Owner's Manual

Chapter 17. Security | 455
NETGEAR 8800 User Manual
source IP lockdown is enabled on another port, the switch creates ACLs to allow DHCP packets and to deny all IP traffic for that particular port.

Source IP lockdown is enabled on a per-port basis; it is not available at the VLAN level. If source IP lockdown is enabled on a port, the feature is active on the port for all VLANs to which the port belongs.
Note: The source IP lockdown feature works only when hosts are assigned IP addresses using DHCP; source IP lockdown does not function for statically configured IP addresses.

The source IP lockdown ACLs listed in Table 49 are applied per port, in order of precedence from highest to lowest.

The counter has the same name as the rule of the catch-all ACL, so the counter is also named esSrcIpLockdown_<portIfIndex>_4.
Configuring Source IP Lockdown
To configure source IP lockdown, you must enable DHCP snooping on the ports connected to the DHCP server and the DHCP client before you enable source IP lockdown. You must enable source IP lockdown on the ports connected to the DHCP client, not on the ports connected to the DHCP server. To enable DHCP snooping, use the following command:

enable ip-security dhcp-snooping {vlan} <vlan_name> ports [all | <ports>] violation-action [drop-packet {[block-mac | block-port] [duration <duration_in_seconds> | permanently]} | none] {snmp-trap}
Table 49. Source IP Lockdowns Applied Per-port

ACL Name                                          Match Condition          Action        When Applied        Comments
esSrcIpLockdown_<portIfIndex>_<source IP in hex>  Source IP                Permit        Runtime             Multiple ACLs of this type can be applied, one for each permitted client.
esSrcIpLockdown_<portIfIndex>_1                   Proto UDP, Dest Port 67  Permit        Configuration time
esSrcIpLockdown_<portIfIndex>_2                   Proto UDP, Dest Port 68  Permit        Configuration time
esSrcIpLockdown_<portIfIndex>_3                   Ethertype ARP            Permit        Configuration time
esSrcIpLockdown_<portIfIndex>_4                   All                      Deny + count  Configuration time
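The ACL set in Table 49, modelled in Python as an added example (this is not NETGEAR's code): a port object holds the client addresses learned through DHCP snooping and evaluates frames in the table's precedence order, so DHCP and ARP always pass, a DHCP-assigned client passes on its runtime ACL, and a statically addressed host falls through to the catch-all rule, which denies it and bumps the esSrcIpLockdown_<portIfIndex>_4 counter. The Frame and LockdownPort classes, the ifIndex value 1005 and the 8-digit lowercase hex rendering of the source IP are assumptions made for illustration.

```python
# Constructed model of the per-port source IP lockdown ACLs (Table 49);
# the class names, ifIndex and hex formatting are assumptions, not switch internals.
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Optional, Tuple


@dataclass
class Frame:
    ethertype: str                  # "IP" or "ARP"
    src_ip: Optional[str] = None
    proto: Optional[str] = None     # "UDP", "TCP", ...
    dst_port: Optional[int] = None


@dataclass
class LockdownPort:
    if_index: int
    permitted: set = field(default_factory=set)    # IPs learned via DHCP snooping
    counters: dict = field(default_factory=dict)   # counter per catch-all ACL name

    def acl_name(self, suffix) -> str:
        return f"esSrcIpLockdown_{self.if_index}_{suffix}"

    def _ip_suffix(self, ip: str) -> str:
        # Assumed rendering of "<source IP in hex>": 8 lowercase hex digits.
        return format(int(IPv4Address(ip)), "08x")

    def learn_dhcp_client(self, ip: str) -> str:
        """Runtime ACL added once snooping sees a DHCP lease for ip."""
        self.permitted.add(ip)
        return self.acl_name(self._ip_suffix(ip))

    def evaluate(self, f: Frame) -> Tuple[str, str]:
        """Return (matching ACL name, action) in Table 49 precedence order."""
        if f.ethertype == "IP" and f.src_ip in self.permitted:
            return self.acl_name(self._ip_suffix(f.src_ip)), "permit"
        if f.ethertype == "IP" and f.proto == "UDP" and f.dst_port == 67:
            return self.acl_name(1), "permit"      # DHCP to server
        if f.ethertype == "IP" and f.proto == "UDP" and f.dst_port == 68:
            return self.acl_name(2), "permit"      # DHCP to client
        if f.ethertype == "ARP":
            return self.acl_name(3), "permit"
        name = self.acl_name(4)                    # catch-all: deny + count
        self.counters[name] = self.counters.get(name, 0) + 1
        return name, "deny"
```

Running it against a DHCP Discover, a leased client and a statically configured host shows why the note above holds: the static host never gets a runtime ACL and is counted against the catch-all rule.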