Dynamic ARP Inspection Dropping Valid ARP Packets
Presenting Symptom
Hosts on a specific VLAN are unable to communicate with each other or the default gateway, while hosts on other VLANs work fine.
Network Context
A small branch office network with a Cisco Catalyst 3850 switch acting as the DHCP server and default gateway for VLAN 10 (192.168.10.0/24). The switch has Dynamic ARP Inspection (DAI) enabled on VLAN 10 with DHCP snooping configured. The network has about 50 hosts in VLAN 10, and the problem started after a new switch was added to the network.
Diagnostic Steps
Check DAI statistics on the switch
show ip arp inspection statistics vlan 10
VLAN 10
ACL drops: 0
DHCP drops: 50
Invalid source MAC: 0
Invalid destination MAC: 0
Invalid IP: 0
If DHCP drops are non-zero, DAI is dropping ARP packets because the sender's IP-MAC binding is not in the DHCP snooping database. This indicates that the ARP packets come from hosts that did not obtain their IP via DHCP, or that their binding is missing from the database.
Check DHCP snooping binding database
show ip dhcp snooping binding
MacAddress IpAddress Lease(sec) Type VLAN Interface
00:11:22:33:44:55 192.168.10.10 86300 dhcp-snooping 10 GigabitEthernet1/0/1
...
If the MAC and IP of the affected hosts are missing from the binding table, DAI will drop their ARP packets. This confirms that the hosts either have static IP addresses or the DHCP snooping database is not being populated correctly.
Verify DAI configuration on VLAN 10
show ip arp inspection vlan 10
Source Mac Validation : Enabled
Destination Mac Validation : Enabled
IP Address Validation : Enabled
VLAN 10
DHCP Snooping : Enabled
ACL Check : Disabled
ACL Name :
Ensure DAI is enabled and DHCP snooping is the source of validation. If ACL check is also enabled, it might be blocking valid ARP packets.
Check if the affected hosts have static IP addresses
show ip interface brief | include 192.168.10.
Interface IP-Address OK? Method Status Protocol
GigabitEthernet1/0/1 192.168.10.10 YES DHCP up up
...
If the method is 'DHCP', the host obtained its IP via DHCP. If 'manual', the host has a static IP. Static IP hosts will not have a DHCP snooping binding, causing DAI to drop their ARP packets.
Root Cause
The affected hosts have static IP addresses configured manually, but Dynamic ARP Inspection (DAI) is enabled on VLAN 10 with DHCP snooping as the validation method. DAI drops ARP packets from hosts whose IP-MAC binding is not in the DHCP snooping database. Since static IP hosts are not in the database, their ARP packets are dropped, preventing communication.
Resolution
Verification
Run 'show ip arp inspection statistics vlan 10' and verify that DHCP drops are now 0. Also, test connectivity from the affected hosts by pinging the default gateway. The ping should succeed.
Prevention
1. Use DHCP for all hosts to ensure automatic population of the DHCP snooping database.
2. If static IPs are necessary, pre-configure static ARP ACL entries for those hosts before enabling DAI.
3. Regularly audit the network for static IP assignments and update the ARP ACL accordingly.
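The ARP ACL that prevention step 2 and the root cause call for, as an added example rather than configuration taken from the original scenario. The static host 192.168.10.50 with MAC 0000.1111.2222 and the ACL name STATIC-HOSTS are constructed placeholders; DHCP snooping is assumed to remain enabled on VLAN 10 as shown above.

```cisco
! Added example: permit ARP from a statically addressed host on VLAN 10.
! 192.168.10.50 / 0000.1111.2222 are constructed placeholder values,
! not taken from the scenario; substitute the real static host bindings.
configure terminal
 arp access-list STATIC-HOSTS
  ! one permit line per static host; ARP ACLs end with an implicit deny
  permit ip host 192.168.10.50 mac host 0000.1111.2222
 exit
 ! Apply the ACL to VLAN 10. Without the trailing "static" keyword, ARP
 ! packets that do not match the ACL are still checked against the DHCP
 ! snooping bindings, so DHCP clients on the VLAN keep working.
 ip arp inspection filter STATIC-HOSTS vlan 10
end
! Confirm the ACL is now active: expect "ACL Check : Enabled" and
! "ACL Name : STATIC-HOSTS" for VLAN 10.
show ip arp inspection vlan 10
! DHCP drops should stop increasing once the static hosts are covered.
show ip arp inspection statistics vlan 10
```

Each entry must match the exact IP and MAC pair the host uses; a mismatch is still dropped and shows up under ACL drops instead of DHCP drops.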
CCNA Exam Relevance
On the CCNA 200-301 exam, this scenario may appear as a troubleshooting question where you must identify why hosts with static IPs cannot communicate when DAI is enabled. The exam tests understanding of DAI operation, DHCP snooping, and the need for static ARP ACLs for static hosts. Key fact: DAI relies on DHCP snooping bindings by default; static hosts require an ARP ACL.
Exam Tips
Remember that DAI uses DHCP snooping bindings to validate ARP packets; static IP hosts will be dropped unless an ARP ACL is configured.
The 'show ip arp inspection statistics' command is crucial to identify DAI drops; look for 'DHCP drops' to pinpoint the issue.
Know the difference between DAI validation methods: DHCP snooping vs. ARP ACLs. The exam may ask which method to use for static hosts.