How to prevent broadband network IP address from being embezzled

With the rapid development of network technology in China, the broadband network has emerged in many buildings and communities. But in the enjoyment of a variety of multimedia information at the same time, there is a problem often plagued the network administrator and users, that is, broadband network allocation of IP addresses are often embezzled, authorized users with their own IP address in the network conflict, can not access the network. This phenomenon leads to the confusion of network management, affects the benefit of authorized users, and also brings great influence to the broadband network with network traffic.

Open System Interconnection Model structure

To understand the method of IP address embezzlement, we must first know the structure level of the Open System Interconnection model (OSI) as stipulated by ITU. The data to be transmitted is segmented and reorganized into a data string (segment) at the transport layer, the source and destination IP addresses are then added to the network layer, encapsulated into a package (packet), and then the data link layer is appended with the frame head and frame end of the data link, and the packet is put into frame. Finally, the physical layer is converted to bits-per-unit data. Therefore, the IP address is the network layer used to identify the logical address of different locations, its length is 32 bits, and at the data link layer is the MAC (media access control) address to identify the location of the network node, its length is 48 bits, it is also the physical address of the device.

Ii. several ways to steal IP addresses

1. Modify static IP Address

When you modify the TCP/IP protocol property configuration, you are using a known authorized IP address instead of the IP address assigned by the network administrator. Because the IP address is a logical address, a value that needs to be set by the user, you cannot restrict the user's static changes to the IP address, and when the attacker modifies the IP address, it can also access the extranet through the gateway.

2. Modify IP address and MAC address in pairs

In order to prevent static IP address from being modified, static routing technology is generally used to solve the problem. For static routing technology, IP theft Technology has a new road, that is, to modify the Ip-mac address. MAC address is the physical address of the device, for our commonly used Ethernet, commonly known as the computer network card address. The MAC address of each network card must be unique in all Ethernet devices, it is distributed by IEEE, it is cured on the network card, and can not be changed arbitrarily. However, some of the current compatible network cards, their MAC address can be modified using the NIC configuration program. If you change the IP address and MAC address of a computer to a legitimate host IP address and MAC address, then static routing technology is powerless. In addition, for those MAC address can not directly modify the network card, smart users can also use the software to modify the MAC address.

Three methods of preventing IP address from being stolen

1. Lock Switch Port

For each Ethernet port on the switch, the port is locked using a MAC Address Table (mac-address-table). Only the MAC address of the NIC specified by the network administrator in the MAC Address table can be connected to the network through the port, and the other network card address is not reachable through the port. We can run the ping on the computer first, and then use the ARP-A command to see the corresponding IP address of network users corresponding to the MAC address, so that the MAC address and physical order, so that a network cable, a port corresponding to a MAC address. This method is more suitable for the broadband users of a single building, placing a switch on each floor or unit, limiting each Ethernet port of the switch, allowing each user to occupy a single port, and if someone steals the IP address, it will be useless. The following is a procedure for example to specify the E0/9 port of the switch corresponding to the MAC address 083c.0000.0002, only this MAC address can access the network through the port.

Switch#config Terminal

Switch (CONF) #mac-address-table permanent 083c.0000.0002 E0/9

Switch (conf) #int E0/9

Switch (conf-if) #port secure max-mac-count1

Switch (conf-if) #exit

Switch (conf) #exit

2. Apply ARP binding IP address and MAC address

ARP (Address resolution Protocol) is a protocol for addressing resolution, which corresponds to the IP address and the network physical address one by one. The MAC address of each computer's NIC is unique. In the three-tier switch and router, there is a table called ARP, which supports the one by one correspondence between the IP address and the MAC address, which provides a reciprocal conversion between the two, specifically to resolve the network layer address to the address of the data link layer.

We can bind the IP address of the legitimate user and the MAC address of the network card in the ARP table. When someone steals an IP address, although the user modifies the IP address, the network cannot be accessed because the MAC address of the NIC is inconsistent with the corresponding MAC address in the ARP table. For Cisco switches, for example, on the Cisco Catalyst 5000 network switch, there are several commands for setting up and removing the ARP table:

Set ARP [dynamic | static] {IP_ADDR hw_addr} (setting the active or static ARP table);

IP_ADDR (IP address), HW_ADDR (MAC address);

Set arp static 20.89.21.1 00-80-1c-93-80-40 (bind IP address 20.89.21.1 and Nic MAC address 00-80-1c-93-80-40);

Set ARP static 20.89.21.3 00-00-00-00-00-00 (binding to unused IP, setting MAC address to 0);

Set ARP agingtime seconds (setting the refresh time of the ARP table, such as set ARP Agingtime 300);

Show ARP (used to display the contents of the ARP table);

Clear ARP [dynamic | static] {IP_ADDR HW_ADDR} (clears the contents of the ARP table).

Other brands of the three-tier switch also has similar commands and functions, the use of other switches to build broadband network, you can also use this set of ARP table to prevent the misappropriation of IP addresses to limit the flow of each IP address and network traffic to the purpose of billing. This approach is better suited for community broadband users, but it can only prevent users from statically modifying IP addresses.