https://community.hpe.com/t5/switches-hubs-and-modems/dynamic-ip-lockdown/m-p/5240384#M29567 Yes, Dynamic IP Lockdown works exaclty how you described it and it is an addon to the arp protection feature. It checks each IPv4 packet received from a port (wirespeed!) so, if this feature is enabled on a port, then it is not possible to steal IP+MAC combination by using a computer connected to that port.<BR /><BR />There is no age-out mechanisms. It uses the same database like in the arp-protect feature. Entries can be collected automatically (dhcp snooping) or inserted manually:<BR /> ip source-binding <VLAN> <IP> <MAC> <PORT><BR /><BR />So, it is possible to use it also when it is not feasible to require a dhcp assigment (think of servers).</PORT></MAC></IP></VLAN> Tue, 18 May 2010 17:59:25 GMT Krzysztof Oledzki 2010-05-18T17:59:25Z https://community.hpe.com/t5/switches-hubs-and-modems/dynamic-ip-lockdown/m-p/5240383#M29566 Hi all,<BR /><BR />The company I work for at the moment is considering LAN security.<BR />There are several options to choose from.<BR /><BR />One of the options I consider to implement is Dynamic IP lockdown (besides DHCP snooping protection and ARP protection).<BR /><BR />Am I right that dynamic IP lockdown:<BR />1. Locks an IP and MAC address combination to a port<BR />2. Prevents "using" a e.g workstations IP and MAc-address combination even when a ws is turned off.<BR /><BR />Another question I have:<BR />3. What age-out mechanism is used (mac-age-out?)<BR /><BR />TIA<BR /><BR />Jaap Tue, 18 May 2010 14:21:40 GMT https://community.hpe.com/t5/switches-hubs-and-modems/dynamic-ip-lockdown/m-p/5240383#M29566 Jaap Laaij 2010-05-18T14:21:40Z https://community.hpe.com/t5/switches-hubs-and-modems/dynamic-ip-lockdown/m-p/5240384#M29567 Yes, Dynamic IP Lockdown works exaclty how you described it and it is an addon to the arp protection feature. It checks each IPv4 packet received from a port (wirespeed!) so, if this feature is enabled on a port, then it is not possible to steal IP+MAC combination by using a computer connected to that port.<BR /><BR />There is no age-out mechanisms. It uses the same database like in the arp-protect feature. Entries can be collected automatically (dhcp snooping) or inserted manually:<BR /> ip source-binding <VLAN> <IP> <MAC> <PORT><BR /><BR />So, it is possible to use it also when it is not feasible to require a dhcp assigment (think of servers).</PORT></MAC></IP></VLAN> Tue, 18 May 2010 17:59:25 GMT https://community.hpe.com/t5/switches-hubs-and-modems/dynamic-ip-lockdown/m-p/5240384#M29567 Krzysztof Oledzki 2010-05-18T17:59:25Z https://community.hpe.com/t5/switches-hubs-and-modems/dynamic-ip-lockdown/m-p/5240385#M29568 Hi Krzysztof,<BR /><BR />Thanks for your answer.<BR />This will help me convince my manager :).<BR /><BR />Greetz Jaap<BR />(A late response because of the "black-out") Tue, 25 May 2010 10:18:23 GMT https://community.hpe.com/t5/switches-hubs-and-modems/dynamic-ip-lockdown/m-p/5240385#M29568 Jaap Laaij 2010-05-25T10:18:23Z