How to configure a switch to control IP address conflicts

Source: Internet
Author: User

When a network virus strikes or a system crashes, users may need to reinstall the operating system and reconfigure the IP address. If a user does not set the IP address as required, an IP address conflict is inevitable. Frequent conflicts not only reduce users' network access efficiency but also affect the stable operation of the LAN. To improve LAN stability, we should not merely react to IP address conflicts after they occur; instead, we should proactively prevent users from using IP addresses in the LAN other than the ones assigned to them. Based on a real deployment, this article shows how to configure the switch so that recurring IP address conflicts are brought under control.

Networking

There are about 150 network nodes in my local area network, evenly distributed over six floors. The network nodes on each floor are connected to ordinary L2 switches through M twisted pair wires, and each L2 switch is connected to the QuidWay S8500 series routing switch through a m optical fiber cable. To ensure network access security, all network nodes reach the Internet through the Starling hardware firewall. The LAN currently uses the 10.168.163.0 network segment, with the default gateway address 10.168.163.1 and the subnet mask 255.255.255.0. Because this network segment can hold up to 250 IP addresses and daily work only requires a little more than 150 of them, the address space has enough margin to accommodate a growing number of workstations.

However, the LAN uses static address allocation. When a workstation suddenly crashes or fails to start normally after a virus attack, users tend to help themselves: they reinstall the system and change the IP address as they see fit. As a result, IP address conflicts occur frequently in the LAN, which not only seriously disrupts other users' network access but also increases the network administrator's maintenance workload. To stop users from arbitrarily changing IP addresses, I intended to bind each workstation's IP address to the physical (MAC) address of its network card. Before this method was formally implemented, however, it was opposed by a fellow network administrator. He believes it is not a permanent cure, because users can still take over someone else's IP address by modifying the physical address of their network card, so it is not the most effective solution.

Solution

After researching the issue online and analyzing it in depth, the author and another network administrator decided to bind each workstation's IP address to the physical address of its network card on the core switch. However, this simple binding does not stop users from setting IP addresses at random: once an IP address is bound, a user can no longer take over that address, but he can still use an idle IP address in the LAN. IP address conflicts may therefore still occur. This is a problem many network administrators cannot solve: even after the IP addresses of all workstations are bound to their network cards on the core switch, address conflicts still cannot be effectively avoided.

To resolve IP address conflicts completely, we need to bind not only the allocated IP addresses in the LAN to their network cards, but also the IP addresses that are idle. Users can then use neither the IP address of another connected workstation nor an idle IP address in the LAN, so any user who changes his IP address at will cannot access the LAN normally. This configuration brings another problem: a new user who needs network access cannot choose an IP address himself, and must apply to the network administrator in advance. After receiving the application, the network administrator logs on to the switch's management system and releases an idle address so that the user can connect to the LAN normally. Practice has shown that this method not only avoids IP address conflicts and the resulting faults, but also helps prevent network viruses from spreading through the LAN, which keeps the LAN running stably.

Implementation Process

Following the analysis above, the author first binds the default gateway address 10.168.163.1 to its physical address, which effectively contains ARP virus outbreaks in the LAN; then binds the IP addresses of the workstations that are online; and finally binds the idle IP addresses to a virtual physical (MAC) address. This kills two birds with one stone.

To bind the gateway address, I first log on to the management system of the QuidWay S8500 series routing switch as a system administrator and run the "system" command at the command line to switch to the global configuration mode of the switch. In global configuration mode, enter the command "arp 10.168.163.1 0215.9cae.1156 arpa" and press Enter. The default gateway address 10.168.163.1 is now bound to the MAC address 0215.9cae.1156. If another workstation later tries to use the address 10.168.163.1, that workstation's network access may fail, which protects the stability of the entire LAN.

To prevent users from using other IP addresses, we need to bind the addresses of the roughly 150 network nodes that are already online. Because so many addresses have to be bound, collecting the physical address and IP address of each workstation's network card by hand is a lot of work. Instead, in the global configuration mode of the switch, run the "display arp" command, copy the contents of the displayed ARP table into a local text editor window, edit them, and paste the modified ARP table contents back into the switch. This quickly binds the IP addresses of the workstations that are online.

For the remaining 100 idle IP addresses, we can manually bind each idle IP address to a virtual MAC address in turn. For example, to bind the address 10.168.163.156 to 071e.33ea.8975, execute the command "arp 10.168.163.156 071e.33ea.8975 arpa", and then bind the other idle IP addresses to the virtual MAC address 071e.33ea.8975 in the same way.
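The bulk-binding step above, as an added example that is not code from the original article: the script turns pasted "display arp" output into the "arp <ip> <mac> arpa" lines the article uses, binds every unused host address to the virtual MAC, and holds back any IP seen with two MACs. The sample table, its column layout and the helper names are constructed assumptions, and the script covers all 254 host addresses of the /24 rather than the article's count.

```python
import ipaddress
import re

# Values taken from the article.
SUBNET = ipaddress.ip_network("10.168.163.0/24")
GATEWAY = ("10.168.163.1", "0215.9cae.1156")
PLACEHOLDER_MAC = "071e.33ea.8975"  # virtual MAC that parks idle addresses

# Constructed sample of pasted "display arp" output. The column layout is an
# assumption; the parser only needs an IPv4 address followed by a MAC.
SAMPLE_ARP = """\
IP Address      MAC Address     VLAN  Port    Type
10.168.163.1    0215-9cae-1156  1     G2/1/1  D
10.168.163.20   00aa-bb01-0c14  1     G2/1/3  D
10.168.163.21   00AA.BB01.0C15  1     G2/1/3  D
10.168.163.20   00aa-bb01-0c99  1     G2/1/4  D
"""

ROW = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})\s+((?:[0-9a-f]{4}[.-]){2}[0-9a-f]{4})", re.I)

def parse_arp(text):
    """Return ({ip: mac}, [ips seen with more than one MAC]) within SUBNET."""
    seen, conflicts = {}, []
    for ip, mac in ROW.findall(text):
        mac = mac.lower().replace("-", ".")
        if ipaddress.ip_address(ip) not in SUBNET:
            continue
        if seen.setdefault(ip, mac) != mac and ip not in conflicts:
            conflicts.append(ip)  # two MACs claim one IP: resolve by hand
    return seen, conflicts

def binding_commands(text):
    """Build 'arp <ip> <mac> arpa' lines for every host address in SUBNET."""
    live, conflicts = parse_arp(text)
    cmds = []
    for host in SUBNET.hosts():
        ip = str(host)
        if ip == GATEWAY[0]:
            mac = GATEWAY[1]  # gateway binding never comes from the table
        elif ip in conflicts:
            continue  # emit nothing until the administrator decides
        else:
            mac = live.get(ip, PLACEHOLDER_MAC)  # idle -> placeholder
        cmds.append(f"arp {ip} {mac} arpa")
    return cmds, conflicts

if __name__ == "__main__":
    cmds, conflicts = binding_commands(SAMPLE_ARP)
    print("\n".join(cmds), "\n# unresolved conflicts, bind by hand:", conflicts)
```

Review the generated lines before pasting them into the switch; addresses reported as conflicting have to be settled by hand first.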

Once the address binding described above is complete, no user can change his IP address at will. If a new user needs network access using the idle address 10.168.163.156, the network administrator can release 10.168.163.156 from the bound address list by following the steps below:

First, run the "system" command in the management system of the QuidWay S8500 series routing switch to switch to global configuration mode. In this mode, enter the command "display arp" and press Enter, then check in the ARP list that appears whether the address 10.168.163.156 is idle. If the target IP address is idle, continue with the following release steps:

Then, enter the command "no arp 10.168.163.156 071e.33ea.8975 arpa" and press Enter. The target IP address 10.168.163.156 is released from the address binding list;

Next, give the address 10.168.163.156 to the user who needs network access so that he can configure it on his workstation and connect to the LAN;

Then run the command "display arp in 10.168.163.156" in the management system of the core switch. The returned results show that the physical address of the network card corresponding to 10.168.163.156 is 00bb.ebc3.c6d0;

After obtaining the MAC address, execute the command "arp 10.168.163.156 00bb.ebc3.c6d0 arpa" so that the new user's IP address and the physical address of his network card are bound together. Finally, run the commands "quit" and "save" in sequence to save the configuration to the switch and complete the switch configuration task.

Conclusion

With the configuration above, all IP addresses in the LAN are under control, and no user can change his IP address without permission and still access the network. Although the whole process is somewhat complicated, it gives good control over network access security and keeps unknown workstations from bringing network viruses or Trojans into the LAN working environment. Of course, this scheme is not foolproof, and an address conflict can still occur: if an unauthorized user obtains the contents of the switch's ARP list, he only needs to change both the physical address and the IP address of his workstation's network card, and while the user whose address was stolen is offline, he can access the network with that address. However, the likelihood of this is quite low unless a network administrator does so intentionally.
