My LAN requires that some users have the ability to routinely reconfigure their IP addresses for whatever project they are working on. Normally this isn't a problem because if they need access to specific network resources or the internet, they will reconfigure back to the IPs that the admins issued to them originally.
The problem is that when these users create their own subnet out of thin air, I get a ton of firewall logs indicating that their private subnet has been dropped. The reason is that my core doesn't have a route or subnet set up for the one they created, and thus it has been sent up to the firewall via the default route.
This results in having a legitimate LAN address trying to find another legitimate LAN address outside of my core.
Furthermore, how is it possible that in a VLAN, collapsed core architecture, a user can create a subnet out of thin air and communicate outside of the switch he is directly connected to? I assume that my access layer switches are trunking that IP up to the core, which is looking for a destination VLAN to forward to. It can't find a VLAN matching the destination address, so it forwards via the default route. Is that the case, and is there any way to prevent that behavior such that only subnet traffic "assigned" to that VLAN can communicate on said VLAN?
I believe that it is very safe to assume that the address space was being routed by your core to your firewall.
If you want to prevent this symptom, one alternative would be to do a reverse-path check on the SVIs - ip verify unicast reverse-path. This would prevent the packet getting past the SVI, and the firewall would not see it.
I am a bit puzzled why people would invent addresses and subnets like that. It seems to me that since the core has no way to route any response/return traffic that the device would lose its network connectivity and functionality. Is there some aspect of this situation that we do not understand yet?
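The following is an added illustration of what the answer above proposes; it is not code from either poster. It models a collapsed core with two SVIs and a default route to the firewall, then runs a handful of constructed packets through a simplified reverse-path check. The VLAN numbers, prefixes, interface names and the invented 192.168.50.0/24 subnet are all assumptions made for the example. The check mirrors the behaviour of Cisco's ip verify unicast reverse-path (today written as ip verify unicast source reachable-via rx for strict mode and reachable-via any for loose mode): a source address whose only matching route is 0.0.0.0/0 fails unless allow-default is set, and in strict mode the route back to the source must point out the interface the packet arrived on.

```python
import ipaddress

# Constructed collapsed-core routing table: one SVI per VLAN plus a default
# route toward the firewall. Interface names and prefixes are assumptions.
FIB = [
    (ipaddress.ip_network("10.1.10.0/24"), "Vlan10"),
    (ipaddress.ip_network("10.1.20.0/24"), "Vlan20"),
    (ipaddress.ip_network("0.0.0.0/0"), "Gi1/0/48"),  # default route -> firewall
]


def lookup(addr):
    """Longest-prefix match against FIB. Returns (prefix, iface) or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in FIB:
        if ip in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best


def urpf_passes(src, ingress, mode="strict", allow_default=False):
    """Simplified uRPF as applied on the ingress SVI (a model, not IOS code).

    mode: "off"     no check
          "loose"   any route to the source suffices (reachable-via any)
          "strict"  the route to the source must point back out the ingress
                    interface (reachable-via rx)
    allow_default: whether a match on 0.0.0.0/0 counts. By default it does not,
    so a source known only via the default route fails both loose and strict.
    """
    if mode == "off":
        return True
    match = lookup(src)
    if match is None:
        return False
    prefix, iface = match
    if prefix.prefixlen == 0 and not allow_default:
        return False
    if mode == "loose":
        return True
    return iface == ingress


def route(src, dst, ingress, mode="strict"):
    """Outcome for one packet: the egress interface, or why it was dropped."""
    if not urpf_passes(src, ingress, mode):
        return f"drop:urpf:{ingress}"
    match = lookup(dst)
    if match is None:
        return "drop:no-route"
    return f"forward:{match[1]}"


# Constructed traffic. 192.168.50.0/24 stands in for a subnet a user invented.
PACKETS = [
    ("10.1.10.5", "10.1.20.7", "Vlan10"),        # normal inter-VLAN traffic
    ("192.168.50.5", "203.0.113.10", "Vlan10"),  # invented source, bound for the internet
    ("192.168.50.5", "10.1.20.7", "Vlan10"),     # invented source, bound for an internal server
    ("10.1.20.7", "192.168.50.5", "Vlan20"),     # a server's reply to the invented address
    ("10.1.20.7", "10.1.10.5", "Vlan10"),        # VLAN 20 address showing up on VLAN 10
]


def run(mode):
    """Route every constructed packet under one uRPF mode; returns the outcomes."""
    return [route(s, d, i, mode) for s, d, i in PACKETS]


if __name__ == "__main__":
    for mode in ("off", "loose", "strict"):
        print(f"uRPF {mode}:")
        for (s, d, i), outcome in zip(PACKETS, run(mode)):
            print(f"  {s:>14} -> {d:<14} in {i:<7} {outcome}")
```

With the check off, both packets from the invented 192.168.50.5 are routed and the internet-bound one lands on the firewall, which is the log entry the question describes; with strict mode they are dropped on the ingress SVI instead, as are packets whose source belongs to a different VLAN than the one they arrived on. Two caveats: the check only covers the outbound half, so if an internal server does answer an address the core cannot route, that reply still follows the default route to the firewall; and strict mode assumes symmetric paths, so it should not be enabled on an SVI that carries a transit router or a multi-homed host whose return path legitimately differs.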