A Perfect Way to Resolve IP Address Conflicts

05-21

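The approach is to assign IP addresses to users via DHCP and then restrict those users to dynamically assigned addresses only; if a user switches to a static IP, they can no longer connect to the network. In other words, it uses the DHCP snooping feature. Dynamic ARP Inspection, enabled in the same configuration, checks ARP traffic against the bindings that DHCP snooping records.

Example: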

version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
service compress-config
!
hostname C4-2_4506
!
enable password xxxxxxx!
clock timezone GMT 8
ip subnet-zero
no ip domain-lookup
!
! VLANs on which the restriction is enforced
ip dhcp snooping vlan 180-181
ip dhcp snooping
ip arp inspection vlan 180-181
ip arp inspection validate src-mac dst-mac ip
errdisable recovery cause udld
errdisable recovery cause bpduguard
errdisable recovery cause security-violation
errdisable recovery cause channel-misconfig
errdisable recovery cause pagp-flap
errdisable recovery cause dtp-flap
errdisable recovery cause link-flap
errdisable recovery cause l2ptguard
errdisable recovery cause psecure-violation
errdisable recovery cause gbic-invalid
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause unicast-flood
errdisable recovery cause vmps
errdisable recovery cause arp-inspection
errdisable recovery interval 30
spanning-tree extend system-id
!
!
! Restricts the users attached to this port; a downstream switch may be connected here
interface GigabitEthernet2/1
 ip arp inspection limit rate 100
 arp timeout 2
 ip dhcp snooping limit rate 100
!
interface GigabitEthernet2/2
 ip arp inspection limit rate 100
 arp timeout 2
 ip dhcp snooping limit rate 100
!
interface GigabitEthernet2/3
 ip arp inspection limit rate 100
 arp timeout 2
 ip dhcp snooping limit rate 100
!
interface GigabitEthernet2/4
 ip arp inspection limit rate 100
 arp timeout 2
 ip dhcp snooping limit rate 100

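Note: DHCP Snooping

DAI (Dynamic ARP Inspection)

IP Source Guard

DHCP Interface Tracker (Option 82)

Device support is quite limited: this works on the 3550 through 4000 series. It is used to prevent internal Layer 2 attacks and to stop unauthorized DHCP servers from being set up within the same VLAN.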
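
An added example (not from the original post and not Cisco code): a simplified Python model of the check Dynamic ARP Inspection applies on an untrusted port, using the DHCP snooping binding table and the `validate src-mac dst-mac ip` options from the configuration above. It shows why a host that sets a static IP has its ARP dropped; the binding entries, addresses and all function names are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address

# Constructed DHCP snooping bindings: (vlan, port, mac) -> leased IP.
BINDINGS = {
    (180, "Gi2/1", "00:11:22:33:44:55"): "10.1.180.10",
    (181, "Gi2/2", "00:aa:bb:cc:dd:ee"): "10.1.181.20",
}
DAI_VLANS = range(180, 182)  # mirrors: ip arp inspection vlan 180-181

@dataclass
class Arp:
    vlan: int
    port: str
    eth_src: str
    eth_dst: str
    op: str            # "request" or "reply"
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str

def bad_ip(addr):
    # "validate ip": 0.0.0.0, 255.255.255.255 and multicast are rejected.
    ip = ip_address(addr)
    return ip.is_unspecified or ip.is_multicast or addr == "255.255.255.255"

def inspect(p, bindings=BINDINGS):
    """Return (verdict, reason) for an ARP packet seen on an untrusted port."""
    if p.vlan not in DAI_VLANS:
        return "permit", "vlan not inspected"
    # "validate src-mac": Ethernet source must equal the ARP sender MAC.
    if p.eth_src != p.sender_mac:
        return "drop", "src-mac mismatch"
    # "validate dst-mac": checked on replies only.
    if p.op == "reply" and p.eth_dst != p.target_mac:
        return "drop", "dst-mac mismatch"
    # Sender IP is checked always, target IP on replies only.
    if bad_ip(p.sender_ip) or (p.op == "reply" and bad_ip(p.target_ip)):
        return "drop", "invalid ip"
    # Sender IP/MAC must match a lease DHCP snooping learned on this port.
    leased = bindings.get((p.vlan, p.port, p.sender_mac))
    if leased is None:
        return "drop", "no dhcp binding"
    if leased != p.sender_ip:
        return "drop", "ip does not match lease"
    return "permit", "binding match"
```
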