Prevent Users from Setting Specific Static IP

Tags: arp, hp, hp-procurve, ipv4

I have an HP ProCurve switching environment in which users are often assigned static IPs. One user changed their IP to 172.17.1.1, which is the core switch VLAN 10 interface. Since all the users in the environment have dynamic ARP tables, the ARP entries were affected and there were spurious outages for as long as that user was connected.

In order to prevent this from happening again, there are 3 approaches we can take:

  • Publish a GPO to prevent users from modifying their own settings, but this won't work for non-domain devices.
  • Change existing critical devices on that subnet to use static ARP tables, but this doesn't really "solve" the problem, just mitigates it. It will still affect new devices, and each device will need to have a static ARP entry added when installed and changed if/when the switch is replaced.
  • Perhaps the best solution: use the ip source-binding command on the switching infrastructure to ensure that anyone who changes their IP to the gateway(s) on the core switch VLAN interface will not have network access.

My questions are:

  1. Am I correct in my belief that ip source-binding is the best bet here? It will only be used on switches that have an IP in the respective VLAN since otherwise it would have no ARP table for that VLAN.
  2. If so, how is it possible to do ip source-binding that binds the VLAN interface of the switch itself? I want to ensure the switch drops all incoming ARP responses claiming its own IP address of 172.17.1.1.

Additional info: the core switch (where we want to restrict the ARP traffic) is a 5412R zl2 chassis (model J9851A) running firmware version KB.15.17.0008.

Thank you

Best Answer

The 5400 series supports DHCP snooping with ARP protection, which is your best option. Those force a client to use the IP address it is assigned by the authorized DHCP server(s). Any other traffic is dropped (with an optional SNMP trap).

Using reservations on your DHCP server allows you to assign and centrally manage specific IP addresses for each client - that is far superior to managing static IPs manually anyway.

Then you force the clients to use DHCP:

    ; enable DHCP snooping globally, then restrict it to the client VLAN
    dhcp-snooping
    dhcp-snooping authorized-server [dhcp-server]
    dhcp-snooping trust [server-port]
    dhcp-snooping vlan [vlid]
    dhcp-snooping verify mac
    ; enable ARP protection globally, then on the client VLAN
    arp-protection
    arp-protection vlan [vlid]
  • [dhcp-server] is your DHCP server's IP address
  • [server-port] is the port that DHCP server is located on
  • [vlid] is the VLAN ID from the client network

Caution: with that config, only clients with a valid DHCP lease can communicate. You need to define ports where clients with arbitrary IP addresses are allowed:

    arp-protection trust [port list]

Alternatively to DHCP and snooping, you could use a static database to feed ARP protection (ip source-binding). That might be hard to maintain (in addition to the actual client configs), so I'd use DHCP in any case.

Of course, there are other ways to accomplish what you want; removing admin privileges or using a GPO to enforce a configuration are off-topic here, however.
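The following is an added worked example, not part of the answer above, showing the DHCP snooping and ARP protection procedure the answer describes as one complete, ordered ProCurve configuration for the scenario in the question. Everything concrete in it is an assumption for illustration: client VLAN 10, a DHCP server at 172.17.1.5 on chassis port A1, a printer with a static address on port B3 with MAC 001122-334455, and the port names themselves. Check the exact syntax against the Access Security Guide for your release (KB.15.17) before pasting it in.

```text
; Added example, not from the original answer. Hypothetical values:
; VLAN 10 is the client VLAN, 172.17.1.5 on port A1 is the DHCP server,
; 172.17.1.1 is the chassis's own VLAN 10 address, B3 carries a printer
; with a static address.

; 1. DHCP snooping. Only leases handed out by the authorized server on a
;    trusted port populate the binding table; client ports stay untrusted,
;    so a rogue DHCP server on a client port is dropped too.
dhcp-snooping
dhcp-snooping authorized-server 172.17.1.5
dhcp-snooping trust A1
dhcp-snooping vlan 10
dhcp-snooping verify mac

; 2. ARP protection. On untrusted ports in VLAN 10 every ARP packet must
;    match a (MAC, IP, VLAN, port) binding or it is dropped. A client that
;    types 172.17.1.1 into its adapter has no binding for that address, so
;    its gratuitous ARP and its replies for 172.17.1.1 never leave its port.
;    This is why the switch needs no binding for its own interface address.
arp-protection
arp-protection vlan 10
arp-protection trust A1
arp-protection validate src-mac dest-mac ip

; 3. Devices that legitimately keep a static address get an explicit
;    binding rather than a trusted port, so they are still pinned to
;    exactly one IP on one port.
ip source-binding 001122-334455 vlan 10 172.17.1.50 interface B3

; 4. Verify: the binding table should list every active client, and the
;    ARP protection view should show VLAN 10 protected with A1 trusted.
show dhcp-snooping
show dhcp-snooping binding
show arp-protection
show ip source-binding
```

Two operational notes. The binding table starts empty when snooping is enabled, so existing clients have no entry until they renew their lease; plan the change for a window where a forced renewal (or a short lease time set in advance) is acceptable, and consider the switch's option to save the binding database to a TFTP server so it survives a reboot. If the DHCP server sits behind an uplink rather than on a local port, the uplink is the port that must be trusted for both snooping and ARP protection, and any ARP protection trusted port is by definition a port on which a user could still claim 172.17.1.1, so keep that list to infrastructure ports only.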
