Meraki

Community

About forkwhilefork

Re: MX Doesn't Send Gratuitous ARP on 1:1 NAT IPs

by in Security & SD-WAN
‎Nov 6 2019 8:31 PM
‎Nov 6 2019 8:31 PM
I'm glad it helped! Don't forget to make a wish, open a support case, and bring it up with your sales team 🙂 ... View more

Re: MX Doesn't Send Gratuitous ARP on 1:1 NAT IPs

by in Security & SD-WAN
‎Jun 26 2018 9:14 PM
1 Kudo
‎Jun 26 2018 9:14 PM
1 Kudo
Thanks for the wish! I agree that it's uncommon, but when it does happen it's very, very inconvenient. Plus, this shouldn't be a problem in the first place. Every other firewall out there sends out gratuitous ARP for 1:1 NATs. ... View more

MX Doesn't Send Gratuitous ARP on 1:1 NAT IPs

by in Security & SD-WAN
‎Jun 26 2018 6:18 PM
16 Kudos
‎Jun 26 2018 6:18 PM
16 Kudos
When you replace an existing firewall (MX or otherwise) with an MX, the MX will send out gratuitous ARP on the WAN for the primary IP only. It will not send out gratuitous ARP for IPs configured as 1:1 NATs. This means that the internet will be accessible for most LAN devices, but inbound connections to 1:1 NAT IPs will not work until the upstream device (i.e. ISP's router) clears its ARP table. The upstream device will not send an ARP request for those IPs because it thinks it knows what the correct MAC address is - this is why gratuitous ARP is necessary.   Here is a Meraki knowledge base article that explains this: https://documentation.meraki.com/MX-Z/NAT_and_Port_Forwarding/1%3A1_NAT_Rules_not_working_properly_after_installing_MX   However, sometimes you don't have access to the upstream device's ARP cache. For example, some of my customers' primary ISP is government-provided fiber. They will not make any changes outside of weekly maintenance windows, and the ARP cache timeout on their gear is 4 hours. So clearly this is a problem. There are 2 things we can do in this case: 1. Change the MX's primary IP to each 1:1 NAT IP, one at a time, so it sends gratuitous ARP on those IPs. This is, frankly, a huge pain in the ass. 2. Use e.g. a Python script to send a specially-crafted ARP packet from a laptop. This is also a huge pain in the ass.   Why am I making this post? To raise awareness. For one thing, I've wasted a lot of time not understanding why this kind of swap didn't work. I'd like to save others that frustration. But mostly, so that Engineering will be more motivated to fix it. I've pushed this issue really, really hard with my sales team and their sales engineer. Apparently, there is already a "feature request" entered for it, but they haven't yet committed any resources to fix it. The more requests/complaints they get, the more likely they will be to actually work on it. So please, everyone, Make a Wish for this! Here's the wish I usually send (from the Security Appliance -> Firewall page):   "Please send gratuitous ARP from 1:1 NAT IPs so that device swaps don't require clearing the ARP cache of the upstream device." ... View more
© 2025 Cisco Systems, Inc.