

ARP Problem

Hi all,

This is kind of a continuation of another one of my problems, but I feel it has moved on, so I am starting another thread.

I have two routers and

And 3 L3 Switches 192.168.1, .2, & .3 can ping everything but can ping everything can ping everything but which is directly connected (via a transparent firewall) is also transparently firewalled and connected to

Outside of these devices (outside of this subnet) all 192.168.1-6 addresses are reachable.

So it's like and .3 are switching packets correctly for anything that wants to reach .6, but themselves are not able to ARP .6.

I have attached a topology of how this is all set up and the way the traffic should flow through the firewalls.


Re: ARP Problem


Which switch model are you using?

IMHO, the problem could be following:

Most Cisco switches use the same source MAC address in all VLANs.

So when your switch is sending an ARP request to the router, it sends it as a broadcast out from the port in VLAN1 with some source MAC address.

The L2 FW forwards it to the VLAN3 port and the switch broadcasts the frame out of all remaining VLAN3 ports, i.e., delivers it to the router correctly.

When the router sends its ARP reply, though, the destination MAC address is the unicast MAC address received in the original ARP request frame.

When the ARP reply frame appears on the switch's VLAN3 port, the switch recognizes that frame as sent to itself (it uses the same MAC address in all VLANs) and does not forward the frame anywhere! (As no L3 interface is configured in VLAN3, it finally drops the ARP reply frame.)


It would be interesting to capture the frames to check which MAC addresses are being used to confirm/disprove my theory.

If I'm right, I'd expect the switch not to be able to reach the router, too, as the topology seems to be symmetric.

And I don't know why is not able to reach. Maybe STP is playing some role, or is your diagram simplifying a more complicated real situation?
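The mechanism described in the reply above, as an added simulation that is not part of the original thread: a switch that uses one base MAC for every VLAN, has an SVI only in VLAN 1, and reaches a router in VLAN 3 only through a transparent firewall bridging one VLAN 1 port to one VLAN 3 port. It runs the same ARP exchange three times: with the shared base MAC and no SVI in VLAN 3 (the reply is matched as "my station" on the VLAN 3 port and dropped), with an SVI added in VLAN 3 (the reply is punted to the control plane), and with a hypothetical per-VLAN SVI MAC scheme (the reply is bridged back through the firewall and accepted in VLAN 1). All addresses, port names, the per-VLAN MAC scheme and the one-firewall topology are assumptions made for this example; treating any punt to an SVI as a successful resolution is a simplification of the model.

```python
"""Model of the ARP failure mode with a shared base MAC across VLANs.

Topology (constructed for this example): switch ports fw-v1 and host-v1 are
access ports in VLAN 1, fw-v3 and rtr are access ports in VLAN 3, and a
transparent firewall bridges fw-v1 <-> fw-v3. The router sits on port rtr.
"""
from collections import deque
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"
ROUTER_MAC, ROUTER_IP = "00:00:5e:00:53:a0", "192.168.1.6"   # constructed values
SVI_IP = "192.168.1.1"                                        # constructed value


@dataclass
class Frame:
    src: str
    dst: str
    op: str          # "request" or "reply"
    sender_ip: str
    target_ip: str


class Switch:
    def __init__(self, base_mac, svi_vlans, per_vlan_mac=False):
        self.base_mac = base_mac
        self.svi_vlans = set(svi_vlans)      # VLANs that have an L3 interface
        self.per_vlan_mac = per_vlan_mac
        self.ports = {"fw-v1": 1, "host-v1": 1, "fw-v3": 3, "rtr": 3}
        self.mac_table = {}                  # (vlan, mac) -> port
        self.arp_cache = {}                  # ip -> mac, filled when a reply reaches an SVI
        self.log = []

    def svi_mac(self, vlan):
        # Hypothetical per-VLAN scheme: last octet = VLAN id. Otherwise one MAC everywhere.
        return f"{self.base_mac[:-2]}{vlan:02x}" if self.per_vlan_mac else self.base_mac

    def is_mine(self, vlan, dst):
        # With a shared base MAC the "my station" match is global: any VLAN, any port.
        if self.per_vlan_mac:
            return vlan in self.svi_vlans and dst == self.svi_mac(vlan)
        return dst == self.base_mac

    def originate_arp(self, vlan, target_ip):
        """SVI sends an ARP request: broadcast out of every port in that VLAN."""
        req = Frame(self.svi_mac(vlan), BROADCAST, "request", SVI_IP, target_ip)
        return [(p, req) for p, v in self.ports.items() if v == vlan]

    def receive(self, port, frame):
        """Return a list of (egress_port, frame); empty when consumed or dropped."""
        vlan = self.ports[port]
        self.mac_table[(vlan, frame.src)] = port          # source learning
        if self.is_mine(vlan, frame.dst):
            if vlan in self.svi_vlans:
                if frame.op == "reply":
                    self.arp_cache[frame.sender_ip] = frame.src
                self.log.append(f"{port}: {frame.op} for our MAC accepted by VLAN {vlan} SVI")
            else:
                self.log.append(f"{port}: {frame.op} for our MAC on VLAN {vlan}, no SVI: dropped")
            return []                                     # never bridged to another port
        out = self.mac_table.get((vlan, frame.dst))
        if frame.dst == BROADCAST or out is None:         # flood within the VLAN
            return [(p, frame) for p, v in self.ports.items() if v == vlan and p != port]
        return [(out, frame)]


def router_receive(frame):
    """The router answers a request for its own IP with a unicast reply."""
    if frame.op == "request" and frame.target_ip == ROUTER_IP:
        return Frame(ROUTER_MAC, frame.src, "reply", ROUTER_IP, frame.sender_ip)
    return None


def resolve_router(switch):
    """Run the exchange: the VLAN 1 SVI ARPs for the router; return the MAC learned, or None."""
    bridge = {"fw-v1": "fw-v3", "fw-v3": "fw-v1"}        # the transparent firewall
    queue = deque(switch.originate_arp(1, ROUTER_IP))
    while queue:
        port, frame = queue.popleft()
        if port in bridge:                                # firewall bridges it back in on the other side
            queue.extend(switch.receive(bridge[port], frame))
        elif port == "rtr":
            reply = router_receive(frame)
            if reply:
                queue.extend(switch.receive("rtr", reply))
        # host-v1: nothing attached that answers
    return switch.arp_cache.get(ROUTER_IP)


if __name__ == "__main__":
    for label, sw in [
        ("shared base MAC, SVI only in VLAN 1", Switch("00:00:5e:00:53:10", {1})),
        ("shared base MAC, SVI in VLAN 1 and 3", Switch("00:00:5e:00:53:10", {1, 3})),
        ("per-VLAN SVI MAC, SVI only in VLAN 1", Switch("00:00:5e:00:53:10", {1}, per_vlan_mac=True)),
    ]:
        print(f"{label}: resolved={resolve_router(sw)}")
        for line in sw.log:
            print("   ", line)
```

The first run is the theory in the reply: the request reaches the router, the unicast reply comes back on the VLAN 3 port, and because the destination MAC is the switch's own base MAC it is punted rather than bridged back through the firewall, then dropped for lack of an SVI in VLAN 3. A capture on the router-facing port that shows the reply arriving with the switch's base MAC as destination, and no copy of it on the firewall's VLAN 3 port, is the confirmation the reply asks for.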




Re: ARP Problem

Hi Milan,

Thanks for your ideas.

.1 can speak to .5, no problems.

.2 can speak to .6

Every device outside of this subnet can speak to .6.

It is only .1 and .3 that cannot ARP .6.

.2 is able to ARP .6 and route packets to it, and .3 is actively and correctly switching packets through itself to .6.

As far as I can tell, the switching path is all clear between all these devices. It is simply the ARP that cannot take place. I'm going to try applying a static ARP entry tomorrow.

The main difference between the two firewalls is that Firewall One on the left side of the topology is only managing the one L2 domain, whereas Firewall 2 is managing two Layer 2 domains, and I think that perhaps somehow it is "blending" them.

Re: ARP Problem


As far as I can see, the topology is quite symmetric, and unless something is configured wrong (incorrect subnet mask, etc.), it should work the same way between switch1 and router1 as between switch3 and router2.

So I don't understand your FW note :-(

I suppose the triangle between the switches is using VLAN1 access ports only?

Which port is blocked by STP there?

Another theoretical possibility might be something like a unidirectional cable problem, but I suppose it would create trouble in other communication, too.