Posted on October 2, 2020 11:08 am
 |  Asked by fabien.briatte


I’m curious why gratuitous ARP is disabled by default on Arista (causing issues with load balancer failover, for example)?

Posted by Alexis Dacquay
Answered on October 2, 2020 12:56 pm

Hi Fabien,

Are you talking about LB to Arista GARP, or Arista to LB GARP?

GARP is active by default on EOS; GARPs are sent every 30 seconds.

You can adjust the timer for when the GARPs are sent with the below command.

ip virtual-router mac-address advertisement-interval <0-86400> Seconds

If you change from the default of 30 seconds to 0, then it disables GARP from being sent.
Maybe you have disabled GARP?

Can you please detail your scenario and configuration?

Some load balancers don't manage GARP very well and need to use IP masquerading or longer GARP timing, because some LBs don't fail over well, as the standby keeps sending frames, so the primary must keep sending GARP until its standby unit goes silent.
Another option is that during failover, the newly active LB gets the shared virtual or floating IP, but uses its own local physical MAC address.


Posted by fabien.briatte
Answered on October 2, 2020 2:40 pm

Hi Alexis,

According to the documentation, by default Arista switches reject gratuitous ARP:


By default, Arista switch interfaces reject gratuitous ARP request packets. The arp gratuitous accept command configures an L3 interface to accept the gratuitous ARP request packets sent from a different device in the network and add their mappings to the ARP table. Gratuitous ARP can be configured on Ethernet interfaces, VLANs/SVI, or L3 port channels, but has no effect on L2 interfaces.


Here the scenario is 2 load balancers sharing a virtual IP, and when there is a failover, the new active one sends a GARP, which is rejected by the switch. Just curious why the default behavior is to reject?







Posted by Alexis Dacquay
Answered on October 2, 2020 3:00 pm

I see, you are talking about the GARP from the LB to Arista.

This might be seen as a security vulnerability, a hijack.
The EOS behaviour is influenced by the Linux kernel's behaviour. By default, gratuitous ARP packets do not create new ARP entries in the Linux kernel. The CLI command "arp gratuitous accept" allows changing that default behaviour.
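
The default-reject behaviour discussed in this thread, as an added example that is not part of any poster's reply and is not EOS or kernel code: a small Python model of an ARP table that parses gratuitous ARP frames, creates new entries only when acceptance is enabled, and records every IP-to-MAC change for review. The `ArpTable` class, the MAC addresses and the 192.0.2.10 VIP are constructed for illustration, and updating an already-known entry regardless of the setting is a modelling assumption.

```python
import struct

def build_garp(mac: str, ip: str) -> bytes:
    """Constructed sample: broadcast gratuitous ARP request announcing ip at mac."""
    m = bytes.fromhex(mac.replace(":", ""))
    a = bytes(int(x) for x in ip.split("."))
    hdr = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)  # Ethernet, IPv4, request
    return b"\xff" * 6 + m + b"\x08\x06" + hdr + m + a + b"\x00" * 6 + a

def parse_arp(frame: bytes):
    """Return sender MAC/IP and target IP of an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    if struct.unpack("!HHBB", frame[14:20]) != (1, 0x0800, 6, 4):
        return None
    dotted = lambda b: ".".join(map(str, b))
    return frame[22:28].hex(":"), dotted(frame[28:32]), dotted(frame[38:42])

class ArpTable:
    """Toy neighbour table (assumption: existing entries are updated either way)."""
    def __init__(self, accept_gratuitous: bool = False):
        self.accept_gratuitous = accept_gratuitous
        self.entries = {}   # ip -> mac
        self.alerts = []    # (ip, old_mac, new_mac) for every binding change

    def process(self, frame: bytes) -> str:
        arp = parse_arp(frame)
        if arp is None or arp[1] != arp[2]:   # gratuitous means sender IP == target IP
            return "ignored"
        mac, ip, _ = arp
        old = self.entries.get(ip)
        if old is None:
            if not self.accept_gratuitous:
                return "rejected"             # default: no new entry from a GARP
            self.entries[ip] = mac
            return "learned"
        if old == mac:
            return "refreshed"
        self.alerts.append((ip, old, mac))    # failover or hijack: needs review
        self.entries[ip] = mac
        return "moved"

if __name__ == "__main__":
    vip, lb_a, lb_b = "192.0.2.10", "02:00:00:00:00:0a", "02:00:00:00:00:0b"
    for accept in (False, True):
        t = ArpTable(accept)
        print(accept, [t.process(build_garp(m, vip)) for m in (lb_a, lb_a, lb_b)], t.alerts)
```

Every `moved` result lands in `alerts`, which is where a legitimate load balancer failover and an address hijack look identical on the wire and have to be told apart by other means.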
