I am a network administrator of a building. My main task at ordinary times is to maintain the secure and stable operation of the LAN network in the building. In the recent period, the LAN of the building may suffer from some faults: Sometimes a working subnet can access the Internet normally, but another working subnet cannot access the Internet normally; in the same work subnet, some workstations can access the Internet normally, while some workstations cannot access the Internet. Sometimes, all work subnets in the unit building cannot access the external network. In addition to complaints from colleagues in the organization, the leaders of the organization often "Ask" to give lessons and make me feel overwhelmed.
One fault after another
In the past, the network in the unit building occasionally experienced the failure that some workstations could access the Internet and some workstations could not access the Internet. In this case, I used professional data packet capture tools for packet capture analysis, however, after careful analysis, we did not find the root cause of the fault. Each time we simply restarted the switch equipment and firewall equipment of the building LAN, the network access status of all workstations can be restored to normal. However, it is not an effective way to solve network faults by restarting switches and firewalls so frequently. After all, important network devices such as switches are often restarted frequently, this will not only reduce the stability of the LAN network in the building, but also shorten the service life of network devices such as switches with a long time. Even more seriously, even if some network devices such as switches are restarted, the network failure will occur again in a few minutes. Obviously, if the root cause of network failure is not found from the source, the network failure will occur one after another, and the network operation efficiency of the unit building will be greatly reduced.
Initial troubleshooting
The lan network topology of the building is mainly a hardware firewall that is directly connected to the local ISP through a broadband optical fiber, and a core route switch that maintains connection with the hardware firewall, the core route switch is divided into 70 VLANs. to find the root cause of network faults, I first click the "Start"/"run" command in any common workstation on the LAN, and enter the "cmd" command in the pop-up system running dialog box, click the Enter key to switch the system to the doscommand line status. At the command line prompt, enter the string command "ping 10.176.1.2" (10.176.1.2 is the gateway address of the local lan network ), after you click the Enter key, the screen returns the Test Result (1) that the gateway address of the local lan network can be pinged properly. Then, at the command line prompt, enter the string command "ping 10.176.1.3" (10.176.1.3 is the firewall address of the local lan network) and click the Enter key, the screen also returns the test result that the firewall address of the local lan network can be pinged normally. Through the above test, I believe that the network connection between the building intranet and the network egress is normal.
To check whether the broadband connection line between the firewall and the local ISP is smooth, I remotely log on to the firewall device using the telnet command, ping the gateway address of the local ISP in the remote login status of the device. The test result shows that the gateway address of the local ISP can also be pinged normally, this indicates that the network of the building can normally access the local ISP. I cannot explain the above test results. The gateway address of the local LAN can be pinged normally, and the network connection between the local network and the local ISP is also smooth, however, some workstations in the LAN cannot access the Internet. Is the problem caused by the LAN workstation? However, it is unlikely that only one or more workstations can access the Internet without network problems, however, sometimes a single workstation cannot access the Internet. This indicates that the network is definitely faulty! After careful analysis of the fault phenomenon and comparison of the test results, the author initially believes that this fault is probably caused by the ARP virus in the network, because once the LAN is infected with the ARP virus, when a LAN workstation accesses the internet, it will forward all the Internet request information to a false gateway device, which will eventually cause failure of the workstation to be unable to access the Internet. In-depth troubleshooting In order to confirm whether the ARP virus is the final root cause of failure, I open the MS-DOS window in a common workstation on the LAN, enter the "arp-a" string command at the command line prompt of the window, after clicking the Enter key, I found that the physical address of the local gateway device has changed to 000d-87f8-36d3. This address is completely different from the actual physical address of the gateway set on the core route switch, this indicates that ARP virus exists in the LAN. Which workstation in the LAN is infected with the ARP virus? Because the LAN in the building contains 10 VLANs, the number of computers connected to each VLAN is constantly changing, therefore, relying solely on traditional methods, it is difficult to quickly find the target workstation system infected with the ARP virus. When building a LAN, the staff created a VLAN data table from which the network administrator can quickly query the network connection ports contained in each VLAN, which room is the unit of the network connection port. For this reason, the author intends to first find out which VLANs contain ARP viruses, and then based on the found false gateway physical address information, find the port from which the workstation infected with the ARP virus comes from the specific workstation, find the reference table, find the number of the room where the workstation is located, and then call the room owner to isolate the virus. Because the vswitch used by my organization supports the diagnosis function, I plan to use this function to find the ARP virus in the LAN. The author first uses the Super Terminal Program to connect to the core switch of the Organization and enters the privileged mode. In the privileged mode command line state, enter the string command "dis dia" (display diagnostic information ), after you click the Enter key, the system asks if you want to perform a diagnosis. To view all the diagnostic information, before answering the questions, click the "capture"/"capture to text" command on the Super Terminal interface, set the path for saving the diagnostic information and the file name, and click "y" (2 ), start the diagnosis check. The diagnosis check results are automatically captured and saved to the specified text file.
After the diagnosis, I immediately open the specified text file, from which I can see that the physical address of the gateway device in VLAN61 has changed to 000d-87f8-36d3. then, I use the telnet command to log on to the vswitch where VLAN61 is located, enter the "dis mac" string command at the command line prompt, and click the Enter key, I have seen the physical addresses of all workstation NICs connected to VLAN61, from which I found that the workstation corresponding to the 000d-87f8-36d3 address is connected to port e0/9 of VLAN61 (3 ); in order to prevent the workstation infected with ARP virus from continuing to affect normal network access, the author immediately manages the interface on the background of the corresponding switch, execute the string commands "inter e0/9" (entering the port modification mode), "shutdown" (Closing the port ), isolate the ARP-infected workstation from the building network. Finally, I checked the VLAN data table of the organization. Based on VLAN numbers, port numbers, and other information, I found that the faulty workstation was located in the text printing room on the fourth floor and called them, they were asked to use the latest version of anti-virus software for anti-virus operations, so far the ARP virus was finally pulled out.
