Vswitch port short circuit causes abnormal Internet access

Bkjia.com exclusive Article] a switch is an important network device in a LAN. Its performance directly affects the stability of network operation. However, after a long period of work, the switch is prone to damage, so that the LAN working status will be affected; because the switch usually has a low probability of failure, in the event of a fault that causes abnormal Internet access, it is easy to take a detour when troubleshooting the fault. The fault below in this article is caused by a short circuit of the switch port. Due to the fact that the network management did not pay much attention to this detail, it took a lot of effort to resolve the fault.

Fault symptom

A lan of a certain organization has a moderate scale. About 100 common clients are distributed in a layer-4 building. All client systems on each floor use cat5e Network cables, in the H3C S3050 floor switch, each floor switch is connected to the core switch of the LAN through a m optical fiber cable. The LAN is connected to the Internet through the hardware firewall, at ordinary times, all client systems can access the Internet normally. To ensure the security of LAN operation, the network management specially divides the computers on each floor into the same virtual work subnet, each virtual working subnet cannot access each other. I don't know why recently. Some client systems in the LAN suddenly fail to access the Internet. The specific phenomenon is that the Internet access speed is very slow, and there are often strange faults that can access the Internet for a while and cannot be accessed for a while; after the on-site survey of the network management system, it was found that the client systems with abnormal Internet access were almost all located on the same floor, while the client systems on the other floor were able to access the Internet normally.

Troubleshooting Process

1. View physical connections

Because the fault is only confined to the same floor, and this phenomenon is very similar to the poor network contact, the network management subconsciously believes that the switch in the corresponding floor and the core switch of the LAN, physical connections may be insecure. As a result, the network administrator immediately pulled out the network cables between the faulty switch and the core switch, and tested the connectivity of the cables using a professional cable tester. It was found that there was no problem with the physical cables, then, the two ends of the network cable are re-inserted into the switching port, and the contact between the crystal head and the switching port is ensured. However, when the network management system tries to use the ping command to test the LAN gateway address in any client system, it finds that the test results are still unstable and data packet loss is also serious, obviously, physical connections are not the cause of failure.
　
2. View ARP viruses

Considering that the IP address used by the client system and the IP address used by the floor switch are located in the same work network segment, and the latest ARP virus is very popular, therefore, the network administrator began to suspect that ARP virus exists in the working subnet of the corresponding floor. Since the working subnet of the faulty computer contains dozens of online hosts, how can we quickly determine the location of the ARP virus source, it also isolates the agent system from the virtual working subnet to ensure the security and stable Internet access of other client systems.

Although there is no ARP virus monitoring tool at hand, the network administrator can view the LAN topology and find that switches on each floor support network management and enable log memory, this function tracks the IP address conflicts caused by ARP viruses under the vswitch. Based on this, the network management system is ready to log on to the faulty switch background system, check the system log records, and see if there is any related address conflict information. To achieve this, the network management system immediately controls the port through the console, log on to the backend Management System of the faulty switch, and run the "display logbuf" command in global configuration mode of the system. From the displayed result interface, the network management does not find the address conflict record caused by the ARP virus, which indicates that there is no ARP virus in the corresponding virtual working subnet.

3. view broadcast storms

Since no ARP virus exists in the working subnet of the fault, and the physical connection between the floor switch and the core switch is normal, broadcast storms may exist in the LAN, this causes a blockage of the network transmission channel. In this way, when the client system in the working subnet accesses the Internet, there will be a strange failure in the speed of surfing the Internet, the ability to access the Internet in a short time, and the inability to access the Internet in a short time. To check whether a broadcast storm exists in the corresponding virtual working subnet, the network administrator enters the core switch background System of the LAN and uses the interface command to enter the cascade port between the faulty floor switch and the core switch, run the "display interface xxx" command to check the working status of the specified cascade port. The result shows that the working status of the cascade port is sometimes "up, sometimes it is in the "down" status. What's more strange is that the size of the input and output data packets on the cascade port is obviously abnormal, and the data traffic is more than 10 times larger than usual, why does the data traffic in the working subnet suddenly become so large? Is there a malicious BT download phenomenon in the corresponding virtual work subnet? However, when the network manager repeatedly runs the "display interface xxx" command, it finds that the traffic of broadcast packets on the port is constantly increasing. Obviously, broadcast storms exist in the virtual working subnet under the port.

4. view port Loops

After figuring out that a broadcast storm exists in the faulty Virtual Work subnet, the next task is to find the specific "category" that causes the broadcast storm ". There are many factors that cause the broadcast storm, such as network device damage, network connection forming loops, and network viruses. However, the most common factors are users' carelessness, inadvertently forming a network loop in the Virtual Work subnet.

Considering that all switches in the LAN have enabled the network loop test function, to eliminate the network loop, the network management immediately enters the switch background system on the faulty floor, run the "display logbuf" command in the command line of the system to view the log records of the switch. It is found that the log records clearly indicate that the No. 8 switching port has a network loop. When arriving at the scene of the faulty switch, the network management system found that the switch port signal light on the 8th was shining, indicating that the port was working. When trying to unplug the network cable connected to the switch port, the network manager was surprised. When the network connection was disconnected, the switch port was still shining. Why? Is hardware damaged on the switch port?

Troubleshooting

Since the switch port has a network loop, the network management decides to disable the switch port first to check whether the working subnet status of the corresponding switch is normal. Once said, the network administrator immediately logs on to the faulty switch background system and runs the "interface e0/8" command to enter the view mode status of the e0/8 switch port, in this status, continue to run the string command "shutdown" and disable the working status of the e0/8 switching port.

Then, the network management system tries to run the ping command on the faulty client system to test the gateway address of the corresponding virtual working subnet. The ping command is normal, is the faulty client system able to access the Internet normally now? During the online test, the network management system saw the previous slow speed of surfing the Internet. The strange fault that was able to access the Internet in a short time and could not access the Internet in a short time has disappeared. Obviously, the network fault has been successfully solved.

Fault reflection

Although the above fault has disappeared, the network management is very puzzled why the e0/8 switch port of the faulty switch is disconnected from the network, can it still be lit and the port still has a network loop? After careful analysis, the network management determines that a short circuit may occur inside the switch port, which directly causes the target switch port to be properly lit without network connection; when the switch's switching port is short-circuited, it is equivalent to forming a network loop in the corresponding virtual working subnet. This loop causes a broadcast storm and eventually leads to a failure in the switch's performance, the fault is that the Internet access speed is slow and the Internet access is unstable.

Of course, this type of network failure occurs on a switch with loop test function. As long as the network administrator can quickly find the specific loop location from the switch background system log record; however, if the fault occurs on a switch that does not support loop testing, troubleshooting is troublesome. At this time, we can try to restart the switch background system once when all the network connections of the switch are disconnected, and observe the signal lights of each switch port carefully, if we find that a switching port is still flashing without any connection, we can be sure that the switching port has a short circuit.