Network management is required! Understanding switch control port traffic

It is very important for the network administrator to learn how to control the port traffic of a vswitch. It can effectively control the traffic and ensure the stability of our network. The vswitch is an important connection "Hub" in the LAN ", once an accident occurs, all the computers connected to the vswitch will suffer. Otherwise, the Internet will be slow. Otherwise, the Internet will be disconnected, therefore, it is critical to select a vswitch with superior performance and superior quality to form some important networks.

However, no matter how high the performance, no matter how high the quality of the switch, if not properly managed, maintenance, then its working status is easy to appear unexpected. This is not the case. The following network fault occurs because the network administrator does not limit the traffic of the switch control port on the switch port, which causes the switch to be overwhelmed by the traffic of the large switch control port ".

In the end, a large area of network disconnection occurs for Internet users. To prevent this fault from happening again, the network administrator decides to control the Internet port and limit the data transmission speed of the computer, make sure that the switch is not frequently impacted by large data volumes "!

The switch is "killed"

A building has around 1000 computers accessing the Internet. To facilitate control and management of these computers, they are connected to several common L2 switches, all L2 switches are connected to the routing switch of the building data center through multi-mode optical fiber lines. The routing switch is directly connected to the Internet through a MB broadband optical fiber line shared by the local telecommunications department.

All computers are divided into different virtual working subnets according to their different units. Each virtual working subnet is independent of each other, and computers in each subnet cannot access each other, in this way, network viruses, broadcast storms, and other abnormal phenomena can be avoided, and the network stability of the entire building can be prevented. When the building network was just getting started, the network administrator tested the network in different virtual work subnets and found that each computer had a fast Internet access speed, in addition, Internet users are also satisfied with the network transmission speed of the building. Every day, almost no faulty phone calls come to "harass" network administrators.

However, with the passage of time, the network administrator began to receive more faulty calls, and some said that their computer had a faster speed than before, some people say that their computers are suddenly slow to access the Internet, and some say that their computers are often unable to access the Internet stably until a large area of the floor fails to access the Internet one day, this makes the network administrator aware of the severity of the problem.

Based on the networking information, he immediately finds the IP address of the switch that cannot be used on the Internet floor, and attempts to remotely log on to the background System of the target switch to view the status information of each switch port, he found that the remote login operation failed. Later, the network administrator rushed to the faulty Switch site, connected through the Console cable, and directly logged on to the switch's background system using the Super Terminal Program.

Then enter the cascade port configuration mode of the switch connected to the building route switch, and use the "display interface" command in this mode to view the status information of the cascade port, it is found that the traffic of the input/output switch controlling port of this port is extremely large, especially the traffic of the input packet switch controlling port in the last 30 seconds is obviously abnormal.

According to the same operation method, the network administrator checks the status information of other common switching ports, and finds that some switch port inputs and outputs control port traffic properly, some Input and Output switches control port traffic is also relatively large. Under normal circumstances, the traffic of the input packet control port of the normal switch port should not exceed 500 packets per second.

However, under the faulty switch, the network administrator found that the traffic of the input data switch control port under many common switch ports exceeded 1000 packets per second, which is obviously abnormal, so why is the traffic on the ports controlled by these switches so large? At first, the network administrator suspected that the faulty switch had a network loop. However, after enabling the loop control test function of the faulty switch, no network loop exists.

Therefore, the Network Administrator estimates that the traffic of these large vswitches to control ports may be caused by malicious downloads by Internet users under the faulty vswitch. When the "display cpu" command is executed in the background System of the faulty switch, the network administrator finds that the CPU resources of the switch system have been consumed more than 90%, under normal circumstances, the CPU resource consumption rate of the switch system should be above 50%. It seems that the faulty switch has been overwhelmed by the switch control port traffic of Internet users, as a result, all users connected to the vswitch cannot access the Internet normally.

Feasible solutions to faults

From the fault description above, the reason why users on the floor cannot access the Internet in a large area is obviously caused by the uncontrolled consumption of valuable bandwidth resources by online users. To prevent a switch from being overwhelmed by the packets that control the port traffic of the switch, there are usually two solutions available. One solution is to increase the outbound bandwidth for accessing the Internet, allow Internet users to continue to ride freely on the "high-speed" Road. Another solution is to keep the bandwidth at the Internet egress unchanged and try to limit the traffic on each user's Internet access switch to control the port traffic, make sure they do not overoccupy the Internet egress bandwidth resources. Considering the current lease of Internet lines, fees are charged based on different outbound bandwidth sizes. The larger the outbound bandwidth, the higher the rental cost of Internet lines, obviously, by simply expanding the bandwidth of the Internet egress to avoid switch congestion, you need to pay a high network operation cost.

In addition, even if this solution is used, the switch may still be "killed" by large data packets. After consideration, the Network Administrator intends to restrict the access switch of Internet users from controlling the port traffic from the network optimization settings, it is prohibited to use bandwidth resources when downloading BT videos or enjoying large-capacity multimedia videos online. Because there are also many ways to restrict the traffic on the Internet switch to control the port traffic, for example, using some professional speed limiting tools, we can restrict the computer's Internet access to the switch to control the port traffic for a certain IP address, you can also use the proxy server to transfer traffic to the vswitch to prevent Internet users from consuming Internet bandwidth resources at will.

However, these methods have obvious shortcomings. For example, when the proxy server is used to control the Internet traffic, the access speed of the Internet users is subject to the performance of the proxy server, in addition, when the proxy server processes many tasks at the same time, it is prone to paralysis. When professional tools are used to limit Internet traffic, if the IP address of the computer keeps changing, in this case, the traffic limit will not be good.

Finally, after careful analysis and consideration, the network administrator decides to use the network management function provided by the floor switch to limit the access speed of each Internet exchange port. No matter how the IP address of the Internet computer changes in the future, as long as they are connected to the switch port configured with a speed limit, the traffic on the control port of their Internet access switch is controlled within a specified range, as a result, the probability of the switch being impacted by large-volume data packets is greatly reduced.

Obviously, this solution does not require additional Internet access costs, and does not require additional equipment, making it unnecessary to adjust the existing network structure of the building network, therefore, this method of limiting the port traffic of a switch can not only ensure that the switch is not vulnerable to the "impact" of large-capacity data information, but also ensure stable operation of the building network. Of course, this solution is only applicable to small-and medium-sized networks and networks with relatively single online applications!