How to control port traffic and keep the switch from being "killed"

Source: Internet
Author: User
Tags: switches

The switch is the central connection point of a LAN. Once it stops behaving normally, every computer attached to it suffers: at best the network gets slow, at worst nobody can get online. Choosing well-performing, high-quality switches for the important parts of a network is therefore critical. But no matter how good the switch, if it is not properly managed and maintained its working state can easily go wrong. The fault described in this article is a case in point: because the network administrator had not limited the traffic on the switch ports, the switch was "killed" by a flood of traffic and a large group of users lost their Internet connection. To keep this from happening again, the administrator decided to control the access ports and limit the data transmission speed of each computer, so that the switch would no longer be hit by bursts of high-volume traffic.

The switch is "dead."

About 1000 computers in one building have Internet access. For easier control and management they are connected to a number of ordinary Layer 2 switches, and all of these switches connect over multimode fibre to the routing switch in the building's equipment room. The routing switch in turn reaches the Internet through a shared 1000 Mbps fibre line rented from the local telecommunications provider. The computers are divided by department into separate virtual work subnets (VLANs); the subnets are isolated from each other and computers in one subnet cannot reach another, which keeps viruses, broadcast storms and similar problems in one subnet from threatening the stability of the whole building network.

When the building network first went into operation, the administrator tested each virtual work subnet and found every computer's Internet speed to be very fast; users were equally satisfied with transfer speeds inside the building network, and hardly any trouble calls came in. As time went on, however, the complaints began: some users said their Internet access was no longer as fast as before, some said their computer had suddenly slowed down, others said their connection kept dropping, until one day an entire floor lost Internet access. That made the administrator realise how serious the problem was. Using the network documentation, he looked up the IP address of the switch serving the affected floor and tried to Telnet into its management system to check the status of each port; the remote login failed. He then went to the faulty switch, connected through the console cable and logged in directly with HyperTerminal, entered the configuration view of the uplink (cascade) port that connects the switch to the building's routing switch, and ran the "display interface" command there to view the port's status. The port's input and output traffic was extremely high, and the input packet rate over the last 30 seconds in particular was clearly abnormal.

Using the same method, the administrator checked the status of the other, ordinary ports. On some the input and output traffic was normal; on others both were quite high. Under normal conditions the input packet rate of an ordinary access port on this network should not exceed about 500 packets per second, yet on the faulty switch many access ports were receiving more than 1000 packets per second, which is clearly abnormal. Why was the traffic so high? At first the administrator suspected a loop on the faulty switch, but after enabling loopback detection on it no loop was found, so he concluded that the traffic was most likely caused by heavy downloading by the users attached to the switch. Still in the switch's management system, he ran "display cpu" and found that CPU usage was above 90%, whereas a healthy switch should stay below about 50%. The faulty switch had evidently been "killed" by the users' heavy traffic, which is why none of the users connected to it could get online properly.

Possible solutions to the problem

From the fault described above it is clear that the floor's users lost Internet access because unrestricted Internet use had consumed the scarce bandwidth. There are generally two ways to stop a switch from being "killed" by high-volume traffic: either increase the bandwidth of the Internet uplink so that users can keep "racing down the highway" unrestrained, or keep the uplink bandwidth as it is and limit each user's Internet traffic so that no one can monopolise the uplink.

Internet lines are currently rented at prices that depend on the uplink bandwidth, and the larger the bandwidth the higher the rental cost, so simply enlarging the uplink to avoid switch congestion means higher operating costs. Even then, the switch could still be "killed" by high-volume traffic. After weighing the options, the administrator decided to start with the network configuration: limit each user's access speed so that BitTorrent downloads and streaming of large multimedia files can no longer grab an unfair share of the Internet bandwidth.


There are many ways to limit Internet traffic. Dedicated rate-limiting tools can restrict the traffic of a particular IP address, and a proxy server can relay and throttle connections so that users cannot consume bandwidth at will. Both have obvious drawbacks: with a proxy server, users' access speed is bounded by the proxy's performance, and a proxy handling many tasks at once is prone to collapsing; with IP-based rate-limiting tools, the limits stop working as soon as a computer's IP address changes. After careful analysis the administrator decided to use the management features of the floor switches themselves to limit the access speed of each switch port. Whatever IP address a computer uses, its traffic is then held within the configured range as long as the limit is set on the port it connects to, and the impact of high-volume traffic on the switch is greatly reduced.

This solution requires no extra Internet charges, no additional equipment and no changes to the building's network structure, so it both protects the switch from being hit by high-volume traffic and keeps the building network running stably. Of course, it is best suited to small and medium-sized networks whose Internet usage is fairly uniform.

Limit the traffic on each port

Once a workable solution had been chosen, the administrator prepared to limit the access speed of every port on the faulty switch. The way port traffic is limited differs between switch models. The faulty switch was a Quidway switch, and from documentation found online the administrator learned that this brand uses the line-rate command to limit port traffic, with a rate-limit level from 1 to 127. For levels 1 to 28 the granularity is 64 kbps: a level of N limits the port to N*64 kbps. For levels 29 to 127 the granularity is 1 Mbps: a level of N limits the port to (N-27)*1 Mbps. Level 28 therefore gives 1792 kbps, level 29 gives 2 Mbps, and level 127 gives the maximum of 100 Mbps.

Since the whole building shares a 1000 Mbps uplink, the administrator decided to limit the maximum transmission speed of each ordinary port on the floor switch to 5 Mbps, which corresponds to level 32 ((32-27)*1 Mbps). Suppose an ordinary LAN computer is connected to Ethernet port 2 of the floor switch and its maximum speed is to be 5 Mbps. The administrator logs in to the switch's management system as system administrator, runs "system" to enter the global configuration view, then "interface Ethernet 0/2" to enter the configuration view of that port. In that view, "line-rate outbound 32" limits the port's outbound traffic to 5 Mbps, and "line-rate inbound 32" limits its inbound traffic to 5 Mbps as well. The same commands are then applied to the remaining ports so that each is limited to 5 Mbps; no single port can then monopolise the switch's uplink bandwidth, and the switch is far less likely to be "killed" by high-volume traffic. Note that these limits are per port: they bound what any one user can send or receive, but the sum of the limits across all ports can still exceed the uplink, so contention on the uplink itself remains possible.
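As an added example (not code from the original article or from the switch vendor), the following Python script encodes the level-to-rate rules quoted above, picks the level for a desired rate, generates the per-port commands the article describes, and computes how far the summed per-port limits exceed the uplink. It assumes that the 1 Mbps steps are decimal (1 Mbps = 1000 kbps; the article does not say) and that "quit" leaves the interface view; the command names are the ones the article uses.

```python
"""Quidway-style line-rate level arithmetic and config generation.

Rules as quoted in the article: levels 1..28 step in 64 kbps (rate = N*64 kbps),
levels 29..127 step in 1 Mbps (rate = (N-27)*1 Mbps).
Assumption (not on the page): 1 Mbps = 1000 kbps.
"""

MAX_LEVEL = 127
FINE_LEVELS = 28                 # levels 1..28 use the 64 kbps granularity
FINE_GRANULARITY_KBPS = 64
COARSE_GRANULARITY_KBPS = 1000   # levels 29..127 use 1 Mbps steps (assumed decimal)


def level_to_kbps(level: int) -> int:
    """Rate in kbps enforced by a given line-rate level."""
    if not 1 <= level <= MAX_LEVEL:
        raise ValueError(f"line-rate level must be 1..{MAX_LEVEL}, got {level}")
    if level <= FINE_LEVELS:
        return level * FINE_GRANULARITY_KBPS
    return (level - 27) * COARSE_GRANULARITY_KBPS


def kbps_to_level(kbps: int) -> int:
    """Smallest level whose enforced rate is at least the requested rate.

    Requested rates are rounded *up* to the next representable step, so check
    level_to_kbps() on the result to see what will actually be enforced
    (e.g. 1900 kbps is not representable and becomes level 29 = 2000 kbps).
    """
    if kbps <= 0:
        raise ValueError("rate must be positive")
    for level in range(1, MAX_LEVEL + 1):
        if level_to_kbps(level) >= kbps:
            return level
    raise ValueError(
        f"{kbps} kbps exceeds the maximum limit of {level_to_kbps(MAX_LEVEL)} kbps")


def port_limit_config(ports, kbps: int) -> str:
    """Commands limiting each port in both directions, as in the article's
    'line-rate inbound/outbound 32' on Ethernet 0/2. 'quit' is assumed to
    return from the interface view."""
    level = kbps_to_level(kbps)
    lines = ["system"]
    for port in ports:
        lines += [f"interface {port}",
                  f" line-rate inbound {level}",
                  f" line-rate outbound {level}",
                  " quit"]
    return "\n".join(lines)


def oversubscription(port_count: int, kbps_per_port: int, uplink_kbps: int) -> float:
    """Worst-case ratio of the summed per-port limits to the uplink.

    Per-port limits bound each user, not the aggregate: 1000 ports at 5 Mbps
    can still offer five times the article's shared 1000 Mbps line.
    """
    return port_count * kbps_per_port / uplink_kbps


if __name__ == "__main__":
    # A 24-port floor switch limited to 5 Mbps per port (constructed port list).
    print(port_limit_config([f"Ethernet 0/{n}" for n in range(1, 25)], 5000))
    print(f"oversubscription: {oversubscription(1000, 5000, 1_000_000):.1f}x")
```

Run the script to print the command block for a 24-port switch; feed the output to the switch by hand or through a scripted console session. The oversubscription figure is the reason the per-port limit alone does not guarantee the uplink stays uncongested.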

In a large LAN with many computers, limiting traffic on every port of every ordinary floor switch is not practical: the workload is heavy, it hurts management efficiency, and restoring a port to its normal state later is also troublesome. In that case, limit the traffic on the core switch's uplink (cascade) port to each floor switch instead, so that no floor network can hit the core switch with a flood of traffic.
