3.2.3 Fault Analysis of Network Loops

Source: Internet
Author: User

Fault Analysis
In a typical network loop fault, the protocol analyzer Sniffer captures a very large number of packets. After a first round of analysis I did not see the problem: at first sight, the large number of SYN packets gave us the illusion of a SYN Flood attack. Afterwards we reviewed the loop troubleshooting process, re-analyzed the captured packets carefully, and explained the five common characteristics of the packets mentioned above, so that similar problems can be handled in a timely manner.
First look at the first four characteristics. The aggregation switch is a network-layer device, and the network-layer interface of the VLAN to which the building belongs is configured on it. To implement the network management policy, MAC addresses have been bound to both registered and unregistered IP addresses. A TCP connection is established only after the three-way handshake. Here the SYN packet that initiates the connection is 28 bytes long; adding the 14-byte Ethernet frame header and the 20-byte IP header gives the 62-byte frame length captured by Sniffer (the 4-byte FCS is not included). The unicast frame entering the VLAN is therefore a TCP request packet from the Internet. Following the Ethernet bridging and forwarding mechanism, after the CRC check passes, the aggregation switch, whose static ARP entries are already configured, rewrites the source MAC address of the unicast frame to the MAC address of its own interface and the destination MAC address to the address bound to the destination IP, recalculates the CRC to update the FCS field, and forwards the re-encapsulated frame to the access switch of the building.
Now look at the last characteristic. We abstract the topology shown in Figure 2 into the topology of Figure 3, composed of bridges A, B, C, and D. A bridge is a store-and-forward device used to connect similar LANs. These bridges listen to every frame transmitted on all of their ports and use the bridge table as the basis for forwarding. The bridge table is a list of "MAC address - port number" entries, each giving the port through which that MAC address is reached; it is refreshed from the source MAC address of each received frame and the port on which the frame arrived. The bridge uses the table as follows: when it receives a frame on a port, it first refreshes the bridge table and then looks up the destination MAC address of the frame in it. If the address is found, the frame is forwarded out of the port recorded for that MAC address (if that port is the same as the receiving port, the frame is discarded). If the address is not found, the frame is forwarded out of every port except the receiving one, that is, the frame is broadcast. Assume that during the whole forwarding process the destination MAC address of the frame is in none of the bridge tables of A, B, C, and D, that is, none of these bridges knows which port to forward the frame to. When bridge A receives a unicast frame from the upstream network on its uplink port, it broadcasts the frame. Bridges B and C broadcast it in turn after receiving it; bridge D receives the unicast frame from both bridge B and bridge C and sends it back towards bridge A through bridge C and bridge B respectively, so bridge A now receives two copies of the unicast frame. In this loop forwarding process, bridge A keeps receiving the same frame on different ports, and because the receiving port keeps changing, the "source MAC - port number" entry in the bridge table keeps changing as well. As assumed above, the bridge table does not contain the destination MAC address of the frame, so after receiving the two unicast frames bridge A can only broadcast them again out of every port except the receiving one, which means the frame is also forwarded out of the uplink port.

Figure 3: Abstract topology
For each unicast frame, bridge A repeats the process described above. Theoretically, after the first broadcast it receives 2^1 frames, after the second 2^2 frames, and so on: after the n-th broadcast it receives 2^n frames. In short, bridge A soon produces a broadcast storm, and the copies of this one unicast frame eventually consume the entire bandwidth of the 100BASE-X port. Although many frames on the uplink port may not have been captured completely by Sniffer during this period because of collisions, one can imagine how frequently this unicast frame still appeared. When we re-checked the captured packets, almost all of them carried the duplicate mark "Retransmission of Frame n" (n is an integer identifying an earlier received frame; see Figure 1), which had gone unnoticed at the time. At the 64-byte frame length, the 100BASE-FX port of an Ethernet switch can forward up to 144000 pps; in this loop state Sniffer may therefore capture more than 0.1 million packets of 66 bytes per second.
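The learning-and-flooding behaviour described above can be stepped through in code. The following simulation is an added example, not part of the original article: it models bridges A, B, C, and D as transparent bridges that learn source MACs and flood unknown unicast, and injects one request frame on A's uplink. The ring wiring (A-B, A-C, B-D, C-D) is assumed from the text's description, since Figure 3 is not reproduced; a second, constructed topology with one extra B-C link is included to show how additional redundant paths multiply the copies round over round. The MAC addresses are constructed sample values.

```python
"""Learning-bridge flood on a looped topology (added example, constructed topologies)."""

UPLINK = "uplink"   # A's port 0 leads out of the loop to the aggregation switch


class Bridge:
    """Transparent bridge: learn source MAC per port, flood unknown unicast."""

    def __init__(self, name):
        self.name = name
        self.ports = {}     # port -> (neighbour bridge, neighbour port) or UPLINK
        self.table = {}     # MAC -> port on which it was last seen
        self.flaps = 0      # times a learned MAC moved to a different port

    def receive(self, in_port, frame):
        """Return the list of ports the frame is sent out on."""
        src, dst = frame
        # Refresh the bridge table from the source address first
        if src in self.table and self.table[src] != in_port:
            self.flaps += 1
        self.table[src] = in_port
        # Known destination: forward on that port, or drop if it is the ingress port
        if dst in self.table:
            out = self.table[dst]
            return [] if out == in_port else [out]
        # Unknown destination: flood on every port except the ingress port
        return [p for p in self.ports if p != in_port]


def build(links):
    """links: (bridge_a, port_a, bridge_b, port_b) tuples; A's port 0 is the uplink."""
    bridges = {}

    def get(name):
        return bridges.setdefault(name, Bridge(name))

    get("A").ports[0] = UPLINK
    for a, pa, b, pb in links:
        get(a).ports[pa] = (b, pb)
        get(b).ports[pb] = (a, pa)
    return bridges


def simulate(links, rounds, frame=("aa:aa:aa:aa:aa:aa", "hh:hh:hh:hh:hh:hh")):
    """Inject one unicast frame on A's uplink and step the network round by round.

    One round delivers every frame queued in the previous round. The destination
    MAC never appears as a source, so it stays unknown and is always flooded.
    """
    bridges = build(links)
    pending = [("A", 0, frame)]
    uplink_copies, a_received = [], []
    for _ in range(rounds):
        nxt, up, recv_a = [], 0, 0
        for name, port, f in pending:
            if name == "A":
                recv_a += 1
            br = bridges[name]
            for out in br.receive(port, f):
                if br.ports[out] == UPLINK:
                    up += 1          # a copy goes back up to the aggregation switch
                else:
                    nb, nbp = br.ports[out]
                    nxt.append((nb, nbp, f))
        pending = nxt
        uplink_copies.append(up)
        a_received.append(recv_a)
    return {"uplink_copies": uplink_copies, "a_received": a_received,
            "flaps_A": bridges["A"].flaps}


# Constructed topologies: the ring described in the text, and the ring plus one extra link
RING = [("A", 1, "B", 1), ("A", 2, "C", 1), ("B", 2, "D", 1), ("C", 2, "D", 2)]
CROSS = RING + [("B", 3, "C", 3)]

if __name__ == "__main__":
    for label, links in (("ring", RING), ("ring + B-C link", CROSS)):
        r = simulate(links, 12)
        print(label, "| copies on uplink per round:", r["uplink_copies"],
              "| A table flaps:", r["flaps_A"])
```

In the plain ring every copy comes back to A exactly once per circuit, so the one injected frame is replayed to the uplink indefinitely and A's table entry for the source MAC flaps between ports on every pass; the extra B-C link makes the number of copies grow with every round, which is the multiplication that turns the replay into a storm.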
For the reason above, since at that time none of the four Layer-2 switches had the destination MAC address of the packet in its bridge table, once the aggregation switch in the upstream network sent a TCP request packet into the building, it kept receiving copies of that packet forwarded back by the building's access switch, while it never retransmitted the packets it received. Internet applications follow the request/response model: end-to-end communication works only when both the sending and the receiving channel are clear. Once one channel is blocked, the application cannot proceed and ends, and after it ends the requesting party does not automatically send the request packet again. Therefore, in the loop state, one channel carries heavy traffic while the other carries almost none. Because VLANs isolate broadcast domains, this heavy traffic does not pass through the network layer and therefore does not put much pressure on the aggregation switch.
In fact, because this network loop is a data-link-layer fault, it involves only the source and destination MAC addresses; whatever type of packet the upper layers encapsulate can cause a broadcast storm. That is to say, all kinds of packets could have been captured by Sniffer at that time.
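The lesson of the capture is that a loop replays the same frames bit for bit (the "Retransmission of Frame n" marks), whereas a real SYN Flood generates fresh packets with their own IP IDs, source ports and sequence numbers. The following check is an added example, not part of the original article: it runs over constructed frame records standing in for decoded Sniffer entries and classifies a sample as a loop, a possible SYN flood, or normal traffic. The field names, the replay-ratio threshold and the SYN-count threshold are assumptions.

```python
"""Tell a bridging-loop storm apart from a SYN flood in a packet sample (added example)."""
from collections import Counter


def frame_key(f):
    """Fields that identify one specific IP packet inside a frame (assumed record layout)."""
    return (f["src_mac"], f["dst_mac"], f["src_ip"], f["dst_ip"],
            f["ip_id"], f["sport"], f["seq"])


def classify(frames, replay_ratio=0.9, flood_syn_count=100):
    """Loop: the same SYN frame is replayed unchanged (identical IP ID, port, seq).
    SYN flood: many SYNs, but each one is a fresh packet with its own identity.
    Thresholds are assumptions for this example."""
    syn = [f for f in frames if f["flags"] == "S"]
    keys = Counter(frame_key(f) for f in syn)
    replays = sum(n - 1 for n in keys.values())      # copies beyond the first of each packet
    ratio = replays / len(syn) if syn else 0.0
    if syn and ratio >= replay_ratio:
        verdict = "loop"
    elif len(syn) >= flood_syn_count:
        verdict = "syn_flood"
    else:
        verdict = "normal"
    return {"syn": len(syn), "distinct": len(keys),
            "replay_ratio": round(ratio, 3), "verdict": verdict}


def make_syn(i, *, replay_of=None):
    """Construct one SYN frame record; replay_of returns an unchanged copy of an earlier frame."""
    if replay_of is not None:
        return dict(replay_of)
    return {"src_mac": "00:00:00:00:aa:01",                 # constructed aggregation-switch MAC
            "dst_mac": "00:00:00:00:bb:%02x" % (i % 256),   # constructed host MAC
            "src_ip": "198.51.100.%d" % (i % 254 + 1), "dst_ip": "192.0.2.10",
            "ip_id": 1000 + i, "sport": 40000 + i, "seq": 100000 + 37 * i,
            "flags": "S", "length": 62}


# Constructed samples: one frame looped 200 times, 200 distinct SYNs, and ordinary traffic
_base = make_syn(0)
LOOP_SAMPLE = [make_syn(0, replay_of=_base) for _ in range(200)] + [make_syn(i) for i in range(1, 6)]
FLOOD_SAMPLE = [make_syn(i) for i in range(200)]
NORMAL_SAMPLE = [make_syn(i) for i in range(5)] + [{**make_syn(i), "flags": "A"} for i in range(20)]

if __name__ == "__main__":
    for label, sample in (("loop", LOOP_SAMPLE), ("flood", FLOOD_SAMPLE), ("normal", NORMAL_SAMPLE)):
        print(label, classify(sample))
```

The distinguishing signal is the ratio of exact replays to SYNs: a storm of one looped frame scores close to 1 no matter how high the packet rate, while a flood of equally many SYNs scores 0, so counting SYNs alone cannot separate the two.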