txfz
Frequent Visitor
Topic Author
Posts: 67
Joined: Tue Mar 10, 2020 9:02 am

Restricting IP addresses on bridge ports

Wed Aug 05, 2020 8:14 pm

We're setting up a router in a building that will house a few company tenants, each with their own router (managed by the tenants). Our router connects to the Internet, and we have been assigned a few public IP addresses, which we in turn will assign to each of our tenants. We're going to set up a bridge on the router, so that the tenants are directly connected to the Internet, using the ISP as their gateway. So far, so good. The problem that arises is that we'll want to make sure that each tenant only ever uses a specific IP address, so as not to conflict with each other. How can I achieve this?

I've seen suggestions to configure interfaces for ARP replies only, but I think this is only relevant when the router (or "switch", in this case) itself acts as the gateway.

Whether we need to use a DHCP server or have the tenants set addresses statically doesn't matter.
 
sindy
Forum Guru
Posts: 11230
Joined: Mon Dec 04, 2017 9:19 pm

Re: Restricting IP addresses on bridge ports

Thu Aug 06, 2020 6:31 pm

By using arp=reply-only on the gateway and DHCP server combo, you effectively prevent the tenants from using any other address than the one assigned to them by DHCP, as there will be no ARP record for them; they can send packets with that incorrect IP address as source, but the responses will never reach them due to the missing ARP record. This doesn't prevent them from sending from these addresses, though, if they don't care about responses.

On a switch, or wherever the gateway and the DHCP server are not colocated, the solution is ingress filtering by IP address. The specific commands depend on the switch model: CRX1xx/CRS2xx switches and CRS3xx switches use different switch chips with a different way of configuring things like this.
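For the case sindy describes first, where the RouterOS box is both the gateway and the DHCP server, the configuration looks roughly like the following. This is an added example, not taken from the thread; the interface name bridge1, the public prefix 203.0.113.0/29, the gateway address 203.0.113.1 and the tenant MAC addresses are hypothetical placeholders. add-arp=yes makes the DHCP server create the ARP entry for each lease it hands out, and address-pool=static-only means only the pre-registered MACs ever receive an address.

```routeros
# Hypothetical interface and addresses; replace with your own.
/ip address
add address=203.0.113.1/29 interface=bridge1

/ip dhcp-server
# static-only: no dynamic pool, only the leases listed below are handed out
# add-arp=yes: the server installs the ARP entry for every lease it grants
add name=tenants interface=bridge1 address-pool=static-only add-arp=yes disabled=no

/ip dhcp-server network
add address=203.0.113.0/29 gateway=203.0.113.1

/ip dhcp-server lease
add server=tenants mac-address=02:00:00:00:00:A1 address=203.0.113.10 comment="tenant A"
add server=tenants mac-address=02:00:00:00:00:B1 address=203.0.113.11 comment="tenant B"

/interface bridge
# reply-only: the router answers ARP requests for its own address but never
# learns ARP entries from the wire; only entries created by the DHCP server exist
set bridge1 arp=reply-only
```

To check the result, run /ip arp print and confirm that only the lease-derived entries for 203.0.113.10 and 203.0.113.11 are present on bridge1; a tenant that configures any other address gets no ARP entry, so its return traffic has nowhere to go. As sindy notes, this does nothing about packets the tenant sends with a forged source address, which is what the ingress filtering in the switch case addresses.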
 
jbl42
Member Candidate
Posts: 225
Joined: Sun Jun 21, 2020 12:58 pm

Re: Restricting IP addresses on bridge ports

Mon Aug 10, 2020 12:38 am

Consider distributing the tenant IPs by static DHCP leases (no dynamic pool) based on the MAC addresses of the tenants' upstream interfaces. This gives you control over the IP/MAC relations. But MAC addresses can be changed easily, so a tenant could in theory use a MAC address registered for another tenant.

If this is not acceptable, the ROS bridge filtering feature (->Bridge->Filters) can be used to drop all packets not going to / coming from the correct MAC address of the tenant belonging to a physical bridge port. (This requires each tenant to be connected to a different physical port of the bridge.) This effectively ties a physical port to a predefined MAC address. Be sure not to block Layer 2 broadcasts (used for DHCP and ARP).

On some router models, enabling bridge filtering disables Layer 2 HW acceleration.

If bridging the tenants to the ISP is the only thing the box does, a managed switch running SwOS might be the better choice than a ROS router box. Managed switches can filter MAC addresses at wire speed.
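The port-to-MAC binding jbl42 describes, extended to also pin the IPv4 address and the ARP sender address, can be expressed as a per-port whitelist in the bridge filter forward chain. This is an added example, not code from the thread; ether2 as tenant A's port, the MAC 02:00:00:00:00:A1 and the address 203.0.113.10 are hypothetical placeholders, and the same six rules are repeated for every other tenant port. The rule order matters: the accept rules for the tenant's own IP, its DHCP DISCOVER/REQUEST (source 0.0.0.0) and its ARP traffic come first, and the final catch-all drop covers everything else from that port, including a forged source MAC, a foreign IP, or an ARP announcing someone else's address.

```routeros
/interface bridge filter
# ---- tenant A: port ether2, MAC 02:00:00:00:00:A1, IP 203.0.113.10 (hypothetical values) ----
# 1. a frame from this port must carry the registered source MAC
add chain=forward in-interface=ether2 \
    src-mac-address=!02:00:00:00:00:A1/FF:FF:FF:FF:FF:FF \
    action=drop comment="tenant A: foreign source MAC"
# 2. IPv4 from this port must use the tenant's own public address
add chain=forward in-interface=ether2 mac-protocol=ip \
    src-address=203.0.113.10/32 action=accept comment="tenant A: own IPv4"
# 3. DHCP DISCOVER/REQUEST is sent from 0.0.0.0 before the lease exists
add chain=forward in-interface=ether2 mac-protocol=ip ip-protocol=udp \
    src-address=0.0.0.0/32 dst-port=67 action=accept comment="tenant A: DHCP client"
# 4. ARP requests/replies may only announce the tenant's own IP and MAC
add chain=forward in-interface=ether2 mac-protocol=arp \
    arp-src-address=203.0.113.10/32 \
    arp-src-mac-address=02:00:00:00:00:A1/FF:FF:FF:FF:FF:FF \
    action=accept comment="tenant A: ARP for own IP"
# 5. ARP probes for duplicate-address detection use sender IP 0.0.0.0
add chain=forward in-interface=ether2 mac-protocol=arp \
    arp-src-address=0.0.0.0/32 action=accept comment="tenant A: ARP probe"
# 6. anything else from this port (other IPv4 sources, other protocols) is dropped
add chain=forward in-interface=ether2 action=drop comment="tenant A: drop the rest"
```

Frames addressed to the router itself (for example DHCP requests when the DHCP server runs on the router) traverse the bridge filter input chain rather than forward, so the rules above do not interfere with the router's own DHCP service; they only control what a tenant port may inject towards the ISP port and the other tenants. Use /interface bridge filter print stats to watch the counters while a tenant tries a wrong address, and check /interface bridge port print for the H (hardware offload) flag, since, as jbl42 notes, bridge filtering turns Layer 2 hardware acceleration off on some models.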
 
anav
Forum Guru
Posts: 22092
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Restricting IP addresses on bridge ports

Mon Aug 10, 2020 4:18 pm

Sounds like VLANs will segregate traffic securely.
