Configuring Advanced Threat Protection

Dynamic IP Lockdown

ProCurve(config)# show ip source-lockdown bindings

Dynamic IP Lockdown (DIPLD) Bindings

  Mac Address    IP Address   VLAN   Port   Not in HW
  -----------    ----------   -----  -----  ---------
  001122-334455  10.10.10.1   1111   X11
  005544-332211  10.10.10.2   2222   Trk11  YES
  . . . . . . . . . . . . . . . . . . . . . . . . . . .

Figure 8-6. Example of show ip source-lockdown bindings Command Output

In the show ip source-lockdown bindings command output, the “Not in HW” column specifies whether or not (YES or NO) a statically configured IP-to-MAC and VLAN binding on a specified port has been combined in the lease database maintained by the DHCP Snooping feature.
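An added example, not part of the original manual: a Python parser for captured show ip source-lockdown bindings output that returns each binding and lists the rows marked YES in the "Not in HW" column. The column spacing of the sample and the treatment of an empty cell as NO are assumptions based on Figure 8-6.

```python
import re
from typing import List, NamedTuple


class Binding(NamedTuple):
    mac: str
    ip: str
    vlan: int
    port: str
    not_in_hw: bool


# A data row starts with a MAC in the switch's xxxxxx-xxxxxx notation,
# followed by IP, VLAN and port; the last cell is YES, NO or empty.
ROW = re.compile(
    r"^\s*([0-9A-Fa-f]{6}-[0-9A-Fa-f]{6})\s+(\d{1,3}(?:\.\d{1,3}){3})"
    r"\s+(\d+)\s+(\S+)(?:\s+(YES|NO))?\s*$"
)


def parse_bindings(text: str) -> List[Binding]:
    """Return one Binding per data row; prompt, titles, rules and dots are skipped."""
    bindings = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            mac, ip, vlan, port, flag = m.groups()
            # Assumption: an empty "Not in HW" cell is treated the same as NO.
            bindings.append(Binding(mac.lower(), ip, int(vlan), port, flag == "YES"))
    return bindings


def not_in_hw(bindings: List[Binding]) -> List[Binding]:
    """Bindings whose "Not in HW" column reads YES."""
    return [b for b in bindings if b.not_in_hw]


# Sample rows taken from Figure 8-6; the column spacing is constructed.
SAMPLE = """\
ProCurve(config)# show ip source-lockdown bindings
Dynamic IP Lockdown (DIPLD) Bindings
  Mac Address    IP Address   VLAN   Port   Not in HW
  -----------    ----------   -----  -----  ---------
  001122-334455  10.10.10.1   1111   X11
  005544-332211  10.10.10.2   2222   Trk11  YES
  . . . . . . . . . . . . . . . . . . . . . . . . . . .
"""

if __name__ == "__main__":
    for b in not_in_hw(parse_bindings(SAMPLE)):
        print(f"{b.mac} {b.ip} VLAN {b.vlan} port {b.port}: Not in HW = YES")
```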

Debugging Dynamic IP Lockdown

To enable the debugging of packets dropped by dynamic IP lockdown, enter the debug dynamic-ip-lockdown command.

Syntax: debug dynamic-ip-lockdown

To send command output to the active CLI session, enter the debug destination session command.

Counters for denied packets are displayed in the debug dynamic-ip-lockdown command output. Packet counts are updated every five minutes. An example of the command output is shown in Figure 8-7.

When dynamic IP lockdown drops IP packets in VLAN traffic that do not contain a known source IP-to-MAC address binding for the port on which the packets are received, a message is entered in the event log.
