C

17 Messages

 • 

274 Points

Thu, Jun 24, 2021 9:59 AM

ICX 7250 ARP and IP Source Binding Problem

Hello,

I have following problem when enter this:

CUS(config)#arp 95.183.181.254 00e0.4c68.0b7d ethernet 5/1/13
ADD static arp 95.183.181.254 -> 00e0.4c68.0b7d -> 1/2/5 (VRF: 0)
Error - ip address not directly connected

I want to bind my pc ip address with that mac address on 13th port. What am I doing wrong? 

Also I have folloing problem too when I try to enter ip source binding:

CUS(config)#ip source binding 95.183.181.252 ethernet 1/2/5 vlan 1810
Warning - IP Source Guard is Not configured on the per-port-per-VE vlan 1810 for port 1/2/5, 95.183.181.252 binding will not be active.

How can I solve this?

This is my running config:


CUS(config)#show running-config
Current configuration:
!
ver 08.0.90jT213
!
stack unit 1
  module 1 icx7250-48p-poe-port-management-module
  module 2 icx7250-sfp-plus-8port-80g-module
  priority 128
  stack-trunk 1/2/1 to 1/2/2
  stack-trunk 1/2/3 to 1/2/4
stack unit 2
  module 1 icx7250-48-port-management-module
  module 2 icx7250-sfp-plus-8port-80g-module
  stack-trunk 2/2/1 to 2/2/2
  stack-trunk 2/2/3 to 2/2/4
stack unit 3
  module 1 icx7250-48-port-management-module
  module 2 icx7250-sfp-plus-8port-80g-module
  stack-trunk 3/2/1 to 3/2/2
  stack-trunk 3/2/3 to 3/2/4
stack unit 4
  module 1 icx7250-48-port-management-module
  module 2 icx7250-sfp-plus-8port-80g-module
  stack-trunk 4/2/1 to 4/2/2
  stack-trunk 4/2/3 to 4/2/4
stack unit 5
  module 1 icx7250-48-port-management-module
  module 2 icx7250-sfp-plus-8port-80g-module
  stack-trunk 5/2/1 to 5/2/2
  stack-trunk 5/2/3 to 5/2/4
stack enable
stack mac d4c1.9e77.be10
!
!
tftp disable
!
!
!
vlan 1 name DEFAULT-VLAN by port
!
!
!
!
vlan 1810 name idari by port
 tagged ethe 1/2/5
 untagged ethe 1/1/1 to 1/1/48 ethe 1/2/6 to 1/2/8 ethe 2/1/1 to 2/1/48 ethe 2/2/5 to 2/2/8 ethe 3/1/1 to 3/1/48 ethe 3/2/5 to 3/2/8 ethe 4/1/1 to 4/1/48 ethe 4/2/5 to 4/2/8 ethe 5/1/1 to 5/1/48 ethe 5/2/5 to 5/2/8
 router-interface ve 1810
 loop-detection
!
vlan 1911 name Yonetim by port
 tagged ethe 1/2/5
 router-interface ve 1911
!
!
!
!
!
!
!
!
!
!
loop-detection-interval 30
errdisable recovery cause loop-detect
errdisable recovery interval 600
aaa authentication web-server default local
aaa authentication login default local
enable aaa console
enable acl-per-port-per-vlan
hostname CUS_211_HAZIRLIK
ip arp inspection vlan 1911
ip dhcp snooping vlan 1810
ip dhcp snooping vlan 1911
ip route 0.0.0.0/0 192.168.11.1
!
no telnet server
username super password .....
!
!
snmp-server community ..... rw
snmp-server enable traps syslog
snmp-server host 95.183.180.42 version v2c .....
snmp-server host 95.183.180.170 version v2c .....
!
!
clock timezone gmt GMT+03
!
!
ntp
 server 95.183.180.6
!
!
hitless-failover enable
!
!
sz registrar
!
!
!
!
!
!
!
!
!
interface ethernet 1/2/5
 arp inspection trust
 dhcp snooping trust
!
interface ve 1810
!
interface ve 1911
 ip address 192.168.11.211 255.255.255.0
!
arp 95.183.181.254 00e0.4c68.0b7d inspection
arp 95.183.181.1 c091.34f9.0500 inspection
!
!
!
ip source bind 95.183.181.252 ethernet 1/2/5 vlan 1810
ip source bind 172.18.18.18 ethernet 4/1/15 vlan 1810
!
!
!
!
!
!
!
!
!
!
end

Employee

 • 

25 Messages

 • 

380 Points

5 m ago

Hello cankaya_university_bim

Generally, for an ARP entry to be learned, the router must have an IP address on the same subnet.

I can notice the ARP entry you're trying to configure in the example does not belong to any subnet in the switch. That is the reason why this entry cannot be configured.

On the other hand, IP source guard must be enabled at the interface level:

ICX7150-24P Router(config)#enable acl-per-port-per-vlan
Reload required.  Please write memory and then reload or power cycle.
ICX7150-24P Router(config)#int e 1/1/2
ICX7150-24P Router(config-if-e1000-1/1/2)#source
  source-guard                  Assign IP Source Guard option to this interface
ICX7150-24P Router(config-if-e1000-1/1/2)#source-guard ena
  enable   Config IP Source-Guard
ICX7150-24P Router(config-if-e1000-1/1/2)#source-guard enable

Please let me know if this info clarifies your doubts.

17 Messages

 • 

274 Points

Arp inspection prblem solved. I have to enable it in vlan with ip arp inspection vlan command.

I will try source-gurad with a VE interface configured. Thanks a lot.

Official Rep

 • 

210 Messages

 • 

3.1K Points

Hi Cankaya_university_bim,

Glad to hear that arp inspection worked. As a side note, for similar issues its always helpful if you open a support case to closely work with our support staff, This way we can access your switch remote and provide a faster resolution.

Thanks

Jijo 

(edited)

Important Announcement