What should I do if a broadcast storm occurs on the LAN? How do I stop it?

When a LAN is slow, the usual causes are:

  1. ARP spoofing on the intranet.

  2. Virus or worm activity on the intranet (scanning or flooding hosts).

  3. Switch or router hardware failure.

  4. Poor cable contact or aged cabling.

  5. Broadcast storms and network loops.

Even for an experienced network administrator, narrowing these down means combining commands such as ping, arp and tracert, and sometimes capturing traffic with a packet capture tool for analysis. To simplify this work, our WFilter software (the WSG gateway) includes a very practical plug-in, "Network Health Detection", which checks for all of the above problems with one click, as shown below:

[Figure: the Network Health Detection plug-in]

Detection only locates the fault, though; resolving it still requires manual work. In this article I briefly cover the solution for a "broadcast storm".

1. Broadcast storm detection and troubleshooting

First, a broadcast storm has two possible origins:

  1. Unreasonable network division. For example, many clients share one network segment. Because ARP requests and DHCP discovery are sent as broadcast frames, every host on the segment has to receive and process every one of them, and on a large enough segment the background broadcast traffic alone behaves like a storm.

  2. A loop. Two switch ports connected in a ring, or a cable plugged back into the same switch, with no spanning tree to block it: an Ethernet frame carries no TTL, so every broadcast frame is re-flooded around the loop indefinitely and the traffic grows until the links are saturated.

Of the two, the loop is the malignant case and the administrator must eliminate it immediately; a storm caused by network segment division is relatively benign and generally has less impact on the network.

WFilter's network health detection plug-in works by sending N broadcast packets while monitoring the segment at the same time. If the number of broadcast packets it observes is greater than 2N, it raises a broadcast storm alarm, as shown below:

[Figure: broadcast storm alarm in the Network Health Detection plug-in]

Hover the mouse over the "Broadcast storm and loop detection" icon to see the actual values (N broadcast packets sent, M detected), and judge from those numbers. The figure above is a typical loop: the detected broadcast packets far outnumber the ones actually sent, and intranet connectivity is also poor.

If the detected count is only slightly larger than the sent count, the storm comes from the network segment division (a broadcast domain that is too large) rather than from a loop.
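The M > 2N rule above, as an added example in Python (this is not WFilter's code). It applies the rule to a constructed capture and goes one step further than the text: because a looped frame comes back byte-for-byte identical, the share of exact-duplicate broadcast frames separates a loop from a merely oversized segment, where the extra broadcasts are distinct ARP/DHCP frames from different hosts. The MAC addresses and frames are made up for the example.

```python
"""Broadcast-storm probe classifier (added example, not WFilter/WSG code).

Reproduces the check described above: send N broadcast probes, count the M
broadcast frames seen on the segment in the same window, and alarm when
M > 2*N.  It adds one check the text only implies: an Ethernet frame has no
TTL, so in a loop the *same* frame keeps coming back and most observed
broadcasts are exact duplicates, whereas a loop-free but oversized segment
shows many distinct ARP/DHCP frames from different hosts.  All frames below
are constructed sample data; the MAC addresses are made up.
"""
from collections import Counter
from dataclasses import dataclass

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
PROBE_SRC = "02:00:00:00:00:01"      # assumed MAC of the probing host


@dataclass(frozen=True)
class Frame:
    """Minimal Ethernet frame; frozen so identical frames compare and hash equal."""
    src: str
    dst: str
    ethertype: int
    payload: bytes


def count_broadcasts(frames):
    """M: number of frames addressed to the broadcast MAC."""
    return sum(1 for f in frames if f.dst == BROADCAST_MAC)


def duplicate_share(frames):
    """Fraction of broadcast frames that are exact copies of an earlier frame."""
    bcast = [f for f in frames if f.dst == BROADCAST_MAC]
    if not bcast:
        return 0.0
    counts = Counter(bcast)
    duplicates = sum(c - 1 for c in counts.values())
    return duplicates / len(bcast)


def classify(n_sent, frames, loop_dup_share=0.5):
    """Apply the M > 2N rule, then split a storm into loop vs. big segment."""
    m = count_broadcasts(frames)
    if m <= 2 * n_sent:
        return "normal"
    if duplicate_share(frames) >= loop_dup_share:
        return "loop"
    return "large broadcast domain"


# --- constructed captures ---------------------------------------------------

def probes(n):
    """The N ARP-style broadcast probes the detector itself sends."""
    return [Frame(PROBE_SRC, BROADCAST_MAC, 0x0806, b"who-has 10.0.0.%d" % i)
            for i in range(n)]


def loop_capture(n, copies):
    """Looped segment: every probe is re-flooded 'copies' times, unchanged."""
    return [f for f in probes(n) for _ in range(copies)]


def busy_segment_capture(n, other_hosts):
    """No loop, but 'other_hosts' other machines each send one ARP request."""
    frames = probes(n)
    for i in range(other_hosts):
        frames.append(Frame("02:00:00:00:10:%02x" % i, BROADCAST_MAC, 0x0806,
                            b"who-has 10.0.0.1 from host %d" % i))
    return frames


if __name__ == "__main__":
    n = 10
    for name, cap in [("loop", loop_capture(n, 20)),
                      ("busy segment", busy_segment_capture(n, 25)),
                      ("quiet segment", busy_segment_capture(n, 5))]:
        print("%-13s sent=%d seen=%d dup=%.2f -> %s" % (
            name, n, count_broadcasts(cap), duplicate_share(cap),
            classify(n, cap)))
```

On a real capture the duplicate check applies to every broadcast frame, not only the probes: in a loop other hosts' ARP and DHCP frames circulate as well, so the duplicate share stays high even while the probe count is small. The 0.5 threshold is an illustrative choice.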

2. What should I do if a network loop is found?

Once a loop is detected, check the switch port LEDs immediately, unplug the cable from the port whose LED is flashing continuously, and run the detection again. Repeat until the looped port is found; this part can only be done by hand. On managed switches, enabling spanning tree (STP/RSTP) or loop protection on access ports keeps an accidental loop from turning into a storm in the first place.

3. How to divide VLANs reasonably to avoid broadcast storms?

  1. Broadcast frames do not cross a Layer 3 boundary, so each VLAN is its own broadcast domain, and VLANs are the usual way to contain broadcast storms. The general recommendation is one VLAN per /24 (class C) subnet, that is, at most 254 hosts.

  2. VLANs can be configured on a Layer 3 switch, or on the gateway/firewall device.

Taking the WSG Internet Behavior Management Gateway as an example, you can assign a different subnet to each interface. The steps are as follows:

[Figure: WSG interface and subnet configuration, step 1]

[Figure: WSG interface and subnet configuration, step 2]

As shown above, we bind an internal-network interface to its own network segment and configure an IP address and DHCP service on it. After that, a Layer 2 switch connected to this interface forms a separate network segment. Other devices work the same way; refer to their own help documents for the exact procedure.
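The "one VLAN, one /24" layout above, as an added example in Python (this is not WSG code): it carves one /24 per VLAN out of a private supernet, derives the per-interface settings the text describes (interface IP used as gateway, DHCP pool), and checks a plan for the mistakes that bring a large broadcast domain back. The supernet, VLAN ids and reserved static range are illustrative choices, not WSG defaults.

```python
"""VLAN / subnet plan checker (added example, not WSG code).

Lays out one /24 per VLAN from a private supernet, derives the per-interface
settings (gateway address, DHCP pool), and flags the mistakes that reintroduce
a big broadcast domain: overlapping subnets, a segment larger than a /24, and
a DHCP pool outside its subnet or covering the gateway.  Supernet, VLAN ids
and the 'reserved' static range are illustrative choices, not WSG defaults.
"""
import ipaddress

MAX_HOSTS_PER_SEGMENT = 254          # usable hosts in a /24


def plan_vlans(supernet, vlan_ids, reserved=20):
    """Carve one /24 per VLAN id out of supernet, in order.

    Gateway is the first host address; the DHCP pool starts after 'reserved'
    static addresses (printers, servers) and ends at the last host address.
    """
    net = ipaddress.ip_network(supernet)
    subnets = list(net.subnets(new_prefix=24))
    if len(vlan_ids) > len(subnets):
        raise ValueError("%s holds only %d /24s, need %d"
                         % (net, len(subnets), len(vlan_ids)))
    plan = {}
    for vid, sub in zip(vlan_ids, subnets):
        hosts = list(sub.hosts())
        plan[vid] = {
            "subnet": str(sub),
            "gateway": str(hosts[0]),
            "dhcp_start": str(hosts[reserved]),
            "dhcp_end": str(hosts[-1]),
        }
    return plan


def check_plan(plan):
    """Return a list of problems (an empty list means the plan is sound)."""
    problems = []
    nets = {vid: ipaddress.ip_network(e["subnet"]) for vid, e in plan.items()}
    ids = list(nets)
    for i, a in enumerate(ids):                      # pairwise overlap check
        for b in ids[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append("VLAN %s and VLAN %s overlap (%s, %s)"
                                % (a, b, nets[a], nets[b]))
    for vid, entry in plan.items():
        net = nets[vid]
        usable = net.num_addresses - 2
        if usable > MAX_HOSTS_PER_SEGMENT:
            problems.append("VLAN %s: %d hosts in one broadcast domain, "
                            "split it into /24s" % (vid, usable))
        gw = ipaddress.ip_address(entry["gateway"])
        start = ipaddress.ip_address(entry["dhcp_start"])
        end = ipaddress.ip_address(entry["dhcp_end"])
        if start not in net or end not in net or start > end:
            problems.append("VLAN %s: DHCP pool %s-%s is not inside %s"
                            % (vid, start, end, net))
        elif start <= gw <= end:
            problems.append("VLAN %s: DHCP pool %s-%s covers the gateway %s"
                            % (vid, start, end, gw))
    return problems


# The shape the text warns against (constructed): one flat /23 for everybody
# with DHCP handing out the gateway address, and a second VLAN whose
# addresses fall inside the first.
BAD_PLAN = {
    1: {"subnet": "10.0.0.0/23", "gateway": "10.0.0.1",
        "dhcp_start": "10.0.0.1", "dhcp_end": "10.0.1.254"},
    2: {"subnet": "10.0.1.0/24", "gateway": "10.0.1.1",
        "dhcp_start": "10.0.1.21", "dhcp_end": "10.0.1.254"},
}

if __name__ == "__main__":
    good = plan_vlans("10.10.0.0/22", [10, 20, 30])
    for vid, e in good.items():
        print("VLAN %d: %s gw %s dhcp %s-%s" % (
            vid, e["subnet"], e["gateway"], e["dhcp_start"], e["dhcp_end"]))
    print("good plan problems:", check_plan(good))
    print("bad plan problems:")
    for p in check_plan(BAD_PLAN):
        print("  -", p)
```

Each entry of the returned plan maps directly onto the per-interface fields set in the gateway screenshots above (interface IP, DHCP start and end); the checker is what to run before committing the plan, whatever device ends up doing the routing.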

