
The perfect way to resolve IP address conflicts    2006-05-27 01:18:00

Permalink: http://blog.pfan.cn/lizoulee/14957.html


The approach is to assign IP addresses to users via DHCP and then restrict those users to dynamic addressing only: a host that switches to a static IP address can no longer connect to the network. In other words, the DHCP snooping feature is used. Example:

version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
service compress-config
!
hostname C4-2_4506
!
enable password xxxxxxx
!
clock timezone GMT 8
ip subnet-zero
no ip domain-lookup
!
ip dhcp snooping vlan 180-181          // which VLANs are restricted
ip dhcp snooping
ip arp inspection vlan 180-181
ip arp inspection validate src-mac dst-mac ip
errdisable recovery cause udld
errdisable recovery cause bpduguard
errdisable recovery cause security-violation
errdisable recovery cause channel-misconfig
errdisable recovery cause pagp-flap
errdisable recovery cause dtp-flap
errdisable recovery cause link-flap
errdisable recovery cause l2ptguard
errdisable recovery cause psecure-violation
errdisable recovery cause gbic-invalid
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause unicast-flood
errdisable recovery cause vmps
errdisable recovery cause arp-inspection
errdisable recovery interval 30
spanning-tree extend system-id
!
!
interface GigabitEthernet2/1          // restricts the users behind this port; a downstream switch may be attached
 ip arp inspection limit rate 100
 arp timeout 2
 ip dhcp snooping limit rate 100
!
interface GigabitEthernet2/2
 ip arp inspection limit rate 100
 arp timeout 2
 ip dhcp snooping limit rate 100
!
interface GigabitEthernet2/3
 ip arp inspection limit rate 100
 arp timeout 2
 ip dhcp snooping limit rate 100
!
interface GigabitEthernet2/4
 ip arp inspection limit rate 100
 arp timeout 2
 ip dhcp snooping limit rate 100
--More--

A brief note on where this solution came from: I am the network administrator at a certain university (sort of). All of the student dormitory and teaching areas at our school connect to the network through Cisco equipment (8 Cisco 6509s, 2 Cisco 7613s, more than 30 Cisco 4506s, over two hundred Cisco 2950s of various series, and more than 10,000 student hosts on the network). Like everyone else, our biggest problem was IP address conflicts. Our earlier fix was to bind IP addresses to ports on the 2950s, but in 2004 we purchased a large batch of Cisco 2950T-48-SI switches, and those do not support Layer 2 ACLs, so that method stopped working. We discussed this problem at length with our network integrator and with Cisco's engineers in search of a solution; although several of them were CCIEs, none of them had a good answer. It was not until I attended Cisco's user conference in Beijing at the end of 2004 and discussed it with a foreign CCIE from Cisco headquarters that he offered the solution above. We implemented it as soon as we got back, and the results have been excellent.

IP Source Guard

Similar to DHCP snooping, this feature is enabled on a DHCP snooping untrusted Layer 2 port. Initially, all IP traffic on the port is blocked except for DHCP packets that are captured by the DHCP snooping process. When a client receives a valid IP address from the DHCP server, or when a static IP source binding is configured by the user, a per-port and VLAN Access Control List (PACL) is installed on the port. This process restricts the client IP traffic to those source IP addresses configured in the binding; any IP traffic with a source IP address other than that in the IP source binding will be filtered out. This filtering limits a host's ability to attack the network by claiming a neighbor host's IP address.
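Added example (not from the original post and not Cisco code): a Python model of the binding-table check described above, showing why a statically addressed host, a host claiming a neighbor's address, and an ARP frame whose sender MAC disagrees with the Ethernet source are all dropped on an untrusted port while a DHCP lease holder passes. The Switch/Packet classes, port names, VLAN, MAC and IP addresses are constructed for this model and are not switch APIs or values from the post.

```python
from collections import namedtuple
from dataclasses import dataclass

# One row of the DHCP snooping binding table (MAC, IP, VLAN, ingress port).
Binding = namedtuple("Binding", "mac ip vlan port")

@dataclass
class Packet:
    port: str            # ingress switch port
    vlan: int
    src_mac: str         # Ethernet source MAC
    src_ip: str          # IP source, or ARP sender IP when proto == "arp"
    proto: str = "ip"    # "dhcp", "arp" or "ip"
    sender_mac: str = "" # ARP body sender MAC, checked by 'validate src-mac'

class Switch:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)   # uplinks: snooping/DAI/ISG not applied
        self.bindings = set()

    def learn_lease(self, mac, ip, vlan, port):
        # DHCP snooping adds the row when the server's ACK crosses the switch;
        # a host that configured a static address never gets one.
        self.bindings.add(Binding(mac, ip, vlan, port))

    def forward(self, pkt):
        if pkt.port in self.trusted or pkt.proto == "dhcp":
            return "permit"   # trusted uplink, or a client obtaining a lease
        if pkt.proto == "arp" and pkt.sender_mac != pkt.src_mac:
            return "drop"     # DAI 'validate src-mac': ARP sender MAC must match frame
        # IP Source Guard (and DAI for ARP): only the (MAC, IP) bound to this port/VLAN passes.
        bound = Binding(pkt.src_mac, pkt.src_ip, pkt.vlan, pkt.port) in self.bindings
        return "permit" if bound else "drop"

def demo():
    # Constructed scenario: VLAN 180, uplink Gi1/1 trusted, Gi2/1 and Gi2/2 untrusted.
    sw = Switch({"GigabitEthernet1/1"})
    sw.learn_lease("00:11:22:33:44:55", "10.180.0.10", 180, "GigabitEthernet2/1")
    cases = {
        "lease_holder":  Packet("GigabitEthernet2/1", 180, "00:11:22:33:44:55", "10.180.0.10"),
        "static_ip":     Packet("GigabitEthernet2/2", 180, "00:aa:bb:cc:dd:ee", "10.180.0.20"),
        "spoofed_ip":    Packet("GigabitEthernet2/2", 180, "00:aa:bb:cc:dd:ee", "10.180.0.10"),
        "dhcp_discover": Packet("GigabitEthernet2/2", 180, "00:aa:bb:cc:dd:ee", "0.0.0.0", "dhcp"),
        "forged_arp":    Packet("GigabitEthernet2/1", 180, "00:11:22:33:44:55", "10.180.0.10",
                                "arp", "00:aa:bb:cc:dd:ee"),
        "good_arp":      Packet("GigabitEthernet2/1", 180, "00:11:22:33:44:55", "10.180.0.10",
                                "arp", "00:11:22:33:44:55"),
    }
    return {name: sw.forward(p) for name, p in cases.items()}
```

Calling demo() returns the verdict for each constructed case; the model omits the rate limits and errdisable recovery that the configuration above also sets.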
