Resolving IP Address Conflicts with DHCP Snooping

ZDNet Software Channel | Date: 2009-12-06 | Author: compiled from forum posts | ZDNet Network Security
Keywords: network protocols, DHCP server, DHCP protocol, DHCP
The approach is to assign IP addresses to users with DHCP and then restrict those users to dynamic addressing only: a host that switches to a static IP address can no longer connect to the network. In other words, the DHCP snooping feature is used.

  Example:

  version 12.1
  no service pad
  service timestamps debug uptime
  service timestamps log uptime
  no service password-encryption
  service compress-config
  !
  hostname C4-2_4506
  !
  enable password xxxxxxx
  !
  clock timezone GMT 8
  ip subnet-zero
  no ip domain-lookup
  !
  ip dhcp snooping vlan 180-181    ! the VLANs on which the restriction is enforced
  ip dhcp snooping
  ip arp inspection vlan 180-181
  ip arp inspection validate src-mac dst-mac ip
  errdisable recovery cause udld
  errdisable recovery cause bpduguard
  errdisable recovery cause security-violation
  errdisable recovery cause channel-misconfig
  errdisable recovery cause pagp-flap
  errdisable recovery cause dtp-flap
  errdisable recovery cause link-flap
  errdisable recovery cause l2ptguard
  errdisable recovery cause psecure-violation
  errdisable recovery cause gbic-invalid
  errdisable recovery cause dhcp-rate-limit
  errdisable recovery cause unicast-flood
  errdisable recovery cause vmps
  errdisable recovery cause arp-inspection
  errdisable recovery interval 30
  spanning-tree extend system-id
  !
  !
  interface GigabitEthernet2/1    ! restricts the users attached to this port; a downstream switch may be connected here
   ip arp inspection limit rate 100
   arp timeout 2
   ip dhcp snooping limit rate 100
  !
  interface GigabitEthernet2/2
   ip arp inspection limit rate 100
   arp timeout 2
   ip dhcp snooping limit rate 100
  !
  interface GigabitEthernet2/3
   ip arp inspection limit rate 100
   arp timeout 2
   ip dhcp snooping limit rate 100
  !
  interface GigabitEthernet2/4
   ip arp inspection limit rate 100
   arp timeout 2
   ip dhcp snooping limit rate 100

  Editor's note: this is a good solution wherever users have no need for fixed, explicitly assigned addresses. See also the description of IP Source Guard on www.cisco.com:

  IP Source Guard

  Similar to DHCP snooping, this feature is enabled on a DHCP snooping untrusted Layer 2 port. Initially, all IP traffic on the port is blocked except for DHCP packets that are captured by the DHCP snooping process. When a client receives a valid IP address from the DHCP server, or when a static IP source binding is configured by the user, a per-port and VLAN Access Control List (PACL) is installed on the port. This process restricts the client IP traffic to those source IP addresses configured in the binding; any IP traffic with a source IP address other than that in the IP source binding will be filtered out. This filtering limits a host's ability to attack the network by claiming a neighbor host's IP address.
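To make the mechanism concrete, here is an added Python model, written for this edit and not code from the article or from Cisco, of the three decisions that the configuration above and the IP Source Guard text describe: DHCP snooping building a binding table from leases requested on untrusted ports and acknowledged through a trusted one, Dynamic ARP Inspection checking ARP packets against that table in the spirit of `validate src-mac ip`, and IP Source Guard's per-port filter admitting only the bound source address. The port names, VLAN numbers, MAC and IP addresses and the packet sequence are all constructed for illustration; the model assumes an uplink port toward the DHCP server is configured as trusted (the article's excerpt does not show that line), and it does not model rate limits or errdisable.

```python
"""Added example, not from the original article: a model of the DHCP snooping
binding table, Dynamic ARP Inspection (DAI) and IP Source Guard (IPSG) decisions.
All port names, VLANs, MAC/IP addresses and packets are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass
class Port:
    name: str
    vlan: int
    trusted: bool = False   # 'ip dhcp snooping trust' / 'ip arp inspection trust'


@dataclass
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str


class SnoopingSwitch:
    """A switch with DHCP snooping, DAI and IPSG enabled on the same VLANs.
    Rate limiting and errdisable are not modelled."""

    def __init__(self, ports, vlans):
        self.ports = {p.name: p for p in ports}
        self.vlans = set(vlans)
        self.pending = {}    # (vlan, client mac) -> port that sent DISCOVER/REQUEST
        self.bindings = {}   # (vlan, client mac) -> Binding (the snooping database)

    def dhcp(self, port_name, msg, eth_src, chaddr, yiaddr=None):
        """Return True if the DHCP message is forwarded, False if dropped."""
        port = self.ports[port_name]
        if port.vlan not in self.vlans:
            return True                       # snooping not enabled on this VLAN
        key = (port.vlan, chaddr)
        if msg in ("OFFER", "ACK", "NAK"):
            if not port.trusted:              # server replies only from trusted ports
                return False
            if msg == "ACK" and key in self.pending:
                self.bindings[key] = Binding(chaddr, yiaddr, port.vlan, self.pending.pop(key))
            return True
        if not port.trusted and eth_src != chaddr:
            return False                      # client hardware address must match frame source
        if msg in ("DISCOVER", "REQUEST"):
            self.pending[key] = port_name
        elif msg in ("RELEASE", "DECLINE"):
            b = self.bindings.get(key)
            if b is None or b.port != port_name:
                return False                  # only the bound port may release a lease
            del self.bindings[key]
        return True

    def arp(self, port_name, eth_src, sender_mac, sender_ip):
        """DAI decision with 'validate src-mac ip': True = permit, False = drop."""
        port = self.ports[port_name]
        if port.vlan not in self.vlans or port.trusted:
            return True
        if eth_src != sender_mac:             # validate src-mac
            return False
        ip = ip_address(sender_ip)
        if ip.is_unspecified or ip.is_multicast or sender_ip == "255.255.255.255":
            return False                      # validate ip
        b = self.bindings.get((port.vlan, sender_mac))
        return b is not None and b.ip == sender_ip and b.port == port_name

    def ip_packet(self, port_name, src_ip):
        """IPSG decision: the per-port ACL permits only bound source addresses."""
        port = self.ports[port_name]
        if port.vlan not in self.vlans or port.trusted:
            return True
        return any(b.ip == src_ip for b in self.bindings.values() if b.port == port_name)


def demo():
    """Walk a constructed lease through the switch and collect the decisions."""
    sw = SnoopingSwitch([Port("Gi2/1", 180), Port("Gi2/2", 180),
                         Port("Gi1/1", 180, trusted=True)], vlans=[180, 181])
    client, server = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff"
    r = {}
    r["rogue_offer"] = sw.dhcp("Gi2/2", "OFFER", server, client, "10.0.180.99")
    r["arp_before_lease"] = sw.arp("Gi2/1", client, client, "10.0.180.20")
    sw.dhcp("Gi2/1", "DISCOVER", client, client)
    sw.dhcp("Gi1/1", "OFFER", server, client, "10.0.180.20")
    sw.dhcp("Gi2/1", "REQUEST", client, client)
    sw.dhcp("Gi1/1", "ACK", server, client, "10.0.180.20")
    r["arp_with_lease"] = sw.arp("Gi2/1", client, client, "10.0.180.20")
    r["arp_spoofed_ip"] = sw.arp("Gi2/1", client, client, "10.0.180.1")
    r["ip_dynamic"] = sw.ip_packet("Gi2/1", "10.0.180.20")
    r["ip_static"] = sw.ip_packet("Gi2/1", "10.0.180.50")
    r["release_from_other_port"] = sw.dhcp("Gi2/2", "RELEASE", client, client)
    r["binding_count"] = len(sw.bindings)
    return r


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24} {verdict}")
```

Running `demo()` shows the behaviour the article promises: a host holding a lease passes both the ARP and the IP checks, the same host presenting a self-assigned static address or an ARP claiming another host's IP is dropped, a DHCP OFFER arriving on an access port is discarded, and a RELEASE for a lease bound to a different port is ignored. On a real switch `sw.bindings` corresponds to the table shown by `show ip dhcp snooping binding`, which is the first thing to inspect when a legitimately leased host is unexpectedly blocked.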
