A major feature of the local area network is that it has a certain number of end users. For example, in a key middle school, there are more than 600 terminal users on the school's local area network. In order to distinguish different users, we use the method of terminal fixed IP settings. Like the network management of many other schools, we have been plagued by network conflicts caused by end users privately changing their IP addresses. Consult relevant network companies, they also provide many solutions, but most of them are expensive. There is no way, but I have to rack my brains to find a way.
Similarly, the "not enough IP address" in the LAN is also a common problem in network planning and maintenance. Today’s article will solve these two problems for everyone: so the two-level management method based on firewall-based IP address and MAC address binding + switch-based MAC address and port binding is adopted, and the two-pronged approach has solved this better. problem.
1. Firewall-based IP address and MAC address binding
1. Do a good job in naming the entire LAN terminal user computer, specify the IP address and name the computer uniformly according to the user's category, and give the IP address. By looking at the machine name, you can know which department and which machine it is, which is easy to manage. For example, the No. 1 machine in the Chinese group of the first grade, we named it "gaoyiyuwen01". At the same time, a unified plan to assign IP addresses to each terminal machine, and to establish an IP address allocation registration form (see attached table).
2. Count the MAC address of the network card of each terminal machine and establish the IP address and MAC address correspondence table. We know that by typing the command "Winipcfg" in MS-DOS mode, you can get the local IP address and MAC address (under Windows 98). We can publish this method, and then ask relevant users to report the local MAC address copy to the network management center, and then the registration summary. You can also make statistics when setting the machine name and IP address. The network administrator can also use the Nbtstat command to remotely obtain the MAC address of the specified machine. Type the command "Nbtstat -a remote computer name" in MS-DOS mode to obtain the IP address and MAC address of the specified machine.
3. Binding the IP address and the MAC address requires different methods according to the different ways the LAN accesses the Internet. If you use a proxy server to access the Internet, use the command: ARP -s IP address MAC address Example: ARP -s 192.168.1.4 00-EO-4C-6C-08-75 In this way, the static IP address 192.168.1.4 It is bound to the computer with the network card address 00-EO-4C-6C-08-75, even if someone else steals your IP address 192.168.1.
4. It is also unable to access the Internet through a proxy server. If you access the Internet directly through a router, it is best to use a hardware firewall to achieve the binding of IP and MAC addresses. General hardware firewalls have this function, and the specific operation is also very simple. At this point it seems to be done, but things are not as simple as we thought. It took a lot of energy to build the line of defense, and the conflict continued within a month. It turned out that some end users changed the MAC address of the machine without much effort by modifying the registry, downloading special gadgets, etc., and even changed the MAC address and IP address of the machine to be exactly the same as the main server. It's getting restless in the local area network.
2. Switch-based MAC address and port binding
In order to further solve this problem, I thought of the switch-based MAC address and port binding. In this way, if a terminal user arbitrarily changes the MAC address of the machine's network card, the machine's network access will be unavailable because its MAC address is deemed illegal by the switch, and naturally it will not cause interference to the LAN. If it is in a small LAN, it may not be necessary to consider insufficient IP addresses, but in a large LAN with more than 255 computers, it is necessary to consider how to solve the problem of insufficient computer IP addresses. In many cases, the private network address 192.168.1.x-255 is not enough in the corporate LAN. After removing a broadcast address and a network address, it may not be enough. (0 is the network address is not available, 255 is the broadcast address, excluding these two, 254 addresses are available). So how to solve it? First of all, let's take a look at the IP address: "XXXX" x represents any natural number between 0 and 255. However, in the local area network, the number setting here is regular, usually divided by the subnet mask. For example, 255.255.255.0. Explain that the last X can be changed at will from 0 to 255. When the gateway is 192.168.1.1, we can set it to 192.168.1.1–192.168.1.254. What to do when the number of ip addresses exceeds the number in a local area network? This usually occurs in C-type ip address local area networks. There are three ways to solve this problem.
1. Change the subnet mask. Therefore, when the subnet mask is set to 255.255.255.0, the LAN under the router can only assign relatively independent IP addresses to "254" computers at most. If you want to increase the LAN IP, you can modify the subnet mask. For example, if the subnet mask is changed from 255.255.255.0 to 255.255.0.0, then the computer IP in our LAN is equivalent to 254 times 254 computers. , There are 64516 IP addresses. The third X of the IP can also be changed from any number between 0 to 255 to 192.168.XX. If you need more, you can set it to 255.0.0.0, and the local area network can have 254 254 254 computers. However, this setting is equivalent to that all these computers are in a local area network and can access each other, which is likely to cause a "network storm".
2. The method of adding a router can also be divided into multiple network segments by connecting a router behind the router, but this method is not very large. If the original network segment is 192.168.1.1. Then you can add a new network segment, 192.168.X.1. Operation steps: just add a new router! Assign an IP address to the static IP binding of the newly added router, and then if you want to save trouble, you can enable DHCP, if you don't want to save trouble, set your own IP address. The gateway of the router must be changed!
Generally, the default is 192.168.0.1 or 192.168.1.1, the gateway of your newly added network segment should be 192.168.X.1 Remember! If you set the new IP address to 192.168.2.1. The IP address pool of the new router can be between 192.168.2.2~~~192.168.2.254. Connection method: The LAN port of the previous router is connected to the WAN port of the current router. Then your new router can go online. You can connect another switch to the LAN port of the new router.
Third, the best way to divide VLANs is to divide the computers in the LAN into multiple virtual LANs by setting up a virtual local area network "VLAN", which can reduce network storms and improve the efficiency of switches and routers. Some switches have their own VLAN interfaces, so just connect the network cables to the corresponding network segments as needed. Divided by subnet! You can set the IP address to 192.168.0.0/23 so you can divide the two network segments 192.168.0.x and 192.168.1.x, which increases the number of IPs. Of course, you can continue to divide multiple network segments. Network segment 1: 192.168.0.x, 192.168.0.1——192.168.0.254, subnet mask 255.255.254.0. Network segment two: 192.168.1.x, 192.1681.1——192.168.1.254, 255.255.254.0. In this way, 192.168.0.x and 192.168.1.x can communicate without other devices.
END
In order to better help you learn and understand network engineers, and other related content, I deliberately organized all the information in a systematic manner, and I also share it here for free. Necessary materials for network workers, including:
Huawei certification mind map (super fine);
Huawei certification necessary knowledge documents (pdf);
collection of necessary knowledge documents for
network workers ; necessary tool kits for
network workers ; Prepare experiment package;
necessary video interview package for net workers.
……The
information is a bit too much, I won’t list all of them. I will write here first. If you need information or have any questions, you can leave a message or private message to discuss.