IP Phone and Gratuitous ARP

Unanswered Question
Aug 4th, 2008

Hi, I am a little confused. Will enabling GARP on the phone increase security and prevent attacks, or will disabling it?

From the text below, which I copied from the link http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/srnd/4x/42scurty.html#wp1044160, it seems that enabling GARP will enable the phone to prevent attacks. But the CM phone help page on CM4.2 shows that disabling it is the right way to prevent attacks. Please clarify for me. Thanks

Gratuitous ARP

Just like any other data device on the network, the phones are vulnerable to traditional data attacks. The phones have features to prevent some of the common data attacks that can occur on a corporate network. One such feature is Gratuitous ARP (Gratuitous Address Resolution Protocol, or GARP). This feature helps to prevent man-in-the-middle (MITM) attacks to the phone. A MITM attack involves an attacker who tricks an end station into believing that he is the router and tricks the router into believing that he is the end station. This scheme makes all the traffic between the router and the end station travel through the attacker, thus enabling the attacker to log all of the traffic or inject new traffic into the data conversation.

Gratuitous ARP helps protect the phones from having an attacker capture the signaling and RTP voice streams from the phone if the attacker was able to get onto the voice segment of the network. This feature protects only the phones; it does not protect the rest of the infrastructure from a Gratuitous ARP attack. This feature is of less importance if you are running a Cisco infrastructure because the switch port provides features that protect both the phones and the network gear. For a description of these switch port features see the section on Switch Port.

rob.huffman Mon, 08/04/2008 - 12:18

Hi CF,

Disabling the Gratuitous ARP Setting

By default, Cisco Unified IP Phones accept Gratuitous ARP packets. Gratuitous ARP packets, which devices use, announce the presence of the device on the network. However, attackers can use these packets to spoof a valid network device; for example, an attacker could send out a packet that claims to be the default router. If you choose to do so, you can disable Gratuitous ARP in the Phone Configuration window.


Note: Disabling this functionality does not prevent the phone from identifying its default router.

Cisco Unified CallManager Security Guide, Release 5.1(3)

Phone Hardening


Hope this helps!
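A detection-side example of the risk described in the reply above, added here and not taken from Cisco's documentation or from either poster: it parses raw Ethernet frames and flags gratuitous ARP packets (sender IP equal to target IP) whose sender MAC conflicts with a trusted IP-to-MAC binding. The gateway address, the MAC addresses and all function names are constructed for illustration.

```python
import socket
import struct

# Constructed binding for illustration: the voice VLAN's default router.
TRUSTED = {"10.10.20.1": "00:11:22:33:44:55"}

def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def parse_arp(frame: bytes):
    """Return ARP fields from an Ethernet II frame, or None if it is not IPv4 ARP."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op,
            "eth_src": _mac(frame[6:12]),
            "sha": _mac(frame[22:28]),              # sender hardware address
            "spa": socket.inet_ntoa(frame[28:32]),  # sender protocol address
            "tpa": socket.inet_ntoa(frame[38:42])}  # target protocol address

def classify(frame: bytes, trusted=TRUSTED) -> str:
    """Label a frame; only gratuitous ARP (spa == tpa) is examined further."""
    arp = parse_arp(frame)
    if arp is None:
        return "not-arp"
    if arp["spa"] != arp["tpa"]:
        return "ordinary-arp"
    known = trusted.get(arp["spa"])
    if known is not None and known != arp["sha"]:
        return "gratuitous-conflict"   # claims a trusted IP with a different MAC
    if arp["eth_src"] != arp["sha"]:
        return "gratuitous-mismatch"   # Ethernet source differs from ARP sender MAC
    return "gratuitous-ok"

def make_frame(op, sha, spa, tpa, eth_src=None):
    """Build a constructed sample frame in memory (broadcast destination)."""
    hw = bytes.fromhex(sha.replace(":", ""))
    src = bytes.fromhex((eth_src or sha).replace(":", ""))
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + hw + socket.inet_aton(spa)
           + b"\x00" * 6 + socket.inet_aton(tpa))
    return b"\xff" * 6 + src + b"\x08\x06" + arp

if __name__ == "__main__":
    sample = make_frame(2, "de:ad:be:ef:00:01", "10.10.20.1", "10.10.20.1")
    print(classify(sample))
```
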


