One-way ARP between Cisco and Watchguard

I have a 4503 with ethernet trunk to a cluster of Dell switches, with access port to a Watchguard firewall in "drop-in" (bridged) mode:

C4503===Dell5324===Dell5234--x--Watchguard--server

== 802.1q trunk

-- untagged

The 4503 has an "interface Vlan" for Layer-3 access to the Watchguard's Vlan. The Watchguard is not learning the MAC address of the Cisco, but the Cisco is learning the MAC of the Watchguard.

I placed a sniffer where the "x" is above, and saw the Watchguard arp'ing for the Cisco every 60 seconds; and saw the Cisco's replies. But the arp table on the Watchguard showed the Cisco's address as MAC 00-00-00-00-00-00, which I assume means "incomplete". I also saw pings (unicast) from the Cisco MAC to the Watchguard MAC, but no replies from the Watchguard (of course... no arp entries = no replies).

If the Watchguard is replaced with another device (e.g. laptop), then there are no problems. I've tried converting the Watchguard to routed mode, but the problem persists.

I'm installing three Watchguards to this Cisco router/switch, and all three exhibited this. One of them (in routed mode) started behaving finally after I pulled everything apart and put it back together.

Harv
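An added example, not part of the post above and not a diagnosis of it: one way to examine the ARP request/reply pair captured at the "x" and list anything that would make the reply a poor answer on an untagged port. The checks chosen, the function names and the sample addresses are assumptions constructed for illustration.

```python
import socket
import struct

def parse_arp(frame):
    """Return ARP fields from an Ethernet frame (802.1Q tag optional), or None."""
    if len(frame) < 14:
        return None
    dst, src = frame[0:6], frame[6:12]
    (etype,) = struct.unpack("!H", frame[12:14])
    off, vlan = 14, None
    if etype == 0x8100 and len(frame) >= 18:        # 802.1Q tag present
        tci, etype = struct.unpack("!HH", frame[14:18])
        off, vlan = 18, tci & 0x0FFF
    if etype != 0x0806 or len(frame) < off + 28:    # not ARP, or truncated
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[off:off + 8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None                                  # not IPv4-over-Ethernet ARP
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[off + 8:off + 28])
    return dict(dst=dst, src=src, vlan=vlan, op=op, sha=sha, spa=spa, tha=tha, tpa=tpa)

def check_reply(req, rep):
    """List ways a reply fails to answer a request cleanly on an untagged port."""
    issues = []
    if rep["op"] != 2:
        issues.append("not an ARP reply")
    if rep["vlan"] is not None:
        issues.append(f"802.1Q tag (VLAN {rep['vlan']}) on untagged port")
    if rep["src"] != rep["sha"]:
        issues.append("Ethernet source differs from ARP sender MAC")
    if rep["sha"] == bytes(6):
        issues.append("sender MAC is all zeros")
    if rep["spa"] != req["tpa"]:
        issues.append("reply is for a different IP")
    if rep["dst"] != req["sha"] or rep["tha"] != req["sha"]:
        issues.append("reply not addressed to the requester")
    return issues

def build(dst, src, op, sha, spa, tha, tpa, vlan=None):
    """Construct a sample frame (test data only)."""
    tag = b"" if vlan is None else struct.pack("!HH", 0x8100, vlan)
    arp = struct.pack("!HHHBBH", 0x0806, 1, 0x0800, 6, 4, op)
    return dst + src + tag + arp + sha + spa + tha + tpa

# Constructed sample addresses, not taken from the thread.
FW, RTR, SVI = (bytes.fromhex(h) for h in ("020000000001", "020000000002", "020000000003"))
FW_IP, RTR_IP = socket.inet_aton("192.0.2.2"), socket.inet_aton("192.0.2.1")
REQ = parse_arp(build(b"\xff" * 6, FW, 1, FW, FW_IP, bytes(6), RTR_IP))
GOOD = parse_arp(build(FW, RTR, 2, RTR, RTR_IP, FW, FW_IP))
ODD = parse_arp(build(FW, RTR, 2, SVI, RTR_IP, FW, FW_IP, vlan=10))
```

To use it on a real capture, feed `parse_arp` the raw frame bytes exported from the sniffer and pass each request and its reply to `check_reply`; an empty list means the reply passed every check listed here.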
