Showing results for 
Search instead for 
Did you mean: 

The "%SW_DAI-4-DHCP_SNOOPING_DENY:" error message is received when configuring the dynamic ARP inspection in switches that run Cisco IOS Software


Core issue

The error message looks similar to this example:

%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/17, vlan 252.([xxxx.xxxx.xxxx/]

Note: The xxxx is the MAC address of the sender.

The default message is:

%SW_DAI-4-DHCP_SNOOPING_DENY: [dec] Invalid ARPs ([chars]) on [chars], vlan [dec].([[enet]/[chars]/[enet]/[chars]/[time-of-day]])

This message means that the switch has received Address Resolution Protocol (ARP) packets considered invalid by ARP inspection. The packets are erroneous, and their presence can show attempted man-in-the-middle attacks in the network. This log message appears when the IP and MAC address of the sender binding for the received VLAN is not present in the DHCP snooping database.

The first [dec] is the number of invalid ARP packets. The first [chars] is either Req (request) or Res (response), and the second [chars] is the short name of the ingress interface. The second [dec] is the ingress VLAN ID. [enet]/[chars]/[enet]/[chars]/[time-of-day] is the MAC address of the sender, the IP address of the sender, the MAC address of the target, the IP address of the target, and the time of day.

Dynamic ARP Inspection (DAI) is a security feature that validates ARP packets in a network. DAI intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings. This capability protects the network from some man-in-the-middle attacks. It also ensures that only valid ARP requests and responses are relayed.


You receive this message when the MAC address does not match the binding. In order to display the DHCP snooping binding entries, use the show ip dhcp snooping binding command.

If the device does not use DHCP or the information is correct and you trust the device on the port, you can enable trust on that port with the ip arp inspection trust command.

Also, DHCP snooping must be enabled in order to permit ARP packets that have dynamically assigned IP addresses with the ip dhcp snooping command.

Refer to the Enabling Additional Validation section of Configuring Dynamic ARP Inspection in order to enable additional validation on the destination MAC address, the sender and target IP addresses, and the source MAC address,

Refer to the DHCP Snooping section of Layer 2 Security Features on Catalyst 3750 Series Switches Configuration Example for more information.


PDF version does not show text correctly.

Frequent Contributor


What happens if in production network both DHCP snooping and DAI are enabled the same time?

Is it going to block traffic as the moment DAI starts, DHCP snooping binding table is empty?


Hi Florin,

I recently tried to enable both at the same time and the PC's lost network connectivity so based on my experience I believe the devices are being blocked because the DHCP snooping database is empty.  I am going to schedule a change, first I'm going to remove all DAI configuration, then I am going to configure DHCP snooping and let the DB populate. Lastly I'm going to add the DAI config and see what happens, hopefully this will resolve the issue.  If you've done this already, can you let me know what happened.



hi Erik .I had similar issue last week. could u proof  that if u enable dai and dhcp snooping same time switch will block all arp and pc will not be able to get ip ?