whitbread (Member Candidate, Topic Author)

"ARP" Security on CRS and RB2011 using HW offloading

Tue Jan 30, 2018 12:57 pm

My network is built primarily from a CRS125 working as a switch only, plus a LAN firewall and a gateway router (both RB2011s).
The routers are connected through trunked ports, as I am using numerous VLANs.
All devices are on version 6.41 and I am using the new hardware offloading, both on the CRS and on the RB2011s.
I do not use VLAN-aware bridges, as these would interfere with HW offloading.

Following the hints to secure my devices, I tried to set ARP to "reply-only" while adding DHCP leases to ARP.
As I did not see any effect from that change, I even disabled ARP on all interfaces on the path from device A (VLAN/subnet 10) to device B (VLAN/subnet 20), without any effect.
From my understanding, ARP does not come into play on the CRS, as L2 matching is done within the switch chip. The same has to be said for the switching part of the routers. But as soon as traffic leaves the switch through any VLAN interface, I expected that ARP resolution would be necessary. But my observation is that even with ARP disabled, all connections work as before.

So can someone please try to explain where ARP comes into play on a router using HW offloading?

sebastia (Forum Guru, Antwerp, BE)

Re: "ARP" Security on CRS and RB2011 using HW offloading

Tue Jan 30, 2018 1:36 pm

ARP will be used for all connections originating at the router.
So if the router tries to connect to another machine on a connected network and it doesn't have its MAC in the cache/table, it will ask.

Packets from a source IP coming into the router are used for table updates.

whitbread (Member Candidate, Topic Author)

Re: "ARP" Security on CRS and RB2011 using HW offloading

Wed Jan 31, 2018 12:15 pm

Thanks for your answer - it explains the connection between the router and device A, but what about the connection between device A and B?

Where is ARP needed, or where can I set ARP to reply-only to enhance security?

I'll try to draw it here:
device A (edge port; vlan10)                      vlan10 interface - Bridge10
                \                                      / 
                  CRS (trunk port*) = (trunk port*) RB2011
                /                                      \ 
device B (edge port; vlan20)                      vlan20 interface - Bridge20

* trunk ports on the CRS and RB2011 are both slaves of a universal bridge with HW offloading activated and running.

sebastia (Forum Guru, Antwerp, BE)

Re: "ARP" Security on CRS and RB2011 using HW offloading

Wed Jan 31, 2018 10:05 pm

Connection dev A -> dev B: packets need to be forwarded by the router.
A -> router: MAC learned from the packet.
Router -> B: MAC of B needed; if it is not present in the cache and discovery is disabled (reply-only), the router won't know where to send it -> failure.

BTW: VLAN filtering is not in hardware on the CRS1xx.
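The configuration that the question in this thread ("where can I set ARP to reply-only") and the explanation above ("router -> B ... failure") amount to, as an added example that is not part of the thread and not any poster's own configuration. It is RouterOS command-line syntax of the 6.x era for the RB2011 side of the drawing; the bridge name "bridge", the VLAN interface names, the 10.0.10.0/24 and 10.0.20.0/24 subnets, the pool range and the MAC address of device B are all assumed/constructed values. The order matters: the ARP table is populated first and the interface is switched to reply-only only afterwards, because in reply-only mode the router never sends an ARP request, so a host with no entry becomes unreachable from the router.

```routeros
# Added example, not from the thread. RouterOS (6.x syntax) on the RB2011.
# Assumed names: bridge "bridge", VLAN interfaces vlan10/vlan20,
# subnets 10.0.10.0/24 and 10.0.20.0/24, constructed MAC for device B.

# --- Weak setting (the default): the router resolves any neighbour by
# --- broadcasting ARP requests, and any host that answers (including a
# --- spoofed answer) lands in the ARP table.
/interface vlan
add name=vlan10 vlan-id=10 interface=bridge arp=enabled
add name=vlan20 vlan-id=20 interface=bridge arp=enabled
/ip address
add address=10.0.10.1/24 interface=vlan10
add address=10.0.20.1/24 interface=vlan20

# --- Hardened setting, step 1: make sure the router already knows every
# --- MAC it will have to forward to, because after step 2 it will not ask.

# Hosts that get their address from DHCP (device A in the drawing): let
# the DHCP server add an ARP entry for every lease it hands out.
/ip pool
add name=pool10 ranges=10.0.10.100-10.0.10.199
/ip dhcp-server
add name=dhcp10 interface=vlan10 address-pool=pool10 add-arp=yes disabled=no
/ip dhcp-server network
add address=10.0.10.0/24 gateway=10.0.10.1

# Hosts with a fixed address (device B here): add the entry by hand.
# 02:00:00:00:00:0B is a constructed, locally administered MAC.
/ip arp
add address=10.0.20.50 mac-address=02:00:00:00:00:0B interface=vlan20 comment="device B"

# --- Step 2: only now switch the routed VLAN interfaces to reply-only.
# --- The router still answers ARP queries for its own addresses, but it
# --- never sends a request of its own; a host without an entry is
# --- unreachable from the router (the "router -> B ... failure" case).
/interface vlan
set [find name=vlan10] arp=reply-only
set [find name=vlan20] arp=reply-only

# --- Check: every host the router must reach through vlan20 should be
# --- listed here before you rely on the setting.
/ip arp print where interface=vlan20
```

Two practical notes. First, with HW offloading the only traffic that ever touches this ARP table is traffic the RB2011 routes between VLANs (or originates itself); hosts in the same VLAN are switched to each other in the switch chip and never consult the router, so reply-only on vlan10 does nothing for host-to-host traffic inside VLAN 10. Second, if the table was already populated (for instance by add-arp=yes, or by traffic that flowed before the mode was changed), inter-VLAN traffic keeps working after the switch, and the change only becomes visible for a host that has no entry; testing with a host that is deliberately left out of the table is the quickest way to confirm the setting is in effect.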
