%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/17, vlan 252.([xxxx.xxxx.xxxx/10.10.252.4/xxxx.xxxx.xxxx/10.10.252.254]
Note: Each xxxx.xxxx.xxxx stands for a MAC address; the first is the sender's and the second is the target's. In this example the trailing time-of-day field is omitted.
The default message is:
%SW_DAI-4-DHCP_SNOOPING_DENY: [dec] Invalid ARPs ([chars]) on [chars], vlan [dec].([[enet]/[chars]/[enet]/[chars]/[time-of-day]])
This message means that the switch has received Address Resolution Protocol (ARP) packets that Dynamic ARP Inspection considers invalid. Such packets are dropped, and their presence can indicate an attempted man-in-the-middle (ARP spoofing) attack in the network. The message is logged when the sender IP-to-MAC binding for the VLAN on which the packet was received is not present in the DHCP snooping binding database.
The first [dec] is the number of invalid ARP packets. The first [chars] is either Req (request) or Res (response), and the second [chars] is the short name of the ingress interface. The second [dec] is the ingress VLAN ID. [enet]/[chars]/[enet]/[chars]/[time-of-day] are, in order, the sender MAC address, the sender IP address, the target MAC address, the target IP address, and the time of day.
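The field layout above is enough to parse these messages out of a syslog feed and triage them. The following is an added example, not Cisco code or part of the original page: it parses the message with a regular expression built from the documented template, sums denies per ingress interface, VLAN and sender MAC, and flags the pattern that distinguishes ARP spoofing (one MAC asserting several sender IPs, mostly in unsolicited replies) from the benign case of a statically addressed host that is simply missing from the DHCP snooping table. The log lines in SAMPLE_LOG are constructed; their MAC and IP values, the threshold of 5 and the function names are assumptions for illustration.

```python
"""Parse and triage %SW_DAI-4-DHCP_SNOOPING_DENY syslog lines.

Added example, not Cisco code. The log lines in SAMPLE_LOG are constructed;
their MAC and IP values are illustrative.
"""
import re
from collections import defaultdict

# Field layout from the documented template:
#   [dec] Invalid ARPs ([chars]) on [chars], vlan [dec].([[enet]/[chars]/[enet]/[chars]/[time-of-day]])
# The time-of-day field and the closing ")" are optional so that truncated lines
# (like the one quoted on this page) still parse, and "x" is accepted in MAC
# digits so redacted xxxx.xxxx.xxxx placeholders parse as well.
_MAC = r"[0-9a-fA-Fx]{4}\.[0-9a-fA-Fx]{4}\.[0-9a-fA-Fx]{4}"
_IP = r"\d{1,3}(?:\.\d{1,3}){3}"
DAI_DENY_RE = re.compile(
    r"%SW_DAI-4-DHCP_SNOOPING_DENY:\s*(?P<count>\d+) Invalid ARPs "
    r"\((?P<kind>Req|Res)\) on (?P<interface>\S+), vlan (?P<vlan>\d+)\."
    r"\(\[(?P<sender_mac>" + _MAC + r")/(?P<sender_ip>" + _IP + r")"
    r"/(?P<target_mac>" + _MAC + r")/(?P<target_ip>" + _IP + r")"
    r"(?:/(?P<time>[^\]]*))?\]\)?"
)


def parse_dai_deny(line):
    """Return the message fields as a dict, or None if the line is not a DAI deny."""
    m = DAI_DENY_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["count"] = int(rec["count"])
    rec["vlan"] = int(rec["vlan"])
    rec["sender_mac"] = rec["sender_mac"].lower()
    rec["target_mac"] = rec["target_mac"].lower()
    return rec


def aggregate(lines):
    """Sum denies per (interface, vlan, sender MAC) and record the sender IPs
    and ARP kinds (Req/Res) each MAC was seen with. Non-DAI lines are skipped."""
    agg = {}
    for line in lines:
        rec = parse_dai_deny(line)
        if rec is None:
            continue
        key = (rec["interface"], rec["vlan"], rec["sender_mac"])
        entry = agg.setdefault(key, {"denied": 0, "ips": set(), "kinds": defaultdict(int)})
        entry["denied"] += rec["count"]
        entry["ips"].add(rec["sender_ip"])
        entry["kinds"][rec["kind"]] += rec["count"]
    return agg


def triage(agg, threshold=5):
    """Return {key: [reasons]} for aggregated entries worth investigating.

    One MAC asserting more than one sender IP is the ARP-spoofing signature (the
    attacker claims the gateway toward the victim and the victim toward the
    gateway). A deny count at or above `threshold` made up mostly of unsolicited
    replies (Res) points the same way. A single Req from a MAC with one IP is more
    likely a statically addressed host absent from the DHCP snooping table.
    """
    findings = {}
    for key, e in agg.items():
        reasons = []
        if len(e["ips"]) > 1:
            reasons.append("one MAC claimed %d sender IPs: %s"
                           % (len(e["ips"]), ", ".join(sorted(e["ips"]))))
        if e["denied"] >= threshold and e["kinds"].get("Res", 0) > e["kinds"].get("Req", 0):
            reasons.append("%d denied ARPs, mostly unsolicited replies" % e["denied"])
        if reasons:
            findings[key] = reasons
    return findings


# Constructed sample: a spoofer on Fa0/17 alternately claims the gateway
# (10.10.252.254) and a client (10.10.252.4); a static host on Fa0/3 sends one
# request; one unrelated syslog line is mixed in.
SAMPLE_LOG = """\
Mar 10 14:02:11.101: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/17, vlan 252.([0011.2233.4455/10.10.252.254/0000.0c07.ac01/10.10.252.4/14:02:11 UTC Mon Mar 10 2025])
Mar 10 14:02:11.250: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/17, vlan 252.([0011.2233.4455/10.10.252.4/00aa.bbcc.ddee/10.10.252.254/14:02:11 UTC Mon Mar 10 2025])
Mar 10 14:02:12.020: %SW_DAI-4-DHCP_SNOOPING_DENY: 3 Invalid ARPs (Res) on Fa0/17, vlan 252.([0011.2233.4455/10.10.252.254/0000.0c07.ac01/10.10.252.4/14:02:12 UTC Mon Mar 10 2025])
Mar 10 14:02:12.400: %SW_DAI-4-DHCP_SNOOPING_DENY: 2 Invalid ARPs (Res) on Fa0/17, vlan 252.([0011.2233.4455/10.10.252.4/00aa.bbcc.ddee/10.10.252.254/14:02:12 UTC Mon Mar 10 2025])
Mar 10 14:05:40.007: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/3, vlan 252.([0050.5600.0a01/10.10.252.9/0000.0000.0000/10.10.252.254/14:05:40 UTC Mon Mar 10 2025])
Mar 10 14:05:41.500: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.10.1.5)
"""

if __name__ == "__main__":
    agg = aggregate(SAMPLE_LOG.splitlines())
    for key, e in sorted(agg.items()):
        print(key, e["denied"], sorted(e["ips"]), dict(e["kinds"]))
    for key, reasons in triage(agg).items():
        print("INVESTIGATE", key, "; ".join(reasons))
```

Run against a real feed, the entry for Fa0/3 in the sample is the case the remediation below applies to (a host not in the binding table), while the Fa0/17 entry is the one to treat as an incident: confirm with show ip dhcp snooping binding which MAC legitimately owns each claimed IP before touching the port configuration.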
Dynamic ARP Inspection (DAI) is a security feature that validates ARP packets in a network. DAI intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings. This capability protects the network from some man-in-the-middle attacks. It also ensures that only valid ARP requests and responses are relayed.
You receive this message when the sender IP and MAC address in the ARP packet do not match an entry in the binding table for that VLAN. To display the DHCP snooping binding entries, use the show ip dhcp snooping binding command; a DHCP client should have an entry with its IP address, MAC address, VLAN and port. To see the running drop counters for the VLAN, use show ip arp inspection statistics vlan 252 (substitute the VLAN from the message).
If the device does not use DHCP (for example, a statically addressed server or printer), or the binding information is correct and you trust the device on the port, you can exempt the port from inspection with the ip arp inspection trust interface command. Note that a trusted port is not inspected at all, so reserve trust for uplinks to other DAI-enabled switches and for devices you control. For statically addressed hosts, an ARP ACL (arp access-list with permit ip host and mac host entries, applied with ip arp inspection filter on the VLAN) permits only the expected IP-to-MAC pairs and is the tighter option.
DAI validates against the DHCP snooping binding table, so DHCP snooping must be enabled with the ip dhcp snooping command (globally and for the VLAN) for ARP packets from hosts with dynamically assigned IP addresses to be permitted; without it, the table is empty and every untrusted port logs this message.