Trigger a Gratuitous ARP (GARP) from a Palo Alto Networks Device
Resolution
Overview
Gratuitous ARP (GARP) is an unsolicited ARP frame a host broadcasts to update the ARP tables of the other hosts in its broadcast domain when its IP-to-MAC mapping has changed. Other uses of GARP include detecting duplicate IP addresses and announcing the new owner of an address after an HA failover.
Details
In situations where there is no control over the upstream devices, a CLI command can be used to update the ARP table of connected Layer 3 devices that do not refresh their ARP tables on their own. The following command sends a gratuitous ARP for an IP address out of a specific interface:
> test arp gratuitous ip <ip/netmask> interface <interface name>
Example
The following is an example of an interface details listing:
> show interface ethernet1/3
---------------------------------------------------------------------------
Name: ethernet1/3, ID: 18
Link status:
Runtime link speed/duplex/state: 1000/full/up
Configured link speed/duplex/state: auto/auto/auto
MAC address:
Port MAC address 00:1b:17:09:21:12
Operation mode: layer3
Untagged sub-interface support: no
---------------------------------------------------------------------------
Name: ethernet1/3, ID: 18
Operation mode: layer3
Virtual router default
Interface MTU 1500
Interface IP address: 10.66.24.67/23
To update the ARP tables of hosts connected to ethernet1/3 with the mapping of its interface IP address 10.66.24.67 (subnet 10.66.24.0/23) to its MAC address 00:1b:17:09:21:12, run the following CLI command:
> test arp gratuitous ip 10.66.24.67 interface ethernet1/3
1 ARPs were sent
PCAP details:
Ethernet II, Src: PaloAlto_09:21:12 (00:1b:17:09:21:12), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Destination: Broadcast (ff:ff:ff:ff:ff:ff)
Source: PaloAlto_09:21:12 (00:1b:17:09:21:12)
Type: ARP (0x0806)
Address Resolution Protocol (request/gratuitous ARP)
Hardware type: Ethernet (1)
Protocol type: IP (0x0800)
Hardware size: 6
Protocol size: 4
Opcode: request (1)
[Is gratuitous: True]
Sender MAC address: PaloAlto_09:21:12 (00:1b:17:09:21:12)
Sender IP address: 10.66.24.67 (10.66.24.67)
Target MAC address: Broadcast (ff:ff:ff:ff:ff:ff)
Target IP address: 10.66.24.67 (10.66.24.67)
NAT Scenario Example
Any IP address within the interface's subnet (10.66.24.0/23 here) can be used with the test arp gratuitous command to force a refresh of the IP-to-MAC mapping on connected Layer 3 devices. Two caveats apply. First, most hosts only overwrite an ARP cache entry that already exists when they receive a gratuitous ARP (Linux with the default arp_accept=0, for example, does not create a new entry from one), so the command repairs a stale mapping but does not populate an empty one. Second, only announce addresses the firewall actually answers for, such as its interface IP or the destination of a NAT rule: a gratuitous ARP for an address owned by another host redirects that host's traffic to the firewall, which is exactly the mechanism ARP spoofing relies on. A typical scenario for the command is an inbound NAT configuration on a Palo Alto Networks firewall.
The following is the destination NAT rule configured to translate traffic for IP 10.66.24.139, received on interface ethernet1/3, to an internal IP of 192.168.67.5:
> show running nat-policy
Inbound-NAT {
from untrust-L3;
source any;
to untrust-L3;
to-interface ;
destination 10.66.24.139;
service any/any/any;
translate-to "dst: 192.168.67.5";
}
To update the ARP tables of connected hosts so that IP address 10.66.24.139 (the destination in the NAT rule above) maps to the ethernet1/3 MAC address 00:1b:17:09:21:12, run the CLI command as follows:
> test arp gratuitous ip 10.66.24.139 interface ethernet1/3
ARPs were sent
PCAP details:
Ethernet II, Src: PaloAlto_09:21:12 (00:1b:17:09:21:12), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Destination: Broadcast (ff:ff:ff:ff:ff:ff)
Source: PaloAlto_09:21:12 (00:1b:17:09:21:12)
Type: ARP (0x0806)
Address Resolution Protocol (request/gratuitous ARP)
Hardware type: Ethernet (1)
Protocol type: IP (0x0800)
Hardware size: 6
Protocol size: 4
Opcode: request (1)
[Is gratuitous: True]
Sender MAC address: PaloAlto_09:21:12 (00:1b:17:09:21:12)
Sender IP address: 10.66.24.139 (10.66.24.139)
Target MAC address: Broadcast (ff:ff:ff:ff:ff:ff)
Target IP address: 10.66.24.139 (10.66.24.139)
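The two captures above show what a gratuitous ARP from the firewall looks like on the wire: an ARP request to the broadcast MAC in which the sender and target protocol addresses are identical. The following added example, which is not part of the original article or of PAN-OS, builds that frame byte for byte from the values in the captures, parses it back, and models how a receiving host treats it: an existing cache entry for the announced IP is overwritten, while a host that has no entry for that IP ignores the frame (the default Linux behaviour, arp_accept=0). The MAC and IP values are the ones shown in the captures; the cache contents are constructed for the example.

```python
import struct
from dataclasses import dataclass

ETH_TYPE_ARP = 0x0806
BROADCAST = "ff:ff:ff:ff:ff:ff"
ARP_REQUEST = 1


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_garp(sender_mac: str, sender_ip: str) -> bytes:
    """Ethernet II + ARP request as seen in the captures: broadcast destination,
    sender IP equal to target IP, target MAC set to the broadcast address."""
    eth = mac_bytes(BROADCAST) + mac_bytes(sender_mac) + struct.pack("!H", ETH_TYPE_ARP)
    # hardware type Ethernet (1), protocol IPv4 (0x0800), hlen 6, plen 4, opcode request
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REQUEST)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(BROADCAST) + ip_bytes(sender_ip)
    return eth + arp  # 14 + 8 + 20 = 42 bytes


@dataclass
class ArpFrame:
    dst_mac: str
    src_mac: str
    opcode: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str

    @property
    def is_gratuitous(self) -> bool:
        # Sender and target protocol addresses are equal: the core of the
        # heuristic behind Wireshark's "[Is gratuitous: True]" annotation.
        return self.sender_ip == self.target_ip


def parse_arp(frame: bytes) -> ArpFrame:
    """Decode an Ethernet II + IPv4-over-Ethernet ARP frame; raise on anything else."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    dst, src = frame[0:6], frame[6:12]
    (etype,) = struct.unpack("!H", frame[12:14])
    if etype != ETH_TYPE_ARP:
        raise ValueError(f"not ARP: ethertype 0x{etype:04x}")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    body = frame[22:42]
    return ArpFrame(mac_str(dst), mac_str(src), op,
                    mac_str(body[0:6]), ip_str(body[6:10]),
                    mac_str(body[10:16]), ip_str(body[16:20]))


def update_cache(cache: dict, frame: ArpFrame, create_missing: bool = False):
    """Model a receiving host's ARP cache. A gratuitous ARP overwrites an existing
    entry for the sender IP; with create_missing=False (Linux arp_accept=0) an
    unknown IP is ignored. Returns (previous_mac, changed) so a monitor can flag
    a mapping that moved to a different MAC."""
    if not frame.is_gratuitous:
        return None, False
    old = cache.get(frame.sender_ip)
    if old is None and not create_missing:
        return None, False
    cache[frame.sender_ip] = frame.sender_mac
    return old, old != frame.sender_mac


def demo():
    # Values from the NAT scenario capture; the stale cache entry is constructed.
    frame = parse_arp(build_garp("00:1b:17:09:21:12", "10.66.24.139"))
    stale = {"10.66.24.139": "00:00:5e:00:01:01"}   # constructed: old upstream MAC
    empty = {}
    return frame, update_cache(stale, frame), stale, update_cache(empty, frame), empty


if __name__ == "__main__":
    f, refreshed, stale, ignored, empty = demo()
    print(f"gratuitous={f.is_gratuitous} opcode={f.opcode} dst={f.dst_mac}")
    print(f"stale entry refreshed: {refreshed} -> {stale}")
    print(f"host without entry: {ignored} -> {empty}")
```

Feeding the 42-byte output of build_garp to a capture tool reproduces the Wireshark dissection shown above; the update_cache model is what makes the earlier caveat concrete: the firewall's GARP fixes a stale entry on the upstream router but does nothing for a host that never learned the address.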
owner: akawimandan