
Gratuitous arp configuration, Introduction to gratuitous arp, Enabling learning of gratuitous arp packets – H3C Technologies H3C S10500 Series Switches User Manual


Gratuitous ARP configuration

Introduction to gratuitous ARP

In a gratuitous ARP packet, the sender IP address and the target IP address are the IP address of the sending device, the sender MAC address is the MAC address of the sending device, and the target MAC address is the broadcast address ff:ff:ff:ff:ff:ff.

A device sends a gratuitous ARP packet for either of the following purposes:

Determine whether its IP address is already used by another device. If the IP address is already used, the device is informed of the conflict by an ARP reply;

Inform other devices of a change of its MAC address.

Enabling learning of gratuitous ARP packets

With this feature enabled, a device, upon receiving a gratuitous ARP packet, adds an ARP entry that contains the sender IP and MAC addresses in the packet to its ARP table. If the corresponding ARP entry exists, the device updates the ARP entry.

With this feature disabled, the device uses the received gratuitous ARP packets to update existing ARP entries, but not to create new ARP entries.

Configuring periodic sending of gratuitous ARP packets

Enabling a device to periodically send gratuitous ARP packets helps downstream devices update their corresponding ARP entries or MAC entries in time. This feature can be used to prevent gateway spoofing, prevent ARP entries from aging out, and prevent the virtual IP address of a VRRP group from being used by a host.

Prevent gateway spoofing

When an attacker sends forged gratuitous ARP packets to the hosts on a network, the traffic destined for the gateway from the hosts is sent to the attacker instead. As a result, the hosts cannot access the external network.

To prevent gateway spoofing attacks, enable the gateway to send gratuitous ARP packets containing its primary IP address and manually configured secondary IP addresses at a specific interval, so hosts can learn correct gateway address information.
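The following Python example is added here and is not part of the H3C manual. It parses ARP frames using the field layout described in the introduction and reports gratuitous ARP packets whose sender MAC address contradicts a trusted gateway binding. The addresses, the pinned-binding table and all function names are assumptions constructed for the example.

```python
import struct

BROADCAST = "ff:ff:ff:ff:ff:ff"

def _mac(b): return ":".join(f"{x:02x}" for x in b)
def _ip(b): return ".".join(str(x) for x in b)

def parse_arp(frame):
    """Return the ARP fields of an Ethernet II frame, or None if it is not IPv4 ARP."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":   # EtherType 0x0806 = ARP
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):  # Ethernet / IPv4 only
        return None
    return {"oper": oper,
            "sender_mac": _mac(frame[22:28]), "sender_ip": _ip(frame[28:32]),
            "target_mac": _mac(frame[32:38]), "target_ip": _ip(frame[38:42])}

def is_gratuitous(arp):
    # Gratuitous ARP: sender IP and target IP are both the sender's own address.
    return arp["sender_ip"] == arp["target_ip"]

def find_spoofed_gratuitous(frames, pinned):
    """Return (index, ip, seen_mac, expected_mac) for each gratuitous ARP whose
    sender MAC contradicts the trusted binding in pinned ({ip: mac})."""
    alerts = []
    for i, frame in enumerate(frames):
        arp = parse_arp(frame)
        if arp is None or not is_gratuitous(arp):
            continue
        expected = pinned.get(arp["sender_ip"])
        if expected is not None and expected != arp["sender_mac"]:
            alerts.append((i, arp["sender_ip"], arp["sender_mac"], expected))
    return alerts

def sample_frame(sender_mac, sender_ip, target_ip, target_mac=BROADCAST):
    """Build one constructed ARP request frame in memory (test input only)."""
    hw = lambda m: bytes.fromhex(m.replace(":", ""))
    ip4 = lambda a: bytes(int(x) for x in a.split("."))
    return (hw(BROADCAST) + hw(sender_mac) + b"\x08\x06"
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)
            + hw(sender_mac) + ip4(sender_ip) + hw(target_mac) + ip4(target_ip))

# Constructed sample data using documentation addresses; the binding is assumed.
PINNED = {"192.0.2.1": "00:00:5e:00:53:01"}
FRAMES = [
    sample_frame("00:00:5e:00:53:01", "192.0.2.1", "192.0.2.1"),  # gateway's own gratuitous ARP
    sample_frame("00:00:5e:00:53:66", "192.0.2.1", "192.0.2.1"),  # gateway IP, wrong MAC
    sample_frame("00:00:5e:00:53:10", "192.0.2.10", "192.0.2.1", "00:00:00:00:00:00"),  # ordinary request
]
```

Only addresses listed in the pinned table are checked, so gratuitous ARP packets for other IP addresses pass without an alert.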

Prevent ARP entries from aging out

If network traffic is heavy or a host's CPU usage is high, received ARP packets may be discarded or not processed in time. Eventually, the dynamic ARP entries on the receiving host age out, and the traffic between the host and the corresponding devices is interrupted until the host re-creates the ARP entries.

To prevent this problem, enable the gateway to send gratuitous ARP packets periodically. The gratuitous ARP packets contain the gateway's primary IP address or one of its manually configured secondary IP addresses, so the receiving host can update ARP entries in time, ensuring traffic continuity.

Prevent the virtual IP address of a VRRP group from being used by a host

The master router of a VRRP group can periodically send gratuitous ARP packets to the hosts on the local network, so that the hosts can update local ARP entries and avoid using the virtual IP address of the VRRP group.