ARP – Will ARP Poison Attack Work in the WAN?

Gratuitous ARP is a sort of "advance notification", it updates the ARP cache of other systems before they ask for it (no ARP request) or to update outdated information.

When talking about gratuitous ARP, the packets are actually special ARP request packets, not ARP reply packets as one would perhaps expect. Some reasons for this are explained in RFC 5227.

The gratuitous ARP packet has the following characteristics:

• Both source and destination IP in the packet are the IP of the host issuing the gratuitous ARP
• The destination MAC address is the broadcast MAC address (ff:ff:ff:ff:ff:ff)
  • This means the packet will be flooded to all ports on a switch
• No reply is expected

Gratuitous ARP is used for some reasons:

• Update ARP tables after a MAC address for an IP changes (failover, new NIC, etc.)
• Update MAC address tables on L2 devices (switches) that a MAC address is now on a different port
• Send gratuitous ARP when interface goes up to notify other hosts about new MAC/IP bindings in advance so that they don't have to use ARP requests to find out
• When a reply to a gratuitous ARP request is received you know that you have an IP address conflict in your network

As for the second part of your question, HSRP, VRRP etc. use gratuitous ARP to update the MAC address tables on L2 devices (switches). Also there is the option to use the burned-in MAC address for HSRP instead of the "virtual"one. In that case the gratuitous ARP would also update the ARP tables on L3 devices/hosts.

The RFC doesn't address your second scenario. The reason for this is that Host C sending to Host A may not be on the same network as Host A. Host A having an ARP cache entry in that case doesn't make sense since Host A will never look for Host C in its ARP cache. Host A will always know Host C is not on its network, so it will always look for its own gateway's entry in its ARP cache when it wants to send to Host C.

There may be implementations that do what you what you describe, but it is not addressed by the standard, and it would seem to waste ARP cache memory.