Troubleshooting AR and Switch Communication Failure Caused by ARP Anti‑Attack Feature

The article details a network connectivity issue between an AR router and a switch, explains how the ARP anti‑attack user‑bind setting blocks AR traffic, and provides step‑by‑step diagnostics and a static binding solution to restore communication.

Practical DevOps Architecture

Problem description: The AR router and the switch cannot communicate with each other.

AR router configuration:

vlan 100
 dhcp snooping enable
 dhcp snooping check user-bind enable
 arp anti-attack check user-bind enable
 ip source check user-bind enable
ip pool vlan100
 gateway-list 192.168.100.1
 network 192.168.100.0 mask 255.255.255.0
interface Vlanif100
 ip address 192.168.100.1 255.255.255.0
 dhcp select global
interface GigabitEthernet6/0/0
 port link-type trunk
 port trunk allow-pass vlan 100

Switch configuration:

vlan batch 100
interface Vlanif100
 ip address 192.168.100.254 255.255.255.0
interface GigabitEthernet0/0/24
 port link-type trunk
 port trunk allow-pass vlan 100

Alarm information: None.

Troubleshooting process:

Suspected DHCP configuration issues; no anomalies found on the AR.

Checked MAC and ARP tables on the switch – both learned the AR address.

Checked MAC and ARP tables on the AR – MAC table was normal, but the ARP table did not learn the switch’s address.

Found that the command arp anti-attack check user-bind enable was configured in VLAN 100 on the AR.

Identified that global IP‑MAC static binding is required.

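Root cause: The arp anti-attack check user-bind enable feature inspects each ARP packet by comparing its source IP address, source MAC address, interface, and VLAN with the entries in the binding table. Packets that match no entry are treated as attacks and dropped. The switch's Vlanif100 address (192.168.100.254) is configured statically, so it has no binding entry learned through DHCP snooping; the AR therefore drops the switch's ARP packets and never learns its address.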

Solution: Create a static user‑bind entry under the global configuration, e.g., user-bind static ip-address X.X.X.X mac-address H-H-H, so that the AR accepts the ARP packets from the switch.
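
The check described under Root cause and the effect of the static entry can be modelled in a few lines of Python. This is an added example, not part of the original article or of the device's own code. The MAC addresses, the DHCP client 192.168.100.10, and the treatment of interface and VLAN fields left out of a static entry as wildcards are assumptions made for the demonstration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    interface: Optional[str] = None  # None: field absent from the entry (assumed wildcard)
    vlan: Optional[int] = None

@dataclass(frozen=True)
class Arp:
    src_ip: str
    src_mac: str
    interface: str
    vlan: int

def check_user_bind(table, pkt):
    """Return 'forward' if the ARP packet matches a binding entry, else 'drop'."""
    for b in table:
        if (b.ip == pkt.src_ip and b.mac.lower() == pkt.src_mac.lower()
                and b.interface in (None, pkt.interface)
                and b.vlan in (None, pkt.vlan)):
            return "forward"
    return "drop"

# Constructed sample data: MACs and the DHCP client are made up for the demo.
PORT, VLAN = "GigabitEthernet6/0/0", 100
CLIENT = Arp("192.168.100.10", "00e0-fc00-0010", PORT, VLAN)
SWITCH = Arp("192.168.100.254", "00e0-fc00-0254", PORT, VLAN)
MISMATCH = Arp("192.168.100.10", "00e0-fc00-0bad", PORT, VLAN)  # bound IP, wrong MAC

# Dynamic entry as DHCP snooping would record it after the client's lease.
DYNAMIC = [Binding(CLIENT.src_ip, CLIENT.src_mac, PORT, VLAN)]
# Static entry equivalent to: user-bind static ip-address ... mac-address ...
STATIC = [Binding(SWITCH.src_ip, SWITCH.src_mac)]

def verdicts(table):
    """Run all three sample ARP packets through the check."""
    return {name: check_user_bind(table, pkt)
            for name, pkt in (("client", CLIENT), ("switch", SWITCH), ("mismatch", MISMATCH))}

if __name__ == "__main__":
    print("before fix:", verdicts(DYNAMIC))
    print("after fix: ", verdicts(DYNAMIC + STATIC))
```

With only the dynamic entry, the switch's ARP is dropped even though its MAC address is still learned at layer 2, which matches the symptom seen in the troubleshooting steps. The static entry admits the switch while the IP/MAC mismatch is still dropped.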

Recommendation and summary: When troubleshooting layer‑2/3 connectivity issues, first verify MAC tables, then ARP tables, and finally other protocols; disabling or correctly configuring ARP anti‑attack checks and using static bindings can resolve similar problems.
