Control port traffic to prevent the switch from being "killed"

Bkjia.com exclusive Article] A vswitch is an important connection "Hub" in the LAN. Once it is in an unexpected state, all the computers connected to the vswitch will suffer ", in this case, the Internet access is slow. In severe cases, the Internet access is simply unavailable. Therefore, it is critical to select a vswitch with superior performance and superior quality to form some important networks. However, no matter how high the performance, no matter how high the quality of the switch, if not properly managed, maintenance, then its working status is easy to appear unexpected. This is not the case. The following network fault occurs because the network administrator does not limit the traffic on the switch port, causing the switch to be overwhelmed by large traffic ", in the end, a large area of network disconnection occurs for Internet users. To prevent this fault from happening again, the network administrator decides to control the Internet port and limit the data transmission speed of the computer, make sure that the switch is not frequently impacted by large data volumes "!

The switch is "killed"

A building has around 1000 computers accessing the Internet. To facilitate control and management of these computers, they are connected to several common L2 switches, all L2 switches are connected to the routing switch of the building data center through multi-mode optical fiber lines. The routing switch is directly connected to the Internet through a MB broadband optical fiber line shared by the local telecommunications department. All computers are divided into different virtual working subnets according to their different units. Each virtual working subnet is independent of each other, and computers in each subnet cannot access each other, in this way, network viruses, broadcast storms, and other abnormal phenomena can be avoided, and the network stability of the entire building can be prevented.

When the building network was just getting started, the network administrator tested the network in different virtual work subnets and found that each computer had a fast Internet access speed, in addition, Internet users are also satisfied with the network transmission speed of the building. Every day, almost no faulty phone calls come to "harass" network administrators. However, with the passage of time, the network administrator began to receive more faulty calls, and some said that their computer had a faster speed than before, some people say that their computers are suddenly slow to access the Internet, and some say that their computers are often unable to access the Internet stably until a large area of the floor fails to access the Internet one day, this makes the network administrator aware of the severity of the problem. Based on the networking information, he immediately finds the IP address of the switch that cannot be used on the Internet floor, and attempts to remotely log on to the background System of the target switch to view the status information of each switch port, he found that the remote login operation failed. Later, the network administrator rushed to the faulty Switch site, connected through the Console cable, and directly logged on to the switch's background system using the Super Terminal Program, then enter the cascade port configuration mode of the switch connected to the building route switch, and use the "display interface" command in this mode to view the status information of the cascade port, it is found that the input and output traffic of this port is particularly large, especially the traffic of input packets in the last 30 seconds is obviously abnormal.

According to the same operation method, the network administrator checks the status information of other common switching ports, and finds that some of the switching port's input and output traffic are normal, while others have large input and output traffic; under normal circumstances, the incoming packet traffic of the common switch port should not exceed 500 packets per second, but under the faulty switch, the Network Administrator found that the input data traffic on many common switching ports exceeded 1000 packets per second, which is obviously abnormal. Why is the traffic so large? At first, the network administrator suspected that the faulty switch had a network loop. However, after enabling the loop control test function of the faulty switch, it was found that no network loop exists, for this reason, the Network Administrator estimates that these large traffic volumes may be caused by malicious downloads by online users under the faulty vswitch. When the "display cpu" command is executed in the background System of the faulty switch, the network administrator finds that the CPU resources of the switch system have been consumed more than 90%, under normal circumstances, the CPU resource consumption rate of the switch system should be above 50%. It seems that the faulty switch has been overwhelmed by the large traffic of Internet users, as a result, all users connected to the vswitch cannot access the Internet normally.

Feasible solutions to faults

From the fault description above, the reason why users on the floor cannot access the Internet in a large area is obviously caused by the uncontrolled consumption of valuable bandwidth resources by online users. To prevent a switch from being overwhelmed by large-volume data packets, there are usually two solutions available. One solution is to increase the outbound bandwidth for accessing the Internet, allow Internet users to continue to ride freely on the "high-speed" Road. Another solution is to keep the bandwidth at the Internet egress unchanged and try to limit the Internet access traffic of each user, make sure they do not overoccupy the Internet egress bandwidth resources.

Considering the current lease of Internet lines, fees are charged based on different outbound bandwidth sizes. The larger the outbound bandwidth, the higher the rental cost of Internet lines, obviously, by simply expanding the bandwidth of the Internet egress to avoid switch congestion, you need to pay a high network operation cost, and even if you use this solution, there is still the possibility that the switch will be "killed" by large data packets. After consideration, the Network Administrator intends to begin with network optimization settings to limit the access traffic of Internet users and prohibit them from using bandwidth resources when downloading BT videos or enjoying large-capacity multimedia videos online.

There are also many ways to limit the size of Internet traffic. For example, we can use some professional speed limiting tools to limit the size of Internet access traffic for a certain IP address, or, you can use the proxy server's transit method to control traffic to prevent Internet users from consuming Internet bandwidth resources at will. However, these methods have obvious shortcomings, for example, when using the proxy server to control Internet traffic in transit, the access speed of Internet users is subject to the performance of the proxy server, and many tasks simultaneously processed by the proxy server are prone to paralysis. When professional tools are used to limit Internet traffic, if the IP address of the computer on the Internet keeps changing, the traffic limit will not be good. Finally, after careful analysis and consideration, the network administrator decides to use the network management function provided by the floor switch to limit the access speed of each Internet exchange port. No matter how the IP address of the Internet computer changes in the future, as long as they are connected to the switch port configured with a speed limit, their internet traffic volume is controlled within a specified range, so that the switch is greatly affected by the impact of large-volume data packets.

Obviously, this solution does not require additional Internet access costs, and does not require additional equipment, making it unnecessary to adjust the existing network structure of the building network, therefore, this port traffic restriction solution not only ensures that the switch is not vulnerable to the "impact" of large data volumes, but also ensures stable operation of the building network. Of course, this solution is only applicable to small-and medium-sized networks and networks with relatively single online applications!

Traffic limit on the port

After selecting a feasible solution to solve the fault, the network administrator immediately sets a limit on the access speed of each switch port of the faulty switch. Because different models of switches have different methods to limit the port traffic, the network administrator finds that the faulty switch in the unit network uses a Quidway switch. After searching for relevant information online, he found that vswitches of the brand often use the line-rate command to limit the port traffic speed. At the same time, he found that the packet speed limit level of vswitches of the brand is 1 ~ 127. If the speed limit level is 1 ~ Within the range of 28, the granularity of the speed limit is 64 Kbps. In this case, when the set level is N, the speed limit on the port is N * 64 K; if the speed limit is between 29 and 29 ~ Within the 127 range, the speed limit granularity is 1 Mbps, in which case when the set level is N, the speed limit on the port is (N-27) * 1 Mbps.

Considering that the egress bandwidth of the entire building network is 1000 MB, the network administrator decides to limit the maximum transmission speed of each common switching port on the floor switch to 5 Mbps. Suppose, if a common computer in the LAN is connected to the 2nd Ethernet ports of the floor switch, the network administrator wants the maximum transmission speed of the Ethernet port to be 5 Mbps, then, he only needs to enter the background management system of the switch on the target floor as a system administrator, execute the "system" string command, and switch it to the global configuration status of the system, in this status, continue to run the string command "interface Ethernet 0/2" to enter the 2nd Ethernet port configuration mode. On this configuration page, run the "line-rate outbound 32" command, in this way, the outbound traffic speed of the target switching port can be limited to 5 Mbps. In the same way, run the "line-rate intbound 32" command, the inbound traffic speed of the target switch port is also limited to 5 Mbps. Then, execute the same operation on other switch ports to limit all their traffic transmission speeds to 5 Mbps, in this case, the outbound Bandwidth Resources of the entire switch will not be excessively consumed by a certain switching port, so the switch will not be easily "overwhelmed" by large data volumes.

Of course, when the local area network is large and the number of computers is large, we cannot simply restrict traffic on the switch ports on normal floors, after all, this method requires a lot of work, which is not conducive to improving network management efficiency. It is also troublesome to restore the normal switching port to work in the future. At this point, we can try to restrict the access traffic of the cascade ports of switches on each floor on the core switch of the LAN, so as to restrict the network on each floor to generate a large traffic impact on the entire core switch ".

Bkjia.com exclusive, not reprinted without authorization. For reprinted sites, please indicate the author and source of the original article is bkjia.com, and the content of the original article cannot be modified .]