Troubleshooting Methodology | CCNA 200-301

ARP Resolution Failing — Hosts Cannot Communicate on Same Subnet

Presenting Symptom

Hosts on the same subnet cannot ping each other, but each can ping its default gateway.

Network Context

A small branch office network with two PCs (PC-A: 192.168.1.10/24, PC-B: 192.168.1.20/24) connected to a Cisco Catalyst 2960 switch (IOS 15.0). The switch has no VLANs configured; all ports are in VLAN 1. The default gateway is a router at 192.168.1.1. Both PCs have correct IP configuration and can ping the gateway, but pings between PCs fail.

Diagnostic Steps

1. Check the ARP table on PC-A

arp -a
Interface: 192.168.1.10 --- 0x5
  Internet Address    Physical Address    Type
  192.168.1.1         00-1a-2b-3c-4d-5e   dynamic
  192.168.1.20        (incomplete)

If PC-B's entry shows '(incomplete)', PC-A sent an ARP request but never received an ARP reply. A healthy host would show PC-B's MAC address here.

2. Check the ARP table on PC-B

arp -a
Interface: 192.168.1.20 --- 0x6
  Internet Address    Physical Address    Type
  192.168.1.1         00-1a-2b-3c-4d-5e   dynamic
  192.168.1.10        (incomplete)

Same symptom on PC-B confirms ARP resolution is failing in both directions.

3. Check the switch MAC address table for the VLAN

show mac address-table vlan 1
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    001a.2b3c.4d5e    DYNAMIC     Gi0/1
   1    001a.2b3c.4d5f    DYNAMIC     Gi0/2

If both MAC addresses are present on the correct ports, the switch is learning them. If one is missing, the host may be disconnected or the port may be in error-disable state.

4. Check for port security or a VLAN misconfiguration on the switch

show interfaces status
Port      Name               Status       Vlan    Duplex  Speed Type
Gi0/1     PC-A               connected    1       a-full  a-100 10/100/1000BaseTX
Gi0/2     PC-B               connected    1       a-full  a-100 10/100/1000BaseTX

Both ports should be connected and in VLAN 1. If a port is in a different VLAN or disabled, ARP will fail.

5. Check the VLAN 1 SVI (interface Vlan1) on the switch

show ip interface brief | include Vlan
Vlan1                 192.168.1.2       YES manual up                    up

The switch only needs an IP address in VLAN 1 if it must itself participate at Layer 3 (for management, for example); host-to-host forwarding within the VLAN does not depend on it. This step rules out a misconfiguration such as a shut down SVI rather than explaining the symptom by itself.
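The checks in steps 1, 3 and 4 can be applied mechanically to captured output. The following Python is an added example, not part of the original scenario: it parses Windows 'arp -a', IOS 'show mac address-table' and IOS 'show interfaces status' output and reports the conditions the steps tell you to look for (incomplete ARP entry, a host port not connected or in the wrong VLAN, no MAC learned on a host port). The sample outputs are constructed to match the scenario; the gateway's uplink port Gi0/24 and the PC MAC addresses are assumptions, not values from the page.

```python
"""Added example, not part of the original scenario: parse the host and
switch outputs from the diagnostic steps above and report the conditions
those steps tell you to look for.  The sample outputs below are constructed
to match the scenario (the gateway's uplink port Gi0/24 and the PC MAC
addresses are assumed); they were not captured from real devices."""
import re

def normalize_mac(mac):
    """Reduce 00-1a-2b-3c-4d-5e, 00:1a:2b:3c:4d:5e or 001a.2b3c.4d5e to 12 hex digits."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())

# One regex per output format: Windows arp -a, IOS MAC table, IOS interface status.
ARP_LINE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\S+)")
MAC_LINE = re.compile(r"^\s*(\d+)\s+([0-9a-fA-F.:\-]+)\s+(\S+)\s+(\S+)")
STATUS_LINE = re.compile(
    r"^(\S+)\s+(?:(\S+)\s+)?(connected|notconnect|err-disabled|disabled)\s+(\S+)")

def parse_arp(text):
    """{ip: mac} from 'arp -a'; an '(incomplete)' entry maps to None."""
    entries = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            ip, phys = m.groups()
            entries[ip] = None if phys.startswith("(incomplete") else normalize_mac(phys)
    return entries

def parse_mac_table(text):
    """{mac: (vlan, port)} from 'show mac address-table'."""
    table = {}
    for line in text.splitlines():
        m = MAC_LINE.match(line)
        if m:
            vlan, mac, _type, port = m.groups()
            table[normalize_mac(mac)] = (vlan, port)
    return table

def parse_interface_status(text):
    """{port: (status, vlan)} from 'show interfaces status'; the Name column may be blank."""
    ports = {}
    for line in text.splitlines():
        m = STATUS_LINE.match(line)
        if m:
            port, _name, status, vlan = m.groups()
            ports[port] = (status, vlan)
    return ports

def diagnose(arp_text, mac_text, status_text, peer_ip, host_ports, expected_vlan="1"):
    """Apply the checks from steps 1, 3 and 4; an empty list means all of them passed."""
    findings = []
    if parse_arp(arp_text).get(peer_ip) is None:
        findings.append(f"ARP entry for {peer_ip} is missing or incomplete: no ARP reply reached this host")
    learned_on = {port for _vlan, port in parse_mac_table(mac_text).values()}
    ports = parse_interface_status(status_text)
    for port in host_ports:
        status, vlan = ports.get(port, ("absent", "?"))
        if status != "connected":
            findings.append(f"{port} is {status}, not connected")
        if vlan != expected_vlan:
            findings.append(f"{port} is in VLAN {vlan}, expected VLAN {expected_vlan}")
        if port not in learned_on:
            findings.append(f"no MAC address learned on {port}")
    return findings

# Constructed sample outputs mirroring the scenario (not captured from devices).
ARP_PC_A = """\
Interface: 192.168.1.10 --- 0x5
  Internet Address    Physical Address    Type
  192.168.1.1         00-1a-2b-3c-4d-5e   dynamic
  192.168.1.20        (incomplete)
"""
MAC_TABLE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    001a.2b3c.4d5e    DYNAMIC     Gi0/24
   1    001a.2b3c.4d5f    DYNAMIC     Gi0/1
   1    001a.2b3c.4d60    DYNAMIC     Gi0/2
"""
INT_STATUS = """\
Port      Name               Status       Vlan    Duplex  Speed Type
Gi0/1     PC-A               connected    1       a-full  a-100 10/100/1000BaseTX
Gi0/2     PC-B               connected    1       a-full  a-100 10/100/1000BaseTX
"""

if __name__ == "__main__":
    for finding in diagnose(ARP_PC_A, MAC_TABLE, INT_STATUS, "192.168.1.20", ["Gi0/1", "Gi0/2"]):
        print(finding)
```

Run against the scenario's own outputs, the only finding is the incomplete ARP entry: the switch is learning both MACs and both ports are connected in VLAN 1, which is exactly what points the investigation at a filtering feature on the switch rather than at cabling or VLAN assignment. Feed it a status table with an err-disabled port or a mismatched VLAN and those findings appear instead.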

Root Cause

Port security is enabled on switch ports Gi0/1 and Gi0/2 with a maximum MAC address count of 1, and each port has learned only the MAC of the PC attached to it. When PC-A sends an ARP request for PC-B, the request is a broadcast, so the switch floods it out Gi0/2 and PC-B receives it. PC-B's ARP reply is a unicast frame addressed to PC-A's MAC, so the switch must switch it toward Gi0/1. With sticky MAC learning in place and PC-B's MAC not permitted on Gi0/1, the switch drops the frame. The root cause is therefore that port security is configured with a single allowed MAC per port, and the ARP reply is being dropped because the switch does not allow the destination MAC on the ingress port. Had the violation mode been 'shutdown', a violation would also have placed the port in err-disabled state; in this scenario the ports remain up, but ARP fails because the switch drops the unicast ARP reply through port security filtering.

Resolution

1. Identify the port security configuration:
   show port-security interface Gi0/1

2. Remove port security or increase the maximum MAC addresses:
   interface Gi0/1
    no switchport port-security
   interface Gi0/2
    no switchport port-security
   end

   Or, if sticky MAC is used, allow both MACs:
   interface Gi0/1
    switchport port-security maximum 2
    switchport port-security mac-address sticky
   interface Gi0/2
    switchport port-security maximum 2
    switchport port-security mac-address sticky
   end

Verification

1. On PC-A: ping 192.168.1.20
   Expected: Reply from 192.168.1.20: bytes=32 time<1ms TTL=128

2. On PC-A: arp -a
   Expected: 192.168.1.20 with a valid MAC address (not incomplete)

3. On switch: show port-security interface Gi0/1
   Expected: Maximum MAC Addresses: 2, Current MAC Addresses: 1 (or 2 if both learned)
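The third verification step reads several fields out of 'show port-security interface'. The following Python is an added example, not the scenario's own code: it parses that output into a dictionary and checks it against the expectations above (port secure-up, no violations recorded, a maximum that covers every MAC the port must accept, and a violation mode other than 'shutdown', as the prevention section recommends). The two samples are constructed to follow the IOS field layout (IOS labels the learned count 'Total MAC Addresses', which is the 'Current' count the verification step refers to); they were not captured from the scenario's switch.

```python
"""Added example, not the scenario's own code: parse 'show port-security
interface' output and check it against the verification expectations.
Both samples are constructed to follow the IOS field layout; they were not
captured from the scenario's switch."""
import re

# 'Key : Value' lines; the key may itself contain a colon ('Last Source Address:Vlan'),
# so the separator is the first colon that is followed by whitespace.
FIELD = re.compile(r"^\s*(.+?)\s*:\s+(\S.*?)\s*$")

def parse_port_security(text):
    """Return the output as a dict; purely numeric values become ints."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            key, value = m.groups()
            fields[key] = int(value) if value.isdigit() else value
    return fields

def check_port_security(fields, macs_required):
    """Findings against the verification step: port Secure-up, no violations,
    the maximum covers every MAC the port must accept, and the violation
    mode is not 'shutdown'.  An empty list means the port passes."""
    findings = []
    if fields.get("Port Security") != "Enabled":
        return findings  # port security not in use on this port: nothing to verify
    status = str(fields.get("Port Status", ""))
    if status.lower() != "secure-up":
        findings.append(f"port status is {status}, expected Secure-up")
    if fields.get("Security Violation Count", 0):
        findings.append(f"{fields['Security Violation Count']} security violation(s) recorded")
    maximum = fields.get("Maximum MAC Addresses", 0)
    if maximum < macs_required:
        findings.append(f"maximum MAC addresses is {maximum}, but the port must accept {macs_required}")
    if str(fields.get("Violation Mode", "")).lower() == "shutdown":
        findings.append("violation mode is Shutdown; a violation would err-disable the port")
    return findings

# Constructed sample: Gi0/1 before the fix (maximum 1, violation mode shutdown).
BEFORE = """\
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 001a.2b3c.4d5f:1
Security Violation Count   : 0
"""

# Constructed sample: the same port after the resolution (maximum 2, sticky, restrict).
AFTER = """\
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 2
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 001a.2b3c.4d5f:1
Security Violation Count   : 0
"""

if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("after", AFTER)):
        print(label, check_port_security(parse_port_security(sample), 2) or "OK")
```

The 'before' sample yields two findings (maximum too low, violation mode shutdown) and the 'after' sample yields none, which is the state the verification step expects. Keeping the parser generic (every 'Key : Value' line, numbers converted) means the same function also reads fields the scenario does not use, such as the aging settings.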

Prevention

1. Avoid using port security on ports connecting to end hosts that need to communicate with each other on the same VLAN, unless you configure a sufficient maximum MAC address count.

2. Use VLANs to segment traffic; if hosts need to communicate, place them in the same VLAN and ensure port security allows multiple MACs, or disable it.

3. Implement port security with violation mode 'restrict' instead of 'shutdown' to avoid port err-disable, and log violations for troubleshooting.

CCNA Exam Relevance

On the CCNA 200-301 exam, this scenario tests understanding of ARP operation and how switch features like port security can interfere with Layer 2 forwarding. Questions may present a troubleshooting scenario where hosts cannot ping each other but can ping the gateway, and ask to identify the cause (port security, VLAN mismatch, etc.). The key fact is that ARP requests are broadcast and forwarded, but ARP replies are unicast and must be switched based on the destination MAC; any filtering of unicast frames (e.g., port security) can break communication.

Exam Tips

1. Remember that ARP requests are broadcast and ARP replies are unicast; port security can block unicast frames if the source MAC is not allowed on the ingress port.

2. If hosts can ping the gateway but not each other, the problem is likely Layer 2 (switch) related, not Layer 3.

3. Use 'show port-security' and 'show mac address-table' to quickly diagnose ARP issues caused by switch filtering.
