Enabling Dynamic IP Lockdown - HP 2530 Manual Supplement


Example 14 Internal statements used by Dynamic IP Lockdown
permit 10.0.8.5 001122-334455 vlan 2
permit 10.0.8.7 001122-334477 vlan 2
permit 10.0.10.3 001122-334433 vlan 5
permit 10.0.10.1 001122-110011 vlan 5
deny any vlan 2,5
permit any
Note that the deny any statement is applied only to VLANs for which DHCP snooping is enabled.
The permit any statement is applied only to all other VLANs.
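The statement list in Example 14 can be modelled in a few lines to see which source addresses pass the filter. This is an added example, not HP code or part of the original supplement: the function names are hypothetical, first-match evaluation in the listed order is an assumption, the model ignores which port a packet arrived on, and the test packets are constructed.

```python
from typing import NamedTuple, Optional

class Stmt(NamedTuple):
    action: str
    ip: str                      # source IP, or "any"
    mac: str                     # source MAC, or "any"
    vlans: Optional[frozenset]   # None = statement carries no VLAN qualifier

def build_statements(bindings, snooped_vlans):
    """bindings: (ip, mac, vlan) tuples as learned by DHCP snooping."""
    stmts = [Stmt("permit", ip, mac, frozenset({vlan})) for ip, mac, vlan in bindings]
    # deny any: only for VLANs on which DHCP snooping is enabled
    stmts.append(Stmt("deny", "any", "any", frozenset(snooped_vlans)))
    # permit any: reached only by traffic in all other VLANs
    stmts.append(Stmt("permit", "any", "any", None))
    return stmts

def render(stmts):
    """Print the statements in the notation used by Example 14."""
    lines = []
    for s in stmts:
        src = "any" if s.ip == "any" else f"{s.ip} {s.mac}"
        vl = "" if s.vlans is None else " vlan " + ",".join(map(str, sorted(s.vlans)))
        lines.append(f"{s.action} {src}{vl}")
    return lines

def evaluate(stmts, src_ip, src_mac, vlan):
    """Return the action of the first statement matching the packet (assumed order)."""
    for s in stmts:
        if s.vlans is not None and vlan not in s.vlans:
            continue
        if s.ip in ("any", src_ip) and s.mac in ("any", src_mac):
            return s.action
    return "deny"

# Bindings and snooped VLANs taken from Example 14.
BINDINGS = [("10.0.8.5", "001122-334455", 2), ("10.0.8.7", "001122-334477", 2),
            ("10.0.10.3", "001122-334433", 5), ("10.0.10.1", "001122-110011", 5)]
SNOOPED_VLANS = {2, 5}

if __name__ == "__main__":
    stmts = build_statements(BINDINGS, SNOOPED_VLANS)
    print("\n".join(render(stmts)))
    # Constructed packets: bound host, borrowed IP, wrong VLAN, VLAN without snooping.
    for pkt in [("10.0.8.5", "001122-334455", 2), ("10.0.8.7", "001122-334455", 2),
                ("10.0.8.5", "001122-334455", 5), ("192.0.2.9", "aabbcc-ddeeff", 7)]:
        print(pkt, "->", evaluate(stmts, *pkt))
```

The last constructed packet is permitted because VLAN 7 has no DHCP snooping, which is the case the note above describes: lockdown filters nothing in VLANs that are not snooped.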

Enabling dynamic IP lockdown

To enable dynamic IP lockdown globally on all ports or on specified ports on the routing switch,
enter the ip source-lockdown command at the global configuration level; use the no form of
the command to disable dynamic IP lockdown.
Syntax:
[no] ip source-lockdown <port-list>

Parameter: port-list
Task: Specifies a port number or a range of port numbers.
Detail: Separate individual port numbers or ranges of port numbers with a comma (for example, 13-15, 17).

Example:
HP Switch(config)# ip source-lockdown 5-8, 17

Dynamic IP lockdown is enabled at the port configuration level and applies to all bridged or routed
IP packets entering the switch. The only IP packets exempt from dynamic IP lockdown are broadcast
DHCP request packets, which are handled by DHCP snooping.

DHCP snooping is a prerequisite for Dynamic IP Lockdown operation. The following restrictions
apply:

- DHCP snooping is required for dynamic IP lockdown to operate. To enable DHCP snooping,
  enter the dhcp-snooping command at the global configuration level.
- Dynamic IP lockdown only filters packets in VLANs that are enabled for DHCP snooping. For
  Dynamic IP lockdown to work on a port, the port must be configured for at least one VLAN
  that is enabled for DHCP snooping.
  To enable DHCP snooping on a VLAN, enter the dhcp-snooping vlan [vlan-id-range]
  command at the global configuration level or the dhcp-snooping command at the VLAN
  configuration level.
- Dynamic IP lockdown is not supported on a trusted port. (However, note that the DHCP server
  must be connected to a trusted port when DHCP snooping is enabled.)
  By default, all ports are untrusted. To remove the trusted configuration from a port, enter the
  no dhcp-snooping trust <port-list> command at the global configuration level.

For more information on how to configure and use DHCP snooping, see "DHCP snooping" (page 7).

To enable IP lockdown:

Updates for the HP Switch Software Access Security Guide
