Enables the source IP lockdown feature on one or more ports.
all | Specifies all ports for which source IP lockdown should be enabled. |
ports | Specifies one or more ports for which source IP lockdown should be enabled. |
By default, source IP lockdown is disabled on the switch.
Note
Source-IP lockdown cannot be enabled on load sharing ports.Source IP lockdown prevents IP address spoofing by automatically placing source IP address filters on specified ports. If configured, source IP lockdown allows only traffic from a valid DHCP-assigned address obtained by a DHCP snooping-enabled port or an authenticated static IP address to enter the network.
To configure source IP lockdown, you must enable DHCP snooping on the ports connected to the DHCP server and DHCP client before you enable source IP lockdown. You must enable source IP lockdown on the ports connected to the DHCP client, not on the ports connected to the DHCP server. The same DHCP bindings database created when you enable DHCP snooping is also used by the source IP lockdown feature to create ACLs that permit traffic from DHCP clients. All other traffic is dropped. In addition, the DHCP snooping violation action setting determines what action(s) the switch takes when a rouge DHCP server packet is seen on an untrusted port.
To enable DHCP snooping, use the following command:
enable ip-security dhcp-snooping {vlan} vlan_name ports [all | ports] violation-action [drop-packet {[block-mac | block-port] [duration duration_in_seconds | permanently] | none]}] {snmp-trap}To display the source IP lockdown configuration on the switch, use the following command:
show ip-security source-ip-lockdownThe following command enables source IP lockdown on ports 1:1 and 1:4:
enable ip-security source-ip-lockdown ports 1:1, 1:4
This command was first available in ExtremeXOS 11.6.
This command is available on ExtremeSwitching 5320, 5420, 5520, and 5720 series switches.