8-27
Configuring Advanced Threat Protection
Dynamic IP Lockdown
• Dynamic IP lockdown only filters packets in VLANs that are enabled
for DHCP snooping. In order for Dynamic IP lockdown to work on a
port, the port must be configured for at least one VLAN that is enabled
for DHCP snooping.
To enable DHCP snooping on a VLAN, enter the dhcp-snooping vlan
[vlan-id-range] command at the global configuration level or the
dhcp-snooping command at the VLAN configuration level.
• Dynamic IP lockdown is not supported on a trusted port. (However,
note that the DHCP server must be connected to a trusted port when
DHCP snooping is enabled.)
By default, all ports are untrusted. To remove the trusted configura-
tion from a port, enter the no dhcp-snooping trust < port-list> command
at the global configuration level.
For more information on how to configure and use DHCP snooping, see
“DHCP Snooping” on page 8-4.
■ After you enter the ip source-lockdown command (enabled globally with
the desired ports entered in <port-list>), the dynamic IP lockdown feature
remains disabled on a port if any of the following conditions exist:
• If DHCP snooping has not been globally enabled on the switch.
• If the port is not a member of at least one VLAN that is enabled for
DHCP snooping.
• If the port is configured as a trusted port for DHCP snooping.
Dynamic IP lockdown is activated on the port only after you make the
following configuration changes:
• Enable DHCP snooping on the switch.
• Configure the port as a member of a VLAN that has DHCP snooping
enabled.
• Remove the trusted-port configuration.
■ You can configure dynamic IP lockdown only from the CLI; this feature
cannot be configured from the web management or menu interface.
■ If you enable dynamic IP lockdown on a port, you cannot add the port to
a trunk.
■ Dynamic IP lockdown must be removed from a trunk before the trunk is
removed.
