IP Address Locking Configuration
This section describes IP Locking configuration tasks. Topics in this section include:
IP Address Locking Overview
EOS provides IP Address Locking capabilities when configured on an Ethernet Layer 2 port.
After enabling IP Address Locking on a Layer 2 (L2) port, the port only permits IP and ARP packets with authorized IP source addresses. Configure IP Address Locking in one of two modes:
- IPv4
- IPv6
IP Address Locking prevents a host on a different interface from claiming ownership of an IP address through ARP spoofing. IPv6 Locking extends this behavior to IPv6 packets, including ICMPv6 Neighbor Discovery Router Advertisement and Redirect and DHCP server-to-client packets.
- Probing with the IPv4 address 0.0.0.0 as the Sender Protocol Address (SPA).
- Permit Duplicate Address Detection (DAD).
- Drop incoming DHCP server response packets to avoid any rogue devices acting as DHCP servers.
- Permit incoming DHCP client request packets on devices to complete the DHCP handshake and obtain a DHCP lease.
On an IPv6 Locked Port, the ARP protocol performs the following actions on the network:
- Drop incoming DHCPv6 server response packets.
- Permit incoming DHCPv6 client request packets.
- On an incoming ICMPv6 network device, perform the following actions:
- Drop Router Advertisement packets since only routers should send these packets.
- Permit Router Solicitation packets.
- Drop redirect packets as only routers should send these packets.
IP Address Locking relies on DHCP LeaseQuery and MAC address learning to determine if an IP address is authorized on a particular port. Ensure that DHCP servers used in the network allow LeaseQuery messages.
Release Updates
Refer to the release updates for IP Locking.
EOS Release 4.25.1F:
Added support for disabling address filtering for IPv6 packets while still keeping all packet type specific drop rules such as ICMPv6 ND:RA, and ICMPv6 ND:Redirect and DHCPv6 (server-to-client) packets, using the locked-address ipv6 enforcement disabled command.
EOS Release 4.24.0F:
- Added support for expiration modes of locked addresses, using the locked-address expiration mac disabled command.
- Added support for counters, using the show address locking counters and clear address locking counters commands.
EOS Release 4.23.2F:
Added support for static lease command, lease <V4ADDR> mac <MACADDR>.
EOS Release 4.23.1F:
Added support for clear address locking lease command.
- Initial release.
- Supports IPv4 address locking.
Preparing a Switch for IP Address Locking
Before enabling IPv4 Address Locking, you must configure a DHCP Server and a Local Layer 3 interface.
Enabling a DHCP Server for IPv4 Address Locking
Add the DHCP servers used by hosts to acquire leases. IPv4 Address Locking communicates with the DHCP servers to learn the authorized IP addresses on the switch.
Example
The following commandsenable DHCP servers with an IPv4 address of 10.1.1.1, and another DHCP server with the IP address, 10.30.1.3:
switch(config-address-locking)#dhcp server ipv4 10.1.1.1
switch(config-address-locking)#dhcp server ipv4 10.30.1.3
Adding a Local Layer 3 Interface
Add a local L3 interface to communicate with the DHCP server. This could be the management interface, a routed interface, or a Switch Virtual Interface (SVI). This interface requires an assigned valid IP address, routable to the configured DHCP server, and can reside in a non-default VRF. The switch packets sent to the DHCP Server use the interface IP address as the source IP address.
Example
The following commandsconfigure an interface with a valid IP address, 10.10.1.2/16, on VLAN2160:
switch#configure
switch(config)#interface Vlan2160
switch(config-if-Vl2160)#ip address 10.10.1.2/16
The following commands add the interface to the IP Address Locking configuration:
switch#configure
switch(config)#address locking
switch(config-address-locking)#local-interface Vlan2160
Clearing Leases
- The clear address locking lease ipv4 V4ADDR command removes a single lease associated with an IPv4 address.
- The clear address locking lease ipv6 V6ADDR command removes a single lease associated with an IPv6 address.
- The clear address locking lease intf ethernet slot command removes all leases associated with the specified interface.
- The clear address locking lease all removes all leases on the switch.
Configuring IP Locking Static Leases
The lease mac command within address locking configuration mode installs a lease into hardware for the configured IP address on the interface with the configured associated MAC address. If the MAC address does not appear in the MAC table or the MAC address on an interface without a configured IP Locking feature, the lease does not install until the interface adds the MAC address to an interface configured with IP Locking.
Example
Use the following commands to configure an IP address, 172.21.13.11, and MAC Address, a0:ce:c8:b1:78:d3, with a static lease:
switch#configure
switch(config)#address locking
switch(config-address-locking)#lease 172.21.13.11 mac a0:ce:c8:b1:78:d3
Configuring Locked Address Expiration
The IP addresses remain authorized and installed after the corresponding MAC addresses age out. IP Address Locking, by default, removes authorized leases after the corresponding MAC addresses age out. The locked-address expiration mac disabled command configures IP Address Locking to keep leases installed, after the corresponding MAC addresses age out.
The following commands keep leases installed on the IP address:
switch#configure
switch(config)#address locking
switch(config-address-locking)#locked-address expiration mac disabled
Displaying IP Address Locking Counters
The show address locking counters command displays DHCP lease query messages sent, received, and dropped. The output provides two sets of counters:
- The number of packets sent and received from each DHCP server.
- The number of packets sent and received for each locked interface.
The output displays separate counters for the different types of messages communicated between the switch and the DHCP server.
switch#show address locking counters
Lease Active Lease Unknown Lease Unassigned
DHCP Server Query Rcvd Drop Rcvd Drop Rcvd Drop Unknown
----------- ----- ----- ------ ------ ------ -------- ------- -------
80.80.80.80 32860 8002 34 8001 32 13423 134 3234
Interface Query Lease Active Lease Unknown Lease Unassigned
--------- ----- ------------ ------------- ----------------
Ethernet2 1747 1234 189 324
The clear address locking counters command resets all the counters associated with IP Locking to zero.
Enabling IP Address Locking
Configure IP Address Locking for either IPv4 or IPv6 addresses, and both types of IP addresses can be enabled for IP Address Locking. IPv6 Address Locking requires a different approach outlined in this section.
Enabling IP Address Locking
Configure IPv4 Address Locking commands in the configuration mode.
Example
Use the following commands to enter IP Address Locking configuration mode and add IPv4 Address Locking:
switch#configure
switch(config)#address locking
switch(config-address-locking)#locked-address ipv4
Enabling IPv6 Address Locking
To enable IPv6 locking, disable the enforcement of IPv6 Address Locking.
Example
Use the following commands to disable IPv6 Address Locking enforcement, and then enable IPv6 for IP Address Locking:
switch#configure
switch(config)#address locking
switch(config-address-locking)#locked-address ipv6 enforcement disabled
switch(config-address-locking)#locked-address ipv6
Disabling IP Address Locking
Disable IP Address Locking using the disabled command in address-locking mode. This turns off the feature and allows a host to use any IP address, authorized or unauthorized, on any port.
Example
switch#configure
switch(config)#address locking
switch(config-address-locking)#disabled
Enabling IP Address Locking on Ports
To enable IPv4 Address Locking on ports connected to clients, IP Address Locking must be enabled in the interface configuration mode. Running this command only enables IPv4 Locking and overrides the previous configuration for the interface.
Example
Use the following commands to enable IP Address Locking for the interface, Ethernet27/1:
switch(config)#interface Ethernet27/1
switch(config-if-Et27/1)#address locking
switch(config-if-Et27/1-address-locking)#address-family ipv4
Use the following commands to enable IPv6 Address Locking on ports connected to clients, use the address-family ipv6 parameter.
Example
To activate IPv6 Address Locking on interface Ethernet53 and port 4, use the following syntax:
switch(config)#interface Ethernet53/4
switch(config-if-Et53/4)#address locking
switch(config-if-Et53/4-address-locking)#address-family ipv6
Enabling IP Address Locking on All Ports of a VLAN
To activate IP Address Locking on all VLAN port members, use the VLAN address locking configuration submode.
Examples
The following commands activate IPv4 Address Locking on VLAN 20:
switch(config)#vlan 20
switch(config-vlan-20)#address locking
switch(config-vlan-20-addr-lock)#address-family ipv4
To exclude a VLAN port member, disable IP Address Locking on that port using the interface configuration submode.
The following commands exclude port 25 on Ethernet2:
switch(config)#interface Ethernet2/25
switch(config-if-Et2/25)#address locking
switch(config-if-Et2/25)#address-family ipv4 disabled
To configure IPv6 Address Locking on all ports, use the same commands, but designate the address-family as ipv6.
The following commands enable IPv6 Address Locking and override the previous configuration for the interface.
switch(config)#interface Ethernet 27/1
switch(config-if-Et27/1)#address locking
switch(config-if-Et27/1-address-locking)#address-family ipv6
To enable IPv6 Address Locking on all members of a port for VLAN 20, use the IPv6 Locking commands in the VLAN address locking configuration sub-mode.
switch(config)#vlan 20
switch(config-vlan-20)#address locking
switch(config-vlan-20-addr-lock)#address-family ipv6
Use the following command to enable both IPv4 and IPv6 Address Locking on a port:
switch(config)#interface Ethernet 27/1
switch(config-if-Et27/1)#address locking
switch(config-if-Et27/1-address-locking)#address-family ipv4
switch(config-if-Et27/1-address-locking)#address-family ipv6
Blocking IPv4 and ARP Packets
Use the deny ip_address on IPv4 Address Locking ports to block all IPv4 and ARP packets with a specific source IPv4 address. The port denies the packet and affects only IPv4 enforcement modes. This action deauthorizes the addresses on the port and can be configured with multiple IPv4 addresses. You must configure this on an interface already configured with IPv4 Address Locking.
Example
switch(config)#interface Ethernet27/1
switch(config-if-Et27/1)#address locking
switch(config-if-Et27/1-addr-lock)#deny 172.21.16.25
IPv6 Locking
Configuring IPv6 Address Locking
Example
To activate IPv6 Address Locking on all members of a port for VLAN 20, enable IPv6 Locking on the VLAN address locking configuration sub-mode.
switch(config)#vlan 20
switch(config-vlan-20)#address locking
switch(config-vlan-20-addr-lock)#address-family ipv6
Disable IPv6 Address Locking using the disabled command in address-locking mode. This turns off the feature and allows a host to use any IP address, authorized or unauthorized, on any port. This also disables IPv4 Address Locking as well.
Example
Use the following syntax to disable IP Address Locking on the switch:
switch# configure
switch(config)# address locking
switch(config-address-locking)# disabled
Enforcing Locked IP Addresses
The locked-address ipv4 enforcement disabled command disables address filtering for all ports with IPv4 Address Locking enabled. This permits IPv4 packets while still keeping all other drop rules. When configured, IP Address Locking does not drop IP or ARP packets, and does not send out lease queries to configured DHCP servers.
Examples
The following commands disable IPv4 Address Locking globally:
switch#configure
switch(config)#address locking
switch(config-address-locking)#locked-address ipv4 enforcement disabled
The following commands configure locked address enforcement for an interface:
switch(config)#interface Ethernet27/1
switch(config-if-Et27/1)#address locking
switch(config-if-Et27/1-address-locking)#locked-address ipv4 enforcement disabled
The following commands configure locked address enforcement for a VLAN:
switch(config)#vlan 20
switch(config-vlan-20)#address locking
switch(config-vlan-20-addr-lock)#locked-address ipv4 enforcement disabled
The locked-address ipv6 enforcement disabled command disables address filtering for all ports with IPv6 Locking enabled. This permits IPv6 packets while still keeping all other drop rules.
switch#configure
switch(config)#address locking
switch(config-address-locking)#locked-address ipv6 enforcement disabled
To configure locked address enforcement for an interface, use the following commands:
switch(config)#interface Ethernet27/1
switch(config-if-Et27/1)#address locking
switch(config-if-Et27/1-address-locking)#locked-address ipv6 enforcement disabled
To configure locked address enforcement for VLAN 20, use the following commands:
switch(config)#vlan 20
switch(config-vlan-20)#address locking
switch(config-vlan-20-addr-lock)#locked-address ipv6 enforcement disabled
Displaying IP Address Locking
Use the show address locking command to display the status of IPv4 and IPv6 locking.
Example
switch# show address locking
IP Locking is active
Interface IPv4 IPv6
--------------- ------------------- ---------------------------
Ethernet27/1 yes no (not configured)
Ethernet31/1 no (not configured) no (not a layer 2 interface)
- Unconfigured.
- Not a Layer 2 interface.
- No local interface configured.
- No DHCP server configured.
The show address locking table ipv4 command displays all the DHCP leases that IP Address Locking knows about, current status of installed leases, and the authorized interfaces for these IP addresses.
Example
switch# show address locking table ipv4
IP Address MAC Address Interface Installed Expiration Time
-------------- ---------------- ---------- ------------ ---------------
10.30.4.4 ba76.a467.7ff8 Et27/1 installed in 0:01:57
Limitations
- IP Locking supports IPv4 but with limited functionality for IPv6.
- IP Locking works only with DHCP servers that support RFC 4388 (LeaseQuery) and configured to allow lease queries. ISC DHCPD and BlueCat are currently known servers that support LeaseQuery.
- IP Locking can only be configured on Ethernet interfaces, excluding sub-interfaces.
- IP Locking and DHCP relay cannot be configured on the same switch. When both are configured, IP Locking is disabled.
- IP Locking and DHCP snooping cannot be configured on the same switch. When both are configured, IP Locking is disabled.
- IP Locking and DHCP server cannot be configured on the same switch. When both are configured, IP Locking is disabled.
- Do not configure IP Locking and the ARP inspection feature on the same switch.
- Do not configure IP Locking and the IP source guard feature on the same switch.
- IP Locking may not immediately invalidate a lease on an access port if the host moves to another port on a different access switch.
- IP Locking supports up to 3400 hosts on the DCS-7050X3 platform, and up to 3800 hosts on the CCS-720XP platform. This scale may reduce further with other features using TCAM resources.
- IPv6 Locking currently only allows disabling address filtering for IPv6 packets while keeping all packet type specific drop rules such as ND:RA, ND:RD, and DHCP Server-to-Client.
- Some DHCP server implementations (such as ISC DHCPD) do not respond to lease query if the fixed-address configuration is used. Use reserved leases instead.
- CVP Endpoint Identification is not able to identify hosts connected to an IP Locking enabled switch.
IP Address Locking Commands
IP Address Locking Global Configuration Commands
IP Address Locking Configuration Commands
- address locking deny
- address locking dhcp
- address locking lease query
- address locking local-interface
address locking
Use the address locking command to enter the IP Address Locking configuration submode and then use any of the following commands:
- dhcp - Configuration options related to DHCP.
- disabled - Disable IP Address Locking on configured ports.
- lease - Configuration options related to leases.
- local-interface - Configure a local interface for IP Address Locking
- locked-address - Configuration options for locked addresses.
Command Mode
Global Configuration
Command Syntax
address locking
Parameters
address locking
Example
To enter the IP Address Locking mode, use the following command:
switch(config)# address locking
switch(config-address-locking)#
address locking deny
Use the address locking command to block IPv4 and ARP packets with specific IPv4 addresses on the switch. You must perform this command from an interface configured for IP Address Locking on the switch.
Command Mode
Interface Configuration
Address Locking Configuration
Command Syntax
address locking deny ip_address
Parameters
- deny ip_address - Specify the IPv4 address to block packets.
Example
Use the following command to deny IPv4 and ARP packets from IPv4 address, 172.16.21.131, from Ethernet interface, Ethernet53/4:
switch(config)#interface Ethernet53/4
switch(config-if-Et53/4)#address locking
switch(config-address-locking)#deny 172.16.21.131
address locking dhcp
Use the address locking command to enter address locking mode and then dhcp to configure the DHCP server.
Command Mode
Address Locking Configuration
Command Syntax
address locking dhcp server ipv4 ip_address
Parameters
- dhcp server - configure a DHCP server to assign IP addresses and assign static addresses using a MAC address.
- ipv4 ip_address - Specify the IP address for the DHCP server.
- mac mac_address - Specify the MAC address of the DHCP server.
Example
To configure a DHCP server with an IPv4 address. 172.13.21.3, use the following command:
switch(config)#address locking
switch(config-address-locking)#dhcp server ipv4 172.13.21.3
address locking lease
Use the address locking command to enter the IPv4 and IPv6 locking mode and then on the switch, use the lease to configure DHCP leases.
The lease mac command within the address locking configuration mode installs a lease onto hardware for the configured IP address on the interface with the associated configured MAC address. If the MAC address does not exist in the MAC table or the MAC address appears on an interface with an IP Locking configuration feature, the lease does not install until you add the MAC address to an interface configured with IP Locking.
Command Mode
Address Locking Configuration
Command Syntax
switch(config-address-locking)#lease ip_address mac ip_address
Parameters
- lease
- V4ADDR - Specify the IPv4 address to assign the lease.
- mac MACADDR - Configure the MAC address for a static lease.
- no lease V4ADDR mac MACADDR - Removes the retry and timeout configuration.
- default lease V4ADDR mac MACADDR - Configures the lease with the default IPv4 address and MAC address.
Example
To configure a lease with the IPv4 address, 1.1.1.1, and the MAC address, a.b.c, use the following command:
switch(config)#address locking
switch(config-address-locking)#lease 1.1.1.1 mac a.b.c
address locking lease query
Use the address locking command to enter the IPv4 and IPv6 locking mode and then use the lease query retry interval to configure DHCP leases.
The no lease query retry command removes the retry interval and timeout configuration.
Command Mode
Address Locking Configuration
Command Syntax
switch(config-address-locking)#lease query retry interval interval-time
Parameters
- lease query retry interval interval - Configure thequery retry interval and timeout. The interval can be from 1 - 4294967295 seconds.
Example
To configure a lease with the retry interval, 5 seconds, and a timeout, 100, use the following command:
switch(config)#address locking
switch(config-address-locking)#lease query retry interval 5 timeout 100
address locking local-interface
Use the address locking local-interface command to configure a local interface for IPv4 and IPv6 locking IP addresses on the switch.
Command Mode
Address Locking Configuration
Command Syntax
address locking local-interface [Ethernet | Loopback | Management | Port Channel | Tunnel | Vlan]
Parameters
- local-interface
- Ethernet slot_number - Configure an Ethernet subinterface for IPv4 and IPv6 locking IP addresses on the switch.
- Loopback loopback_interface_number - Configure a Loopback interface for IPv4 and IPv6 locking IP addresses on the switch.
- Management management_interface slot_number - for IPv4 and IPv6 locking IP addresses on the switch.
- Port-Channel lag_group port_channel_subinterface - Configure a Port-Channel interface for IPv4 and IPv6 locking IP addresses on the switch.
- Tunnel tunnel_interface - Configure a Tunnel interface for IPv4 and IPv6 locking IP addresses on the switch.
- Vlan vlan_interface_number - Configure a VLAN interface for IPv4 and IPv6 locking IP addresses on the switch.
Example
To configure an Ethernet interface, Ethernet53/4, use the following command:
switch(config)#address locking
switch(config-address-locking)#local-interface Ethernet53/4
clear address locking lease
Use the clear address locking lease command to remove lease bindings at different granularities.
- The clear address locking lease ipv4 V4ADDR command removes a single lease associated with an IPv4 address.
- The clear address locking lease ipv6 V6ADDR command removes a single lease associated with an IPv6 address.
- The clear address locking lease intf ethernet slot commandremoves all leases associated with the specified interface.
- The clear address locking lease all command remove all leases on the switch.
Command Mode
Address Locking mode
Command Syntax
clear address locking lease [ all | interface [ ethernet slot ] | ipv4 V4ADDR | ipv6 V6ADDR ]
- all- View the entire lease table.
- interface- interface to clear the lease.
- ethernet slot- Ethernet interface slot number.
- ipv4 V4ADDR- IPv4 address of the lease
- ipv6 V6ADDR - IPv6 address of the lease
Example
Use the following command to clear all IP Address Locking leases from the switch:
switch(config-address-locking)#clear address locking lease all
lease mac
The lease mac command within the address locking configuration mode installs a lease into hardware for the configured IP address on the interface the configured MAC address is associated with. If the MAC address is not in the MAC table or the MAC address is on an interface that is not configured with IP Locking feature, the lease is not installed until the MAC address is added to an interface that is configured with IP Locking. The no and default forms of the command removes the lease into hardware for the configured IP address on the interface the configured MAC address is associated with.
Command Mode
Address locking configuration mode
Command Syntax
lease V4ADDR mac MACADDR
no lease V4ADDR mac MACADDR
default lease V4ADDR mac MACADDR
- lease V4ADDRThe lease IP address.
- mac MACADDRThe configured mac address for static lease.
Arista# config t
Arista(config)# address locking
Arista(config-address-locking)# lease 1.1.1.1 mac a.b.c
locked-address expiration mac disabled
IP Address Locking, by default, removes authorization from leases after the corresponding MAC addresses age out. Use the locked-address expiration mac disabled command to configure IP Address Locking to keep the leases installed, even after the corresponding MAC addresses age out.
Command Mode
Address Locking Configuration
Command Syntax
locked-address expiration mac disabled
no locked-address expiration mac disabled
default locked-address expiration mac disabled
- expiration - Configures expiration mode for locked addresses.
- mac - Configures deauthorizing locked addresses when MAC addresses age out.
- disabled - Disables deauthorizing locked address when MAC addresses age out.
Example
Use this command to disable locked address expiration:
switch#configure
switch(config)#address locking
switch(config-address-locking)#locked-address expiration mac disabled
locked-address ipv4 enforcement disabled
The locked-address ipv4 enforcement disabled command disables address filtering for all ports with IPv4 Locking enabled. This permits IPv4 packets while still keeping all other drop rules.
Command Mode
Address Locking Configuration
Command Syntax
locked-address ipv4 enforcement disabled
no locked-address ipv4 enforcement disabled
default locked-address ipv4 enforcement disabled
- ipv4 - Configure the IP address family.
- enforcement - Configure enforcement for locked addresses.
- disabled - Disable enforcement for locked addresses.
Example
Use the following command to disable locking address enforcement for IPv4 addresses:
switch# configure
switch(config)# address locking
switch(config-address-locking)# locked-address ipv4 enforcement disabled
locked-address ipv6 enforcement disabled
The locked-address ipv6 enforcement disabled command disables address filtering for all ports with IPv6 Locking enabled. This permits IPv6 packets while retaining all other drop rules.
Command Mode
Address Locking Configuration
Command Syntax
locked-address - IPv6 enforcement disabled.
no locked-address - IPv6 enforcement disabled.
default locked-address - IPv6 enforcement disabled.
- ipv6 - IPv6 address configuration.
- enforcement - Configure enforcement for locked addresses.
- disabled - Disable enforcement for locked addresses.
Example
Use the following command to disable locking address enforcement for IPv6 addresses:
switch# configure
switch(config)#address locking
switch(config-address-locking)#locked-address ipv6 enforcement disabled
show address locking
Use the show address locking command to display the status of IP and IPv6 locking.
- Interface not configured.
- Interface is not a Layer 2 interface.
- No local interface configured.
- No DHCP server configured.
Command Mode
EXEC
Command Syntax
show address locking
Example
To display information about IP locking, use the show address locking command:
switch# show address locking
IP Locking is active
Interface IPv4 IPv6
--------------- ------------------- ---------------------------
Ethernet27/1 yes no (not configured)
Ethernet31/1 no (not configured) no (not a layer 2 interface)
show address locking counters
- Number of packets sent and received from each DHCP server.
- Number of packets sent and received for each locked interface.
Command Mode
EXEC
Command Syntax
show address locking counters
Related Commands
The clear address locking counters command resets all the counters associated with IP Locking to zero.
Example
The following command displays IP Address Locking Counters:
switch#show address locking counters
Lease Active Lease Unknown Lease Unassigned
DHCP Server Query Rcvd Drop Rcvd Drop Rcvd Drop Unknown
----------- ----- ----- ------ ------ ------ -------- ------- -------
80.80.80.80 32860 8002 34 8001 32 13423 134 3234
Interface Query Lease Active Lease Unknown Lease Unassigned
--------- ----- ------------ ------------- ----------------
Ethernet2 1747 1234 189 324
show address locking table ipv4
Use the show address locking table ipv4 command to display all DHCP leases with IP Locking, and the interfaces with authorized the IP addresses.
Command Mode
EXEC
Command Syntax
show address locking table ipv4 [ dynamic [ installed | [ interface Ethernet slot ] | installed | interface [ Ethernet [ slot ] | static [ installed | interface [ Ethernet slot ]]]
- dynamic - Display the dynamic leases.
- installed-Display the leases installed on the hardware.
- interface - Display the leases on a specified interface.
- installed - Display installed leases.
- interface - Display the leases on a specified
interface.
- Ethernet slot Specified Ethernet sub-interface.
- static - Display static leases.
- installed - Display the leases on the hardware.
- interface - Display the leases on a specified
interface.
- Ethernetslot Specified Ethernet sub-interface.
switch#show address locking table ipv4
IP Address MAC Address Interface Installed Expiration Time
-------------- ---------------- ---------- ------------ ---------------
AC 10.30.4.4 ba76.a467.7ff8 Et27/1 installed in 0:01:57
IP Address Action
--------------- --------
10.30.4.4 permit