enable ip-security source-ip-lockdown ports

enable ip-security source-ip-lockdown ports [all | ports]

Description

Enables the source IP lockdown feature on one or more ports.

Syntax Description

all Specifies all ports for which source IP lockdown should be enabled.
ports Specifies one or more ports for which source IP lockdown should be enabled.

Default

By default, source IP lockdown is disabled on the switch.

Usage Guidelines

Note

Source-IP lockdown cannot be enabled on load sharing ports.

Source IP lockdown prevents IP address spoofing by automatically placing source IP address filters on specified ports. If configured, source IP lockdown allows only traffic from a valid DHCP-assigned address obtained by a DHCP snooping-enabled port or an authenticated static IP address to enter the network.

To configure source IP lockdown, you must enable DHCP snooping on the ports connected to the DHCP server and to the DHCP clients before you enable source IP lockdown. Enable source IP lockdown only on the ports connected to the DHCP clients, not on the ports connected to the DHCP server. The DHCP bindings database created when you enable DHCP snooping is also used by the source IP lockdown feature to create ACLs that permit traffic from DHCP clients; all other traffic on those ports is dropped. In addition, the DHCP snooping violation action setting determines what action(s) the switch takes when a rogue DHCP server packet is seen on an untrusted port.

To enable DHCP snooping, use the following command:

enable ip-security dhcp-snooping {vlan} vlan_name ports [all | ports] violation-action [drop-packet {[block-mac | block-port] [duration duration_in_seconds | permanently]} | none] {snmp-trap}

Displaying Source IP Lockdown Information

To display the source IP lockdown configuration on the switch, use the following command:

show ip-security source-ip-lockdown
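The following configuration sequence is an added example and is not part of the ExtremeXOS reference page. It walks the procedure above end to end: DHCP snooping first on both the server-facing and client-facing ports, then source IP lockdown on the client-facing ports only, then the show commands to verify. The VLAN name "clients", the client ports 1:1 and 1:4, the server port 1:24, and the 300-second block duration are assumed values; the trusted-ports command is a standard ExtremeXOS command that this page does not list.

```text
# Added example (not from the reference page). Assumed topology:
#   VLAN "clients"; DHCP server on port 1:24; DHCP clients on ports 1:1 and 1:4.

# 1. Enable DHCP snooping on the server-facing AND client-facing ports.
#    A rogue DHCP server packet on an untrusted port is dropped, the port is
#    blocked for 300 seconds, and an SNMP trap is raised.
enable ip-security dhcp-snooping vlan clients ports 1:1, 1:4, 1:24 violation-action drop-packet block-port duration 300 snmp-trap

# 2. Mark the server-facing port as trusted for DHCP server traffic so its
#    offers are not counted as violations (command not shown on this page).
configure trusted-ports 1:24 trust-for dhcp-server

# 3. Enable source IP lockdown on the client-facing ports only, never on 1:24.
#    Filters are derived from the DHCP snooping bindings; other source IPs are dropped.
enable ip-security source-ip-lockdown ports 1:1, 1:4

# 4. Verify: the binding entries that feed the lockdown filters, then the lockdown state.
show ip-security dhcp-snooping entries vlan clients
show ip-security source-ip-lockdown
```

Apply step 1 before step 3: source IP lockdown has nothing to permit until a DHCP snooping binding exists for a client, so enabling it first drops all client traffic until a lease is observed.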

Example

The following command enables source IP lockdown on ports 1:1 and 1:4:

enable ip-security source-ip-lockdown ports 1:1, 1:4

History

This command was first available in ExtremeXOS 11.6.

Platform Availability

This command is available on ExtremeSwitching X435, X440-G2, X450-G2, X460-G2, X465, X590, X620, X670-G2, X690, X695, X870, 5320, 5420, and 5520 series switches.