Configuring Source IP Lockdown
To configure source IP lockdown, you must enable DHCP (Dynamic Host Configuration Protocol) snooping on the ports connected to the DHCP server and to the DHCP client before you enable source IP lockdown. You must enable source IP lockdown on the ports connected to the DHCP client, not on the ports connected to the DHCP server.

Note
Enabling DHCP snooping and source IP lockdown on the same port applies ACL rules with the same match conditions but different actions. The rule with the deny action takes precedence, so packets are dropped if these ACL rules are installed on different slices. Many factors influence which slice rules are installed on. To see which slice these rules are installed on, use the command
show access-list usage acl-slice port port
or
show access-list usage acl-rule port port
- Enable DHCP snooping using the command:
  enable ip-security dhcp-snooping {vlan} vlan_name ports [all | ports] violation-action [drop-packet {[block-mac | block-port] [duration duration_in_seconds | permanently] | none]}] {snmp-trap}
- Source IP lockdown is disabled on the switch by default. To enable source IP lockdown, use the command:
  enable ip-security source-ip-lockdown ports [all | ports]
- To disable source IP lockdown, use the command:
  disable ip-security source-ip-lockdown ports [all | ports]
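The following is an added example, not Extreme Networks code, that models the mechanism these commands configure so the ordering requirement and the deny-precedence note can be seen in action. It assumes the common source IP lockdown behaviour: DHCP snooping records which IP address the server leased to a client on which port, lockdown then permits only those learned source addresses on that client port and drops everything else, and when two rules share the same match conditions but differ in action, deny wins. Port names, MAC addresses and IP addresses are constructed.

```python
"""Model of DHCP snooping bindings feeding source IP lockdown filters.

Added illustration, not switch firmware. Assumptions (not taken from the
page): lockdown installs a port-wide deny plus one permit per IP learned by
DHCP snooping; rules with identical match conditions resolve to deny.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class AclRule:
    port: str
    src_ip: Optional[str]   # None means "any source IP on this port"
    action: str             # "permit" or "deny"


@dataclass
class Switch:
    snooping_ports: Set[str] = field(default_factory=set)
    lockdown_ports: Set[str] = field(default_factory=set)
    # (client port, client MAC) -> leased IP, learned by DHCP snooping
    bindings: Dict[Tuple[str, str], str] = field(default_factory=dict)
    rules: List[AclRule] = field(default_factory=list)

    def enable_dhcp_snooping(self, port: str) -> None:
        self.snooping_ports.add(port)

    def enable_source_ip_lockdown(self, port: str) -> None:
        # Snooping must already be enabled on the client port, otherwise
        # lockdown would have no bindings to permit and would drop everything.
        if port not in self.snooping_ports:
            raise ValueError(f"enable DHCP snooping on {port} first")
        self.lockdown_ports.add(port)
        # Default-deny for any source IP not learned through snooping.
        self.rules.append(AclRule(port, None, "deny"))
        # Permit leases that were learned before lockdown was turned on.
        for (p, _mac), ip in self.bindings.items():
            if p == port:
                self.rules.append(AclRule(port, ip, "permit"))

    def disable_source_ip_lockdown(self, port: str) -> None:
        self.lockdown_ports.discard(port)
        self.rules = [r for r in self.rules if r.port != port]

    def learn_lease(self, client_port: str, mac: str, ip: str) -> None:
        """Binding produced by snooping when the server ACKs a client request."""
        if client_port not in self.snooping_ports:
            return  # unsnooped port: nothing is learned
        self.bindings[(client_port, mac)] = ip
        if client_port in self.lockdown_ports:
            self.rules.append(AclRule(client_port, ip, "permit"))

    def decide(self, port: str, src_ip: str) -> str:
        """Return 'permit' or 'deny' for a packet with src_ip arriving on port."""
        exact = [r for r in self.rules if r.port == port and r.src_ip == src_ip]
        if exact:
            # Same match conditions, possibly different actions: deny wins.
            return "deny" if any(r.action == "deny" for r in exact) else "permit"
        port_wide = [r for r in self.rules if r.port == port and r.src_ip is None]
        if port_wide:
            return "deny" if any(r.action == "deny" for r in port_wide) else "permit"
        return "permit"  # no lockdown on this port: forward as usual


def demo() -> Dict[str, str]:
    """Constructed scenario: two client ports and the uplink to the DHCP server."""
    sw = Switch()
    for p in ("1:1", "1:2", "1:24"):   # 1:24 is the DHCP server port
        sw.enable_dhcp_snooping(p)
    sw.enable_source_ip_lockdown("1:1")   # client ports only, per the text
    sw.enable_source_ip_lockdown("1:2")
    sw.learn_lease("1:1", "00:11:22:33:44:55", "192.0.2.10")
    return {
        "leased_ip_on_1:1": sw.decide("1:1", "192.0.2.10"),
        "unlearned_ip_on_1:1": sw.decide("1:1", "192.0.2.99"),
        "no_lease_yet_on_1:2": sw.decide("1:2", "192.0.2.20"),
        "server_port_1:24": sw.decide("1:24", "192.0.2.1"),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The model makes the operational point concrete: a client port with lockdown but no learned lease yet drops all traffic, which is why snooping has to be enabled first and why lockdown belongs on client ports rather than the server port, whose traffic is never matched against a lease.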