How to prevent IP address theft

Source: Internet
Author: User
Tags: cisco switch
Our LAN has more than 100 computers. To tell users apart and assign finer-grained access permissions, we use fixed IP addresses instead of automatically obtained ones; in addition, some of the machines need to reach the Internet. To do this we set up two subnets: for example, the intranet uses the 192.168.0.x range and the Internet-connected machines use the 192.168.1.x range. In practice, users often change their IP address without permission in order to get onto the Internet, which causes address conflicts. The symptom is as follows:

Because our computers run Windows XP, which lets a single NIC carry two or more IP addresses, a user can assign himself an address in each of the two ranges without permission. With one address on each network the machine can reach both the LAN and the Internet, which the company does not allow. The manager asked for the problem to be solved immediately, or this month's bonus would be gone.

The following are some of my solutions and experiences. I hope they give some tips for solving these problems.

Method 1: Bind IP addresses to MAC addresses and use the router's MAC filter (I use a TP-LINK router)

Use the command arp -s 192.168.1.2 00-a0-43-e0-6a-84 to bind the static IP address 192.168.1.2 to the computer whose NIC address is 00-a0-43-e0-6a-84, so that others cannot use that IP address. Then open the router's MAC filter function, select the option that allows only the listed MAC addresses to connect to the Internet, and enter 00-a0-43-e0-6a-84.

However, although the method above solves unauthorized network access and address conflicts to some extent, the MAC address of the local machine is easy to change by editing the registry or downloading a dedicated MAC-changing tool, and a user can even set both the MAC address and the IP address of his machine to those of a machine that is allowed on the Internet, so illegal users can get onto the network again. Also, the MAC filter on my router can only hold 16 MAC addresses (I am not saying TP-LINK gear is bad, just that the model we use is too cheap).
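As an added example (not from the article), here is a small Python check that audits a Windows `arp -a` dump against the IP/MAC binding table from Method 1; the bindings, the two address ranges and the ARP output are constructed. It flags the two problems described above: another NIC answering for a bound address, and a NIC that has added a second address in the Internet range.

```python
import ipaddress
import re
# Constructed binding table (hypothetical values): IP -> MAC, the same pairs that
# `arp -s` would load. Only 192.168.1.2 is allowed on the Internet range.
BINDINGS = {
    "192.168.0.10": "00-a0-43-e0-6a-84",
    "192.168.0.11": "00-a0-43-e0-6a-85",
    "192.168.1.2": "00-a0-43-e0-6a-84",
}
INTRANET = ipaddress.ip_network("192.168.0.0/24")
INTERNET = ipaddress.ip_network("192.168.1.0/24")
# Constructed sample of Windows `arp -a` output, as captured on the gateway machine.
SAMPLE_ARP = """\
Interface: 192.168.0.1 --- 0x2
  192.168.0.10          00-a0-43-e0-6a-84     dynamic
  192.168.0.11          00-a0-43-e0-6a-99     dynamic
  192.168.1.2           00-a0-43-e0-6a-84     dynamic
  192.168.1.7           00-a0-43-e0-6a-85     dynamic
  192.168.0.255         ff-ff-ff-ff-ff-ff     static
"""
ARP_LINE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s", re.I)

def parse_arp(text):
    """Return (ip, mac) pairs from `arp -a` output, skipping broadcast/multicast."""
    pairs = []
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if not m:
            continue
        ip, mac = m.group(1), m.group(2).lower()
        if mac == "ff-ff-ff-ff-ff-ff" or mac.startswith("01-00-5e"):
            continue
        pairs.append((ip, mac))
    return pairs

def audit(pairs, bindings=BINDINGS):
    """Compare observed pairs with the bindings; return (kind, ip, mac, note) findings."""
    mac_home = {mac: ip for ip, mac in bindings.items() if ipaddress.ip_address(ip) in INTRANET}
    findings = []
    for ip, mac in pairs:
        bound = bindings.get(ip)
        if bound == mac:
            continue  # matches the binding table
        if bound is not None:  # someone else is answering for a bound address
            findings.append(("ip_theft", ip, mac, f"bound to {bound}"))
        elif ipaddress.ip_address(ip) in INTERNET:  # a second address in the Internet range
            findings.append(("unauthorized_internet", ip, mac, f"NIC bound to {mac_home.get(mac, 'unknown')}"))
        else:
            findings.append(("unbound_ip", ip, mac, "no binding"))
    return findings
```

Running it on a real dump only sees what the gateway's ARP cache holds, so it complements, rather than replaces, the bindings themselves.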

Method 2: Bind MAC addresses to switch ports

After MAC addresses are bound to switch ports, if an illegal user changes the MAC address of the local NIC without authorization, the machine can no longer access the network, because the switch treats the new MAC address as illegal. In this way, users do not dare to change it.

Log on to the switch (our organization uses Cisco switches; I believe switches of other brands have similar functions) and enter the management password to enter configuration mode:

Run the following command: (config)# mac-address-table permanent [MAC address] [Ethernet port]

In this way, each port is bound one by one to the MAC address of its computer. After saving and exiting, the user's modifications are completely blocked.

Method 3: Firewall and proxy server

Personally, I feel that the combination of a firewall and a proxy server solves IP address theft better: the firewall isolates the internal network from the external network, and users reach the external network through the proxy server. This moves IP address anti-theft to the application layer and turns IP address management into user identity and password management, because in the end what users want from the network is to get onto the Internet. The advantage is that a stolen IP address is only usable within the subnet, which makes stealing it pointless. Valid users can use any IP host and reach external resources through the proxy server, while someone who steals an IP address still has no permission to use the external network.

The disadvantages of firewalls and proxy servers are also obvious. Accessing external networks through a proxy server is not transparent to users, which makes their work more troublesome. In addition, with a large number of users, user management is also a problem.
