
Configuring Advanced Threat Protection
Dynamic IP Lockdown
Figure 8-6. Example of show ip source-lockdown bindings Command Output
In the show ip source-lockdown bindings command output, the “Not in HW”
column specifies (YES or NO) whether a statically configured IP-to-MAC and
VLAN binding on a specified port has been combined in the lease database
maintained by the DHCP Snooping feature.
Debugging Dynamic IP Lockdown
To enable the debugging of packets dropped by dynamic IP lockdown, enter
the debug dynamic-ip-lockdown command.
Syntax: debug dynamic-ip-lockdown
To send command output to the active CLI session, enter the debug destination
session command.
Counters for denied packets are displayed in the debug dynamic-ip-lockdown
command output. Packet counts are updated every five minutes. An example
of the command output is shown in Figure 8-7.
When dynamic IP lockdown drops IP packets in VLAN traffic that do not
contain a known source IP-to-MAC address binding for the port on which the
packets are received, a message is entered in the event log.
ProCurve(config)# show ip source-lockdown bindings
Dynamic IP Lockdown (DIPLD) Bindings
Mac Address    IP Address   VLAN   Port    Not in HW
-------------  -----------  -----  ------  ---------
001122-334455  10.10.10.1   1111   X11
005544-332211  10.10.10.2   2222   Trk11   YES
. . . . . . . . . . . . . . . . . . . . . . . . . . .
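
An added example (not from the ProCurve documentation): a Python parser for the show ip source-lockdown bindings output of Figure 8-6 that lists the bindings whose “Not in HW” column reads YES. The function names and the row pattern are assumptions based only on the two rows shown in the figure.

```python
import re

# Sample input: the output shown in Figure 8-6, including the dotted filler
# line and a row whose "Not in HW" column is blank.
SAMPLE = """\
ProCurve(config)# show ip source-lockdown bindings
Dynamic IP Lockdown (DIPLD) Bindings
Mac Address IP Address VLAN Port Not in HW
----------- ---------- ----- ----- ---------
001122-334455 10.10.10.1 1111 X11
005544-332211 10.10.10.2 2222 Trk11 YES
. . . . . . . . . . . . . . . . . . . . . . . . . . .
"""

# Assumed row layout: MAC as 6 hex digits, dash, 6 hex digits; IPv4 address;
# VLAN ID; port name; and an optional YES/NO flag in the last column.
ROW = re.compile(
    r"^\s*(?P<mac>[0-9A-Fa-f]{6}-[0-9A-Fa-f]{6})\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<vlan>\d+)\s+"
    r"(?P<port>\S+)"
    r"(?:\s+(?P<flag>YES|NO))?\s*$"
)

def parse_bindings(text):
    """Return one dict per binding row; all other lines are skipped."""
    bindings = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # prompt, title, column header, rule, or dotted filler
        row = m.groupdict()
        row["vlan"] = int(row["vlan"])
        # Keep a blank column as None rather than guessing YES or NO.
        row["not_in_hw"] = row.pop("flag")
        bindings.append(row)
    return bindings

def flagged_not_in_hw(bindings):
    """Bindings whose "Not in HW" column reads YES."""
    return [b for b in bindings if b["not_in_hw"] == "YES"]

if __name__ == "__main__":
    for b in flagged_not_in_hw(parse_bindings(SAMPLE)):
        print(f'{b["port"]}: {b["ip"]} / {b["mac"]} (VLAN {b["vlan"]}) Not in HW')
```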