VMware use of Gratuitous ARP REPLY
- by trs80
I have an ESXi cluster that hosts several Windows Server VMs and around 30 Windows workstation VMs. Packet captures show a high number of ARP replies of the form:
- sender_ip: VM IP
- sender_mac: VM virtual MAC
- target_ip: 0.0.0.0
- target_mac: Switch interface MAC
The specific addresses aren't really a concern -- they're all legitimate and we're not having any problems with communications (most of the questions surrounding GARP and VMware have to do with ping issues, a problem we don't have). I'm looking for an explanation of the traffic pattern in an environment that functions as expected.
So the question is why would I see a high number of unsolicited ARP replies? Is this a mechanism VMware uses for some purpose? What is it? Is there an alternative?
EDIT:
Quick diagram:
[esxi]--[switch vlan]--[inline IDS]--[fw]--(rest of network)
The IDS is complaining about these unsolicited ARPs. Several IDS vendors trigger on ARP replies without a prior request, or for ARP replies that have a target IP of 0.0.0.0.
The target MAC in these replies is the VLAN interface on the switch.
Capture points:
- The IDS grabs the offending packets
- The FW can see the same ones
- A VM on the ESXi host does not see these, although there is an ARP request for a specific IP on the ESXi host that has source_ip=0.0.0.0 and source_mac=[switch vlan interface].
I can't share the captures, unfortunately.
Really I'm interested in finding out if this is normal for an ESXi deployment.
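
The following is an added example, not part of the original post: it correlates ARP replies with earlier requests, which is the check behind the "reply without a prior request" alert described above. Per RFC 826 a reply copies the requester's sender fields into its target fields, so a reply with target_ip 0.0.0.0 is what a host returns to a request whose sender IP was 0.0.0.0. The MAC and IP addresses, the 2-second window and the verdict names are assumptions made for the sample.

```python
import struct
from ipaddress import IPv4Address

ARP_FMT = "!HHBBH6s4s6s4s"  # RFC 826 body for Ethernet/IPv4, 28 bytes

def build(op, smac, sip, tmac, tip):
    """Pack an ARP body; used only to construct the sample capture below."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op, mac(smac),
                       IPv4Address(sip).packed, mac(tmac), IPv4Address(tip).packed)

def parse_arp(body):
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, body[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP body")
    return {"op": op, "sender_mac": sha.hex(":"), "sender_ip": str(IPv4Address(spa)),
            "target_mac": tha.hex(":"), "target_ip": str(IPv4Address(tpa))}

def classify_replies(packets, window=2.0):
    """packets: (timestamp, arp_body) tuples in capture order.
    Returns (timestamp, sender_ip, verdict) for every ARP reply."""
    pending = {}  # (requester_mac, requester_ip, queried_ip) -> request time
    verdicts = []
    for ts, body in packets:
        a = parse_arp(body)
        if a["op"] == 1:    # request: remember who asked for which IP
            pending[(a["sender_mac"], a["sender_ip"], a["target_ip"])] = ts
        elif a["op"] == 2:  # reply: its target fields echo the requester
            asked = pending.pop((a["target_mac"], a["target_ip"], a["sender_ip"]), None)
            if asked is None or ts - asked > window:
                verdict = "unsolicited"
            elif a["target_ip"] == "0.0.0.0":
                verdict = "answers-request-from-0.0.0.0"
            else:
                verdict = "solicited"
            verdicts.append((ts, a["sender_ip"], verdict))
    return verdicts

# Constructed sample (not from the post's captures): documentation-range IPs, made-up MACs.
SWITCH, VM1, VM2, ZERO = "02:00:00:00:00:01", "02:00:00:00:00:0a", "02:00:00:00:00:0b", "00:00:00:00:00:00"
SAMPLE = [
    (0.000, build(1, SWITCH, "0.0.0.0", ZERO, "192.0.2.10")),  # request, sender IP 0.0.0.0
    (0.001, build(2, VM1, "192.0.2.10", SWITCH, "0.0.0.0")),   # matching reply
    (5.000, build(2, VM2, "192.0.2.11", SWITCH, "0.0.0.0")),   # reply with no request seen
]

if __name__ == "__main__":
    for row in classify_replies(SAMPLE):
        print(row)
```

The result depends on the capture point: a sensor that never sees the request will classify the matching reply as unsolicited.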