If network users do not set their IP addresses according to the rules, IP address conflicts are inevitable. When conflicts occur frequently, they not only slow down Internet access for users but also undermine the stable operation of the LAN.
To improve the stability of the LAN, we should not wait for an IP address conflict to occur and then deal with it; instead, we should take the initiative and make it impossible for users to grab other IP addresses in the LAN. Starting from a practical case, this article shows how careful switch configuration keeps recurring IP address conflicts under control.
Networking situation
For example, there are about 150 network nodes in the LAN, evenly distributed over six floors. The network nodes on each floor are connected to ordinary Layer 2 switches through 100M twisted pair cables, and each ordinary Layer 2 switch is connected through a 1000M fiber-optic cable to the QuidWay S9300 series routing switch. To ensure network access security, all network nodes reach the Internet through the Venus hardware firewall.
Currently, the unit LAN uses IP addresses in the 10.168.163.0 network segment. The default gateway address for this segment is 10.168.163.1, and the subnet mask is 255.255.255.0. Because the network segment can hold more than 250 IP addresses and in practice only a little more than 150 are in use, there is enough spare address space to accommodate a growing number of workstations.
However, because the unit LAN uses static address allocation, whenever a workstation crashes or is hit by a virus and cannot start normally, users are free to reinstall the system and change its address. As a result, IP address conflicts occur frequently in the LAN. This not only seriously disrupts other users' normal access but also increases the network administrator's maintenance workload.
To prevent users from arbitrarily changing their IP addresses, the author intended to use address binding, tying each workstation's IP address to the physical address of its NIC. Before this method was formally implemented, however, it met opposition from a fellow network administrator, who believes that it treats the symptom rather than the cause: users can still modify the physical address of the network card to steal someone else's IP address, so it is clearly not the most effective solution.
Response plan
After checking the relevant information on the Internet and analyzing it in depth, the author and another network administrator decided to bind the IP addresses of ordinary workstations to the physical addresses of their network cards on the core switch. The binding operation alone, however, cannot stop users from setting IP addresses arbitrarily. Once an IP address is bound, a user can no longer take over that address, but he can still use an idle IP address in the LAN, so IP address conflicts may still occur. This is what puzzles many network administrators: even after the IP addresses of all workstations are bound to the corresponding NICs on the core switch, address conflicts are still not effectively avoided.
To solve the IP address conflict problem, we need to bind not only the IP addresses already assigned in the LAN to the corresponding NICs, but also the IP addresses that are idle, so that users can use neither the IP address of an already connected workstation nor a free IP address in the LAN. As a result, any user in the LAN who changes his IP address arbitrarily can no longer access the network normally.
However, this configuration brings another inconvenience: new users in the LAN who need Internet access cannot choose an IP address on their own and must apply to the network administrator for access. After receiving the application, the administrator has to log in to the switch's background management system and allocate an idle address before the user can connect to the LAN normally.
Practice has proved that this method not only effectively avoids IP address conflicts, but also effectively prevents network viruses from spreading through the LAN, thus ensuring the stable operation of the LAN!
Implementation process
Following the analysis above, the author first binds the default gateway address 10.168.163.1 to its physical address, which effectively controls outbreaks of ARP viruses in the LAN; then binds the IP addresses of the workstations that are already connected; and finally binds the idle IP addresses, killing two birds with one stone.
To bind the gateway address, the administrator first logs in to the background management system of the QuidWay S9300 series routing switch as the system administrator. At the command line, the "system" command is executed to switch to the global configuration state.
In the global configuration state, enter the command "arp 10.168.163.1 0215.9cae.1156 arpa". After pressing Enter, the default gateway address 10.168.163.1 is bound to the MAC address 0215.9cae.1156. If another workstation later uses the 10.168.163.1 address, it will be unable to access the network, so the stability of the entire LAN is protected.
To prevent users from seizing other IP addresses, we need to bind the addresses of the 150 network nodes that are already connected. Because so many addresses have to be bound, collecting each workstation's NIC physical address and IP address by hand would be a very large job. Instead, execute the "display arp" command in the global configuration state of the switch, then copy the displayed ARP table into a local text editor window. After some simple editing, copy the modified ARP table content and paste it back into the switch, which quickly completes the binding of the connected workstations' addresses.
The remaining 100 or so free IP addresses can each be bound manually to a virtual MAC address. For example, to bind the 10.168.163.156 address to 071e.33ea.8975, execute the command "arp 10.168.163.156 071e.33ea.8975 arpa" in the global configuration state of the switch. Then bind the other free IP addresses to the virtual MAC address 071e.33ea.8975 in the same way.
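The three binding steps above (gateway, connected workstations, idle addresses) can be generated in one pass rather than edited by hand. The Python sketch below is an added example, not part of the original article: it assumes the copied ARP table has been reduced to rows containing an IP address and a dotted MAC (the sample rows and their MACs are constructed), emits the article's "arp <ip> <mac> arpa" form, and leaves any address seen with two different MACs unbound for manual review.

```python
import ipaddress
import re

# Matches "<IPv4> <xxxx.xxxx.xxxx>" in a row; any other columns are ignored.
ROW_RE = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-fA-F]{4}(?:\.[0-9a-fA-F]{4}){2})")

# Constructed sample rows (not real switch output); workstation MACs are made up.
SAMPLE_ARP_TABLE = """\
10.168.163.1    0215.9cae.1156
10.168.163.20   0200.5e00.0014
10.168.163.21   0200.5e00.0015
10.168.163.21   0200.5e00.00ff
"""

def parse_arp_table(text):
    """Return (ip -> mac, conflicting ips) from copied ARP table text."""
    seen, conflicts = {}, set()
    for ip, mac in ROW_RE.findall(text):
        ip, mac = ipaddress.ip_address(ip), mac.lower()
        if seen.setdefault(ip, mac) != mac:
            conflicts.add(ip)  # same IP claimed by two MACs: resolve by hand
    for ip in conflicts:
        del seen[ip]
    return seen, conflicts

def build_bindings(live, conflicts, network, dummy_mac):
    """One 'arp <ip> <mac> arpa' line per host; idle hosts get dummy_mac."""
    commands = []
    for host in ipaddress.ip_network(network).hosts():
        if host in conflicts:
            continue  # do not pin a disputed address to either MAC
        commands.append(f"arp {host} {live.get(host, dummy_mac)} arpa")
    return commands

if __name__ == "__main__":
    live, conflicts = parse_arp_table(SAMPLE_ARP_TABLE)
    for line in build_bindings(live, conflicts,
                               "10.168.163.0/24", "071e.33ea.8975"):
        print(line)
    for ip in sorted(conflicts):
        print(f"# review manually: {ip} seen with more than one MAC")
```

Review the generated lines before pasting them into the switch; an address listed for manual review is exactly the kind of conflict the binding is meant to prevent.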
Once the address binding above is complete, no user can change his IP address at will. If a new user needs to use the idle 10.168.163.156 address to go online, the network administrator can follow the steps below to release the 10.168.163.156 address from the list of bound addresses:
First, execute the "system" command on the QuidWay S8500 series routing switch background management system to change to the global configuration state. In this state, enter the command "display arp", press Enter, and in the ARP list that then appears, check whether the 10.168.163.156 address is idle. If the target IP address is idle, continue with the following release steps:
Then enter the command "no arp 10.168.163.156 071e.33ea.8975 arpa" and press Enter; the target IP address 10.168.163.156 is released from the address binding list;
Next, give the 10.168.163.156 address to the user who needs to go online, so that he can configure it on his workstation and the newly added user can access the unit LAN;
Then, in the background management system of the core switch, execute the command "display arp in 10.168.163.156". In the result that is returned, we can see that the physical address of the network card corresponding to the address 10.168.163.156 is 00bb.ebc3.c6d0;
After obtaining the MAC address, execute the command "arp 10.168.163.156 00bb.ebc3.c6d0 arpa", so that the new user's IP address and the physical address of his network card are bound together. Finally, quit and run the "save" command to save the configuration to the switch system and end the switch configuration task.
With the above configuration, all IP addresses in the LAN are under control. Any user who changes his IP address privately will not be able to access the network. Although the whole control process is somewhat complicated, it controls network access security well and keeps unknown workstations from bringing network viruses or Trojans into the LAN working environment.
Of course, this control scheme is not foolproof. There is another situation that can cause address conflicts: an illegitimate user steals the contents of the switch ARP list, changes both the physical address and the IP address of his workstation's NIC, and, while the user whose address was stolen is offline, goes online with that user's address. The likelihood of this is quite low, however, unless the network administrator does so intentionally.