Note that I also created an LibreNMS alert to monitor explicitly the mgmt network:
%syslog.msg ~ "KERN_ARP_ADDR_CHANGE" && %devices.hostname ~ "mr" && %devices.hardware ~ "SRX" && %syslog.timestamp >= %macros.past_30m
mgmt only as "KERN_ARP_ADDR_CHANGE" is only for SRX.

Above Gerrit patch is waiting for reviews, so reassigning to Faidon
It has the advantage of being simple and easy to deploy.
Limitations are:

• increase of traffic, both ARP and Icinga
• risking the race condition where the rogue server would take the IP and not letting the Icinga run properly on the host

Counter argument is that the ping check will still succeed, but other checks, including the duplicated MAC one would fail as the Icinga/NRPE tcp session would break, indicating a possible IP conflict

An ideal system, in my mind, would listen on all vlans and keep track of IP/mac bindings then alert on collisions, but would be heavy to build and trunk to all vlans.

On the enforcing side, a few solutions are (or will be) possible:

• enable the build in DHCP snooping feature of the switches, which will enforce that servers connected to access ports, only use the IP address assigned by the DHCP (prevent any manually assigned IPs).
• manually configure the allowed IP/MAC addresses on the switch (heavy to do manually, easier with automation).

We have a working solution for the mgmt network (until it's time to split mgmt into smaller subnets).
And for production, automation and per rack subnets are/will be enough.