IP source lockdown

IP source lockdown provides added security by preventing IP source address spoofing on a per-port basis. Every packet is inspected for this purpose in hardware. When IP source lockdown is enabled on an interface (port), IP traffic received on that port is forwarded only if its VLAN, IP address, MAC address, and interface (port) all match an entry in the IP binding database.
NOTE:

It is best to configure IP source lockdown during a switch maintenance period as enabling it may cause client traffic to be dropped for 10 to 15 seconds.

To use IPv4 source lockdown, the IPv4 binding database must be populated. The binding database is typically populated dynamically by DHCPv4 snooping, which learns and saves the binding information. Alternatively, the IPv4 binding database can be populated statically with the ipv4 source-binding command described in this chapter. In practice, DHCPv4 snooping populates most of the IP binding database dynamically, and the ipv4 source-binding command is used to add binding information for several known and trusted clients, typically administrators. For dynamic IP binding database population with DHCPv4 snooping, see DHCP snooping.

To use IPv6 source lockdown, the IPv6 binding database must be populated. The binding database is typically populated dynamically by DHCPv6 snooping, which learns and saves the binding information. Alternatively, the IPv6 binding database can be populated statically with the ipv6 source-binding command described in this chapter. In practice, DHCPv6 snooping populates most of the IPv6 binding database dynamically, and the ipv6 source-binding command is used to add binding information for several known and trusted clients, typically administrators. For dynamic IPv6 binding database population with DHCPv6 snooping, see DHCP snooping.
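The following Python model is an added illustration, not code from this chapter or from the switch, of how the per-port VLAN/IP/MAC/port check and the two ways of populating the binding database fit together. Port names, addresses, MAC addresses and the ageing of snooped entries with the DHCP lease are constructed assumptions; note in particular that a host with a hand-configured address is dropped on a locked port until an administrator adds a source-binding entry for it.

```python
from dataclasses import dataclass
# Constructed model of IP source lockdown, not the switch's own code.
@dataclass(frozen=True)
class Binding:
    vlan: int
    ip: str
    mac: str
    port: str

class SourceLockdown:
    def __init__(self):
        self.bindings = {}         # Binding -> expiry; None marks a static entry
        self.locked_ports = set()  # ports with IP source lockdown enabled

    def enable(self, port):
        self.locked_ports.add(port)

    def add_static(self, vlan, ip, mac, port):
        # ipv4/ipv6 source-binding: entry for a known, trusted client; never ages out
        self.bindings[Binding(vlan, ip, mac, port)] = None

    def snoop_dhcp_ack(self, vlan, port, client_mac, yiaddr, lease, now):
        # DHCP snooping learns the binding from the server's ACK; assumed to expire with the lease
        self.bindings[Binding(vlan, yiaddr, client_mac, port)] = now + lease

    def forward(self, vlan, src_ip, src_mac, port, now):
        if port not in self.locked_ports:
            return True  # lockdown is per-port; unlocked ports are not checked
        key = Binding(vlan, src_ip, src_mac, port)
        if key not in self.bindings:
            return False  # VLAN, IP, MAC and port must all match one entry
        expiry = self.bindings[key]
        return expiry is None or now < expiry

def demo():
    sw = SourceLockdown()
    for p in ("1/1/5", "1/1/6"):
        sw.enable(p)
    c1, admin = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"
    sw.add_static(10, "10.0.0.2", admin, "1/1/6")
    sw.snoop_dhcp_ack(10, "1/1/5", c1, "10.0.0.50", lease=3600, now=0)
    return {
        "dhcp_client_ok": sw.forward(10, "10.0.0.50", c1, "1/1/5", now=100),
        "spoofed_ip": sw.forward(10, "10.0.0.2", c1, "1/1/5", now=100),
        "spoofed_mac": sw.forward(10, "10.0.0.50", admin, "1/1/5", now=100),
        "unbound_static_host": sw.forward(10, "10.0.0.77", "aa:bb:cc:00:00:07", "1/1/5", now=100),
        "lease_expired": sw.forward(10, "10.0.0.50", c1, "1/1/5", now=4000),
        "static_admin_ok": sw.forward(10, "10.0.0.2", admin, "1/1/6", now=4000),
        "unlocked_port": sw.forward(10, "10.9.9.9", "aa:bb:cc:00:00:09", "1/1/7", now=100),
    }
```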

NOTE:

IP source lockdown should not be configured on ISL (inter-switch link) ports.