Dynamic IP Lockdown

Jaap Laaij
Frequent Advisor

Dynamic IP Lockdown

Hi all,

The company I work for at the moment is considering LAN security.
There are several options to choose from.

One of the options I am considering implementing is Dynamic IP Lockdown (besides DHCP snooping protection and ARP protection).

Am I right that dynamic IP lockdown:
1. Locks an IP and MAC address combination to a port
2. Prevents "using" e.g. a workstation's IP and MAC address combination even when the ws is turned off.

Another question I have:
3. What age-out mechanism is used (mac-age-out?)



Re: Dynamic IP Lockdown

Yes, Dynamic IP Lockdown works exactly how you described it, and it is an add-on to the ARP protection feature. It checks each IPv4 packet received from a port (wirespeed!) so, if this feature is enabled on a port, then it is not possible to steal an IP+MAC combination by using a computer connected to that port.

There is no age-out mechanism. It uses the same database as the arp-protect feature. Entries can be collected automatically (DHCP snooping) or inserted manually:
ip source-binding

So, it is possible to use it also when it is not feasible to require a DHCP assignment (think of servers).
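
The source check described in the reply above, as an added Python model (not switch firmware and not code from the thread). The class and method names, port numbers and addresses are constructed for illustration, and bindings stay in the table until removed, following the reply's description.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:
    vlan: int
    ip: str
    mac: str
    port: str
    source: str  # "dhcp-snooping" (learned) or "static" (entered by hand)

class LockdownModel:
    """Toy model: each IPv4 packet on a protected port must match a binding."""
    def __init__(self, protected_ports):
        self.protected = set(protected_ports)
        self.bindings = {}  # (vlan, ip) -> Binding, shared with ARP protection

    def add(self, vlan, ip, mac, port, source):
        self.bindings[(vlan, ip)] = Binding(vlan, ip, mac.lower(), port, source)

    def check(self, port, vlan, src_ip, src_mac):
        """Return (forward, reason) for one received packet."""
        if port not in self.protected:
            return True, "port not protected"
        b = self.bindings.get((vlan, src_ip))
        if b is None:
            return False, "no binding for source IP"
        if b.mac != src_mac.lower():
            return False, "MAC does not match binding"
        if b.port != port:
            return False, "binding belongs to another port"
        return True, "matches binding"

def demo_model():
    # Constructed sample data: a DHCP workstation on port 5, a server on port 21.
    m = LockdownModel(protected_ports=["5", "7", "21"])
    m.add(10, "10.0.10.21", "00:11:22:33:44:55", "5", "dhcp-snooping")
    m.add(10, "10.0.10.5", "00:AA:BB:CC:DD:EE", "21", "static")  # no DHCP lease
    return m

if __name__ == "__main__":
    m = demo_model()
    packets = [  # (port, vlan, source IP, source MAC), all constructed
        ("5", 10, "10.0.10.21", "00:11:22:33:44:55"),   # the workstation itself
        ("7", 10, "10.0.10.21", "00:11:22:33:44:55"),   # same pair, other port
        ("7", 10, "10.0.10.99", "00:11:22:33:44:66"),   # address never bound
        ("21", 10, "10.0.10.5", "00:aa:bb:cc:dd:ee"),   # statically bound server
    ]
    for p in packets:
        print(p, "->", m.check(*p))
```

The second packet is dropped whether or not the workstation on port 5 is powered on, because the decision depends only on the binding table and the ingress port.
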
Jaap Laaij
Frequent Advisor

Re: Dynamic IP Lockdown

Hi Krzysztof,

Thanks for your answer.
This will help me convince my manager :).

Greetz Jaap
(A late response because of the "black-out")