I have implemented "ARP inspection" on the LAN. We have around a thousand users in VLAN 100 (diagram attached), and the reason I have implemented "ARP inspection", besides ARP spoofing, is to bind clients/users so that they cannot change their IP addresses and machines/MAC addresses.
In the ARP inspection ACL I have added the clients who are behind the router and bound them to a single MAC address. (I hope the diagram will help you understand the scenario.)
At my end (in the real scenario) the ARP ACL is performing perfectly for those who are in VLAN 100, but performing abnormally for those who are behind the router. I have not added those clients to the ARP ACL, but they are still working fine.
My question is: must users (behind the router) be added to the ARP ACL? In my lab it blocked all the traffic of those clients who are behind the router until I added them to the ARP ACL.
I am using a 3550 with "c3550-ipservicesk9-mz.122-25.SEB4.bin".