Q：解决 IP 地址冲突de完美方法
  A：使用的方法是采用DHCP方式为用户分配IP，然后限定这些用户只能使用动态IP的方式，如果改成静态IP的方式则不能连接上网络；也就是使用了DHCP SNOOPING功能。
    例子：
    version 12.1
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    service compress-config
    !
    hostname C4-2_4506
    !
    enable password xxxxxxx!
    clock timezone GMT 8
    ip subnet-zero

    no ip domain-lookup
    !
    ip dhcp snooping vlan 180-181 // 对哪些VLAN 进行限制
    ip dhcp snooping
    ip arp inspection vlan 180-181
    ip arp inspection validate src-mac dst-mac ip

    errdisable recovery cause udld
    errdisable recovery cause bpduguard
    errdisable recovery cause security-violation
    errdisable recovery cause channel-misconfig
    errdisable recovery cause pagp-flap
    errdisable recovery cause dtp-flap
    errdisable recovery cause link-flap
    errdisable recovery cause l2ptguard
    errdisable recovery cause psecure-violation
    errdisable recovery cause gbic-invalid
    errdisable recovery cause dhcp-rate-limit
    errdisable recovery cause unicast-flood
    errdisable recovery cause vmps
    errdisable recovery cause arp-inspection
    errdisable recovery interval 30
    spanning-tree extend system-id
    !
    !

    interface GigabitEthernet2/1 // 对该端口接入的用户进行限制，可以下联交换机
    ip arp inspection limit rate 100
    arp timeout 2
    ip dhcp snooping limit rate 100
    !

    interface GigabitEthernet2/2
    ip arp inspection limit rate 100
    arp timeout 2
    ip dhcp snooping limit rate 100
    !
    interface GigabitEthernet2/3
    ip arp inspection limit rate 100
    arp timeout 2
    ip dhcp snooping limit rate 100
    !
    interface GigabitEthernet2/4
    ip arp inspection limit rate 100
    arp timeout 2
    ip dhcp snooping limit rate 100

    注：DHCP Snooping

    DAI，Dynamic ARP Inspection

    IP Source Guard

    DHCP Interface Tracker (Option 82)

    设备局限很大,3550---4000系列之间能用,用来防止基于内部的2层攻击,同一VLAN防止私自建立DHCP SERVER

找到好贴不容易，我顶你了，谢了

谢谢分享

好啊楼主，没想到啊，太好了

了解了这些知识很有用，顶楼主！

谢谢分享0 0