Enhancements
Release M.10.43 Enhancements
Prerequisite: DHCP Snooping
Dynamic IP lockdown requires that you enable DHCP snooping as a prerequisite for its operation on ports and VLAN traffic:
■ Dynamic IP lockdown only enables traffic for clients whose leased IP addresses are already stored in the lease database created by DHCP snooping or added through a static configuration of an
Therefore, if you enable DHCP snooping after dynamic IP lockdown is enabled, clients with an existing
■ It is recommended that you enable DHCP snooping a week before you enable dynamic IP lockdown to allow the DHCP binding database to learn clients’ leased IP addresses. You must also ensure that the lease time for the information in the DHCP binding database lasts more than a week.
Alternatively, you can configure a DHCP server to
■ The DHCP binding database allows VLANs enabled for DHCP snooping to be known on ports configured for dynamic IP lockdown. As new
■ For dynamic IP lockdown to work, a port must be a member of at least one VLAN that has DHCP snooping enabled.
■ Disabling DHCP snooping on a VLAN removes the dynamic IP bindings on dynamic IP lockdown-enabled ports in that VLAN. The port reverts to switching traffic as usual.
Filtering IP and MAC Addresses
This section contains an example that shows the following aspects of the Dynamic IP Lockdown feature:
■ Internal Dynamic IP lockdown bindings dynamically applied on a
■ Packet filtering using source IP address, source MAC address, and source VLAN as criteria
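
The prerequisites and filter criteria above, modelled in Python as an added example that is not part of the HP release notes. The port name, addresses and the `Switch`, `would_drop` and `demo` names are constructed, and treating traffic on a VLAN without DHCP snooping as unfiltered is an assumption based on the last prerequisite bullet.

```python
from collections import namedtuple
from dataclasses import dataclass, field

Binding = namedtuple("Binding", "port vlan ip mac")

@dataclass
class Switch:
    snooping_vlans: set = field(default_factory=set)   # VLANs with DHCP snooping enabled
    lockdown_ports: set = field(default_factory=set)   # ports with dynamic IP lockdown enabled
    bindings: set = field(default_factory=set)         # leases learned by snooping or added statically

    def learn(self, port, vlan, ip, mac):
        # Snooping records a lease only on VLANs where it is enabled.
        if vlan in self.snooping_vlans:
            self.bindings.add(Binding(port, vlan, ip, mac.lower()))

    def disable_snooping(self, vlan):
        # Disabling snooping on a VLAN removes that VLAN's bindings.
        self.snooping_vlans.discard(vlan)
        self.bindings = {b for b in self.bindings if b.vlan != vlan}

    def permits(self, port, vlan, src_ip, src_mac):
        # Assumption: ports without lockdown, and VLANs without snooping, switch as usual.
        if port not in self.lockdown_ports or vlan not in self.snooping_vlans:
            return True
        return Binding(port, vlan, src_ip, src_mac.lower()) in self.bindings

def would_drop(switch, port, observed):
    """Clients seen on a port that lockdown would filter if it were enabled now."""
    trial = Switch(set(switch.snooping_vlans), switch.lockdown_ports | {port}, set(switch.bindings))
    return [c for c in observed if not trial.permits(port, *c)]

def demo():
    sw = Switch(snooping_vlans={10})
    sw.learn("A1", 10, "10.0.10.5", "00:11:22:AA:BB:01")  # lease seen by snooping
    # Constructed traffic on port A1: (source VLAN, source IP, source MAC)
    seen = [(10, "10.0.10.5", "00:11:22:aa:bb:01"),   # matches the binding
            (10, "10.0.10.9", "00:11:22:aa:bb:02"),   # lease predates snooping, no binding
            (10, "10.0.10.5", "00:11:22:aa:bb:99")]   # bound IP, different MAC
    dropped = would_drop(sw, "A1", seen)              # audit before enabling lockdown
    sw.lockdown_ports.add("A1")
    before = [sw.permits("A1", *c) for c in seen]
    sw.disable_snooping(10)                           # bindings removed, port switches as usual
    after = [sw.permits("A1", *c) for c in seen]
    return dropped, before, after

if __name__ == "__main__":
    print(demo())
```

Running `would_drop` against addresses already observed on a port shows which clients still lack a binding, which is the gap the one-week learning period is meant to close.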