Configuring Advanced Threat Protection

Dynamic IP Lockdown

Assuming that DHCP snooping is enabled and that port 5 is untrusted, dynamic IP lockdown applies the following dynamic VLAN filtering on port 5:

permit 10.0.8.5 001122-334455 vlan 2

permit 10.0.8.7 001122-334477 vlan 2

permit 10.0.10.3 001122-334433 vlan 5 permit 10.0.10.1 001122-110011 vlan 5

deny any vlan 1-10 permit any

Figure 8-4. Example of Internal Statements used by Dynamic IP Lockdown

Note that the deny any statement is applied only to VLANs for which DHCP snooping is enabled. The permit any statement is applied only to all other VLANs.

Enabling Dynamic IP Lockdown

To enable dynamic IP lockdown on all ports or specified ports, enter the ip source-lockdowncommand at the global configuration level. Use the no form of the command to disable dynamic IP lockdown.

Syntax: [no] ip source-lockdown <port-list>

Enables dynamic IP lockdown globally on all ports or on specified ports on the routing switch.

Operating Notes

Dynamic IP lockdown is enabled at the port configuration level and applies to all bridged or routed IP packets entering the switch. The only IP packets that are exempt from dynamic IP lockdown are broadcast DHCP request packets, which are handled by DHCP snooping.

DHCP snooping is a prerequisite for Dynamic IP Lockdown operation. The following restrictions apply:

DHCP snooping is required for dynamic IP lockdown to operate. To enable DHCP snooping, enter the dhcp-snoopingcommand at the global configuration level.

8-26