How can I prevent a user from assigning a duplicate static IP?

Jared_Sabin
New Contributor
Recently a student assigned a static IP to their personal device connected to our network. The IP they chose was the default gateway IP of the VLAN. This caused a lot of problems, as there was now an IP conflict.

I was wondering what kind of configuration I could put on my Extreme 440/450s on the edge to prevent this. On Reddit someone said that on Cisco this would be called "ip arp inspection" and "ip source guard". I looked on GTAC and saw something like this. If this is a solution, could I see a sample configuration to stop an edge port from using a static IP of, say, 10.18.96.1?

Thanks
11 REPLIES

This was actually my thought. I wanted to see if on the edge I could just create an ACL that banned incoming traffic from the IP of the VLAN gateway (10.18.96.1). I could just do all the user ports, like 1-47, and not apply it to port 48.

Jared_Sabin
New Contributor
I was reading through the Source IP Lockdown and saw:

Note: Source IP lockdown feature only works when hosts are assigned IP addresses using DHCP; source IP lockdown does not function for statically configured IP Addresses.

So a student brings in their own laptop and Ethernet cord. They find an open port on the wall and connect to it. They receive a DHCP address from our server. They do an ipconfig /all and see what the default gateway IP is. They go into their network connection settings and change their IP to that default gateway address. They now have a static IP and have created an IP conflict with the default gateway.

So, is there a way to FORCE clients on the edge to only work if they have a DHCP address? This would mean anyone setting a static IP address would be blocked. Or maybe there is a different way. Am I understanding this wrong?

Someone had posted, but removed, using ARP Validation / Gratuitous ARP on the ports to protect. Would enabling that have the same effect, but without forcing all ports to be DHCP?

Thanks

That is essentially what source IP lockdown is doing. It permits DHCP client traffic to the server, and then once the client gets an IP address via DHCP, it allows traffic sourced from the IP address assigned from DHCP.

Before the client gets an IP, no traffic other than DHCP will be allowed. After it gets an IP, only traffic sourced from the IP that client got from DHCP will be allowed on the port.

BrandonC
Extreme Employee
Hi Jared,

It sounds like Source IP Lockdown is what you want. This is part of IP Security, and it builds off of DHCP snooping. Essentially, it starts off with an ACL on the port configured to only allow DHCP traffic from the client. Once the client gets an IP address from DHCP, the ACL is updated to only allow traffic sourced from the IP address that the client got from DHCP (learned from DHCP snooping).

You can find details on it in the user guide section linked below:
http://documentation.extremenetworks.com/exos_22.4/EXOS_21_1/Security/c_source-ip-lockdown.shtml
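The following is an added worked configuration for the two approaches raised in this thread (the per-port ACL against 10.18.96.1 proposed in the first reply, and DHCP snooping plus Source IP Lockdown described above). It is not from the original posts or from Extreme's documentation, and it has not been taken from a working switch. It assumes a VLAN named "students", user ports 1-47, the uplink carrying the DHCP server and gateway on port 48, and the gateway 10.18.96.1 from the thread; the command syntax is written from memory of the EXOS CLI and should be checked against the CLI reference for your release before use.

```exos
# Added example, not from the thread or Extreme documentation.
# Assumptions: VLAN "students", edge ports 1-47, uplink on port 48,
# gateway 10.18.96.1. Verify each command against your EXOS release.

# --- 1. DHCP snooping: the switch learns which IP each edge port was given ---
# Rogue DHCP server replies on user ports are dropped; only the uplink is
# trusted to carry DHCP OFFER/ACK from the real server. Without the
# trusted-ports line the snooping switch drops the legitimate server too.
enable ip-security dhcp-snooping vlan students ports 1-47 violation-action drop-packet
configure trusted-ports 48 trust-for dhcp-server

# --- 2. Source IP Lockdown on the user ports only (never on the uplink) ---
# Before a host completes DHCP only DHCP client traffic leaves the port;
# afterwards only frames sourced from the snooped DHCP address pass, so a
# laptop reconfigured with a static 10.18.96.1 is dropped at the edge.
# Ports with legitimately static devices (printers, APs) must be left out.
enable ip-security source-ip-lockdown ports 1-47

# Check what was learned and which lockdown entries are installed.
show ip-security dhcp-snooping entries vlan students
show ip-security source-ip-lockdown

# --- 3. Defence in depth: static ACL blocking the gateway IP inbound ---
# Contents of the policy file deny_gw_spoof.pol (create it with
# "edit policy deny_gw_spoof" or upload it). The counter makes spoof
# attempts visible even though the lockdown above would already drop them.
entry deny_gw_spoof {
    if match all {
        source-address 10.18.96.1/32;
    } then {
        deny;
        count gw_spoof_attempts;
    }
}
entry permit_rest {
    if {
    } then {
        permit;
    }
}

# Syntax-check the policy, bind it to the user ports but not port 48
# (the gateway's real traffic arrives there), and watch the counter.
check policy deny_gw_spoof
configure access-list deny_gw_spoof ports 1-47 ingress
show access-list counter
```

The static ACL only protects the one address you list; Source IP Lockdown covers any address a user might pick, including another student's DHCP lease, but, as the documentation note quoted above says, it only works on ports whose hosts get their address from DHCP, so anything with a legitimate static address needs its own port excluded from the lockdown.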