V2EX = way to explore
V2EX 是一个关于分享和探索的地方
现在注册
已注册用户请  登录
ericbize
V2EX  ›  宽带症候群

想请教一下,三层交换机的转发速率。

  •  
  •   ericbize · 2019-06-26 20:42:39 +08:00 · 4090 次点击
    这是一个创建于 1976 天前的主题,其中的信息可能已经有所发展或是发生改变。
    公司机房的核心交换机 似乎负载很高,但是我还没开始搭建环境测试, 现在想先请教一下 有大佬知道 三层交换机 在 二层交换 和三层交换性能差多少(刚才已经致电了华为售后,售后告知 二层转发速率和三层转发速率不一样,但是差多少要问售前拿资料)
    24 条回复    2019-08-01 18:13:39 +08:00
    trepwq
        1
    trepwq  
       2019-06-26 21:27:14 +08:00 via iPhone   ❤️ 1
    二层一般都是满速,三层惨不忍睹
    ericbize
        2
    ericbize  
    OP
       2019-06-26 22:04:28 +08:00
    @trepwq 就是很卡,但是没有什么证据,明天看看 华为 售前有没有数据; 准备自己 测了,这种东西,估计别人不好意思拿出来。
    CallMeReznov
        3
    CallMeReznov  
       2019-06-26 23:02:57 +08:00   ❤️ 1
    三层和二层是两个指标的
    我个人遇到的实际 CPU 负载在 70%的时候已经很饱和的在工作了,出现各种问题也很正常
    你看一下 CPU 负载,在看一下出口负载.
    ixiaoyui
        4
    ixiaoyui  
       2019-06-27 08:53:57 +08:00   ❤️ 1
    核心交换机三层不是线速吗???线速都达不到的设备拿来放核心层???
    ericbize
        5
    ericbize  
    OP
       2019-06-27 09:19:24 +08:00
    @ixiaoyui N 年前, 公司在机房只有两三个柜, 现在 加到了 9 个,换交换机 有风险
    huangmiao233
        6
    huangmiao233  
       2019-06-27 17:20:45 +08:00 via Android   ❤️ 1
    什么型号呀,我帮你看看文档,版本发下?
    intoext
        7
    intoext  
       2019-06-27 18:59:14 +08:00   ❤️ 1
    别开玩笑了,10 年前的三层交换机,L2/L3 都是线速转发了。
    如果是负载重,除非你们让交换机承担了很多访问控制的功能
    Tianao
        8
    Tianao  
       2019-06-27 19:02:35 +08:00 via iPhone   ❤️ 2
    @intoext #7 +1,或者拓扑变化、网络震荡导致动态路由之类的进程负载太重了。
    ericbize
        9
    ericbize  
    OP
       2019-06-27 20:33:40 +08:00
    @helijia21 S5700-52C-EI 做了堆叠
    ericbize
        10
    ericbize  
    OP
       2019-06-27 20:38:44 +08:00
    @intoext 没有设置 acl
    @Tianao 没有动态路由, 路由表立都是 直连 和 静态

    表现 就是 本地 ping 1.5ms ~ 2ms,然后 ssh 上去 很慢,找不到原因。
    其次是
    ericbize
        11
    ericbize  
    OP
       2019-06-27 20:39:39 +08:00
    @CallMeReznov cpu 负载 30% 左右,
    ericbize
        12
    ericbize  
    OP
       2019-06-27 20:42:46 +08:00
    @Tianao
    CIST topology change information
    Number of topology changes :921
    Time since last topology change :15 days 3h:39m:32s
    Topology change initiator(notified) :GigabitEthernet0/0/1
    Topology change last received from :0425-c529-60b0
    Number of generated topologychange traps : 80
    Number of suppressed topologychange traps: 4


    似乎也没有 网络震荡
    Tianao
        13
    Tianao  
       2019-06-27 20:53:53 +08:00 via iPhone
    @ericbize 这个情况看起来有点玄学问题,建议先无脑刷一波版本,5700-EI 作核心大部分场景下完全 OK 啊。确定这个延迟不是接入层带来的吗?或者如果方便楼主贴下配置?
    ericbize
        14
    ericbize  
    OP
       2019-06-28 15:31:19 +08:00
    @Tianao

    #
    interface Vlanif1
    #
    interface Vlanif19
    ip address 172.31.99.254 255.255.255.0
    #
    interface Vlanif20
    ip address 172.31.100.248 255.255.255.0
    #
    interface Vlanif21
    ip address 172.31.101.254 255.255.255.0
    #
    interface Vlanif308
    ip address 172.18.1.254 255.255.255.0
    #
    interface Vlanif3700
    ip address 172.18.2.225 255.255.255.224
    #
    interface MEth0/0/1
    ip address 10.1.1.1 255.255.255.0
    #
    interface Eth-Trunk4
    #
    interface Eth-Trunk5
    description to_emmm-emmm-002
    port link-type trunk
    port trunk allow-pass vlan 2 to 4094
    #
    interface Eth-Trunk6
    description to_emmm_emmm_058
    port link-type trunk
    port trunk allow-pass vlan 2 to 4094
    #
    interface Eth-Trunk7
    description to_emmm_emmm_017
    port link-type trunk
    port trunk allow-pass vlan 2 to 4094
    #
    interface Eth-Trunk8
    description to_emmm_emmm_030
    port link-type trunk
    port trunk allow-pass vlan 2 to 4094
    #
    interface Eth-Trunk9
    description to_emmm_emmm_037
    port link-type trunk
    port trunk allow-pass vlan 2 to 4094
    #
    interface Eth-Trunk10
    description to_emmm_emmm_080
    port link-type trunk
    port trunk allow-pass vlan 2 to 4094
    #
    interface Eth-Trunk11
    description to_emmm_emmm_081
    port link-type trunk
    port trunk allow-pass vlan 2 to 4094
    #
    interface Eth-Trunk12
    description to_emmm_emmm_082
    port link-type trunk
    port trunk allow-pass vlan 2 to 4094
    #
    interface GigabitEthernet0/0/1
    port link-type trunk
    port trunk allow-pass vlan 19 308
    #
    interface GigabitEthernet0/0/2
    port link-type access
    port default vlan 3700
    port-mirroring to observe-port 1 inbound
    port-mirroring to observe-port 1 outbound
    #
    interface GigabitEthernet0/0/3
    eth-trunk 7
    #
    interface GigabitEthernet0/0/4
    eth-trunk 8
    #
    interface GigabitEthernet0/0/5
    eth-trunk 9
    #
    interface GigabitEthernet0/0/6
    eth-trunk 10
    #
    interface GigabitEthernet0/0/7
    eth-trunk 11
    #
    interface GigabitEthernet0/0/8
    eth-trunk 12
    #
    interface GigabitEthernet0/0/9
    #
    interface GigabitEthernet0/0/10
    shutdown
    #
    interface GigabitEthernet0/0/11
    #
    interface GigabitEthernet0/0/12
    #
    interface GigabitEthernet0/0/13
    #
    interface GigabitEthernet0/0/14
    description toFTFW
    port link-type trunk
    port trunk allow-pass vlan 2 to 4094
    #
    interface GigabitEthernet0/0/15
    #
    interface GigabitEthernet0/0/16
    description toShiJinFW(89)
    port link-type access
    port default vlan 3700
    #
    interface GigabitEthernet0/0/17
    #
    interface GigabitEthernet0/0/18
    #
    interface GigabitEthernet0/0/19
    #
    interface GigabitEthernet0/0/20
    port link-type trunk
    port trunk allow-pass vlan 2 to 4094
    #
    interface GigabitEthernet0/0/21
    #
    interface GigabitEthernet0/0/22
    #
    interface GigabitEthernet0/0/23
    #
    interface GigabitEthernet0/0/24
    #
    interface GigabitEthernet0/0/25
    #
    interface GigabitEthernet0/0/26
    #
    interface GigabitEthernet0/0/27
    #
    interface GigabitEthernet0/0/28
    #
    interface GigabitEthernet0/0/29
    #
    interface GigabitEthernet0/0/30
    #
    interface GigabitEthernet0/0/31
    #
    interface GigabitEthernet0/0/32
    #
    interface GigabitEthernet0/0/33
    #
    interface GigabitEthernet0/0/34
    #
    ericbize
        15
    ericbize  
    OP
       2019-06-28 15:31:44 +08:00
    @Tianao


    interface GigabitEthernet0/0/35
    port link-type access
    port default vlan 308
    #
    interface GigabitEthernet0/0/36
    port link-type access
    port default vlan 308
    #
    interface GigabitEthernet0/0/37
    #
    interface GigabitEthernet0/0/38
    port link-type access
    port default vlan 308
    #
    interface GigabitEthernet0/0/39
    #
    interface GigabitEthernet0/0/40
    description toWAF
    port link-type access
    port default vlan 20
    #
    interface GigabitEthernet0/0/41
    port link-type trunk
    #
    interface GigabitEthernet0/0/42
    port link-type access
    port default vlan 20
    #
    interface GigabitEthernet0/0/43
    eth-trunk 6
    #
    interface GigabitEthernet0/0/44
    eth-trunk 5
    #
    interface GigabitEthernet0/0/45
    #
    interface GigabitEthernet0/0/46
    #
    interface GigabitEthernet0/0/47
    #
    interface GigabitEthernet0/0/48
    shutdown
    #
    interface GigabitEthernet1/0/1
    port link-type access
    port default vlan 3700
    #
    interface GigabitEthernet1/0/2
    #
    interface GigabitEthernet1/0/3
    eth-trunk 7
    #
    interface GigabitEthernet1/0/4
    eth-trunk 8
    #
    interface GigabitEthernet1/0/5
    eth-trunk 9
    #
    interface GigabitEthernet1/0/6
    eth-trunk 10
    #
    interface GigabitEthernet1/0/7
    eth-trunk 11
    #
    interface GigabitEthernet1/0/8
    eth-trunk 12
    #
    interface GigabitEthernet1/0/9
    #
    interface GigabitEthernet1/0/10
    #
    interface GigabitEthernet1/0/11
    #
    interface GigabitEthernet1/0/12
    #
    interface GigabitEthernet1/0/13
    #
    interface GigabitEthernet1/0/14
    #
    interface GigabitEthernet1/0/15
    #
    interface GigabitEthernet1/0/16
    #
    interface GigabitEthernet1/0/17
    #
    interface GigabitEthernet1/0/18
    #
    interface GigabitEthernet1/0/19
    #
    interface GigabitEthernet1/0/20
    #
    interface GigabitEthernet1/0/21
    #
    interface GigabitEthernet1/0/22
    #
    interface GigabitEthernet1/0/23
    #
    interface GigabitEthernet1/0/24
    #
    interface GigabitEthernet1/0/25
    #
    interface GigabitEthernet1/0/26
    #
    interface GigabitEthernet1/0/27
    #
    interface GigabitEthernet1/0/28
    #
    interface GigabitEthernet1/0/29
    #
    interface GigabitEthernet1/0/30
    #
    interface GigabitEthernet1/0/31
    #
    interface GigabitEthernet1/0/32
    #
    interface GigabitEthernet1/0/33
    #
    interface GigabitEthernet1/0/34
    port link-type access
    port default vlan 20
    #
    interface GigabitEthernet1/0/35
    #
    interface GigabitEthernet1/0/36
    port link-type access
    port default vlan 3700
    #
    interface GigabitEthernet1/0/37
    #
    interface GigabitEthernet1/0/38
    port default vlan 21
    #
    interface GigabitEthernet1/0/39
    #
    interface GigabitEthernet1/0/40
    #
    interface GigabitEthernet1/0/41
    port link-type trunk
    #
    interface GigabitEthernet1/0/42
    port link-type trunk
    #
    interface GigabitEthernet1/0/43
    eth-trunk 6
    #
    interface GigabitEthernet1/0/44
    eth-trunk 5
    #
    interface GigabitEthernet1/0/45
    #
    interface GigabitEthernet1/0/46
    #
    interface GigabitEthernet1/0/47
    #
    interface GigabitEthernet1/0/48
    port link-type access
    port default vlan 3700
    #
    interface NULL0
    #
    cpu-defend policy arpattcheck
    auto-defend enable
    auto-defend threshold 30
    #
    ip route-static 0.0.0.0 0.0.0.0 172.18.2.254
    ip route-static 10.230.8.0 255.255.255.0 172.18.2.250
    ip route-static 172.16.0.0 255.255.0.0 172.18.2.250
    ip route-static 172.30.1.0 255.255.255.0 172.18.2.250
    ip route-static 172.30.16.0 255.255.240.0 172.18.2.250
    ip route-static 172.30.32.0 255.255.255.0 172.18.2.250
    ip route-static 192.168.0.0 255.255.0.0 172.18.2.250
    #
    snmp-agent

    stelnet server enable
    ssh authentication-type default password
    ssh client first-time enable
    ssh client 172.18.2.227 assign rsa-key 172.18.2.227
    ssh client 172.31.100.249 assign rsa-key 172.31.100.249
    ssh client 172.31.100.250 assign rsa-key 172.31.100.250
    ssh client 172.31.100.251 assign rsa-key 172.31.100.251
    ssh client 172.31.100.66 assign rsa-key 172.31.100.66
    #
    cpu-defend-policy arpattcheck global
    #
    user-interface con 0

    user-interface vty 0 4
    authentication-mode aaa
    user privilege level 15
    protocol inbound all
    user-interface vty 16 20
    #
    return
    lirno
        16
    lirno  
       2019-06-28 17:02:08 +08:00
    我这边思科的核心也是用了挺久,发现高峰时段负荷经常跑到 70-80 以上,内网也只是个简单三层环境,赶紧升级换了新设备就降到 10-20 正常了。
    Tianao
        17
    Tianao  
       2019-06-28 17:08:47 +08:00 via iPhone
    @ericbize 看到楼主使能了 cpu auto-defend,建议楼主使用
    display cpu-defend statistics
    display auto-port-defend statistics
    display auto-port-defend attack-source
    命令查看下是否有正常报文被误伤。
    ericbize
        18
    ericbize  
    OP
       2019-06-28 19:38:50 +08:00 via iPhone
    @lirno 线上环境,不是想换就换的啊;经费是一回事;服务暂停又是另外一回事了……
    ericbize
        19
    ericbize  
    OP
       2019-06-28 21:53:25 +08:00
    >display auto-port-defend att
    Attack source table on MPU:
    Total : 1
    --------------------------------------------------------------------------------
    Interface Vlan Protocol Expire(s) PacketRate(pps) LastAttackTime
    --------------------------------------------------------------------------------
    GE1/0/44 20 arp-request 165 10 2019-06-28 21:50:25
    --------------------------------------------------------------------------------
    ericbize
        20
    ericbize  
    OP
       2019-06-28 21:54:51 +08:00
    display cpu-defend statistics
    Statistics on slot 0:
    --------------------------------------------------------------------------------
    Packet Type Pass(Packet/Byte) Drop(Packet/Byte) Last-dropping-time
    --------------------------------------------------------------------------------
    arp-miss 121981498 2179095 2019-06-28 08:05:39
    NA NA
    arp-request 307021137 1414108 2019-03-06 21:45:16
    NA NA
    dns 89275 0 -
    NA NA
    fib-hit 9409 0 -
    NA NA
    ftp 84937 19 2019-04-15 16:15:23
    NA NA
    http 107546 0 -
    NA NA
    https 225246 3127 2019-06-15 08:55:35
    NA NA
    hw-tacacs 0 0 -
    NA NA
    icmp 2936317 0 -
    NA NA
    lnp 8003840 0 -
    NA NA
    ntp 304137 0 -
    NA NA
    radius 0 0 -
    NA NA
    snmp 500256 0 -
    NA NA
    ssh 411008 0 -
    NA NA
    tcp 1703945 133028 2019-06-28 08:05:39
    NA NA
    telnet 80136 0 -
    NA NA
    ttl-expired 13895550 11 2019-03-30 10:55:21
    NA NA
    vcmp 0 0 -
    NA NA
    --------------------------------------------------------------------------------
    ericbize
        21
    ericbize  
    OP
       2019-06-28 21:57:37 +08:00
    @Tianao

    >display auto-port-defend ?
    attack-source Attack source
    configuration Current configuration

    剩下那个,命令似乎没有
    Tianao
        22
    Tianao  
       2019-06-29 18:41:25 +08:00
    @ericbize 命令没有可能是版本问题吧,我也不太熟悉这块的命令……
    不过从 #19、#20 的结果来看,貌似是有来自 GE1/0/44 VLAN20 的 ARP 报文被误伤了,虽然不能确定这个事件是否和现有问题有关,但还是建议楼主检查下这个接口来的报文,或者暂时关闭交换机的 ARP 自动防护功能。
    除此以外,恕我无法看出楼主贴出的配置有其他可疑之处。
    ericbize
        23
    ericbize  
    OP
       2019-06-29 23:13:02 +08:00 via iPhone
    @Tianao 其实我们也一直在怀疑是 arp 攻击, 但是无奈于 虚拟机太多, 所以有点想 把核心换了
    j2001588
        24
    j2001588  
       2019-08-01 18:13:39 +08:00
    @erivbize
    arp anti-attack gateway-duplicate enable
    arp speed-limit source-ip maximum 500
    arp-miss speed-limit source-ip maximum 100
    arp 攻击的话可以用这三条试试,建议参考一下华为的手册食用
    关于   ·   帮助文档   ·   博客   ·   API   ·   FAQ   ·   实用小工具   ·   2948 人在线   最高记录 6679   ·     Select Language
    创意工作者们的社区
    World is powered by solitude
    VERSION: 3.9.8.5 · 24ms · UTC 03:50 · PVG 11:50 · LAX 19:50 · JFK 22:50
    Developed with CodeLauncher
    ♥ Do have faith in what you're doing.