What is GARP (Gratuitous ARP Protection)?

Gratuitous ARP (protection)

Gratuitous ARP is an example of a typical standards-based (beneficial) LAN feature that can, in some cases, be used by the bad guys for malicious purposes. The following is therefore a brief description of the feature and of why most IP phones have the capability to disable cooperation with this common LAN function.

Enabling GARP protection prevents the IP phone from replying to GARP requests. Normally, when an IP device wants to know the MAC address (layer 2) of another device, it sends an ARP request (containing the IP address it wants mapped) and receives an ARP response from the device that has that particular IP address assigned.

However, if the IP device/phone receives a 'gratuitous' (unsolicited) ARP response providing a different MAC-address-to-IP-address mapping, the end device will go ahead and update its ARP table. This can be beneficial: for example, if a secondary HSRP (or VRRP) router detects failure of the primary router and wants all end devices to use it as the new default gateway, it will send out a GARP request to all the devices so that they update their tables. However, it can also be used for malicious purposes, in man-in-the-middle attacks that divert traffic from unsuspecting end devices (namely IP phone voice traffic).

Enabling GARP protection therefore configures the IP phone to stop responding to or acting upon unsolicited GARP requests, and provides an additional level of security for the voice infrastructure.
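The behaviour described above, as an added example that is not part of the original article and not any phone vendor's code: it parses ARP payloads, recognises a gratuitous ARP (sender IP equal to target IP), and shows how a toy ARP table ends up with and without GARP protection while logging the attempted mapping change. The `ArpCache` class, the helper names and the addresses (documentation range 192.0.2.0/24, locally administered MACs) are assumptions constructed for the demo.

```python
import socket
import struct

ARP_FMT = "!HHBBH6s4s6s4s"  # Ethernet/IPv4 ARP payload, 28 bytes (RFC 826)

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def build_arp(op, sender_mac, sender_ip, target_ip):
    """Build a constructed ARP payload for the demo (target MAC left zeroed)."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op, mac_bytes(sender_mac),
                       socket.inet_aton(sender_ip), bytes(6), socket.inet_aton(target_ip))

def parse_arp(payload):
    """Decode sender MAC/IP and target IP from a 28-byte ARP payload."""
    htype, ptype, hlen, plen, op, sha, spa, _tha, tpa = struct.unpack(ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP payload")
    return sha.hex(":"), socket.inet_ntoa(spa), socket.inet_ntoa(tpa)

class ArpCache:
    """Toy ARP table for an endpoint with GARP protection on or off (hypothetical model)."""
    def __init__(self, garp_protection):
        self.garp_protection = garp_protection
        self.table, self.alerts = {}, []

    def handle(self, payload):
        mac, sender_ip, target_ip = parse_arp(payload)
        old = self.table.get(sender_ip)
        if sender_ip == target_ip:  # gratuitous: sender announces its own IP
            if old and old != mac:
                self.alerts.append((sender_ip, old, mac))  # existing mapping would change
            if self.garp_protection:
                return  # protected endpoint does not act on the announcement
        self.table[sender_ip] = mac  # simplification: all other ARP traffic is trusted

def demo(garp_protection):
    """Replay constructed traffic: a normal reply from the gateway, then a gratuitous ARP."""
    cache = ArpCache(garp_protection)
    cache.handle(build_arp(2, "02:00:00:00:00:01", "192.0.2.1", "192.0.2.50"))
    cache.handle(build_arp(2, "02:00:00:00:00:99", "192.0.2.1", "192.0.2.1"))
    return cache.table, cache.alerts

if __name__ == "__main__":
    for setting in (False, True):
        print("GARP protection", setting, demo(setting))
```

A legitimate gateway failover of the kind described above raises the same alert, so the logged change is a prompt to verify the new MAC address rather than proof of an attack.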

About Behzad Munir

Behzad Munir, P.Eng, is a Voice Solutions Consultant working in Toronto, Canada
