OS UPDATING ARP TABLES (VRRP,ARP_ACCEPT,GARP,ARP-SPOOFING,DHCP-SNOOPING)

Network admins also use always 2 Load-Balancers , 2 Firewalls etc for redundancy.
My company use F5 Load Balancers and Checkpoint firewalls.
Sometimes at network operations, service may switch from one load-balancer to another, or from one firewall to another.
Such switching makes MAC adress change for same network device IP address. 
Network admins tell that, in fact there is a technology called VRRP for using same MAC address at such switching issues but neither F5 nor Checkpoint did not implement it in its firmware, so they cant do anything for using same MAC adress.
When such MAC address changes occur, network devices issue GARP packages advertising MAC changes.
Operating Systems are requested to accept and implement such ARP changes in their ARP table.
Linux has a parameter for this. It is called ARP_ACCEPT.
It may be considered also as a security issue for ARP-Spoofing like attacks. (e,g: man-in-the-middle attack )
My company uses DHCP-snooping to prevent ARP-Spoofing so network admins offered us to enable ARP_ACCEPT and we enabled it.
Below is sample result after a MAC adress change issue.

				Feel free to communicate by bulent.yucesoy@gmail.com


[server1]~#ip -s neigh | grep 1.1.1.2
1.1.1.2 dev eth0  ref 3 used 0/159/0 FAILED
[server1]~#

[server1]~#ping  1.1.1.2
PING 1.1.1.2 (1.1.1.2) 56(84) bytes of data.
From 1.1.1.3 icmp_seq=2 Destination Host Unreachable
From 1.1.1.3 icmp_seq=3 Destination Host Unreachable
From 1.1.1.3 icmp_seq=4 Destination Host Unreachable


--- 1.1.1.2 ping statistics ---
5 packets transmitted, 0 received, +4 errors, 100% packet loss, time 11002ms, pipe 4
[server1]~#

[server1]~#sysctl -w net.ipv4.conf.sit0.arp_accept=1
[server1]~#sysctl -w net.ipv4.conf.eth1.arp_accept=1
[server1]~#sysctl -w net.ipv4.conf.eth0.arp_accept=1
[server1]~#sysctl -w net.ipv4.conf.lo.arp_accept=1
[server1]~#sysctl -w net.ipv4.conf.default.arp_accept=1
[server1]~#sysctl -w net.ipv4.conf.all.arp_accept=1


[server1]~#ip -s neigh | grep 1.1.1.2
1.1.1.2 dev eth0 lladdr 00:0a:49:d0:32:04 ref 4 used 1/1/1 REACHABLE
[server1]~#ping  1.1.1.2
PING 1.1.1.2 (1.1.1.2) 56(84) bytes of data.
64 bytes from 1.1.1.2: icmp_seq=1 ttl=255 time=0.140 ms
64 bytes from 1.1.1.2: icmp_seq=2 ttl=255 time=0.092 ms
64 bytes from 1.1.1.2: icmp_seq=3 ttl=255 time=0.116 ms

--- 1.1.1.2 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2001ms
rtt min/avg/max/mdev = 0.092/0.116/0.140/0.019 ms
[server1]~#