IP Locking

If you have read about network security topics, you will be familiar with Dynamic ARP Inspection. Dynamic ARP Inspection prevents man-in-the-middle attacks based on ARP poisoning. Remember that if an attacker wants to collect traffic destined to a specific IP, he can do it using gratuitous ARP: he sends an ARP reply to the victim carrying the other host's IP but the attacker's own MAC address. If this succeeds, the victim starts forwarding traffic for that IP to the attacker's MAC address. Arista provides a new method against this: the IP Locking feature.

Requirements

This method uses a relay mechanism: the switch queries the lease table of the DHCP server, so DHCP Leasequery (RFC 4388) must be enabled on the DHCP server. It is simply “allow leasequery” in the CentOS/Windows DHCP server config file. The switch then communicates with the DHCP server from the configured source IP.
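To make the relay mechanism concrete, here is a small Python model of the RFC 4388 exchange: the switch asks "who holds this IP?" by sending a DHCPLEASEQUERY with the address in ciaddr and its own source address in giaddr, and the server answers DHCPLEASEACTIVE (with the client MAC and remaining lease time), DHCPLEASEUNASSIGNED (address managed but not leased) or DHCPLEASEUNKNOWN (address not managed), the three outcomes that the counters output further down tallies. This is an added example, not Arista or ISC code; the message-type numbers are from RFC 4388, while the switch source address 192.0.2.1, the managed subnet and the lease data are constructed, and the real exchange would be carried in UDP to port 67 rather than handled in-process.

```python
"""Model of the RFC 4388 DHCP lease query an IP Locking switch performs.
Constructed example, not Arista's or the DHCP server's implementation."""
import struct
import ipaddress

# Message types defined by RFC 4388
DHCPLEASEQUERY = 10
DHCPLEASEUNASSIGNED = 11
DHCPLEASEUNKNOWN = 12
DHCPLEASEACTIVE = 13
MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # fixed 236-byte BOOTP header


def _ip(s):
    return ipaddress.IPv4Address(s).packed


def _options(pairs):
    body = b"".join(bytes([code, len(val)]) + val for code, val in pairs)
    return MAGIC_COOKIE + body + b"\xff"


def _parse_options(raw):
    opts, i = {}, 4                      # skip the magic cookie
    while i < len(raw) and raw[i] != 0xFF:
        if raw[i] == 0:                  # pad option
            i += 1
            continue
        code, ln = raw[i], raw[i + 1]
        opts[code] = raw[i + 2:i + 2 + ln]
        i += 2 + ln
    return opts


def build_leasequery(query_ip, relay_ip, xid):
    """Switch side: query by IP address. ciaddr carries the address to look up,
    giaddr the switch's own source address (the local interface in the config);
    htype/hlen/chaddr stay zero because the lookup key is ciaddr."""
    header = struct.pack(BOOTP_FMT, 1, 0, 0, 0, xid, 0, 0,
                         _ip(query_ip), b"\0" * 4, b"\0" * 4, _ip(relay_ip),
                         b"\0" * 16, b"\0" * 64, b"\0" * 128)
    return header + _options([(53, bytes([DHCPLEASEQUERY]))])


def answer_leasequery(packet, managed_net, leases):
    """Server side (what 'allow leasequery' turns on). leases maps
    ip -> (mac in Arista dotted form, seconds remaining on the lease)."""
    f = struct.unpack(BOOTP_FMT, packet[:236])
    xid, ciaddr = f[4], str(ipaddress.IPv4Address(f[7]))
    if _parse_options(packet[236:]).get(53) != bytes([DHCPLEASEQUERY]):
        raise ValueError("not a DHCPLEASEQUERY")
    if ipaddress.IPv4Address(ciaddr) not in ipaddress.ip_network(managed_net):
        mtype, hlen, mac, opts = DHCPLEASEUNKNOWN, 0, b"\0" * 16, []
    elif ciaddr not in leases:
        mtype, hlen, mac, opts = DHCPLEASEUNASSIGNED, 0, b"\0" * 16, []
    else:
        mac_str, secs = leases[ciaddr]
        mac = bytes.fromhex(mac_str.replace(".", "")).ljust(16, b"\0")
        # option 51 carries the remaining lease time in the reply
        mtype, hlen, opts = DHCPLEASEACTIVE, 6, [(51, struct.pack("!I", secs))]
    header = struct.pack(BOOTP_FMT, 2, 1, hlen, 0, xid, 0, 0,
                         _ip(ciaddr), b"\0" * 4, b"\0" * 4, f[10],
                         mac, b"\0" * 64, b"\0" * 128)
    return header + _options([(53, bytes([mtype]))] + opts)


def parse_reply(packet):
    """Switch side: turn the reply into a lock-table row or a non-active verdict."""
    f = struct.unpack(BOOTP_FMT, packet[:236])
    opts = _parse_options(packet[236:])
    result = {"ip": str(ipaddress.IPv4Address(f[7])), "type": opts[53][0]}
    if result["type"] == DHCPLEASEACTIVE:
        raw = f[11][:f[2]].hex()
        result["mac"] = ".".join(raw[i:i + 4] for i in range(0, 12, 4))
        result["expires_in"] = struct.unpack("!I", opts[51])[0]
    return result


if __name__ == "__main__":
    # Constructed lease data: 216 s remaining matches the "in 0:03:36" shown later.
    leases = {"172.22.111.12": ("b445.06b1.6f3d", 216)}
    for ip in ("172.22.111.12", "172.22.111.50", "10.0.0.5"):
        q = build_leasequery(ip, "192.0.2.1", 0x1234)
        print(parse_reply(answer_leasequery(q, "172.22.111.0/24", leases)))
```

Only a DHCPLEASEACTIVE answer yields a row the switch can install; the other two outcomes are counted and the source address stays unauthorized.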

Benefits

  • A port will permit IP and ARP packets whose IP source addresses have been authorized.
  • It prevents a host on a different interface from claiming ownership of an IP address through ARP spoofing.
  • IP Locking prevents hosts from masquerading as a DHCP server by blocking DHCP server packets.
  • ARP probes with sender IP 0.0.0.0 are still allowed, for duplicate address detection.

There is also an “enforcement disabled” option, which allows all ARP packets but still blocks rogue DHCP packets on the network.
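The bullets above and the enforcement-disabled note describe a per-port decision, so here it is written out as a small Python model, as an added example rather than Arista's implementation: a packet passes only when its source IP, source MAC and ingress interface all match a lock-table row, ARP probes from 0.0.0.0 and client DHCP requests pass without a row, DHCP server-side messages are dropped in both modes, and with enforcement disabled the IP/ARP comparison is skipped. That EOS compares exactly these fields is an assumption; the lock-table row is the one from the output section, and the traffic samples are constructed.

```python
"""Model of the per-port check IP Locking applies, written from the bullet
list above. Constructed example, not Arista's implementation; the exact
field comparisons EOS makes are an assumption."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    interface: str                   # ingress port, e.g. "Et1"
    src_mac: str                     # Ethernet source / ARP sender hardware address
    src_ip: str                      # IP source / ARP sender protocol address
    kind: str                        # "ip", "arp" or "dhcp"
    dhcp_from_server: bool = False   # BOOTREPLY (offer/ack) rather than a client request


# Lock table keyed by IP -> (MAC, interface): the rows that
# 'show address locking table ipv4' lists. Row taken from the page's output.
LOCKS = {"172.22.111.12": ("b445.06b1.6f3d", "Et1")}


def check(pkt, locks, enforcement=True):
    """Return (allowed, reason) for one packet arriving on an IP Locking port."""
    # Server-originated DHCP from an access port is dropped in both modes:
    # a host behind this port must never act as a DHCP server.
    if pkt.kind == "dhcp" and pkt.dhcp_from_server:
        return False, "rogue DHCP server traffic"
    if pkt.kind == "dhcp":
        return True, "client DHCP request"        # the host must be able to obtain a lease
    if not enforcement:
        return True, "enforcement disabled"       # ARP/IP sources are not filtered
    # An ARP probe (sender IP 0.0.0.0) is how a host checks for a duplicate
    # address before using it, so it is permitted without a lock-table row.
    if pkt.kind == "arp" and pkt.src_ip == "0.0.0.0":
        return True, "ARP probe for duplicate address detection"
    entry = locks.get(pkt.src_ip)
    if entry is None:
        return False, "source IP has no DHCP lease on record"
    mac, iface = entry
    if iface != pkt.interface:
        return False, f"{pkt.src_ip} is locked to {iface}, not {pkt.interface}"
    if mac != pkt.src_mac:
        return False, f"{pkt.src_ip} is locked to MAC {mac}"
    return True, "source matches lock table"


if __name__ == "__main__":
    # Constructed traffic: the legitimate host, then a gratuitous ARP from another
    # port claiming the same IP (the poisoning case from the introduction), an ARP
    # probe, and a DHCP offer sent by a host on an access port.
    samples = [
        Packet("Et1", "b445.06b1.6f3d", "172.22.111.12", "ip"),
        Packet("Et2", "0011.2233.4455", "172.22.111.12", "arp"),
        Packet("Et2", "0011.2233.4455", "0.0.0.0", "arp"),
        Packet("Et2", "0011.2233.4455", "172.22.111.200", "dhcp", dhcp_from_server=True),
    ]
    for p in samples:
        ok, why = check(p, LOCKS)
        print(f"{p.interface} {p.kind:4} {p.src_ip:>15}  {'ALLOW' if ok else 'DROP '}  {why}")
```

Run with enforcement disabled, the spoofed ARP reply on Et2 is allowed through while the DHCP offer is still dropped, which is exactly the trade-off the option makes.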

Configuration Steps

address locking
local-interface Management1
dhcp server ipv4 172.22.111.2

interface Ethernet1
   address locking ipv4

Outputs

Arista#show  address locking table ipv4
   IP Address          MAC Address          Source       Interface       Installed    Expiration Time
------------------- -------------------- ------------ --------------- --------------- ---------------
   172.22.111.12       b445.06b1.6f3d       server       Et1             installed    in 0:03:36

Total IP Address for this criterion: 1
Arista#show  address locking table ipv4
   IP Address          MAC Address          Source       Interface       Installed    Expiration Time
------------------- -------------------- ------------ --------------- --------------- ---------------
   172.22.111.12       b445.06b1.6f3d       server       Et1             installed    in 0:02:37

Total IP Address for this criterion: 1
Arista#show  address locking counters

                   Lease Active Lease Unknown Lease Unassigned
 DHCP Server Query  Rcvd   Drop   Rcvd   Drop    Rcvd     Drop Unknown
------------ ----- ----- ------ ------ ------ ------- -------- -------
172.22.111.2   114     3      0      0      0       0        0       0


Interface Query Lease Active Lease Unknown Lease Unassigned
--------- ----- ------------ ------------- ----------------
Ethernet1   114            3             0                0

By Mahmut Aydin

CCIE R&S #63405
