[OpenIndiana-discuss] arp response tuning for IP Source Guard

James Carlson carlsonj at workingcode.com
Fri Jan 6 20:43:14 UTC 2017


On 01/06/17 08:17, Doug Hughes wrote:
> It seems to me that you might be hitting up against "arp_defend_rate"
> which by default says that the maximum arps it should be expecting in
> one hour is 100. If he's sending 3 per minute, that's already 180. I
> could be wrong. I'd probably try setting that to 300 and confirm what's
> going on by using "snoop arp" and then focussing in on the mac address
> of the switch and seeing how many are coming in an hour.

I doubt that, unless the Cisco device is unusually cruel and stupid.  :-/

The "defend rate" is the rate at which the system will defend itself
against active attacks -- that is, if some other system on the network
is claiming to own the Solaris machine's IP address, then the Solaris
machine will defend its ownership of the address up to that rate.

The point of the limitation is to avoid melting the network.  If the
Solaris box is configured on the same broadcast network with a "stupid"
host that insists that it owns the same IP address, then it's better for
everyone involved if the Solaris box just backs down and slinks into a
corner rather than rapidly spewing broadcast messages in an attempt to
assert its dominance.  You can never really dominate an idiot (as, well,
we've all learned recently ...).

Nobody should be challenging the system in that way.  The act of doing
so would by itself poison nodes on the same network by corrupting ARP
caches.  The defense mechanism tries to flush unintentional corruption
away by sending multiple broadcast Reply messages, but there's no
perfect way to fix the problem.  So, if that's what Cisco is really
doing, it would at least be cruel, and I don't normally think that of them.

That's why I wanted to see a packet trace and/or error messages.

You can read more about the topic here:

http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.126.7917&rep=rep1&type=pdf

or by googling "Solaris duplicate address detection."

-- 
James Carlson         42.703N 71.076W         <carlsonj at workingcode.com>
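The two mechanisms the thread argues about, modelled as an added example (this is not code from the thread, from illumos or from Solaris): Doug's diagnostic of counting ARP messages from the switch's MAC per hour, and James's description of the defense, where a host re-asserts its own address against a conflicting claim but only up to `arp_defend_rate` times per hour and otherwise backs down. The one-hour window and the default of 100 come from the discussion; the line format of `SAMPLE_TRACE` and the helper names (`parse_trace`, `max_per_hour`, `ArpDefender`, `simulate`) are constructed for this illustration and are not `snoop` output or kernel tunables. The model also shows why a switch that merely sends ARP Requests for the host's address (sender IP is the switch's own) is not a conflict and should not consume the defend budget.

```python
"""Model of ARP address defense with a per-hour rate limit (added example)."""
import re
from collections import deque, namedtuple

HOUR = 3600.0  # seconds; the thread describes the defend rate as "in one hour"

ArpEvent = namedtuple("ArpEvent", "t sender_mac op sender_ip target_ip")

# Constructed, simplified trace format (one event per line):
#   <seconds> <sender MAC> <REQUEST|REPLY> <sender IP> <target IP>
# It is NOT real `snoop arp` output; it only feeds parse_trace().
_LINE = re.compile(
    r"^\s*(?P<t>\d+(?:\.\d+)?)\s+(?P<mac>(?:[0-9a-f]{1,2}:){5}[0-9a-f]{1,2})"
    r"\s+(?P<op>REQUEST|REPLY)\s+(?P<sip>\S+)\s+(?P<tip>\S+)\s*$", re.I)

SAMPLE_TRACE = """\
# seconds  sender-MAC          op       sender-IP    target-IP   (constructed)
0.0        00:11:22:33:44:01   REQUEST  10.0.0.254   10.0.0.7
20.0       00:11:22:33:44:01   REQUEST  10.0.0.254   10.0.0.7
25.5       de:ad:be:ef:00:01   REPLY    10.0.0.7     10.0.0.7
"""


def parse_trace(text):
    """Turn the constructed trace text into ArpEvent records; skip junk lines."""
    events = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            events.append(ArpEvent(float(m["t"]), m["mac"].lower(),
                                   m["op"].upper(), m["sip"], m["tip"]))
    return events


def max_per_hour(events, mac):
    """Busiest one-hour window of ARP traffic from one sender MAC.

    This is Doug's check: trace ARP, focus on the switch's MAC, count per hour.
    """
    times = sorted(e.t for e in events if e.sender_mac == mac.lower())
    window, best = deque(), 0
    for t in times:
        window.append(t)
        while window and t - window[0] >= HOUR:   # drop events older than 1 h
            window.popleft()
        best = max(best, len(window))
    return best


class ArpDefender:
    """Host-side model of the defense James describes: answer a conflicting
    claim for our IP with a broadcast Reply, at most arp_defend_rate times per
    hour; beyond that, back down rather than flood the broadcast domain."""

    def __init__(self, own_ip, own_mac, arp_defend_rate=100):
        self.own_ip, self.own_mac = own_ip, own_mac.lower()
        self.arp_defend_rate = arp_defend_rate
        self._defenses = deque()   # timestamps of defenses within the last hour
        self.sent = self.suppressed = self.ignored = 0

    def observe(self, ev):
        """Process one ARP event; return 'defend', 'back_off' or 'ignore'."""
        # A conflict is a different MAC using OUR IP as *sender* IP.  A switch
        # asking "who has our IP?" (target IP == ours) is ordinary traffic.
        if ev.sender_ip != self.own_ip or ev.sender_mac == self.own_mac:
            self.ignored += 1
            return "ignore"
        while self._defenses and ev.t - self._defenses[0] >= HOUR:
            self._defenses.popleft()
        if len(self._defenses) < self.arp_defend_rate:
            self._defenses.append(ev.t)
            self.sent += 1
            return "defend"      # would broadcast a Reply: own_ip is own_mac
        self.suppressed += 1
        return "back_off"


def simulate(events, own_ip, own_mac, arp_defend_rate=100):
    """Run a defender over the events and summarise what it did."""
    d = ArpDefender(own_ip, own_mac, arp_defend_rate)
    for ev in sorted(events, key=lambda e: e.t):
        d.observe(ev)
    return {"sent": d.sent, "suppressed": d.suppressed, "ignored": d.ignored}


def switch_probe_events(switch_mac, switch_ip, host_ip, per_minute=3, hours=2):
    """Constructed load: a switch sending per_minute ARP Requests for host_ip."""
    step = 60.0 / per_minute
    n = int(hours * HOUR / step)
    return [ArpEvent(i * step, switch_mac, "REQUEST", switch_ip, host_ip)
            for i in range(n)]


def rogue_claim_events(rogue_mac, host_ip, every=10.0, hours=1):
    """Constructed load: a misconfigured host asserting host_ip every few seconds."""
    n = int(hours * HOUR / every)
    return [ArpEvent(i * every, rogue_mac, "REPLY", host_ip, host_ip)
            for i in range(n)]


if __name__ == "__main__":
    probes = switch_probe_events("00:11:22:33:44:01", "10.0.0.254", "10.0.0.7")
    print("switch ARPs in busiest hour:", max_per_hour(probes, "00:11:22:33:44:01"))
    print("defender vs. switch probes:", simulate(probes, "10.0.0.7", "08:00:20:aa:bb:cc"))
    rogue = rogue_claim_events("de:ad:be:ef:00:01", "10.0.0.7")
    print("defender vs. rogue claims:", simulate(rogue, "10.0.0.7", "08:00:20:aa:bb:cc"))
```

Running it shows the distinction the reply draws: three Requests per minute from the switch give 180 messages in the busiest hour but zero defenses, because none of them claims the host's address; a rogue host asserting the address every ten seconds for an hour triggers exactly 100 defenses and 260 suppressed conflicts, the "backs down and slinks into a corner" behaviour.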
