Dynamic IP lockdown

The Dynamic IP lockdown feature is used to prevent IP source address spoofing on a per-port and per-VLAN basis. When dynamic IP lockdown is enabled, IP packets in VLAN traffic received on a port are forwarded only if they contain a known source IP address and MAC address binding for the port. The IP-to-MAC address binding can either be statically configured or learned by the DHCP Snooping feature.

Protection against IP source address spoofing

Many network attacks occur when an attacker injects packets with forged IP source addresses into the network. Also, some network services use the IP source address as a component in their authentication schemes. For example, the BSD “r” protocols (rlogin, rcp, rsh) rely on the IP source address for packet authentication. SNMPv1 and SNMPv2c also frequently use authorized IP address lists to limit management access. An attacker that is able to send traffic that appears to originate from an authorized IP source address may gain access to network services for which he is not authorized.

Dynamic IP lockdown provides protection against IP source address spoofing by means of IP-level port security. IP packets received on a port enabled for dynamic IP lockdown are only forwarded if they contain a known IP source address and MAC address binding for the port.

Dynamic IP lockdown uses information collected in the DHCP Snooping lease database and through statically configured IP source bindings to create internal, per-port lists. The internal lists are dynamically created from known IP-to-MAC address bindings to filter VLAN traffic on both the source IP address and source MAC address.

Prerequisite: DHCP snooping

Dynamic IP lockdown requires that you enable DHCP snooping as a prerequisite for its operation on ports and VLAN traffic:

  • Dynamic IP lockdown only forwards traffic from clients whose leased IP addresses are already stored in the lease database created by DHCP snooping or added through a static configuration of an IP-to-MAC binding.

    Therefore, if you enable DHCP snooping after dynamic IP lockdown is enabled, clients with an existing DHCP-assigned address must either request a new leased IP address or renew their existing DHCP-assigned address. Otherwise, a client’s leased IP address is not contained in the DHCP binding database. As a result, dynamic IP lockdown will not allow inbound traffic from the client.

  • It is recommended that you enable DHCP snooping a week before you enable dynamic IP lockdown to allow the DHCP binding database to learn clients’ leased IP addresses. You must also ensure that the lease time for the information in the DHCP binding database lasts more than a week.

    Alternatively, you can configure a DHCP server to re-allocate IP addresses to DHCP clients. In this way, you repopulate the lease database with current IP-to-MAC bindings.

  • The DHCP binding database allows VLANs enabled for DHCP snooping to be known on ports configured for dynamic IP lockdown. As new IP-to-MAC address and VLAN bindings are learned, a corresponding permit rule is dynamically created and applied to the port (preceding the final deny any vlan <VLAN_IDs> rule). These VLAN_IDs correspond to the subset of configured and enabled VLANs for which DHCP snooping has been configured.

  • For dynamic IP lockdown to work, a port must be a member of at least one VLAN that has DHCP snooping enabled.

  • Disabling DHCP snooping on a VLAN causes Dynamic IP bindings on Dynamic IP Lockdown-enabled ports in this VLAN to be removed. The port reverts to switching traffic as usual.

Filtering IP and MAC addresses per-port and per-VLAN

This section contains an example that shows the following aspects of the Dynamic IP Lockdown feature:

  • Internal Dynamic IP lockdown bindings dynamically applied on a per-port basis from information in the DHCP Snooping lease database and statically configured IP-to-MAC address bindings

  • Packet filtering using source IP address, source MAC address, and source VLAN as criteria.

In this example, the following DHCP leases have been learned by DHCP snooping on port 5. VLANs 2 and 5 are enabled for DHCP snooping.

Sample DHCP snooping entries

IP Address    MAC Address     VLAN ID
10.0.8.5      001122-334455   2
10.0.8.7      001122-334477   2
10.0.10.3     001122-334433   5

The following example shows an IP-to-MAC address and VLAN binding that have been statically configured in the lease database on port 5.

IP Address    MAC Address     VLAN ID
10.0.10.1     001122-110011   5

Assuming that DHCP snooping is enabled and that port 5 is untrusted, dynamic IP lockdown applies the following dynamic VLAN filtering on port 5:

Internal statements used by dynamic IP lockdown

permit 10.0.8.5 001122-334455 vlan 2
permit 10.0.8.7 001122-334477 vlan 2
permit 10.0.10.3 001122-334433 vlan 5
permit 10.0.10.1 001122-110011 vlan 5
deny any vlan 1-10
permit any


NOTE: The deny any statement is applied only to VLANs for which DHCP snooping is enabled. The permit any statement is applied to all other VLANs.
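As an added illustration that is not part of the HP manual, the following Python models the per-port filter dynamic IP lockdown derives from the bindings in this example, together with the port operational-state conditions described in the operational notes later in this section. The function names and the packet tuples are constructed for this example; the deny rule is scoped to the DHCP-snooping VLANs as the note above states.

```python
# Bindings from the tables above, all learned or configured on port 5: (ip, mac, vlan)
DHCP_SNOOPED = [("10.0.8.5", "001122-334455", 2),
                ("10.0.8.7", "001122-334477", 2),
                ("10.0.10.3", "001122-334433", 5)]
STATIC = [("10.0.10.1", "001122-110011", 5)]
SNOOPING_VLANS = {2, 5}  # VLANs on which DHCP snooping is enabled


def port_state(global_snooping: bool, port_vlans: set, trusted: bool) -> str:
    """Operational state of a lockdown-enabled port, per the operational
    notes: anything other than "Active" means the port is not filtered."""
    if not global_snooping:
        return "Disabled"
    if trusted:
        return "Trusted port"
    if not port_vlans & SNOOPING_VLANS:
        return "Not in DHCP Snooping vlan"
    return "Active"


def build_rules(bindings):
    """Internal statements for one port, in evaluation order: a permit per
    known binding, deny any for DHCP-snooping VLANs, permit any elsewhere."""
    rules = [("permit", ip, mac.lower(), {vlan}) for ip, mac, vlan in bindings]
    rules.append(("deny", None, None, set(SNOOPING_VLANS)))
    rules.append(("permit", None, None, None))  # None matches any other VLAN
    return rules


def filter_packet(rules, src_ip, src_mac, vlan, dhcp_broadcast=False):
    """Return "permit" or "deny" for a packet received on the port. Broadcast
    DHCP requests are exempt; DHCP snooping handles them instead."""
    if dhcp_broadcast:
        return "permit"
    for action, ip, mac, vlans in rules:
        if ip is not None and (ip != src_ip or mac != src_mac.lower()):
            continue  # binding-specific rule, source does not match
        if vlans is not None and vlan not in vlans:
            continue  # rule is scoped to other VLANs
        return action
    return "deny"  # not reached with a complete rule list


PORT5_RULES = build_rules(DHCP_SNOOPED + STATIC)

if __name__ == "__main__":
    print("port 5:", port_state(True, {1, 2, 5}, trusted=False))
    for pkt in [("10.0.8.5", "001122-334455", 2),   # known binding
                ("10.0.8.5", "001122-334455", 5),   # right host, wrong VLAN
                ("10.0.8.5", "aabbcc-ddeeff", 2),   # known IP, unknown MAC
                ("10.0.9.9", "001122-334455", 7)]:  # VLAN without snooping
        print(pkt, "->", filter_packet(PORT5_RULES, *pkt))
```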


Enabling Dynamic IP Lockdown

IPv4

To enable dynamic IP lockdown on all ports or specified ports, enter this command at the global configuration level.

Syntax

[no] ip source-lockdown <port-list>

port-list

Specifies one or more ports on which to enable IP source lockdown.

Use the no form of the command to disable dynamic IP lockdown.

IPv6

Enabling dynamic IPv6 source lockdown

To enable dynamic IPv6 lockdown on all ports or specified ports, enter this command at the global configuration level.

Syntax

[no] ipv6 source-lockdown <port-list>

port-list

Specifies one or more ports on which to enable IP source lockdown.

Use the no form of the command to disable dynamic IP lockdown.

Enabling traps for dynamic IPv6 source lockdown

Use this command to configure traps for IPv6 source lockdown.

Syntax

[no] snmp-server enable traps dyn-ipv6-lockdown [[out-of-resources] | [violations]]

out-of-resources

Sends a trap message when resources are unavailable for configuring dynamic IPv6 source lockdown.

violations

Sends a trap message when a source lockdown violation occurs.

Enabling debug logging for dynamic IPv6 source lockdown

Syntax

[no] debug dynamic-ipv6-lockdown [config|event|packet]

config

Displays dynamic lockdown configuration messages.

event

Displays dynamic lockdown event messages.

packet

Displays dynamic lockdown packet messages.

Operational notes

  • Dynamic IP lockdown is enabled at the port configuration level and applies to all bridged or routed IP packets entering the switch. The only IP packets that are exempt from dynamic IP lockdown are broadcast DHCP request packets, which are handled by DHCP snooping.

  • DHCP snooping is a prerequisite for Dynamic IP Lockdown operation. The following restrictions apply:

    • DHCP snooping is required for dynamic IP lockdown to operate. To enable DHCP snooping, enter the dhcp-snooping command at the global configuration level.

    • Dynamic IP lockdown only filters packets in VLANs that are enabled for DHCP snooping. In order for Dynamic IP lockdown to work on a port, the port must be configured for at least one VLAN that is enabled for DHCP snooping.

      To enable DHCP snooping on a VLAN, enter the dhcp-snooping vlan [vlan-id-range] command at the global configuration level or the dhcp-snooping command at the VLAN configuration level.

    • Dynamic IP lockdown is not supported on a trusted port. (However, note that the DHCP server must be connected to a trusted port when DHCP snooping is enabled.)

      By default, all ports are untrusted. To remove the trusted configuration from a port, enter the no dhcp-snooping trust <port-list> or no dhcp6-snooping trust <port-list> command at the global configuration level.

  • After you enter the ip source-lockdown command (enabled globally, with the desired ports entered in <port-list>), the dynamic IP lockdown feature remains disabled on a port if any of the following conditions exist:

    • If DHCP snooping has not been globally enabled on the switch.

    • If the port is not a member of at least one VLAN that is enabled for DHCP snooping.

    • If the port is configured as a trusted port for DHCP snooping.

    Dynamic IP lockdown is activated on the port only after you make the following configuration changes:

    • Enable DHCP snooping on the switch.

    • Configure the port as a member of a VLAN that has DHCP snooping enabled.

    • Remove the trusted-port configuration.

  • You can configure dynamic IP lockdown only from the CLI; this feature cannot be configured from the WebAgent or menu interface.

  • If you enable dynamic IP lockdown on a port, you cannot add the port to a trunk.

  • Dynamic IP lockdown must be removed from a trunk before the trunk is removed.

Adding an IP-to-MAC binding to the DHCP binding database

A switch maintains a DHCP binding database, which is used for dynamic IP lockdown as well as for DHCP and ARP packet validation. The DHCP snooping feature maintains the lease database by learning the IP-to-MAC bindings of VLAN traffic on untrusted ports. Each binding consists of the client MAC address, port number, VLAN identifier, leased IP address, and lease time.

Dynamic IP lockdown supports a total of 4K static and dynamic bindings with up to 64 bindings per port. When DHCP snooping is enabled globally on a VLAN, dynamic bindings are learned when a client on the VLAN obtains an IP address from a DHCP server. Static bindings are created manually with the CLI or from a downloaded configuration file.

When dynamic IP lockdown is enabled globally or on ports, the bindings associated with the ports are written to hardware. This occurs during these events:

  • Switch initialization

  • Hot swap

  • A dynamic IP lockdown-enabled port is moved to a DHCP snooping enabled VLAN

  • DHCP snooping or dynamic IP lockdown characteristics are changed such that dynamic IP lockdown is enabled on the ports.

Potential issues with bindings

  • When dynamic IP lockdown is enabled, and a port or switch has the maximum number of bindings configured, the client's DHCP request is dropped and the client does not receive an IP address through DHCP.

  • When dynamic IP lockdown is enabled and a port is configured with the maximum number of bindings, adding a static binding to the port will fail.

  • When dynamic IP lockdown is enabled globally, the bindings for each port are written to hardware. If global dynamic IP lockdown is enabled and disabled several times, it is possible to run out of buffer space for additional bindings. The software will delay adding the bindings to hardware until resources are available.

Adding a static binding

To add the static configuration of an IP-to-MAC binding for a port to the database, enter the ip source-binding command at the global configuration level. Use the no form of the command to remove the IP-to-MAC binding from the database.

For IPv4

Syntax

[no] ip source-binding <mac-address> vlan <vlan-id> <ip-address> interface <port-number>

mac-address

Specifies a MAC address to bind with a VLAN and IP address on the specified port in the DHCP binding database.

vlan-id

Specifies a VLAN ID number to bind with the specified MAC and IP addresses on the specified port in the DHCP binding database.

ip-address

Specifies an IP address to bind with a VLAN and MAC address on the specified port in the DHCP binding database.

<port-number>

Specifies the port number on which the IP-to-MAC address and VLAN binding is configured in the DHCP binding database.

An example of the ip source-binding command is shown here:

HP Switch(config)# ip source-binding 0030c1-7f49c0 vlan 100 10.10.20.1 interface A4


NOTE: The ip source-binding command is the same command used by the Dynamic IP Lockdown feature to configure static bindings. The Dynamic ARP Protection and Dynamic IP Lockdown features share a common list of source IP-to-MAC bindings.


For IPv6

Syntax

[no] ipv6 source-binding <mac-address> vlan <vlan-id> <ip-address> interface <port-number>

mac-address

Specifies a MAC address to bind with a VLAN and IP address on the specified port in the DHCP binding database.

vlan-id

Specifies a VLAN ID number to bind with the specified MAC and IP addresses on the specified port in the DHCP binding database.

ip-address

Specifies an IPv6 address to bind with a VLAN and MAC address on the specified port in the DHCP binding database.

<port-number>

Specifies the port number on which the IP-to-MAC address and VLAN binding is configured in the DHCP binding database.

Verifying the dynamic IP lockdown configuration

To display the ports on which dynamic IP lockdown is configured, enter the show ip source-lockdown status command at the global configuration level.

For IPv4

Syntax

show ip source-lockdown status

Output for the show ip source-lockdown status command is shown in the following example.

Output for the show ip source-lockdown status command

HP Switch(config)# show ip source-lockdown status
 Dynamic IP Lockdown Status Information

Global State: Enabled

     Port     Operational State
     -------- ------------------
     1        Active
     2        Not in DHCP Snooping vlan
     3        Disabled
     4        Disabled
     5        Trusted port, Not in DHCP Snooping vlan
     . . . .  . . . . . . . . . . .

For IPv6

Syntax

show ipv6 source-lockdown status

Displaying the static configuration of IP-to-MAC bindings

To display the static configurations of IP-to-MAC bindings stored in the DHCP lease database, enter the show ip source-lockdown bindings or show ipv6 source-lockdown bindings command.

For IPv4

Syntax

show ip source-lockdown bindings [port-number]

port-number

(Optional) Specifies the port number on which source IP-to-MAC address and VLAN bindings are configured in the DHCP lease database.

The following example shows output from the show ip source-lockdown bindings command.

Output for the show ip source-lockdown bindings command

HP Switch(config)# show ip source-lockdown bindings

Dynamic IP Lockdown (DIPLD) Bindings

Mac Address     IP Address   VLAN   Port   Not in HW
-----------     ----------   ----   ----   ----------
001122-334455   10.10.10.1   1111   x11
005544-332211   10.10.10.2   2222   Trk11  YES
. . . . . . . . . . . . . . . . . . . . . . . . .

In the show ip source-lockdown bindings command output, the “Not in HW” column specifies whether (YES or NO) a statically configured IP-to-MAC and VLAN binding on a specified port has been combined in the lease database maintained by the DHCP Snooping feature.

For IPv6

Syntax

show ipv6 source-lockdown bindings [port-number]

Debugging dynamic IP lockdown

To enable the debugging of packets dropped by dynamic IP lockdown, enter the debug dynamic-ip-lockdown command.

Syntax:

debug dynamic-ip-lockdown

To send command output to the active CLI session, enter the debug destination session command.

Counters for denied packets are displayed in the debug dynamic-ip-lockdown command output. Packet counts are updated every five minutes. An example of the command output is shown in Output for the debug dynamic-ip-lockdown command.

When dynamic IP lockdown drops IP packets in VLAN traffic that do not contain a known source IP-to-MAC address binding for the port on which the packets are received, a message is entered in the event log.

Output for the debug dynamic-ip-lockdown command

HP Switch(config)# debug dynamic-ip-lockdown

DIPLD 01/01/90 00:01:25 : denied ip 192.168.2.100 (0) (PORT 4) -> 192.168.2.1 (0), 1 packets
DIPLD 01/01/90 00:06:25 : denied ip 192.168.2.100 (0) (PORT 4) -> 192.168.2.1 (0), 294 packets
DIPLD 01/01/90 00:11:25 : denied ip 192.168.2.100 (0) (PORT 4) -> 192.168.2.1 (0), 300 packets
DIPLD 01/01/90 00:16:25 : denied ip 192.168.2.100 (0) (PORT 4) -> 192.168.2.1 (0), 300 packets
DIPLD 01/01/90 00:21:25 : denied ip 192.168.2.100 (0) (PORT 4) -> 192.168.2.1 (0), 299 packets
DIPLD 01/01/90 00:26:25 : denied ip 192.168.2.100 (0) (PORT 4) -> 192.168.2.1 (0), 300 packets
DIPLD 01/01/90 00:31:25 : denied ip 192.168.2.100 (0) (PORT 4) -> 192.168.2.1 (0), 300 packets
DIPLD 01/01/90 00:36:25 : denied ip 192.168.2.100 (0) (PORT 4) -> 192.168.2.1 (0), 299 packets
DIPLD 01/01/90 00:41:25 : denied ip 192.168.2.100 (0) (PORT 4) -> 192.168.2.1 (0), 300 packets
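An added example, not from the manual: a parser that aggregates DIPLD denied-packet messages in the format shown above, so that a source that keeps being denied on one port interval after interval (a stale lease, a statically addressed host, or a spoofed source) stands out from a one-off. The sample lines, the regular expression and the function names are constructed for this example; the two "(0)" fields are captured without interpretation because the manual does not define them.

```python
import re
from collections import defaultdict

# Constructed sample in the DIPLD debug format shown above; the second
# message is wrapped across two lines as it appears in the manual output.
SAMPLE = """\
DIPLD 01/01/90 00:01:25 : denied ip 192.168.2.100 (0) (PORT 4) -> 192.168.2.1 (0), 1 packets
DIPLD 01/01/90 00:06:25 : denied ip 192.168.2.100 (0)
(PORT 4) -> 192.168.2.1 (0), 294 packets
DIPLD 01/01/90 00:11:25 : denied ip 192.168.2.100 (0) (PORT 4) -> 192.168.2.1 (0), 300 packets
DIPLD 01/01/90 00:11:25 : denied ip 10.0.8.9 (0) (PORT 7) -> 10.0.8.1 (0), 2 packets
"""

# \s* between the source's "(n)" field and "(PORT" tolerates a wrapped line.
DIPLD_RE = re.compile(
    r"DIPLD (?P<date>\S+) (?P<time>\S+) : denied ip "
    r"(?P<src>\d+\.\d+\.\d+\.\d+) \((?P<f1>\d+)\)\s*"
    r"\(PORT (?P<port>[^)]+)\) -> (?P<dst>\d+\.\d+\.\d+\.\d+) \((?P<f2>\d+)\), "
    r"(?P<count>\d+) packets")


def parse_dipld(text):
    """One dict per denied message; count is the packets denied in that
    five-minute reporting interval."""
    return [{"time": m["time"], "src": m["src"], "port": m["port"],
             "dst": m["dst"], "count": int(m["count"])}
            for m in DIPLD_RE.finditer(text)]


def summarize(events, sustained_intervals=3):
    """Total denied packets per (source IP, port) and flag sources that were
    reported in at least `sustained_intervals` reporting intervals."""
    totals, intervals = defaultdict(int), defaultdict(int)
    for e in events:
        key = (e["src"], e["port"])
        totals[key] += e["count"]
        intervals[key] += 1
    return {k: {"packets": totals[k], "intervals": intervals[k],
                "sustained": intervals[k] >= sustained_intervals}
            for k in totals}


if __name__ == "__main__":
    for (src, port), info in summarize(parse_dipld(SAMPLE)).items():
        print(f"{src} on port {port}: {info}")
```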

Differences between switch platforms

There are some differences in the feature set and operation of Dynamic IP Lockdown, depending on the switch on which it is implemented. These are listed below.

  • There is no restriction on GVRP on 3500/5400/2615 switches. On 2600/2800/3400 switches, Dynamic IP Lockdown is not supported if GVRP is enabled on the switch.

  • Dynamic IP Lockdown has the host limits shown in the table below. There is a DHCP snooping limit of 8,192 entries.

  • A source is considered “trusted” for all VLANs if it is seen on any VLAN without DHCP snooping enabled.

  • On the HP switch series 3500/5400/2615, dynamic IP lockdown is supported on a port configured for statically configured port-based ACLs.

Differences in switch platforms

Switch: 3500/5400
  Number of hosts: 64 bindings per port; up to 4096 manual bindings per switch
  Comments: This limit is shared with DHCP snooping because they both use the snooping database.

Switch: 3400/2800
  Number of hosts: 32 bindings per port; up to 512 manual bindings; up to 32 VLANs with DHCP snooping enabled
  Comments: This is not guaranteed as the hardware resources are shared with QoS.

Switch: 2610/2615/2915
  Number of hosts: 8 bindings per port; up to 512 manual bindings; globally 118 to 125 hosts; up to 8 VLANs with DHCP snooping enabled
  Comments: This is not guaranteed as the hardware resources are shared with IDM ACLs. The number of global bindings available is based on the number of DHCP snooping-enabled VLANs (1-8).

Switch: 2600
  Number of hosts: 8 bindings per port; up to 512 manual bindings; up to 8 VLANs with DHCP snooping enabled
  Comments: This is not guaranteed as the hardware resources are shared with QoS.