IP Locking

This section describes IP Locking configuration tasks.

IP Locking

IP Locking is an EOS feature configured on an Ethernet Layer 2 port.

When enabled, IP Locking ensures that a port only permits IP and ARP packets whose IP source addresses have been authorized. As of EOS Release 4.25.0F, IP Locking can run in two modes: IPv4 Locking (referred to below simply as IP Locking) and IPv6 Locking, each configured with the commands described in the following sections. IP Locking prevents a host on a different interface from claiming ownership of an IP address through ARP spoofing. IPv6 Locking extends this protection to IPv6 packets, including ICMPv6 Neighbor Discovery (Router Advertisement, Redirect) and DHCPv6 (server-to-client) packets. Mode-specific commands are also discussed.

On an IP Locked port:
  • ARP probes with 0.0.0.0 as the Sender Protocol Address (SPA) are allowed, so that hosts can perform Duplicate Address Detection (DAD).
  • Incoming DHCP server response packets are dropped, to stop a rogue device on the port from acting as a DHCP server.
  • Incoming DHCP client request packets are allowed, so that hosts can complete the DHCP handshake and obtain leases.
On an IPv6 Locked port:
  • Incoming DHCPv6 server response packets are dropped; incoming DHCPv6 client request packets are allowed.
  • Incoming ICMPv6 ND: Router Advertisement packets are dropped, as only routers should send them.
  • Incoming ICMPv6 ND: Router Solicitation packets are allowed.
  • Incoming ICMPv6 ND: Redirect packets are dropped, as only routers should send them.
Figure 1. IP Locking

IP Locking relies on DHCP LeaseQuery (RFC 4388) and MAC address learning to determine that an IP address has been authorized on a particular port. The DHCP servers used in the network must be configured to answer LeaseQuery messages; otherwise no address can be authorized on a locked port.
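The exchange behind that authorization, as an added example that is not part of the Arista documentation or of EOS: a Python model of the RFC 4388 DHCPLEASEQUERY the switch sends (query by IP address, with its local-interface address in giaddr so the server unicasts the reply back to it on UDP port 67) and the parsing of the server's DHCPLEASEACTIVE, DHCPLEASEUNASSIGNED or DHCPLEASEUNKNOWN reply into the binding IP Locking would install. All packet bytes are constructed here; the mapping of reply types onto the Lease Active / Lease Unknown / Lease Unassigned counter columns is our reading of the counters section, and every function name is ours.

```python
"""Added example (not Arista's code): the RFC 4388 DHCP LeaseQuery exchange that
IP Locking uses to authorize an address.  Builds the DHCPLEASEQUERY the switch
sends for an IP it saw on a locked port, then parses the server's reply into the
binding the switch would install.  Packet bytes are constructed here; the
mapping of reply types onto the counter columns is our reading of the page."""
import socket
import struct

BOOTREQUEST, BOOTREPLY = 1, 2
# DHCP message types (option 53); values 10-13 are defined by RFC 4388.
DHCPLEASEQUERY, DHCPLEASEUNASSIGNED, DHCPLEASEUNKNOWN, DHCPLEASEACTIVE = 10, 11, 12, 13
OPT_LEASE_TIME, OPT_MSG_TYPE, OPT_END = 51, 53, 255
MAGIC_COOKIE = b"\x63\x82\x53\x63"
HDR = "!BBBBIHH4s4s4s4s16s64s128s"   # the fixed 236-byte BOOTP header


def dhcp_header(op, xid, ciaddr, giaddr, chaddr=b"", hlen=6):
    chaddr = chaddr.ljust(16, b"\0")
    return struct.pack(HDR, op, 1, hlen, 0, xid, 0, 0,
                       socket.inet_aton(ciaddr), b"\0" * 4, b"\0" * 4,
                       socket.inet_aton(giaddr), chaddr, b"\0" * 64, b"\0" * 128)


def build_leasequery_by_ip(query_ip, requester_ip, xid):
    """Query 'by IP address': ciaddr = address to check, giaddr = the switch's
    local-interface IP (the server unicasts the reply there, UDP port 67)."""
    return (dhcp_header(BOOTREQUEST, xid, query_ip, requester_ip)
            + MAGIC_COOKIE + bytes([OPT_MSG_TYPE, 1, DHCPLEASEQUERY, OPT_END]))


def build_leaseactive_reply(query, mac, lease_secs):
    """Constructed DHCPLEASEACTIVE as a conforming server would answer `query`:
    same xid, same ciaddr, chaddr = lease holder, option 51 = time remaining."""
    f = struct.unpack(HDR, query[:236])
    xid, ciaddr, giaddr = f[4], socket.inet_ntoa(f[7]), socket.inet_ntoa(f[10])
    opts = (bytes([OPT_MSG_TYPE, 1, DHCPLEASEACTIVE, OPT_LEASE_TIME, 4])
            + struct.pack("!I", lease_secs) + bytes([OPT_END]))
    return dhcp_header(BOOTREPLY, xid, ciaddr, giaddr, mac) + MAGIC_COOKIE + opts


def parse_options(data):
    """TLV options after the magic cookie (no option-overload handling)."""
    opts, i = {}, 0
    while i < len(data) and data[i] != OPT_END:
        if data[i] == 0:            # pad byte
            i += 1
            continue
        code, ln = data[i], data[i + 1]
        opts[code] = data[i + 2:i + 2 + ln]
        i += 2 + ln
    return opts


def eos_mac(raw):
    h = raw.hex()
    return "%s.%s.%s" % (h[0:4], h[4:8], h[8:12])


def parse_leasequery_reply(query, reply):
    """Return {'result': lease-active|lease-unknown|lease-unassigned|unknown}
    (the counter buckets) plus, for an active lease, the ip/mac/lease_secs
    binding IP Locking would install for the port that saw the address."""
    if len(reply) < 240 or reply[236:240] != MAGIC_COOKIE:
        return {"result": "unknown", "reason": "malformed"}
    f = struct.unpack(HDR, reply[:236])
    op, hlen, xid, ciaddr, chaddr = f[0], f[2], f[4], f[7], f[11]
    if op != BOOTREPLY or xid != struct.unpack(HDR, query[:236])[4]:
        return {"result": "unknown", "reason": "not a reply to our query"}
    opts = parse_options(reply[240:])
    mtype = opts.get(OPT_MSG_TYPE, b"\0")[0]
    if mtype == DHCPLEASEUNASSIGNED:
        return {"result": "lease-unassigned"}   # server manages the address, nobody holds it
    if mtype == DHCPLEASEUNKNOWN:
        return {"result": "lease-unknown"}      # server does not manage this address
    if mtype != DHCPLEASEACTIVE or OPT_LEASE_TIME not in opts:
        return {"result": "unknown", "reason": "message type %d" % mtype}
    return {"result": "lease-active",
            "ip": socket.inet_ntoa(ciaddr),
            "mac": eos_mac(chaddr[:hlen]),
            "lease_secs": struct.unpack("!I", opts[OPT_LEASE_TIME])[0]}


if __name__ == "__main__":
    q = build_leasequery_by_ip("10.30.4.4", "10.10.1.2", 0x1234)
    r = build_leaseactive_reply(q, bytes.fromhex("ba76a4677ff8"), 117)
    print(parse_leasequery_reply(q, r))
```

Run stand-alone, the block prints a lease-active binding for 10.30.4.4 with MAC ba76.a467.7ff8 and 117 seconds remaining, the same values as the show address locking table ipv4 example later in this chapter. A reply that is not a BOOTREPLY, or whose xid does not match the outstanding query, is classified as unknown rather than turned into an authorization; a real implementation additionally accepts replies only from the configured dhcp server ipv4 addresses.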

Release Updates

Refer to the release updates for IP Locking.

EOS Release 4.25.1F:

Added support for disabling address filtering for IPv6 packets while still keeping all packet-type-specific drop rules (ICMPv6 ND:RA, ICMPv6 ND:Redirect and DHCPv6 server-to-client packets), using the locked-address ipv6 enforcement disabled command.

EOS Release 4.24.0F:

  • Added support for expiration modes of locked addresses, using the locked-address expiration mac disabled command.
  • Added support for counters, using the show address locking counters and clear address locking counters commands.

EOS Release 4.23.2F:

Added support for static lease command, lease <V4ADDR> mac <MACADDR>.

EOS Release 4.23.1F:

Added support for clear address locking lease command.

EOS Release 4.23.0F:
  • Initial release.
  • Supports IPv4 address locking.

IPv4 Locking Configuration Commands

Configure IP Locking commands in the address locking configuration mode.

Example
switch# configure
switch(config)# address locking
switch(config-address-locking)#
To enable IP Locking, you must configure
  • the DHCP servers from which hosts are expected to acquire leases. IP Locking communicates with these DHCP servers to learn the IP addresses that must be authorized on the switch.
    switch(config-address-locking)# dhcp server ipv4 10.1.1.1
    switch(config-address-locking)# dhcp server ipv4 10.30.1.3
  • a local L3 interface to communicate with the DHCP server(s). This can be the management interface, a routed interface, or a Switch Virtual Interface (SVI). The interface must have a valid IP address that is routable to the configured DHCP server(s); it can reside in a non-default VRF. Its IP address is used as the source IP of the switch's packets to the DHCP server.
    switch# configure
    switch(config)# interface Vlan2160
    switch(config-if-Vl2160)# ip address 10.10.1.2/16
    
    switch# configure
    switch(config)# address locking
    switch(config-address-locking)# local-interface Vlan2160

To activate IP Locking on ports connected to clients, IP Locking must be enabled in the interface configuration mode. Running this command only activates IPv4 Locking and overrides the previous configuration for the interface.

Example
switch(config)# interface Ethernet27/1
switch(config-if-Et27/1)# address locking ipv4

It is possible to disable IP Locking using the disabled command in address-locking mode. This turns off the feature and allows a host to use any IP address, authorized or unauthorized, on any port.

Example
switch# configure
switch(config)# address locking
switch(config-address-locking)# disabled

Clear Commands

The clear address locking lease ... command removes lease bindings from hardware. This enable-mode command clears leases at the following granularities:
  • clear address locking lease ipv4 V4ADDR removes the single lease associated with an IPv4 address.
  • clear address locking lease ipv6 V6ADDR removes the single lease associated with an IPv6 address.
  • clear address locking lease interface ethernet slot removes all leases associated with the specified interface.
  • clear address locking lease all removes all leases on the switch.

Static Lease Commands

The lease mac command, entered in address locking configuration mode, installs a lease into hardware for the configured IP address on the interface where the configured MAC address has been learned. If the MAC address is not in the MAC table, or is learned on an interface that is not configured for IP Locking, the lease is not installed until the MAC address appears on an interface that has IP Locking enabled.

Note: Any lease from the DHCP server that matches either the same IP or MAC as a statically configured lease is removed from the switch.
switch# configure
switch(config)# address locking
switch(config-address-locking)# lease 1.1.1.1 mac a.b.c

Locked Address Expiration Commands

IP Locking, by default, deauthorizes a lease when its corresponding MAC address ages out of the MAC table. The locked-address expiration mac disabled command changes this so that leases remain authorized and installed even after their corresponding MAC addresses have aged out.

Example
switch# configure
switch(config)# address locking
switch(config-address-locking)# locked-address expiration mac disabled

IP Locking Counters

The show address locking counters command displays DHCP lease query messages sent, received, and dropped. There are two sets of counters: first, the number of packets sent to and received from each DHCP server; and second, the number of packets sent and received for each locked interface. There are separate counters for the different kinds of messages communicated between the switch and the DHCP server.

Example
switch# show address locking counters
                    Lease Active   Lease Unknown  Lease Unassigned
DHCP Server  Query  Rcvd   Drop    Rcvd   Drop    Rcvd    Drop    Unknown
-----------  -----  -----  -----   -----  -----   ------  ------  -------
80.80.80.80  32860  8002   34      8001   32      13423   134     3234


Interface Query Lease Active Lease Unknown Lease Unassigned
--------- ----- ------------ ------------- ----------------
Ethernet2  1747 1234         189           324

The clear address locking counters command resets all the counters associated with IP Locking to zero.

IPv6 Locking

IPv6 Locking Configuration Commands

To enable IPv6 Locking, you must first disable enforcement of IPv6 address locking. IPv6 Locking currently applies only the packet-type drop rules (ICMPv6 ND:RA, ND:Redirect and DHCPv6 server-to-client); it does not filter IPv6 packets by source address, so this command is required before IPv6 Locking will activate on any port.
switch# configure
switch(config)# address locking
switch(config-address-locking)# locked-address ipv6 enforcement disabled

To activate IPv6 Locking on ports connected to clients, IPv6 Locking must be enabled in the interface configuration mode. Running this command only activates IPv6 Locking and overrides the previous configuration for the interface.

Example
switch(config)# interface ethernet 27/1
switch(config-if-Et27/1)# address locking ipv6
Both IPv4 and IPv6 Locking can be activated on a port with a single command:
switch(config)# interface ethernet 27/1
switch(config-if-Et27/1)# address locking ipv4 ipv6

IPv6 Locking can be disabled with the disabled command in address-locking mode. This turns off the whole feature, IPv4 Locking included, and allows a host to use any IP address, authorized or unauthorized, on any port.

Example
switch# configure
switch(config)# address locking
switch(config-address-locking)# disabled

Locked Address IP Enforcement Commands

The locked-address ipv4 enforcement disabled command disables address filtering for all ports that have IPv4 Locking enabled. IPv4 packets are then permitted regardless of source address, so the port no longer prevents address spoofing; only the packet-type drop rules, such as dropping DHCP server responses, remain in effect.

Example
switch# configure
switch(config)# address locking
switch(config-address-locking)# locked-address ipv4 enforcement disabled

The locked-address ipv6 enforcement disabled command disables address filtering for all ports that have IPv6 Locking enabled. IPv6 packets are then permitted regardless of source address; the packet-type drop rules (ICMPv6 ND:RA, ND:Redirect and DHCPv6 server-to-client) remain in effect.

Example
switch# configure
switch(config)# address locking
switch(config-address-locking)# locked-address ipv6 enforcement disabled
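To see how the per-port rules and the enforcement modes combine, here is an added example (not Arista's code and not a description of EOS internals) that models the ingress decision on a locked port over a set of constructed packets. It covers the packet-type rules listed for IP Locked and IPv6 Locked ports at the top of this chapter, the lease-table source-address check, the enforcement disabled modes described just above, and the MAC-ageing behaviour controlled by locked-address expiration mac disabled. The packet descriptor format, the lease table layout and all names in it are assumptions made for the example.

```python
"""Added example (not Arista's code): model of the ingress decision on an
IP Locked / IPv6 Locked port.  Combines the packet-type drop rules for locked
ports, the lease-table source-address check, the 'enforcement disabled' modes
and the 'expiration mac disabled' behaviour.  Packet descriptors, lease table
layout and all names here are constructed for the example, not EOS internals."""
from dataclasses import dataclass, field

ICMPV6_RS, ICMPV6_RA, ICMPV6_REDIRECT = 133, 134, 137
DHCP_SERVER_TO_CLIENT, DHCP_CLIENT_TO_SERVER = (67, 68), (68, 67)      # UDP (sport, dport)
DHCPV6_SERVER_TO_CLIENT, DHCPV6_CLIENT_TO_SERVER = (547, 546), (546, 547)


@dataclass
class LockingConfig:
    ipv4_enforcement: bool = True    # False == locked-address ipv4 enforcement disabled
    ipv6_enforcement: bool = True    # False == locked-address ipv6 enforcement disabled
    expire_on_mac_age: bool = True   # False == locked-address expiration mac disabled
    ports: dict = field(default_factory=dict)   # port -> {"ipv4": bool, "ipv6": bool}


@dataclass
class LeaseTable:
    """ip -> {"mac", "port"}: bindings authorized via LeaseQuery or `lease ... mac`."""
    leases: dict = field(default_factory=dict)

    def authorized(self, ip, port):
        entry = self.leases.get(ip)
        return entry is not None and entry["port"] == port

    def mac_aged_out(self, mac, cfg):
        """MAC table ageing: by default the lease is deauthorized; with
        expiration disabled the lease stays installed."""
        if cfg.expire_on_mac_age:
            for ip in [ip for ip, e in self.leases.items() if e["mac"] == mac]:
                del self.leases[ip]


def _address_check(src, port, enforce, table):
    if table.authorized(src, port):
        return "allow", "source authorized on this port"
    if not enforce:
        return "allow", "address filtering off (enforcement disabled)"
    return "drop", "source %s not authorized on %s" % (src, port)


def decide(pkt, port, cfg, table):
    """Return ('allow'|'drop', reason) for one ingress packet on `port`.
    Packet-type rules run before the address check, so a DHCP server response
    is dropped even from an authorized source and even with enforcement off."""
    pc = cfg.ports.get(port, {"ipv4": False, "ipv6": False})
    kind, udp = pkt["eth"], pkt.get("udp")
    if kind == "arp" and pc["ipv4"]:
        if pkt["spa"] == "0.0.0.0":
            return "allow", "ARP probe with SPA 0.0.0.0 (DAD)"
        return _address_check(pkt["spa"], port, cfg.ipv4_enforcement, table)
    if kind == "ipv4" and pc["ipv4"]:
        if udp == DHCP_SERVER_TO_CLIENT:
            return "drop", "DHCP server response on a client port"
        if udp == DHCP_CLIENT_TO_SERVER:
            return "allow", "DHCP client request (lets the lease complete)"
        return _address_check(pkt["src"], port, cfg.ipv4_enforcement, table)
    if kind == "ipv6" and pc["ipv6"]:
        nd = pkt.get("icmpv6")
        if nd in (ICMPV6_RA, ICMPV6_REDIRECT):
            return "drop", "ICMPv6 ND type %d is only valid from a router" % nd
        if nd == ICMPV6_RS:
            return "allow", "ICMPv6 Router Solicitation"
        if udp == DHCPV6_SERVER_TO_CLIENT:
            return "drop", "DHCPv6 server response on a client port"
        if udp == DHCPV6_CLIENT_TO_SERVER:
            return "allow", "DHCPv6 client request"
        return _address_check(pkt["src"], port, cfg.ipv6_enforcement, table)
    return "allow", "no locking applies to this packet on this port"  # assumption


# Constructed traffic arriving on Et27/1, which has both locking modes enabled.
SAMPLE_PACKETS = {
    "arp-probe":     {"eth": "arp", "spa": "0.0.0.0"},
    "arp-spoof":     {"eth": "arp", "spa": "10.30.4.9"},
    "ipv4-ok":       {"eth": "ipv4", "src": "10.30.4.4"},
    "rogue-dhcp":    {"eth": "ipv4", "src": "10.30.4.4", "udp": DHCP_SERVER_TO_CLIENT},
    "dhcp-discover": {"eth": "ipv4", "src": "0.0.0.0", "udp": DHCP_CLIENT_TO_SERVER},
    "rogue-ra":      {"eth": "ipv6", "src": "fe80::1", "icmpv6": ICMPV6_RA},
    "rs":            {"eth": "ipv6", "src": "fe80::2", "icmpv6": ICMPV6_RS},
}


def make_demo(ipv4_enforcement=True, expire_on_mac_age=True):
    # ipv6_enforcement is False because, per the page, IPv6 Locking currently
    # runs only with IPv6 address filtering disabled.
    cfg = LockingConfig(ipv4_enforcement=ipv4_enforcement, ipv6_enforcement=False,
                        expire_on_mac_age=expire_on_mac_age,
                        ports={"Et27/1": {"ipv4": True, "ipv6": True}})
    table = LeaseTable({"10.30.4.4": {"mac": "ba76.a467.7ff8", "port": "Et27/1"}})
    return cfg, table


def verdicts(cfg, table, port="Et27/1"):
    return {name: decide(p, port, cfg, table)[0] for name, p in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    cfg, table = make_demo()
    for name, verdict in verdicts(cfg, table).items():
        print("%-14s %s" % (name, verdict))
```

With enforcement on, the spoofed ARP from 10.30.4.9 is dropped, and the rogue DHCP server response and rogue Router Advertisement are dropped regardless of mode. Setting ipv4_enforcement to False lets the spoofed ARP through but still drops the DHCP server response, which is exactly the trade-off the enforcement disabled command makes; ageing out the MAC behind 10.30.4.4 deauthorizes that address unless expire_on_mac_age is False.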

Show Commands

Use the show address locking command to display the status of IP and IPv6 locking.

Example
switch# show address locking
IP Locking is active
Interface        IPv4                  IPv6
---------------  --------------------  ---------------------------
Ethernet27/1     yes                   no (not configured)
Ethernet31/1     no (not configured)   no (not a layer 2 interface)
The show address locking command also displays the reason why IP Locking is not enabled on an interface. When more than one reason applies, the output shows the highest-priority one, in this order (highest first):
  • not configured
  • not a Layer 2 interface
  • no local interface
  • no dhcp server

The show address locking table ipv4 command displays all the DHCP leases that IP Locking knows about, whether or not those leases are installed and the interfaces on which these IP addresses are authorized.

Example
switch# show address locking table ipv4
IP Address     MAC Address      Interface  Installed    Expiration Time
-------------- ---------------- ---------- ------------ --------------- 
10.30.4.4      ba76.a467.7ff8   Et27/1     installed     in 0:01:57 

Limitations

The IP Locking feature contains the following limitations:
  • IP Locking is supported for IPv4 but has limited functionality for IPv6.
  • IP Locking works only with DHCP servers that support RFC 4388 (LeaseQuery) and are configured to allow lease queries. ISC DHCPD and BlueCat are currently known servers that support LeaseQuery.
  • IP Locking can only be configured on Ethernet interfaces, excluding sub-interfaces.
  • IP Locking and DHCP relay cannot be configured on the same switch. When both are configured, IP Locking is disabled.
  • IP Locking and DHCP snooping cannot be configured on the same switch. When both are configured, IP Locking is disabled.
  • IP Locking and DHCP server cannot be configured on the same switch. When both are configured, IP Locking is disabled.
  • Do not configure IP Locking and the ARP inspection feature on the same switch.
  • Do not configure IP Locking and the IP source guard feature on the same switch.
  • IP Locking may not immediately invalidate a lease on an access port if the host moves to another port on a different access switch.
  • IP Locking supports up to 3400 hosts on the DCS-7050X3 platform, and up to 3800 hosts on the CCS-720XP platform. This scale may reduce further with other features using TCAM resources.
  • IPv6 Locking currently only allows disabling address filtering for IPv6 packets while keeping all packet-type-specific drop rules (ND:RA, ND:Redirect and DHCPv6 server-to-client).
  • Some DHCP server implementations (such as ISC DHCPD) do not respond to lease query if the fixed-address configuration is used. Use reserved leases instead.
  • CVP Endpoint Identification is not able to identify hosts connected to an IP Locking enabled switch.

IP Locking Commands

clear address locking lease

Use the clear address locking lease command to remove lease bindings at different granularities.

Support beginning with EOS Release 4.23.1F:
  • The clear address locking lease ... command removes the lease from hardware.
    • The clear address locking lease ipv4 V4ADDR command removes the single lease associated with an IPv4 address.
    • The clear address locking lease ipv6 V6ADDR command removes the single lease associated with an IPv6 address.
    • The clear address locking lease interface ethernet slot command removes all leases associated with the specified interface.
    • The clear address locking lease all command removes all leases on the switch.

Command Mode

Address locking mode

Command Syntax

clear address locking lease [ all | interface [ ethernet slot ] | ipv4 V4ADDR | ipv6 V6ADDR ]

Parameters
  • all   The entire lease table.
  • interface   The interface of the lease to be cleared.
    • ethernet slot   Ethernet interface slot number.
  • ipv4 V4ADDR   IPv4 address of the lease to be cleared.
  • ipv6 V6ADDR   IPv6 address of the lease to be cleared.

Example

switch(config-address-locking)# clear address locking lease all

lease mac

The lease mac command, entered in address locking configuration mode, installs a lease into hardware for the configured IP address on the interface where the configured MAC address has been learned. If the MAC address is not in the MAC table, or is learned on an interface that is not configured for IP Locking, the lease is not installed until the MAC address appears on an interface that has IP Locking enabled. The no and default forms of the command remove that lease from hardware.

Command Mode

Address locking configuration mode

Command Syntax

lease V4ADDR mac MACADDR

no lease V4ADDR mac MACADDR

default lease V4ADDR mac MACADDR

Parameters
  • lease V4ADDR   The lease IP address.
  • mac MACADDR   The MAC address configured for the static lease.
Example
Arista# config t
Arista(config)# address locking
Arista(config-address-locking)# lease 1.1.1.1 mac a.b.c

locked-address expiration mac disabled

IP Locking, by default, deauthorizes leases after their corresponding MAC addresses age out. Use the locked-address expiration mac disabled command to configure IP Locking to keep leases installed, even after their corresponding MAC addresses have aged out.

Command Mode

Address locking configuration mode

Command Syntax

locked-address expiration mac disabled

no locked-address expiration mac disabled

default locked-address expiration mac disabled

Parameters
  • expiration   Configures the expiration mode for locked addresses.
  • mac   Deauthorizes locked addresses when their MAC address ages out.
  • disabled   Disables deauthorizing locked addresses when their MAC address ages out.
Example
switch# configure t
switch(config)# address locking
switch(config-address-locking)# locked-address expiration mac disabled

locked-address ipv4 enforcement disabled

The locked-address ipv4 enforcement disabled command disables address filtering for all ports that have IPv4 Locking enabled. IPv4 packets are then permitted regardless of source address, so the port no longer prevents address spoofing; only the packet-type drop rules, such as dropping DHCP server responses, remain in effect.

Command Mode

Address locking Configuration Mode

Command Syntax

locked-address ipv4 enforcement disabled

no locked-address ipv4 enforcement disabled

default locked-address ipv4 enforcement disabled

Parameters
  • ipv4 IPv4 address configuration.
  • enforcement Configure enforcement for locked addresses.
  • disabled Disable enforcement for locked addresses.
Example
switch# configure
switch(config)# address locking
switch(config-address-locking)# locked-address ipv4 enforcement disabled

locked-address ipv6 enforcement disabled

The locked-address ipv6 enforcement disabled command disables address filtering for all ports that have IPv6 Locking enabled. IPv6 packets are then permitted regardless of source address; the packet-type drop rules (ICMPv6 ND:RA, ND:Redirect and DHCPv6 server-to-client) remain in effect.

Command Mode

Address locking Configuration Mode

Command Syntax

locked-address ipv6 enforcement disabled

no locked-address ipv6 enforcement disabled

default locked-address ipv6 enforcement disabled

Parameters
  • ipv6 IPv6 address configuration.
  • enforcement Configure enforcement for locked addresses.
  • disabled Disable enforcement for locked addresses.
Example
switch# configure
switch(config)# address locking
switch(config-address-locking)# locked-address ipv6 enforcement disabled

show address locking

Use the show address locking command to display the status of IP and IPv6 locking.

The show address locking command also displays the reason why IP Locking is not enabled on an interface. When more than one reason applies, the output shows the highest-priority one, in this order (highest first):
  • not configured
  • not a Layer 2 interface
  • no local interface
  • no dhcp server

Command Mode

EXEC

Command Syntax

show address locking

Example
switch# show address locking
IP Locking is active
Interface        IPv4                  IPv6
---------------  --------------------  ---------------------------
Ethernet27/1     yes                   no (not configured)
Ethernet31/1     no (not configured)   no (not a layer 2 interface)

show address locking counters

The show address locking counters command displays DHCP lease query messages sent, received, and dropped. There are two sets of counters: first, the number of packets sent to and received from each DHCP server; and second, the number of packets sent and received for each locked interface. There are separate counters for the different kinds of messages communicated between the switch and the DHCP server.

Command Mode

EXEC

Command Syntax

show address locking counters

Related Commands

The clear address locking counters command resets all the counters associated with IP Locking to zero.

Example
switch# show address locking counters
                    Lease Active   Lease Unknown  Lease Unassigned
DHCP Server  Query  Rcvd   Drop    Rcvd   Drop    Rcvd    Drop    Unknown
-----------  -----  -----  -----   -----  -----   ------  ------  -------
80.80.80.80  32860  8002   34      8001   32      13423   134     3234


Interface Query Lease Active Lease Unknown Lease Unassigned
--------- ----- ------------ ------------- ----------------
Ethernet2  1747 1234         189           324

show address locking table ipv4

Use the show address locking table ipv4 command to display all the DHCP leases that IP Locking knows about, whether or not those leases are installed and the interfaces on which these IP addresses are authorized.

Command Mode

EXEC

Command Syntax

show address locking table ipv4 [ dynamic [ installed | interface ethernet slot ] | installed | interface ethernet slot | static [ installed | interface ethernet slot ] ]

Parameters
  • dynamic   Only display the dynamic leases.
    • installed   Only display the leases that are installed in hardware.
    • interface ethernet slot   Only display the leases belonging to the specified Ethernet interface.
  • installed   Only display the leases that are installed in hardware.
  • interface ethernet slot   Only display the leases belonging to the specified Ethernet interface (sub-interfaces are not supported).
  • static   Only display the static leases.
    • installed   Only display the leases that are installed in hardware.
    • interface ethernet slot   Only display the leases belonging to the specified Ethernet interface.
Example
switch# show address locking table ipv4
IP Address     MAC Address      Interface  Installed    Expiration Time
-------------- ---------------- ---------- ------------ --------------- 
10.30.4.4      ba76.a467.7ff8   Et27/1     installed     in 0:01:57