IP Locking
This section describes IP Locking configuration tasks. Topics in this section include:
IP Locking
IP Locking is an EOS feature configured on an Ethernet Layer 2 port.
When enabled, IP Locking ensures that a port only permits IP and ARP packets whose IP source addresses have been authorized on that port. Beginning with the EOS Release 4.25.0F release update, IP Locking runs in two modes: IPv4 Locking (referred to simply as IP Locking in this section) and IPv6 Locking, each configured with the commands described in the following sections. IP Locking prevents a host on a different interface from claiming ownership of an IP address through ARP spoofing. IPv6 Locking extends this behavior to IPv6 packets, including ICMPv6 Neighbor Discovery (Router Advertisement, Redirect) and DHCPv6 (server-to-client) packets. Mode-specific commands are also discussed.
In addition to source-address filtering, the following packet-type rules apply on a locked port:
- ARP probes with 0.0.0.0 as the Sender Protocol Address (SPA) are allowed, so that hosts can perform Duplicate Address Detection (DAD).
- Incoming DHCP server response packets are dropped, which prevents a rogue device from acting as a DHCP server.
- Incoming DHCP client request packets are allowed, so that devices can complete the DHCP handshake and obtain leases.
- Incoming DHCPv6 server response packets are dropped; incoming DHCPv6 client request packets are allowed.
- Incoming ICMPv6 ND Router Advertisement packets are dropped, as only routers should send them.
- Incoming ICMPv6 ND Router Solicitation packets are allowed.
- Incoming ICMPv6 ND Redirect packets are dropped, as only routers should send them.
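To make the rules above concrete, here is an added Python model of the per-port filter. This is example code written for this page, not EOS's implementation, and it says nothing about how the switch hardware evaluates packets. The frames, the authorized-address set and the host MAC address are constructed for the example; the ethertype, UDP port and ICMPv6 type constants are the standard values. The page does not say how ethertypes other than ARP, IPv4 and IPv6 are treated, so the model passes them unchanged; that is an assumption and is marked as such in the code.

```python
"""Model of the IP Locking per-port filter (added example, not EOS code)."""
import ipaddress
import struct

ETH_ARP, ETH_IP4, ETH_IP6 = 0x0806, 0x0800, 0x86DD
PROTO_UDP, PROTO_ICMP6 = 17, 58
ND_RS, ND_RA, ND_REDIRECT = 133, 134, 137          # ICMPv6 Neighbor Discovery types


def decide(frame, authorized, ipv6_enforcement=True):
    """Return (verdict, reason) for one inbound frame on a locked port.

    authorized: IP address strings locked to this port (learned through DHCP
    LeaseQuery in the real feature). ipv6_enforcement=False models
    'locked-address ipv6 enforcement disabled': IPv6 packet-type drop rules
    stay in force, IPv6 source addresses are not checked.
    """
    etype = struct.unpack("!H", frame[12:14])[0]
    body = frame[14:]
    if etype == ETH_ARP:
        spa = str(ipaddress.IPv4Address(body[14:18]))      # Sender Protocol Address
        if spa == "0.0.0.0":
            return "permit", "ARP probe with SPA 0.0.0.0 allowed for DAD"
        if spa in authorized:
            return "permit", "ARP from authorized SPA"
        return "drop", "ARP SPA not authorized on this port (spoof attempt)"
    if etype == ETH_IP4:
        ihl, src = (body[0] & 0x0F) * 4, str(ipaddress.IPv4Address(body[12:16]))
        if body[9] == PROTO_UDP:
            sport, dport = struct.unpack("!HH", body[ihl:ihl + 4])
            if (sport, dport) == (67, 68):
                return "drop", "DHCP server->client (rogue DHCP server)"
            if (sport, dport) == (68, 67):
                return "permit", "DHCP client->server (lease acquisition)"
        if src in authorized:
            return "permit", "authorized IPv4 source"
        return "drop", "IPv4 source not authorized on this port"
    if etype == ETH_IP6:
        src, payload = str(ipaddress.IPv6Address(body[8:24])), body[40:]  # no ext headers
        if body[6] == PROTO_UDP:
            sport, dport = struct.unpack("!HH", payload[:4])
            if (sport, dport) == (547, 546):
                return "drop", "DHCPv6 server->client"
            if (sport, dport) == (546, 547):
                return "permit", "DHCPv6 client->server"
        if body[6] == PROTO_ICMP6 and payload[0] in (ND_RA, ND_REDIRECT):
            return "drop", "ICMPv6 ND type %d is only valid from routers" % payload[0]
        if body[6] == PROTO_ICMP6 and payload[0] == ND_RS:
            return "permit", "ICMPv6 ND Router Solicitation"
        if not ipv6_enforcement:
            return "permit", "IPv6 address enforcement disabled"
        if src in authorized:
            return "permit", "authorized IPv6 source"
        return "drop", "IPv6 source not authorized on this port"
    return "permit", "other ethertype: not covered on this page (assumption)"


# ---- constructed frames for the demonstration (not captured traffic) --------
HOST_MAC = bytes.fromhex("ba76a4677ff8")

def eth(etype, payload, src=HOST_MAC, dst=b"\xff" * 6):
    return dst + src + struct.pack("!H", etype) + payload

def arp_request(spa, tpa, sha=HOST_MAC):   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + sha + ipaddress.IPv4Address(spa).packed
            + b"\0" * 6 + ipaddress.IPv4Address(tpa).packed)

def ipv4_udp(src, dst, sport, dport, data=b""):   # checksums left zero: model only
    udp = struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, PROTO_UDP, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed) + udp

def ipv6_pkt(src, dst, next_header, payload):
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, 64,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed) + payload

def icmpv6(nd_type):                                 # type, code, checksum, 12-byte body
    return bytes([nd_type, 0, 0, 0]) + b"\0" * 12

def sample_frames():
    """Frames a host on a locked port might send; the key names the scenario."""
    return {
        "ipv4_authorized": eth(ETH_IP4, ipv4_udp("10.30.4.4", "10.30.1.1", 40000, 53)),
        "ipv4_spoofed":    eth(ETH_IP4, ipv4_udp("10.30.4.9", "10.30.1.1", 40000, 53)),
        "arp_dad_probe":   eth(ETH_ARP, arp_request("0.0.0.0", "10.30.4.4")),
        "arp_spoof":       eth(ETH_ARP, arp_request("10.30.4.9", "10.30.4.1")),
        "dhcp_discover":   eth(ETH_IP4, ipv4_udp("0.0.0.0", "255.255.255.255", 68, 67)),
        "dhcp_offer":      eth(ETH_IP4, ipv4_udp("10.30.1.1", "255.255.255.255", 67, 68)),
        "icmpv6_ra":       eth(ETH_IP6, ipv6_pkt("fe80::1", "ff02::1", PROTO_ICMP6, icmpv6(ND_RA))),
        "icmpv6_rs":       eth(ETH_IP6, ipv6_pkt("fe80::1", "ff02::2", PROTO_ICMP6, icmpv6(ND_RS))),
        "dhcpv6_reply":    eth(ETH_IP6, ipv6_pkt("fe80::1", "ff02::1:2", PROTO_UDP,
                                                 struct.pack("!HHHH", 547, 546, 8, 0))),
    }

if __name__ == "__main__":
    authorized = {"10.30.4.4"}           # as a DHCPLEASEACTIVE answer would install it
    for name, frame in sample_frames().items():
        print("%-16s %s" % (name, decide(frame, authorized, ipv6_enforcement=False)))
```

Note the ordering in decide(): the DHCP and ICMPv6 packet-type rules are evaluated before the source-address check, which is why a DHCP DISCOVER from 0.0.0.0 passes on a port whose only authorized address is 10.30.4.4, and why a Router Advertisement is still dropped when IPv6 address enforcement is disabled.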
IP Locking relies on DHCP LeaseQuery (RFC 4388) and MAC address learning to determine that an IP address has been authorized on a particular port. It is necessary to ensure that the DHCP servers used in the network allow LeaseQuery messages. Because the switch installs leases on the strength of the LeaseQuery answers it receives, the path between the local interface and the configured DHCP servers should itself be trusted.
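The LeaseQuery exchange itself, as an added example that is not EOS code: the switch sends a DHCPLEASEQUERY by IP address from its local interface, the server answers DHCPLEASEACTIVE, DHCPLEASEUNASSIGNED or DHCPLEASEUNKNOWN, and only an ACTIVE answer authorizes the address on the port where that MAC address was learned. The toy server, its lease table, the transaction ID and the addresses are constructed for the example; the message-type values and the field layout follow RFC 2131 and RFC 4388.

```python
"""RFC 4388 DHCP LeaseQuery exchange as used by IP Locking (added example, not EOS code)."""
import socket
import struct

BOOTREQUEST, BOOTREPLY = 1, 2
# DHCP message types (option 53); the LeaseQuery values are from RFC 4388
DHCPLEASEQUERY, DHCPLEASEUNASSIGNED, DHCPLEASEUNKNOWN, DHCPLEASEACTIVE = 10, 11, 12, 13
OPT_LEASE_TIME, OPT_MSG_TYPE, OPT_PARAM_REQ, OPT_LAST_TRANSACTION, OPT_END = 51, 53, 55, 91, 255
MAGIC = b"\x63\x82\x53\x63"
FIXED = "!BBBBIHH4s4s4s4s16s64s128s"   # BOOTP fixed header, 236 bytes, then the magic cookie


def build_leasequery(xid, local_ip, target_ip):
    """Switch side: query by IP address. The queried address goes in ciaddr and
    the switch's local-interface address in giaddr, which is where the server
    unicasts its reply."""
    fixed = struct.pack(FIXED, BOOTREQUEST, 1, 0, 0, xid, 0, 0,
                        socket.inet_aton(target_ip), b"\0" * 4, b"\0" * 4,
                        socket.inet_aton(local_ip), b"\0" * 16, b"\0" * 64, b"\0" * 128)
    opts = bytes([OPT_MSG_TYPE, 1, DHCPLEASEQUERY,
                  OPT_PARAM_REQ, 2, OPT_LEASE_TIME, OPT_LAST_TRANSACTION, OPT_END])
    return fixed + MAGIC + opts


def parse_options(buf):
    opts, i = {}, 0
    while i < len(buf) and buf[i] != OPT_END:
        if buf[i] == 0:                                # pad option
            i += 1
            continue
        code, length = buf[i], buf[i + 1]
        opts[code] = buf[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def build_reply(xid, giaddr, msg_type, ip, mac, lease_seconds):
    fixed = struct.pack(FIXED, BOOTREPLY, 1, len(mac), 0, xid, 0, 0,
                        socket.inet_aton(ip), b"\0" * 4, b"\0" * 4, giaddr,
                        mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    opts = bytes([OPT_MSG_TYPE, 1, msg_type])
    if lease_seconds is not None:
        opts += bytes([OPT_LEASE_TIME, 4]) + struct.pack("!I", lease_seconds)
    return fixed + MAGIC + opts + bytes([OPT_END])


def toy_server(query, lease_db):
    """Server side, answering from {ip: (mac_bytes, seconds_remaining)}.
    A constructed stand-in for a LeaseQuery-capable server such as ISC DHCPD."""
    if len(query) < 240 or query[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    if parse_options(query[240:]).get(OPT_MSG_TYPE) != bytes([DHCPLEASEQUERY]):
        raise ValueError("not a DHCPLEASEQUERY")
    xid = struct.unpack("!I", query[4:8])[0]
    target, giaddr = socket.inet_ntoa(query[12:16]), query[24:28]
    entry = lease_db.get(target)
    if entry is None:                                  # address not managed by this server
        return build_reply(xid, giaddr, DHCPLEASEUNKNOWN, target, b"", None)
    mac, remaining = entry
    if remaining <= 0:                                 # managed, but no active lease
        return build_reply(xid, giaddr, DHCPLEASEUNASSIGNED, target, b"", None)
    return build_reply(xid, giaddr, DHCPLEASEACTIVE, target, mac, remaining)


def lease_decision(reply, expected_xid):
    """Switch side: only DHCPLEASEACTIVE authorizes (ip, mac) on the port that
    learned mac. Returns ('install', (ip, mac, seconds)) or (reason, None)."""
    if len(reply) < 240 or reply[236:240] != MAGIC or reply[0] != BOOTREPLY:
        return "drop", None
    if struct.unpack("!I", reply[4:8])[0] != expected_xid:
        return "drop", None                            # not an answer to our query
    opts = parse_options(reply[240:])
    mtype = opts.get(OPT_MSG_TYPE, b"\0")[0]
    if mtype == DHCPLEASEACTIVE:
        mac = reply[28:28 + reply[2]].hex()
        mac = ".".join(mac[i:i + 4] for i in range(0, 12, 4))   # EOS style xxxx.xxxx.xxxx
        lt = opts.get(OPT_LEASE_TIME)
        seconds = struct.unpack("!I", lt)[0] if lt else None
        return "install", (socket.inet_ntoa(reply[12:16]), mac, seconds)
    if mtype == DHCPLEASEUNASSIGNED:
        return "unassigned", None
    if mtype == DHCPLEASEUNKNOWN:
        return "unknown", None
    return "drop", None


if __name__ == "__main__":
    db = {"10.30.4.4": (bytes.fromhex("ba76a4677ff8"), 117)}      # constructed lease table
    q = build_leasequery(0x1234, "10.10.1.2", "10.30.4.4")         # local-interface 10.10.1.2
    print(lease_decision(toy_server(q, db), 0x1234))
```

In a real deployment the query travels over UDP port 67 from the configured local-interface to each configured dhcp server, and replies are matched to outstanding queries by xid, as lease_decision() does. The page's requirement that the server allow lease queries is not a formality: ISC DHCPD, for example, denies them unless `allow leasequery;` is present in dhcpd.conf, and a switch that never receives a DHCPLEASEACTIVE answer never authorizes the address.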
Release Updates
Refer to the release updates for IP Locking.
EOS Release 4.25.1F:
- Added support for disabling address filtering for IPv6 packets while keeping all packet-type-specific drop rules (ICMPv6 ND:RA, ICMPv6 ND:Redirect and DHCPv6 server-to-client packets), using the locked-address ipv6 enforcement disabled command.
EOS Release 4.24.0F:
- Added support for expiration modes of locked addresses, using the locked-address expiration mac disabled command.
- Added support for counters, using the show address locking counters and clear address locking counters commands.
EOS Release 4.23.2F:
- Added support for the static lease command, lease <V4ADDR> mac <MACADDR>.
EOS Release 4.23.1F:
- Added support for the clear address locking lease command.
Initial release:
- Supports IPv4 address locking.
IPv4 Locking Configuration commands
Configure IP Locking commands in the address locking configuration mode.
switch# configure
switch(config)# address locking
switch(config-address-locking)#
In this mode, configure:
- the DHCP servers from which hosts are expected to acquire leases. IP Locking communicates with these DHCP servers to learn the IP addresses that must be authorized on the switch.
switch(config-address-locking)# dhcp server ipv4 10.1.1.1
switch(config-address-locking)# dhcp server ipv4 10.30.1.3
- a local L3 interface to communicate with the DHCP server(s). This can be the management interface, a routed interface, or a Switch Virtual Interface (SVI). The interface requires a valid IP address that is routable to the configured DHCP server(s), and it can reside in a non-default VRF. The interface IP is used as the source IP of the switch's packets to the DHCP server.
switch# configure
switch(config)# interface Vlan2160
switch(config-if-Vl2160)# ip address 10.10.1.2/16
switch# configure
switch(config)# address locking
switch(config-address-locking)# local-interface Vlan2160
To activate IP Locking on ports connected to clients, IP Locking must be enabled in the interface configuration mode. Running this command activates IPv4 Locking only and overrides any previous address locking configuration for the interface.
switch(config)# interface Ethernet27/1
switch(config-if-Et27/1)# address locking ipv4
It is possible to disable IP Locking using the disabled command in address-locking mode. This turns off the feature and allows a host to use any IP address, authorized or unauthorized, on any port.
switch# configure
switch(config)# address locking
switch(config-address-locking)# disabled
Clear commands
- The clear address locking lease ipv4 V4ADDR command removes a single lease associated with an ipv4 address.
- The clear address locking lease ipv6 V6ADDR removes a single lease associated with an IPv6 address.
- The clear address locking lease interface ethernet slot command removes all leases associated with the specified interface.
- The clear address locking lease all removes all leases on the switch.
Static Lease commands
The lease mac command within address locking configuration mode installs a lease into hardware for the configured IP address on the interface with which the configured MAC address is associated. If the MAC address is not in the MAC table, or is on an interface that is not configured with IP Locking, the lease is not installed until the MAC address is learned on an interface that is configured with IP Locking.
switch# configure
switch(config)# address locking
switch(config-address-locking)# lease 1.1.1.1 mac a.b.c
Locked Address Expiration commands
By default, IP Locking deauthorizes a lease after its corresponding MAC address ages out of the MAC table. The locked-address expiration mac disabled command configures IP Locking to keep leases installed even after their corresponding MAC addresses have aged out; the IP addresses then remain authorized and installed on the port.
switch# configure
switch(config)# address locking
switch(config-address-locking)# locked-address expiration mac disabled
IP Locking Counters
The show address locking counters command displays DHCP lease query messages sent, received, and dropped. There are two sets of counters: first, the number of packets sent to and received from each DHCP server; and second, the number of packets sent and received for each locked interface. There are separate counters for the different kinds of messages communicated between the switch and the DHCP server.
switch# show address locking counters
                        Lease Active    Lease Unknown   Lease Unassigned
DHCP Server   Query     Rcvd    Drop    Rcvd    Drop    Rcvd     Drop      Unknown
-----------   -----     -----   ----    -----   ----    -----    ----      -------
80.80.80.80   32860     8002    34      8001    32      13423    134       3234

Interface     Query   Lease Active   Lease Unknown   Lease Unassigned
---------     -----   ------------   -------------   ----------------
Ethernet2     1747    1234           189             324
The clear address locking counters command resets all the counters associated with IP Locking to zero.
IPv6 Locking
IPv6 Locking Configuration commands
In the current release, IPv6 Locking applies only the packet-type drop rules (ICMPv6 ND:RA, ICMPv6 ND:Redirect and DHCPv6 server-to-client); IPv6 source-address filtering is not yet supported (see Limitations). To enable IPv6 Locking, you must therefore disable IPv6 address enforcement in address locking configuration mode:
switch# configure
switch(config)# address locking
switch(config-address-locking)# locked-address ipv6 enforcement disabled
To activate IPv6 Locking on ports connected to clients, IPv6 Locking must be enabled in the interface configuration mode. Running this command activates IPv6 Locking only and overrides any previous address locking configuration for the interface.
switch(config)# interface ethernet 27/1
switch(config-if-Et27/1)# address locking ipv6
To activate both IPv4 and IPv6 Locking on the same port, specify both address families in a single command:
switch(config)# interface ethernet 27/1
switch(config-if-Et27/1)# address locking ipv4 ipv6
It is possible to disable IPv6 Locking using the disabled command in address-locking mode. This turns off the feature and allows a host to use any IP address, authorized or unauthorized, on any port. Note that this also disables IPv4 Locking.
switch# configure
switch(config)# address locking
switch(config-address-locking)# disabled
Locked Address IP Enforcement commands
The locked-address ipv4 enforcement disabled command disables address filtering for all ports that have IPv4 Locking enabled. This permits IPv4 packets regardless of their source address while keeping all other drop rules in force.
switch# configure
switch(config)# address locking
switch(config-address-locking)# locked-address ipv4 enforcement disabled
The locked-address ipv6 enforcement disabled command disables address filtering for all ports that have IPv6 Locking enabled. This permits IPv6 packets regardless of their source address while keeping all other drop rules in force.
switch# configure
switch(config)# address locking
switch(config-address-locking)# locked-address ipv6 enforcement disabled
Show commands
Use the show address locking command to display the status of IPv4 and IPv6 Locking on each interface.
switch# show address locking
IP Locking is active
Interface        IPv4                 IPv6
---------------  -------------------  ---------------------------
Ethernet27/1     yes                  no (not configured)
Ethernet31/1     no (not configured)  no (not a layer 2 interface)
When locking is not active on an interface, the reason is shown in parentheses:
- not configured
- not a Layer 2 interface
- no local interface
- no dhcp server
The show address locking table ipv4 command displays all the DHCP leases that IP Locking knows about, whether or not those leases are installed in hardware, and the interfaces on which these IP addresses are authorized.
switch# show address locking table ipv4
IP Address       MAC Address       Interface   Installed    Expiration Time
---------------  ----------------  ----------  -----------  ---------------
10.30.4.4        ba76.a467.7ff8    Et27/1      installed    in 0:01:57
Limitations
- IP Locking is fully supported for IPv4 but has limited functionality for IPv6.
- IP Locking works only with DHCP servers that support RFC 4388 (LeaseQuery) and are configured to allow lease queries. ISC DHCPD and BlueCat are currently known servers that support LeaseQuery.
- IP Locking can only be configured on Ethernet interfaces, excluding sub-interfaces.
- IP Locking and DHCP relay cannot be configured on the same switch. When both are configured, IP Locking is disabled.
- IP Locking and DHCP snooping cannot be configured on the same switch. When both are configured, IP Locking is disabled.
- IP Locking and DHCP server cannot be configured on the same switch. When both are configured, IP Locking is disabled.
- Do not configure IP Locking and the ARP inspection feature on the same switch.
- Do not configure IP Locking and the IP source guard feature on the same switch.
- IP Locking may not immediately invalidate a lease on an access port if the host moves to another port on a different access switch.
- IP Locking supports up to 3400 hosts on the DCS-7050X3 platform, and up to 3800 hosts on the CCS-720XP platform. This scale may reduce further with other features using TCAM resources.
- IPv6 Locking currently only supports disabling address filtering for IPv6 packets while keeping all packet-type-specific drop rules (ICMPv6 ND:RA, ND:Redirect and DHCPv6 server-to-client).
- Some DHCP server implementations (such as ISC DHCPD) do not respond to lease query if the fixed-address configuration is used. Use reserved leases instead.
- CVP Endpoint Identification is not able to identify hosts connected to an IP Locking enabled switch.
IP Locking commands
clear address locking lease
Use the clear address locking lease command to remove lease bindings from hardware at different granularities:
- The clear address locking lease ipv4 V4ADDR command removes a single lease associated with an IPv4 address.
- The clear address locking lease ipv6 V6ADDR command removes a single lease associated with an IPv6 address.
- The clear address locking lease interface ethernet slot command removes all leases associated with the specified interface.
- The clear address locking lease all command removes all leases on the switch.
Command Mode
Address locking mode
Command Syntax
clear address locking lease [ all | interface [ ethernet slot ] | ipv4 V4ADDR | ipv6 V6ADDR ]
- all    The entire lease table.
- interface    The interface of the lease to be cleared.
- ethernet slot    Ethernet interface slot number.
- ipv4 V4ADDR    IPv4 address of the lease to be cleared.
- ipv6 V6ADDR    IPv6 address of the lease to be cleared.
Example
switch(config-address-locking)# clear address locking lease all
lease mac
The lease mac command within the address locking configuration mode installs a lease into hardware for the configured IP address on the interface with which the configured MAC address is associated. If the MAC address is not in the MAC table, or is on an interface that is not configured with IP Locking, the lease is not installed until the MAC address is learned on an interface that is configured with IP Locking. The no and default forms of the command remove the lease from hardware.
Command Mode
Address locking configuration mode
Command Syntax
lease V4ADDR mac MACADDR
no lease V4ADDR mac MACADDR
default lease V4ADDR mac MACADDR
- lease V4ADDR    The lease IP address.
- mac MACADDR    The configured MAC address for the static lease.
switch# configure
switch(config)# address locking
switch(config-address-locking)# lease 1.1.1.1 mac a.b.c
locked-address expiration mac disabled
IP Locking, by default, deauthorizes leases after their corresponding MAC addresses age out. Use the locked-address expiration mac disabled command to configure IP Locking to keep leases installed, even after their corresponding MAC addresses have aged out.
Command Mode
Address locking configuration mode
Command Syntax
locked-address expiration mac disabled
no locked-address expiration mac disabled
default locked-address expiration mac disabled
- expiration    Configures the expiration mode for locked addresses.
- mac    Configures deauthorizing locked addresses upon MAC aging out.
- disabled    Disables deauthorizing locked addresses upon MAC aging out.
switch# configure t
switch(config)# address locking
switch(config-address-locking)# locked-address expiration mac disabled
locked-address ipv4 enforcement disabled
The locked-address ipv4 enforcement disabled command disables address filtering for all ports that have IPv4 Locking enabled. This permits IPv4 packets regardless of their source address while keeping all other drop rules in force.
Command Mode
Address locking Configuration Mode
Command Syntax
locked-address ipv4 enforcement disabled
no locked-address ipv4 enforcement disabled
default locked-address ipv4 enforcement disabled
- ipv4 ipv4 address configuration.
- enforcement Configure enforcement for locked addresses.
- disabled Disable enforcement for locked addresses.
switch# configure
switch(config)# address locking
switch(config-address-locking)# locked-address ipv4 enforcement disabled
locked-address ipv6 enforcement disabled
The locked-address ipv6 enforcement disabled command disables address filtering for all ports that have IPv6 Locking enabled. This permits IPv6 packets regardless of their source address while keeping all other drop rules in force.
Command Mode
Address locking Configuration Mode
Command Syntax
locked-address ipv6 enforcement disabled
no locked-address ipv6 enforcement disabled
default locked-address ipv6 enforcement disabled
- ipv6 IPv6 address configuration.
- enforcement Configure enforcement for locked addresses.
- disabled Disable enforcement for locked addresses.
switch# configure
switch(config)# address locking
switch(config-address-locking)# locked-address ipv6 enforcement disabled
show address locking
Use the show address locking command to display the status of IPv4 and IPv6 Locking on each interface. When locking is not active on an interface, the reason is shown in parentheses:
- not configured
- not a Layer 2 interface
- no local interface
- no dhcp server
Command Mode
EXEC
Command Syntax
show address locking
switch# show address locking
IP Locking is active
Interface        IPv4                 IPv6
---------------  -------------------  ---------------------------
Ethernet27/1     yes                  no (not configured)
Ethernet31/1     no (not configured)  no (not a layer 2 interface)
show address locking counters
The show address locking counters command displays DHCP lease query messages sent, received, and dropped. There are two sets of counters: first, the number of packets sent to and received from each DHCP server; and second, the number of packets sent and received for each locked interface. There are separate counters for the different kinds of messages communicated between the switch and the DHCP server.
Command Mode
EXEC
Command Syntax
show address locking counters
Related commands
The clear address locking counters command resets all the counters associated with IP Locking to zero.
switch# show address locking counters
                        Lease Active    Lease Unknown   Lease Unassigned
DHCP Server   Query     Rcvd    Drop    Rcvd    Drop    Rcvd     Drop      Unknown
-----------   -----     -----   ----    -----   ----    -----    ----      -------
80.80.80.80   32860     8002    34      8001    32      13423    134       3234

Interface     Query   Lease Active   Lease Unknown   Lease Unassigned
---------     -----   ------------   -------------   ----------------
Ethernet2     1747    1234           189             324
show address locking table ipv4
Use the show address locking table ipv4 command to display all the DHCP leases that IP Locking knows about, whether or not those leases are installed and the interfaces on which these IP addresses are authorized.
Command Mode
EXEC
Command Syntax
show address locking table ipv4 [ dynamic [ installed | interface Ethernet slot ] | installed | interface Ethernet slot | static [ installed | interface Ethernet slot ] ]
- dynamic    Only display the dynamic (DHCP-learned) leases.
- static    Only display the static leases configured with the lease mac command.
- installed    Only display the leases that are installed in the hardware.
- interface    Only display the leases belonging to the specified interface.
- Ethernet slot    The specified Ethernet interface.
switch# show address locking table ipv4
IP Address       MAC Address       Interface   Installed    Expiration Time
---------------  ----------------  ----------  -----------  ---------------
10.30.4.4        ba76.a467.7ff8    Et27/1      installed    in 0:01:57