解决IP地址冲突的方法--DHCP SNOOPING

　　使用的方法是采用DHCP方式为用户分配IP，然后限定这些用户只能使用动态IP的方式，如果改成静态IP的方式则不能连接上网络；也就是使用了DHCP SNOOPING功能。

　　例子：

　　version 12.1

　　no service pad

　　service timestamps debug uptime

　　service timestamps log uptime

　　no service p assword-encryption

　　service compress-config

　　!

　　hostname C4-2_4506

　　!

　　enable password xxxxxxx!

　　clock timezone GMT 8

　　ip subnet-zero

　　no ip domain-lookup

　　!

　　ip dhcp snooping vlan180-181 // 对哪些VLAN 进行限制

　　ip dhcp snooping

　　ip arpinspectionvlan 180-181

　　ip arp inspection validate src-mac dst-mac ip

　　errdisable recovery cause udld

　　errdisable recovery cause bpduguard

　　errdisable recovery cause security-violation

　　errdisable recovery cause channel-misconfig

　　errdisable recovery cause pagp-flap

　　errdisable recovery cause dtp-flap

　　errdisable recovery cause link-flap

　　errdisable recovery cause l2ptguard

　　errdisable recovery cause psecure-violation

　　errdisable recovery cause gbic-invalid

　　errdisable recovery cause dhcp-rate-limit

　　errdisable recovery cause unicast-flood

　　errdisable recovery cause vmps

　　errdisable recovery cause arp-inspection

　　errdisable recovery interval 30

　　spanning-tree extend system-id

　　!

　　!

　　interface GigabitEthernet2/1 // 对该端口接入的用户进行限制，可以下联交换机

　　ip arp inspection limit rate 100

　　arp timeout 2

　　ip dhcp snooping limit rate 100

　　!

　　interface GigabitEthernet2/2

　　ip arp inspection limit rate 100

　　arp timeout 2

　　ip dhcp snooping limit rate 100

　　!

　　interface GigabitEthernet2/3

　　ip arp inspection limit rate 100

　　arp timeout 2

　　ip dhcp snooping limit rate 100

　　!

　　interface GigabitEthernet2/4

　　ip arp inspection limit rate 100

　　arp timeout 2

　　ip dhcp snooping limit rate 100

　　--More--

　　编者注：对不需要明确地址的所有人的时候是一个很好的解决办法。另外，可以查看www.cisco.com的

　　IP Source Guard

　　Similar to DHCP snooping, this feature is enabled on a DHCP snooping untrusted Layer 2 port. Initially, all IP traffic on the port is blocked except for DHCP packets that are captured by the DHCP snooping process. When a client receives a valid IP address from the DHCP server, or when a static IP source binding is configured by the user, a per-port and VLAN AccessControl List (PACL) is installed on the port. This process restricts the client IP traffic to those source IP addresses configured in the binding; any IP traffic with a source IP address other than that in the IP source binding will be filtered out. This filtering limits a host's ability to attack the network by claiming neighbor host's IP address.