diff --git a/playbooks/roles/os_neutron/defaults/main.yml b/playbooks/roles/os_neutron/defaults/main.yml
index f5ee973b23..60fd4edb2a 100644
--- a/playbooks/roles/os_neutron/defaults/main.yml
+++ b/playbooks/roles/os_neutron/defaults/main.yml
@@ -239,6 +239,7 @@ neutron_apt_packages:
 - iputils-arping
 - keepalived
 - libpq-dev
+ - ebtables
 neutron_apt_remove_packages:
 - conntrackd
diff --git a/playbooks/roles/os_neutron/files/rootwrap.d/ebtables.filters b/playbooks/roles/os_neutron/files/rootwrap.d/ebtables.filters
new file mode 100644
index 0000000000..2c3c338db4
--- /dev/null
+++ b/playbooks/roles/os_neutron/files/rootwrap.d/ebtables.filters
@@ -0,0 +1,13 @@
+# neutron-rootwrap command filters for nodes on which neutron is
+# expected to control network
+#
+# This file should be owned by (and only-writeable by) the root user
+
+# format seems to be
+# cmd-name: filter-name, raw-command, user, args
+
+[Filters]
+
+# neutron/agent/linux/ebtables_driver.py
+ebtables: CommandFilter, ebtables, root
+ebtablesEnv: EnvFilter, ebtables, root, EBTABLES_ATOMIC_FILE=
diff --git a/playbooks/roles/os_neutron/tasks/neutron_post_install.yml b/playbooks/roles/os_neutron/tasks/neutron_post_install.yml
index 22210ca50b..7027e4063f 100644
--- a/playbooks/roles/os_neutron/tasks/neutron_post_install.yml
+++ b/playbooks/roles/os_neutron/tasks/neutron_post_install.yml
@@ -79,6 +79,7 @@
 - { src: "rootwrap.d/linuxbridge-plugin.filters", dest: "/etc/neutron/rootwrap.d/linuxbridge-plugin.filters" }
 - { src: "rootwrap.d/l3.filters", dest: "/etc/neutron/rootwrap.d/l3.filters" }
 - { src: "rootwrap.d/vpnaas.filters", dest: "/etc/neutron/rootwrap.d/vpnaas.filters" }
+ - { src: "rootwrap.d/ebtables.filters", dest: "/etc/neutron/rootwrap.d/ebtables.filters" }
 notify:
 - Restart neutron services
 tags:
diff --git a/playbooks/roles/os_neutron/templates/plugins/ml2/ml2_conf.ini.j2 b/playbooks/roles/os_neutron/templates/plugins/ml2/ml2_conf.ini.j2
index 3a82320258..28457ca111 100644
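Review bot: In the new rootwrap.d/ebtables.filters, `ebtables: CommandFilter, ebtables, root` matches on the executable name only, so any ebtables argument list is accepted as root, and `ebtablesEnv` puts no constraint on the value after `EBTABLES_ATOMIC_FILE=`, so the file the root-run binary reads and writes is chosen by the calling service account. The entries are presumably copied from upstream neutron for ebtables_driver.py; if that breadth is an accepted trade-off, record it in the header, e.g. `# NOTE: CommandFilter does not restrict arguments and EBTABLES_ATOMIC_FILE accepts any path; keep in sync with upstream neutron`. The `# format seems to be` comment reads as a guess and would be better stated as fact or dropped.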
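Review bot: The new `rootwrap.d/ebtables.filters` item in neutron_post_install.yml takes its owner and mode from the enclosing task, whose module arguments begin above this hunk and are not visible here. The filter file grants root execution and its own header says it must be owned by, and writable only by, root, so confirm that the task sets `owner: "root"`, `group: "root"` and `mode: "0644"` for these items rather than the neutron service user. A filter file writable by the service account would let that account extend its own root command set.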
--- a/playbooks/roles/os_neutron/templates/plugins/ml2/ml2_conf.ini.j2
+++ b/playbooks/roles/os_neutron/templates/plugins/ml2/ml2_conf.ini.j2
@@ -76,8 +76,11 @@ physical_interface_mappings = {{ neutron_provider_networks.network_mappings }}
 {% endif %}
-# Agent (empty for Linux bridge agent)
+# Agent
 [agent]
+# TODO: Allow this to be the default of True once the upstream issue
+# with access through floating IP's is fixed (odyssey4me re: liberty-2)
+prevent_arp_spoofing = False
 # L2 population
 [l2pop]
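Review bot: `prevent_arp_spoofing = False` is hard-coded under `[agent]`, so every deployment rendered from this template runs with ARP spoofing protection off, and an operator can re-enable it only by editing the role, even though the same commit installs ebtables and its rootwrap filter. Drive it from a role default instead (the variable name is a suggestion): `prevent_arp_spoofing = {{ neutron_prevent_arp_spoofing | default(False) }}`. The comment should also say what is lost while it is off: ports are not restricted to answering ARP for their own addresses. The TODO names a person and a milestone but no bug reference; adding the upstream bug link (`<upstream-bug-url>`) would make the condition for flipping the default checkable.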