Access Security Guide K/KA/KB.15.15

Dynamic IP lockdown is activated on the port only after you make all of the following configuration
changes:
• Enable DHCP snooping on the switch.
• Configure the port as a member of a VLAN that has DHCP snooping enabled.
• Remove the trusted-port configuration from the port (lockdown does not operate on a trusted port).
You can configure dynamic IP lockdown only from the CLI; this feature cannot be configured
from the WebAgent or menu interface.
If you enable dynamic IP lockdown on a port, you cannot add the port to a trunk.
Dynamic IP lockdown must be removed from a trunk before the trunk is removed.
Differences Between Switch Platforms
There are some differences in the feature set and operation of Dynamic IP Lockdown, depending
on the switch on which it is implemented. These are listed below.
• There is no restriction on GVRP on 3500/5400 switches. On 2600/2800/3400 switches,
Dynamic IP Lockdown is not supported if GVRP is enabled on the switch.
• Dynamic IP Lockdown has the host limits shown in the table below. There is a DHCP snooping
limit of 8,192 entries.
• A source is considered “trusted” for all VLANs if it is seen on any VLAN without DHCP snooping
enabled, so leaving any VLAN carried by a locked-down port without DHCP snooping weakens the
protection on every VLAN on that port.
• On the HP switch series 5400 and 3500, dynamic IP lockdown is supported on a port
configured for statically configured port-based ACLs.
Table 39 Differences in switch platforms

Switch: 3500/5400
  Number of hosts: 64 bindings per port; up to 4096 manual bindings per switch.
  Comments: This limit is shared with DHCP snooping because they both use the snooping database.

Switch: 3400/2800
  Number of hosts: 32 bindings per port; up to 512 manual bindings; up to 32 VLANs with DHCP snooping enabled.
  Comments: This is not guaranteed, as the hardware resources are shared with QoS.

Switch: 2610
  Number of hosts: 8 bindings per port; up to 512 manual bindings; globally 118 to 125 hosts; up to 8 VLANs with DHCP snooping enabled.
  Comments: This is not guaranteed, as the hardware resources are shared with IDM ACLs. The number of global bindings available depends on the number of DHCP snooping-enabled VLANs (1-8).

Switch: 2600
  Number of hosts: 8 bindings per port; up to 512 manual bindings; up to 8 VLANs with DHCP snooping enabled.
  Comments: This is not guaranteed, as the hardware resources are shared with QoS.
Adding an IP-to-MAC binding to the DHCP binding database
A switch maintains a DHCP binding database, which is used for dynamic IP lockdown as well as
for DHCP and ARP packet validation. The DHCP snooping feature maintains this database
by learning the IP-to-MAC bindings of VLAN traffic on untrusted ports. Each binding consists of the
client MAC address, port number, VLAN identifier, leased IP address, and lease time.
Dynamic IP lockdown supports a total of 4K (4096) static and dynamic bindings with up to 64 bindings
per port (the 3500/5400 figures in Table 39; the other platforms have lower limits). When DHCP
snooping is enabled both globally and on a VLAN, dynamic bindings are learned when a client on the
VLAN obtains an IP address from a DHCP server. Static bindings are created manually with the CLI
or from a downloaded configuration file.
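The activation sequence at the top of this section (enable DHCP snooping, put the port in a snooped VLAN, leave it untrusted, then enable lockdown) together with the manual binding just described, written out as an added example; this is editor-supplied illustration, not configuration text from the guide. The port names (A1 as the uplink toward the DHCP server, A5-A8 as client ports), the VLAN IDs 10 and 20, the MAC address and the IP address are assumed for illustration, and the command forms are the K/KA/KB-series CLI as this editor recalls them, so check them against the command reference for your software version before use.

```text
; Added example, not from the guide. Ports, VLANs and addresses are assumed.
; 1. Enable DHCP snooping globally and on every VLAN the client ports carry.
;    A source seen on any VLAN without snooping is treated as trusted on all
;    VLANs, so an unsnooped VLAN on a locked-down port undermines the lockdown.
switch(config)# dhcp-snooping
switch(config)# dhcp-snooping vlan 10 20

; 2. Trust only the uplink toward the DHCP server. Client ports must stay
;    untrusted (the default); lockdown never activates on a trusted port.
switch(config)# dhcp-snooping trust A1
switch(config)# no dhcp-snooping trust A5-A8

; 3. Enable dynamic IP lockdown on the untrusted client ports. While lockdown
;    is enabled these ports cannot be added to a trunk.
switch(config)# ip source-lockdown A5-A8

; 4. Add a manual (static) binding for a host that does not use DHCP:
;    <vlan-id> <mac-address> <ip-address> <port>. It occupies one of the
;    per-port and per-switch binding slots listed in Table 39.
switch(config)# ip source-binding 10 001122-334455 10.1.10.50 A5

; 5. Verify: snooping state per VLAN and trusted ports, learned and static
;    bindings, and whether lockdown is actually active on each port.
switch# show dhcp-snooping
switch# show dhcp-snooping binding
switch# show ip source-lockdown status
switch# show ip source-lockdown bindings
```

The order matters: `ip source-lockdown` can be entered before the snooping prerequisites are met, but the status display will show the port as not active until DHCP snooping is enabled globally, the port is in a snooped VLAN, and the port is untrusted. Checking `show ip source-lockdown status` after the change is the practical way to confirm the feature is enforcing rather than merely configured.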
Overview 393