ARP Problem

Unanswered Question
May 21st, 2010

Hi all,

This is kind of a continuation of another one of my problems but I feel it has moved on so am starting another thread.

I have two routers 192.168.1.5 and 192.168.1.6

And 3 L3 Switches 192.168.1.1, .2, & .3

192.168.1.1 can ping everything but 192.168.1.6


192.168.1.2 can ping everything

192.168.1.3 can ping everything but 192.168.1.6 which is directly connected (via a transparent firewall)

192.168.1.5 is also transparently firewalled and connected to 192.168.1.1

Outside of these devices (outside of this subnet) all 192.168.1-6 addresses are reachable.

So it's like 192.168.1.1 and .3 are switching packets correctly for anything that wants to reach .6 but themselves are not able to ARP .6

I have attached a topology of how this is all set up and the way the traffic should flow through the firewalls.

milan.kulik Fri, 05/21/2010 - 06:09

Hi,

which switch model are you using?

IMHO, the problem could be the following:

Most of Cisco switches are using the same MAC source address in all VLANs.

So when your switch 192.168.1.3 is sending an ARP request to the 192.168.1.6 router, it sends it as a broadcast out from the port in VLAN1 with some source MAC address.

The L2 FW forwards it to the VLAN3 port and the switch broadcasts the frame out of all remaining VLAN3 ports, i.e., delivers it to the 192.168.1.6 router correctly.

When the router replies with its ARP reply though, the destination MAC address is the unicast MAC address received from the original ARP request frame.

When the ARP reply frame appears on the switch VLAN3 port, the switch recognizes that frame as sent to itself (using the same MAC address in all VLANs) and does not forward the frame anywhere! (As no L3 interface is configured in VLAN3, it finally drops the ARP reply frame.)

See http://www.cisco.com/en/US/customer/products/hw/switches/ps700/products_tech_note09186a00801c9b4e.shtml#fixed

It would be interesting to capture the frames to check which MAC addresses are being used to confirm/disprove my theory.

If I'm right, I'd expect the 192.168.1.1 switch not to be able to reach the 192.168.1.5 router either, as the topology seems to be symmetric.

And I don't know why 192.168.1.1 is not able to reach 192.168.1.6. Maybe STP is playing some role, or your diagram is simplifying a more complicated real situation?

HTH,

Milan
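The following is an added worked example, not part of the thread and not code from Cisco or either poster. It models the failure Milan describes: the switch sources its ARP request with the same system MAC in every VLAN, the router's unicast ARP reply re-enters the switch on a VLAN3 port, and because the destination MAC is the switch's own address the frame is handled locally instead of being bridged, then dropped because VLAN3 has no L3 interface. All MAC addresses, IP-to-MAC mappings and the simplified switch decision logic are constructed assumptions for illustration; the frame builder and parser follow the standard Ethernet II and RFC 826 ARP layouts and can also decode frames taken from a real capture.

```python
import struct

# Constructed, hypothetical addresses for the illustration (not from the thread).
SWITCH_MAC = bytes.fromhex("001122334455")   # assumed switch system MAC, same in every VLAN
ROUTER_MAC = bytes.fromhex("66778899aabb")   # assumed MAC of the 192.168.1.6 router
BROADCAST = b"\xff" * 6
ZERO_MAC = b"\x00" * 6

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def build_arp(src_mac, dst_mac, opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Build an untagged Ethernet II frame carrying an IPv4-over-Ethernet ARP packet."""
    eth = dst_mac + src_mac + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)   # htype, ptype, hlen, plen, op
    arp += sender_mac + ip_bytes(sender_ip) + target_mac + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame):
    """Decode the Ethernet header and ARP body; works on raw bytes from a capture too."""
    dst, src = frame[0:6], frame[6:12]
    etype = struct.unpack("!H", frame[12:14])[0]
    if etype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    off = 22
    sha, off = frame[off:off + hlen], off + hlen
    spa, off = frame[off:off + plen], off + plen
    tha, off = frame[off:off + hlen], off + hlen
    tpa = frame[off:off + plen]
    return {"dst": mac_str(dst), "src": mac_str(src), "op": op,
            "sha": mac_str(sha), "spa": ".".join(map(str, spa)),
            "tha": mac_str(tha), "tpa": ".".join(map(str, tpa))}


def switch_ingress(frame, ingress_vlan, switch_mac, svi_vlans):
    """Simplified, hypothetical model of the switch's ingress decision:
    a frame addressed to the switch's own MAC is taken by the switch itself rather
    than bridged; it only reaches the IP stack if the ingress VLAN has an L3 interface."""
    info = parse_arp(frame)
    if info["dst"] == mac_str(switch_mac):
        return ("punted-to-cpu" if ingress_vlan in svi_vlans else "dropped"), info
    if info["dst"] == mac_str(BROADCAST):
        return "flooded", info
    return "bridged", info


def thread_scenario(svi_vlans):
    """Replay the exchange from the thread: switch .3 ARPs for router .6, the request
    crosses the transparent firewall from VLAN1 into VLAN3, the router answers the
    unicast source MAC, and the reply re-enters the switch on a VLAN3 port."""
    request = build_arp(SWITCH_MAC, BROADCAST, ARP_REQUEST,
                        SWITCH_MAC, "192.168.1.3", ZERO_MAC, "192.168.1.6")
    req = parse_arp(request)
    # The router replies to whatever sender MAC the request carried.
    reply_dst = bytes.fromhex(req["sha"].replace(":", ""))
    reply = build_arp(ROUTER_MAC, reply_dst, ARP_REPLY,
                      ROUTER_MAC, "192.168.1.6", reply_dst, "192.168.1.3")
    return switch_ingress(reply, 3, SWITCH_MAC, svi_vlans)


if __name__ == "__main__":
    for svis in ({1}, {1, 3}):
        outcome, info = thread_scenario(svis)
        print(f"SVIs in VLANs {sorted(svis)}: ARP reply from {info['sha']} -> {outcome}")
```

Run against a real capture, the check is simply whether the destination MAC of the reply seen on the VLAN3 port equals the switch's own base MAC (the `bia` address shown by `show interfaces` on IOS); if it does, the model predicts the drop Milan describes, and the same capture taken on the VLAN1 side should show no reply arriving at all.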

Paul Wedde Fri, 05/21/2010 - 07:21

Hi Milan,

Thanks for your ideas.

.1 can speak to .5, no problems.

.2 can speak to .6

Every device outside of this subnet can speak .6

It is only .1 and .3 that can not ARP .6

.2 is able to ARP .6, route packets to it and .3 is actively and correctly switching packets through itself to .6

As far as I can tell the switching path is all clear between all these devices. It is simply the ARP that can not take place. I'm going to try applying a static ARP entry tomorrow.

The main difference between the 2 firewalls is that Firewall One on the left side of the topology is only managing the one L2 domain, whereas Firewall 2 is managing 2 Layer 2 domains and I think that perhaps somehow it is "blending" them.

milan.kulik Fri, 05/21/2010 - 07:52

Hi,

as far as I can see, the topology is quite symmetric and unless something is configured wrong (incorrect subnet mask, etc.), it should work the same way between switch1 and router1 as between switch3 and router2.

So I don't understand your FW note :-(

I suppose the triangle between the switches is using VLAN1 access ports only?

Which port is blocked by STP there?

Another theoretical possibility might be something like a unidirectional cable problem, but I suppose it would create trouble in other communication, too.

BR,

Milan
