This article describes the behavior of the Address Resolution Protocol (ARP) and Gratuitous ARP (GARP) on NetScaler devices.

GARP also has potentially malicious uses, such as the poisoning of ARP tables. As such, Intrusion Detection Systems (IDS) or other security appliances may generate alerts when seeing GARP packets from the NetScaler.

Background

Typical network devices use ARP to locate the hardware (MAC) address of other hosts on the local network. In normal operation, a host needing to send a packet to a given IP address sends out an ARP request for that IP address (assuming the MAC address is not contained in its local ARP cache), which is a broadcast packet sent out on the local network. The host which owns the requested IP address responds to the broadcast with a unicast ARP reply directed to the host that sent the request.

Below is the normal ARP operation for a host at 00:d0:68:0c:2e:55 (10.1.1.100) who needs to send a message to 10.1.1.200, which is owned by a host with MAC 00:e0:0c:25:1a:2b:

GARP is a special type of ARP broadcast that sends out an unsolicited ARP request or reply to all hosts on the local network. Whether the GARP packet is sent out using the request or reply operation code, most network devices populate their tables with the IP-MAC mapping contained in the GARP packet.

Operation code: request

Operation code: reply

The most common legitimate use for GARP is to ensure that network devices’ ARP tables are populated with the most up-to-date information without delay. NetScaler uses both normal ARP and GARP in different contexts.

NetScaler ARP Behavior

NetScaler generates and processes ARP traffic in the normal way. However, unlike a normal network device, NetScaler-owned IP addresses are not bound to a single interface. Instead, all physical interfaces on the NetScaler listen for all NetScaler-owned IP addresses unless explicitly configured otherwise. This has the following effects on ARP behavior:

• ARP requests generated by the NetScaler are sent out on all connected interfaces that are UP. LA channels count as a single interface.
• Netscaler sends ARP replies on all connected interfaces that are UP, regardless of what interface the request was received on. LA channels count as a single interface. This is to prevent multiple interfaces on the same L2 broadcast from causing ARP storms.

The NetScaler ARP table can be viewed with either of the following commands:
NS-CLI> sh arp
root@ns# /netscaler/nsapimgr –d allarp

The NetScaler ARP tables can be cleared globally using the following command:
NS-CLI> rm arp -all

A single entry can be removed from the ARP table using the following command:
NS-CLI> rm arp <IP address>

NetScaler GARP Behavior

NetScaler issues GARP for all NetScaler-owned IP addresses (for example, Virtual IP address (VIP), Mapped IP address (MIP), NetScaler IP address (NSIP), and Subnet IP address (SNIP)) at the following times:

•  When any of the following commands is executed:
  > add vserver
  > add ip
  > set vlan <id> -ipaddress <IP> <netmask>

• After a High Availability failover, including event state changes on the Secondary (this is particularly important because if GARP is not used here, network devices may continue to send traffic to the failed device)
• At startup for the MIP and NSIP only

ARP and GARP can be disabled for a NetScaler-owned VIP using the following command:
> set ip <IP address> -arp DISABLED

Note: ARP/GARP can only be disabled for an IP address of type VIP. Attempting to run this command on a NSIP, MIP or SNIP causes NetScaler to return the following error message:
ERROR: Operation not permitted

By default, NetScaler sends out two GARP packets per interface when any of the aforementioned events take place. These packets use the request operation code. The first packet sent has the “Target MAC address” field of the ARP header set to all 1’s and the second to all 0’s. To illustrate, if a NetScaler sent GARPs for the MIP 1.2.3.4, out on an interface with MAC address 00:e0:0c:2f:8a:02, the packets have the following structure:

First GARP packet

Second GARP packet

It is possible to change the default GARP behavior using one of two methods

• From ADC CLI: set network L2Param -garpReply enabled (default is disabled)
• From ADC shell: nsapimgr –ys garpreply=1 (default is 0)
  • Note 1: This command is now deprecated in later firmware releases and a warning will advise admins to use the CLI method
  • Note 2: To persist this configuration across reboots when using this method, the entry should be added to /nsconfig/rc.netscaler

This may be required to make NetScaler interoperate properly with some network devices.

After this command, only one GARP packet is sent out per interface, and its operation code is set to reply. Using the same parameters as the previous example, the GARP packet sent has the following structure: