Another type of IP security prevents IP address spoofing by automatically placing source IP address filters on specified ports. This feature, called source IP lockdown, allows only traffic from a valid DHCP-assigned address obtained by a DHCP snooping-enabled port to enter the network. In this way, the network is protected from attacks that use random source addresses for their traffic. With source IP lockdown enabled, end systems that have a DHCP address assigned by a trusted DHCP server can access the network, but traffic from others, including those with static IP addresses, is dropped at the switch.
Source IP lockdown is linked to the “DHCP snooping” feature. The same DHCP bindings database created when you enable DHCP snooping is also used by source IP lockdown to create ACLs that permit traffic from DHCP clients. All other traffic is dropped. In addition, the DHCP snooping violation action setting determines what action(s) the switch takes when a rogue DHCP server packet is seen on an untrusted port.
When source IP lockdown is enabled on a port, a default ACL is created to deny all IP traffic on that port. Then an ACL is created to permit DHCP traffic on specified ports. Each time source IP lockdown is enabled on another port, the switch creates ACLs to allow DHCP packets and to deny all IP traffic for that particular port.
Source IP lockdown is enabled on a per-port basis; it is not available at the VLAN level. If source IP lockdown is enabled on a port, the feature is active on the port for all VLANs to which the port belongs.
NoteThe source IP lockdown feature works only when hosts are assigned IP address using DHCP; source IP lockdown does not function for statically configured IP addresses.
NoteSource IP lockdown cannot be enabled on Load sharing ports.
The source IP lockdown ACLs listed in table are applied per port (in order of precedence from highest to lowest).
|ACL Name||Match Condition||Action||When Applied||Comments|
|esSrcIpLockdown_<portIfIndex>_<source IP in hex>||Source IP||Permit||Runtime||Multiple ACLs of this type can be applied, one for each permitted client.|
|esSrcIpLockdown_<portIfIndex>_1||Proto UDP, Dest Port 67||Permit||Configuration time|
|esSrcIpLockdown_<portIfIndex>_2||Proto UDP, Dest Port 68||Permit||Configuration time|
|esSrcIpLockdown_<portIfIndex>_3||Ethertype ARP||Permit||Configuration time|
|esSrcIpLockdown_<portIfIndex>_4||All||Deny + count||Configuration time|
The counter has the same name as that of the rule of the catch-all ACL, so the counter is also named esSrcIpLockdown_<portIfIndex>_4.