Configuring Advanced Threat Protection

Dynamic IP Lockdown

The DHCP binding database allows VLANs enabled for DHCP snooping to be known on ports configured for dynamic IP lockdown. As new IP-to-MAC address and VLAN bindings are learned, a corresponding permit rule is dynamically created and applied to the port (preceding the final deny any vlan <VLAN_IDs> rule, as shown in the example in Figure 8-4). These VLAN_IDs correspond to the subset of configured and enabled VLANs for which DHCP snooping has been configured.

For dynamic IP lockdown to work, a port must be a member of at least one VLAN that has DHCP snooping enabled.

Disabling DHCP snooping on a VLAN causes Dynamic IP bindings on Dynamic IP Lockdown-enabled ports in this VLAN to be removed. The port reverts back to switching traffic as usual.

Filtering IP and MAC Addresses Per-Port and Per-VLAN

This section contains an example that shows the following aspects of the Dynamic IP Lockdown feature:

Internal Dynamic IP lockdown bindings dynamically applied on a per-port basis from information in the DHCP Snooping lease database and statically configured IP-to-MAC address bindings

Packet filtering using source IP address, source MAC address, and source VLAN as criteria

In this example, the following DHCP leases have been learned by DHCP snooping on port 5. VLANs 2 and 5 are enabled for DHCP snooping.

Table 1. Sample DHCP Snooping Entries

IP Address     MAC Address       VLAN ID
10.0.8.5       001122-334455     2
10.0.8.7       001122-334477     2
10.0.10.3      001122-334433     5

The following example shows an IP-to-MAC address and VLAN binding that has been statically configured in the lease database on port 5.

IP Address     MAC Address       VLAN ID
10.0.10.1      001122-110011     5
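The following Python model is an added illustration, not switch code from this guide: it builds the per-port rule list described above (one permit rule per learned or static binding, followed by a deny for every VLAN on which DHCP snooping is enabled) from the port 5 entries in the two tables, and then filters sample frames on source IP address, source MAC address and VLAN. It also shows the effect of disabling DHCP snooping on a VLAN: the permit rules for that VLAN disappear and its traffic is switched as usual. Treating a static binding on a non-snooped VLAN the same way (not applied) is an assumption of the model; the guide only states this for dynamic bindings. The MAC-address normalization and all packet samples are constructed for the example.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

@dataclass(frozen=True)
class Binding:
    """One IP-to-MAC-to-VLAN binding, learned by DHCP snooping or configured statically."""
    ip: str
    mac: str    # switch notation, e.g. 001122-334455
    vlan: int

@dataclass(frozen=True)
class Packet:
    """The three header fields dynamic IP lockdown filters on."""
    src_ip: str
    src_mac: str
    vlan: int

# Port 5 bindings copied from the tables above (dynamic entries, then the static one).
PORT5_DYNAMIC = [
    Binding("10.0.8.5", "001122-334455", 2),
    Binding("10.0.8.7", "001122-334477", 2),
    Binding("10.0.10.3", "001122-334433", 5),
]
PORT5_STATIC = [Binding("10.0.10.1", "001122-110011", 5)]
SNOOPED_VLANS = {2, 5}

# Rule layout: (action, ip, mac, vlans). A permit names one binding; the trailing
# deny carries ip=mac=None and the set of snooped VLANs.
Rule = Tuple[str, Optional[str], Optional[str], frozenset]

def normalize_mac(mac: str) -> str:
    """Accept 001122-334455, 00:11:22:33:44:55 or 00-11-22-33-44-55 and return
    the 12 hex digits in lowercase, so comparisons do not depend on notation."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return digits

def build_port_rules(bindings: Iterable[Binding], snooped_vlans: Iterable[int]) -> List[Rule]:
    """Permit rules for every binding on a snooped VLAN, then deny any for those VLANs.
    Bindings on VLANs without DHCP snooping are not applied (assumption for static ones)."""
    snooped = frozenset(snooped_vlans)
    rules: List[Rule] = []
    for b in bindings:
        if b.vlan in snooped:
            rules.append(("permit", b.ip, normalize_mac(b.mac), frozenset({b.vlan})))
    rules.append(("deny", None, None, snooped))
    return rules

def filter_packet(rules: List[Rule], pkt: Packet) -> str:
    """First-match evaluation. Returns 'permit', 'deny', or 'forward' when no rule
    applies because the VLAN is not locked down (traffic is switched as usual)."""
    src_mac = normalize_mac(pkt.src_mac)
    for action, ip, mac, vlans in rules:
        if pkt.vlan not in vlans:
            continue
        if action == "deny" or (pkt.src_ip == ip and src_mac == mac):
            return action
    return "forward"

def disable_snooping(snooped_vlans: Iterable[int], vlan: int) -> frozenset:
    """Model of 'no dhcp-snooping vlan <id>': the VLAN leaves the snooped set, so
    the rebuilt rule list no longer carries its bindings or denies its traffic."""
    return frozenset(snooped_vlans) - {vlan}

if __name__ == "__main__":
    rules = build_port_rules(PORT5_DYNAMIC + PORT5_STATIC, SNOOPED_VLANS)
    samples = [
        Packet("10.0.8.5", "001122-334455", 2),      # learned binding: permit
        Packet("10.0.10.1", "00:11:22:11:00:11", 5), # static binding, other notation: permit
        Packet("10.0.8.5", "001122-334477", 2),      # right IP, wrong MAC: deny
        Packet("10.0.8.5", "001122-334455", 5),      # right pair, wrong VLAN: deny
        Packet("192.168.1.1", "aabbcc-ddeeff", 3),   # VLAN 3 not snooped: forward
    ]
    for p in samples:
        print(p, "->", filter_packet(rules, p))
```

Reading the rule list in order is the point of the model: a frame is permitted only if all three of its source IP, source MAC and VLAN match one binding on the port, every other frame on a snooped VLAN hits the trailing deny, and frames on a VLAN without DHCP snooping never reach a rule at all. Rebuilding with `disable_snooping(SNOOPED_VLANS, 2)` drops both VLAN 2 permits and removes VLAN 2 from the deny, which is the "reverts back to switching traffic as usual" behaviour described above.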

8-25