Forum Discussion
Gratuitous ARP - how it's working
ARP = Layer 3. All L3 devices in this L2 broadcast domain will process the GARP by putting the new MAC<->IP mapping into their ARP table. They don't care if there has been a request or not (which is why it can be easily used for spoofing).
Regarding the switches (L2): They don't really care about the GARP. The only side effect of the whole GARP thing is: As soon as the GARP frame arrives at the switch, it will learn the source MAC of this packet. Because of this, the switch will update its MAC address table.
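As an added example (not part of the original thread and not F5 code): a small Python monitor that parses ARP payloads, marks gratuitous ones (sender IP equals target IP), and reports when the MAC bound to an IP changes, which is the table update the answer above describes. The addresses, MACs, the `build_arp` helper and the `expected` allow-list are constructed assumptions.

```python
import struct
from ipaddress import IPv4Address

ARP_FMT = "!HHBBH6s4s6s4s"  # RFC 826 layout for Ethernet/IPv4, 28 bytes

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def build_arp(oper, sha, spa, tha, tpa):
    """Build an ARP payload; used here only to create sample input."""
    to_mac = lambda s: bytes.fromhex(s.replace(":", ""))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper, to_mac(sha),
                       IPv4Address(spa).packed, to_mac(tha),
                       IPv4Address(tpa).packed)

def parse_arp(payload):
    if len(payload) < 28:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    # Gratuitous ARP (request or reply form): sender IP == target IP
    return {"oper": oper, "sha": mac(sha), "spa": str(IPv4Address(spa)),
            "tpa": str(IPv4Address(tpa)), "gratuitous": spa == tpa}

def watch(payloads, expected=None):
    """Track IP->MAC bindings and return alerts for bindings that change.

    expected: optional {ip: set_of_macs} allow-list, e.g. both units of a
    failover pair, so a legitimate takeover is not reported.
    """
    expected = expected or {}
    table, alerts = {}, []
    for p in payloads:
        a = parse_arp(p)
        ip, new = a["spa"], a["sha"]
        old = table.get(ip)
        if old and old != new and new not in expected.get(ip, set()):
            alerts.append((ip, old, new, a["gratuitous"]))
        table[ip] = new
    return alerts

# Constructed sample traffic (all addresses and MACs are made up)
SAMPLE = [
    build_arp(2, "02:00:00:00:00:01", "10.0.0.1", "02:00:00:00:00:50", "10.0.0.50"),
    build_arp(1, "02:00:00:00:00:02", "10.0.0.1", "ff:ff:ff:ff:ff:ff", "10.0.0.1"),
    build_arp(2, "02:00:00:00:00:99", "10.0.0.1", "ff:ff:ff:ff:ff:ff", "10.0.0.1"),
]
```

A cluster failover produces the same rebinding signal as a spoofed announcement, so the allow-list of known unit MACs is what separates the two.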
- dragonflymr Feb 12, 2015
Cirrostratus
Hi, Well, I would say ARP is L2/L3 but this is not so important here. So I should assume that every L3 device should update its ARP cache after receiving a GARP: L3 switch, router, server, workstation etc.? I suspect that my tests on a W2K8 server were showing something different because of a bug I was reading about. Piotr
- Saskia_81056 Feb 12, 2015
Nimbostratus
Yep. You could e.g. just send out an ARP reply (by using a packet builder) which announces your MAC address to be the gateway IP within a subnet and all L3 devices would update their ARP table accordingly. In case of the BIG-IP and many other clusters it will help to announce the current primary.
- dragonflymr Feb 12, 2015
Cirrostratus
Well, I guess testing using the win platform was not the best choice, will play with Linux to see how it works :-) Piotr
- dragonflymr Feb 13, 2015
Cirrostratus
I did such a test. Based on the info here I expected that the server (RedHat) would add entries to the ARP cache, but it was not the case. So maybe I am missing some clue.
Scenario:
1. ARP cache checked on the Linux host (Red Hat Linux release 7.3 (Valhalla) - actually a PHPAuction based host) with arp -n - two entries present, one is the floating selfIP on the LTM (VE 11.2.0HF7) - probably because it's set as DG
2. VS located on the same VLAN as the Linux host, disabled and then enabled
3. On the Linux host I can see a long list of GARP packets generated by the LTM - for the VIP of the mentioned VS a total of 5 GARP packets received
4. arp -n - no new entries
Is that OK? So a server/workstation should not add info from GARP to the ARP cache based on a received GARP? Or is it some config option/bug in the RedHat version I am using?
Then I did a test for entries already in the ARP cache: floating selfIP, VIP. After failover to the second device the entries were immediately updated with the MAC of the new active unit. What is strange is that the update was immediate, even before I was able to see GARP packets in tcpdump - is that because of a tcpdump limitation or did some "magic" occur?
Piotr
P.S. For whomever it will be of value in the future, here is the best explanation I have found so far about GARP: http://www.ultramonkey.org/3/ip_address_takeover.html
- boneyard Feb 14, 2015
MVP
what i feel isn't quite right in your opening post is saying there are multiple types of gratuitous ARP messages. i don't believe there are. there is just the ARP announcement which is sometimes called gratuitous ARP. on your linux test, this might be useful: https://lists.debian.org/debian-user/2010/04/msg01110.html
