Enhancing network stability with switch DHCP relay

Source: Internet
Author: User
Tags manual switches valid

In the LAN working environment, encounter network virus attack is always unavoidable things, once the workstation accidentally infected with the network virus, then it can not be normal access to the Internet; In addition, users to change the IP address at will, the local area network is prone to the phenomenon of IP address conflict, once such a failure occurs, Workstations will also not be able to access the Internet properly. In order to control the Internet access stability, this article starts from the actual case, cleverly utilizes the DHCP Relay Agent function in the three layer switch of the unit LAN, lets the ordinary workstation stay away from the ARP virus and the IP address frequent conflict fault!





Case Requirements





a building LAN has about 1000 network nodes, the average distribution of these nodes on the 25 floor, each of the network nodes on each floor using six types of gigabit twisted-pair lines connected to the H3C model of the S3502 series two-tier switches, All two-tier switches are connected directly to the H3C model S8500 series core switches of the unit LAN via gigabit light lines; To facilitate the management and maintenance of the building network, network administrators have divided several VLANs for these 1000 nodes. Because the core switch used by the building network does not support DHCP address assignment, the network administrator deliberately installs the Windows 2003 server and deploys the DHCP server in it.





at the beginning, the building local area network has been able to run normally; but there is not much time, the local area network frequently appear because of ARP virus attacks and IP address conflicts and can not access the phenomenon of the Internet, each occurrence of these phenomena, network administrators are non-stop in the various floors and back shuttle. Obviously, the frequent encounter ARP virus attack and IP address conflict phenomenon, not only will let the network administrator tired of coping, but also will let the building network stability greatly reduced. In view of this, the unit leader requires that the network administrator must find ways to effectively control the IP address of the building network to ensure the stable operation of the building network. 3lian Material





Preliminary Plan





In order to achieve the leadership of the network control requirements, several network managers of the building network split up, consulted a number of units related to the solution, but also on the internet to inquire a lot of content information, but these solutions or content information is not suitable for the unit's building network. Later, the network administrator after careful analysis and discussion, decide to use the static ARP table function on the core switch of the unit network to bind all the IP addresses and the physical addresses of the network cards without any additional investment, so as to prohibit any internet users from arbitrarily changing the IP address of the workstation; But then I thought, for a large LAN with more than 1000 nodes, in addition to manual statistics of all workstations and the physical address of the network card and IP address, but also to their corresponding relationship manually added to the core switch static ARP table, the more troublesome is that these ordinary workstations may be in constant update, Change, so this kind of coping plan is quite troublesome to implement. Moreover, for the core switches of the H3C model S8500 series, the static ARP table feature does not support more than 1000 records, and ultimately this solution is not.





the new scheme





because no additional investment can be made, the network administrator will naturally not expect professional tools or professional equipment to help, can only hope that the building network existing network equipment, so the network administrator began to check the H3C model S8500 core switch operating instructions, after careful review, Network administrator found the switch to support the DHCP Relay Agent function of the thread, from the description of this clue, the network administrator learned that when the normal workstation through the core switch DHCP Relay Agent function, access to the LAN's DHCP server and obtain a valid IP address from the process, The Relay Agent function can automatically record the dynamic correspondence between the IP address of the normal workstation and the physical address of the network card, and automatically generate the dynamic user address record entries.





In addition, the DHCP Relay Agent function of the core switch also allows the user to manually enter the correspondence record of the IP address and the physical address of the network card, and generate the static User address record table entry. To control network access security, the network administrator decides to enable the DHCP Relay Agent function and to enable address matching checking for addresses that support DHCP relay agents to restrict the phenomenon that illegal users or virus-containing computers can access the network freely by configuring an IP address at random; As long as the normal workstation's IP address and the network card physical address relationship record, does not appear in the DHCP relay dynamic address or the static Address record table entry, then this workstation cannot through the DHCP server, the free access to the unit building network, thus can control the building network the Operation stability.





Program Implementation





Choose the right plan, the implementation of natural is not so difficult. Since the DHCP Relay Agent function is only valid for VLANs, we must make the same control settings for each VLAN in order to keep the workstations in the corresponding VLAN stable on the Internet; for the convenience of narration, this paper takes control of VLAN 1 's Internet stability as the operating blueprint, Give your friends a detailed description of the specific implementation steps:





first enters the host system of the DHCP server with system administrator privileges, opens the DHCP console window of the corresponding system, and then enters the Scope Properties dialog box for VLAN 1, in which the VLAN 1 's address pool and other parameters are set according to the number of nodes per virtual network. Here is not the focus of the narrative;





second telnet into the core switch's background management interface, executing the "sys" command at the command line of the interface, switching the background system to the system global configuration state, continuing to execute the "Inter vlan-interface 1" command in that configuration state, switching the system to the VLAN 1 interface mode state;





under the VLAN 1 interface mode State, we enter the string command "DHCP relay Address-check enable", click the Enter key, the VLAN 1 interface will be able to use the DHCP relay address matching check function; Once this feature is enabled, Ordinary workstation can not configure the IP address freely access to the Internet, then the security and stability of the network operation has been effectively guaranteed.





of course, there are some important computers in the LAN must use static IP address to access the Internet, in order to ensure that the address is not at random by other people to use, we can use the manual method of static IP address and important host network card physical address binding to the DHCP relay function of static user address configuration entries , so that the important host can always use static address for stable access to the Internet; For example, to add a 10.176.1.3 Address to a static user address configuration entry for a DHCP relay feature in the 55-66-88-77-33-77 address, you can 1 interface mode state, the "DHCP relay security static 10.176.1.3 55-66-88-77-33-77" command can be performed.


Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.