Monday, December 27, 2010
[Weak Current College] Tips on using the switch to control IP address conflicts
Whenever a workstation is hit by a network virus or its system crashes, the user often reinstalls the system and sets a new IP address. If that address is not chosen according to the agreed allocation, an IP address conflict is inevitable, and when this happens frequently it not only slows down the affected users' Internet access but also undermines the stability of the whole LAN. To keep the LAN stable we should not wait for conflicts to occur and only then deal with them; we should act first and make it impossible for a user to take another host's IP address. This article therefore describes, from a practical standpoint, how to configure the switch so that IP address conflicts stop recurring.
Network environment
The author's LAN has roughly 150 network nodes spread evenly over six floors. On each floor the nodes are connected by 100M twisted pair to an ordinary layer-2 access switch, and each access switch is uplinked over 1000M fiber to a Quidway S8500 series routing switch. For access security, all nodes reach the Internet through a Venus hardware firewall. The LAN uses the 10.168.163.0 segment, with default gateway 10.168.163.1 and subnet mask 255.255.255.0. This segment offers more than 250 IP addresses while only about 150 are in use in normal operation, so the spare address space is ample for the growing number of workstations.
However, because the LAN uses static address assignment, whenever a workstation crashes or fails to boot after a virus attack, the user simply reinstalls the system and picks an arbitrary IP address, which causes frequent IP address conflicts. This not only seriously disrupts other users' network access but also adds to the network administrator's maintenance workload. To stop users from changing IP addresses at will, I first intended to use address binding, tying each workstation's IP address to the physical (MAC) address of its network adapter. Before this approach was implemented, however, a colleague who is also a network administrator objected that it only treats the symptom: a user can still modify the physical address of his network adapter and take someone else's IP address, so this is clearly not the most effective solution.
Solution
After searching for relevant material online and analysing it carefully, the author and the other network administrator decided to bind workstations' IP addresses to their adapters' physical addresses on the core switch. A simple binding operation alone, however, cannot stop users from setting IP addresses freely: once an IP address is bound, a user can no longer seize that address, but he can still grab an idle IP address on the LAN, so conflicts remain possible. This is a point many network administrators overlook: binding every IP address in use to its network adapter on the core switch still does not effectively prevent address conflicts.
To really resolve IP address conflicts we must bind not only the IP addresses already assigned on the LAN to their network adapters, but also the idle IP addresses, so that a user can use neither the IP address of a workstation that is already on the network nor an idle LAN IP address. Then, whenever a user changes his IP address on his own, he will be unable to access the LAN at all. This configuration brings a new chore, though: a new user who needs LAN access can no longer just pick an IP address but must first apply to the network administrator, who logs in to the switch's management system and releases a free address before the user can connect. Practice has shown that this method not only avoids IP address conflicts but also prevents viruses from spreading across the LAN through unauthorised hosts, and so helps guarantee the stable operation of the LAN.
Implementation
Following the above analysis, I intended first to bind the LAN's default gateway address 10.168.163.1 to its physical address, which effectively contains ARP virus outbreaks on the LAN; then to bind the IP addresses of the workstations already on the network; and finally to bind the idle IP addresses to a virtual network adapter physical address. Together these steps deal with all of the problems described above.
To bind the gateway address, I first logged in to the Quidway S8500 series routing switch's management system as administrator. At the command line I entered the command "system", which switches the system into global configuration mode. In global configuration mode I then entered the command "arp 10.168.163.1 0215.9cae.1156 arpa" and pressed Enter, which binds the default gateway address 10.168.163.1 to the MAC address 0215.9cae.1156. From then on, if some workstation later tries to seize the 10.168.163.1 address, other users will no longer suddenly lose their Internet access, and the stability of the whole LAN is assured.
To stop users from grabbing each other's IP addresses, the addresses of the 150-odd nodes already online must also be bound. Because so many addresses are involved, collecting each workstation's IP address and adapter physical address by hand would be a great deal of work. Instead, in the switch's global configuration mode, I ran the "display arp" command, copied the displayed ARP table into a local text editor window, made simple edits to turn each entry into a binding command, and then pasted the edited content back into the switch's ARP table. In this way the binding of every workstation already on the network can be completed quickly.
For the remaining 100 or so idle IP addresses we can bind each one manually, in turn, to a virtual MAC address. For example, to bind the address 10.168.163.156 to the virtual MAC 071e.33ea.8975, we enter the command "arp 10.168.163.156 071e.33ea.8975 arpa" in the switch's global configuration mode, and we then bind the other idle IP addresses to the same virtual MAC address 071e.33ea.8975 in the same way.
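As an added illustration (not the author's own script) of the bulk step above, the following Python turns a constructed "display arp" dump into one binding command per host address in 10.168.163.0/24: the learned MAC for addresses in use, the page's virtual MAC 071e.33ea.8975 for idle ones. The dump's column layout and hyphenated MAC format are assumptions, and the command syntax should be checked against the manual of the actual switch and software version.

```python
import ipaddress
import re

# Constructed sample of a "display arp" dump for the page's segment
# (10.168.163.0/24, gateway 10.168.163.1). The column layout and the
# hyphenated MAC format are assumptions, not real S8500 output.
SAMPLE_ARP_DUMP = """\
IP Address       MAC Address     VLAN ID  Port Name   Aging  Type
10.168.163.1     0215-9cae-1156  1        Vlan1       N/A    S
10.168.163.12    0011-2233-4455  1        GE1/0/3     20     D
10.168.163.45    00aa-bbcc-ddee  1        GE1/0/7     20     D
"""

MAC_RE = re.compile(r"(?:[0-9a-f]{4}[-.:]){2}[0-9a-f]{4}", re.I)

def parse_arp_dump(text):
    """Return {ip: mac} for every entry line; MACs normalised to dotted form."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # header or other non-entry line
        if not MAC_RE.fullmatch(fields[1]):
            continue
        digits = re.sub(r"[-.:]", "", fields[1]).lower()
        table[str(ip)] = f"{digits[:4]}.{digits[4:8]}.{digits[8:]}"
    return table

def binding_commands(table, network, virtual_mac):
    """One static ARP command per host address: the learned MAC for
    addresses seen in the table, the virtual MAC for idle addresses."""
    cmds = []
    for host in ipaddress.ip_network(network).hosts():
        ip = str(host)
        cmds.append(f"arp {ip} {table.get(ip, virtual_mac)} arpa")
    return cmds

if __name__ == "__main__":
    for cmd in binding_commands(parse_arp_dump(SAMPLE_ARP_DUMP),
                                "10.168.163.0/24", "071e.33ea.8975"):
        print(cmd)
```

The printed list is what gets pasted back into the switch; keeping a copy of it is also the administrator's record of which addresses are parked on the virtual MAC.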
Once the above binding tasks are complete, no user can change his IP address at will. If a new user needs to go online using the idle address 10.168.163.156, the network administrator can release 10.168.163.156 from the bound list with the following steps:
First, in the Quidway S8500 series routing switch's management system, execute the "system" command to switch into global configuration mode, enter the command "display arp" and press Enter, then check in the ARP list whether the address 10.168.163.156 is in the idle state. If the target IP address is idle, we can continue with the following steps:
Second, enter the command "no arp 10.168.163.156 071e.33ea.8975 arpa" and press Enter; the target address 10.168.163.156 is now released from the bound list;
Third, tell the user who needs the address 10.168.163.156 to configure that IP address on his workstation, so that the new user can access the unit's LAN;
Fourth, back in the core switch's management system, run the command "display arp in 10.168.163.156"; the returned result shows the physical address of the network adapter that now corresponds to 10.168.163.156, in this case 00bb.ebc3.c6d0;
Finally, with the MAC address in hand, run the command "arp 10.168.163.156 00bb.ebc3.c6d0 arpa" to bind the new user's IP address and network adapter physical address together; then execute the commands "quit" and "save" in turn to save the configuration to the switch and finish the configuration task.
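The release-and-rebind procedure above, as an added example that is not part of the original post: the two checks a careful administrator would add are that an address is really parked on the virtual MAC before it is released, and that the MAC learned for the new workstation is not already bound to some other address (the cloned-adapter situation the conclusion mentions). The binding table, the "display arp" lines and their column layout are constructed assumptions.

```python
import re

VIRTUAL_MAC = "071e.33ea.8975"  # the placeholder MAC the page parks idle addresses on

def norm_mac(mac):
    """Normalise 0215-9cae-1156, 02:15:9c:ae:11:56 or 0215.9cae.1156 to dotted lower case."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return f"{digits[:4]}.{digits[4:8]}.{digits[8:]}"

# Constructed binding table (ip -> mac) as it stands after the bulk-binding step.
BINDINGS = {
    "10.168.163.1": "0215.9cae.1156",    # default gateway (value from the page)
    "10.168.163.12": "0011.2233.4455",   # an existing workstation (constructed)
    "10.168.163.156": VIRTUAL_MAC,       # idle address parked on the virtual MAC
}

# Constructed "display arp" lines seen after the new workstation comes online;
# the column layout is an assumption, not real S8500 output.
ARP_AFTER_CONNECT = [
    "10.168.163.12    0011-2233-4455  1  GE1/0/3  20  D",
    "10.168.163.156   00bb-ebc3-c6d0  1  GE1/0/9  20  D",
]

def release_commands(bindings, ip, virtual_mac=VIRTUAL_MAC):
    """Steps 1-2: only an address still parked on the virtual MAC may be released."""
    mac = bindings.get(ip)
    if mac is None or norm_mac(mac) != norm_mac(virtual_mac):
        raise ValueError(f"{ip} is not idle (bound to {mac}); refusing to release it")
    return [f"no arp {ip} {virtual_mac} arpa"]

def learned_mac(arp_lines, ip):
    """Step 4: the MAC the switch has learned for ip, or None if it is not online yet."""
    for line in arp_lines:
        fields = line.split()
        if len(fields) >= 2 and fields[0] == ip:
            return norm_mac(fields[1])
    return None

def rebind_commands(bindings, ip, mac):
    """Step 5: bind the learned MAC and save, but refuse a MAC that another bound
    address already owns, since a duplicate adapter address is suspicious."""
    mac = norm_mac(mac)
    owners = [k for k, v in bindings.items() if k != ip and norm_mac(v) == mac]
    if owners:
        raise ValueError(f"{mac} is already bound to {owners}; investigate first")
    return [f"arp {ip} {mac} arpa", "quit", "save"]
```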
Conclusion
With the above configuration, every IP address on the LAN is brought under control: any user who changes his IP address without authorisation will simply be unable to access the network. The whole control process is somewhat laborious, but it is a good way to control network access security and keep unknown workstations from bringing network viruses or Trojans into the LAN environment. Of course, the scheme above is not foolproof. There is one situation in which an address conflict can still occur: if an illegitimate user obtains the contents of the switch's ARP list, changes both his workstation's network adapter physical address and its IP address to match an entry, and the user who owns that entry is not online, he can successfully take that user's address and get online. The probability of this is quite low, unless a network administrator does it deliberately.