Slow Lan-- What will be the reason?

[sec_ware]

Hi XTC46

What you say sounds pretty reasonable to me So please ignore my mixed ordering.
I just recalled to have spent hours searching software problems, while actually one
router was partly damaged (due to some loose contact) - this was years ago. I simply
realised that the focus was on malware, and I wanted to add a few more ingrediences.

According to your posts, you would:
- Identify the "affected" segments of the network (could be the whole one)
- Check the type of traffic there (malicious activity?)
- If so, detach identified nodes and clean them.
- If not, check the logs for collisions etc., re-evaluate your network design, ...
- Check the hardware.

Something like that?

Cheers.

[MrCoffee]

Viruss,

I guess I would want to know what exactly "was slowing down", but one of the other possiblities you might look into for the effected systems are:

1) Incorrect DNS. If the workstations are pointing to the wrong DNS it will slow things way down.
2) Any new protocol's added? Look to see if someone added AppleTalk (chatty at best) or IPX
3) Find the point of bottle neck. Is it just slow to log on? Accessing file shares? Everything?
4) Bad cabling. If all these effected systems are on the same piece of backbone cabling..?

Most of these things can be done while you are running a Adaware or Spybot or AV scan.

I have had a bad 3Com switch cause this type of problem as well.

[f1fan]

Hey,

As the problem is relatively new, I think you said 1-2 months old. Have any users started streaming audio/radio/video to the desktops??

With 600 users, once one user figures out that they can listen to the radio via computer this news can spread quickly....

It was a little unclear to me.. is your internet traffic slow? Is the intranet traffic slow? or both.

I also ran into a situation where the switch changed from 100 Mbs to 10 Mbs by a sloppy admin. This might be an issue if you do not administer the network devices...

Hope this helps,
F1fan

[viruss]

Thanks to all of you for your valuable suggestions.

Let me clear my network scenario.
1) My data sharing between Intranet is slow. Internet access is not so important as it has only 128 kbps leased line.
2)600 PCs are connected in four switches all over network. There is no IP address scheme followed for this network. i.e. We are using 192.168.X.X/class B & there is no IP segments in our network.
3)There is not a certain area where LAN becomes slow. Some time it becomes very slow or some times it is better.
4)Due to lack of segmentation of network, I can't able to locate exact faulty switch in such huge area.
5) I have tried escan antivirus on client PCs but couldn't find any virus.

Mean while I will check with Ad-aware SE.
Shall I convert existing network in four different IP segmetns, so that there will not be any broadcasting on other network untill any request comes.
Shall I use Layer 3 switch to coneect these four segments? or Linux PC as router will work ofr it?

[XTC46]

first off you REALLY need to rething the archetecture of your network. 600 nodes on a network that is unsegment is a hell of a lot. when you say some times its good some times its not it is probably casued by more users being online. In a token ring network, the more people online, the longer each has to wait for their turn and for the data to get to them. I would really consider switching to a star topology ifit is at all possible. if not, atleast segment the parts of the lan, and get ethereal going on that network. set up a few boxes (one for each segment if you can segment it) and see what the traffic is. look for tons of out bound traffic on any one computer (major sign of an infestation) also get a tool like solarwinds if money permits to monitor the load on the switches. 4 switches under very heavy traffic on a what seems to be very disorganized network could easily casue both slow downs and complete crashes. wha could be happening (depending on the design of your network) is that one of the switches is crashing and since the computers are in a ring configuration they have to send untill they hit the break, then back track all the way back around the network.

so, 1) get etheal running no matter what.
2) if possible rethink the network design (yea this is a huge project ofr a network your size, but it WILL help)
3) move from un managed switches to something more advanced if money/trained staff permits.
4) segment that lan and rething you ip scheme.

[viruss]

wow.. great suggestion . thanks to XTC46

I am trying to make four segment of the exisitng network.But let me know that will it possible to create VLAN for these segments by departmental wise ? what will be the basic hardware setup require for it i.e Fast Ethernet card or Gigabit card? (As I told early, I am having four Cisco 2950 switches with Dlink 1024R un-managed switches below it)
Will it possible to create VLAN with unmanaged switches? (Due to money problem, its not possible to change all unmanaged switches at a time)

I am thinking about purchasing a Layer 3 switch (cisco 4503 / 4506 for connecting these four cisco switches for routing purpose.

I request You guys to give me your valuable suggestions for this network..

thanks in advance.. Viruss

[aeallison]

I have a few questions that I am surprised have not been asked here...


What version of Windows Server are you using? NT-x? Windows 2000 Server? Windows 2000 Advanced Server? Windows 2003 Server? UNIX? Solaris? I am assuming by the previous posts that it is on a Windows NT managed network as I have never heard of a Token Ring configuration ever working on a 2000 Server managed network. If it is a 2000 or 2003 network, does it have the typical DNS, DHCP, and DC, servers with redundant backup servers?

It sounds to me like your network is not on a domain at all, the IP range for internal Workgroups that you mentioned: 192.168.0.1 to 192.168.0.255 only allows a maximum of 254 connections on a subnet mask of 255.255.255.0, one of those will have to be on the LAN side of the router and another as the default gateway to the WAN, leaving a maximum of possible client connections of 252. How in the world does a network of 600 computers work on a network without DHCP or NAT translators to assign IP addresses? I can't imagine hooking up more than 5 or 10 workstations in a workgroup envroment, much less 600! I have problems with 3 computers on a workgroup at home. I would go nuts trying to keep a 600 node network running with that type of un-secure network architecture.

And last but not least... What version OS are the client workstations on? Are they all legitimate Win2k pro workstations? or are the a mish mash of Legacy system such as (shudder) win95, 98, ME, XP

[SirDice]

aeallison: Reread the thread. Viruss has 600 clients in a 192.168.x.x Class B network. That's 192.168.0.0/16 or 192.168.0.0 netmask 255.255.0.0. The tokenring network was just an example to indicate more users -> slower network.


Viruss: As noted by others, I believe 600 nodes in 1 broadcast domain is way too much. You might be plagued by broadcast storms. Windows machines tend to broadcast a lot of crap.. Other things to check are the NetBios node types. This maybe a cause if you have a lot of broadcast traffic. Resolving DNS/WINS might be an issue too. But I highly recommend segmenting your network. It'll make life a whole lot easier...

Other things to look for are speed/duplex mismatches between the switch and the NICs. We set everything. We've had our fair share of users complaining about slow connections when the NIC and the switchport where both set to auto/auto (speed/duplex). Turns out both will try another setting every now and then and then it'll screw up.

[aeallison]

SirDice : I have reread the thread as you suggested and (after reading your post) I am beginning to understand better what viruss is trying to accomplish. What I don't understand is how this system/network ever worked reliably. I do understand why he is haveing problems, with network speed.

I agree with SirDice that setting adaptors and switches to auto negotiate is a bad idea. I have had problems with this kind of setup before.

And why allow the entire network internet connectivity? If it is only an ISDN or DSL type connection with a 128k maximum bandwidth. This would be fine for home use ore for a small (less than 50 node) network. I am not trying to imply that this is an impossible configuration, just a badly structured one. My guess... tell me if I am wrong... is that this network started out with only a few nodes and through time it has had more and more added to it that it has long ago outgrown its original purpose. And as for gigabit adaptors and routers?? the connections will never be any faster than the slowest connection on the network. Again correct me if I am in error, the limit is in a 128k WAN connection, isn't this one eighth the bandwidth that is capable over a 1mb connection, why use a 1000mb connection? Spend that money on insuring that all of the clients are using the same OS and configurations that the users ( lusers as Gore would imply ) cannot screw with in order to chat or listen to music when they should be working. My experience tells me that out of 600 users at least 1 of those users will think he knows more about computers and networking than the Administrator.

[zENGER]

Originally posted here by aeallison
Again correct me if I am in error, the limit is in a 128k WAN connection, isn't this one eighth the bandwidth that is capable over a 1mb connection, why use a 1000mb connection?

He's doesn't seem to be worried about the internet connection, just the intranet portion which is not limite by the WAN connection.

Are your clients talking to a small number of servers in a server farm, or to each other? If you have 600 machines hitting one server this could also be a bottleneck.

I 100% agree that you have too many nodes on that one broadcast lan. Splitting them up is the best way to reduce the traffic load.