in the DHCP binding database, and dynamic IP lockdown will not allow inbound traffic from
the client.
• HP recommends that you enable DHCP snooping a week before you enable dynamic IP
lockdown to let the DHCP binding database learn clients’ leased IP addresses. Also ensure
that the lease time for the information in the DHCP binding database lasts more than a week.
You can also configure a DHCP server to re-allocate IP addresses to DHCP clients to repopulate
the lease database with current IP-to-MAC bindings.
• The DHCP binding database allows VLANs enabled for DHCP snooping to be known on ports
configured for dynamic IP lockdown. As new IP-to-MAC address and VLAN bindings are
learned, a corresponding permit rule is dynamically created and applied to the port (preceding
the final deny any vlan <VLAN_IDs> rule as shown in “Internal statements used by Dynamic
IP Lockdown” (page 22)). These VLAN_IDs correspond to the subset of configured and enabled
VLANs for which DHCP snooping has been configured.
• For dynamic IP lockdown to work, a port must be a member of at least one VLAN with DHCP
snooping enabled.
• Disabling DHCP snooping on a VLAN removes Dynamic IP bindings on Dynamic IP
Lockdown-enabled ports in that VLAN. The port reverts to switching traffic as usual.
Filtering IP and MAC addresses per-port and per-VLAN
• Internal Dynamic IP lockdown bindings are dynamically applied on a per-port basis from
information in the DHCP Snooping lease database and statically configured IP-to-MAC address
bindings.
• Packet filtering uses source IP address, source MAC address, and source VLAN as criteria.
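The per-port filter described above can be modelled in a few lines. The following Python simulation is an added illustration and is not HP switch code: it keeps a set of (VLAN, MAC, IP) bindings for one lockdown-enabled untrusted port, generates a permit rule per binding ahead of the final deny any vlan <VLAN_IDs> rule, and evaluates a packet by source VLAN, source MAC, and source IP. The class and method names, the Packet/Binding types, and the text form of the permit rules are assumptions for the example; the sample bindings are constructed to match the VLAN 2 and VLAN 5 entries shown in the examples below.

```python
"""Simulation of Dynamic IP Lockdown filtering on one untrusted port.

Added illustration only; the rule syntax and class names are assumptions,
not the switch's real internal statements.
"""
from dataclasses import dataclass
from typing import List, Set


@dataclass(frozen=True)
class Binding:
    """One IP-to-MAC-to-VLAN binding from the snooping lease database or static config."""
    vlan: int
    mac: str   # canonical 12 hex digits, see normalize_mac()
    ip: str


@dataclass(frozen=True)
class Packet:
    """The three fields the filter inspects: source VLAN, source MAC, source IP."""
    vlan: int
    src_mac: str
    src_ip: str


def normalize_mac(mac: str) -> str:
    """Accept '001122-334455' (HP style) or '00:11:22:33:44:55' and return 12 hex digits."""
    hexdigits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return hexdigits


class LockdownPort:
    """A Dynamic-IP-Lockdown-enabled, untrusted port (assumed model)."""

    def __init__(self, snooping_vlans: Set[int]) -> None:
        # VLANs on this port for which DHCP snooping is enabled
        self.snooping_vlans: Set[int] = set(snooping_vlans)
        self.bindings: Set[Binding] = set()

    def learn(self, vlan: int, mac: str, ip: str) -> None:
        """Add a binding (learned by snooping or statically configured); a permit rule follows."""
        self.bindings.add(Binding(vlan, normalize_mac(mac), ip))

    def disable_snooping(self, vlan: int) -> None:
        """Disabling snooping on a VLAN removes that VLAN's dynamic bindings from the port."""
        self.snooping_vlans.discard(vlan)
        self.bindings = {b for b in self.bindings if b.vlan != vlan}

    def rules(self) -> List[str]:
        """Permit rules per binding, followed by the final 'deny any vlan <VLAN_IDs>' rule."""
        ordered = sorted(self.bindings, key=lambda b: (b.vlan, b.mac, b.ip))
        permits = [f"permit vlan {b.vlan} mac {b.mac} ip {b.ip}" for b in ordered]
        if not self.snooping_vlans:
            return permits
        deny = "deny any vlan " + ",".join(str(v) for v in sorted(self.snooping_vlans))
        return permits + [deny]

    def permits(self, pkt: Packet) -> bool:
        """True if the packet is forwarded, False if dynamic IP lockdown drops it."""
        if pkt.vlan not in self.snooping_vlans:
            return True  # VLAN not snooped: traffic is switched as usual
        probe = Binding(pkt.vlan, normalize_mac(pkt.src_mac), pkt.src_ip)
        return probe in self.bindings  # no matching permit rule -> final deny


def build_example_port() -> LockdownPort:
    """Constructed port 5 with VLANs 2 and 5 snooped and the bindings from the examples."""
    port = LockdownPort(snooping_vlans={2, 5})
    port.learn(2, "001122-334455", "10.0.8.5")    # learned by DHCP snooping
    port.learn(2, "001122-334477", "10.0.8.7")    # learned by DHCP snooping
    port.learn(5, "001122-334433", "10.0.10.3")   # learned by DHCP snooping
    port.learn(5, "001122-110011", "10.0.10.1")   # statically configured binding
    return port


if __name__ == "__main__":
    port = build_example_port()
    for rule in port.rules():
        print(rule)
    spoofed = Packet(2, "001122-334455", "10.0.8.9")   # right MAC, wrong IP
    print("spoofed source permitted:", port.permits(spoofed))
```

Running the module prints the four permit rules followed by deny any vlan 2,5, and shows that a host reusing its leased MAC with an IP it was not leased is dropped, while a packet on a VLAN that is not snooped passes untouched.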
In Example 1, DHCP leases have been learned by DHCP snooping on port 5. VLANs 2 and 5 are
enabled for DHCP snooping.
Example 12 DHCP snooping entries
VLAN ID   MAC Address     IP Address
2         001122-334455   10.0.8.5
2         001122-334477   10.0.8.7
5         001122-334433   10.0.10.3
Example 2 shows an IP-to-MAC address and VLAN binding that has been statically configured
in the lease database on port 5.
Example 13 IP-to-MAC address and VLAN binding
VLAN ID   MAC Address     IP Address
5         001122-110011   10.0.10.1
Assuming that DHCP snooping is enabled and that port 5 is untrusted, dynamic IP lockdown applies
the following dynamic VLAN filtering on port 5:
Dynamic IP Lockdown 21