Configuring and Monitoring Port Security

IP Lockdown

IP lockdown is available on the Series 2600 and 2800 switches only.

The “IP lockdown” utility enables you to restrict incoming traffic on a port to a specific IP address/subnet, and deny all other traffic on that port.

Operating Rules for IP Lockdown

Users cannot specify that certain subnets be denied while others are permitted.

Users cannot filter on protocol or destination IP address.

The lockdown feature applies to inbound traffic on a port only.

There is no logging functionality for this feature, i.e., there is no way to determine whether IP address violations occur.

The same subnet mask must be used for all ports within an 8-port block (1-8, 9-16, etc.). For example:

If you configure port 1 with: ip-lockdown 192.168.0.1/24

Then configure port 2 with: ip-lockdown 50.0.0.0/24 (this is an acceptable subnet for port 2, because it uses the same /24 mask as port 1)

Then configure port 3 with: ip-lockdown 120.15.32.7/32

This last command would return an error and not be configured, because its subnet mask differs from the mask already in use on the other ports of the block.

Using the IP Lockdown Command

The IP lockdown command operates as follows:

Syntax: ip-lockdown <subnet mask/ips>

Defines the subnet and related IP addresses allowed for incoming traffic on the port.

The following example prevents traffic from all IP addresses other than those specified in subnet 192.168.0.1/24 from entering the switch on interface 1.

ProCurve Switch 2626(config)# interface 1

ProCurve Switch 2626(eth-1)# ip-lockdown 192.168.0.1/24

ProCurve Switch 2626(eth-1)# exit
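The operating rules above (a single mask per 8-port block, inbound-only filtering, no violation logging) and the ip-lockdown example can be checked before touching a switch. The following added example is not from the HP manual or the switch firmware; it is a hypothetical Python model of the per-port lockdown table that enforces the 8-port-block mask rule when a port is configured and answers whether a given inbound source address would be permitted on a port. Class and function names are assumptions, and the port and subnet values reproduce the manual's own example.

```python
import ipaddress

BLOCK_SIZE = 8  # the manual's rule: ports 1-8, 9-16, ... must share one subnet mask


def port_block(port: int) -> int:
    """Return the index of the 8-port block a port belongs to (1-8 -> 0, 9-16 -> 1, ...)."""
    if port < 1:
        raise ValueError("switch ports are numbered from 1")
    return (port - 1) // BLOCK_SIZE


class IpLockdownConfig:
    """Hypothetical model of the per-port ip-lockdown table, not the switch's own code."""

    def __init__(self) -> None:
        # port number -> permitted source network for inbound traffic on that port
        self.lockdowns: dict = {}

    def set_port(self, port: int, prefix: str):
        """Apply 'ip-lockdown <prefix>' to a port, or raise ValueError like the CLI error."""
        # strict=False mirrors the CLI accepting a host address with a mask (192.168.0.1/24)
        net = ipaddress.ip_network(prefix, strict=False)
        for other_port, other_net in self.lockdowns.items():
            if other_port == port:
                continue
            if port_block(other_port) == port_block(port) and other_net.prefixlen != net.prefixlen:
                raise ValueError(
                    f"port {port}: mask /{net.prefixlen} differs from /{other_net.prefixlen} "
                    f"already used on port {other_port} in the same 8-port block"
                )
        self.lockdowns[port] = net
        return net

    def permits_inbound(self, port: int, src_ip: str) -> bool:
        """Decide whether an inbound frame with this source IP is accepted on the port.

        Only inbound traffic is filtered and the switch keeps no log of denials,
        so the caller must record violations itself if it wants visibility.
        """
        net = self.lockdowns.get(port)
        if net is None:
            return True  # no lockdown on this port: all inbound traffic passes
        return ipaddress.ip_address(src_ip) in net


def manual_example() -> dict:
    """Replay the manual's three-port example and report what each step does."""
    cfg = IpLockdownConfig()
    results = {}
    results["port1"] = str(cfg.set_port(1, "192.168.0.1/24"))
    results["port2"] = str(cfg.set_port(2, "50.0.0.0/24"))
    try:
        cfg.set_port(3, "120.15.32.7/32")
        results["port3"] = "configured"
    except ValueError as err:
        results["port3"] = f"rejected: {err}"
    # a different block (port 9) may use the /32 mask without conflict
    results["port9"] = str(cfg.set_port(9, "120.15.32.7/32"))
    return results


if __name__ == "__main__":
    for key, value in manual_example().items():
        print(key, "->", value)
```

Running the module prints the outcome of each step of the manual's example; port 3 is rejected because it would mix a /32 with the /24 already in use in ports 1-8, while the same /32 is accepted on port 9 because that port is in the next block.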
