My environment: Cisco Catalyst 3560E
Before a PC can talk to another PC, it must send an ARP request to map the IP address to a MAC address.
Client A (ARP Request Broadcast): Who is 192.168.10.12?
Client B (ARP Reply): I am 192.168.10.12, MAC address B
According to the ARP RFC, a client can send out an unsolicited reply (gratuitous ARP). That means anyone can claim to be the owner of any IP-MAC address pair. An ARP attack uses this to poison the ARP cache on the switch and redirect the traffic.
Dynamic ARP Inspection is a security feature that protects against ARP attacks, based on the DHCP snooping binding database.
Hosts with a static IP address (which do not get their address from a DHCP server) have no entry in the DHCP binding table, so their ARP packets are rejected and you will see reject messages on the console.
In that case you’ll need to create an ARP access-list to allow static address hosts:
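A minimal configuration of this kind, as an added example and not the author's original config. VLAN 10, the ACL name STATIC-HOSTS, the uplink interface and the MAC address are placeholders assumed for illustration; the IP address is Client B's from the exchange above.

```cisco
! Added example: VLAN 10, ACL name, interface and MAC address are placeholders.
!
! DAI validates ARP packets against the DHCP snooping binding table,
! so DHCP snooping must be enabled on the VLAN first.
ip dhcp snooping
ip dhcp snooping vlan 10
!
! Enable Dynamic ARP Inspection on the same VLAN.
ip arp inspection vlan 10
!
! ARP ACL: one permit entry per statically addressed host,
! pairing its IP address with its real MAC address.
arp access-list STATIC-HOSTS
 permit ip host 192.168.10.12 mac host 0000.5e00.530b
!
! Apply the ARP ACL to the VLAN. ARP packets that match a permit entry
! are forwarded; packets that match no entry are still checked against
! the DHCP snooping bindings.
ip arp inspection filter STATIC-HOSTS vlan 10
!
! Uplink toward the DHCP server / another switch: trusted for both
! features. Access ports stay untrusted (the default) so that ARP
! from end hosts is inspected.
interface GigabitEthernet0/1
 ip dhcp snooping trust
 ip arp inspection trust
!
! Verification (exec mode):
!   show ip arp inspection vlan 10
!   show ip arp inspection statistics vlan 10
!   show arp access-list
!   show ip dhcp snooping binding
```

Appending the `static` keyword to the `ip arp inspection filter` line makes the ACL the only source of truth for that VLAN: anything the ACL does not permit is dropped without consulting the DHCP bindings, which would also block DHCP clients unless they are listed too.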