Configuration Reference - arp
cleanshutdown (toggle)
dhcp_timeout (time)
Default: 8h
Used in detection of systems with static IP addresses. Looks for broadcast DHCPDISCOVERs and flags a node as rogue if it
fails to see one before the timer is exceeded. This value should be greater than 50% of your DHCP lease time.
gw_timeout (time)
Default: 1d
Used in detection of systems with statically-defined gateway ARP entries. If a system has not ARPed for the gateway
within this interval, it is removed from the IP->MAC mappings and should be flagged as rogue by the next probe.
heartbeat (time)
Default: 30s
To eliminate the negative effects of switch flooding of poisoned ARPs on some (cough...cough...Netgear MR814v2) routers, we
must first send a valid ARP to establish that the system is on-line. The heartbeat is the length of time between the initial
"hello" and a poisoned "goodbye".
interval (time)
Default: 60s
Interval at which poisoned ARPs ("traps") are sent to infected/unregistered systems.
strobe (toggle)
Default: enabled
Options: enabled|disabled
If enabled, sends an ARP request to every IP address within range immediately after startup. This allows the internal MAC
to IP mappings to be populated quickly.
stuffing (toggle)
Default: disabled
Options: enabled|disabled
If enabled, forces the PF system to "stuff" the router's ARP cache with a bogus MAC for systems that are not responding. This
option effectively increases the "stickiness" of traps by suppressing broadcast ARP traffic from the gateway. It is also
somewhat dangerous in that it relies on systems issuing a GARP (gratuitous ARP) at boot to reclaim previously stuffed
addresses.
timeout (time)
Default: 8h
Length of inactivity after which an unresponsive system is aged out. Hello ARPs are sent at timeout/2
and at timeout-interval to avoid prematurely timing out a system.
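The dhcp_timeout, gw_timeout and timeout entries above describe three timer-driven decisions (flag a node as rogue for missing DHCPDISCOVERs, drop a node from the IP->MAC table for missing gateway ARPs, and schedule hello ARPs before aging a node out). The following is an added example that models those decisions in Python so the thresholds can be sanity-checked against sample data; it is not PacketFence code. It assumes the (time) syntax is an integer with an s/m/h/d suffix (inferred from the defaults shown), that each timer is measured from the last matching packet or, if none was ever seen, from when the node was first observed, and that the lease-time comparison is a plain 50% check; the node records are constructed inline.

```python
"""Model of the arp section's timers (added example; not the project's own code)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed (time) grammar: integer followed by a unit suffix, e.g. "30s", "8h", "1d".
_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_time(value: str) -> int:
    """Convert a (time) config value into seconds."""
    m = re.fullmatch(r"\s*(\d+)\s*([smhd])\s*", value)
    if not m:
        raise ValueError(f"bad time value: {value!r}")
    return int(m.group(1)) * _UNITS[m.group(2)]


def check_dhcp_timeout(dhcp_timeout: str, lease_time: str) -> List[str]:
    """Warn when dhcp_timeout is not greater than 50% of the DHCP lease, as the reference advises."""
    warnings = []
    if parse_time(dhcp_timeout) <= parse_time(lease_time) / 2:
        warnings.append(
            f"dhcp_timeout {dhcp_timeout} should exceed half the DHCP lease time ({lease_time})"
        )
    return warnings


def hello_schedule(timeout: str, interval: str) -> List[int]:
    """Seconds after the last activity at which hello ARPs are sent: timeout/2 and timeout-interval."""
    t, i = parse_time(timeout), parse_time(interval)
    return sorted({t // 2, t - i})


@dataclass
class Node:
    mac: str
    first_seen: int                      # epoch seconds when the node was first observed
    last_dhcpdiscover: Optional[int]     # None = never saw a broadcast DHCPDISCOVER
    last_gateway_arp: Optional[int]      # None = never saw it ARP for the gateway


def classify(node: Node, now: int, dhcp_timeout: str, gw_timeout: str) -> List[str]:
    """Return the reasons (if any) for treating the node as rogue under the two timers.

    Assumption: each timer is anchored at the last matching packet, falling back to
    first_seen when none was ever observed.
    """
    reasons = []
    dhcp_ref = node.last_dhcpdiscover if node.last_dhcpdiscover is not None else node.first_seen
    if now - dhcp_ref > parse_time(dhcp_timeout):
        reasons.append("static-ip: no DHCPDISCOVER within dhcp_timeout")
    gw_ref = node.last_gateway_arp if node.last_gateway_arp is not None else node.first_seen
    if now - gw_ref > parse_time(gw_timeout):
        reasons.append("static-gw: no gateway ARP within gw_timeout, dropped from IP->MAC table")
    return reasons


def classify_sample() -> Dict[str, List[str]]:
    """Run the classifier over constructed node records with the page's defaults."""
    now = 100_000
    nodes = [
        # Normal DHCP client: recent DHCPDISCOVER and recent gateway ARP (constructed values).
        Node("00:11:22:33:44:01", first_seen=0, last_dhcpdiscover=80_000, last_gateway_arp=90_000),
        # Static IP: never sent a DHCPDISCOVER since it was first seen 100000 s ago.
        Node("00:11:22:33:44:02", first_seen=0, last_dhcpdiscover=None, last_gateway_arp=50_000),
        # Static gateway entry: uses DHCP but never ARPs for the gateway.
        Node("00:11:22:33:44:03", first_seen=0, last_dhcpdiscover=90_000, last_gateway_arp=None),
    ]
    return {n.mac: classify(n, now, dhcp_timeout="8h", gw_timeout="1d") for n in nodes}


if __name__ == "__main__":
    print("hello ARPs at", hello_schedule("8h", "60s"), "seconds of inactivity")
    print(check_dhcp_timeout("8h", "24h"))
    for mac, reasons in classify_sample().items():
        print(mac, reasons or "ok")
```

Running the block with the page's defaults shows hello ARPs at 14400 s and 28740 s of inactivity, a warning when an 8h dhcp_timeout is paired with a 24h lease, and only the two constructed static nodes flagged.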