Access Security Guide K/KA/KB.15.15

In the show ip source-lockdown bindings command output, the “Not in HW” column specifies whether or not (YES or NO) a statically configured IP-to-MAC and VLAN binding on a specified port has been combined in the lease database maintained by the DHCP Snooping feature.
Debugging dynamic IP lockdown
To enable the debugging of packets dropped by dynamic IP lockdown, enter the debug dynamic-ip-lockdown command.
Syntax
debug dynamic-ip-lockdown
To send command output to the active CLI session, enter the debug destination session command.
Counters for denied packets are displayed in the debug dynamic-ip-lockdown command output. Packet counts are updated every five minutes. An example of the command output is shown in Figure 279 (page 381).
When dynamic IP lockdown drops IP packets in VLAN traffic that do not contain a known source IP-to-MAC address binding for the port on which the packets are received, a message is entered in the event log.
Figure 279 Debug dynamic-ip-lockdown command output
Verifying the dynamic IP lockdown configuration
To display the ports on which dynamic IP lockdown is configured, enter the show ip source-lockdown status command at the global configuration level.
Syntax
show ip source-lockdown status
An example of the show ip source-lockdown status command output is shown in Figure 11-5. Note that the operational status of all switch ports is displayed. This information indicates whether or not dynamic IP lockdown is supported on a port.
Using Port Security 381