Symptom
DHCP Snooping is not updating the DHCP Snooping binding table when a DHCP ACK is sent from the DHCP Server.
With features like Dynamic ARP Inspection configured, you may see traffic from hosts with existing DHCP leases filtered out incorrectly.
Example error logs that may be seen:
Nov 20 10:39:06.428: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi4/0/1, vlan 101.([0016.d4ed.69c4/19.70.10.234/0000.0000.0000/19.70.10.233/10:39:06 UTC Tue Nov 20 2018])
Nov 20 10:39:07.428: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi4/0/1, vlan 101.([0016.d4ed.69c4/19.70.10.234/0000.0000.0000/19.70.10.233/10:39:07 UTC Tue Nov 20 2018])
Nov 20 10:39:08.428: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi4/0/1, vlan 101.([0016.d4ed.69c4/19.70.10.234/0000.0000.0000/19.70.10.233/10:39:08 UTC Tue Nov 20 2018])
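Added example (not Cisco's code and not part of this advisory): a Python triage script that parses the DAI deny messages above and cross-checks each denied sender against a copy of the DHCP Snooping binding table, so repeated denials for a host that has no binding stand out as this bug's signature. The sample log lines reuse the advisory's output; the binding table, its dict format and the threshold are constructed assumptions.

```python
import re
from collections import Counter
# Pattern for the %SW_DAI-4-DHCP_SNOOPING_DENY line; bracket fields: sender MAC/IP, target MAC/IP, time.
DAI_DENY_RE = re.compile(
    r"%SW_DAI-4-DHCP_SNOOPING_DENY: (?P<count>\d+) Invalid ARPs \(\w+\) "
    r"on (?P<intf>\S+), vlan (?P<vlan>\d+)\.\(\["
    r"(?P<smac>[0-9a-f.]+)/(?P<sip>[0-9.]+)/(?P<tmac>[0-9a-f.]+)/(?P<tip>[0-9.]+)/"
)

def parse_dai_deny(line):
    """Return the fields of one DAI deny syslog line as a dict, or None if it is not one."""
    m = DAI_DENY_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["count"] = int(rec["count"])
    rec["vlan"] = int(rec["vlan"])
    return rec

def stale_binding_suspects(lines, bindings, threshold=3):
    """Sum denials per (vlan, sender MAC, sender IP); report senders denied >= threshold
    times whose MAC has no binding or a binding for another IP. bindings: {(vlan, mac): ip}."""
    denials, intf_of = Counter(), {}
    for line in lines:
        rec = parse_dai_deny(line)
        if rec is None:
            continue  # not a DAI deny message, skip it
        key = (rec["vlan"], rec["smac"], rec["sip"])
        denials[key] += rec["count"]
        intf_of[key] = rec["intf"]
    suspects = []
    for (vlan, mac, ip), n in sorted(denials.items()):
        bound_ip = bindings.get((vlan, mac))
        if n < threshold or bound_ip == ip:
            continue  # too few denials, or the binding agrees with the ARP (another cause)
        reason = "no snooping binding" if bound_ip is None else f"binding says {bound_ip}"
        suspects.append({"vlan": vlan, "mac": mac, "ip": ip, "intf": intf_of[(vlan, mac, ip)],
                         "denials": n, "reason": reason})
    return suspects

# Constructed sample input: the three denials from the advisory plus one unrelated line.
SAMPLE_LOGS = [
    "Nov 20 10:39:06.428: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi4/0/1, vlan 101.([0016.d4ed.69c4/19.70.10.234/0000.0000.0000/19.70.10.233/10:39:06 UTC Tue Nov 20 2018])",
    "Nov 20 10:39:07.428: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi4/0/1, vlan 101.([0016.d4ed.69c4/19.70.10.234/0000.0000.0000/19.70.10.233/10:39:07 UTC Tue Nov 20 2018])",
    "Nov 20 10:39:08.428: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi4/0/1, vlan 101.([0016.d4ed.69c4/19.70.10.234/0000.0000.0000/19.70.10.233/10:39:08 UTC Tue Nov 20 2018])",
    "Nov 20 10:39:09.000: %SYS-5-CONFIG_I: Configured from console by console",
]
# Constructed binding table (assumed {(vlan, mac): ip} shape): the denied host 0016.d4ed.69c4 is
# deliberately absent, the state this bug leaves behind when the unicast DHCP ACK is never punted.
SAMPLE_BINDINGS = {(101, "0016.d4ed.69c5"): "19.70.10.235"}
```

A host that keeps failing DAI while missing from `show ip dhcp snooping binding` despite holding a valid lease is the pattern to look for; a mismatched IP in the binding points to a different problem.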
Conditions
DHCP Snooping must be enabled for this issue to be seen.
Features like Dynamic ARP Inspection must be configured to cause an impact to traffic flow.
The DHCP Server must be in a different subnet from the client, such that DHCP Relay is used (as the packets must be unicast between the server and client).
DHCP Broadcast messages are not impacted by this issue.
Workaround
Not deploying features such as Dynamic ARP Inspection together with DHCP Snooping avoids the impact caused by this issue.
There are otherwise no direct workarounds for this issue.
Further Problem Description
DHCP Acks from the server are sent as unicast messages directly to the relay agent.
These packets are forwarded by the switch in hardware instead of being punted to the CPU.
DHCP Snooping requires a copy of the packet to be sent to the CPU; since no copy is punted, the binding table is not updated.