Access Security Guide K/KA/KB.15.15

address is not contained in the DHCP binding database. As a result, dynamic IP lockdown
will not allow inbound traffic from the client.
It is recommended that you enable DHCP snooping a week before you enable dynamic IP
lockdown to allow the DHCP binding database to learn clients’ leased IP addresses. You must
also ensure that the lease time for the information in the DHCP binding database lasts more
than a week.
Alternatively, you can configure a DHCP server to re-allocate IP addresses to DHCP clients.
In this way, you repopulate the lease database with current IP-to-MAC bindings.
Configuring Advanced Threat Protection Dynamic IP Lockdown
The DHCP binding database allows VLANs enabled for DHCP snooping to be known on ports
configured for dynamic IP lockdown. As new IP-to-MAC address and VLAN bindings are
learned, a corresponding permit rule is dynamically created and applied to the port (preceding
the final deny any vlan <VLAN_IDs> rule). These VLAN_IDs correspond to the subset of
configured and enabled VLANs for which DHCP snooping has been configured.
For dynamic IP lockdown to work, a port must be a member of at least one VLAN that has
DHCP snooping enabled.
Disabling DHCP snooping on a VLAN causes the dynamic IP bindings on Dynamic IP
Lockdown-enabled ports in that VLAN to be removed. The port reverts to switching traffic
as usual.
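To make the rule construction described above concrete, here is an added model (not the switch's own code) of how an untrusted port's filter list is derived from its bindings: one permit per live binding on a snooping-enabled VLAN, followed by the final deny for those VLANs, and no rule at all for VLANs without DHCP snooping. The sample bindings are constructed from the port-5 entries later in this section; the lease expiry timestamps and the "dhcp"/"static" labels are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

@dataclass(frozen=True)
class Binding:
    vlan: int
    mac: str
    ip: str
    source: str                        # "dhcp" or "static" (illustrative label only)
    expires_at: Optional[float] = None # lease end, seconds; None = static, never expires

# Constructed sample: the DHCP-snooped entries for port 5 plus one static binding.
PORT5_BINDINGS: List[Binding] = [
    Binding(2, "001122-334455", "10.0.8.5", "dhcp", expires_at=1000.0),
    Binding(2, "001122-334477", "10.0.8.7", "dhcp", expires_at=1000.0),
    Binding(5, "001122-334433", "10.0.10.3", "dhcp", expires_at=1000.0),
    Binding(5, "001122-110011", "10.0.10.1", "static"),
]
SNOOPING_VLANS: Set[int] = {2, 5}   # VLANs with DHCP snooping enabled

def build_port_filter(bindings: List[Binding], snooping_vlans: Set[int], now: float) -> List[Tuple]:
    """Ordered rule list for an untrusted port: a permit for each binding that is still
    valid and whose VLAN is snooping-enabled, then 'deny any' for every snooping VLAN."""
    rules: List[Tuple] = []
    for b in bindings:
        if b.vlan not in snooping_vlans:
            continue   # snooping disabled on this VLAN: its bindings are removed
        if b.expires_at is not None and b.expires_at <= now:
            continue   # expired lease: no permit rule until the client renews
        rules.append(("permit", b.vlan, b.mac, b.ip))
    rules.append(("deny", sorted(snooping_vlans)))
    return rules

def is_forwarded(rules: List[Tuple], vlan: int, mac: str, ip: str) -> bool:
    """Match a frame's (source VLAN, source MAC, source IP) against the rule list.
    A VLAN with no DHCP snooping is covered by no rule, so it is switched as usual."""
    for rule in rules:
        if rule[0] == "permit" and rule[1:] == (vlan, mac, ip):
            return True
        if rule[0] == "deny" and vlan in rule[1]:
            return False
    return True
```

Running `build_port_filter(PORT5_BINDINGS, SNOOPING_VLANS, now=2000.0)` shows the failure mode from the start of this section: with the DHCP leases expired, only the static binding still yields a permit rule.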
Filtering IP and MAC addresses per-port and per-VLAN
This section contains an example that shows the following aspects of the Dynamic IP Lockdown
feature:
• Internal Dynamic IP lockdown bindings dynamically applied on a per-port basis from information
in the DHCP snooping lease database and statically configured IP-to-MAC address bindings
• Packet filtering using source IP address, source MAC address, and source VLAN as criteria.
In this example, the following DHCP leases have been learned by DHCP snooping on port 5.
VLANs 2 and 5 are enabled for DHCP snooping.
Table 38 Sample DHCP snooping entries
VLAN ID    MAC Address      IP Address
2          001122-334455    10.0.8.5
2          001122-334477    10.0.8.7
5          001122-334433    10.0.10.3
The following example shows an IP-to-MAC address and VLAN binding that has been statically
configured in the lease database on port 5.
VLAN ID    MAC Address      IP Address
5          001122-110011    10.0.10.1
Assuming that DHCP snooping is enabled and that port 5 is untrusted, dynamic IP lockdown applies
the following dynamic VLAN filtering on port 5: