Configuring Advanced Threat Protection

Dynamic IP Lockdown

Monitoring Dynamic ARP Protection

When dynamic ARP protection is enabled, you can monitor and troubleshoot the validation of ARP packets with the debug arp-protectcommand. Use this command when you want to debug the following conditions:

The switch is dropping valid ARP packets that should be allowed.

The switch is allowing invalid ARP packets that should be dropped.

ProCurve(config)# debug arp-protect

1. ARP request is valid

"DARPP: Allow ARP request 000000-000001,10.0.0.1 for 10.0.0.2 port A1, vlan "

2. ARP request detected with an invalid binding

"DARPP: Deny ARP request 000000-000003,10.0.0.1 port A1, vlan 1"

3. ARP response with a valid binding

"DARPP: Allow ARP reply 000000-000002,10.0.0.2 port A2, vlan 1"

4.ARP response detected with an invalid binding

"DARPP: Deny ARP reply 000000-000003,10.0.0.2 port A2, vlan 1"

Figure 8-3. Example of debug arp-protect CommandDynamic IP Lockdown

The Dynamic IP Lockdown feature is used to prevent IP source address spoofing on a per-port and per-VLAN basis. When dynamic IP lockdown is enabled, IP packets in VLAN traffic received on a port are forwarded only if they contain a known source IP address and MAC address binding for the port. The IP-to-MAC address binding can either be statically configured or learned by the DHCP Snooping feature.

8-23