Configuring and Monitoring Port Security
IP Lockdown
Syntax: ip-lockdown <subnet mask/ips>
IP lockdown is available on the Series 2600 and 2800 switches only.
The "IP lockdown" utility enables you to restrict incoming traffic on a port to
a specific IP address/subnet, and deny all other traffic on that port.
Operating Rules for IP Lockdown
■ Users cannot specify that certain subnets be denied while others are permitted.
■ Users cannot filter on protocol or destination IP address.
■ The lockdown feature applies to inbound traffic on a port only.
■ There is no logging functionality for this feature, i.e. there is no way to determine whether IP address violations occur.
■ The same subnet mask must be used for all ports within an 8-port block (1-8, 9-16, etc.), for example:
  • If you configure Port 1 with: ip-lockdown 192.168.0.1/24
  • Then configure Port 2 with: ip-lockdown 50.0.0.0/24
    This is an acceptable subnet for port 2, because it uses the same /24 mask.
  • Then configure Port 3 with: ip-lockdown 120.15.32.7/32
    This command would return an error and not be configured, due to the differing subnet mask.
Using the IP Lockdown Command
The IP lockdown command operates as follows:
  ip-lockdown <subnet mask/ips>
    Defines the subnet and related IP addresses allowed for incoming traffic on the port.
The following example prevents traffic from all IP addresses other than those specified in subnet 192.168.0.1/24 from entering the switch on interface 1.
  ProCurve Switch 2626(config)# interface 1
  ProCurve Switch 2626(eth-1)# ip-lockdown 192.168.0.1/24
  ProCurve Switch 2626(eth-1)# exit
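The operating rules above and the command example are easy to get wrong when configuring several ports at once, because the switch only reports the mask conflict at the moment the offending command is entered. The following Python model, added here as an example and not HP/ProCurve code, replays the manual's three-port sequence and the inbound-only filter so the rules can be checked against planned port/prefix combinations before they are typed into a switch. The block size of 8, the 1-based port numbering, the `no` form of the command and the error wording are assumptions; the page itself only states the rules.

```python
# Added example (not HP/ProCurve code): a model of the IP lockdown behaviour
# the manual describes. Port numbering, the 8-port block size, the `no` form
# of the command and the error text are assumptions.
import ipaddress

BLOCK_SIZE = 8  # assumption: the manual's "8 port block" (1-8, 9-16, ...)


def port_block(port):
    """Return the index of the 8-port block a 1-based port belongs to."""
    if port < 1:
        raise ValueError("ports are numbered from 1")
    return (port - 1) // BLOCK_SIZE


class LockdownConfig:
    """Per-port lockdown prefixes with the manual's same-mask-per-block rule."""

    def __init__(self):
        self.ports = {}  # port number -> ipaddress.IPv4Network

    def ip_lockdown(self, port, cidr):
        """Emulate `ip-lockdown <address/prefix>` in interface context.

        Returns the stored network, or raises ValueError (standing in for the
        switch error) when the prefix length differs from another configured
        port in the same 8-port block.
        """
        # strict=False: host bits may be set, as in the manual's 192.168.0.1/24
        net = ipaddress.ip_network(cidr, strict=False)
        for other_port, other_net in self.ports.items():
            if other_port == port:
                continue
            if port_block(other_port) == port_block(port) and other_net.prefixlen != net.prefixlen:
                raise ValueError(
                    f"port {port}: /{net.prefixlen} differs from port {other_port} "
                    f"(/{other_net.prefixlen}) in the same {BLOCK_SIZE}-port block"
                )
        self.ports[port] = net
        return net

    def no_ip_lockdown(self, port):
        """Remove the lockdown on a port (assumed `no ip-lockdown` form)."""
        self.ports.pop(port, None)

    def permits(self, port, src_ip, inbound=True):
        """Return True if a packet is forwarded on the port.

        Only the source address of inbound traffic is checked: outbound
        traffic, destination address and protocol are never filtered, and a
        denied packet produces no log entry (the manual says there is none),
        so the verdict is all the model can return.
        """
        net = self.ports.get(port)
        if net is None or not inbound:
            return True
        return ipaddress.ip_address(src_ip) in net


def manual_example():
    """Replay the three-port sequence from the operating rules."""
    cfg = LockdownConfig()
    outcomes = []
    for port, cidr in [(1, "192.168.0.1/24"), (2, "50.0.0.0/24"), (3, "120.15.32.7/32")]:
        try:
            cfg.ip_lockdown(port, cidr)
            outcomes.append((port, "configured"))
        except ValueError:
            outcomes.append((port, "error"))
    return cfg, outcomes


if __name__ == "__main__":
    cfg, outcomes = manual_example()
    print(outcomes)  # port 3 is rejected: /32 differs from the /24 on ports 1 and 2
    print("port 1 from 192.168.0.77:", cfg.permits(1, "192.168.0.77"))
    print("port 1 from 10.0.0.5:", cfg.permits(1, "10.0.0.5"))
```

Running `manual_example()` reproduces the manual's outcome: ports 1 and 2 accept their /24 prefixes and port 3 is refused for its /32. The same /32 is accepted on port 9, which sits in the next block, and on port 3 once the /24 entries on ports 1 and 2 are removed; `permits()` shows that the filter never touches outbound traffic or ports without a lockdown, which is why the absence of logging matters to anyone relying on this feature for containment.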