Operational notes
Dynamic IP lockdown is enabled at the port configuration level and applies to all bridged or routed IP packets entering the switch. The only IP packets that are exempt from dynamic IP lockdown are broadcast DHCP request packets, which are handled by DHCP snooping.
- DHCP snooping is a prerequisite for Dynamic IP Lockdown operation. The following restrictions apply:
DHCP snooping is required for dynamic IP lockdown to operate. To enable DHCP snooping, enter the
dhcp-snooping
command at the global configuration level.Dynamic IP lockdown only filters packets in VLANs that are enabled for DHCP snooping. In order for Dynamic IP lockdown to work on a port, the port must be configured for at least one VLAN that is enabled for DHCP snooping.To enable DHCP snooping on a VLAN, enter the
dhcp-snooping vlan [vlan-id-range]
command at the global configuration level or thedhcp-snooping
command at the VLAN configuration level.Dynamic IP lockdown is not supported on a trusted port. (However, note that the DHCP server must be connected to a trusted port when DHCP snooping is enabled.)By default, all ports are untrusted. To remove the trusted configuration from a port, enter the
no dhcp-snooping trust <port-list>
orno dhcp6-snooping trust <port-list>
command at the global configuration level.
- After you enter the
ip source-lockdown
command (enabled globally with the desired ports entered in <port-list> the dynamic IP lockdown feature remains disabled on a port if any of the following conditions exist:If DHCP snooping has not been globally enabled on the switch.
If the port is not a member of at least one VLAN that is enabled for DHCP snooping.
If the port is configured as a trusted port for DHCP snooping.
Enable DHCP snooping on the switch.
Configure the port as a member of a VLAN that has DHCP snooping enabled.
Remove the trusted-port configuration.
You can configure dynamic IP lockdown only from the CLI; this feature cannot be configured from the WebAgent or menu interface.
If you enable dynamic IP lockdown on a port, you cannot add the port to a trunk.
Dynamic IP lockdown must be removed from a trunk before the trunk is removed.