GARP (Gratuitous ARP): Is an ARP message sent without request. Mainly used to notify other hosts in the network of a MAC address assignment change. When a host receives a GARP it either adds a new entry to the cache table or modifies an existing one. I will expand more about GARP in the next section, as it’s the one that concerns us most from a security point of view.
Gratuitous ARP GARP messages GARP Request: A regular ARP request that contains the source IP address as sender and target address, source MAC address as sender, and broadcast MAC address (ff:ff:ff:ff:ff:ff) as a target. There will be no reply to this request
GARP Reply: The source/destination IP addresses AND MAC addresses are set to the sender addresses. This message is sent to no request.
GARP Probe: When an interface goes up with a configured IP address, it sends a probe to make sure no other host is using the same IP; hence, preventing IP conflicts. A probe has the sender IP set to zeros (0.0.0.0), the target IP is the IP being probed, the sender MAC is the source MAC, and the target MAC address is set to all zeros.
GARP use cases: Make sure there are no IP conflicts on the segment (GARP Probe) In failover systems like clusters, HSRP, VRRP, etc.; a virtual MAC address is used to point to the active device, when this device fails, the failover control sends a gratuitous ARP to ask other systems to change their ARP table entries and point the vMAC of the cluster to the new active device. (GARP Request/Reply). GARP is also used when an Ethernet interface goes up; that’s when the host sends a GARP to notify all systems with his IP address, instead of waiting for them to ask and send replies to each one. (GARP Request/Reply). Extensively used with data center technologies like Vmotion and load balancers. Whenever a machine is moved or a virtual interface is created on a load balancer; GARP is used to notify other devices of the changes.