Cisco – Gratuitous ARP: Disabling / Blocking / Ignoring / Spoofing

Send, clear, ignore and spoof ARP. Know how to truly disable the processing of gratuitous ARP in a Cisco router.

Getting started

Here we have a simple topology with Kali Linux (running Wireshark) connected to a Cisco 3725:

Current ARP table in the router:

We see only the router itself is in its own ARP table.

Send an unsolicited (gratuitous) ARP

Let’s manually shoot out a single unsolicited ARP “reply” (using arping) to the router from the Linux client:

Wireshark on the Linux client shows the action:

“debug arp” on the router also shows some action:

Let’s check the router’s ARP table now with “sh arp”:

Ok, we see the Linux client now. The router accepted the gratuitous/unsolicited ARP “reply”.

Clear the ARP entry

Let’s attempt to clear the ARP entry:

Interesting! The router automatically sent an ARP request when we attempted “clear ip arp” and immediately added it back to its ARP table:

Let’s just clear it again with Linux disconnected:

There we go!

Ignore the gratuitous ARP “replies”

Now let’s add “ip arp gratuitous none” to our global configuration to ignore these unsolicited ARP “replies”:

Now let’s fire off that unsolicited ARP “reply” from Linux again:

We can see our router received it and ignored it:

Even when we clear the ARP entry, the router ignores the response to its own ARP request:

Be aware:

FYI: “no ip gratuitous-arps” applies only to PPP/SLIP peer addresses; as you can see, it has no effect here:

To prove the router is vulnerable to a malicious sender, let’s use arpspoof:

Poof, we can poison the table all we want:

To prove “ip arp gratuitous none” guards us against this threat, let’s do the exact same attack with it applied:

As you can see, the gratuitous ARP was ignored and our table is still squeaky clean:

Mission accomplished.
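To make the mechanics above concrete, here is an added example (not part of the original post and not Cisco code): a small Python parser for Ethernet/ARP frames that recognises a gratuitous ARP (sender and target IP are the same), and a toy ARP cache that either learns from such announcements (the router’s default) or drops them, the way “ip arp gratuitous none” does. The MAC and IP addresses and the three sample frames are constructed in memory for the demonstration; nothing is sent on the wire.

```python
import struct
from typing import Dict, List, Optional, Tuple

# Added example, not from the original post. All addresses below are constructed.
ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp_frame(op: int, sha: str, spa: str, tha: str, tpa: str,
                    eth_dst: str = BROADCAST) -> bytes:
    """Build an Ethernet II + ARP (IPv4 over Ethernet) frame in memory.
    Only used to construct sample input for the parser; nothing is transmitted."""
    eth = mac_to_bytes(eth_dst) + mac_to_bytes(sha) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)  # htype, ptype, hlen, plen, oper
    arp += mac_to_bytes(sha) + ip_to_bytes(spa) + mac_to_bytes(tha) + ip_to_bytes(tpa)
    return eth + arp


def parse_arp_frame(frame: bytes) -> Optional[dict]:
    """Return the ARP fields of a frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42:
        return None
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_dst": mac_str(eth_dst), "eth_src": mac_str(eth_src), "op": op,
            "sha": mac_str(sha), "spa": ip_str(spa), "tha": mac_str(tha), "tpa": ip_str(tpa)}


def is_gratuitous(arp: dict) -> bool:
    """A gratuitous ARP announces the sender's own address: sender IP == target IP.
    It can be carried as a request or as a reply; the address test is the same."""
    return arp["spa"] == arp["tpa"]


class ArpTable:
    """Simplified ARP cache. ignore_gratuitous=True mimics a router configured with
    "ip arp gratuitous none": unsolicited announcements never touch the table.
    Non-gratuitous packets always update the sender mapping (a simplification).
    Any MAC change for an already known IP is recorded as a conflict."""

    def __init__(self, ignore_gratuitous: bool = False):
        self.ignore_gratuitous = ignore_gratuitous
        self.entries: Dict[str, str] = {}   # ip -> mac
        self.conflicts: List[str] = []

    def observe(self, frame: bytes) -> str:
        arp = parse_arp_frame(frame)
        if arp is None:
            return "not-arp"
        if is_gratuitous(arp) and self.ignore_gratuitous:
            return "ignored-gratuitous"
        return self._learn(arp["spa"], arp["sha"])

    def _learn(self, ip: str, mac: str) -> str:
        old = self.entries.get(ip)
        self.entries[ip] = mac
        if old is None:
            return "learned"
        if old != mac:
            self.conflicts.append(f"{ip} changed from {old} to {mac}")
            return "conflict"
        return "unchanged"


# Constructed lab addresses (hypothetical, not from the post).
ROUTER_IP, ROUTER_MAC = "10.0.0.1", "00:11:22:33:44:01"
LINUX_IP, LINUX_MAC = "10.0.0.10", "00:11:22:33:44:0a"
ROGUE_MAC = "de:ad:be:ef:00:01"

# Constructed traffic mirroring the post: a benign announcement from the Linux host,
# a forged announcement claiming the Linux host's IP for another MAC, then a normal
# (solicited, non-gratuitous) reply from the real Linux host to the router.
SAMPLE_FRAMES = [
    build_arp_frame(ARP_REPLY, LINUX_MAC, LINUX_IP, BROADCAST, LINUX_IP),
    build_arp_frame(ARP_REPLY, ROGUE_MAC, LINUX_IP, BROADCAST, LINUX_IP),
    build_arp_frame(ARP_REPLY, LINUX_MAC, LINUX_IP, ROUTER_MAC, ROUTER_IP, eth_dst=ROUTER_MAC),
]


def run(ignore_gratuitous: bool) -> Tuple[List[str], Dict[str, str], List[str]]:
    """Feed the sample frames to a table and return (per-frame results, entries, conflicts)."""
    table = ArpTable(ignore_gratuitous)
    table.entries[ROUTER_IP] = ROUTER_MAC  # the router always knows its own address
    results = [table.observe(f) for f in SAMPLE_FRAMES]
    return results, dict(table.entries), list(table.conflicts)


if __name__ == "__main__":
    for flag in (False, True):
        label = "ip arp gratuitous none" if flag else "default"
        print(label, *run(flag), sep="\n  ")
```

In the default run the forged announcement overwrites the Linux entry and the later legitimate reply flips it back, so the table records two conflicts, which is the flip-flopping you would look for in logs or with “debug arp”. With the ignore flag both announcements are dropped and the only entry for the Linux host comes from the solicited reply.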
