解决IP地址冲突的方法--DHCP SNOOPING
2006-10-15 20:58
351 查看
使用的方法是采用DHCP方式为用户分配IP,然后限定这些用户只能使用动态IP的方式,如果改成静态IP的方式则不能连接上网络;也就是使用了DHCP SNOOPING功能。
例子:
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service p assword-encryption
service compress-config
!
hostname C4-2_4506
!
enable password xxxxxxx!
clock timezone GMT 8
ip subnet-zero
no ip domain-lookup
!
ip dhcp snooping vlan 180-181 // 对哪些VLAN 进行限制
ip dhcp snooping
ip arp inspection vlan 180-181
ip arp inspection validate src-mac dst-mac ip
errdisable recovery cause udld
errdisable recovery cause bpduguard
errdisable recovery cause security-violation
errdisable recovery cause channel-misconfig
errdisable recovery cause pagp-flap
errdisable recovery cause dtp-flap
errdisable recovery cause link-flap
errdisable recovery cause l2ptguard
errdisable recovery cause psecure-violation
errdisable recovery cause gbic-invalid
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause unicast-flood
errdisable recovery cause vmps
errdisable recovery cause arp-inspection
errdisable recovery interval 30
spanning-tree extend system-id
!
!
interface GigabitEthernet2/1 // 对该端口接入的用户进行限制,可以下联交换机
ip arp inspection limit rate 100
arp timeout 2
ip dhcp snooping limit rate 100
!
interface GigabitEthernet2/2
ip arp inspection limit rate 100
arp timeout 2
ip dhcp snooping limit rate 100
!
interface GigabitEthernet2/3
ip arp inspection limit rate 100
arp timeout 2
ip dhcp snooping limit rate 100
!
interface GigabitEthernet2/4
ip arp inspection limit rate 100
arp timeout 2
ip dhcp snooping limit rate 100
--More--
编者注:对不需要明确地址的所有人的时候是一个很好的解决办法。另外,可以查看www.cisco.com的
IP Source Guard
Similar to DHCP snooping, this feature is enabled on a DHCP snooping untrusted Layer 2 port. Initially, all IP traffic on the port is blocked except for DHCP packets that are captured by the DHCP snooping process. When a client receives a valid IP address from the DHCP server, or when a static IP source binding is configured by the user, a per-port and VLAN Access Control List (PACL) is installed on the port. This process restricts the client IP traffic to those source IP addresses configured in the binding; any IP traffic with a source IP address other than that in the IP source binding will be filtered out. This filtering limits a host's ability to attack the network by claiming neighbor host's IP address.
例子:
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service p assword-encryption
service compress-config
!
hostname C4-2_4506
!
enable password xxxxxxx!
clock timezone GMT 8
ip subnet-zero
no ip domain-lookup
!
ip dhcp snooping vlan 180-181 // 对哪些VLAN 进行限制
ip dhcp snooping
ip arp inspection vlan 180-181
ip arp inspection validate src-mac dst-mac ip
errdisable recovery cause udld
errdisable recovery cause bpduguard
errdisable recovery cause security-violation
errdisable recovery cause channel-misconfig
errdisable recovery cause pagp-flap
errdisable recovery cause dtp-flap
errdisable recovery cause link-flap
errdisable recovery cause l2ptguard
errdisable recovery cause psecure-violation
errdisable recovery cause gbic-invalid
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause unicast-flood
errdisable recovery cause vmps
errdisable recovery cause arp-inspection
errdisable recovery interval 30
spanning-tree extend system-id
!
!
interface GigabitEthernet2/1 // 对该端口接入的用户进行限制,可以下联交换机
ip arp inspection limit rate 100
arp timeout 2
ip dhcp snooping limit rate 100
!
interface GigabitEthernet2/2
ip arp inspection limit rate 100
arp timeout 2
ip dhcp snooping limit rate 100
!
interface GigabitEthernet2/3
ip arp inspection limit rate 100
arp timeout 2
ip dhcp snooping limit rate 100
!
interface GigabitEthernet2/4
ip arp inspection limit rate 100
arp timeout 2
ip dhcp snooping limit rate 100
--More--
编者注:对不需要明确地址的所有人的时候是一个很好的解决办法。另外,可以查看www.cisco.com的
IP Source Guard
Similar to DHCP snooping, this feature is enabled on a DHCP snooping untrusted Layer 2 port. Initially, all IP traffic on the port is blocked except for DHCP packets that are captured by the DHCP snooping process. When a client receives a valid IP address from the DHCP server, or when a static IP source binding is configured by the user, a per-port and VLAN Access Control List (PACL) is installed on the port. This process restricts the client IP traffic to those source IP addresses configured in the binding; any IP traffic with a source IP address other than that in the IP source binding will be filtered out. This filtering limits a host's ability to attack the network by claiming neighbor host's IP address.
相关文章推荐
- 解决IP地址冲突的完美方法(管理除外)--DHCP SNOOPING
- DHCP冲突的解决方法
- IP地址冲突问题的解决方法
- 解决IP地址冲突的完美方法
- DHCP冲突的解决方法
- 局域网IP地址冲突的原因及其解决方法
- IP地址冲突问题的解决方法
- 无线网络IP地址冲突的解决方法
- 解决IP地址冲突的方法--DHCP SNOOPING 经实验
- Linux下检测IP地址冲突及解决方法
- IP地址冲突问题的解决方法
- IP地址冲突问题的解决方法
- NetCore连接小区宽带Modem,显示IP地址冲突的解决方法
- IP地址冲突问题的解决方法
- dhcp分配不到IP地址的解决方法
- IP地址冲突问题的解决方法
- 解决IP地址冲突的方法
- IP地址冲突问题的解决方法
- Linux下检测IP地址冲突及解决方法
- 解决IP地址冲突的完美方法