Enhancements
Release M.10.43 Enhancements
Protection Against IP Source Address Spoofing
Many network attacks occur when an attacker injects packets with forged IP source addresses into the network. Also, some network services use the IP source address as a component in their authentication schemes. For example, the BSD “r” protocols (rlogin, rcp, rsh) rely on the IP source address for packet authentication. SNMPv1 and SNMPv2c also frequently use authorized IP address lists to limit management access. An attacker that is able to send traffic that appears to originate from an authorized IP source address may gain access to network services for which he is not authorized.
Dynamic IP lockdown provides protection against IP source address spoofing by means of
Dynamic IP lockdown uses information collected in the DHCP Snooping lease database and through statically configured IP source bindings to create internal,
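The following Python model, added here as an illustration and not taken from the release notes or from ProCurve firmware, shows the mechanism the paragraph describes: bindings learned from the DHCP snooping lease database and statically configured IP source bindings are merged into a per-port table, and a packet arriving on a port in a snooping-enabled VLAN is forwarded only when its source IP matches a binding on that port. The class name `LockdownSwitch`, the method names, the per-port limit parameter, the decision to key the check on source IP and VLAN only (not MAC), and all sample addresses are assumptions of this model.

```python
"""Simplified model of dynamic IP lockdown on an access switch (constructed example)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Binding:
    port: str
    vlan: int
    mac: str
    ip: str
    origin: str  # "dhcp" (learned from the snooping lease database) or "static"


@dataclass
class LockdownSwitch:
    """Tracks IP source bindings per port and filters ingress traffic against them."""
    snooping_vlans: set                               # VLANs with DHCP snooping enabled
    max_per_port: int = 64                            # assumed per-port binding limit
    bindings: dict = field(default_factory=dict)      # port -> set of Binding
    trusted_sources: set = field(default_factory=set) # (mac, ip) seen on a non-snooping VLAN

    def add_binding(self, b: Binding) -> bool:
        """Install a binding; refuse once the port has reached its binding limit."""
        port_set = self.bindings.setdefault(b.port, set())
        if b in port_set:
            return True
        if len(port_set) >= self.max_per_port:
            return False
        port_set.add(b)
        return True

    def learn_dhcp_lease(self, port: str, vlan: int, mac: str, ip: str) -> bool:
        """A lease observed by DHCP snooping; only snooping-enabled VLANs are learned."""
        if vlan not in self.snooping_vlans:
            return False
        return self.add_binding(Binding(port, vlan, mac, ip, "dhcp"))

    def add_static_binding(self, port: str, vlan: int, mac: str, ip: str) -> bool:
        """An administrator-configured IP source binding (no DHCP involved)."""
        return self.add_binding(Binding(port, vlan, mac, ip, "static"))

    def check_packet(self, port: str, vlan: int, src_mac: str, src_ip: str) -> str:
        """Return 'forward' or 'drop' for an IP packet entering `port` on `vlan`."""
        if vlan not in self.snooping_vlans:
            # No DHCP snooping on this VLAN: lockdown does not apply, and a source
            # seen here is treated as trusted on every VLAN from now on.
            self.trusted_sources.add((src_mac, src_ip))
            return "forward"
        if (src_mac, src_ip) in self.trusted_sources:
            return "forward"
        for b in self.bindings.get(port, ()):
            if b.vlan == vlan and b.ip == src_ip:
                return "forward"
        return "drop"  # source IP not bound to this port: treated as spoofed


if __name__ == "__main__":
    sw = LockdownSwitch(snooping_vlans={10})
    sw.learn_dhcp_lease("A1", 10, "00:11:22:33:44:55", "10.0.0.5")
    sw.add_static_binding("A2", 10, "00:aa:bb:cc:dd:ee", "10.0.0.9")
    # A host on port A1 sending with A2's address is dropped.
    print(sw.check_packet("A1", 10, "00:11:22:33:44:55", "10.0.0.9"))
```

The drop decision is the detection point a defender cares about: on a real switch the equivalent event would surface as a filtered-packet counter or log entry on the offending port, which is where to look when a host is borrowing another host's address.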
Differences Between Switch Platforms
There are some differences in the feature set and operation of Dynamic IP Lockdown, depending on the switch on which it is implemented. These are listed below.
■There is no restriction on GVRP on 3500/5400 switches. On 2600/2800/3400cl switches, Dynamic IP Lockdown is not supported if GVRP is enabled on the switch.
■Dynamic IP Lockdown has the host limits shown in the table below. There is a DHCP snooping limit of 8,000 entries.
Switch | Number of Hosts | Comments
3500/5400 | 64 bindings per port; up to 4096 bindings per switch | This limit is shared with DHCP snooping because they both use the snooping database.
3400cl/2800 | 32 bindings per port; up to 32 VLANs with DHCP snooping enabled | This is not guaranteed as the hardware resources are shared with QoS.
2600 | 8 bindings per port; up to 8 VLANs with DHCP snooping enabled | This is not guaranteed as the hardware resources are shared with QoS.
■A source is considered “trusted” for all VLANs if it is seen on any VLAN without DHCP snooping enabled.
■On the ProCurve switch series 5400 and 3500, dynamic IP lockdown is supported on a port configured for statically configured