Q:解決 IP 地址沖突de完美方法
A:使用的方法是采用DHCP方式為用戶分配IP,然后限定這些用戶只能使用動(dòng)態(tài)IP的方式�����,如果改成靜態(tài)IP的方式則不能連接上網(wǎng)絡(luò)�����;也就是使用了DHCP SNOOPING功能。
例子:
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
service compress-config
!
hostname C4-2_4506
!
enable password xxxxxxx!
clock timezone GMT 8
ip subnet-zero
no ip domain-lookup
!
ip dhcp snooping vlan 180-181 // 對(duì)哪些VLAN 進(jìn)行限制
ip dhcp snooping
ip arp inspection vlan 180-181
ip arp inspection validate src-mac dst-mac ip
errdisable recovery cause udld
errdisable recovery cause bpduguard
errdisable recovery cause security-violation
errdisable recovery cause channel-misconfig
errdisable recovery cause pagp-flap
errdisable recovery cause dtp-flap
errdisable recovery cause link-flap
errdisable recovery cause l2ptguard
errdisable recovery cause psecure-violation
errdisable recovery cause gbic-invalid
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause unicast-flood
errdisable recovery cause vmps
errdisable recovery cause arp-inspection
errdisable recovery interval 30
spanning-tree extend system-id
! www.puercn.com
!
interface GigabitEthernet2/1 // 對(duì)該端口接入的用戶進(jìn)行限制,可以下聯(lián)交換機(jī)
ip arp inspection limit rate 100
arp timeout 2
ip dhcp snooping limit rate 100
!
interface GigabitEthernet2/2
ip arp inspection limit rate 100
arp timeout 2
ip dhcp snooping limit rate 100
!
interface GigabitEthernet2/3
ip arp inspection limit rate 100
arp timeout 2
ip dhcp snooping limit rate 100
!
interface GigabitEthernet2/4
ip arp inspection limit rate 100
arp timeout 2
ip dhcp snooping limit rate 100
注:DHCP Snooping
DAI����,Dynamic ARP Inspection
IP Source Guard
DHCP Interface Tracker (Option 82)
設(shè)備局限很大,3550---4000系列之間能用,用來(lái)防止基于內(nèi)部的2層攻擊,同一VLAN防止私自建立DHCP SERVER
