Advanced routing technology to prevent disconnection

This article mainly introduces in detail how to prevent advanced technical operations on routers from being dropped, so what specific operations should we perform? I believe that reading this article will help you.

Currently, Internet-based applications of Internet cafe users have expanded from simple web browsing to more extensive fields such as QQ chat, VOD on demand, online games, education and training, and IP phones, the increasing number of these applications puts forward higher and higher requirements on the speed and stability of the network. Therefore, the performance requirements for routers in Internet cafes are also increasing accordingly: first, more and more functions are required by hardware. Secondly, the routers are required to adopt distributed processing technology to improve the routing processing capability and speed. Third, the shared bus that is easy to cause congestion is gradually abandoned, the exchange routing technology is used to ensure the stability of the network.

It is precisely because of the complexity of Internet cafe applications that make network resources more tight. In such an environment, the disconnection of Internet cafe computers has become a heart problem that troubles Internet cafe owners and administrators. In order to avoid disconnection, major network equipment manufacturers have also made a lot of effort on the internet cafe router products. After long-term research and analysis on the internet cafe network application environment, we have developed a series of optimization measures and advanced functions for network applications in complex application environments. Let's take a look at the special technologies used in Internet cafe routers to prevent disconnection:

Routing prevents the IP address-based speed limit of an internal PC from being dropped

Currently, many network applications, such as BT, e, Thunder, FTP, and online video, all occupy a very high bandwidth. Taking a 200-scale Internet cafe as an example, the outbound bandwidth is 10 Mbps, the average bandwidth of each internal PC is about 50 k. If a few people download resources in a crazy way and all the bandwidth is occupied, the network speed of others will be affected, large files are downloaded, and up to 1518 bytes of IP packets, that is, 1.5 kb. All applications downloaded are large packets. during network transmission, data packets are transmitted in units, if a few users are downloading at the same time, a large amount of bandwidth is occupied. If someone is playing online games at this time, a card may occur.

An IP address-based speed limit function can limit the speed of all PCs in the Internet cafe, and can respectively limit the upload and download speeds, which can limit the speed of all PCs in the Internet, you can also set the speed of a specified internal PC. How much is the speed limit suitable? It has something to do with the specific outbound bandwidth and the size of Internet cafes, but the minimum bandwidth should not be less than 40 kb. It can be set to-kb.

The number of NAT links is limited by the number of NAT links in the internal PC to prevent disconnection.

NAT is the most widely used function in Internet cafes. Due to insufficient IP addresses, carriers generally provide one IP address to Internet cafes, while a large number of PCs exist in Internet cafes, so many pcs use this unique IP address to access the Internet. How can this problem be solved? The answer is NAT (network IP address translation ). When an internal PC accesses the Internet, a corresponding list is created inside the vro. The list contains information such as the internal PCIP address, the external IP address to be accessed, the internal IP port, and the destination IP port to be accessed, therefore, each ping, QQ, download, or WEB access has a list of corresponding links on the vro. If the network link corresponding to the list has data communication, these lists will be retained in the vro. If there is no data communication, it will take 20 to 50 seconds to disappear. (These times can be set for RG-NBR series routers)

There are several kinds of network viruses that will send tens of thousands of consecutive connection requests for different IP addresses in a short time, so that the vro needs to establish more than NAT links for the PC.

Because the NAT links on the vro are limited, if they are all occupied by these viruses and other people access the network, the resources without the NAT link will become inaccessible, this is because all NAT resources are occupied by network viruses.

In this case, many Internet cafe routers provide the ability to set the maximum number of NAT links for the internal PC, and can uniformly set the maximum number of NAT links for the internal PC, you can also restrict each PC.

At the same time, these routers can also view the content of all NAT links to see which PC occupies the largest number of NAT links, and the network virus also has some special ports, you can view the specific content of the NAT link and find out which PC has been poisoned.

Routes prevent dropped ACLs from preventing Network Viruses

Network viruses are emerging in an endless stream, but they are full of tricks. All Network viruses are transmitted over the network. The data packets of Network Viruses must also follow the TCP/IP protocol, a certain source IP address, and a destination IP address, source TCP/IP Port, destination TCP/IP Port, the same network virus. Generally, the destination IP port is the same. For example, the port of the shock wave virus is 135, and the port of the shock wave virus is 445, as long as these ports are restricted on the vro, the external virus cannot enter the Intranet through the vro's unique entry. packets initiated by internal network viruses, because of the limitations on the vro, The vro does not process it, which can reduce the amount of network bandwidth occupied by virus packets.

Excellent Internet cafe routers should provide powerful ACL functions, which can restrict network packets on Intranet interfaces, or restrict virus network packets on the External King interface, you can also restrict incoming network packets.

The WAN port anti-ping function of the route to prevent disconnection

In the past, there was a post that, in order to engage in cross-site, as long as a large number of people ping this website, this website will be cross-site. This is called a Denial-of-Service attack, with a large amount of useless data requests, he has no time to take care of normal network requests.

Hackers On the network need to scan each IP address on the network before initiating an attack. One common scan method is ping. If there is a response, it indicates that this IP address is active, it can be attacked, this will expose the target, at the same time if there are a large number of packets outside the RG-NBR series router Ping request, will also drag the internet cafe RG-NBR series router cross.

Currently, most Internet cafe routers have designed a WAN port to prevent ping, which can be enabled easily and easily. All data packet requests sent from external ping packets are dumb, this will not expose your own targets, but also prevent external ping attacks.

Protection against ARP Address Spoofing

As we all know, to access the Internet from an internal PC, you need to set the IP address of the PC and the gateway address. The gateway address here is the Intranet interface IP address of the NBR router. How does the internal PC Access the external network? The packet is sent to the internal network of the NBR. After the NAT address is forwarded by the NBR router, the packet is sent to the external network and the external packet is returned, query the NAT link in the vro。 and send it back to the relevant internal PC to complete a network access.

There are two addresses on the network, one is the IP address, the other is the MAC address, and the MAC address is the physical address of the network. To send packets to the Gateway in the internal PC, first according to the IP address of the gateway, query the MAC address of the NBR through ARP, and then send the packet to the MAC address. The MAC address is the physical layer address. All packets must be sent and eventually sent to the corresponding MAC address.

Therefore, there is an ARP ing relationship between each PC, that is, the corresponding table of IP addresses and MAC addresses. These ing relationships are updated through ARP and RARP packets.

Currently, there is a virus on the network that sends fake ARP packets, such as ARP packets sent from the gateway IP address, which maps the gateway IP address to its MAC address, or a non-existing MAC address, and broadcast the fake ARP packet in the network, all the internal PCs will update the corresponding table of the IP address and MAC, next time you access the Internet, the packet sent to the gateway's MAC address will be sent to a non-existent or incorrect MAC address, which will cause a disconnection.

This is ARM address spoofing. This is the cause of disconnection between the internal PC and the external network. The virus has been rampant for a while. In this case, the anti-ARP Address Spoofing feature has also appeared on some professional router products.

Routing prevents offline load balancing and line backup

For example, for example, ruijie RG-NBR series routers all support VRRP hot backup protocol, a maximum of 2-NBR routers can be set, and link 2-broadband lines between these NBR and broadband lines, server Load balancer and line backup are implemented. If the line is disconnected or the network device is damaged, the backup can be automatically implemented. When both the online and network devices are normal, Server Load balancer can be implemented. This function is supported on all vrouters of ruijie.

The RG-NBR series router in the RG-NBR1000E, but also provides 2 WAN port, if necessary, there is a module expansion slot, you can plug in the electrical port or optical interface module, link three broadband lines at the same time. Load Balancing and line backup can be achieved between these three broadband lines. Load Balancing Based on bandwidth can also be performed on internal PCs, you can also set the access to Netcom resources to go through the China Netcom line, and access to the load balancing of telecom resources to go through the China Telecom line.

Comprehensive Performance

The Internet cafe router is very complicated, so it cannot stand out in some aspects alone. It also requires comprehensive development in performance, functions, security, and other aspects to make full use of its advantages, it briefly describes the performance of "multiple, fast, good, saving, stable, simple, static, and strong", 8-Legged Walking, stable, tens of thousands of concurrent NAT links, and line-rate download, simple configuration, quiet usage, adaptability to harsh environments, internal speed limiting, telecom-grade network operating systems, and stable application in demanding environments, these powerful comprehensive performance can make an excellent Internet cafe router.

Nowadays, Internet cafe routers are constantly improving their software design to adapt to the development and changes of Internet cafe applications. The features we introduce today are of course very practical, however, Internet cafe management and technical personnel are also required to learn more about the new features and technologies of Internet cafe routers, improve their capabilities, and perform more scientific and reasonable network management settings, in this way, a non-dropped Internet cafe router can work together to create a non-dropped Internet cafe.