Send, clear, ignore and spoof ARP. Know how to truly disable the processing of gratuitous ARP in a Cisco router.
Getting started
Here we have a simple topology with Kali Linux (running Wireshark) connected to a Cisco 3725:
Current ARP table in the router:
We see only the router itself is in its own ARP table.
Send an unsolicited (gratuitous) ARP
Let’s manually shoot out a single unsolicited ARP “reply” (using arping) to the router from the Linux client:
Wireshark on the Linux client shows the action:
“debug arp” on the router also shows some action:
Let’s check the router’s ARP table now with “sh arp“:
Ok, we see the Linux client now. The router accepted the gratuitous/unsolicited ARP “reply”.
Clear the ARP entry
Let’s attempt to clear the ARP entry:
Interesting! The router automatically sent an ARP request when we attempted “clear ip arp 10.2.1.30” and immediately added it back to its ARP table:
Let’s just clear it again with Linux disconnected:
There we go!
Ignore the gratuitous ARP “replies”
Now let’s add “ip arp gratuitous none” to our global configuration to ignore these unsolicited ARP “replies”:
Now let’s fire off that unsolicited ARP “reply” from Linux again:
We can see our router received it and ignored it!:
Even when we clear the ARP entry, the router ignores the response to its own ARP request!:
Be aware:
FYI: “no ip gratuitous-arps” is only applicable to PPP/SLIP peer addresses, you can see it has no effect:
To prove the vulnerability to malicious intent, let’s use arpspoof:
Poof, we can poison the table all we want:
To prove “ip arp gratuitous none” guards us against this threat, let’s do the exact same attack with it applied:
As you can see, the gratuitous ARP was ignored and our table is still squeaky clean:
Mission accomplished.