HP (Hewlett-Packard) 3400CL-24G Switch User Manual


Enhancements
Release M.10.43 Enhancements
Protection Against IP Source Address Spoofing
Many network attacks occur when an attacker injects packets with forged IP source addresses into the network. Also, some network services use the IP source address as a component in their authentication schemes. For example, the BSD "r" protocols (rlogin, rcp, rsh) rely on the IP source address for packet authentication. SNMPv1 and SNMPv2c also frequently use authorized IP address lists to limit management access. An attacker that is able to send traffic that appears to originate from an authorized IP source address may gain access to network services for which he is not authorized.

Dynamic IP lockdown provides protection against IP source address spoofing by means of IP-level port security. IP packets received on a port enabled for dynamic IP lockdown are only forwarded if they contain a known IP source address and MAC address binding for the port.

Dynamic IP lockdown uses information collected in the DHCP Snooping lease database and through statically configured IP source bindings to create internal, per-port lists. The internal lists are dynamically created from known IP-to-MAC address bindings to filter VLAN traffic on both the source IP address and source MAC address.
Differences Between Switch Platforms
There are some differences in the feature set and operation of Dynamic IP Lockdown, depending on the switch on which it is implemented. These are listed below.

- There is no restriction on GVRP on 3500/5400 switches. On 2600/2800/3400cl switches, Dynamic IP Lockdown is not supported if GVRP is enabled on the switch.
- Dynamic IP Lockdown has the host limits shown in the table below. There is a DHCP snooping limit of 8,000 entries.
- A source is considered "trusted" for all VLANs if it is seen on any VLAN without DHCP snooping enabled.
- On the ProCurve switch series 5400 and 3500, dynamic IP lockdown is supported on a port configured for statically configured port-based ACLs.
Switch        Number of Hosts                              Comments
3500/5400     64 bindings per port;                        This limit is shared with DHCP snooping because
              up to 4096 bindings per switch               they both use the snooping database.
3400cl/2800   32 bindings per port;                        This is not guaranteed as the hardware
              up to 32 VLANs with DHCP snooping enabled    resources are shared with QoS.
2600          8 bindings per port;                         This is not guaranteed as the hardware
              up to 8 VLANs with DHCP snooping enabled     resources are shared with QoS.
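As an added illustration (not code from the HP manual or the switch firmware) of the per-port IP-to-MAC binding check described above and of the per-port host limits in the table, the following Python model builds per-port binding lists from constructed DHCP snooping leases and static entries and then decides whether a received packet is forwarded; the port names, addresses and platform labels are assumptions made up for the example.

```python
from dataclasses import dataclass, field

# Per-port binding limits taken from the manual's host-limit table; the keys are
# labels chosen for this example, not switch CLI identifiers.
PER_PORT_LIMIT = {"3500/5400": 64, "3400cl/2800": 32, "2600": 8}


@dataclass
class DynamicIpLockdown:
    platform: str
    bindings: dict = field(default_factory=dict)  # port -> set of (ip, mac)
    enabled: set = field(default_factory=set)     # ports with lockdown enabled

    def learn(self, port, ip, mac):
        """Record an IP-to-MAC binding for a port, as learned from a DHCP
        snooping lease or a static IP source binding. Returns False when the
        platform's per-port limit is already reached."""
        entries = self.bindings.setdefault(port, set())
        if (ip, mac) in entries:
            return True
        if len(entries) >= PER_PORT_LIMIT[self.platform]:
            return False
        entries.add((ip, mac))
        return True

    def forward(self, port, src_ip, src_mac):
        """Forward an IP packet only if the (source IP, source MAC) pair is a
        known binding for the port it arrived on; ports without lockdown are
        not filtered at the IP level."""
        if port not in self.enabled:
            return True
        return (src_ip, src_mac) in self.bindings.get(port, set())


def demo():
    # Constructed sample: one lockdown-enabled port A1 and one unprotected port A2.
    sw = DynamicIpLockdown("3400cl/2800")
    sw.enabled.add("A1")
    sw.learn("A1", "10.0.0.11", "00:11:22:33:44:55")   # DHCP snooping lease
    sw.learn("A1", "10.0.0.12", "00:11:22:33:44:66")   # static binding
    sw.learn("A2", "10.0.0.21", "00:11:22:33:44:77")
    return {
        "known_binding": sw.forward("A1", "10.0.0.11", "00:11:22:33:44:55"),
        "forged_src_ip": sw.forward("A1", "10.0.0.99", "00:11:22:33:44:55"),
        "forged_src_mac": sw.forward("A1", "10.0.0.11", "aa:bb:cc:dd:ee:ff"),
        "binding_from_other_port": sw.forward("A1", "10.0.0.21", "00:11:22:33:44:77"),
        "lockdown_disabled_port": sw.forward("A2", "10.0.0.99", "aa:bb:cc:dd:ee:ff"),
    }
```

Note that a binding learned on A2 does not authorize the same addresses on A1, since the lists are built per port.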