HP ProCurve Series 3400cl User Manual

Enhancements
Release M.10.43 Enhancements
Prerequisite: DHCP Snooping
Dynamic IP lockdown requires that you enable DHCP snooping as a prerequisite for its operation on ports and VLAN traffic:

- Dynamic IP lockdown only enables traffic for clients whose leased IP addresses are already stored in the lease database created by DHCP snooping or added through a static configuration of an IP-to-MAC binding.

  Therefore, if you enable DHCP snooping after dynamic IP lockdown is enabled, clients with an existing DHCP-assigned address must either request a new leased IP address or renew their existing DHCP-assigned address. Otherwise, a client's leased IP address is not contained in the DHCP binding database. As a result, dynamic IP lockdown will not allow inbound traffic from the client.

  It is recommended that you enable DHCP snooping a week before you enable dynamic IP lockdown to allow the DHCP binding database to learn clients' leased IP addresses. You must also ensure that the lease time for the information in the DHCP binding database lasts more than a week.

  Alternatively, you can configure a DHCP server to re-allocate IP addresses to DHCP clients. In this way, you repopulate the lease database with current IP-to-MAC bindings.

- The DHCP binding database allows VLANs enabled for DHCP snooping to be known on ports configured for dynamic IP lockdown. As new IP-to-MAC address and VLAN bindings are learned, a corresponding permit rule is dynamically created and applied to the port (preceding the final deny any vlan <VLAN_IDs> rule as shown in the example in Figure 3). These VLAN_IDs correspond to the subset of configured and enabled VLANs for which DHCP snooping has been configured.

- For dynamic IP lockdown to work, a port must be a member of at least one VLAN that has DHCP snooping enabled.

- Disabling DHCP snooping on a VLAN causes dynamic IP bindings on dynamic IP lockdown-enabled ports in this VLAN to be removed. The port reverts to switching traffic as usual.
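
The binding-to-permit-rule behavior described above, modeled in Python as an added example (not code from the HP manual or the switch firmware). The port name, addresses and VLAN numbers are constructed, the class and method names are hypothetical, and the model covers only the rules stated in this section.

```python
from dataclasses import dataclass, field

@dataclass
class LockdownPort:
    """Simplified model of one port with dynamic IP lockdown enabled."""
    name: str
    snooping_vlans: set                        # VLANs with DHCP snooping enabled
    permits: set = field(default_factory=set)  # (ip, mac, vlan) permit rules

    def add_binding(self, ip, mac, vlan, port):
        """Lease learned by DHCP snooping, or a static IP-to-MAC binding."""
        if port == self.name and vlan in self.snooping_vlans:
            self.permits.add((ip, mac.lower(), vlan))

    def disable_snooping(self, vlan):
        """Disabling snooping on a VLAN removes that VLAN's bindings."""
        self.snooping_vlans.discard(vlan)
        self.permits = {p for p in self.permits if p[2] != vlan}

    def check(self, src_ip, src_mac, vlan):
        if (src_ip, src_mac.lower(), vlan) in self.permits:
            return "permit"
        if vlan in self.snooping_vlans:
            return "deny"        # the final "deny any vlan <VLAN_IDs>" rule
        return "switched"        # VLAN not under lockdown: traffic as usual

def run_scenario():
    """Constructed addresses; returns the verdict at each step."""
    port = LockdownPort("A1", {10})
    pc = ("10.0.10.5", "00:11:22:aa:bb:01", 10)
    out = {}
    # Lockdown is on, but the PC got its lease before snooping was enabled.
    out["lease_predates_snooping"] = port.check(*pc)
    # The PC renews; snooping records the binding and a permit rule appears.
    port.add_binding(*pc, port="A1")
    out["after_renew"] = port.check(*pc)
    # Same MAC and VLAN, different source IP: no matching binding.
    out["wrong_source_ip"] = port.check("10.0.10.99", pc[1], 10)
    # VLAN 20 has no DHCP snooping, so it is outside the deny rule.
    out["vlan_without_snooping"] = port.check("10.0.20.7", "00:11:22:aa:bb:02", 20)
    # Snooping disabled on VLAN 10: bindings removed, port switches as usual.
    port.disable_snooping(10)
    out["snooping_disabled"] = port.check(*pc)
    return out

if __name__ == "__main__":
    for step, verdict in run_scenario().items():
        print(f"{step:26} {verdict}")
```

The first verdict is the failure mode the section warns about: a legitimate client is dropped until it renews its lease, which is why snooping should populate the database before lockdown is turned on.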
Filtering IP and MAC Addresses Per-Port and Per-VLAN
This section contains an example that shows the following aspects of the Dynamic IP Lockdown feature:

- Internal Dynamic IP lockdown bindings dynamically applied on a per-port basis from information in the DHCP Snooping lease database and statically configured IP-to-MAC address bindings
- Packet filtering using source IP address, source MAC address, and source VLAN as criteria
