Filtering IP and MAC addresses per-port and per-VLAN
Internal dynamic IP lockdown bindings dynamically applied on a per-port basis from information in the DHCP snooping lease database and statically configured IP-to-MAC address bindings.
Packet filtering using source IP address, source MAC address, and source VLAN as criteria.
IP Address | MAC Address | VLAN ID |
---|---|---|
10.0.8.5 | 001122-334455 | 2 |
10.0.8.7 | 001122-334477 | 2 |
10.0.10.3 | 001122-334433 | 5 |
The following example shows an IP-to-MAC address and VLAN binding that has been statically configured in the lease database on port 5.
IP Address | MAC Address | VLAN ID |
---|---|---|
10.0.10.1 | 001122-110011 | 5 |
Assuming that DHCP snooping is enabled and that port 5 is untrusted, dynamic IP lockdown applies the following dynamic VLAN filtering on port 5:
Internal statements used by dynamic IP lockdown
```
permit 10.0.8.5 001122-334455 vlan 2
permit 10.0.8.7 001122-334477 vlan 2
permit 10.0.10.3 001122-334433 vlan 5
permit 10.0.10.1 001122-110011 vlan 5
deny any vlan 1-10
permit any
```
The `deny any` statement is applied only to VLANs for which DHCP snooping is enabled. The `permit any` statement is applied only to all other VLANs.
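The effect of the statements above on individual packets, as an added example that is not part of the original documentation and is not the switch's own implementation. The statement text is copied from the page; the parser, the `evaluate` helper and the packets in the demo are constructed, and top-down first-match evaluation is an assumption.

```python
# Added example: the statement text is from the page; parser and packets are constructed.
# Assumption: statements are evaluated top-down and the first match decides.
RULES = """\
permit 10.0.8.5 001122-334455 vlan 2
permit 10.0.8.7 001122-334477 vlan 2
permit 10.0.10.3 001122-334433 vlan 5
permit 10.0.10.1 001122-110011 vlan 5
deny any vlan 1-10
permit any
"""

def parse_rules(text):
    """Turn each statement into (action, ip, mac, vlan_range); None means 'any'."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        action, rest = tok[0], tok[1:]
        ip = mac = vlans = None
        if rest[0] != "any":
            ip, mac = rest[0], rest[1].lower()
        if "vlan" in rest:
            lo, _, hi = rest[rest.index("vlan") + 1].partition("-")
            vlans = range(int(lo), int(hi or lo) + 1)
        rules.append((action, ip, mac, vlans))
    return rules

def evaluate(rules, src_ip, src_mac, vlan):
    """Return the action of the first statement matching source IP, MAC and VLAN."""
    for action, ip, mac, vlans in rules:
        if ip is not None and (ip, mac) != (src_ip, src_mac.lower()):
            continue  # binding statement for a different IP/MAC pair
        if vlans is not None and vlan not in vlans:
            continue  # statement does not cover this VLAN
        return action
    return "deny"  # assumption: fail closed if no statement matches

if __name__ == "__main__":
    rules = parse_rules(RULES)
    packets = [  # constructed test packets: (source IP, source MAC, VLAN)
        ("10.0.8.5", "001122-334455", 2),    # exact binding
        ("10.0.8.5", "001122-334477", 2),    # bound IP, another host's MAC
        ("10.0.8.5", "001122-334455", 5),    # valid pair on the wrong VLAN
        ("192.0.2.9", "001122-999999", 20),  # VLAN outside 1-10
    ]
    for pkt in packets:
        print(pkt, "->", evaluate(rules, *pkt))
```

The last packet is permitted even though it matches no binding, because VLAN 20 falls outside the range covered by `deny any` and only `permit any` applies to it.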