■ The DHCP binding database allows VLANs enabled for DHCP snooping to be known on ports configured for dynamic IP lockdown. As new IP-to-MAC address and VLAN bindings are learned, a corresponding permit rule is dynamically created and applied to the port (preceding the final deny any vlan <VLAN_IDs> rule, as shown in the example in Figure 10-4). These VLAN_IDs correspond to the subset of configured and enabled VLANs for which DHCP snooping has been configured.
■ For dynamic IP lockdown to work, a port must be a member of at least one VLAN that has DHCP snooping enabled.
■ Disabling DHCP snooping on a VLAN causes the dynamic IP bindings on Dynamic IP Lockdown-enabled ports in this VLAN to be removed. The port reverts to switching traffic as usual.
Filtering IP and MAC Addresses Per-Port and Per-VLAN
This section contains an example that shows the following aspects of the Dynamic IP Lockdown feature:
■ Internal Dynamic IP Lockdown bindings dynamically applied on a per-port basis from information in the DHCP Snooping lease database and statically configured IP-to-MAC address bindings
■ Packet filtering using source IP address, source MAC address, and source VLAN as criteria
In this example, the following DHCP leases have been learned by DHCP
snooping on port 5. VLANs 2 and 5 are enabled for DHCP snooping.
Table 1. Sample DHCP Snooping Entries

IP Address     MAC Address      VLAN ID
10.0.8.5       001122-334455    2
10.0.8.7       001122-334477    2
10.0.10.3      001122-334433    5

The following example shows an IP-to-MAC address and VLAN binding that has been statically configured in the lease database on port 5.

IP Address     MAC Address      VLAN ID
10.0.10.1      001122-110011    5

Configuring Advanced Threat Protection
Dynamic IP Lockdown
10-25
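The per-port rule set that the two tables above produce, as an added simulation (not switch code from this manual): each binding on a DHCP-snooping-enabled VLAN becomes a permit rule matched on source IP, source MAC and VLAN, followed by the final deny any vlan <VLAN_IDs> rule; the Binding data model and the disable_snooping helper are assumptions made for the example.

```python
# Added example: simulates Dynamic IP Lockdown filtering on port 5 using the
# bindings from Table 1 and the static-binding example. The rule order and
# table values come from the page; the data model is an assumption.
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    vlan: int
    static: bool = False   # True for the statically configured binding

# Constructed from Table 1 (dynamic leases) and the static entry on port 5.
PORT5_BINDINGS = [
    Binding("10.0.8.5", "001122-334455", 2),
    Binding("10.0.8.7", "001122-334477", 2),
    Binding("10.0.10.3", "001122-334433", 5),
    Binding("10.0.10.1", "001122-110011", 5, static=True),
]
SNOOPING_VLANS = {2, 5}   # VLANs enabled for DHCP snooping on the page

def build_rules(bindings, snooping_vlans):
    """Ordered per-port rule list: one permit per binding on a snooping-enabled
    VLAN, then the final 'deny any vlan <VLAN_IDs>' covering those VLANs."""
    rules = [("permit", b.ip, b.mac, b.vlan)
             for b in bindings if b.vlan in snooping_vlans]
    rules.append(("deny", "any", "any", frozenset(snooping_vlans)))
    return rules

def filter_packet(rules, src_ip, src_mac, vlan):
    """First matching rule wins. A packet on a VLAN without DHCP snooping
    matches no rule and is switched as usual ('forward')."""
    for action, ip, mac, v in rules:
        if action == "permit" and (src_ip, src_mac, vlan) == (ip, mac, v):
            return "forward"
        if action == "deny" and vlan in v:
            return "drop"
    return "forward"   # no lockdown rule applies to this VLAN

def disable_snooping(bindings, snooping_vlans, vlan):
    """Disabling DHCP snooping on a VLAN removes the dynamic bindings learned
    on it (static entries are kept here, an assumption); the VLAN then falls
    outside the deny rule and the port reverts to normal switching."""
    remaining = [b for b in bindings if b.static or b.vlan != vlan]
    return remaining, snooping_vlans - {vlan}
```

A packet whose source IP, MAC and VLAN match a learned or static binding is forwarded; a packet on VLAN 2 or 5 that does not match any binding is dropped by the final deny rule, while VLANs without DHCP snooping are untouched.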