解决IP地址冲突的方法--DHCP SNOOPING

使用的方法是采用DHCP方式为用户分配IP，然后限定这些用户只能使用动态IP的方式，如果改成静态IP的方式则不能连接上网络；也就是使用了DHCP SNOOPING功能。 
例子： 
version 12.1 
no service pad 

service timestamps debug uptime 
service timestamps log uptime 
no service p assword-encryption 
service compress-config 
! 
hostname C4-2_4506 
! 
enable password xxxxxxx! 
clock timezone GMT 8 
ip subnet-zero 


no ip domain-lookup 
! 
ip dhcp snooping vlan 180-181 // 对哪些VLAN 进行限制 
ip dhcp snooping 
ip arp inspection vlan 180-181 
ip arp inspection validate src-mac dst-mac ip 

errdisable recovery cause udld 
errdisable recovery cause bpduguard 
errdisable recovery cause security-violation 
errdisable recovery cause channel-misconfig 
errdisable recovery cause pagp-flap 
errdisable recovery cause dtp-flap 
errdisable recovery cause link-flap 
errdisable recovery cause l2ptguard 
errdisable recovery cause psecure-violation 
errdisable recovery cause gbic-invalid 
errdisable recovery cause dhcp-rate-limit 
errdisable recovery cause unicast-flood 
errdisable recovery cause vmps 
errdisable recovery cause arp-inspection 
errdisable recovery interval 30 
spanning-tree extend system-id 
! 
! 

interface GigabitEthernet2/1 // 对该端口接入的用户进行限制，可以下联交换机 
ip arp inspection limit rate 100 
arp timeout 2 
ip dhcp snooping limit rate 100 
! 



interface GigabitEthernet2/2 
ip arp inspection limit rate 100 
arp timeout 2 
ip dhcp snooping limit rate 100 
! 
interface GigabitEthernet2/3 
ip arp inspection limit rate 100 
arp timeout 2 
ip dhcp snooping limit rate 100 
! 
interface GigabitEthernet2/4 
ip arp inspection limit rate 100 
arp timeout 2 
ip dhcp snooping limit rate 100 
--More-- 

编者注：对不需要明确地址的所有人的时候是一个很好的解决办法。另外，可以查看[url]www.cisco.com[/url]的 

IP Source Guard 

Similar to DHCP snooping, this feature is enabled on a DHCP snooping untrusted Layer 2 port. Initially, all IP traffic on the port is blocked except for DHCP packets that are captured by the DHCP snooping process. When a client receives a valid IP address from the DHCP server, or when a static IP source binding is configured by the user, a per-port and VLAN Access Control List (PACL) is installed on the port. This process restricts the client IP traffic to those source IP addresses configured in the binding; any IP traffic with a source IP address other than that in the IP source binding will be filtered out. This filtering limits a host's ability to attack the network by claiming neighbor host's IP address.

本文转自loveme2351CTO博客，原文链接：http://blog.51cto.com/loveme23/8021 ，如需转载请自行联系原作者