Dynamic IP Lockdown

Jaap Laaij
Frequent Advisor

Dynamic IP Lockdown

Hi all,

The company I work for at the moment is considering LAN security.
There are several options to choose from.

One of the options I am considering implementing is Dynamic IP Lockdown (besides DHCP snooping protection and ARP protection).

Am I right that dynamic IP lockdown:
1. Locks an IP and MAC address combination to a port
2. Prevents "using" e.g. a workstation's IP and MAC address combination even when a ws is turned off.

Another question I have:
3. What age-out mechanism is used (mac-age-out?)



Re: Dynamic IP Lockdown

Yes, Dynamic IP Lockdown works exactly how you described it and it is an add-on to the arp protection feature. It checks each IPv4 packet received from a port (wirespeed!) so, if this feature is enabled on a port, then it is not possible to steal an IP+MAC combination by using a computer connected to that port.

There is no age-out mechanism. It uses the same database as the arp-protect feature. Entries can be collected automatically (dhcp snooping) or inserted manually:
ip source-binding

So, it is possible to use it also when it is not feasible to require a dhcp assignment (think of servers).
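
The check described in this answer, as an added example that is not part of the original thread and is not the switch vendor's code: a simplified Python model of a per-port binding lookup with entries from DHCP snooping and from manual insertion. The class and method names, port labels, MAC addresses and IP addresses are all constructed for illustration.

```python
# Simplified model of a per-port source-binding check (illustration only,
# not switch firmware). All names and sample values are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:
    port: str
    vlan: int
    mac: str
    ip: str

class LockdownTable:
    def __init__(self, locked_ports):
        self.locked_ports = set(locked_ports)   # ports with lockdown enabled
        self.bindings = {}                      # Binding -> "dhcp-snooping" | "static"

    def learn_from_dhcp(self, port, vlan, mac, ip):
        """Entry collected automatically, as DHCP snooping would."""
        self.bindings[Binding(port, vlan, mac.lower(), ip)] = "dhcp-snooping"

    def add_static(self, port, vlan, mac, ip):
        """Entry inserted manually (the role `ip source-binding` plays)."""
        self.bindings[Binding(port, vlan, mac.lower(), ip)] = "static"

    def permit(self, port, vlan, src_mac, src_ip):
        """Decide whether an IPv4 packet received on `port` is forwarded."""
        if port not in self.locked_ports:
            return True                         # feature not enabled on this port
        return Binding(port, vlan, src_mac.lower(), src_ip) in self.bindings

def demo():
    t = LockdownTable(locked_ports={"A1", "A2", "A3"})
    t.learn_from_dhcp("A1", 10, "00:11:22:AA:BB:01", "192.0.2.10")  # workstation
    t.add_static("A3", 10, "00:11:22:AA:BB:99", "192.0.2.5")        # server, no DHCP
    return {
        "workstation_on_own_port": t.permit("A1", 10, "00:11:22:aa:bb:01", "192.0.2.10"),
        # Workstation is powered off; another host on A2 clones its IP and MAC.
        "clone_on_other_port": t.permit("A2", 10, "00:11:22:aa:bb:01", "192.0.2.10"),
        # Host on A1 keeps its MAC but claims the server's IP.
        "wrong_ip_same_port": t.permit("A1", 10, "00:11:22:aa:bb:01", "192.0.2.5"),
        "static_server": t.permit("A3", 10, "00:11:22:aa:bb:99", "192.0.2.5"),
        # Port B1 has no lockdown, so nothing is checked there.
        "unlocked_port": t.permit("B1", 10, "de:ad:be:ef:00:01", "192.0.2.10"),
    }

if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:26} {'forward' if allowed else 'drop'}")
```

The last case shows why the feature has to be enabled on every access port: a port without it performs no lookup at all.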
Jaap Laaij
Frequent Advisor

Re: Dynamic IP Lockdown

Hi Krzysztof,

Thanks for your answer.
This will help me convince my manager :).

Greetz Jaap
(A late response because of the "black-out")