Access Security Guide K/KA/KB.15.15

Figure 290 Internal Statements used by Dynamic IP Lockdown
NOTE: The deny any statement is applied only to VLANs for which DHCP snooping is enabled.
The permit any statement is applied only to all other VLANs.
Operational notes
Dynamic IP lockdown is enabled at the port configuration level and applies to all bridged or
routed IP packets entering the switch. The only IP packets that are exempt from dynamic IP
lockdown are broadcast DHCP request packets, which are handled by DHCP snooping.
DHCP snooping is a prerequisite for Dynamic IP Lockdown operation. The following restrictions apply:
• DHCP snooping is required for dynamic IP lockdown to operate. To enable DHCP snooping, enter the dhcp-snooping command at the global configuration level.
• Dynamic IP lockdown only filters packets in VLANs that are enabled for DHCP snooping. In order for Dynamic IP lockdown to work on a port, the port must be configured for at least one VLAN that is enabled for DHCP snooping. To enable DHCP snooping on a VLAN, enter the dhcp-snooping vlan [vlan-id-range] command at the global configuration level or the dhcp-snooping command at the VLAN configuration level.
• Dynamic IP lockdown is not supported on a trusted port. (However, note that the DHCP server must be connected to a trusted port when DHCP snooping is enabled.) By default, all ports are untrusted. To remove the trusted configuration from a port, enter the no dhcp-snooping trust <port-list> command at the global configuration level.
For more information on how to configure and use DHCP snooping, see “DHCP Snooping” (page 388).
After you enter the ip source-lockdown command (enabled globally, with the desired ports entered in <port-list>), the dynamic IP lockdown feature remains disabled on a port if any of the following conditions exist:
• DHCP snooping has not been globally enabled on the switch.
• The port is not a member of at least one VLAN that is enabled for DHCP snooping.
• The port is configured as a trusted port for DHCP snooping.
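As an added example (not from the HP guide), the following Python models the forwarding decision described above: on which ports lockdown is actually active, and how the per-VLAN permit any / deny any statements and the broadcast DHCP request exemption apply to an incoming packet. The switch state, binding table and packets are constructed sample data, and matching a binding on (port, VLAN, source IP, source MAC) is an assumption, not something this page states.

```python
"""Added example, not from the HP guide: a small model of the forwarding
decision dynamic IP lockdown makes for an IP packet, following this page.
Switch state, bindings and packets are constructed; binding fields are assumed."""
from dataclasses import dataclass, field

@dataclass
class SwitchConfig:
    dhcp_snooping_global: bool      # "dhcp-snooping" at the global level
    snooping_vlans: set             # "dhcp-snooping vlan [vlan-id-range]"
    trusted_ports: set              # "dhcp-snooping trust <port-list>"
    lockdown_ports: set             # "ip source-lockdown <port-list>"
    port_vlans: dict                # port -> set of VLAN ids configured on it
    bindings: set = field(default_factory=set)  # assumed: (port, vlan, ip, mac)

def lockdown_active(cfg, port):
    """True only if lockdown is configured on the port and none of the three disabling conditions applies."""
    if port not in cfg.lockdown_ports:
        return False
    if not cfg.dhcp_snooping_global:          # snooping not enabled globally
        return False
    if not cfg.port_vlans.get(port, set()) & cfg.snooping_vlans:
        return False                          # no DHCP-snooped VLAN on the port
    if port in cfg.trusted_ports:             # trusted ports are not supported
        return False
    return True

def filter_packet(cfg, port, vlan, src_ip, src_mac, bcast_dhcp_request=False):
    """Return 'permit' or 'deny' for an IP packet entering `port` on `vlan`."""
    if not lockdown_active(cfg, port):
        return "permit"                # feature inactive: no filtering at all
    if bcast_dhcp_request:
        return "permit"                # exempt; handled by DHCP snooping
    if vlan not in cfg.snooping_vlans:
        return "permit"                # "permit any" for non-snooped VLANs
    if (port, vlan, src_ip, src_mac) in cfg.bindings:
        return "permit"                # source matches a learned binding (assumed)
    return "deny"                      # "deny any" on DHCP-snooped VLANs

def sample_config():
    """Constructed switch state: VLAN 10 snooped, A1 trusted (DHCP server uplink)."""
    return SwitchConfig(
        dhcp_snooping_global=True,
        snooping_vlans={10},
        trusted_ports={"A1"},
        lockdown_ports={"A1", "A2", "A3"},
        port_vlans={"A1": {10}, "A2": {10, 20}, "A3": {30}},
        bindings={("A2", 10, "10.0.10.50", "00:11:22:33:44:55")},
    )
```

Port A1 (trusted) and A3 (no snooped VLAN) end up with lockdown inactive even though both are in the ip source-lockdown port list, which is the situation the three conditions above describe.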
392 Port Security