Preventing ARP Flux on Linux
ARP, the Address Resolution Protocol, is used on an Ethernet network to map IP addresses to hardware (MAC) addresses. By default, a Linux box with several network interfaces will respond to ARP requests received on any interface for any of the IP addresses configured on any of its interfaces. Here is an example: let's assume we have a box with two interfaces A (MAC 00:00:00:AA:AA:AA) and B (MAC 00:00:00:BB:BB:BB). Interface A is configured with the IP address 172.16.0.1 and B with 172.16.0.2. Thus, both interfaces are attached to the same segment.
We use arping to query for the hardware address of the IP address 172.16.0.1 and expect to get the MAC address 00:00:00:AA:AA:AA of interface A in return.
[root@nugger]# arping -I eth0 172.16.0.1
ARPING 172.16.0.1 from 172.16.0.99 eth0
Unicast reply from 172.16.0.1 [00:00:00:AA:AA:AA]  7.889ms
Unicast reply from 172.16.0.1 [00:00:00:BB:BB:BB]  8.014ms
[root@nugger]# arping -I eth0 172.16.0.2
ARPING 172.16.0.2 from 172.16.0.99 eth0
Unicast reply from 172.16.0.2 [00:00:00:AA:AA:AA]  6.612ms
Unicast reply from 172.16.0.2 [00:00:00:BB:BB:BB]  8.991ms
Instead, each query is answered by both interfaces, so we get the MACs of A and B alternating. You can tune this behavior using the arp_ignore and arp_announce sysctl settings, documented in the kernel's ip-sysctl.txt as follows:
arp_ignore - INTEGER
    Define different modes for sending replies in response to
    received ARP requests that resolve local target IP addresses:
    0 - (default): reply for any local target IP address, configured
        on any interface
    1 - reply only if the target IP address is local address
        configured on the incoming interface
    2 - reply only if the target IP address is local address
        configured on the incoming interface and both with the
        sender's IP address are part from same subnet on this interface
    3 - do not reply for local addresses configured with scope host,
        only resolutions for global and link addresses are replied

arp_announce - INTEGER
    Define different restriction levels for announcing the local
    source IP address from IP packets in ARP requests sent on
    interface:
    0 - (default) Use any local address, configured on any interface
    ...
    2 - Always use the best local address for this target.
        In this mode we ignore the source address in the IP packet
        and try to select local address that we prefer for talks with
        the target host. Such local address is selected by looking
        for primary IP addresses on all our subnets on the outgoing
        interface that include the target IP address. If no suitable
        local address is found we select the first local address
        we have on the outgoing interface or on all other interfaces,
        with the hope we will receive reply for our request and
        even sometimes no matter the source IP address we announce.
Setting net.ipv4.conf.all.arp_ignore=1 and net.ipv4.conf.all.arp_announce=2 in /etc/sysctl.conf provides adequate settings. However, you should check whether these settings work in your network environment, especially if you depend on reaching an IP address through an interface other than the one it is assigned to.
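As an added example (not part of the original post), the following POSIX shell audit computes the effective arp_ignore and arp_announce per interface the way the kernel does (the maximum of conf/all and conf/<iface>) and flags interfaces that are still exposed to ARP flux. The optional root directory argument is an assumption of this example so that a copied /proc/sys tree can be audited offline.

```shell
#!/bin/sh
# Audit effective ARP flux protection per interface.
# Linux applies max(conf/all/X, conf/<iface>/X) for both arp_ignore and
# arp_announce, so an interface is only protected when that maximum
# reaches 1 for arp_ignore and 2 for arp_announce.

# effective_value ROOT IFACE NAME: print max(conf/all/NAME, conf/IFACE/NAME)
effective_value() {
    all=$(cat "$1/net/ipv4/conf/all/$3")
    dev=$(cat "$1/net/ipv4/conf/$2/$3")
    if [ "$dev" -gt "$all" ]; then echo "$dev"; else echo "$all"; fi
}

# arp_flux_audit [ROOT]: ROOT defaults to /proc/sys (the live kernel);
# any other directory with the same layout is accepted for offline review.
# Prints one line per interface at risk; the return value is the number
# of such interfaces (0 means every interface is protected).
arp_flux_audit() {
    root=${1:-/proc/sys}
    at_risk=0
    for dir in "$root"/net/ipv4/conf/*/; do
        iface=$(basename "$dir")
        # 'all' and 'default' are not interfaces; loopback never floods a segment
        case "$iface" in all|default|lo) continue ;; esac
        ignore=$(effective_value "$root" "$iface" arp_ignore)
        announce=$(effective_value "$root" "$iface" arp_announce)
        if [ "$ignore" -lt 1 ] || [ "$announce" -lt 2 ]; then
            echo "$iface: arp_ignore=$ignore arp_announce=$announce -> may exhibit ARP flux"
            at_risk=$((at_risk + 1))
        fi
    done
    return "$at_risk"
}

# Usage on a running system: arp_flux_audit
```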