IP address Locking

eos provides IP address Locking capabilities when configured on an Ethernet Layer 2 port.

After enabling IP address Locking on a Layer 2 (L2) port, the port only permits IP and ARP packets with authorized IP source addresses. Configure IP address Locking in one of two modes:

  • IPv4
  • IPv6

IP address Locking prevents a host on a different interface from claiming ownership of an IP address through ARP spoofing. IPv6 Locking extends this behavior to IPv6 packets, including ICMPv6 Neighbor Discovery Router Advertisement and Redirect and DHCP server-to-client packets.

On an IPv4 Locked Port, the ARP protocol performs the following actions on the network:
  • Probing with the IPv4 address 0.0.0.0 as the Sender Protocol address (SPA).
  • Permit Duplicate address Detection (DAD).
  • Drop incoming DHCP server response packets to avoid any rogue devices acting as DHCP servers.
  • Permit incoming DHCP client request packets on devices to complete the DHCP handshake and obtain a DHCP lease.

On an IPv6 Locked Port, the ARP protocol performs the following actions on the network:

  • Drop incoming DHCPv6 server response packets.
  • Permit incoming DHCPv6 client request packets.
  • On an incoming ICMPv6 network device, perform the following actions:
    • Drop Router Advertisement packets since only routers should send these packets.
    • Permit Router Solicitation packets.
    • Drop redirect packets as only routers should send these packets.
    Figure 1. IP address Locking

IP address Locking relies on DHCP LeaseQuery and mac address learning to determine if an IP address is authorized on a particular port. Ensure that DHCP servers used in the network allow LeaseQuery messages.

This chapter describes IP address Locking configuration tasks and associated commands.

IP address Locking Configuration

Preparing a Switch for IP address Locking

Before enabling IPv4 address Locking, you must configure a DHCP Server and a Local Layer 3 interface.

Enabling a DHCP Server for IPv4 address Locking

Add the DHCP servers used by hosts to acquire leases. IPv4 address Locking communicates with the DHCP servers to learn the authorized IP addresses on the switch.

Example

The following commandsenable DHCP servers with an IPv4 address of 10.1.1.1, and another DHCP server with the IP address, 10.30.1.3:

switch(config-address-locking)#dhcp server ipv4 10.1.1.1
switch(config-address-locking)#dhcp server ipv4 10.30.1.3

Adding a Local Layer 3 Interface

Add a local L3 interface to communicate with the DHCP server. This could be the management interface, a routed interface, or a Switch Virtual Interface (SVI). This interface requires an assigned valid IP address, routable to the configured DHCP server, and can reside in a non-default VRF. The switch packets sent to the DHCP Server use the interface IP address as the source IP address.

Example

The following commandsconfigure an interface with a valid IP address, 10.10.1.2/16, on VLAN2160:

switch#configure
switch(config)#interface Vlan2160
switch(config-if-Vl2160)#ip address 10.10.1.2/16

The following commands add the interface to the IP address Locking configuration:

switch#configure 
switch(config)#address locking
switch(config-address-locking)#local-interface Vlan2160

Enabling IP address Locking

Configure IP address Locking for either IPv4 or IPv6 addresses, and both types of IP addresses can be enabled for IP address Locking. IPv6 address Locking requires a different approach outlined in this section.

Enabling IP address Locking

Configure IPv4 address Locking commands in the configuration mode.

Example

Use the following commands to enter IP address Locking configuration mode and add IPv4 address Locking:

switch#configure
switch(config)#address locking
switch(config-address-locking)#locked-address ipv4

Enabling IPv6 address Locking

To enable IPv6 locking, disable the enforcement of IPv6 address Locking.

Example

Use the following commands to disable IPv6 address Locking enforcement, and then enable IPv6 for IP address Locking:

switch#configure
switch(config)#address locking
switch(config-address-locking)#locked-address ipv6 enforcement disabled
switch(config-address-locking)#locked-address ipv6

Disabling IP address Locking

Disable IP address Locking using the disabled command in address-locking mode. This turns off the feature and allows a host to use any IP address, authorized or unauthorized, on any port.

Example

switch#configure
switch(config)#address locking
switch(config-address-locking)#disabled

Enabling IP address Locking on Ports

To enable IPv4 address Locking on ports connected to clients, IP address Locking must be enabled in the interface configuration mode. Running this command only enables IPv4 Locking and overrides the previous configuration for the interface.

Example

Use the following commands to enable IP address Locking for the interface, Ethernet27/1:

switch(config)#interface Ethernet27/1
switch(config-if-Et27/1)#address locking
switch(config-if-Et27/1-address-locking)#address-family ipv4
            

Use the following commands to enable IPv6 address Locking on ports connected to clients, use the address-family ipv6 parameter.

Example

To activate IPv6 address Locking on interface Ethernet53 and port 4, use the following syntax:

switch(config)#interface Ethernet53/4
switch(config-if-Et53/4)#address locking
switch(config-if-Et53/4-address-locking)#address-family ipv6

Enabling IP address Locking on All Ports of a VLAN

To activate IP address Locking on all VLAN port members, use the VLAN address locking configuration submode.

Examples

The following commands activate IPv4 address Locking on VLAN 20:

switch(config)#vlan 20
switch(config-vlan-20)#address locking
switch(config-vlan-20-addr-lock)#address-family ipv4

To exclude a VLAN port member, disable IP address Locking on that port using the interface configuration submode.

The following commands exclude port 25 on Ethernet2:

switch(config)#interface Ethernet2/25
switch(config-if-Et2/25)#address locking
switch(config-if-Et2/25)#address-family ipv4 disabled

To configure IPv6 address Locking on all ports, use the same commands, but designate the address-family as ipv6.

The following commands enable IPv6 address Locking and override the previous configuration for the interface.

switch(config)#interface Ethernet 27/1
switch(config-if-Et27/1)#address locking
switch(config-if-Et27/1-address-locking)#address-family ipv6

To enable IPv6 address Locking on all members of a port for VLAN 20, use the IPv6 Locking commands in the VLAN address locking configuration sub-mode.

switch(config)#vlan 20
switch(config-vlan-20)#address locking
switch(config-vlan-20-addr-lock)#address-family ipv6

Use the following command to enable both IPv4 and IPv6 address Locking on a port:

switch(config)#interface Ethernet 27/1
switch(config-if-Et27/1)#address locking
switch(config-if-Et27/1-address-locking)#address-family ipv4 
switch(config-if-Et27/1-address-locking)#address-family ipv6

Blocking IPv4 and ARP Packets

Use the deny ip_address on IPv4 address Locking ports to block all IPv4 and ARP packets with a specific source IPv4 address. The port denies the packet and affects only IPv4 enforcement modes. This action deauthorizes the addresses on the port and can be configured with multiple IPv4 addresses. You must configure this on an interface already configured with IPv4 address Locking.

Note: Use only IPv4 addresses with this configuration.

Example

switch(config)#interface Ethernet27/1
switch(config-if-Et27/1)#address locking
switch(config-if-Et27/1-addr-lock)#deny 172.21.16.25

Configuring IP Locking Static Leases

The lease mac command within address locking configuration mode installs a lease into hardware for the configured IP address on the interface with the configured associated mac address. If the mac address does not appear in the mac table or the mac address on an interface without a configured IP Locking feature, the lease does not install until the interface adds the mac address to an interface configured with IP Locking.

Note: IP Locking removesfrom the switch any lease from the DHCP server that matches either the same IP or mac as a statically configured lease.

Example

Use the following commands to configure an IP address, 172.21.13.11, and mac address, a0:ce:c8:b1:78:d3, with a static lease:

switch#configure
switch(config)#address locking
switch(config-address-locking)#lease 172.21.13.11 mac a0:ce:c8:b1:78:d3

Clearing Leases

The clear address locking lease command removes the lease from hardware. The command removes lease bindings at different granularities.
  • The clear address locking lease ipv4 V4ADDR command removes a single lease associated with an IPv4 address.
  • The clear address locking lease ipv6 V6ADDR command removes a single lease associated with an IPv6 address.
  • The clear address locking lease intf ethernet slot command removes all leases associated with the specified interface.
  • The clear address locking lease all removes all leases on the switch.

Configuring IP address Locking Lease Query Timeout

The command, lease query retry interval interval timeout minutes configures sending lease queries at specific retry intervals. The no lease query retry command removes the retry interval and timeout configuration.

Example

Use the following commands to configure an interval, 5, and timeout of 100 minutes :

switch(config)#address locking
switch(config-address-locking)#lease query retry interval 5 timeout 100

IP address Locking sends out DHCP LeaseQuery requests to all configured DHCP servers in the following cases:

  • When an IP address Locking enabled port learns a mac address, IP address Locking sends out a LeaseQuery request for the learned mac address. After learning the mac address, IP address Locking waits one (1) second for the DHCP.
  • When an IP address Locking enabled port removes a mac address after enabling the locked-address expiration mac disabled feature, IP address Locking sends a LeaseQuery request for the removed mac address.
  • When the IP address Locking agent restarts, eos sends LeaseQuery requests for all mac addresses on all IP address Locking interfaces and for all mac addresses in the IP address Locking table.
  • When you add a new DHCP configuration, eos sends new LeaseQuery requests to the new DHCP for all mac addresses learned on all IP address Locking interfaces and for all mac addresses in the IP address Locking leases table.
  • When you configure an interface with IP address Locking, IP address Locking sends LeaseQuery requests for all mac addresses learned on that interface.
  • When an IP or ARP packet with a source IP address that does not exist in the IP address Locking table arrives at an interface, eos sends LeaseQuery requests for all mac addresses on that interface. If the host already has a valid DHCP lease and the DHCP server sends a LeaseActive reply, IP address Locking sends at least one (1) request every 50 seconds for that host as a result of dropped ARP or IP packets.
  • When the DHCP Lease reaches the last known expiration time, IP address Locking sends out a LeaseQuery request for the mac address associated with the lease. Note that this may be different from the actual expiration time. For example, if the host renewed the lease before the actual lease expires and received no LeaseQuery requests sent for the mac address, IP address Locking sends out a query at the original expiration time.
  • After a LeaseActive reply receives a matching mac address of a previously received lease, IP address Locking sends out a LeaseQuery request for the previous IP address associated with the updated mac address.
  • After a LeaseActive reply receives a matching mac address of a previously received lease, IP address Locking sends out a LeaseQuery request for the previous mac address associated with the updated IP address.

When IP address Locking sends out a LeaseQuery request, and does not receive a LeaseActive reply, IP address Locking sends six (6) additional retries over 64 seconds using an exponential backoff algorithm. A 0-25% delay sending requests which may take up to 80 seconds to send out all seven (7) requests.

Every LeaseQuery request includes a transaction ID. After sending the last request, and for an additional 10 seconds, IP address Locking accepts any LeaseActive reply matching the transaction ID and then queries for the mac address of a sent LeaseQuery request.

If a LeaseActive reply contains multiple IP addresses, IP address Locking begins a query process for the additional IP addresses using the same retry mechanisms. However, if you configure the LeaseQuery retry interval and timeout but do not receive LeaseActive replies, IP address Locking sends continuous lease query requests at the configured retry interval until reaching the specified timeout period.

Configuring Locked address Expiration

The IP addresses remain authorized and installed after the corresponding mac addresses age out. IP address Locking, by default, removes authorized leases after the corresponding mac addresses age out. The locked-address expiration mac disabled command configures IP address Locking to keep leases installed, after the corresponding mac addresses age out.

Example

The following commands keep leases installed on the IP address:

switch#configure
switch(config)#address locking
switch(config-address-locking)#locked-address expiration mac disabled

Enforcing Locked IP addresses

The locked-address ipv4 enforcement disabled command disables address filtering for all ports with IPv4 address Locking enabled. This permits IPv4 packets while still keeping all other drop rules. When configured, IP address Locking does not drop IP or ARP packets, and does not send out lease queries to configured DHCP servers.

Examples

The following commands disable IPv4 address Locking globally:

switch#configure
switch(config)#address locking
switch(config-address-locking)#locked-address ipv4 enforcement disabled

The following commands configure locked address enforcement for an interface:

switch(config)#interface Ethernet27/1
switch(config-if-Et27/1)#address locking
switch(config-if-Et27/1-address-locking)#locked-address ipv4 enforcement disabled 

The following commands configure locked address enforcement for a VLAN:

switch(config)#vlan 20
switch(config-vlan-20)#address locking
switch(config-vlan-20-addr-lock)#locked-address ipv4 enforcement disabled

The locked-address ipv6 enforcement disabled command disables address filtering for all ports with IPv6 Locking enabled. This permits IPv6 packets while still keeping all other drop rules.

switch#configure
switch(config)#address locking
switch(config-address-locking)#locked-address ipv6 enforcement disabled

To configure locked address enforcement for an interface, use the following commands:

switch(config)#interface Ethernet27/1
switch(config-if-Et27/1)#address locking
switch(config-if-Et27/1-address-locking)#locked-address ipv6 enforcement disabled 

To configure locked address enforcement for VLAN 20, use the following commands:

switch(config)#vlan 20
switch(config-vlan-20)#address locking
switch(config-vlan-20-addr-lock)#locked-address ipv6 enforcement disabled

Displaying IP address Locking Counters

The show address locking counters command displays DHCP lease query messages sent, received, and dropped. The output provides two sets of counters:

  • The number of packets sent and received from each DHCP server.
  • The number of packets sent and received for each locked interface.

The output displays separate counters for the different types of messages communicated between the switch and the DHCP server.

Example
switch#show address locking counters
Lease Active Lease Unknown Lease Unassigned    	 
DHCP Server Query  Rcvd   Drop   Rcvd   Drop Rcvd     Drop    Unknown
----------- ----- ----- ------ ------ ------ -------- ------- -------
80.80.80.80 32860  8002 34     8001   32     13423     134    3234
            
            
Interface Query Lease Active Lease Unknown Lease Unassigned
--------- ----- ------------ ------------- ----------------
Ethernet2  1747 1234         189           324

The clear address locking counters command resets all the counters associated with IP Locking to zero.

Displaying IP address Locking

Use the show address locking command to display the status of IPv4 and IPv6 locking.

Example

switch# show address locking
IP Locking is active
Interface        IPv4	                 IPv6
--------------- -------------------   ---------------------------
Ethernet27/1     yes 	                 no (not configured) 
Ethernet31/1     no (not configured)   no (not a layer 2 interface)
The show address locking command also displays interfaces with the reason IP address Locking may not be enabled. For an interface without IP address Locking enabled, the following priority (highest at top) imposes on the output:
  • Unconfigured.
  • Not a Layer 2 interface.
  • No local interface configured.
  • No DHCP server configured.

The show address locking table ipv4 command displays all the DHCP leases that IP address Locking knows about, current status of installed leases, and the authorized interfaces for these IP addresses.

Example

switch# show address locking table ipv4
IP address     mac address      Interface  Installed    Expiration Time
-------------- ---------------- ---------- ------------ --------------- 
10.30.4.4      ba76.a467.7ff8   Et27/1     installed     in 0:01:57 

IP address Locking Commands

IP address Locking Configuration Commands

IP address Locking Clear Commands
IPv4 Static Lease Commands
IP address Locking address Expiration Commands

address locking deny

Use the address locking command to block IPv4 and ARP packets with specific IPv4 addresses on the switch. You must perform this command from an interface configured for IP address Locking on the switch.

Command Mode

Interface Configuration

address Locking Configuration

Command Syntax

address locking deny ip_address

Parameters

  • deny ip_address - Specify the IPv4 address to block packets.

Example

Use the following command to deny IPv4 and ARP packets from IPv4 address, 172.16.21.131, from Ethernet interface, Ethernet53/4:

switch(config)#interface Ethernet53/4
switch(config-if-Et53/4)#address locking 
switch(config-address-locking)#deny 172.16.21.131

address locking dhcp

Use the address locking command to enter address locking mode and then dhcp to configure the DHCP server.

Command Mode

address Locking Configuration

Command Syntax

address locking dhcp server ipv4 ip_address

Parameters

  • dhcp server - configure a DHCP server to assign IP addresses and assign static addresses using a mac address.
    • ipv4 ip_address - Specify the IP address for the DHCP server.
    • mac mac_address - Specify the mac address of the DHCP server.

Example

To configure a DHCP server with an IPv4 address. 172.13.21.3, use the following command:

switch(config)#address locking 
switch(config-address-locking)#dhcp server ipv4 172.13.21.3 

address-locking disable

The address-locking disable command disables IP address Locking on a switch.

Command Mode

address Locking Configuration

Command Syntax

address-locking disable

Parameters

  • disable

Use the address-locking command to enter address locking mode and then disable

to disable the configuration.
switch(config)#address-locking
            switch(config-address-locking)#disable

address locking lease

Use the address locking command to enter the IPv4 and IPv6 locking mode and then on the switch, use the lease to configure DHCP leases.

The lease mac command within the address locking configuration mode installs a lease onto hardware for the configured IP address on the interface with the associated configured mac address. If the mac address does not exist in the mac table or the mac address appears on an interface with an IP Locking configuration feature, the lease does not install until you add the mac address to an interface configured with IP Locking.

Command Mode

address Locking Configuration

Command Syntax

switch(config-address-locking)#lease ip_address mac ip_address 

Parameters

  • lease
    • V4ADDR - Specify the IPv4 address to assign the lease.
    • mac macADDR - Configure the mac address for a static lease.
  • no lease V4ADDR mac macADDR - Removes the retry and timeout configuration.
  • default lease V4ADDR mac macADDR - Configures the lease with the default IPv4 address and mac address.

Example

To configure a lease with the IPv4 address, 1.1.1.1, and the mac address, a.b.c, use the following command:

switch(config)#address locking 
switch(config-address-locking)#lease 1.1.1.1 mac a.b.c

address locking lease query

Use the address locking command to enter the IPv4 and IPv6 locking mode and then use the lease query retry interval to configure DHCP leases.

The no lease query retry command removes the retry interval and timeout configuration.

Command Mode

address Locking Configuration

Command Syntax

switch(config-address-locking)#lease query retry interval interval-time

Parameters

  • lease query retry interval interval - Configure thequery retry interval and timeout. The interval can be from 1 - 4294967295 seconds.

Example

To configure a lease with the retry interval, 5 seconds, and a timeout, 100, use the following command:

switch(config)#address locking
switch(config-address-locking)#lease query retry interval 5 timeout 100
       

address locking local-interface

Use the address locking local-interface command to configure a local interface for IPv4 and IPv6 locking IP addresses on the switch.

Command Mode

address Locking Configuration

Command Syntax

address locking local-interface [Ethernet | Loopback | Management | Port Channel | Tunnel | Vlan]

Parameters

  • local-interface
    • Ethernet slot_number - Configure an Ethernet subinterface for IPv4 and IPv6 locking IP addresses on the switch.
    • Loopback loopback_interface_number - Configure a Loopback interface for IPv4 and IPv6 locking IP addresses on the switch.
    • Management management_interface slot_number - for IPv4 and IPv6 locking IP addresses on the switch.
    • Port-Channel lag_group port_channel_subinterface - Configure a Port-Channel interface for IPv4 and IPv6 locking IP addresses on the switch.
    • Tunnel tunnel_interface - Configure a Tunnel interface for IPv4 and IPv6 locking IP addresses on the switch.
    • Vlan vlan_interface_number - Configure a VLAN interface for IPv4 and IPv6 locking IP addresses on the switch.

Example

To configure an Ethernet interface, Ethernet53/4, use the following command:

switch(config)#address locking
switch(config-address-locking)#local-interface Ethernet53/4

clear address locking lease

Use the clear address locking lease command to remove lease bindings at different granularities.

  • The clear address locking lease ipv4 V4ADDR command removes a single lease associated with an IPv4 address.
  • The clear address locking lease ipv6 V6ADDR command removes a single lease associated with an IPv6 address.
  • The clear address locking lease intf ethernet slot commandremoves all leases associated with the specified interface.
  • The clear address locking lease all command remove all leases on the switch.

Command Mode

address Locking mode

Command Syntax

clear address locking lease [ all | interface [ ethernet slot ] | ipv4 V4ADDR | ipv6 V6ADDR ]

Parameters
  • all- View the entire lease table.
  • interface- interface to clear the lease.
    • ethernet slot- Ethernet interface slot number.
  • ipv4 V4ADDR- IPv4 address of the lease
  • ipv6 V6ADDR - IPv6 address of the lease

Example

Use the following command to clear all IP address Locking leases from the switch:

switch(config-address-locking)#clear address locking lease all

locked-address expiration mac disabled

IP address Locking, by default, removes authorization from leases after the corresponding mac addresses age out. Use the locked-address expiration mac disabled command to configure IP address Locking to keep the leases installed, even after the corresponding mac addresses age out.

Command Mode

address Locking Configuration

Command Syntax

locked-address expiration mac disabled
no locked-address expiration mac disabled
default locked-address expiration mac disabled
Parameters
  • expiration - Configures expiration mode for locked addresses.
  • mac - Configures deauthorizing locked addresses when mac addresses age out.
  • disabled - Disables deauthorizing locked address when mac addresses age out.

Example

Use this command to disable locked address expiration:

switch#configure
switch(config)#address locking
switch(config-address-locking)#locked-address expiration mac disabled

locked-address ipv4 enforcement disabled

The locked-address ipv4 enforcement disabled command disables address filtering for all ports with IPv4 Locking enabled. This permits IPv4 packets while still keeping all other drop rules.

Command Mode

address Locking Configuration

Command Syntax

locked-address ipv4 enforcement disabled
no locked-address ipv4 enforcement disabled
default locked-address ipv4 enforcement disabled
Parameters
  • ipv4 - Configure the IP address family.
  • enforcement - Configure enforcement for locked addresses.
  • disabled - Disable enforcement for locked addresses.

Example

Use the following command to disable locking address enforcement for IPv4 addresses:

switch# configure
switch(config)# address locking
switch(config-address-locking)# locked-address ipv4 enforcement disabled

locked-address ipv6 enforcement disabled

The locked-address ipv6 enforcement disabled command disables address filtering for all ports with IPv6 Locking enabled. This permits IPv6 packets while retaining all other drop rules.

Command Mode

address Locking Configuration

Command Syntax

locked-address - IPv6 enforcement disabled.

no locked-address - IPv6 enforcement disabled.

default locked-address - IPv6 enforcement disabled.

Parameters
  • ipv6 - IPv6 address configuration.
  • enforcement - Configure enforcement for locked addresses.
  • disabled - Disable enforcement for locked addresses.

Example

Use the following command to disable locking address enforcement for IPv6 addresses:

switch# configure
switch(config)#address locking
switch(config-address-locking)#locked-address ipv6 enforcement disabled

show address locking

Use the show address locking command to display the status of IP and IPv6 locking.

The show address locking command also displays the reason as to why IP Locking is not enabled for an interface. For an interface without IP Locking enabled, the following priority (highest at top) apply to the output:
  • Interface not configured.
  • Interface is not a Layer 2 interface.
  • No local interface configured.
  • No DHCP server configured.

Command Mode

EXEC

Command Syntax

show address locking

Example

To display information about IP locking, use the show address locking command:

switch# show address locking
         
IP Locking is active
Interface        IPv4	                 IPv6
--------------- -------------------   ---------------------------
Ethernet27/1     yes 	                 no (not configured) 
Ethernet31/1     no (not configured)    no (not a layer 2 interface)

show address locking counters

The show address locking counters command displays DHCP lease query messages sent, received, and dropped. Two sets of counters display in the output:
  • Number of packets sent and received from each DHCP server.
  • Number of packets sent and received for each locked interface.
IP Locking uses separate counters for different kinds of messages communicated between the switch and the DHCP server.

Command Mode

EXEC

Command Syntax

show address locking counters

Related Commands

The clear address locking counters command resets all the counters associated with IP Locking to zero.

Example

The following command displays IP address Locking Counters:

switch#show address locking counters
Lease Active Lease Unknown Lease Unassigned    	 
DHCP Server Query  Rcvd   Drop   Rcvd   Drop Rcvd     Drop    Unknown
----------- ----- ----- ------ ------ ------ -------- ------- -------
80.80.80.80 32860  8002 34     8001   32     13423     134    3234
            
            
Interface Query Lease Active Lease Unknown Lease Unassigned
--------- ----- ------------ ------------- ----------------
Ethernet2  1747 1234         189           324

show address locking table ipv4

Use the show address locking table ipv4 command to display all DHCP leases with IP Locking, and the interfaces with authorized the IP addresses.

Command Mode

EXEC

Command Syntax

show address locking table ipv4 [ dynamic [ installed | [ interface Ethernet slot ] | installed | interface [ Ethernet [ slot ] | static [ installed | interface [ Ethernet slot ]]]

Parameters
  • dynamic - Display the dynamic leases.
    • installed-Display the leases installed on the hardware.
    • interface - Display the leases on a specified interface.
  • installed - Display installed leases.
  • interface - Display the leases on a specified interface.
    • Ethernet slot Specified Ethernet sub-interface.
  • static - Display static leases.
    • installed - Display the leases on the hardware.
    • interface - Display the leases on a specified interface.
      • Ethernetslot Specified Ethernet sub-interface.
Example
switch#show address locking table ipv4
IP address     mac address      Interface  Installed    Expiration Time
-------------- ---------------- ---------- ------------ --------------- 
AC 10.30.4.4   ba76.a467.7ff8   Et27/1     installed     in 0:01:57 

  IP address       Action
---------------   --------
10.30.4.4         permit