cisco3550---4000系列解决IP地址冲突的一种方法
使用的方法是采用DHCP方式为用户分配IP,然后限定这些用户只能使用动态IP的方式,如果改成静态IP的方式则不能连接上网络;也就是使用了DHCP SNOOPING功能。例子:
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
service compress-config
!
hostname C4-2_4506
!
enable password xxxxxxx!
clock timezone GMT 8
ip subnet-zero
no ip domain-lookup
!
ip dhcp snooping vlan 180-181 // 对哪些VLAN 进行限制
ip dhcp snooping
ip arp inspection vlan 180-181
ip arp inspection validate src-mac dst-mac ip
errdisable recovery cause udld
errdisable recovery cause bpduguard
errdisable recovery cause security-violation
errdisable recovery cause channel-misconfig
errdisable recovery cause pagp-flap
errdisable recovery cause dtp-flap
errdisable recovery cause link-flap
errdisable recovery cause l2ptguard
errdisable recovery cause psecure-violation
errdisable recovery cause gbic-invalid
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause unicast-flood
errdisable recovery cause vmps
errdisable recovery cause arp-inspection
errdisable recovery interval 30
spanning-tree extend system-id
!
!
interface GigabitEthernet2/1 // 对该端口接入的用户进行限制,可以下联交换机
ip arp inspection limit rate 100
arp timeout 2
ip dhcp snooping limit rate 100
!
interface GigabitEthernet2/2
ip arp inspection limit rate 100
arp timeout 2
ip dhcp snooping limit rate 100
!
interface GigabitEthernet2/3
ip arp inspection limit rate 100
arp timeout 2
ip dhcp snooping limit rate 100
!
interface GigabitEthernet2/4
ip arp inspection limit rate 100
arp timeout 2
ip dhcp snooping limit rate 100
注:DHCP Snooping
DAI,Dynamic ARP Inspection
IP Source Guard
DHCP Interface Tracker (Option 82)
设备局限很大,3550---4000系列之间能用,用来防止基于内部的2层攻击,同一VLAN防止私自建立DHCP SERVER
[[i] 本帖最后由 iamshiyu 于 2006-11-13 10:56 编辑 [/i]] cisco设备吗?保留一下,顺便帮你改个标题…… 谢谢!:handshake cisco的
不错,偶喜欢:lol
希望楼主继续努力。。:handshake 好东西,收下了,谢谢!~~ 有做过测试吗?我试了,好像不可行哦!(也许是我没设好吧)可以指点一下 :handshake 顶,非常好,谢谢了!!!! 谢谢。。顶顶 好贴! 保存了,谢谢
页:
[1]
