VMWare use of Gratuitous ARP REPLY

I have an ESXi cluster that hosts several Windows Server VMs and around 30 Windows workstation VMs. Packet captures show a high number of ARP replies of the form:
-sender_ip: VM IP
-sender_mac: VM virtual MAC
-target_mac: Switch interface MAC

The specific addresses aren’t really a concern — they’re all legitimate and we’re not having any problems with communications (most of the questions surrounding GARP and VMWare have to do with ping issues, a problem we don’t have). I’m looking for an explanation of the traffic pattern in an environment that functions as expected.

So the question is why would I see a high number of unsolicited ARP replies? Is this a mechanism VMWare uses for some purpose? What is it? Is there an alternative?

Quick diagram:
[esxi]–[switch vlan]–[inline IDS]–[fw]–(rest of network)

The IDS is complaining about these unsolicited ARPs. Several IDS vendors trigger on ARP replies without a prior request, or for ARP replies that have a target IP of

The target MAC in these replies is the VLAN interface on the switch.

Capture points:
-The IDS grabs the offending packets
-The FW can see the same ones
-A VM on the ESXi host does not see these, although there is an ARP request for a specific IP on the ESXi host that has source_ip= and source_mac=[switch vlan interface].

I can’t share the captures, unfortunately.

Really I’m interested in finding out if this is normal for an ESXi deployment.


Source : Link , Question Author : trs80 , Answer Author : Community

Leave a Comment