返回首页

解决IP地址冲突的完美方法--DHCP SNOOPING

时间:2006-10-14 来源: 作者: 点击:
使用的方法是采用DHCP方式为用户分配IP,然后限定这些用户只能使用动态IP的方式,如果改成静态IP的方式则不能连接上网络;也就是使用了DHCP SNOOPING功能。 例子: version 12.1 no service pad service timestamps debug uptime service timestamps log uptime no ser
  

  使用的方法是采用DHCP方式为用户分配IP,然后限定这些用户只能使用动态IP的方式,如果改成静态IP的方式则不能连接上网络;也就是使用了DHCP SNOOPING功能。
  例子:
  version 12.1
  no service pad
  service timestamps debug uptime
  service timestamps log uptime
  no service password-encryption
  service compress-config
  !
  hostname C4-2_4506
  !
  enable password xxxxxxx!
  clock timezone GMT 8
  ip subnet-zero


  no ip domain-lookup
  !
  ip dhcp snooping vlan 180-181 // 对哪些VLAN 进行限制
  ip dhcp snooping
  ip arp inspection vlan 180-181
  ip arp inspection validate src-mac dst-mac ip


  errdisable recovery cause udld
  errdisable recovery cause bpduguard
  errdisable recovery cause security-violation
  errdisable recovery cause channel-misconfig
  errdisable recovery cause pagp-flap
  errdisable recovery cause dtp-flap
  errdisable recovery cause link-flap
  errdisable recovery cause l2ptguard
  errdisable recovery cause psecure-violation
  errdisable recovery cause gbic-invalid
  errdisable recovery cause dhcp-rate-limit
  errdisable recovery cause unicast-flood
  errdisable recovery cause vmps
  errdisable recovery cause arp-inspection
  errdisable recovery interval 30
  spanning-tree extend system-id
  !
  !

  interface GigabitEthernet2/1 // 对该端口接入的用户进行限制,可以下联交换机
  ip arp inspection limit rate 100
  arp timeout 2
  ip dhcp snooping limit rate 100
  !


  interface GigabitEthernet2/2
  ip arp inspection limit rate 100
  arp timeout 2
  ip dhcp snooping limit rate 100
  !
  interface GigabitEthernet2/3
  ip arp inspection limit rate 100
  arp timeout 2
  ip dhcp snooping limit rate 100
  !
  interface GigabitEthernet2/4
  ip arp inspection limit rate 100
  arp timeout 2
  ip dhcp snooping limit rate 100
  --More--

  编者注:对不需要明确地址的所有人的时候是一个很好的解决办法。另外,可以查看www.cisco.com的
  IP Source Guard
  Similar to DHCP snooping, this feature is enabled on a DHCP snooping untrusted Layer 2 port. Initially, all IP traffic on the port is blocked except for DHCP packets that are captured by the DHCP snooping process. When a client receives a valid IP address from the DHCP server, or when a static IP source binding is configured by the user, a per-port and VLAN Access Control List (PACL) is installed on the port. This process restricts the client IP traffic to those source IP addresses configured in the binding; any IP traffic with a source IP address other than that in the IP source binding will be filtered out. This filtering limits a host's ability to attack the network by claiming neighbor host's IP address.

------分隔线----------------------------
顶一下
(12)
75%
踩一下
(4)
25%
------分隔线----------------------------
最新评论 查看所有评论
发表评论 查看所有评论
请自觉遵守互联网相关的政策法规,严禁发布色情、暴力、反动的言论。
评价:
表情:
用户名: 密码: 验证码:
推荐内容