This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

How can I prevent a user from assigning a duplicate static IP?

How can I prevent a user from assigning a duplicate static IP?

Jared_Sabin
New Contributor

‎12-08-2017 02:34 PM

Recently a student assigned a static IP to their personal device connected to our network. The IP they chose was the default gateway IP of the vlan. This caused alot of problems as there was now an IP conflict.

I was wondering what kind of configuration I could put on my extreme 440/450s on the edge to prevent this. On reddit someone said on cisco this would be called " ip arp inspection and ip source guard". I looked on Gtac and saw something like this. If this is a solution, could I see an sample configuration to stop an edge port from using a static IP of say 10.18.96.1?

Thanks
0 Kudos
11 REPLIES 11

Jared_Sabin
New Contributor
In response to Terren_Crider

‎12-08-2017 03:25 PM

This was actually my thought. I wanted to see if on the edge I could just create an ACL that banned incoming traffic from the IP for the vlan gateway (10.18.96.1). I could just do all the user ports like 1-47, and not apply it to port 48.
0 Kudos

Jared_Sabin
New Contributor

‎12-08-2017 03:16 PM

I was reading through the Source IP Lockdown and saw:

Note: Source IP lockdown feature only works when hosts are assigned IP addresses using DHCP; source IP lockdown does not function for statically configured IP Addresses.

So a student brings in their own laptop and ethernet cord. Finds an open port on the wall, connects to it. The receive a DHCP address from our server. They do an IPCONFIG /all and see what the default gateway IP is. They go into their network connection settings, change their IP to that default gateway address. They now have a static IP and have created an IP conflict with the default gateway.

So, is there a way to FORCE clients on the edge to only work if they have a DHCP address? This would mean anyone setting a static IP address would be blocked. Or maybe there is a different way. Am I understanding this wrong?
0 Kudos

Jared_Sabin
New Contributor
In response to Jared_Sabin

‎12-08-2017 03:16 PM

Someone had posted but removed using ARP Validation / Gratitious ARP on the ports to protect. Would enabling that have the same effect but without forcing all ports to be DHCP?

Thanks
0 Kudos

BrandonC
Extreme Employee
In response to Jared_Sabin

‎12-08-2017 03:16 PM

That is essentially what source IP lockdown is doing. It permits DHCP client traffic to the server, and then once the client gets an IP address via DHCP, it allows traffic sourced from the IP address assigned from DHCP.

Before the client gets an IP, no traffic other than DHCP will be allowed. After it gets an IP, only traffic sourced from the IP that client got from DHCP will be allowed on the port.
0 Kudos

BrandonC
Extreme Employee

‎12-08-2017 02:42 PM

Hi Jared,

It sounds like Source IP Lockdown is what you want. This is part of IP Security, and it builds off of DHCP snooping. Essentially, it starts off with an ACL on the port configured to only allow DHCP traffic from the client. Once the client gets an IP address from DHCP, the ACL is updated to only allow traffic sourced from the IP address that the client got from DHCP (learned from DHCP snooping).

You can find details on it in the user guide section linked below:
http://documentation.extremenetworks.com/exos_22.4/EXOS_21_1/Security/c_source-ip-lockdown.shtml
0 Kudos
GTM-P2G8KFN