Possible to lock an IP to a physical port?

Is there a reliable cheap way to lock an IP address to a physical switch port to prevent the owner of a computer from using other IP addresses in the IP block? Maybe a cheap switch with layer 3 management capabilities? That would be ideal. A firewall could probably do it but I'd rather not have to buy an individual firewall for each server. Hopefully there's a simpler solution.

In my scenario, the owner has root level access. So, unless I am wrong, nothing is forcing the owners to use DHCP to configure their NIC.

My first thought: access list on the port with a managed switch. Though it would be a pain to maintain for a ton of them.

If it's a Windows domain, maybe a static IP. The machine can't change names without leaving the domain, and if it changes IPs, the static DNS will screw it over.


If it's Linux, if you know what he does with root, take away root access and give him sudo instead.

All I can think of is Cisco's physical port security......but does it do IP addresses? shiza....

ehh....hmmm

Switches are generally L2, so MAC lock is what they do. That is what Cisco's port security does BTW, as well as Extreme's lock learning.

If they have root there is NOTHING to stop them from changing the IP on the server side. To restrict at the switch you can break out PVLANs within a VLAN and use a VACL to restrict traffic from the PVLAN (1 PVLAN per port) to that IP only. But it's an awful lot of work, so I hope it's worth it. ;)

Why does this person have root access if you can't trust them? I'd fix that problem before making all the work for myself ...

cbgrappler - Why does this person have root access if you can't trust them? I'd fix that problem before making all the work for myself ...


It's a dedicated server setup. I am providing the hardware and IP and installing the OS. User gets full root access to install whatever and do whatever.

bartos - It's a dedicated server setup. I am providing the hardware and IP and installing the OS. User gets full root access to install whatever and do whatever.

Well then, reducing privileges is not an option ... lol

As the other posters (big_slacker, asdf) said, do it at the switch with ACLs.


----------------------------------------------

Port ACLs

You can also apply ACLs to Layer 2 interfaces on a switch. Port ACLs are supported on physical interfaces and EtherChannel interfaces.

The following access lists are supported on Layer 2 interfaces:

Standard IP access lists using source addresses
Extended IP access lists using source and destination addresses and optional protocol type information
MAC extended access lists using source and destination MAC addresses and optional protocol type information
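Putting the thread's two suggestions together (Cisco port security for the MAC, a port ACL for the IP), here is an added example that was not posted by anyone in the thread: a small Python script that renders the per-port IOS config from an assignment table, so that big_slacker's "ton of them" becomes one table to maintain instead of hand-typed ACLs. The port names, IPs and MACs are constructed sample data, the ACL naming scheme (LOCK-<port>) is the script's own convention, and the command syntax should be checked against the documentation for your own switch model.

```python
"""Render per-port Cisco IOS config that pins a dedicated server to its
assigned IP with a port ACL and, optionally, to its MAC with port security.

Added example for this thread, not config posted by anyone in it.  Every
port name, IP and MAC in ASSIGNMENTS is constructed sample data, and the
ACL naming scheme (LOCK-<port>) is this script's own convention.  Check
the emitted commands against your own platform's documentation.
"""
import ipaddress
import re

# Constructed sample table: switch port -> (assigned IPv4, server MAC or None).
ASSIGNMENTS = {
    "GigabitEthernet0/1": ("203.0.113.10", "0011.2233.4455"),
    "GigabitEthernet0/2": ("203.0.113.11", None),
}

# Cisco writes MACs as three dotted groups of four hex digits.
_CISCO_MAC = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$", re.IGNORECASE)


def acl_name(interface):
    """ACL name derived from the port, e.g. GigabitEthernet0/1 -> LOCK-Gi0_1.
    Kept to letters, digits, '-' and '_' so it is a safe named-ACL token."""
    short = re.sub(r"^GigabitEthernet", "Gi", interface)
    short = re.sub(r"^FastEthernet", "Fa", short)
    return "LOCK-" + short.replace("/", "_")


def validate(assignments):
    """Return a list of problems (empty when the table is sane): unparsable or
    unusable addresses, a badly formatted MAC, or one IP given to two ports."""
    problems, owner = [], {}
    for intf, (ip, mac) in assignments.items():
        try:
            addr = ipaddress.IPv4Address(ip)
        except ipaddress.AddressValueError:
            problems.append(f"{intf}: {ip!r} is not an IPv4 address")
            continue
        if addr.is_multicast or addr.is_unspecified:
            problems.append(f"{intf}: {ip} is not a usable host address")
        if ip in owner:
            problems.append(f"{ip} assigned to both {owner[ip]} and {intf}")
        owner[ip] = intf
        if mac is not None and not _CISCO_MAC.match(mac):
            problems.append(f"{intf}: MAC {mac!r} must look like hhhh.hhhh.hhhh")
    return problems


def render_port(interface, ip, mac=None):
    """Config for one port: a named extended ACL that permits only the
    assigned source IP, applied inbound (frames the server sends into the
    switch), plus a one-MAC port-security lock when a MAC is known."""
    name = acl_name(interface)
    lines = [
        f"ip access-list extended {name}",
        f" remark lock {interface} to {ip}",
        f" permit ip host {ip} any",
        " deny ip any any",  # implicit anyway; written out so the intent is visible
        "!",
        f"interface {interface}",
        f" description dedicated server {ip}",
        " switchport mode access",
    ]
    if mac is not None:
        lines += [
            " switchport port-security",
            " switchport port-security maximum 1",
            f" switchport port-security mac-address {mac}",
            " switchport port-security violation restrict",
        ]
    lines += [f" ip access-group {name} in", "!"]
    return "\n".join(lines)


def render_config(assignments):
    """Validate the whole table first, then emit config for every port."""
    problems = validate(assignments)
    if problems:
        raise ValueError("; ".join(problems))
    return "\n".join(render_port(i, ip, mac) for i, (ip, mac) in assignments.items())


if __name__ == "__main__":
    print(render_config(ASSIGNMENTS))
```

Two things worth knowing before relying on this. The ACL is applied inbound, that is, on frames entering the switch from the server, which is the direction that matters here: any IPv4 packet the server sources from an address other than its own is dropped at the port. But an IP access list only matches IPv4; ARP is a different Ethertype, so the server can still answer or announce ARP for addresses it does not own and poison its neighbours' caches, even though it cannot actually push IP traffic from them. Filtering the non-IP side of that needs a MAC access list on the port, which is what the third bullet in the pasted doc is for.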