Lock down VLAN to only allow specific IPs


I’m running VyOS 1.5 in production for my datacenter equipment, I’m going to be racking a customer for colocation where I’m their upstream. My plan is to put them on an isolated VLAN to connect to my core router. I’m not 100% familiar with policies in VyOS, but is there a way to restrict them to only being able to assign specific IP addresses?

E.g. they're assigned 5 IP addresses, they're allowed to use 123.456.7.10 - 123.456.7.15

Thanks in advance!

Not really, no. (At least that I’m aware of, happy to be corrected!)
This is why you have to be careful with things like this: a misconfiguration where they take .1 (assuming a /24 subnet and your default gateway is .1) will cause you all sorts of issues.

As long as they’re the only customer on that VLAN though the worst they can do is nuke themselves.

Alternatively you could give them RFC1918 IPs but do a 1:1 NAT to the public IPs you want them to have. That way you can have your whole /24 on the one VLAN but your customer doesn’t have access to that, they only get access to it via NAT on your router.

Those are the only suggestions I can think of, but hopefully those more clever than me will think of another solution.
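The 1:1 NAT approach from the reply above, written out as an added VyOS 1.4/1.5-style configuration example (not from the thread or the VyOS project). It assumes the customer VLAN is vif 100 on eth1, the upstream interface is eth0, the customer gets the constructed private range 10.100.0.0/29 (router on .1, customer hosts .2 to .6), and the constructed public address 192.0.2.10 (TEST-NET-1) maps to customer host 10.100.0.2; the names and addresses are placeholders.

```vyos
# Customer-facing VLAN carries only RFC1918 space; the public /24 never
# appears on this segment, so the customer cannot claim a public IP directly.
set interfaces ethernet eth1 vif 100 description 'customer-colo'
set interfaces ethernet eth1 vif 100 address '10.100.0.1/29'

# Outbound half of the 1:1 mapping: customer host 10.100.0.2 leaves eth0
# as 192.0.2.10 (constructed values).
set nat source rule 110 description 'colo host 1 -> 192.0.2.10'
set nat source rule 110 outbound-interface name 'eth0'
set nat source rule 110 source address '10.100.0.2'
set nat source rule 110 translation address '192.0.2.10'

# Inbound half: anything arriving on eth0 for 192.0.2.10 is handed to
# 10.100.0.2. Repeat both halves with a new rule number for each of the
# customer's public IPs (e.g. rule 111 for 10.100.0.3 -> 192.0.2.11).
set nat destination rule 110 description '192.0.2.10 -> colo host 1'
set nat destination rule 110 inbound-interface name 'eth0'
set nat destination rule 110 destination address '192.0.2.10'
set nat destination rule 110 translation address '10.100.0.2'
```

This only works if the upstream routes the public block to the router (the router is the next hop for 192.0.2.0/24) rather than expecting each address to answer ARP on the upstream segment. After `commit`, `show nat source translations` and `show nat destination translations` confirm the mapping is in use, and `show conntrack table ipv4` shows the per-flow state.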

Interesting, that 1:1 NAT idea does sound interesting. I wish there was a better solution though.

Oh, the other thing you could look at doing, I'm not sure how to do it in VyOS but maybe it's possible, is to disable ARP/install an ARP filter.

You could then statically define your customer’s IPs to their MAC addresses, so they can’t use another IP because the router would ignore ARP.

I haven’t really thought through the detail of that, but looking at 1.4 you can do:

tjh@box# set interfaces ethernet eth1 ip 
Possible completions:
   adjust-mss           Adjust TCP MSS value
   arp-cache-timeout    ARP cache entry timeout in seconds (default: 30)
   disable-arp-filter   Disable ARP filter on this interface
   disable-forwarding   Disable IP forwarding on this interface
   enable-arp-accept    Enable ARP accept on this interface
   enable-arp-announce  Enable ARP announce on this interface
   enable-arp-ignore    Enable ARP ignore on this interface
                        Enable directed broadcast forwarding on this interface
   enable-proxy-arp     Enable proxy-arp on this interface
   proxy-arp-pvlan      Enable private VLAN proxy ARP on this interface
   source-validation    Source validation by reversed path (RFC3704)


The best solution would be to allocate them their own subnet on their VLAN. If you are unable to do that, you can create firewall rules to allow only a specific MAC/IP combo; however, other devices on the same layer 2 may still receive and accept a malicious/erroneous ARP request for, say, your gateway IP, and there will be a performance bottleneck with any firewall/NAT rules on the router. You could also look into another solution such as IP source guard or hardware-offloaded ACLs on your switch, if they support it.
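The MAC/IP firewall rule from the reply above, combined with the static ARP idea from the earlier reply, as an added VyOS 1.4/1.5-style configuration example (not from the thread or the VyOS project). It assumes the customer VLAN is vif 100 on eth1 (Linux interface name eth1.100), the customer's MAC is the constructed 00:53:00:aa:bb:cc, and the customer's public allotment is the constructed range 192.0.2.10 to 192.0.2.15 inside a 192.0.2.0/24 that the router holds as .1 on that VLAN.

```vyos
# Named chain: accept only packets that carry the customer's MAC AND a source
# IP inside their allotment; everything else from that VLAN is dropped and logged.
set firewall ipv4 name CUSTOMER-IN description 'colo customer, 192.0.2.10-15 only'
set firewall ipv4 name CUSTOMER-IN default-action 'drop'
set firewall ipv4 name CUSTOMER-IN default-log
set firewall ipv4 name CUSTOMER-IN rule 10 action 'accept'
set firewall ipv4 name CUSTOMER-IN rule 10 source mac-address '00:53:00:aa:bb:cc'
set firewall ipv4 name CUSTOMER-IN rule 10 source address '192.0.2.10-192.0.2.15'

# Hook the chain for traffic entering from the customer VLAN, both transit
# traffic (forward) and traffic aimed at the router itself (input), so a
# spoofed source cannot reach either the Internet or the router.
set firewall ipv4 forward filter rule 100 inbound-interface name 'eth1.100'
set firewall ipv4 forward filter rule 100 action 'jump'
set firewall ipv4 forward filter rule 100 jump-target 'CUSTOMER-IN'
set firewall ipv4 input filter rule 100 inbound-interface name 'eth1.100'
set firewall ipv4 input filter rule 100 action 'jump'
set firewall ipv4 input filter rule 100 jump-target 'CUSTOMER-IN'

# Pin the allotted addresses to the customer's MAC so the router's own ARP
# table cannot be changed by a gratuitous ARP from that VLAN. One line per IP.
set protocols static arp interface eth1.100 address 192.0.2.10 mac 00:53:00:aa:bb:cc
set protocols static arp interface eth1.100 address 192.0.2.11 mac 00:53:00:aa:bb:cc
set protocols static arp interface eth1.100 address 192.0.2.12 mac 00:53:00:aa:bb:cc
set protocols static arp interface eth1.100 address 192.0.2.13 mac 00:53:00:aa:bb:cc
set protocols static arp interface eth1.100 address 192.0.2.14 mac 00:53:00:aa:bb:cc
set protocols static arp interface eth1.100 address 192.0.2.15 mac 00:53:00:aa:bb:cc

# Strict reverse-path check on the VLAN (the source-validation option shown in
# the completion list above) rejects sources the router would not route back
# out that interface.
set interfaces ethernet eth1 vif 100 ip source-validation 'strict'
```

Two caveats match the thread's warnings: the static ARP entries protect only the router's view, not other hosts on the same VLAN, so the rules are only a full answer when the customer is alone on the segment; and every packet from the VLAN now passes through the named chain, which is the router-side cost the last reply mentions. `show firewall ipv4 name CUSTOMER-IN` displays hit counters for the accept rule and the default drop, and `show arp interface eth1.100` should list the six entries as PERMANENT.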