How can I prevent a user from assigning a duplicate static IP?

  • Question
  • Updated 8 months ago
  • Answered
Recently a student assigned a static IP to their personal device connected to our network. The IP they chose was the default gateway IP of the VLAN. This caused a lot of problems as there was now an IP conflict.

I was wondering what kind of configuration I could put on my Extreme 440/450s on the edge to prevent this. On Reddit someone said on Cisco this would be called "ip arp inspection and ip source guard". I looked on GTAC and saw something like this. If this is a solution, could I see a sample configuration to stop an edge port from using a static IP of, say, 10.18.96.1?

Thanks

Jared Sabin


Posted 8 months ago


John Romero

Use group policy to prevent them from changing anything locally.

Jared Sabin

They brought in their own machine / laptop and plugged it into the wall.  GPO is enabled to prevent people using school machines from changing IP address settings.

Brandon Clay, Escalation Support Engineer

Hi Jared,

It sounds like Source IP Lockdown is what you want. This is part of IP Security, and it builds off of DHCP snooping. Essentially, it starts off with an ACL on the port configured to only allow DHCP traffic from the client. Once the client gets an IP address from DHCP, the ACL is updated to only allow traffic sourced from the IP address that the client got from DHCP (learned from DHCP snooping).

You can find details on it in the user guide section linked below:
http://documentation.extremenetworks.com/exos_22.4/EXOS_21_1/Security/c_source-ip-lockdown.shtml 
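As an added illustration of the feature Brandon describes (this is example configuration written for this thread, not a configuration from the original post or from Extreme's documentation), the EXOS CLI below enables DHCP snooping and Source IP Lockdown on the user ports. It assumes a user VLAN named `students`, user-facing ports `1-47`, and port `48` as the uplink toward the DHCP server; adjust those to your switch. The gratuitous ARP protection line is included because the conflict in this thread is created by a host answering ARP for the gateway address; it relies on the same DHCP snooping bindings.

```exos
# Added example for an EXOS X440/X450 edge switch. Assumed names/ports:
#   VLAN "students", user ports 1-47, uplink/DHCP-server-facing port 48.

# 1. Snoop DHCP on the user ports so the switch learns IP-to-port bindings.
#    "violation-action drop-packet" discards DHCP server replies arriving on
#    an untrusted (user) port, i.e. a rogue DHCP server.
enable ip-security dhcp-snooping vlan students ports 1-47 violation-action drop-packet

# 2. Only the uplink may carry DHCP server traffic into the VLAN.
configure trusted-ports 48 trust-for dhcp-server

# 3. Source IP Lockdown: before a lease is learned, only DHCP client traffic
#    leaves the port; afterwards, only packets sourced from the leased address.
#    A host that sets a static address (for example the gateway 10.18.96.1)
#    never matches the learned binding, so its traffic is dropped.
enable ip-security source-ip-lockdown ports 1-47

# 4. Gratuitous ARP protection: drop gratuitous ARPs from untrusted ports that
#    claim an address not matching that port's DHCP binding.
enable ip-security arp gratuitous-protection vlan students

# Verification: bindings learned, lockdown state, and snooping status.
show ip-security dhcp-snooping entries vlan students
show ip-security source-ip-lockdown
show ip-security dhcp-snooping vlan students
```

Caveat: as the user guide note quoted later in this thread says, lockdown only ever permits DHCP-learned addresses, so any device that legitimately needs a static address (a printer, for instance) must sit on a port where lockdown is not enabled or must be given a DHCP reservation instead.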

Jared Sabin

I was reading through the Source IP Lockdown and saw:

Note: Source IP lockdown feature only works when hosts are assigned IP addresses using DHCP; source IP lockdown does not function for statically configured IP Addresses.

So a student brings in their own laptop and Ethernet cord. Finds an open port on the wall, connects to it. They receive a DHCP address from our server. They do an IPCONFIG /all and see what the default gateway IP is. They go into their network connection settings, change their IP to that default gateway address. They now have a static IP and have created an IP conflict with the default gateway.


So, is there a way to FORCE clients on the edge to only work if they have a DHCP address?  This would mean anyone setting a static IP address would be blocked.  Or maybe there is a different way.  Am I understanding this wrong?

Brandon Clay, Escalation Support Engineer

That is essentially what source IP lockdown is doing. It permits DHCP client traffic to the server, and then once the client gets an IP address via DHCP, it allows traffic sourced from the IP address assigned from DHCP.

Before the client gets an IP, no traffic other than DHCP will be allowed. After it gets an IP, only traffic sourced from the IP that client got from DHCP will be allowed on the port.

Jared Sabin

Someone had posted, but then removed, a suggestion to use ARP Validation / Gratuitous ARP on the ports to protect them. Would enabling that have the same effect but without forcing all ports to be DHCP?

Thanks

Terren Crider

This is an interesting problem.  I've never encountered this before.

You could try using network policy to block traffic from that IP (and any other restricted IP) on user ports.

Jared Sabin

This was actually my thought.  I wanted to see if on the edge I could just create an ACL that banned incoming traffic from the IP for the vlan gateway (10.18.96.1).  I could just do all the user ports like 1-47, and not apply it to port 48.
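The ACL approach Terren and Jared describe, written out as an added example (not configuration from the original thread): an EXOS policy file that drops IPv4 packets whose source address is the VLAN gateway 10.18.96.1 from the page, applied ingress on user ports 1-47 and left off the uplink port 48, as Jared proposes. The policy name `no_gw_spoof` and the counter name are assumptions; the file must exist on the switch (loaded via TFTP or created with the `edit policy` command) before it is applied.

```exos
# Added example. Contents of the policy file no_gw_spoof.pol (name assumed):
entry deny_spoofed_gateway {
    if {
        # IPv4 packets claiming the VLAN default gateway as their source.
        source-address 10.18.96.1/32;
    } then {
        deny;
        # Count hits so the spoofing host can be found with "show access-list counter".
        count spoofed_gw;
    }
}
entry permit_everything_else {
    if {
    } then {
        permit;
    }
}

# CLI to validate and apply the policy on the user ports only (port 48 = uplink,
# where the real gateway traffic arrives, stays without the ACL):
check policy no_gw_spoof
configure access-list no_gw_spoof ports 1-47 ingress

# Watch the counter to see which ports, if any, are sourcing the gateway address.
show access-list counter
```

Caveat: `source-address` matches the IPv4 header, so this entry stops IP traffic sent from the spoofed address but does not touch ARP frames, which are not IP. The conflict Jared observed is largely an ARP problem (the student's laptop answers ARP requests for 10.18.96.1), so on its own this ACL reduces the damage rather than preventing the conflict; the DHCP snooping based protections discussed earlier in the thread are what operate on ARP.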

Jared Sabin

Well, when I read the paragraph it makes it seem like when you enable Source-IP lockdown, it denies all traffic on the port in an ACL. Then it creates another ACL that allows only DHCP traffic. So maybe that IS actually forcing the port to be DHCP only.

Terren Crider

My next thought was to force a port to only allow DHCP devices.  Though, I'm not sure how to do that at the moment.

Ahmed Haroun

What about using IP duplicate address detection (DAD)?