[OpenIndiana-discuss] arp response tuning for IP Source Guard

[Tim Mooney]

In regard to: Re: [OpenIndiana-discuss] arp response tuning for IP Source...:

All-

Here's some more information on this thread I started related to
Cisco's IP Source Guard feature (with ARP probes) and intermittent
packet loss from OI.

Our network engineers opened a case with Cisco, and Cisco eventually
decided that it's a limitation in the current implementation.  Cisco
TAC referenced CSCva54094 related to the issue.

While testing and debugging, we also discovered that some of the
list speculation from earlier in the thread turned out to be correct:
we could pacify the Cisco switch if I set the following two ARP-related
tunables:

 	sudo ndd -set /dev/arp arp_defend_interval 20000
 	sudo ndd -set /dev/arp arp_defend_rate 360

For whatever reason, making OI gratuitously ARP more frequently than every
minute (we chose every 20 seconds) was enough to make the Cisco switch
keep its device map up to date.

If we hear of a fix being released from Cisco I'll follow-up again, but
otherwise that probably closes out this thread.

Tim
-- 
Tim Mooney                                             Tim.Mooney at ndsu.edu
Enterprise Computing & Infrastructure                  701-231-1076 (Voice)
Room 242-J6, Quentin Burdick Building                  701-231-8541 (Fax)
North Dakota State University, Fargo, ND 58105-5164