Network management benefits! Several difficult problems and solutions for LAN

As a qualified network administrator, I believe that everyone has encountered various difficult problems in the LAN, and everyone has their own way of dealing with them. Welcome to discuss with us those little episodes of youth that you have "dealt with" over the years.

1. IP conflict caused by privately changing IP

Problem description: The company has been using a static IP to access the Internet. Suddenly one day, the leader got mad and said that his computer could not access the Internet. As the network administrator, Xiao Li was still worried. Why could it suddenly not access the Internet when all other computers were working fine? He thought that someone must have set up an IP privately, which caused a conflict. How can I find a solution? Is there any good way?

[[250278]]

Solution:

Regarding the phenomenon of random changes of IP in LAN, we can start from the following aspects.

1. For simple networks

The structure is simple with only dozens of computers, and no network management switches are used.

First, we will impose administrative penalties and explain the rules to employees, but for us administrators, we must eliminate it technically.

(1) IP and MAC binding can be performed on the router

First check your computer's MAC and IP

Or learned through the router

Bind IP and MAC address.

(2) Set the computer to prohibit modifying LAN properties, run, and enter gpedit.msc to enter the group policy editing interface

Select by image: Disable access to LAN connection properties

Open

(3) Close the service and hide the network icon

Or use the command to modify the registry to hide

Unhide

2. Small and medium-sized networks with aggregation switches but no Layer 3 switching

(1) Dividing VLANs: Different VLANs for different departments can effectively isolate IP conflicts, reduce the scope of impact, and narrow the scope of fault location, which is conducive to troubleshooting.

(2) Bind the IP and MAC on the Layer 2 network management switch, and bind the port number at the same time.

Huawei Order

 user-bind static ip-address*.*.*.* mac-address************ interface Ethernet0/0/1

3. For large networks

In addition to the above methods, there are more advanced methods.

(1) Use audit behavior management equipment to make policies in the firewall

(2) Use software to deploy domain servers, and the client logs in to the domain server to implement access control.

2. Privately connected router, causing DHCP conflict

Problem description: The small hotel has a single network. One day, the guests complained that the network was down and they could not access the Internet. They went to the rooms to check and found that some rooms could access the Internet, but some rooms could not. After much effort, they finally found the real culprit behind the scenes. It turned out to be a small router. As network administrators, we hate privately connected routers. So how can we avoid it?

Solution: Of course, we first impose administrative penalties and explain the rules to employees, but for those tenants who do not understand technology, we must eliminate them technically.

• Simple networks can use static IPs, and the network architecture should be reasonable. If conditions permit, VLANs can be divided, departments can be isolated, the impact range can be reduced, and the scope of troubleshooting can be reduced.
• Using the DHCP snooping function of a managed switch

When the switch turns on DHCP-Snooping, it will snoop on DHCP messages and can extract and record IP address and MAC address information from the received DHCP Request or DHCP Ack messages. In addition, DHCP-Snooping allows a physical port to be set as a trusted port or an untrusted port. Trusted ports can receive and forward DHCP Offer messages normally, while untrusted ports will discard received DHCP Offer messages. In this way, the switch can shield fake DHCP servers and ensure that clients obtain IP addresses from legitimate DHCP servers.

DHCP Snooping configuration steps, taking H3C as an example:

 [H3C]dhcp-snooping //Enable the dhcp-snooping function globally 
 
 [H3C] interface Ethernet 1/0/4 //Enter port E1/0/4 
 
 [H3C-Ethernet1/0/4]dhcp-snooping trust //Configure port E1/0/4 as a trust port

3. Privately plugging in network cables causes network loops

Problem description: A small company has several new employees and needs to add several office locations, network interfaces and switching equipment. Since there is no network management, the employees take care of it by themselves and insert an extra jumper. This causes a network loop and paralysis of the LAN. How can we prevent this situation?

Solution:

Conventional methods regulate construction standards, crystal heads are constructed strictly in accordance with national standards, cables are marked, and the cable sequence is clear.

Add managed switches that can detect loops

1. Loopback-detection command monitoring

The loopback-detection command is used to detect port loopbacks.

After loopback-detection is enabled, the port sends detection data every 30 seconds by default. When an external loopback is detected, the Access port is closed.

For a Trunk port or Hybrid port, after loopback-detection is enabled, only reporting is performed. For related configurations, refer to the command loopback-detection control enable.

H3C port is open

 loopback-detection enable  
 interface gigabitethernet 0/0/1  
 [H3C-GigabitEthernet0/0/1] loopback-detection enable

2. Spanning Tree Protocol

When a loop occurs in the network, the protocol can use the spanning tree algorithm to logically disconnect one of the connections and make it a backup line. When a network break occurs, the protocol automatically starts the above backup line to ensure the normal operation of the network. A technology used to detect loops in the network and logically block redundant paths to ensure that there is only one path between any two nodes. To improve reliability, redundant connections are often required between devices in the network. However, the logical topology of Ethernet is star or bus, so loops are not allowed in the link. Spanning Tree can solve the above contradiction.

Enable spanning tree protocol

 stp enable  
 [H3C] interface GigabitEthernet 1/0/1  
 [H3C-GigabitEthernet1/0/1] stp enable

The RSTP protocol is enabled by default, which converges faster than the STP protocol and can be modified.

The STP protocol takes more than 50 seconds to take effect, so it is not suitable for use in scenarios with high network requirements.

Finished, if there are any deficiencies, please let me know. Welcome to discuss with us!