I've just taken over the management of webhosting within a small web desgin company who managed to pick up a few dedicated/colo clients along the way from some loyal customers. However all these dedicated servers (there's only a hand full) are on the same subnet etc. with very little isolation.

Clearly VLAN's are they way to go to stop them talking to each other and I planning on putting that in to practice shortly. But the question of IP theft has come up.

What the best method of stopping clients adding another ip to their interfaces without permission?

I've seen a couple of people suggesting hardcoding the ARP on the switch, some say ACL's. Other people say those ideas are unmanageable large scale (this worries me).

What the best way to approach this? We are planning on expanding our hosting out over the next couple of years, so I want something that's going to be easily manageable long term.