Configuring Source IP Lockdown

To configure source IP lockdown, you must enable DHCP (Dynamic Host Configuration Protocol) snooping on the ports connected to the DHCP server and DHCP client before you enable source IP lockdown. You must enable source IP lockdown on the ports connected to the DHCP client, not on the ports connected to the DHCP server.

Enable DHCP snooping using the command:
enable ip-security dhcp-snooping {vlan} vlan_name ports [all | ports] violation-action [drop-packet {[block-mac | block-port] [duration duration_in_seconds | permanently] | none]}] {snmp-trap}

For more information about DHCP snooping see, Configuring DHCP Snooping.

Source IP lockdown is disabled on the switch by default.
To enable source IP lockdown, use the command:
enable ip-security source-ip-lockdown ports [all | ports]
To disable source IP lockdown, use the command
disable ip-security source-ip-lockdown ports [all | ports]

Published March 2020prev | next

Email this topic

Print this page Print this page

Leave feedback Feedback