Summary
This document describes the behavior of the Address Resolution Protocol (ARP) and Gratuitous ARP (GARP) on NetScaler devices.
Background
Typical network devices use ARP to locate the hardware (MAC) address of other hosts on the local network. In normal operation, a host needing to send a packet to a given IP address sends out an ARP request for that IP address (assuming the MAC address is not contained in its local ARP cache), which is a broadcast packet sent out on the local network. The host which owns the requested IP address responds to the broadcast with a unicast ARP reply directed to the host that sent the request.
Below is the normal ARP operation for a host at 00:d0:68:0c:2e:55 (10.1.1.100) who needs to send a message to 10.1.1.200, which is owned by a host with MAC 00:e0:0c:25:1a:2b:
Sequence | Source MAC | Dest MAC | Message |
0 | 00:d0:68:0c:2e:55 | ff:ff:ff:ff:ff:ff (Broadcast) | Who has 10.1.1.200? Tell 10.1.1.100 |
1 | 00:e0:0c:25:1a:2b | 00:d0:68:0c:2e:55 | 10.1.1.200 is at 00:e0:0c:25:1a:2b |
GARP is a special type of ARP broadcast that sends out an unsolicited ARP request or reply to all hosts on the local network. Whether the GARP packet is sent out using the request or reply operation code, most network devices populate their tables with the IP-MAC mapping contained in the GARP packet.
Operation code: request
Sequence | Source MAC | Dest MAC | Message |
0 | 00:e0:0c:25:1a:2b | ff:ff:ff:ff:ff:ff | Who has 10.1.1.200? Tell 10.1.1.200 |
1 | 00:e0:0c:25:1a:2b | ff:ff:ff:ff:ff:ff | Who has 10.1.1.200? Tell 10.1.1.200 |
2 | 00:e0:0c:25:1a:2b | ff:ff:ff:ff:ff:ff | Who has 10.1.1.200? Tell 10.1.1.200 |
Operation code: reply
Sequence | Source MAC | Dest MAC | Message |
0 | 00:e0:0c:25:1a:2b | ff:ff:ff:ff:ff:ff | 10.1.1.200 is at 00:e0:0c:25:1a:2b |
1 | 00:e0:0c:25:1a:2b | ff:ff:ff:ff:ff:ff | 10.1.1.200 is at 00:e0:0c:25:1a:2b |
2 | 00:e0:0c:25:1a:2b | ff:ff:ff:ff:ff:ff | 10.1.1.200 is at 00:e0:0c:25:1a:2b |
The most common legitimate use for GARP is to ensure that network devices’ ARP tables are populated with the most up-to-date information without delay. NetScaler uses both normal ARP and GARP in different contexts.
NetScaler ARP Behavior
NetScaler generates and processes ARP traffic in the normal way. However, unlike a normal network device, NetScaler-owned IP addresses are not bound to a single interface. Instead, all physical interfaces on the NetScaler listen for all NetScaler-owned IP addresses unless explicitly configured otherwise. This has the following effects on ARP behavior:
• ARP requests generated by the NetScaler are sent out on all connected interfaces that are UP
• Netscaler sends ARP replies out on all connected interfaces that are UP, regardless of what interface the request was received on
The NetScaler ARP table can be viewed with either of the following commands:
NS-CLI> sh ns arp
root@ns# /netscaler/nsapimgr –d allarp
The NetScaler ARP tables can be cleared globally using the following command:
NS-CLI> rm ns arp -all
A single entry can be removed from the ARP table using the following command:
NS-CLI> rm ns arp <IP address>
NetScaler GARP Behavior
NetScaler issues GARP for all NetScaler-owned IP addresses (for example, Virtual IP address (VIP), Mapped IP address (MIP), NetScaler IP address (NSIP), and Subnet IP address (SNIP)) at the following times:
• When any of the following commands is executed:
> add vserver
> add ip
> set vlan <id> -ipaddress <IP> <netmask>
• After a High Availability failover (this is particularly important because if GARP is not used here, network devices may continue to send traffic to the failed device)
• At startup for the MIP and NSIP only
ARP and GARP can be disabled for a NetScaler-owned VIP using the following command:
> set ip <IP address> -arp DISABLED
Note: ARP/GARP can only be disabled for an IP address of type VIP. Attempting to run this command on a NSIP, MIP or SNIP causes NetScaler to return the following error message:
ERROR: Operation not permitted
By default, NetScaler sends out two GARP packets per interface when any of the aforementioned events take place. These packets use the request operation code. The first packet sent has the “Target MAC address” field of the ARP header set to all 1’s and the second to all 0’s. To illustrate, if a NetScaler sent GARPs for the MIP 1.2.3.4, out on an interface with MAC address 00:e0:0c:2f:8a:02, the packets have the following structure:
First GARP packet:
Protocol | Field | Value |
Ethernet | Source MAC | 00:e0:0c:2f:8a:02 |
Destination MAC | FF:FF:FF:FF:FF:FF | |
ARP | Opcode | Request |
Sender MAC | 00:e0:0c:2f:8a:02 | |
Sender IP | 1.2.3.4 | |
Target MAC | FF:FF:FF:FF:FF:FF | |
Target IP | 1.2.3.4 | |
Message Interpretation | Who has 1.2.3.4? Gratuitous ARP | |
Second GARP packet:
Protocol | Field | Value |
Ethernet | Source MAC | 00:e0:0c:2f:8a:02 |
Destination MAC | FF:FF:FF:FF:FF:FF | |
ARP | Opcode | Request |
Sender MAC | 00:e0:0c:2f:8a:02 | |
Sender IP | 1.2.3.4 | |
Target MAC | 00:00:00:00:00:00 | |
Target IP | 1.2.3.4 | |
Message Interpretation | Who has 1.2.3.4? Gratuitous ARP | |
It is possible to change the default GARP behavior using the following nsapimgr directive. This may be required to make NetScaler interoperate properly with some network devices. The default behavior is garpreply=0.
root@ns# /netscaler/nsapimgr –ys garpreply=1
After this command, only one GARP packet is sent out per interface, and its operation code is set to reply. Using the same parameters as the previous example, the GARP packet sent has the following structure:
Protocol | Field | Value |
Ethernet | Source MAC | 00:e0:0c:2f:8a:02 |
Destination MAC | FF:FF:FF:FF:FF:FF | |
ARP | Opcode | Reply |
Sender MAC | 00:e0:0c:2f:8a:02 | |
Sender IP | 1.2.3.4 | |
Target MAC | 00:e0:0c:2f:8a:02 | |
Target IP | 1.2.3.4 | |
Message Interpretation | 1.2.3.4 is at 00:e0:0c:2f:8a:02 | |
More Information
GARP also has potentially malicious uses, such as the poisoning of ARP tables. As such, Intrusion Detection Systems (IDS) or other security appliances may generate alerts when seeing GARP packets from the NetScaler.
