Hello,

My experience in configuring switches and routers is limited and I am stuck on 2 issues with my new Catalyst 1000 switch which I believe are related:

1. ARP inspection errors
2. Failure to ping other hosts on the same switch in the same VLAN 10

The ARP error messages I get are:

• 022175: *Mar 18 14:15:10.663 UTC: %SW_DAI-4-INVALID_ARP: 1 Invalid ARPs (Req) on Gi1/0/5, vlan 10.([9009.d01b.e427/0.0.0.0/ffff.ffff.ffff/10.0.0.5/14:15:09 UTC Sat Mar 18 2023])
• 022186: *Mar 18 14:45:21.920 UTC: %SW_DAI-4-INVALID_ARP: 1 Invalid ARPs (Req) on Gi1/0/6, vlan 10.([9009.d01b.e428/0.0.0.0/ffff.ffff.ffff/10.0.0.6/14:45:20 UTC Sat Mar 18 2023])

These are the 2 fixed IP interfaces to my NAS, so that is why they are not showing in the DHCP snooping Binding table:

show ip dhcp snooping binding
MacAddress IpAddress Lease(sec) Type VLAN Interface
------------------ --------------- ---------- ------------- ---- --------------------
EC:24:B8:EF:71:EA 10.0.0.218 2238520 dhcp-snooping 10 GigabitEthernet1/0/31
54:05:DB:FD:68:8B 10.0.0.168 2076963 dhcp-snooping 10 GigabitEthernet1/0/25
98:FA:9B:55:E8:41 10.0.0.254 775548 dhcp-snooping 10 GigabitEthernet1/0/18
Total number of bindings: 3

But I have configured an ACL to cover for those 2 NAS ports:

arp access-list ARP-ACL-Servers
permit ip host 10.0.0.5 mac host 9009.d01b.e427
permit ip host 10.0.0.6 mac host 9009.d01b.e428

I have also attached here the running config of my switch in question. My network setup is realy simple: a router 920 connected to my service provider and 4 main switches connected to this router. The router is handling the inter-VLAN routing.

There is also another problem which I never encountered before when configuring a switch: I cannot reach or ping this NAS (which is on the same VLAN 10) from a host connected to this same switch? When my host PC is connected to another (older Cisco 350 switch) I can reach & ping this NAS just fine (which is connected to the Catalyst 1000 on ports 5 & 6). When I check the arp table on my PC, connected to the new 1000 Catalyst switch, the 2 NAS server IP's are not there. When I connect to the older 350 switch the NAS does show up in the arp table on my PC (and I can reach it again). But when I am connected to the switch via SSH - CLI I can ping and traceroute to the NAS just fine.

I am very sure I am making a big beginner mistake here, but I am at a loss where to look. All the research I have done in this Cisco Community has not pinpointed me where the problem is. The results from my PC arp table tell me it is ARP related and most likely with the arp inspection that I am not so familiar with. I also noticed that the IP address next to the MAC address in the error message is blank, which is probably the immediate cause for the error message. But then why does it work from another switch & why does the new Switch not take the ACL into account?

So, can anybody pinpoint my mistake or give me some guidance on where to look for a solution.

Many thanks in advance,

Steven