Forum Discussion

dragonflymr
Feb 09, 2015

Gratuitous ARP - how it's working

Hi,


I did some research about Gratuitous ARP (GARP) on the Internet and in the F5 docs, and also did some tcpdumps on my test system. I am not a network expert, so maybe it's an obvious question, but I can't really figure out what the purpose of BIG-IP sending GARP is. From my research, there are at least three types of ARP packets defined under GARP:

1. GARP Announcement - ARP request with the sender IP in both the source and destination IP fields
2. GARP Probe - ARP request with the sender IP set to all zeros
3. GARP Reply - ARP reply sent to the broadcast MAC (not unicast as a normal reply), with the sender IP in both the source and destination IP fields


According to my tests, BIG-IP sends the GARP described in point 1 above every time there is a reconfiguration of a VIP, self IP or SNAT, or a failover is performed.


That is the part I can't figure out. Considering that a given BIG-IP port is always attached to the same switch port, GARP has nothing to update in the switch MAC table - even for failover, ports on both devices are hard-wired to ports on the switch - there is of course a change in the MAC-IP relation, but for an L2 device it's irrelevant. I suspect that routers and maybe end stations process GARP in some way, but I can't find info on how. I did a test on a W2K8 server with a cleared ARP cache. Even though I was able to see the GARP packets in Wireshark on the server, no entries showed up in the ARP cache. Maybe GARP is only processed when there is already an entry for the given MAC in the server's ARP cache - so if the server receives a GARP it's compared with the entries in the ARP cache, and if the source MAC has a different mapping to the IP, the entry is updated? If the above is true, is GARP processed the same way by routers?


Sure, GARP makes much more sense for L2 devices if MAC Masquerading is used by the traffic-group. In this case the MAC is moving between switch ports and the update makes sense.


Considering ARP processing, a GARP reply seems to be more appropriate for end stations - I assume all workstations will process a reply (sent to the broadcast MAC) even if they never sent a request - then the ARP cache will be updated even if there was no entry for the given MAC before.


Or maybe I mixed everything up?


Piotr
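To make the three GARP shapes listed in the question concrete, here is an added example (editor's code, not from the thread and not BIG-IP's own implementation): a small builder and parser for Ethernet/IPv4 ARP frames that classifies a captured frame as a normal request/reply, a GARP announcement, a GARP probe or a GARP reply using exactly the field conditions above. The MAC and IP addresses are made up; for announcements and probes the target MAC is set to zeros, which RFC 5227 says receivers must ignore anyway.

```python
"""Build, parse and classify ARP frames, including the three gratuitous forms.

Constructed example for the GARP discussion; addresses below are invented.
"""
import struct
from dataclasses import dataclass

ETH_HDR = struct.Struct("!6s6sH")            # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")    # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
OP_REQUEST, OP_REPLY = 1, 2
BCAST = bytes.fromhex("ffffffffffff")
ZERO_MAC = bytes(6)
ZERO_IP = bytes(4)


def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def ip(text: str) -> bytes:
    return bytes(int(octet) for octet in text.split("."))


@dataclass
class Arp:
    dst_mac: bytes
    src_mac: bytes
    op: int
    sha: bytes   # sender hardware address
    spa: bytes   # sender protocol (IP) address
    tha: bytes   # target hardware address
    tpa: bytes   # target protocol (IP) address


def build(dst_mac: bytes, op: int, sha: bytes, spa: bytes, tha: bytes, tpa: bytes) -> bytes:
    """Serialise one Ethernet + ARP frame (42 bytes, before any link-layer padding)."""
    return ETH_HDR.pack(dst_mac, sha, ETHERTYPE_ARP) + ARP_HDR.pack(1, 0x0800, 6, 4, op, sha, spa, tha, tpa)


def parse(frame: bytes) -> Arp:
    """Decode an Ethernet/IPv4 ARP frame; padding after the ARP payload is ignored."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        raise ValueError("frame too short for Ethernet + ARP")
    dst, src, etype = ETH_HDR.unpack_from(frame, 0)
    if etype != ETHERTYPE_ARP:
        raise ValueError(f"not an ARP frame (EtherType 0x{etype:04x})")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is handled here")
    return Arp(dst, src, op, sha, spa, tha, tpa)


def classify(a: Arp) -> str:
    """Apply the three GARP definitions from the question, in order of specificity."""
    if a.op == OP_REQUEST and a.spa == ZERO_IP:
        return "garp-probe"                 # request, sender IP all zeros
    if a.op == OP_REQUEST and a.spa == a.tpa:
        return "garp-announcement"          # request, sender IP in both IP fields
    if a.op == OP_REPLY and a.dst_mac == BCAST and a.spa == a.tpa:
        return "garp-reply"                 # reply to the broadcast MAC, own IP in both fields
    return "request" if a.op == OP_REQUEST else "reply"


# Senders for the three gratuitous forms (broadcast at L2; target MAC zeros, ignored by receivers).
def garp_announcement(sha: bytes, spa: bytes) -> bytes:
    return build(BCAST, OP_REQUEST, sha, spa, ZERO_MAC, spa)


def garp_probe(sha: bytes, probed_ip: bytes) -> bytes:
    return build(BCAST, OP_REQUEST, sha, ZERO_IP, ZERO_MAC, probed_ip)


def garp_reply(sha: bytes, spa: bytes) -> bytes:
    return build(BCAST, OP_REPLY, sha, spa, BCAST, spa)


if __name__ == "__main__":
    unit_mac, vip = mac("02:00:00:00:00:0a"), ip("10.0.0.10")   # invented BIG-IP MAC and VIP
    samples = {
        "announcement": garp_announcement(unit_mac, vip),
        "probe": garp_probe(unit_mac, vip),
        "reply": garp_reply(unit_mac, vip),
        "plain request": build(BCAST, OP_REQUEST, unit_mac, ip("10.0.0.50"), ZERO_MAC, ip("10.0.0.1")),
    }
    for name, frame in samples.items():
        print(f"{name:14s} {len(frame)} bytes -> {classify(parse(frame))}")
```

Feeding `parse()` the raw bytes of a frame exported from Wireshark (File > Export Packet Bytes) is enough to check which of the three forms a BIG-IP actually emits on your own network.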


7 Replies

• ARP = Layer 3. All L3 devices in this L2 broadcast domain will process the GARP by putting the new MAC<->IP mapping into their ARP table. They don't care whether there has been a request or not (which is why it can be easily used for spoofing).


    Regarding the switches (L2): they don't really care about the GARP. The only side effect of the whole GARP thing is: as soon as the GARP frame arrives at the switch, it will learn the source MAC of this packet. Because of this, the switch will update its MAC address table.


    • dragonflymr
      Hi, Well, I would say ARP is L2/L3, but this is not so important here. So I should assume that every L3 device should update its ARP cache after receiving a GARP: L3 switch, router, server, workstation etc.? I suspect that my tests on the W2K8 server were showing something different because of a bug I was reading about. Piotr
    • Saskia_81056
      Yep. You could e.g. just send out an ARP Reply (by using a packet builder) which announces your MAC address to be the gateway IP within a subnet, and all L3 devices would update their ARP tables accordingly. In the case of the BIG-IP and many other clusters, it helps to announce the current primary.
    • dragonflymr
      Well, I guess testing using a Windows platform was not the best choice; I will play with Linux to see how it works :-) Piotr
  • Hi Piotr,


    the primary reasons for sending GARPs are to update the peripheral switches' L2 forwarding tables (aka CAM tables) and to update the ARP caches of routers / firewalls / servers in case of a failover.


    The unit becoming active will send GARPs (as you already traced).


    This way it should not be necessary to clear the ARP caches of peripheral devices manually. Due to the long ARP cache lifetime on these devices, services provided by the BIG-IP may seem to be unavailable until the router / firewall / server updates its ARP cache due to timeout.


    Thanks, Stephan
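The two replies above describe the receiving side: a host either updates an existing ARP entry on an unsolicited frame (the failover case Stephan describes) or, for the same reason, can be fed a bogus gateway mapping (the spoofing case Saskia describes). The following is an added example written for this page, not code from the thread or from F5. It models a host ARP cache with the one policy knob that explains Piotr's empty-cache observation: Linux's `net.ipv4.conf.<if>.arp_accept`, where the default 0 updates existing entries on a gratuitous ARP but never creates new ones, and 1 also creates them. It then runs an arpwatch-style monitor over a constructed trace (all MACs and IPs invented) containing a VIP failover from unit A to unit B and a GARP claiming the gateway, and shows how flagging every IP-to-MAC change would mis-classify the legitimate HA move unless the pair's MACs are known to the monitor. The per-IP allow-list is an assumption of this example, not a BIG-IP feature.

```python
"""Receiver-side model of gratuitous ARP: cache update policy and change monitoring.

Constructed example (editor's code, not from the thread); all addresses are invented.
"""
from dataclasses import dataclass, field

UNSPEC_IP = "0.0.0.0"   # sender IP of an ARP probe: nothing to learn from it


@dataclass
class ArpCache:
    """Minimal host ARP cache (ip -> mac) with a switch for the unsolicited-learning policy.

    create_on_unsolicited=False mirrors Linux arp_accept=0 (default): an unsolicited frame
    refreshes or rewrites an existing entry but never creates one. True mirrors arp_accept=1.
    """
    create_on_unsolicited: bool = False
    table: dict = field(default_factory=dict)

    def on_arp(self, sha: str, spa: str, solicited: bool = False) -> str:
        """Process one ARP frame's sender binding; return what the cache did with it."""
        if spa == UNSPEC_IP:
            return "ignored-probe"
        old = self.table.get(spa)
        if old is None:
            if solicited or self.create_on_unsolicited:
                self.table[spa] = sha
                return "created"
            return "ignored-unknown"      # the 'no entry appears' behaviour the question reports
        if old != sha:
            self.table[spa] = sha
            return "updated"              # failover and spoofing look identical here
        return "refreshed"


@dataclass
class ArpMonitor:
    """arpwatch-style check: report every ip->mac change, separating expected HA moves.

    expected_macs maps an IP to the set of MACs allowed to own it (assumed operator input,
    e.g. the two BIG-IP unit MACs behind a VIP when MAC masquerading is not in use).
    """
    expected_macs: dict
    seen: dict = field(default_factory=dict)
    alerts: list = field(default_factory=list)

    def observe(self, sha: str, spa: str):
        if spa == UNSPEC_IP:
            return None
        old = self.seen.get(spa)
        self.seen[spa] = sha
        if old is None or old == sha:
            return None
        verdict = "expected-failover" if {old, sha} <= self.expected_macs.get(spa, set()) else "suspicious-change"
        self.alerts.append((spa, old, sha, verdict))
        return verdict


# Invented addresses for the trace.
UNIT_A, UNIT_B = "02:00:00:00:00:0a", "02:00:00:00:00:0b"   # two BIG-IP units sharing a VIP
GW, ATTACKER = "02:00:00:00:00:01", "02:00:00:00:00:99"      # real gateway MAC, spoofing host

# Constructed trace of (sender MAC, sender IP, solicited?) as a host would see it.
TRACE = [
    (GW, "10.0.0.1", True),         # reply to the host's own request for the gateway
    (UNIT_A, "10.0.0.10", False),   # GARP announcement: VIP active on unit A
    (UNIT_B, "10.0.0.10", False),   # failover: unit B announces the same VIP
    (ATTACKER, "10.0.0.1", False),  # GARP claiming the gateway IP
]


def run(create_on_unsolicited: bool = False):
    """Replay TRACE through a cache with the given policy and through the monitor."""
    cache = ArpCache(create_on_unsolicited)
    monitor = ArpMonitor({"10.0.0.10": {UNIT_A, UNIT_B}})
    results = [(cache.on_arp(sha, spa, solicited), monitor.observe(sha, spa)) for sha, spa, solicited in TRACE]
    return cache.table, results, monitor.alerts


if __name__ == "__main__":
    for policy in (False, True):
        table, results, alerts = run(policy)
        print(f"create_on_unsolicited={policy}")
        for (sha, spa, _), (cache_result, verdict) in zip(TRACE, results):
            print(f"  {spa:10s} from {sha}: cache={cache_result:15s} monitor={verdict}")
        print("  final table:", table)
```

With the default policy the VIP never enters the cache from the two announcements alone, yet the gateway entry, which the host learned itself, is silently overwritten by the attacker's GARP; whether that rewrite is a failover or an attack cannot be decided from the frame, only from knowing which MACs may legitimately own the IP.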