HP 6120XG HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 299
Enabling Dynamic IP Lockdown, Operating Notes
Configuring Advanced Threat Protection
Dynamic IP Lockdown

Assuming that DHCP snooping is enabled and that port 5 is untrusted, dynamic IP lockdown applies the following dynamic VLAN filtering on port 5:

    permit 10.0.8.5 001122-334455 vlan 2
    permit 10.0.8.7 001122-334477 vlan 2
    permit 10.0.10.3 001122-334433 vlan 5
    permit 10.0.10.1 001122-110011 vlan 5
    deny any vlan 1-10
    permit any

Figure 8-4. Example of Internal Statements used by Dynamic IP Lockdown

Note that the deny any statement is applied only to VLANs for which DHCP snooping is enabled. The permit any statement is applied only to all other VLANs.

Enabling Dynamic IP Lockdown

To enable dynamic IP lockdown on all ports or specified ports, enter the ip source-lockdown command at the global configuration level. Use the no form of the command to disable dynamic IP lockdown.

Syntax: [no] ip source-lockdown

    Enables dynamic IP lockdown globally on all ports or on specified ports on the routing switch.

Operating Notes

■ Dynamic IP lockdown is enabled at the port configuration level and applies to all bridged or routed IP packets entering the switch. The only IP packets that are exempt from dynamic IP lockdown are broadcast DHCP request packets, which are handled by DHCP snooping.

■ DHCP snooping is a prerequisite for Dynamic IP Lockdown operation. The following restrictions apply:

   • DHCP snooping is required for dynamic IP lockdown to operate. To enable DHCP snooping, enter the dhcp-snooping command at the global configuration level.
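The statements in Figure 8-4 and the DHCP exemption from the Operating Notes can be modeled as a first-match filter. The following is an added example, not HP code or switch firmware. It assumes matching on the exact IP/MAC/VLAN triple in the order the figure lists the statements; the Packet class, function names and sample packets are hypothetical.

```python
from dataclasses import dataclass

# Port 5 bindings and snooped VLAN range, copied from Figure 8-4.
BINDINGS = {
    ("10.0.8.5", "001122-334455", 2),
    ("10.0.8.7", "001122-334477", 2),
    ("10.0.10.3", "001122-334433", 5),
    ("10.0.10.1", "001122-110011", 5),
}
SNOOPED_VLANS = range(1, 11)  # "deny any vlan 1-10"


@dataclass(frozen=True)
class Packet:  # hypothetical model of an IP packet entering untrusted port 5
    src_ip: str
    src_mac: str
    vlan: int
    dhcp_broadcast_request: bool = False


def normalize_mac(mac):
    """Convert aa:bb:cc:dd:ee:ff and similar forms to the xxxxxx-xxxxxx form in the figure."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return f"{digits[:6]}-{digits[6:]}"


def lockdown_verdict(pkt):
    """Return (action, statement), assuming first-match order as listed in Figure 8-4."""
    if pkt.dhcp_broadcast_request:
        return "exempt", "handled by DHCP snooping"
    mac = normalize_mac(pkt.src_mac)
    if (pkt.src_ip, mac, pkt.vlan) in BINDINGS:
        return "permit", f"permit {pkt.src_ip} {mac} vlan {pkt.vlan}"
    if pkt.vlan in SNOOPED_VLANS:
        return "deny", "deny any vlan 1-10"
    return "permit", "permit any"


# Constructed sample traffic, not captured from a real switch.
SAMPLES = [
    Packet("10.0.8.5", "00:11:22:33:44:55", 2),      # matches a binding
    Packet("10.0.8.5", "00:11:22:33:44:77", 2),      # bound IP, another host's MAC
    Packet("10.0.10.3", "001122-334433", 2),         # valid pair, wrong VLAN
    Packet("192.168.1.9", "00:aa:bb:cc:dd:ee", 20),  # VLAN without DHCP snooping
    Packet("0.0.0.0", "00:aa:bb:cc:dd:ee", 2, dhcp_broadcast_request=True),
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(p.src_ip, p.src_mac, f"vlan {p.vlan}", "->", *lockdown_verdict(p))
```

The fourth sample shows the practical consequence of the note under Figure 8-4: traffic on a VLAN without DHCP snooping falls through to permit any, so lockdown gives no source validation there.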