Generally, the implementation technologies of each company's products are different. The software system used by Cisco switches is Catalyst IOS. CLI is called "Command-Line Interface". To execute a Command, you must first enter the corresponding configuration mode.
In network management, users often encounter this situation: some users violate management regulations and modify their own IP addresses without permission to access restricted resources. Such behavior not only undermines information security rules, but may also cause network communication Faults due to address conflicts.
The network administrator may try to solve this problem by using various technical means described in the following article, but the effect is not necessarily satisfactory: first, the technical means cannot completely prevent this phenomenon, the second step is to increase the complexity and cost of management. Therefore, the most effective way to curb this phenomenon is administrative means, which cannot be replaced by technical means.
Before introducing these management methods, let's look at a simulated environment: the workstation PC and SERVER are connected to a Cisco Catalyst 3550 switch, which belong to different VLANs, use the 3550 route function for Communication (with the MAC address configuration of the switch ):
If you do not need permission restrictions, but want to prevent IP address conflicts, the best solution may be to use DHCP. The DHCP server can set parameters such as IP address, subnet mask, gateway, and DNS for users, which is convenient to use and saves IP addresses.
For details about how to set DPCP on a Cisco device, refer to http://mize.netbuddy.org/021011.html. Static allocation and configuration require a lot of management overhead. If users do not mess up, the user names and IP addresses correspond one by one to make maintenance easier. The following assumes that static management is used.
- hostname Cisco3550
- !
- interface GigabitEthernet0/11 description Connect to PC
- !
- interface GigabitEthernet0/12 description Connect to SERVER switchport access vlan 2
- !
- interface Vlan1
- ip address 1.1.1.254 255.255.255.0
- !
- interface Vlan2
- ip address 2.1.1.254 255.255.255.0
Breakthrough method: If the MAC address of the vswitch is invalid, you can change the IP address to 1.1.1.1 to access the Server. An invalid user preemptible address 1.1.1.1 may cause an IP address conflict. If you set the IP address to the IP address of the gateway, the communication of the entire VLAN will also be affected. By modifying Windows Settings, you can prevent users from modifying the "network" attribute, but this method is also easy to break through.
Discussion update: after reading this article, a friend named Maying sent a post to BBS asking: "How to set the traffic to filter out a specific mac address on the router? You do not want the host with this mac address to go through the router !". This requirement is fresh.
When you filter a MAC address, this action takes place on the second layer. Vrouters generally perform layer-3 routing tasks. They only filter the MAC addresses that enter when bridging in rare cases, therefore, it is best to set such filtering on a L2 switching device.
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
