Configuring Advanced Threat Protection
Dynamic IP Lockdown
Adding an IP-to-MAC Binding to the DHCP Binding Database
A switch maintains a DHCP binding database, which is used for dynamic IP
lockdown as well as for DHCP and ARP packet validation. The DHCP snooping
feature maintains the lease database by learning the IP-to-MAC bindings of
VLAN traffic on untrusted ports. Each binding consists of the client MAC
address, port number, VLAN identifier, leased IP address, and lease time.
Dynamic IP lockdown supports a total of 4K static and dynamic bindings with
up to 64 bindings per port. When DHCP snooping is enabled globally on a
VLAN, dynamic bindings are learned when a client on the VLAN obtains an IP
address from a DHCP server. Static bindings are created manually with the
CLI or from a downloaded configuration file.
When dynamic IP lockdown is enabled globally or on ports, the bindings
associated with the ports are written to hardware. This occurs during these
events:
■ Switch initialization
■ Hot swap
■ A dynamic IP lockdown-enabled port is moved to a DHCP snooping-enabled VLAN
■ DHCP snooping or dynamic IP lockdown characteristics are changed
such that dynamic IP lockdown is enabled on the ports
Potential Issues with Bindings
■ When dynamic IP lockdown is enabled, and a port or switch has the
maximum number of bindings configured, the client DHCP request
will be dropped and the client will not receive an IP address through
DHCP.
■ When dynamic IP lockdown is enabled and a port is configured with
the maximum number of bindings, adding a static binding to the port
will fail.
■ When dynamic IP lockdown is enabled globally, the bindings for each
port are written to hardware. If global dynamic IP lockdown is
enabled and disabled several times, it is possible to run out of buffer
space for additional bindings. The software will delay adding the
bindings to hardware until resources are available.
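The following Python model is an added example, not code from the guide or from the switch software. It reproduces the binding limits described above so the two failure cases (dropped DHCP request, failed static add) can be seen and ports close to the limit can be audited. The class and function names, the reading of "4K" as 4096, the simplified source check in permits(), and all sample addresses are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

MAX_TOTAL = 4096     # "4K" in the text, read here as 4096 (assumption)
MAX_PER_PORT = 64    # per-port limit stated in the text

@dataclass(frozen=True)
class Binding:
    mac: str
    port: str
    vlan: int
    ip: str
    lease_secs: Optional[int]   # None marks a static binding

class BindingTable:
    def __init__(self):
        self.by_key = {}     # (port, vlan, ip) -> Binding
        self.per_port = {}   # port -> number of bindings

    def add(self, b):
        """Store a binding. False means no room: a dynamic binding's DHCP
        request would be dropped, a static binding's add would fail."""
        key = (b.port, b.vlan, b.ip)
        if key not in self.by_key:
            if (len(self.by_key) >= MAX_TOTAL
                    or self.per_port.get(b.port, 0) >= MAX_PER_PORT):
                return False
            self.per_port[b.port] = self.per_port.get(b.port, 0) + 1
        self.by_key[key] = b
        return True

    def permits(self, port, vlan, src_ip, src_mac):
        """Simplified lockdown check: source IP and MAC must match a binding."""
        b = self.by_key.get((port, vlan, src_ip))
        return b is not None and b.mac.lower() == src_mac.lower()

    def ports_near_limit(self, headroom=4):
        """Ports with fewer than `headroom` free slots, for capacity audits."""
        return sorted(p for p, n in self.per_port.items()
                      if MAX_PER_PORT - n < headroom)

if __name__ == "__main__":
    table = BindingTable()
    # Constructed sample: 64 DHCP clients learned on port "5", VLAN 10.
    for i in range(MAX_PER_PORT):
        table.add(Binding(f"00:11:22:33:44:{i:02x}", "5", 10, f"10.0.10.{i + 1}", 86400))
    late = Binding("00:11:22:33:44:ff", "5", 10, "10.0.10.200", 86400)
    print("65th client on port 5 learned:", table.add(late))
    print("spoofed source permitted:", table.permits("5", 10, "10.0.10.1", "de:ad:be:ef:00:01"))
    print("ports near limit:", table.ports_near_limit())
```

Running a check like ports_near_limit() against an exported binding list shows which ports are about to start dropping client DHCP requests.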
HP Networking E3800 Switches Access Security Guide, September 2011, KA 15 03