dynamic arp inspection failure

Unanswered Question
Sep 25th, 2007

Hi all.

I've introduced dynamic ARP inspection in accordance with ARP access-list(s) and experienced the following trouble:

The inspection sometimes (three times a week) fails. Well-formed ARP responses are denied. The workaround is to load the same access-list again.

I have two similarly configured nets. The first has a C3560G in core, the second two C3750G in stack. Failures occur only on the slave in stack.

IOS is Version 12.2(25)SEE2 in both cases.

Is anything known about this issue, or does it seem to be rather a HW failure on the slave?



owillins Mon, 10/01/2007 - 10:37

You could be hitting the bug - CSCsg18176 (Catalyst 3750 and 3560 switches).

When dynamic ARP inspection is enabled and IP validation is disabled, the switch drops ARP requests that have a source address of The workaround is to configure an ARP access control list (ACL) that permits IP packets with a source IP address of (and any MAC address) and apply the ARP ACL to the desired DAI VLANs.

t.fiala Tue, 10/02/2007 - 02:17

Thanks for your reply and the CSCsg18176 bug description. It may help in the future, but I am afraid it does not match my present case. My 3750 stack suddenly starts filtering well-formed ARP responses, e.g.:

25.9.2007 12:25 ss-s01-1.fzu.cz Warning 13023: Sep 25 12:25:38.743 CEST: %SW_DAI-4-ACL_DENY: 1 Invalid ARPs (Res) on Gi2/0/26, vlan 200.([0050.fc8d.f4fa/ CEST Tue Sep 25 2007])

If I load the same arp access-list again, the failure disappears.

Regards, Tomas
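
Added example, not part of the original posts: a Python script that parses `%SW_DAI-4-ACL_DENY` messages like the one quoted above, totals denials per stack member, and lists denied senders whose (IP, MAC) pair the ARP ACL permits, which is the symptom described in this thread. The permit pairs and every log line except the first are constructed for illustration, and the bracketed field order (sender MAC/sender IP/...) is an assumption about the untruncated message.

```python
import re
from collections import Counter

# Body of a Catalyst %SW_DAI-4-ACL_DENY message. Everything after the sender
# MAC is optional because the line quoted in the thread is cut off there.
MAC = r"[0-9a-f]{4}(?:\.[0-9a-f]{4}){2}"
DENY_RE = re.compile(
    r"%SW_DAI-4-ACL_DENY:\s+(?P<count>\d+) Invalid ARPs \((?P<kind>Req|Res)\) on "
    r"(?P<intf>[A-Za-z]+(?:(?P<member>\d+)/)?\d+/\d+), vlan (?P<vlan>\d+)"
    rf"(?:\.\(\[(?P<smac>{MAC})(?:/(?P<sip>\d+(?:\.\d+){{3}}))?)?",
    re.IGNORECASE,
)

def parse_deny(line):
    """Return the fields of one ACL_DENY message, or None for other lines."""
    m = DENY_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["count"], ev["vlan"] = int(ev["count"]), int(ev["vlan"])
    # The stack member number is the first element of a three-part port name.
    ev["member"] = int(ev["member"]) if ev["member"] else None
    ev["smac"] = ev["smac"].lower() if ev["smac"] else None
    return ev

def denies_by_member(lines):
    """Total denied ARP packets per (stack member, VLAN, Req/Res)."""
    totals = Counter()
    for ev in filter(None, map(parse_deny, lines)):
        totals[(ev["member"], ev["vlan"], ev["kind"])] += ev["count"]
    return totals

def denied_despite_permit(lines, permits):
    """Denies whose sender (IP, MAC) pair is permitted by the ARP ACL."""
    return [ev for ev in filter(None, map(parse_deny, lines))
            if (ev["sip"], ev["smac"]) in permits]

SAMPLE_LOG = [
    # First line is the one quoted in the thread; the rest are constructed.
    "25.9.2007 12:25 ss-s01-1.fzu.cz Warning 13023: Sep 25 12:25:38.743 CEST: %SW_DAI-4-ACL_DENY: 1 Invalid ARPs (Res) on Gi2/0/26, vlan 200.([0050.fc8d.f4fa/ CEST Tue Sep 25 2007])",
    "Sep 25 12:25:40.101 CEST: %SW_DAI-4-ACL_DENY: 3 Invalid ARPs (Res) on Gi2/0/14, vlan 200.([0000.5e00.5301/192.0.2.10/0000.5e00.5302/192.0.2.1/12:25:39 CEST Tue Sep 25 2007])",
    "Sep 25 12:26:02.004 CEST: %SW_DAI-4-ACL_DENY: 1 Invalid ARPs (Req) on Gi1/0/3, vlan 200.([0000.5e00.5303/192.0.2.99/0000.0000.0000/192.0.2.1/12:26:01 CEST Tue Sep 25 2007])",
    "Sep 25 12:26:05.000 CEST: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/5, changed state to up",
]
PERMITTED = {("192.0.2.10", "0000.5e00.5301")}  # constructed ARP ACL entries (IP, MAC)

if __name__ == "__main__":
    print(dict(denies_by_member(SAMPLE_LOG)))
    for ev in denied_despite_permit(SAMPLE_LOG, PERMITTED):
        print("permitted sender denied on", ev["intf"], ev["sip"], ev["smac"])
```

Denials of permitted senders that cluster on one stack member number point at that member rather than at the ACL contents.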

