In our company the server that provides external services is very important. But our employees also consume a lot of traffic, so the server may not be able to get enough bandwidth and its external services suffer badly. We therefore need to limit the employees' Internet bandwidth so that the server keeps the bandwidth it needs for external users.
Network devices and network structure:
The ISP provides a leased fiber line with 4 Mbps of bandwidth (in practice a little under 5 Mbps, around 4.8, depending on how the units are converted). The ISP-side gateway is 1.1.1.1, and the fiber terminates in an optical modem. The modem connects to a Linux PC with two NICs (a low-end box with a 2.1 GHz CPU and 512 MB of memory) configured as an iptables bridging firewall. As I said earlier, a bridging firewall needs no IP address of its own: as a rule it cannot be targeted directly from the Internet, and if it ever fails you just unplug the cable and connect the modem directly to the switch to bring the network back. The PC connects to a switch that serves several servers: the video server 1.1.1.60 that provides the external service, the NAT server 1.1.1.56 that gives employees Internet access, the company mail server 1.1.1.57, and the test and monitoring server 1.1.1.58.
About tc (Traffic Control):
tc has been built into the Linux kernel for a long time and is a service the Linux system provides itself. It is used mainly for traffic shaping (bandwidth control) and scheduling (a way to stop individual users from hogging the bandwidth, so that everyone gets an equal chance at Internet access). It works by controlling the packets a NIC sends out. (Note that this happens at the network-device level and has little to do with any particular protocol, so it can be used whether or not the machine has an IP address, which is why it works on our bridge.) For details, see the Linux Advanced Routing and Traffic Control HOWTO I posted earlier.
On a recent Linux system, run the command
ip link show
and you will see something like this:
1: lo: <LOOPBACK,UP,10000> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:ab:cd:ef:50:51 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:ab:cd:ef:50:52 brd ff:ff:ff:ff:ff:ff
This command shows the network devices. You can see that the default qdisc is pfifo_fast, a classless queue that the kernel runs entirely on its own; we cannot steer traffic inside it. It is essentially first in, first out (apart from three priority bands chosen from the TOS field): packets are sent as soon as the NIC can take them, with almost no processing.
HTB is a classful tc qdisc (as opposed to the classless ones). The best-known classful qdisc is actually CBQ, but CBQ is complicated and hard to get accurate. After struggling with it I read this in the manual: "You have a fixed-rate link and want to split it for a variety of purposes, give each purpose a bandwidth guarantee, and specify how much bandwidth may be borrowed." That was exactly what I needed, so I chose HTB.
I find the concept hard to explain any better than the manual does, so I will simply paste the script and go through it in detail. Check the manual for anything that is unclear.
Here is tcstart.sh first:
#!/bin/sh
# eth0 is the PCI card, eth1 is the integrated card! Note this!!
# Configure for eth0 (faces the ISP: shapes upload, so match the source address)
tc qdisc add dev eth0 root handle 1: htb default 30
tc class add dev eth0 parent 1: classid 1:1 htb rate 6mbit burst 15k
tc class add dev eth0 parent 1:1 classid 1:10 htb rate 2mbit ceil 3mbit burst 15k
tc class add dev eth0 parent 1:1 classid 1:20 htb rate 1mbit ceil 2mbit burst 15k
tc class add dev eth0 parent 1:1 classid 1:30 htb rate 500kbit ceil 1mbit burst 15k
tc qdisc add dev eth0 parent 1:10 handle 10: sfq perturb 10
tc qdisc add dev eth0 parent 1:20 handle 20: sfq perturb 10
tc qdisc add dev eth0 parent 1:30 handle 30: sfq perturb 10
tc filter add dev eth0 protocol ip parent 1: prio 10 u32 match ip src 1.1.1.60/32 flowid 1:10
tc filter add dev eth0 protocol ip parent 1: prio 20 u32 match ip src 1.1.1.56/32 flowid 1:20
tc filter add dev eth0 protocol ip parent 1: prio 30 u32 match ip src 1.1.1.0/26 flowid 1:30
# Configure for eth1 (faces the switch: shapes download, so match the destination address)
tc qdisc add dev eth1 root handle 1: htb default 30
tc class add dev eth1 parent 1: classid 1:1 htb rate 6mbit burst 15k
tc class add dev eth1 parent 1:1 classid 1:10 htb rate 2mbit ceil 3mbit burst 15k
tc class add dev eth1 parent 1:1 classid 1:20 htb rate 1mbit ceil 2mbit burst 15k
tc class add dev eth1 parent 1:1 classid 1:30 htb rate 500kbit ceil 1mbit burst 15k
tc qdisc add dev eth1 parent 1:10 handle 10: sfq perturb 10
tc qdisc add dev eth1 parent 1:20 handle 20: sfq perturb 10
tc qdisc add dev eth1 parent 1:30 handle 30: sfq perturb 10
tc filter add dev eth1 protocol ip parent 1: prio 10 u32 match ip dst 1.1.1.60/32 flowid 1:10
tc filter add dev eth1 protocol ip parent 1: prio 20 u32 match ip dst 1.1.1.56/32 flowid 1:20
tc filter add dev eth1 protocol ip parent 1: prio 30 u32 match ip dst 1.1.1.0/26 flowid 1:30
Explanation: because tc can only shape the packets a NIC sends, the limit has to be applied on both NICs, one for each direction. The filters on eth0 match the source address (traffic from our servers going out to the ISP), while the filters on eth1 match the destination address (traffic coming in from the ISP toward the LAN); this is why eth0 must be the NIC facing the optical modem and eth1 the one facing the switch. Compare the two rule sets carefully. Let's start with these five lines:
tc qdisc add dev eth0 root handle 1: htb default 30
tc class add dev eth0 parent 1: classid 1:1 htb rate 6mbit burst 15k
tc class add dev eth0 parent 1:1 classid 1:10 htb rate 2mbit ceil 3mbit burst 15k
tc class add dev eth0 parent 1:1 classid 1:20 htb rate 1mbit ceil 2mbit burst 15k
tc class add dev eth0 parent 1:1 classid 1:30 htb rate 500kbit ceil 1mbit burst 15k
1. First, attach an HTB root qdisc with handle 1: to the network adapter eth0. Under HTB's classful rules, packets that match no filter go to the default class 1:30 (default 30). 2. Then allocate the bandwidth to the root class 1:1 under 1: (1: can also be written 1:0): a rate of 6 Mbit/s and a burst of 15 kB, the amount that may be sent at full speed before the rate limit takes effect. Note that 6 Mbit/s is above the roughly 4.8 Mbps the line actually carries; if the root rate is higher than the real link rate, the queue builds up in the optical modem instead of in HTB and the guarantees below no longer hold, so in practice set the root rate slightly below the measured link rate. 3. Create a child class 1:10 with a guaranteed rate of 2 Mbit/s and a ceiling of 3 Mbit/s (it may borrow up to 1 Mbit/s more when the parent has bandwidth to spare). 4. Create a child class 1:20 with 1 Mbit/s guaranteed, a ceiling of 2 Mbit/s and a burst of 15 kB. 5. The same again for 1:30, with 500 kbit/s guaranteed and a ceiling of 1 Mbit/s; this is the default class that step 1 sends unmatched traffic to. The units matter: tc's "mbit" and "kbit" are bits per second, while the burst "15k" is 15 kilobytes.
Now this section:
tc qdisc add dev eth1 parent 1:10 handle 10: sfq perturb 10
tc qdisc add dev eth1 parent 1:20 handle 20: sfq perturb 10
tc qdisc add dev eth1 parent 1:30 handle 30: sfq perturb 10
The purpose here is scheduling: making sure that no single transfer takes too much of its class's bandwidth. Each class gets an SFQ (Stochastic Fairness Queueing) qdisc, handles 10:, 20: and 30:. SFQ hashes packets into flows by connection and serves the flows round-robin, and "perturb 10" re-seeds that hash every 10 seconds so that two connections that happen to land in the same bucket do not stay stuck together. The effect is that no one connection can, through some quirk of the algorithm, keep sending faster than the others.
In the last section we add the filters, which tell the kernel which packets are queued into which class.
tc filter add dev eth1 protocol ip parent 1: prio 10 u32 match ip dst 1.1.1.60/32 flowid 1:10
tc filter add dev eth1 protocol ip parent 1: prio 20 u32 match ip dst 1.1.1.56/32 flowid 1:20
tc filter add dev eth1 protocol ip parent 1: prio 30 u32 match ip dst 1.1.1.0/26 flowid 1:30
The first line adds a filter to eth1 for the IP protocol, attached at the root node 1: with priority 10, using the u32 classifier to match a destination address of 1.1.1.60/32 (a single host). A packet that matches is placed in class 1:10, which guarantees 2 Mbit/s and may borrow up to 1 Mbit/s more when the parent has bandwidth to spare. Filters with a lower prio number are checked first, and that ordering is what makes this work: 1.1.1.0/26 covers 1.1.1.0 through 1.1.1.63, so it also contains 1.1.1.60 and 1.1.1.56, and the two host rules must come before the network rule or everything would fall into 1:30.
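The same three-class tree, the SFQ leaves and the filters from the walkthrough above, consolidated into one script. This is an added example, not the original tcstart.sh: both bridge ports are built from one class table so the upload side (eth0, match src) and download side (eth1, match dst) cannot drift apart, and the guaranteed rates are checked against the root rate before anything is sent to the kernel, because HTB cannot honour child rates that add up to more than their parent. Things that are assumptions and not on the page: the WAN_IF/LAN_IF variables, the TC=echo dry-run switch, and the root rate LINK_KBIT, which defaults to 4500 kbit/s (a little under the ~4.8 Mbps the line was measured at) instead of the 6mbit used in the original.

```shell
#!/bin/sh
# tc-htb.sh: added example (not the original tcstart.sh) that builds the
# three-class HTB tree on both bridge ports from one table and checks the plan.
# Assumptions not taken from the page: WAN_IF/LAN_IF, TC=echo dry run, LINK_KBIT.

TC="${TC:-tc}"                 # set TC=echo to print the commands instead of running them
WAN_IF="${WAN_IF:-eth0}"       # NIC facing the optical modem: shapes upload, match src
LAN_IF="${LAN_IF:-eth1}"       # NIC facing the switch: shapes download, match dst
LINK_KBIT="${LINK_KBIT:-4500}" # root class rate; keep it below what the ISP link really carries

# One line per class: minor id, guaranteed kbit/s, ceiling kbit/s, address to match.
# The minor id doubles as the filter prio, so the /32 host rules are checked
# before the /26 catch-all that also contains those hosts.
CLASSES='
10 2000 3000 1.1.1.60/32
20 1000 2000 1.1.1.56/32
30  500 1000 1.1.1.0/26
'

# sum_rates: total guaranteed rate of all child classes, in kbit/s
sum_rates() {
    total=0
    while read -r id rate ceil net; do
        [ -z "$id" ] && continue
        total=$((total + rate))
    done <<EOF
$CLASSES
EOF
    echo "$total"
}

# check_plan <root_kbit>: succeeds only if the guarantees fit inside the root class
check_plan() {
    [ "$(sum_rates)" -le "$1" ]
}

# build_htb <dev> <src|dst>: replace the egress qdisc on <dev> with the HTB tree
build_htb() {
    dev=$1; dir=$2
    check_plan "$LINK_KBIT" || { echo "class rates exceed root rate $LINK_KBIT kbit" >&2; return 1; }
    $TC qdisc del dev "$dev" root 2>/dev/null || true   # drop any old tree; none is fine
    $TC qdisc add dev "$dev" root handle 1: htb default 30
    $TC class add dev "$dev" parent 1: classid 1:1 htb rate "${LINK_KBIT}kbit" burst 15k
    while read -r id rate ceil net; do
        [ -z "$id" ] && continue
        $TC class add dev "$dev" parent 1:1 classid "1:$id" htb \
            rate "${rate}kbit" ceil "${ceil}kbit" burst 15k
        $TC qdisc add dev "$dev" parent "1:$id" handle "$id:" sfq perturb 10
        $TC filter add dev "$dev" protocol ip parent 1: prio "$id" u32 \
            match ip "$dir" "$net" flowid "1:$id"
    done <<EOF
$CLASSES
EOF
}

# teardown <dev>: deleting the root qdisc removes every class and filter under it
teardown() {
    $TC qdisc del dev "$1" root
}

case "${1:-}" in
    start) build_htb "$WAN_IF" src && build_htb "$LAN_IF" dst ;;
    stop)  teardown "$WAN_IF"; teardown "$LAN_IF" ;;
    show)  for d in "$WAN_IF" "$LAN_IF"; do $TC -s class show dev "$d"; done ;;
    "")    : ;;   # no argument: only define the functions, so the file can be sourced
    *)     echo "usage: $0 start|stop|show" >&2; exit 1 ;;
esac
```

Run `TC=echo sh tc-htb.sh start` first to see exactly which tc commands would be issued, then `sh tc-htb.sh start` as root. `sh tc-htb.sh show` prints the per-class counters; generate some traffic from 1.1.1.60 and confirm that the "Sent" bytes grow under class 1:10 on both interfaces and not under 1:30, which is the quickest way to catch a filter that matches the wrong direction or the wrong address.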
tc is a bit complicated, and I cannot explain all of it clearly (there is still a lot I have to understand myself). Please contact me if you have specific questions.