Should the ARP entry of the switch interface connected to the passive firewall interface be seen?

Created On 02/07/19 16:30 PM - Last Modified 02/05/25 01:17 AM


Question


Should I expect to see the ARP entry of the switch interface connected to the passive firewall interface when running the following command?
show arp ethernet1/2

 


Environment


  • PAN-OS 8.1
  • HA A/P
  • Switch


Answer


No. You should not expect to see the ARP entry of the switch interface connected to the passive firewall. The ARP entry will instead show the MAC address of the switch interface connected to the active firewall.
admin@PA1-VM> show arp ethernet1/2

maximum of entries supported :      2500
default timeout:                    1800 seconds
total ARP entries in table :        1
total ARP entries shown :           1
status: s - static, c - complete, e - expiring, i - incomplete

interface         ip address      hw address        port              status   ttl
--------------------------------------------------------------------------------
ethernet1/2       172.16.1.2      00:50:56:81:2e:3f ethernet1/2         c      45

Reason: Only the active firewall will send Gratuitous ARP messages from each of its connected interfaces to inform the connected switch of the virtual MAC address location.
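
To confirm this behavior from a packet capture on the switch side, the following Python code (an added example, not part of the original article) classifies ARP frames and reports which MAC address last announced each IP with a gratuitous ARP; in an A/P pair only the active firewall's announcements should appear. The frames, MAC addresses and 192.0.2.x addresses are constructed sample data, the function names are hypothetical, and a gratuitous ARP is taken in the general sense of an ARP request or reply whose sender and target IP are the same.

```python
import socket
import struct

ETHERTYPE_ARP = 0x0806

def parse_arp(frame: bytes):
    """Return ARP fields from an untagged Ethernet frame, or None if it is not IPv4 ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None  # not Ethernet/IPv4 ARP
    sha, spa, _tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return {
        "oper": oper,
        "sender_mac": sha.hex(":"),
        "sender_ip": socket.inet_ntoa(spa),
        "target_ip": socket.inet_ntoa(tpa),
    }

def is_gratuitous(arp) -> bool:
    """Request (1) or reply (2) in which the sender announces its own IP."""
    return arp is not None and arp["oper"] in (1, 2) and arp["sender_ip"] == arp["target_ip"]

def garp_owners(frames):
    """Map each announced IP to the MAC that most recently announced it."""
    owners = {}
    for frame in frames:
        arp = parse_arp(frame)
        if is_gratuitous(arp):
            owners[arp["sender_ip"]] = arp["sender_mac"]
    return owners

def make_sample_frame(oper, sha, spa, tpa):
    """Build a constructed broadcast ARP frame for the offline sample below."""
    eth = b"\xff" * 6 + sha + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
    return eth + arp + sha + socket.inet_aton(spa) + b"\x00" * 6 + socket.inet_aton(tpa)

# Constructed sample data: locally administered MACs and documentation IPs.
ACTIVE_MAC = bytes.fromhex("020000000001")   # assumed: active firewall interface
SWITCH_MAC = bytes.fromhex("020000000002")   # assumed: switch interface
SAMPLE_FRAMES = [
    make_sample_frame(1, ACTIVE_MAC, "192.0.2.1", "192.0.2.1"),  # gratuitous ARP
    make_sample_frame(1, SWITCH_MAC, "192.0.2.2", "192.0.2.1"),  # ordinary request
]

if __name__ == "__main__":
    print(garp_owners(SAMPLE_FRAMES))
```
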
 

