IP address Locking
EOS provides IP address Locking on Ethernet Layer 2 ports.
After enabling IP address Locking on a Layer 2 (L2) port, the port only permits IP and ARP packets whose source IP address is authorized for that port. Configure IP address Locking in one of two modes:
- IPv4
- IPv6
IP address Locking prevents a host on one interface from claiming ownership of an IP address that belongs to a host on another interface (ARP spoofing). IPv6 Locking extends this behavior to IPv6 packets, including ICMPv6 Neighbor Discovery Router Advertisement and Redirect messages and DHCPv6 server-to-client packets.
On an IPv4 locked port, the switch performs the following actions:
- Permit ARP probes that use the IPv4 address 0.0.0.0 as the Sender Protocol Address (SPA).
- Permit Duplicate Address Detection (DAD).
- Drop incoming DHCP server response packets, so that a rogue device on the port cannot act as a DHCP server.
- Permit incoming DHCP client request packets, so that hosts on the port can complete the DHCP handshake and obtain a lease.
On an IPv6 locked port, the switch performs the following actions:
- Drop incoming DHCPv6 server response packets.
- Permit incoming DHCPv6 client request packets.
- For incoming ICMPv6 Neighbor Discovery packets:
  - Drop Router Advertisement packets, since only routers should send them.
  - Permit Router Solicitation packets.
  - Drop Redirect packets, since only routers should send them.
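The permit and drop rules above are easier to reason about as code. The following Python is an added example, not EOS or Arista code: it models the decision a locked port makes for each packet, with packets represented as plain dicts constructed inline (the real switch filters in hardware). The DHCPv6 message codes are an assumption taken from RFC 8415, since the text only says "server response packets"; the IPv6 enforcement flag defaults to off because IPv6 Locking runs with enforcement disabled, as described later on this page.

```python
"""Permit/drop model of an IP address locked port (added example, not EOS code)."""
from dataclasses import dataclass, field

ICMPV6_ROUTER_SOLICITATION = 133     # RFC 4861 Neighbor Discovery types
ICMPV6_ROUTER_ADVERTISEMENT = 134
ICMPV6_REDIRECT = 137
DHCPV6_SERVER_MSGS = {2, 7, 10}      # ADVERTISE, REPLY, RECONFIGURE (assumption, RFC 8415)
BOOTREQUEST, BOOTREPLY = 1, 2        # DHCPv4 'op' field: client request vs server reply


@dataclass
class LockedPort:
    """Per-port state: authorized sources (from DHCP LeaseQuery or static
    leases), addresses removed with 'deny', and the enforcement switches."""
    ipv4_authorized: set = field(default_factory=set)
    ipv4_denied: set = field(default_factory=set)
    ipv6_authorized: set = field(default_factory=set)
    ipv4_enforce: bool = True
    ipv6_enforce: bool = False       # IPv6 Locking runs with enforcement disabled


def filter_ipv4(port: LockedPort, pkt: dict) -> str:
    proto = pkt["proto"]
    if proto == "dhcp":
        # a rogue DHCP server's replies are dropped; client requests pass
        return "drop" if pkt["op"] == BOOTREPLY else "permit"
    src = pkt["spa"] if proto == "arp" else pkt["src"]
    if proto == "arp" and src == "0.0.0.0":
        return "permit"              # ARP probe / IPv4 DAD is always allowed
    if not port.ipv4_enforce:
        return "permit"              # only the drop rules above remain
    if src in port.ipv4_denied:
        return "drop"                # 'deny' deauthorizes the address on this port
    return "permit" if src in port.ipv4_authorized else "drop"


def filter_ipv6(port: LockedPort, pkt: dict) -> str:
    proto = pkt["proto"]
    if proto == "icmpv6":
        if pkt["type"] in (ICMPV6_ROUTER_ADVERTISEMENT, ICMPV6_REDIRECT):
            return "drop"            # only routers should originate these
        if pkt["type"] == ICMPV6_ROUTER_SOLICITATION:
            return "permit"
    elif proto == "dhcpv6":
        return "drop" if pkt["msg_type"] in DHCPV6_SERVER_MSGS else "permit"
    if not port.ipv6_enforce:
        return "permit"              # drop rules above still applied
    return "permit" if pkt["src"] in port.ipv6_authorized else "drop"


def filter_packet(port: LockedPort, pkt: dict) -> str:
    return filter_ipv4(port, pkt) if pkt["family"] == 4 else filter_ipv6(port, pkt)


# Constructed traffic for a port whose leases are 10.30.4.4 and 10.30.4.9,
# with 10.30.4.9 subsequently removed with 'deny'
PORT = LockedPort(ipv4_authorized={"10.30.4.4", "10.30.4.9"}, ipv4_denied={"10.30.4.9"})
SAMPLE_PACKETS = {
    "arp_from_lease":   {"family": 4, "proto": "arp", "spa": "10.30.4.4"},
    "arp_spoof":        {"family": 4, "proto": "arp", "spa": "10.30.4.1"},
    "arp_probe":        {"family": 4, "proto": "arp", "spa": "0.0.0.0"},
    "ip_unauthorized":  {"family": 4, "proto": "ip", "src": "10.30.4.5"},
    "ip_denied":        {"family": 4, "proto": "ip", "src": "10.30.4.9"},
    "dhcp_discover":    {"family": 4, "proto": "dhcp", "op": BOOTREQUEST},
    "dhcp_offer":       {"family": 4, "proto": "dhcp", "op": BOOTREPLY},
    "icmpv6_rs":        {"family": 6, "proto": "icmpv6", "type": 133, "src": "fe80::1"},
    "icmpv6_ra":        {"family": 6, "proto": "icmpv6", "type": 134, "src": "fe80::1"},
    "icmpv6_redirect":  {"family": 6, "proto": "icmpv6", "type": 137, "src": "fe80::1"},
    "icmpv6_ns":        {"family": 6, "proto": "icmpv6", "type": 135, "src": "fe80::1"},
    "dhcpv6_solicit":   {"family": 6, "proto": "dhcpv6", "msg_type": 1},
    "dhcpv6_advertise": {"family": 6, "proto": "dhcpv6", "msg_type": 2},
}


def run_samples(port: LockedPort = PORT) -> dict:
    """Map each sample packet name to the port's decision."""
    return {name: filter_packet(port, pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:18} {verdict}")
```

Running it with a second port created as LockedPort(ipv4_enforce=False) shows what "enforcement disabled" means in practice: the unauthorized IP and spoofed ARP packets are permitted, but the DHCP server reply is still dropped.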
IP address Locking relies on DHCP LeaseQuery (RFC 4388) and MAC address learning to determine whether an IP address is authorized on a particular port. Ensure that the DHCP servers used in the network accept and answer LeaseQuery messages; without LeaseActive replies, the switch cannot authorize dynamically assigned addresses.
IP address Locking Configuration
This section describes IP Locking configuration tasks. Topics in this section include:
- Preparing a Switch for IP address Locking
- Enabling IP address Locking
- Disabling IP address Locking
- Enabling IP address Locking on Ports
- Enabling IP address Locking on All Ports of a VLAN
- Blocking IPv4 and ARP Packets
- Configuring IP Locking Static Leases
- Configuring IP address Locking Lease Query Timeout
- Configuring Locked address Expiration
- Enforcing Locked IP addresses
- Displaying IP address Locking Counters
- Displaying IP address Locking
Preparing a Switch for IP address Locking
Before enabling IPv4 address Locking, you must configure a DHCP Server and a Local Layer 3 interface.
Enabling a DHCP Server for IPv4 address Locking
Add the DHCP servers used by hosts to acquire leases. IPv4 address Locking communicates with the DHCP servers to learn the authorized IP addresses on the switch.
Example
The following commands add two DHCP servers, one with the IPv4 address 10.1.1.1 and one with the IPv4 address 10.30.1.3:
switch(config-address-locking)#dhcp server ipv4 10.1.1.1
switch(config-address-locking)#dhcp server ipv4 10.30.1.3
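Before adding a DHCP server here, confirm that it actually answers LeaseQuery; the switch can only authorize dynamically assigned addresses that a server confirms with LeaseActive. The following Python is an added example, not EOS or Arista code: it builds the RFC 4388 DHCPLEASEQUERY-by-MAC message the switch sends and classifies the server's LeaseActive, LeaseUnknown or LeaseUnassigned answer, rejecting replies whose transaction ID does not match, as the switch does. The addresses, the MAC address and the sample reply are constructed; query_server sends a real query and must run as root, because RFC 4388 servers reply to the giaddr address on UDP port 67.

```python
"""DHCP LeaseQuery (RFC 4388) builder and reply classifier (added example, not EOS code)."""
import socket
import struct

DHCPLEASEQUERY, DHCPLEASEUNASSIGNED, DHCPLEASEUNKNOWN, DHCPLEASEACTIVE = 10, 11, 12, 13
REPLY_NAMES = {11: "LeaseUnassigned", 12: "LeaseUnknown", 13: "LeaseActive"}
MAGIC = b"\x63\x82\x53\x63"                     # DHCP options magic cookie
BOOTP_HDR = "!BBBBIHH4s4s4s4s16s64s128s"        # RFC 2131 fixed header, 236 bytes


def _chaddr(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))


def build_leasequery(xid: int, giaddr: str, mac: str) -> bytes:
    """Query by MAC: op=BOOTREQUEST, chaddr set, ciaddr/yiaddr zero, and
    giaddr set to our own address, which is where the server sends the reply."""
    hdr = struct.pack(BOOTP_HDR, 1, 1, 6, 0, xid, 0, 0,
                      b"\0" * 4, b"\0" * 4, b"\0" * 4, socket.inet_aton(giaddr),
                      _chaddr(mac).ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    opts = (MAGIC + bytes([53, 1, DHCPLEASEQUERY])     # message type
            + bytes([55, 2, 51, 92])                   # ask for lease time, associated-ip
            + b"\xff")
    return hdr + opts


def parse_options(data: bytes) -> dict:
    opts, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == 255:
            break
        if code == 0:                                  # pad
            i += 1
            continue
        ln = data[i + 1]
        opts[code] = data[i + 2:i + 2 + ln]
        i += 2 + ln
    return opts


def parse_reply(pkt: bytes, expected_xid: int) -> dict:
    """Classify a server answer; raise if it is not a reply to our query."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    op, _, hlen, _, xid = struct.unpack("!BBBBI", pkt[:8])
    if op != 2 or xid != expected_xid:
        # the switch likewise only accepts replies carrying the xid it sent
        raise ValueError("reply does not match an outstanding LeaseQuery")
    opts = parse_options(pkt[240:])
    mtype = opts.get(53, b"\0")[0]
    if mtype not in REPLY_NAMES:
        raise ValueError(f"unexpected DHCP message type {mtype}")
    result = {"type": REPLY_NAMES[mtype], "ip": None, "mac": None, "lease_secs": None}
    if mtype == DHCPLEASEACTIVE:
        result["ip"] = socket.inet_ntoa(pkt[12:16])    # ciaddr carries the leased IP
        result["mac"] = pkt[28:28 + hlen].hex(":")
        if 51 in opts:                                 # remaining lease time
            result["lease_secs"] = struct.unpack("!I", opts[51])[0]
    return result


def sample_reply(xid: int, mtype: int, ip: str = "0.0.0.0",
                 mac: str = "00:00:00:00:00:00", lease_secs: int = None) -> bytes:
    """Constructed server answer for offline testing (not a capture)."""
    hdr = struct.pack(BOOTP_HDR, 2, 1, 6, 0, xid, 0, 0,
                      socket.inet_aton(ip), b"\0" * 4, b"\0" * 4, b"\0" * 4,
                      _chaddr(mac).ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    opts = MAGIC + bytes([53, 1, mtype])
    if lease_secs is not None:
        opts += bytes([51, 4]) + struct.pack("!I", lease_secs)
    return hdr + opts + b"\xff"


def query_server(server: str, local_ip: str, mac: str,
                 xid: int = 0x5EED1234, timeout: float = 3.0) -> dict:
    """Send one LeaseQuery and wait for the answer (binds UDP/67, needs root)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.bind((local_ip, 67))
        s.sendto(build_leasequery(xid, local_ip, mac), (server, 67))
        data, _ = s.recvfrom(1500)
    return parse_reply(data, xid)


if __name__ == "__main__":
    xid = 0x1234
    active = sample_reply(xid, DHCPLEASEACTIVE, "10.30.4.4", "a0:ce:c8:b1:78:d3", 117)
    print(parse_reply(active, xid))
```

A LeaseUnknown answer for a MAC address that you know holds a lease usually means the server has LeaseQuery disabled or restricted to specific requesters; a timeout usually means the server does not implement RFC 4388 at all. Either way the switch will never authorize that host's address dynamically.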
Adding a Local Layer 3 Interface
Add a local L3 interface for communicating with the DHCP servers. This can be the management interface, a routed interface, or a Switch Virtual Interface (SVI). The interface must have a valid IP address with a route to each configured DHCP server, and it can reside in a non-default VRF. LeaseQuery packets the switch sends to the DHCP servers use this interface's IP address as their source address.
Example
The following commands configure VLAN interface 2160 with the IP address 10.10.1.2/16:
switch#configure
switch(config)#interface Vlan2160
switch(config-if-Vl2160)#ip address 10.10.1.2/16
The following commands add the interface to the IP address Locking configuration:
switch#configure
switch(config)#address locking
switch(config-address-locking)#local-interface Vlan2160
Enabling IP address Locking
Configure IP address Locking for IPv4, IPv6, or both. IPv6 address Locking requires the additional step described in Enabling IPv6 address Locking below.
Enabling IPv4 address Locking
Enable IPv4 address Locking from address locking configuration mode.
Example
Use the following commands to enter IP address Locking configuration mode and add IPv4 address Locking:
switch#configure
switch(config)#address locking
switch(config-address-locking)#locked-address ipv4
Enabling IPv6 address Locking
IPv6 address Locking operates with enforcement disabled: a locked port applies the IPv6 drop rules (Router Advertisement, Redirect, and DHCPv6 server response packets) but does not filter IPv6 packets by source address. Disable IPv6 enforcement before enabling IPv6 address Locking.
Example
Use the following commands to disable IPv6 enforcement and then enable IPv6 address Locking:
switch#configure
switch(config)#address locking
switch(config-address-locking)#locked-address ipv6 enforcement disabled
switch(config-address-locking)#locked-address ipv6
Disabling IP address Locking
Disable IP address Locking with the disabled command in address locking configuration mode. This turns the feature off and allows a host to use any IP address, authorized or unauthorized, on any port.
Example
switch#configure
switch(config)#address locking
switch(config-address-locking)#disabled
Enabling IP address Locking on Ports
To enable IPv4 address Locking on ports connected to clients, enable it in the interface address locking submode with the address-family ipv4 command. This command enables only IPv4 Locking and overrides any previous IP address Locking configuration on the interface.
Example
Use the following commands to enable IP address Locking for the interface, Ethernet27/1:
switch(config)#interface Ethernet27/1
switch(config-if-Et27/1)#address locking
switch(config-if-Et27/1-address-locking)#address-family ipv4
To enable IPv6 address Locking on ports connected to clients, use the address-family ipv6 parameter instead.
Example
The following commands enable IPv6 address Locking on interface Ethernet53/4:
switch(config)#interface Ethernet53/4
switch(config-if-Et53/4)#address locking
switch(config-if-Et53/4-address-locking)#address-family ipv6
Enabling IP address Locking on All Ports of a VLAN
To activate IP address Locking on all VLAN port members, use the VLAN address locking configuration submode.
Examples
The following commands activate IPv4 address Locking on VLAN 20:
switch(config)#vlan 20
switch(config-vlan-20)#address locking
switch(config-vlan-20-addr-lock)#address-family ipv4
To exclude a port that is a member of the VLAN, disable IP address Locking on that port in the interface address locking submode.
The following commands exclude interface Ethernet2/25:
switch(config)#interface Ethernet2/25
switch(config-if-Et2/25)#address locking
switch(config-if-Et2/25-address-locking)#address-family ipv4 disabled
To configure IPv6 address Locking on all ports of a VLAN, use the same commands but designate the address family as ipv6.
The following commands enable IPv6 address Locking on a single interface and override the previous IP address Locking configuration for that interface:
switch(config)#interface Ethernet27/1
switch(config-if-Et27/1)#address locking
switch(config-if-Et27/1-address-locking)#address-family ipv6
To enable IPv6 address Locking on all port members of VLAN 20, use the address-family ipv6 command in the VLAN address locking configuration submode:
switch(config)#vlan 20
switch(config-vlan-20)#address locking
switch(config-vlan-20-addr-lock)#address-family ipv6
Use the following commands to enable both IPv4 and IPv6 address Locking on a port:
switch(config)#interface Ethernet27/1
switch(config-if-Et27/1)#address locking
switch(config-if-Et27/1-address-locking)#address-family ipv4
switch(config-if-Et27/1-address-locking)#address-family ipv6
Blocking IPv4 and ARP Packets
Use the deny ip_address command on an IPv4 address Locking port to block all IPv4 and ARP packets with the specified source IPv4 address. The command deauthorizes the address on that port even if a DHCP lease or static lease would otherwise authorize it, and it only takes effect while IPv4 enforcement is enabled. Repeat the command to deny multiple IPv4 addresses. You must configure it on an interface that already has IPv4 address Locking enabled.
Example
switch(config)#interface Ethernet27/1
switch(config-if-Et27/1)#address locking
switch(config-if-Et27/1-address-locking)#deny 172.21.16.25
Configuring IP Locking Static Leases
The lease ip_address mac mac_address command in address locking configuration mode installs a static lease in hardware for the configured IP address, on the interface where the configured MAC address is learned. If the MAC address is not in the MAC table, or is learned on an interface that is not configured for IP address Locking, the lease is not installed until the MAC address is learned on an interface that has IP address Locking configured.
Example
Use the following commands to configure a static lease for the IP address 172.21.13.11 and the MAC address a0:ce:c8:b1:78:d3:
switch#configure
switch(config)#address locking
switch(config-address-locking)#lease 172.21.13.11 mac a0:ce:c8:b1:78:d3
Clearing Leases
- The clear address locking lease ipv4 V4ADDR command removes the single lease associated with an IPv4 address.
- The clear address locking lease ipv6 V6ADDR command removes the single lease associated with an IPv6 address.
- The clear address locking lease interface ethernet slot command removes all leases associated with the specified interface.
- The clear address locking lease all command removes all leases on the switch.
Configuring IP address Locking Lease Query Timeout
The lease query retry interval seconds timeout minutes command configures IP address Locking to resend unanswered LeaseQuery requests at a fixed interval until the timeout expires, instead of using the default exponential backoff. The no lease query retry command removes the retry interval and timeout configuration.
Example
Use the following commands to configure a retry interval of 5 seconds and a timeout of 100 minutes:
switch(config)#address locking
switch(config-address-locking)#lease query retry interval 5 timeout 100
IP address Locking sends out DHCP LeaseQuery requests to all configured DHCP servers in the following cases:
- When a port with IP address Locking enabled learns a MAC address, IP address Locking sends a LeaseQuery request for that MAC address and waits one (1) second for the DHCP server to reply before retrying.
- When a port with IP address Locking enabled removes a MAC address while locked-address expiration mac disabled is configured, IP address Locking sends a LeaseQuery request for the removed MAC address.
- When the IP address Locking agent restarts, EOS sends LeaseQuery requests for all MAC addresses on all IP address Locking interfaces and for all MAC addresses in the IP address Locking lease table.
- When you add a new DHCP server to the configuration, EOS sends LeaseQuery requests to that server for all MAC addresses learned on all IP address Locking interfaces and for all MAC addresses in the IP address Locking lease table.
- When you enable IP address Locking on an interface, IP address Locking sends LeaseQuery requests for all MAC addresses learned on that interface.
- When an IP or ARP packet with a source IP address that is not in the IP address Locking table arrives on an interface, EOS sends LeaseQuery requests for all MAC addresses on that interface. If the host already holds a valid lease and the DHCP server answers with LeaseActive, IP address Locking sends at most one (1) such request every 50 seconds for that host as a result of dropped ARP or IP packets.
- When a DHCP lease reaches its last known expiration time, IP address Locking sends a LeaseQuery request for the MAC address associated with the lease. The last known expiration time can differ from the actual one: if the host renewed its lease and no LeaseQuery was sent for that MAC address since the renewal, the switch still queries at the originally learned expiration time.
- When a LeaseActive reply returns a different IP address for a MAC address that already has a lease, IP address Locking sends a LeaseQuery request for the IP address previously associated with that MAC address.
- When a LeaseActive reply returns a different MAC address for an IP address that already has a lease, IP address Locking sends a LeaseQuery request for the MAC address previously associated with that IP address.
When IP address Locking sends a LeaseQuery request and receives no LeaseActive reply, it sends six (6) retries over about 64 seconds using exponential backoff. Each retry delay is stretched by a random 0-25%, so sending all seven (7) requests can take up to 80 seconds.
Every LeaseQuery request carries a transaction ID. IP address Locking accepts a LeaseActive reply only if its transaction ID and MAC address match a LeaseQuery it sent, and keeps accepting such replies for 10 seconds after the last request goes out.
If a LeaseActive reply contains multiple IP addresses, IP address Locking queries the additional IP addresses using the same retry mechanism. If you configure a LeaseQuery retry interval and timeout, the exponential backoff is replaced: when no LeaseActive reply arrives, IP address Locking keeps sending LeaseQuery requests at the configured retry interval until the timeout expires.
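The retry timing above determines how long an unauthorized host can be blocked before its lease is confirmed, and how long a rogue or unreachable DHCP server keeps the switch querying. The following Python is an added example, not EOS or Arista code: it reproduces both regimes (default exponential backoff with jitter, and the configured fixed-interval mode) and the transaction-ID and reply-window check. A doubling gap starting at 1 s is an assumption; it is the schedule that sums to the roughly 64 s quoted, and 25% jitter on every gap lands just under the 80 s upper bound. Times are offsets in seconds from the first request.

```python
"""LeaseQuery retry timing model (added example, not EOS code)."""
import random

DEFAULT_RETRIES = 6
MAX_JITTER = 0.25
REPLY_WINDOW_SECS = 10           # replies still accepted this long after the last send


def default_send_times(jitter=random.random) -> list:
    """Send offsets for the initial request plus DEFAULT_RETRIES retries.
    'jitter' returns a value in [0, 1); pass a constant to get the bounds.
    Assumption: each gap doubles, starting at 1 s (1+2+4+8+16+32 = 63 s)."""
    times, t, gap = [0.0], 0.0, 1.0
    for _ in range(DEFAULT_RETRIES):
        t += gap * (1 + MAX_JITTER * jitter())     # 0-25 % jitter on each gap
        times.append(round(t, 3))
        gap *= 2
    return times


def configured_send_times(interval_secs: int, timeout_mins: int) -> list:
    """Fixed-interval regime set with 'lease query retry interval <s> timeout <min>':
    keep querying every interval until the timeout elapses."""
    if interval_secs < 1:
        raise ValueError("interval must be at least 1 second")
    return list(range(0, timeout_mins * 60 + 1, interval_secs))


def accept_reply(send_times: list, sent_xid: int, reply_xid: int, reply_at: float) -> bool:
    """A LeaseActive is used only if its transaction ID matches the query we
    sent and it arrives before the window after the last request closes."""
    return reply_xid == sent_xid and reply_at <= send_times[-1] + REPLY_WINDOW_SECS


if __name__ == "__main__":
    print("no jitter:  ", default_send_times(lambda: 0.0))
    print("max jitter: ", default_send_times(lambda: 1.0))
    sched = configured_send_times(5, 100)
    print(f"configured: {len(sched)} requests, last at {sched[-1]} s")
```

The comparison is worth making before changing the defaults: with interval 5 and timeout 100 the switch sends 1201 requests per unanswered MAC address over 100 minutes, against 7 requests in at most 80 seconds by default, so a DHCP server that is slow to answer LeaseQuery will see far more traffic from a busy access switch.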
Configuring Locked address Expiration
By default, IP address Locking removes an authorized lease when the corresponding MAC address ages out of the MAC table, so an IP address stops being authorized on a port once its host is no longer seen there. The locked-address expiration mac disabled command configures IP address Locking to keep leases installed after the corresponding MAC addresses age out; the IP address then stays authorized on the port until the DHCP lease itself expires.
The following commands keep leases installed after MAC address age-out:
switch#configure
switch(config)#address locking
switch(config-address-locking)#locked-address expiration mac disabled
Enforcing Locked IP addresses
The locked-address ipv4 enforcement disabled command disables source address filtering on all ports with IPv4 address Locking enabled. IPv4 and ARP packets are permitted regardless of source address, while the other drop rules (such as dropping DHCP server responses) stay in effect. With enforcement disabled, IP address Locking does not drop IP or ARP packets and does not send LeaseQuery requests to the configured DHCP servers.
Examples
The following commands disable IPv4 enforcement globally:
switch#configure
switch(config)#address locking
switch(config-address-locking)#locked-address ipv4 enforcement disabled
The following commands disable IPv4 enforcement on a single interface:
switch(config)#interface Ethernet27/1
switch(config-if-Et27/1)#address locking
switch(config-if-Et27/1-address-locking)#locked-address ipv4 enforcement disabled
The following commands disable IPv4 enforcement on all port members of a VLAN:
switch(config)#vlan 20
switch(config-vlan-20)#address locking
switch(config-vlan-20-addr-lock)#locked-address ipv4 enforcement disabled
The locked-address ipv6 enforcement disabled command disables address filtering for all ports with IPv6 Locking enabled. This permits IPv6 packets while still keeping all other drop rules.
switch#configure
switch(config)#address locking
switch(config-address-locking)#locked-address ipv6 enforcement disabled
To disable IPv6 enforcement on a single interface, use the following commands:
switch(config)#interface Ethernet27/1
switch(config-if-Et27/1)#address locking
switch(config-if-Et27/1-address-locking)#locked-address ipv6 enforcement disabled
To disable IPv6 enforcement on all port members of VLAN 20, use the following commands:
switch(config)#vlan 20
switch(config-vlan-20)#address locking
switch(config-vlan-20-addr-lock)#locked-address ipv6 enforcement disabled
Displaying IP address Locking Counters
The show address locking counters command displays DHCP lease query messages sent, received, and dropped. The output provides two sets of counters:
- The number of packets sent and received from each DHCP server.
- The number of packets sent and received for each locked interface.
The output displays separate counters for the different types of messages communicated between the switch and the DHCP server.
switch#show address locking counters
                      Lease Active    Lease Unknown   Lease Unassigned
DHCP Server   Query   Rcvd    Drop    Rcvd    Drop    Rcvd    Drop      Unknown
-----------   -----   -----   -----   -----   -----   -----   -----     -------
80.80.80.80   32860   8002    34      8001    32      13423   134       3234

Interface   Query   Lease Active   Lease Unknown   Lease Unassigned
---------   -----   ------------   -------------   ----------------
Ethernet2   1747    1234           189             324
The clear address locking counters command resets all the counters associated with IP Locking to zero.
Displaying IP address Locking
Use the show address locking command to display the status of IPv4 and IPv6 locking.
Example
switch#show address locking
IP Locking is active
Interface        IPv4                  IPv6
---------------  --------------------  ---------------------------
Ethernet27/1     yes                   no (not configured)
Ethernet31/1     no (not configured)   no (not a layer 2 interface)
The IPv4 and IPv6 columns show yes when locking is active for that address family on the interface. When it is not, the reason in parentheses is one of:
- Not configured.
- Not a Layer 2 interface.
- No local interface configured.
- No DHCP server configured.
The show address locking table ipv4 command displays all the DHCP leases that IP address Locking knows about, current status of installed leases, and the authorized interfaces for these IP addresses.
Example
switch# show address locking table ipv4
IP address      MAC address       Interface   Installed    Expiration Time
--------------  ----------------  ----------  -----------  ---------------
10.30.4.4       ba76.a467.7ff8    Et27/1      installed    in 0:01:57
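The show outputs are also the raw material for two checks a security operations team would run on a schedule: every Layer 2 access port should have locking active, and each configured DHCP server should be answering most of the switch's LeaseQuery requests (a server that stops answering quietly turns the feature into a denial of service for new hosts). The following Python is an added example, not EOS or Arista code. The sample text is the output shown on this page plus one constructed row (Ethernet2/25); how you obtain the text (pasting from the CLI or fetching it over eAPI) and the 50% answer-ratio threshold are assumptions.

```python
"""Audit checks over 'show address locking' output (added example, not EOS code)."""
import re

# Output from this page, plus a constructed row for an unlocked access port
STATUS_SAMPLE = """\
IP Locking is active
Interface        IPv4                  IPv6
---------------  --------------------  ---------------------------
Ethernet27/1     yes                   no (not configured)
Ethernet31/1     no (not configured)   no (not a layer 2 interface)
Ethernet2/25     no (not configured)   no (not configured)
"""

COUNTERS_SAMPLE = """\
                      Lease Active    Lease Unknown   Lease Unassigned
DHCP Server   Query   Rcvd    Drop    Rcvd    Drop    Rcvd    Drop      Unknown
-----------   -----   -----   -----   -----   -----   -----   -----     -------
80.80.80.80   32860   8002    34      8001    32      13423   134       3234

Interface   Query   Lease Active   Lease Unknown   Lease Unassigned
---------   -----   ------------   -------------   ----------------
Ethernet2   1747    1234           189             324
"""

SERVER_FIELDS = ("query", "active_rcvd", "active_drop", "unknown_rcvd", "unknown_drop",
                 "unassigned_rcvd", "unassigned_drop", "unknown")
INTERFACE_FIELDS = ("query", "lease_active", "lease_unknown", "lease_unassigned")
STATUS_ROW = re.compile(r"^(Ethernet\S+|Port-Channel\S+)\s+"
                        r"(yes|no(?: \([^)]*\))?)\s+(yes|no(?: \([^)]*\))?)\s*$")


def parse_status(text: str) -> list:
    """One dict per interface row of 'show address locking'."""
    rows = []
    for line in text.splitlines():
        m = STATUS_ROW.match(line)
        if m:
            rows.append({"interface": m.group(1), "ipv4": m.group(2), "ipv6": m.group(3)})
    return rows


def unlocked_l2_ports(rows: list) -> list:
    """Layer 2 ports where neither address family is locked. Ports the switch
    reports as not Layer 2 cannot be locked and are skipped."""
    out = []
    for r in rows:
        if "not a layer 2" in (r["ipv4"] + r["ipv6"]):
            continue
        if r["ipv4"] != "yes" and r["ipv6"] != "yes":
            out.append(r["interface"])
    return out


def parse_counters(text: str) -> tuple:
    """Split 'show address locking counters' into per-server and per-interface dicts."""
    servers, interfaces = {}, {}
    for line in text.splitlines():
        p = line.split()
        if len(p) == 9 and re.match(r"^\d+(\.\d+){3}$", p[0]):
            servers[p[0]] = dict(zip(SERVER_FIELDS, map(int, p[1:])))
        elif len(p) == 5 and p[0].startswith(("Ethernet", "Port-Channel")):
            interfaces[p[0]] = dict(zip(INTERFACE_FIELDS, map(int, p[1:])))
    return servers, interfaces


def unresponsive_servers(servers: dict, min_answer_ratio: float = 0.5) -> list:
    """DHCP servers whose replies of any kind cover too few of our queries.
    The 0.5 default is an assumption; tune it to your lease churn."""
    bad = []
    for ip, c in servers.items():
        answered = c["active_rcvd"] + c["unknown_rcvd"] + c["unassigned_rcvd"]
        if c["query"] and answered / c["query"] < min_answer_ratio:
            bad.append(ip)
    return bad


if __name__ == "__main__":
    print("unlocked L2 ports:", unlocked_l2_ports(parse_status(STATUS_SAMPLE)))
    servers, interfaces = parse_counters(COUNTERS_SAMPLE)
    print("unresponsive DHCP servers:", unresponsive_servers(servers))
```

Because counters only ever grow, compare two snapshots taken some minutes apart rather than the absolute values when you automate this; the ratio of new queries to new replies in that window is what tells you whether the server is answering now.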
IP address Locking Commands
IP address Locking Configuration Commands
- address locking deny
- address locking dhcp
- address locking disabled
- address locking lease
- address locking lease query
- address locking local-interface
- clear address locking lease
- locked-address expiration mac disabled
- locked-address ipv4 enforcement disabled
- locked-address ipv6 enforcement disabled
IP address Locking Display Commands
- show address locking
- show address locking counters
- show address locking table ipv4
address locking deny
Use the deny command in the interface address locking submode to block IPv4 and ARP packets with a specific source IPv4 address on that port. The interface must already be configured for IPv4 address Locking.
Command Mode
Interface Address Locking Configuration
Command Syntax
deny ip_address
Parameters
- ip_address - IPv4 address whose IPv4 and ARP packets are blocked on the port.
Example
Use the following commands to deny IPv4 and ARP packets with the source IPv4 address 172.16.21.131 on interface Ethernet53/4:
switch(config)#interface Ethernet53/4
switch(config-if-Et53/4)#address locking
switch(config-if-Et53/4-address-locking)#deny 172.16.21.131
address locking dhcp
Use the address locking command to enter address locking configuration mode, and then the dhcp server ipv4 command to add a DHCP server that IP address Locking queries with DHCP LeaseQuery. Repeat the command for each DHCP server that assigns leases to hosts on locked ports.
Command Mode
address Locking Configuration
Command Syntax
dhcp server ipv4 ip_address
Parameters
- ipv4 ip_address - IPv4 address of the DHCP server.
Example
To configure a DHCP server with an IPv4 address. 172.13.21.3, use the following command:
switch(config)#address locking
switch(config-address-locking)#dhcp server ipv4 172.13.21.3
address locking disabled
The disabled command in address locking configuration mode turns off IP address Locking on the switch. Hosts can then use any IP address, authorized or not, on any port.
Command Mode
address Locking Configuration
Command Syntax
disabled
Example
Use the address locking command to enter address locking configuration mode, and then disabled to turn the feature off:
switch(config)#address locking
switch(config-address-locking)#disabled
address locking lease
Use the address locking command to enter address locking configuration mode, and then the lease command to configure a static lease.
The lease ip_address mac mac_address command installs a static lease in hardware for the configured IP address, on the interface where the configured MAC address is learned. If the MAC address is not in the MAC table, or is learned on an interface that is not configured for IP address Locking, the lease is not installed until the MAC address is learned on an interface that has IP address Locking configured.
Command Mode
address Locking Configuration
Command Syntax
lease V4ADDR mac MACADDR
no lease V4ADDR mac MACADDR
default lease V4ADDR mac MACADDR
Parameters
- V4ADDR - IPv4 address of the static lease.
- mac MACADDR - MAC address of the host that is authorized to use the IPv4 address.
- no lease V4ADDR mac MACADDR - Removes the static lease.
- default lease V4ADDR mac MACADDR - Restores the default, which is no static lease for that address (same effect as the no form).
Example
To configure a static lease for the IPv4 address 172.21.13.11 and the MAC address a0:ce:c8:b1:78:d3, use the following commands:
switch(config)#address locking
switch(config-address-locking)#lease 172.21.13.11 mac a0:ce:c8:b1:78:d3
address locking lease query
Use the address locking command to enter address locking configuration mode, and then the lease query retry interval command to configure how unanswered DHCP LeaseQuery requests are retried. When configured, IP address Locking resends the request at the fixed interval until the timeout expires instead of using the default exponential backoff.
The no lease query retry command removes the retry interval and timeout configuration.
Command Mode
address Locking Configuration
Command Syntax
lease query retry interval seconds timeout minutes
no lease query retry
Parameters
- interval seconds - Time between successive LeaseQuery requests, in seconds. Value ranges from 1 to 4294967295.
- timeout minutes - Time after which IP address Locking stops retrying, in minutes.
Example
To configure a retry interval of 5 seconds and a timeout of 100 minutes, use the following commands:
switch(config)#address locking
switch(config-address-locking)#lease query retry interval 5 timeout 100
address locking local-interface
Use the address locking local-interface command to configure a local interface for IPv4 and IPv6 locking IP addresses on the switch.
Command Mode
address Locking Configuration
Command Syntax
local-interface [ Ethernet slot_number | Loopback loopback_number | Management management_number | Port-Channel lag_group | Tunnel tunnel_number | Vlan vlan_number ]
Parameters
- Ethernet slot_number - Use a routed Ethernet interface or subinterface as the source of LeaseQuery packets.
- Loopback loopback_number - Use a Loopback interface.
- Management management_number - Use a Management interface.
- Port-Channel lag_group - Use a routed Port-Channel interface or subinterface.
- Tunnel tunnel_number - Use a Tunnel interface.
- Vlan vlan_number - Use a VLAN interface (SVI).
The selected interface must have a valid IP address that is routable to the configured DHCP servers; it may reside in a non-default VRF.
Example
To configure an Ethernet interface, Ethernet53/4, use the following command:
switch(config)#address locking
switch(config-address-locking)#local-interface Ethernet53/4
clear address locking lease
Use the clear address locking lease command to remove lease bindings at different granularities.
- The clear address locking lease ipv4 V4ADDR command removes the single lease associated with an IPv4 address.
- The clear address locking lease ipv6 V6ADDR command removes the single lease associated with an IPv6 address.
- The clear address locking lease interface ethernet slot command removes all leases associated with the specified interface.
- The clear address locking lease all command removes all leases on the switch.
Command Mode
EXEC
Command Syntax
clear address locking lease [ all | interface ethernet slot | ipv4 V4ADDR | ipv6 V6ADDR ]
- all - Clears every lease on the switch.
- interface ethernet slot - Clears the leases on the specified Ethernet interface.
- ipv4 V4ADDR - Clears the lease for the specified IPv4 address.
- ipv6 V6ADDR - Clears the lease for the specified IPv6 address.
Example
Use the following command to clear all IP address Locking leases from the switch:
switch#clear address locking lease all
locked-address expiration mac disabled
By default, IP address Locking removes the authorization of a lease when the corresponding MAC address ages out of the MAC table. Use the locked-address expiration mac disabled command to keep leases installed even after the corresponding MAC addresses age out.
Command Mode
address Locking Configuration
Command Syntax
locked-address expiration mac disabled
no locked-address expiration mac disabled
default locked-address expiration mac disabled
- expiration - Configures the expiration behavior of locked addresses.
- mac - Selects expiration triggered by MAC address age-out.
- disabled - Stops deauthorizing locked addresses when their MAC addresses age out.
Example
Use this command to disable locked address expiration:
switch#configure
switch(config)#address locking
switch(config-address-locking)#locked-address expiration mac disabled
locked-address ipv4 enforcement disabled
The locked-address ipv4 enforcement disabled command disables address filtering for all ports with IPv4 Locking enabled. This permits IPv4 packets while still keeping all other drop rules.
Command Mode
address Locking Configuration
Command Syntax
locked-address ipv4 enforcement disabled
no locked-address ipv4 enforcement disabled
default locked-address ipv4 enforcement disabled
- ipv4 - Configure the IP address family.
- enforcement - Configure enforcement for locked addresses.
- disabled - Disable enforcement for locked addresses.
Example
Use the following command to disable locking address enforcement for IPv4 addresses:
switch#configure
switch(config)#address locking
switch(config-address-locking)#locked-address ipv4 enforcement disabled
locked-address ipv6 enforcement disabled
The locked-address ipv6 enforcement disabled command disables address filtering for all ports with IPv6 Locking enabled. This permits IPv6 packets while retaining all other drop rules.
Command Mode
address Locking Configuration
Command Syntax
locked-address ipv6 enforcement disabled
no locked-address ipv6 enforcement disabled
default locked-address ipv6 enforcement disabled
- ipv6 - IPv6 address configuration.
- enforcement - Configure enforcement for locked addresses.
- disabled - Disable enforcement for locked addresses.
Example
Use the following command to disable locking address enforcement for IPv6 addresses:
switch#configure
switch(config)#address locking
switch(config-address-locking)#locked-address ipv6 enforcement disabled
show address locking
Use the show address locking command to display the status of IPv4 and IPv6 locking on each interface. When locking is not active for an address family, the reason shown is one of:
- Interface not configured.
- Interface is not a Layer 2 interface.
- No local interface configured.
- No DHCP server configured.
Command Mode
EXEC
Command Syntax
show address locking
Example
To display information about IP locking, use the show address locking command:
switch#show address locking
IP Locking is active
Interface        IPv4                  IPv6
---------------  --------------------  ---------------------------
Ethernet27/1     yes                   no (not configured)
Ethernet31/1     no (not configured)   no (not a layer 2 interface)
show address locking counters
Use the show address locking counters command to display the DHCP LeaseQuery messages sent, received, and dropped. The output provides two sets of counters:
- Number of packets sent to and received from each DHCP server, broken down by reply type.
- Number of packets sent and received for each locked interface.
Command Mode
EXEC
Command Syntax
show address locking counters
Related Commands
The clear address locking counters command resets all the counters associated with IP Locking to zero.
Example
The following command displays IP address Locking Counters:
switch#show address locking counters
                      Lease Active    Lease Unknown   Lease Unassigned
DHCP Server   Query   Rcvd    Drop    Rcvd    Drop    Rcvd    Drop      Unknown
-----------   -----   -----   -----   -----   -----   -----   -----     -------
80.80.80.80   32860   8002    34      8001    32      13423   134       3234

Interface   Query   Lease Active   Lease Unknown   Lease Unassigned
---------   -----   ------------   -------------   ----------------
Ethernet2   1747    1234           189             324
show address locking table ipv4
Use the show address locking table ipv4 command to display the DHCP leases that IP address Locking knows about, whether each lease is installed in hardware, and the interface on which each IP address is authorized.
Command Mode
EXEC
Command Syntax
show address locking table ipv4 [ dynamic [ installed | interface Ethernet slot ] | installed | interface Ethernet slot | static [ installed | interface Ethernet slot ] ]
- dynamic - Display only leases learned through DHCP LeaseQuery.
  - installed - Display only dynamic leases installed in hardware.
  - interface Ethernet slot - Display only dynamic leases on the specified Ethernet interface.
- installed - Display only leases installed in hardware.
- interface Ethernet slot - Display only leases on the specified Ethernet interface.
- static - Display only static leases configured with the lease command.
  - installed - Display only static leases installed in hardware.
  - interface Ethernet slot - Display only static leases on the specified Ethernet interface.
Example
switch#show address locking table ipv4
IP address      MAC address       Interface   Installed    Expiration Time
--------------  ----------------  ----------  -----------  ---------------
10.30.4.4       ba76.a467.7ff8    Et27/1      installed    in 0:01:57

IP address      Action
--------------  ------
10.30.4.4       permit