> 
> I'm running hipster, updated a few days ago, illumos-b106467
> 
> Our network engineers recently enabled Cisco's IP Source Guard on the
> subnet my workstation is on.  The IP Source Guard overview is here:
> 
> 	http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SY/configuration/guide/sy_swcg/ip_source_guard.html#66969
> 
[...]
> Anyone have any suggestions for what tuning I should be looking at
> that would tell the Illumos network stack that it's OK to respond to
> semi-frequent batches of ARP probes?

Have you run any tcpdump / anything to check what exactly happens?

As far as I remember, this feature does the following:
It has a DHCP snooping database, which basically tracks all DHCP requests.
When a host / MAC at a port gets a valid DHCP offer, it writes that into its
snooping database.
So, in the snooping database, the records are tuples like this:
ip, mac, switch, port
Therefore it can validate the "unsafe" ports: every incoming packet
must have that source IP, the frame must have the given source MAC, and
it is allowed in only from the given switch port.
There are "trusted" ports. In practice the switches trust each other; that's
how switching keeps working.
As far as I remember the feature, one port may have more than one entry.
E.g. if you put a SOHO switch / hub on an edge port, then it is your
responsibility that those machines do not steal / spoof each other's
MAC address / IP.

So the whole thing is about valid DHCP leases.
Do your host / hosts have valid DHCP leases?

Cheers,
Gyu
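The filter described in the reply above, as an added example that is not part of the thread and not Cisco's or illumos' code: a DHCP snooping table of (ip, mac, switch, port) tuples, trusted ports that are never validated, untrusted ports on which source IP, source MAC and ingress port must all match a binding, several bindings on one edge port, and a host with no lease at all. The switch and port names, MAC/IP addresses and the lease expiry are constructed assumptions of this model.

```python
"""Toy model of an IP Source Guard filter fed by a DHCP snooping table.

Added example (not from the mailing-list thread, not vendor code).  It models
only what the reply describes: bindings learned from valid DHCP leases,
trusted ports that pass unfiltered, untrusted ports on which source IP,
source MAC and ingress port must all match, and ports carrying more than one
binding.  Lease expiry removing a binding is an assumption of this model.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    switch: str
    port: str
    expires: float  # absolute time (seconds); binding is invalid after this


class SnoopingTable:
    """DHCP snooping database: one entry per valid lease seen on an untrusted port."""

    def __init__(self):
        self._bindings = set()

    def learn(self, ip, mac, switch, port, now, lease_seconds):
        """Record a lease when a DHCP reply for (ip, mac) is seen arriving at switch/port."""
        # A renewed lease for the same host replaces its earlier entry.
        self._bindings = {b for b in self._bindings if not (b.ip == ip and b.mac == mac.lower())}
        self._bindings.add(Binding(ip, mac.lower(), switch, port, now + lease_seconds))

    def lookup(self, ip, mac, switch, port, now):
        """True if an unexpired binding matches all four fields."""
        return any(
            b.ip == ip and b.mac == mac.lower() and b.switch == switch
            and b.port == port and b.expires > now
            for b in self._bindings
        )

    def entries_for_port(self, switch, port, now):
        """IPs currently bound to one port (a SOHO switch behind an edge port yields several)."""
        return sorted(b.ip for b in self._bindings
                      if b.switch == switch and b.port == port and b.expires > now)


class IPSourceGuard:
    def __init__(self, table, trusted_ports):
        self.table = table
        self.trusted = set(trusted_ports)  # (switch, port) pairs, e.g. inter-switch uplinks

    def permit(self, switch, port, src_mac, src_ip, now):
        """Decide whether a frame arriving at switch/port may enter the network."""
        if (switch, port) in self.trusted:
            return True  # switches trust each other; trusted ports are not validated
        return self.table.lookup(src_ip, src_mac, switch, port, now)


def demo():
    """Constructed scenario; returns the guard's decision for each sample frame."""
    table = SnoopingTable()
    guard = IPSourceGuard(table, trusted_ports={("sw1", "Gi1/0/48")})
    t = 1000.0

    # Leases learned from DHCP replies (constructed sample data, hypothetical names).
    table.learn("10.0.0.11", "00:11:22:33:44:11", "sw1", "Gi1/0/1", now=t, lease_seconds=3600)
    # Two hosts behind a small unmanaged switch on the same edge port.
    table.learn("10.0.0.21", "00:11:22:33:44:21", "sw1", "Gi1/0/2", now=t, lease_seconds=3600)
    table.learn("10.0.0.22", "00:11:22:33:44:22", "sw1", "Gi1/0/2", now=t, lease_seconds=3600)

    later = t + 10
    return {
        "matching_host": guard.permit("sw1", "Gi1/0/1", "00:11:22:33:44:11", "10.0.0.11", later),
        "spoofed_ip": guard.permit("sw1", "Gi1/0/1", "00:11:22:33:44:11", "10.0.0.99", later),
        "spoofed_mac": guard.permit("sw1", "Gi1/0/1", "00:11:22:33:44:aa", "10.0.0.11", later),
        "wrong_port": guard.permit("sw1", "Gi1/0/3", "00:11:22:33:44:11", "10.0.0.11", later),
        "second_host_same_port": guard.permit("sw1", "Gi1/0/2", "00:11:22:33:44:22", "10.0.0.22", later),
        "neighbour_stealing_ip": guard.permit("sw1", "Gi1/0/2", "00:11:22:33:44:21", "10.0.0.22", later),
        "trusted_uplink": guard.permit("sw1", "Gi1/0/48", "de:ad:be:ef:00:01", "192.0.2.5", later),
        "static_ip_no_lease": guard.permit("sw1", "Gi1/0/4", "00:11:22:33:44:44", "10.0.0.44", later),
        "expired_lease": guard.permit("sw1", "Gi1/0/1", "00:11:22:33:44:11", "10.0.0.11", t + 7200),
        "port2_entries": table.entries_for_port("sw1", "Gi1/0/2", later),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:24s} {decision}")
```

The `static_ip_no_lease` and `expired_lease` cases are the ones the reply's closing question points at: a host whose address never came from a DHCP lease the switch saw, or whose lease has lapsed, has no binding and is dropped on an untrusted port regardless of what it sends.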


