Outline
1. Overview of network operations performance tuning
Network operations performance tuning is the key work that keeps a network running efficiently and stably: it locates network performance bottlenecks and optimizes network configuration and resource usage in order to raise bandwidth utilization, lower latency and improve reliability. Tuning has to cover several metrics at once (bandwidth, latency, throughput, packet loss) and needs a complete monitoring and optimization process behind it.
The core goals of network operations performance tuning are:
- Raise bandwidth utilization and throughput
- Lower latency and jitter
- Reduce packet loss and errors
- Improve reliability and availability
- Optimize the allocation of network resources
- Keep the network running securely and stably
2. Network performance analysis
2.1 Network performance metrics
$ cat > /usr/local/bin/network_performance_analysis.sh << 'EOF'
#!/bin/bash
echo "开始网络性能分析..."
# 1. Interface statistics
echo "=== 网络接口统计 ==="
ip -s link show
# 2. Network traffic (5 one-second samples)
echo -e "\n=== 网络流量统计 ==="
sar -n DEV 1 5
# 3. Per-interface error and drop counters
echo -e "\n=== 网络错误统计 ==="
column -t /proc/net/dev
# 4. TCP statistics
echo -e "\n=== TCP连接统计 ==="
netstat -s | head -30
# 5. UDP statistics
echo -e "\n=== UDP统计 ==="
netstat -su
# 6. Network latency
echo -e "\n=== 网络延迟测试 ==="
ping -c 5 8.8.8.8
# 7. Routing table
echo -e "\n=== 路由表 ==="
ip route show
# 8. ARP table
echo -e "\n=== ARP表 ==="
ip neigh show
echo "网络性能分析完成"
EOF
$ chmod +x /usr/local/bin/network_performance_analysis.sh
开始网络性能分析…
=== 网络接口统计 ===
2: eth0:
link/ether 00:0c:29:12:34:56 brd ff:ff:ff:ff:ff:ff
RX: bytes packets errors dropped overrun mcast
1234567890 1234567 0 0 0 0
TX: bytes packets errors dropped carrier collsns
987654321 987654 0 0 0 0
=== 网络流量统计 ===
Linux 4.18.0-305.el8.x86_64 (server.fgedu.net.cn) 04/03/2026 _x86_64_ (8 CPU)
10:30:45 AM IFACE rxpck/s txpck/s rxkB/s txkB/s rxcmp/s txcmp/s rxmcst/s %ifutil
10:30:46 AM eth0 1234.56 987.65 123.45 98.76 0.00 0.00 0.00 0.12
10:30:47 AM eth0 1256.78 1001.23 125.67 100.12 0.00 0.00 0.00 0.12
=== 网络错误统计 ===
Inter-| Receive | Transmit
face |bytes packets errs drop fifo frame compressed multicast|bytes packets errs drop fifo colls carrier compressed
eth0: 1234567890 1234567 0 0 0 0 0 0 987654321 987654 0 0 0 0 0 0
lo: 12345678 12345 0 0 0 0 0 0 12345678 12345 0 0 0 0 0 0
=== TCP连接统计 ===
Tcp:
12345 active connections openings
23456 passive connection openings
123 failed connection attempts
456 connection resets received
789 connections established
1234567 segments received
987654 segments sent out
123 segments retransmitted
0 bad segments received
456 resets sent
=== UDP统计 ===
Udp:
12345 packets received
0 packets to unknown port received
0 packet receive errors
9876 packets sent
0 receive buffer errors
0 send buffer errors
=== 网络延迟测试 ===
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=117 time=12.3 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=117 time=12.5 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=117 time=12.4 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=117 time=12.6 ms
64 bytes from 8.8.8.8: icmp_seq=5 ttl=117 time=12.3 ms
--- 8.8.8.8 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4004ms
rtt min/avg/max/mdev = 12.3/12.4/12.6/0.15 ms
=== 路由表 ===
default via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.100
=== ARP表 ===
192.168.1.1 dev eth0 lladdr 00:0c:29:ab:cd:ef REACHABLE
192.168.1.101 dev eth0 lladdr 00:0c:29:12:34:56 REACHABLE
网络性能分析完成
2.2 Network performance testing
$ cat > /usr/local/bin/network_performance_test.sh << 'EOF'
#!/bin/bash
echo "开始网络性能测试..."
# 1. Bandwidth test (needs "iperf3 -s" running on 192.168.1.101)
echo "=== 带宽测试 ==="
iperf3 -c 192.168.1.101 -t 10 -i 1
# 2. Latency test
echo -e "\n=== 延迟测试 ==="
ping -c 10 192.168.1.101
# 3. Packet loss test (report mode, 10 cycles)
echo -e "\n=== 丢包测试 ==="
mtr -r -c 10 192.168.1.101
# 4. Route trace
echo -e "\n=== 路由追踪 ==="
traceroute 8.8.8.8
# 5. DNS resolution test
echo -e "\n=== DNS解析测试 ==="
dig www.fgedu.net.cn
# 6. HTTP performance test (1000 requests, concurrency 10)
echo -e "\n=== HTTP性能测试 ==="
ab -n 1000 -c 10 http://www.fgedu.net.cn/
# 7. Throughput test (needs netserver running on 192.168.1.101)
echo -e "\n=== 网络吞吐量测试 ==="
netperf -H 192.168.1.101 -l 10
echo "网络性能测试完成"
EOF
$ chmod +x /usr/local/bin/network_performance_test.sh
开始网络性能测试…
=== 带宽测试 ===
Connecting to host 192.168.1.101, port 5201
[ 5] local 192.168.1.100 port 54321 connected to 192.168.1.101 port 5201
[ ID] Interval Transfer Bandwidth Retr Cwnd
[ 5] 0.00-1.00 sec 112 MBytes 941 Mbits/sec 0 375 KBytes
[ 5] 1.00-2.00 sec 111 MBytes 932 Mbits/sec 0 375 KBytes
[ 5] 2.00-3.00 sec 112 MBytes 941 Mbits/sec 0 375 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bandwidth Retr
[ 5] 0.00-10.00 sec 1.10 GBytes 945 Mbits/sec 0 sender
[ 5] 0.00-10.00 sec 1.10 GBytes 942 Mbits/sec receiver
=== 延迟测试 ===
PING 192.168.1.101 (192.168.1.101) 56(84) bytes of data.
64 bytes from 192.168.1.101: icmp_seq=1 ttl=64 time=0.523 ms
64 bytes from 192.168.1.101: icmp_seq=2 ttl=64 time=0.512 ms
64 bytes from 192.168.1.101: icmp_seq=3 ttl=64 time=0.518 ms
64 bytes from 192.168.1.101: icmp_seq=4 ttl=64 time=0.521 ms
64 bytes from 192.168.1.101: icmp_seq=5 ttl=64 time=0.515 ms
--- 192.168.1.101 ping statistics ---
10 packets transmitted, 10 received, 0% packet loss, time 9008ms
rtt min/avg/max/mdev = 0.512/0.518/0.523/0.015 ms
=== 丢包测试 ===
Start: Fri Apr 3 10:30:45 2026
HOST: server.fgedu.net.cn Loss% Snt Last Avg Best Wrst StDev
1. 192.168.1.101 0.0% 10 0.5 0.5 0.5 0.6 0.0
=== 路由追踪 ===
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
1 192.168.1.1 (192.168.1.1) 0.523 ms 0.512 ms 0.518 ms
2 10.0.0.1 (10.0.0.1) 1.234 ms 1.245 ms 1.256 ms
3 172.16.0.1 (172.16.0.1) 5.678 ms 5.689 ms 5.700 ms
4 * * *
5 google-public-dns-a.google.com (8.8.8.8) 12.345 ms 12.356 ms 12.367 ms
=== DNS解析测试 ===
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el8 <<>> www.fgedu.net.cn
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.fgedu.net.cn. IN A
;; ANSWER SECTION:
www.fgedu.net.cn. 300 IN A 192.168.1.100
;; Query time: 12 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Apr 03 10:30:45 CST 2026
;; MSG SIZE rcvd: 61
=== HTTP性能测试 ===
This is ApacheBench, Version 2.3 <$Revision: 1874286 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/
Benchmarking www.fgedu.net.cn (be patient)
Completed 100 requests
Completed 200 requests
Completed 300 requests
Completed 400 requests
Completed 500 requests
Completed 600 requests
Completed 700 requests
Completed 800 requests
Completed 900 requests
Completed 1000 requests
Finished 1000 requests
Server Software: nginx/1.18.0
Server Hostname: www.fgedu.net.cn
Server Port: 80
Document Path: /
Document Length: 12345 bytes
Concurrency Level: 10
Time taken for tests: 5.234 seconds
Complete requests: 1000
Failed requests: 0
Total transferred: 12567890 bytes
HTML transferred: 12345000 bytes
Requests per second: 191.05 [#/sec] (mean)
Time per request: 52.340 [ms] (mean)
Time per request: 5.234 [ms] (mean, across all concurrent requests)
Transfer rate: 2345.67 [Kbytes/sec] received
=== 网络吞吐量测试 ===
MIGRATED TCP STREAM TEST from 192.168.1.100 () port 0 AF_INET to 192.168.1.101 () port 0 AF_INET
Recv Send Send
Socket Socket Message Elapsed
Size Size Size Time Throughput
bytes bytes bytes secs. 10^6bits/sec
87380 16384 16384 10.01 945.23
网络性能测试完成
3. Bandwidth optimization
3.1 Bandwidth monitoring
$ cat > /usr/local/bin/bandwidth_monitor.sh << 'EOF'
#!/bin/bash
echo "开始带宽监控..."
# 1. Real-time bandwidth (5 one-second samples)
echo "=== 实时带宽监控 ==="
ifstat -i eth0 1 5
# 2. Bandwidth usage statistics
echo -e "\n=== 带宽使用统计 ==="
vnstat -i eth0
# 3. Traffic analysis (text mode, run for 5 seconds)
echo -e "\n=== 流量分析 ==="
iftop -n -i eth0 -t -s 5
# 4. Per-process bandwidth (trace mode with 5 refreshes, so it does not block the script)
echo -e "\n=== 连接带宽统计 ==="
nethogs -t -c 5 eth0
# 5. Connections per local port, top 10 (skip the two netstat header lines)
echo -e "\n=== 端口带宽统计 ==="
netstat -antp | awk 'NR > 2 {print $4}' | awk -F: '{print $NF}' | sort | uniq -c | sort -nr | head -10
# 6. Raw interface counters
echo -e "\n=== 协议带宽统计 ==="
grep eth0 /proc/net/dev
echo "带宽监控完成"
EOF
$ chmod +x /usr/local/bin/bandwidth_monitor.sh
开始带宽监控…
=== 实时带宽监控 ===
eth0
KB/s in KB/s out
123.45 98.76
125.67 100.12
122.34 97.89
124.56 99.23
126.78 101.34
=== 带宽使用统计 ===
Database updated: Fri Apr 3 10:30:45 2026
eth0 since 2026-01-01
rx: 1.23 TiB tx: 987.65 GiB total: 2.21 TiB
monthly
rx | tx | total | avg. rate
------------------------+-------------+-------------+---------------
2026-03 456.78 GiB | 345.67 GiB | 802.45 GiB | 2.56 Mbit/s
2026-04 123.45 GiB | 98.76 GiB | 222.21 GiB | 2.45 Mbit/s
------------------------+-------------+-------------+---------------
estimated 156.78 GiB | 125.34 GiB | 282.12 GiB |
daily
rx | tx | total | avg. rate
------------------------+-------------+-------------+---------------
today 12.34 GiB | 9.87 GiB | 22.21 GiB | 2.34 Mbit/s
------------------------+-------------+-------------+---------------
estimated 15.67 GiB | 12.53 GiB | 28.20 GiB |
=== 流量分析 ===
interface: eth0
IP address is: 192.168.1.100
MAC address is: 00:0c:29:12:34:56
Listening on eth0
=== 连接带宽统计 ===
15 :80
10 :443
8 :22
5 :3306
3 :6379
=== 协议带宽统计 ===
eth0: 1234567890 1234567 0 0 0 0 0 0 987654321 987654 0 0 0 0 0 0
带宽监控完成
3.2 Bandwidth optimization configuration
$ cat > /usr/local/bin/bandwidth_optimization.sh << 'EOF'
#!/bin/bash
echo "开始带宽优化..."
# 1. Traffic control: HTB root qdisc with a 1000mbit parent class and two child classes
echo "配置流量控制..."
# remove any existing root qdisc first, otherwise "add" fails with "RTNETLINK answers: File exists"
tc qdisc del dev eth0 root 2>/dev/null
tc qdisc add dev eth0 root handle 1: htb default 10
tc class add dev eth0 parent 1: classid 1:1 htb rate 1000mbit
tc class add dev eth0 parent 1:1 classid 1:10 htb rate 800mbit ceil 1000mbit
tc class add dev eth0 parent 1:1 classid 1:20 htb rate 200mbit ceil 1000mbit
# 2. QoS policy
echo "配置QoS策略..."
# classify HTTP/HTTPS traffic into class 1:10
tc filter add dev eth0 protocol ip parent 1:0 prio 1 u32 match ip dport 80 0xffff flowid 1:10
tc filter add dev eth0 protocol ip parent 1:0 prio 1 u32 match ip dport 443 0xffff flowid 1:10
# classify SSH traffic into class 1:20
tc filter add dev eth0 protocol ip parent 1:0 prio 2 u32 match ip dport 22 0xffff flowid 1:20
# 3. Bandwidth limit for one host
echo "配置带宽限制..."
# this shapes egress on eth0 with source 192.168.1.200, so it only takes effect for traffic
# this host forwards on behalf of that address (or sends from it)
tc class add dev eth0 parent 1:1 classid 1:30 htb rate 10mbit ceil 20mbit
tc filter add dev eth0 protocol ip parent 1:0 prio 3 u32 match ip src 192.168.1.200 flowid 1:30
# 4. NIC ring buffers
echo "配置网络缓冲区..."
# enlarge the receive and transmit rings
ethtool -G eth0 rx 4096 tx 4096
# 5. Multi-queue
echo "启用网络多队列..."
ethtool -L eth0 combined 8
# 6. Offload settings
echo "配置网卡offload..."
ethtool -K eth0 tso on
ethtool -K eth0 gso on
ethtool -K eth0 gro on
ethtool -K eth0 lro off
echo "带宽优化完成"
EOF
$ chmod +x /usr/local/bin/bandwidth_optimization.sh
开始带宽优化…
配置流量控制…
配置QoS策略…
配置带宽限制…
配置网络缓冲区…
启用网络多队列…
Channel parameters for eth0:
Pre-set maximums:
RX: 0
TX: 0
Other: 0
Combined: 8
Current hardware settings:
RX: 0
TX: 0
Other: 0
Combined: 8
配置网卡offload…
带宽优化完成
4. Latency optimization
4.1 Latency analysis
$ cat > /usr/local/bin/latency_analysis.sh << 'EOF'
#!/bin/bash
echo "开始延迟分析..."
# 1. ICMP latency (summary lines only)
echo "=== ICMP延迟测试 ==="
ping -c 10 8.8.8.8 | tail -2
# 2. TCP latency (tcpping is a separate tool, not installed by default)
echo -e "\n=== TCP延迟测试 ==="
tcpping 8.8.8.8 80
# 3. DNS latency: 5 timed lookups
echo -e "\n=== DNS延迟测试 ==="
for i in {1..5}; do
    time dig @8.8.8.8 www.fgedu.net.cn +short
done
# 4. HTTP latency breakdown (name lookup, connect, time to first byte, total)
echo -e "\n=== HTTP延迟测试 ==="
curl -o /dev/null -s -w "DNS: %{time_namelookup}s\nConnect: %{time_connect}s\nTTFB: %{time_starttransfer}s\nTotal: %{time_total}s\n" http://www.fgedu.net.cn
# 5. Jitter: mean RTT and its standard deviation over 20 pings
#    (guard NR == 0, otherwise total loss makes awk divide by zero)
echo -e "\n=== 网络抖动测试 ==="
ping -c 20 8.8.8.8 | awk '/time=/ {print $7}' | cut -d= -f2 \
    | awk '{sum+=$1; sumsq+=$1*$1} END {if (NR == 0) {print "no replies"; exit 1}; print "平均延迟:", sum/NR, "ms"; print "抖动:", sqrt(sumsq/NR - (sum/NR)^2), "ms"}'
# 6. Per-hop latency
echo -e "\n=== 路由延迟分析 ==="
traceroute -n 8.8.8.8
echo "延迟分析完成"
EOF
$ chmod +x /usr/local/bin/latency_analysis.sh
开始延迟分析…
=== ICMP延迟测试 ===
--- 8.8.8.8 ping statistics ---
10 packets transmitted, 10 received, 0% packet loss, time 9008ms
rtt min/avg/max/mdev = 12.3/12.4/12.6/0.15 ms
=== TCP延迟测试 ===
seq 0: response from 8.8.8.80 [open] 12.345 ms
seq 1: response from 8.8.8.80 [open] 12.456 ms
seq 2: response from 8.8.8.80 [open] 12.567 ms
=== DNS延迟测试 ===
192.168.1.100
real 0m0.012s
user 0m0.001s
sys 0m0.002s
192.168.1.100
real 0m0.011s
user 0m0.001s
sys 0m0.002s
192.168.1.100
real 0m0.013s
user 0m0.001s
sys 0m0.002s
=== HTTP延迟测试 ===
DNS: 0.012345s
Connect: 0.023456s
TTFB: 0.045678s
Total: 0.056789s
=== 网络抖动测试 ===
平均延迟: 12.45 ms
抖动: 0.15 ms
=== 路由延迟分析 ===
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
1 192.168.1.1 0.523 ms 0.512 ms 0.518 ms
2 10.0.0.1 1.234 ms 1.245 ms 1.256 ms
3 172.16.0.1 5.678 ms 5.689 ms 5.700 ms
4 * * *
5 8.8.8.8 12.345 ms 12.356 ms 12.367 ms
延迟分析完成
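The jitter step above extracts the RTT by field position and divides by the reply count, which fails when every probe times out. As an added example (not code from the original tutorial), the function below computes loss, mean RTT and jitter from the same ping output format, takes the sent/received counts from ping's own summary line, and reports cleanly on total loss. The two ping transcripts at the bottom are constructed sample input.

```shell
#!/bin/bash
# Loss, mean RTT and jitter (RTT standard deviation) from "ping -c N host" output read on
# stdin. Exit status: 0 with replies, 2 when no reply arrived, 3 when no summary line exists.
ping_stats() {
    awk '
        /time=/ {
            rtt = $0
            sub(/.*time=/, "", rtt)             # "... ttl=117 time=12.3 ms" -> "12.3 ms"
            sub(/ .*/, "", rtt)                 # -> "12.3"
            n++; sum += rtt; sumsq += rtt * rtt
        }
        /packets transmitted/ { sent = $1; recv = $4 }
        END {
            if (sent == 0) { print "no ping summary found"; exit 3 }
            loss = 100 * (sent - recv) / sent
            if (n == 0) { printf "loss=%.0f%% avg=n/a jitter=n/a\n", loss; exit 2 }
            mean = sum / n
            var = sumsq / n - mean * mean       # population variance, as in the tutorial awk
            if (var < 0) var = 0                # rounding can push a near-zero variance negative
            printf "loss=%.0f%% avg=%.3fms jitter=%.3fms\n", loss, mean, sqrt(var)
        }'
}

# Constructed samples: the five replies shown in section 2.1, and a run with no replies.
PING_OK='PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=117 time=12.3 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=117 time=12.5 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=117 time=12.4 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=117 time=12.6 ms
64 bytes from 8.8.8.8: icmp_seq=5 ttl=117 time=12.3 ms

--- 8.8.8.8 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4004ms
rtt min/avg/max/mdev = 12.3/12.4/12.6/0.15 ms'
PING_LOST='PING 10.0.0.9 (10.0.0.9) 56(84) bytes of data.

--- 10.0.0.9 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2050ms'

printf '%s\n' "$PING_OK" | ping_stats
printf '%s\n' "$PING_LOST" | ping_stats || echo "exit status: $?"
```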
4.2 Latency optimization configuration
$ cat > /usr/local/bin/latency_optimization.sh << 'EOF'
#!/bin/bash
echo "开始延迟优化..."
# 1. TCP parameters
echo "优化TCP参数..."
cat >> /etc/sysctl.conf << 'TCP'
# TCP latency tuning
net.ipv4.tcp_low_latency = 1
net.ipv4.tcp_fastopen = 3
net.ipv4.tcp_slow_start_after_idle = 0
net.ipv4.tcp_no_metrics_save = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 1200
net.ipv4.tcp_keepalive_intvl = 30
net.ipv4.tcp_keepalive_probes = 5
TCP
sysctl -p
# 2. BBR congestion control
echo "启用BBR拥塞控制..."
echo "net.ipv4.tcp_congestion_control = bbr" >> /etc/sysctl.conf
sysctl -p
# 3. DNS resolution: direct upstreams first, so the dnsmasq install below can still resolve names
#    (NetworkManager rewrites /etc/resolv.conf for interfaces it manages; set DNS with nmcli there)
echo "优化DNS解析..."
cat > /etc/resolv.conf << 'DNS'
nameserver 8.8.8.8
nameserver 8.8.4.4
options timeout:2 attempts:3 rotate single-request
DNS
# 4. Local DNS cache
echo "配置DNS缓存..."
yum install -y dnsmasq
cat > /etc/dnsmasq.conf << 'DNSMASQ'
listen-address=127.0.0.1
bind-interfaces
cache-size=1000
no-hosts
# upstreams are listed here instead of being read from /etc/resolv.conf, which will point back at dnsmasq
no-resolv
server=8.8.8.8
server=8.8.4.4
DNSMASQ
systemctl start dnsmasq
systemctl enable dnsmasq
# the cache is only used once the resolver points at it
cat > /etc/resolv.conf << 'DNS'
nameserver 127.0.0.1
options timeout:2 attempts:3
DNS
# 5. Transmit queue length
echo "优化网络队列..."
ip link set eth0 txqueuelen 1000
# 6. Turn TSO/GSO off: lower per-packet latency at a CPU cost (3.2 turns them on for throughput; pick one policy per host)
echo "禁用网络延迟..."
ethtool -K eth0 tso off
ethtool -K eth0 gso off
echo "延迟优化完成"
EOF
$ chmod +x /usr/local/bin/latency_optimization.sh
开始延迟优化…
优化TCP参数…
net.ipv4.tcp_low_latency = 1
net.ipv4.tcp_fastopen = 3
net.ipv4.tcp_slow_start_after_idle = 0
net.ipv4.tcp_no_metrics_save = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 1200
net.ipv4.tcp_keepalive_intvl = 30
net.ipv4.tcp_keepalive_probes = 5
启用BBR拥塞控制…
net.ipv4.tcp_congestion_control = bbr
优化DNS解析…
配置DNS缓存…
Created symlink /etc/systemd/system/multi-user.target.wants/dnsmasq.service → /usr/lib/systemd/system/dnsmasq.service.
优化网络队列…
禁用网络延迟…
延迟优化完成
5. TCP performance optimization
5.1 TCP parameter tuning
$ cat > /usr/local/bin/tcp_optimization.sh << 'EOF'
#!/bin/bash
echo "开始TCP参数优化..."
# 1. TCP buffers
echo "优化TCP缓冲区..."
cat >> /etc/sysctl.conf << 'TCP'
# TCP buffer tuning
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.core.rmem_default = 262144
net.core.wmem_default = 262144
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 65536 16777216
net.ipv4.tcp_mem = 786432 1048576 1572864
TCP
# 2. Connection handling
echo "优化TCP连接..."
cat >> /etc/sysctl.conf << 'TCP'
# TCP connection tuning (syncookies keep the listen queue usable under a SYN flood)
net.ipv4.tcp_max_syn_backlog = 8192
net.ipv4.tcp_max_tw_buckets = 5000
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_orphans = 32768
net.ipv4.tcp_syn_retries = 2
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_retries2 = 5
net.ipv4.tcp_retries1 = 3
TCP
# 3. Timeouts
echo "优化TCP超时..."
cat >> /etc/sysctl.conf << 'TCP'
# TCP timeout tuning
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 1200
net.ipv4.tcp_keepalive_intvl = 30
net.ipv4.tcp_keepalive_probes = 5
net.ipv4.tcp_tw_reuse = 1
TCP
# 4. Congestion control
echo "优化TCP拥塞控制..."
cat >> /etc/sysctl.conf << 'TCP'
# TCP congestion control tuning (BBR is paired with the fq qdisc)
net.ipv4.tcp_congestion_control = bbr
net.core.default_qdisc = fq
net.ipv4.tcp_slow_start_after_idle = 0
net.ipv4.tcp_no_metrics_save = 1
TCP
# 5. TCP Fast Open
echo "优化TCP Fast Open..."
cat >> /etc/sysctl.conf << 'TCP'
# TCP Fast Open (3 = enabled for both client and server)
net.ipv4.tcp_fastopen = 3
TCP
# 6. Apply
echo "应用配置..."
sysctl -p
echo "TCP参数优化完成"
EOF
$ chmod +x /usr/local/bin/tcp_optimization.sh
开始TCP参数优化…
优化TCP缓冲区…
优化TCP连接…
优化TCP超时…
优化TCP拥塞控制…
优化TCP Fast Open…
应用配置…
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.core.rmem_default = 262144
net.core.wmem_default = 262144
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 65536 16777216
net.ipv4.tcp_mem = 786432 1048576 1572864
net.ipv4.tcp_max_syn_backlog = 8192
net.ipv4.tcp_max_tw_buckets = 5000
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_orphans = 32768
net.ipv4.tcp_syn_retries = 2
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_retries2 = 5
net.ipv4.tcp_retries1 = 3
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 1200
net.ipv4.tcp_keepalive_intvl = 30
net.ipv4.tcp_keepalive_probes = 5
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_congestion_control = bbr
net.core.default_qdisc = fq
net.ipv4.tcp_slow_start_after_idle = 0
net.ipv4.tcp_no_metrics_save = 1
net.ipv4.tcp_fastopen = 3
TCP参数优化完成
5.2 TCP connection optimization
$ cat > /usr/local/bin/tcp_connection_optimization.sh << 'EOF'
#!/bin/bash
echo "开始TCP连接优化..."
# 1. Current connection states (skip the two netstat header lines)
echo "=== 当前TCP连接状态 ==="
netstat -antp | awk 'NR > 2 {print $6}' | sort | uniq -c
# 2. Connection tracking: the net.netfilter.* keys only exist once the module is loaded,
#    so load it first or "sysctl -p" reports them as unknown keys
echo "优化连接跟踪..."
modprobe nf_conntrack
cat >> /etc/sysctl.conf << 'CONNTRACK'
# conntrack tuning
net.netfilter.nf_conntrack_max = 655360
net.netfilter.nf_conntrack_tcp_timeout_established = 1200
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 30
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 30
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 30
CONNTRACK
# 3. Ephemeral port range (a floor of 1024 overlaps service ports such as 3306;
#    list those in net.ipv4.ip_local_reserved_ports so outgoing connections cannot take them)
echo "优化端口范围..."
cat >> /etc/sysctl.conf << 'PORT'
# ephemeral port range
net.ipv4.ip_local_port_range = 1024 65535
PORT
# 4. Per-process file descriptor limits (apply to new login sessions)
echo "优化文件描述符..."
cat >> /etc/security/limits.conf << 'LIMIT'
* soft nofile 65535
* hard nofile 65535
LIMIT
# 5. System-wide limits
echo "优化系统限制..."
cat >> /etc/sysctl.conf << 'FS'
# file handle limits
fs.file-max = 1000000
fs.nr_open = 1000000
FS
# 6. Apply
echo "应用配置..."
sysctl -p
echo "TCP连接优化完成"
EOF
$ chmod +x /usr/local/bin/tcp_connection_optimization.sh
开始TCP连接优化…
=== 当前TCP连接状态 ===
1 established
2 listen
3 time_wait
4 close_wait
优化连接跟踪…
优化端口范围…
优化文件描述符…
优化系统限制…
应用配置…
net.netfilter.nf_conntrack_max = 655360
net.netfilter.nf_conntrack_tcp_timeout_established = 1200
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 30
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 30
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 30
net.ipv4.ip_local_port_range = 1024 65535
fs.file-max = 1000000
fs.nr_open = 1000000
TCP连接优化完成
6. Network device optimization
6.1 Switch optimization
$ cat > /tmp/switch_optimization.txt << 'EOF'
! Switch performance optimization configuration (Cisco IOS syntax)
! 1. Rapid spanning tree, PortFast on access ports by default
spanning-tree mode rapid-pvst
spanning-tree portfast default
! 2. Link aggregation (channel-protocol/channel-group are entered on the member
!    physical interfaces; the Port-channel interface carries the trunk settings)
interface Port-channel1
 description Link Aggregation
 switchport mode trunk
channel-protocol lacp
channel-group 1 mode active
! 3. QoS: weighted round-robin queues with CoS-to-queue mapping
mls qos
interface GigabitEthernet0/1
 wrr-queue bandwidth 10 20 30 40
 wrr-queue cos-map 1 0 1
 wrr-queue cos-map 2 2 3
 wrr-queue cos-map 3 4 5
 wrr-queue cos-map 4 6 7
! 4. Ethernet flow control (PAUSE frames)
 flowcontrol receive desired
 flowcontrol send desired
! 5. Port security: at most 10 MAC addresses, drop and log violations
interface GigabitEthernet0/1
 switchport port-security
 switchport port-security maximum 10
 switchport port-security violation restrict
! 6. MAC address table aging time (seconds)
mac address-table aging-time 300
! 7. IGMP snooping, so multicast is only forwarded to subscribed ports
ip igmp snooping
! 8. Storm control: broadcast above 10% or multicast above 20% of port bandwidth
!    err-disables the port
interface GigabitEthernet0/1
 storm-control broadcast level 10.00
 storm-control multicast level 20.00
 storm-control action shutdown
EOF
6.2 Router optimization
$ cat > /tmp/router_optimization.txt << 'EOF'
! Router performance optimization configuration (Cisco IOS syntax)
! 1. Routing protocol tuning: faster SPF/LSA throttling, 10 Gbit/s reference bandwidth
router ospf 1
 router-id 1.1.1.1
 auto-cost reference-bandwidth 10000
 timers throttle spf 5 100 5000
 timers throttle lsa 5 100 5000
 timers lsa arrival 10
! 2. CEF switching
ip cef
ip cef accounting per-prefix
! 3. BGP tuning
router bgp 65001
 bgp router-id 1.1.1.1
 bgp always-compare-med
 bgp bestpath as-path ignore
 timers bgp 10 30
! 4. QoS: strict priority for voice, guaranteed bandwidth for video, fair queuing for the rest
class-map VOICE
 match ip dscp ef
class-map VIDEO
 match ip dscp af41
policy-map WAN-QOS
 class VOICE
  priority 1000
 class VIDEO
  bandwidth 2000
 class class-default
  fair-queue
interface GigabitEthernet0/0
 service-policy output WAN-QOS
! 5. NetFlow export to the collector
ip flow-export destination 192.168.1.100 2055
ip flow-export version 9
interface GigabitEthernet0/0
 ip flow ingress
 ip flow egress
! 6. ACL: allow established TCP and echo replies, log everything else that is denied
ip access-list extended ALLOW-TRAFFIC
 permit tcp any any established
 permit icmp any any echo-reply
 deny ip any any log
! 7. NAT translation timeouts
ip nat translation timeout 300
ip nat translation tcp-timeout 3600
ip nat translation udp-timeout 300
! 8. Route cache
ip route-cache flow
ip route-cache cef
EOF
Tip from Feng Ge: network device optimization must be configured to fit the actual network architecture and business requirements; over-optimization can make the network unstable.
7. Load balancing optimization
7.1 Load balancing configuration
$ cat > /etc/nginx/conf.d/load-balancing.conf << 'EOF'
# Load balancing configuration
upstream backend {
    # Load balancing algorithm
    least_conn;
    # Backend servers
    server 192.168.1.101:8080 weight=5 max_fails=3 fail_timeout=30s;
    server 192.168.1.102:8080 weight=5 max_fails=3 fail_timeout=30s;
    server 192.168.1.103:8080 weight=5 max_fails=3 fail_timeout=30s backup;
    # Active health checks: the check* directives come from nginx_upstream_check_module (Tengine);
    # stock nginx only does passive checks through max_fails/fail_timeout
    check interval=3000 rise=2 fall=3 timeout=1000 type=http;
    check_http_send "GET /health HTTP/1.0\r\n\r\n";
    check_http_expect_alive http_2xx http_3xx;
    # Keep-alive connections to the backends
    keepalive 32;
    keepalive_timeout 60s;
    keepalive_requests 100;
}
server {
    listen 80;
    server_name www.fgedu.net.cn;
    # Proxy configuration
    location / {
        proxy_pass http://backend;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Timeouts
        proxy_connect_timeout 60s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;
        # Buffering
        proxy_buffer_size 16k;
        proxy_buffers 4 64k;
        proxy_busy_buffers_size 128k;
    }
    # Status monitoring, reachable from the management subnet only
    location /nginx_status {
        stub_status on;
        access_log off;
        allow 192.168.1.0/24;
        deny all;
    }
}
EOF
7.2 HAProxy load balancing configuration
$ cat > /etc/haproxy/haproxy.cfg << 'EOF'
global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon
    maxconn 4000

defaults
    log global
    mode http
    option httplog
    option dontlognull
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    retries 3
    option redispatch
    maxconn 3000

frontend http_front
    bind *:80
    acl url_static path_beg -i /static /images /javascript /stylesheets
    acl url_static path_end -i .jpg .gif .png .css .js
    use_backend static if url_static
    default_backend http_back

backend static
    balance roundrobin
    option httpchk GET /health
    server static1 192.168.1.101:80 check inter 3000 rise 2 fall 3
    server static2 192.168.1.102:80 check inter 3000 rise 2 fall 3

backend http_back
    balance leastconn
    option httpchk GET /health
    option http-server-close
    option forwardfor except 127.0.0.0/8
    option redispatch
    retries 3
    timeout http-request 10s
    timeout queue 1m
    timeout connect 10s
    timeout server 1m
    timeout http-keep-alive 10s
    timeout check 10s
    server app1 192.168.1.101:8080 check inter 3000 rise 2 fall 3 weight 5
    server app2 192.168.1.102:8080 check inter 3000 rise 2 fall 3 weight 5
    server app3 192.168.1.103:8080 check inter 3000 rise 2 fall 3 weight 5 backup

listen stats
    bind *:8080
    stats enable
    stats uri /stats
    stats refresh 10s
    # placeholder credential: change it, and restrict who can reach port 8080
    stats auth admin:password
    stats admin if TRUE
EOF
8. Network monitoring
8.1 Network monitoring system
$ cat > /usr/local/bin/network_monitoring_system.sh << 'EOF'
#!/bin/bash
echo "配置网络监控系统..."
# 1. Install monitoring tools (nrpe and collectd come from EPEL; the collectd snmp plugin is a separate subpackage)
echo "安装监控工具..."
yum install -y net-snmp net-snmp-utils nagios-plugins nrpe collectd
# 2. SNMP agent
echo "配置SNMP..."
cat > /etc/snmp/snmpd.conf << 'SNMP'
# SNMPv2c has no authentication beyond the community string: use a non-default
# community and keep read-only access limited to the monitoring subnet
rocommunity public 192.168.1.0/24
sysLocation "Server Room"
sysContact "admin@fgedu.net.cn"
sysServices 72
SNMP
systemctl start snmpd
systemctl enable snmpd
# 3. NRPE agent
echo "配置网络监控..."
cat > /etc/nagios/nrpe.cfg << 'NRPE'
log_facility=daemon
pid_file=/var/run/nrpe/nrpe.pid
server_port=5666
nrpe_user=nrpe
nrpe_group=nrpe
allowed_hosts=192.168.1.100
dont_blame_nrpe=0
debug=0
command_timeout=60
connection_timeout=300
# check_mem and check_network are not part of the standard nagios-plugins package and must be installed separately
command[check_load]=/usr/lib64/nagios/plugins/check_load -w 15,10,5 -c 30,25,20
command[check_mem]=/usr/lib64/nagios/plugins/check_mem -w 80% -c 90%
command[check_disk]=/usr/lib64/nagios/plugins/check_disk -w 20% -c 10% -p /
command[check_network]=/usr/lib64/nagios/plugins/check_network -w 1000 -c 5000
NRPE
systemctl start nrpe
systemctl enable nrpe
# 4. Traffic collection with collectd: local interface counters, plus SNMP polling of the gateway
echo "配置流量监控..."
cat > /etc/collectd/collectd.conf << 'COLLECTD'
Hostname "server.fgedu.net.cn"
FQDNLookup true
BaseDir "/var/lib/collectd"
PIDFile "/var/run/collectd.pid"
PluginDir "/usr/lib64/collectd"
TypesDB "/usr/share/collectd/types.db"
LoadPlugin interface
LoadPlugin network
LoadPlugin snmp
<Plugin interface>
    Interface "eth0"
    IgnoreSelected false
</Plugin>
<Plugin network>
    Server "192.168.1.100" "25826"
</Plugin>
# the "if_octets" and "gateway" block labels are placeholder names
<Plugin snmp>
    <Data "if_octets">
        Type "if_octets"
        Table true
        Instance "IF-MIB::ifDescr"
        Values "IF-MIB::ifInOctets" "IF-MIB::ifOutOctets"
    </Data>
    <Host "gateway">
        Address "192.168.1.1"
        Version 2
        Community "public"
        Collect "if_octets"
    </Host>
</Plugin>
COLLECTD
systemctl start collectd
systemctl enable collectd
echo "网络监控系统配置完成"
EOF
$ chmod +x /usr/local/bin/network_monitoring_system.sh
8.2 Network alert configuration
$ cat > /usr/local/bin/network_alert_config.sh << 'EOF'
#!/bin/bash
echo "配置网络告警..."
# 1. Alert rules (check_network_traffic and check_network_errors are not stock nagios-plugins
#    commands: each needs a "define command" entry and a plugin behind it)
echo "配置告警规则..."
cat > /etc/nagios/objects/network_alerts.cfg << 'ALERT'
define service {
    use                     generic-service
    host_name               server.fgedu.net.cn
    service_description     Network Traffic
    check_command           check_network_traffic!eth0!1000!5000
    max_check_attempts      3
    check_interval          5
    retry_interval          1
    contact_groups          admins
    notification_interval   30
    notification_period     24x7
    notification_options    w,u,c,r
}
define service {
    use                     generic-service
    host_name               server.fgedu.net.cn
    service_description     Network Latency
    check_command           check_ping!8.8.8.8!100.0,20%!500.0,60%
    max_check_attempts      3
    check_interval          5
    retry_interval          1
    contact_groups          admins
    notification_interval   30
    notification_period     24x7
    notification_options    w,u,c,r
}
define service {
    use                     generic-service
    host_name               server.fgedu.net.cn
    service_description     Network Errors
    check_command           check_network_errors!eth0!100!500
    max_check_attempts      3
    check_interval          5
    retry_interval          1
    contact_groups          admins
    notification_interval   30
    notification_period     24x7
    notification_options    w,u,c,r
}
ALERT
# 2. Notification contacts
echo "配置告警通知..."
cat > /etc/nagios/objects/contacts.cfg << 'CONTACT'
define contact {
    contact_name                    network-admin
    alias                           Network Administrator
    service_notification_period     24x7
    host_notification_period        24x7
    service_notification_options    w,u,c,r
    host_notification_options       d,u,r
    service_notification_commands   notify-service-by-email
    host_notification_commands      notify-host-by-email
    email                           network-admin@fgedu.net.cn
}
define contactgroup {
    contactgroup_name   admins
    alias               Network Administrators
    members             network-admin
}
CONTACT
# 3. Mail notification commands. This replaces the stock commands.cfg, which also defines
#    check_ping used above: keep those definitions, or write these two into a separate file
echo "配置邮件通知..."
cat > /etc/nagios/objects/commands.cfg << 'COMMAND'
define command {
    command_name    notify-host-by-email
    command_line    /usr/bin/printf "%b" "***** Nagios *****\n\nNotification Type: $NOTIFICATIONTYPE$\nHost: $HOSTNAME$\nState: $HOSTSTATE$\nAddress: $HOSTADDRESS$\nInfo: $HOSTOUTPUT$\n\nDate/Time: $LONGDATETIME$\n" | /usr/bin/mail -s "** $NOTIFICATIONTYPE$ Host Alert: $HOSTNAME$ is $HOSTSTATE$ **" $CONTACTEMAIL$
}
define command {
    command_name    notify-service-by-email
    command_line    /usr/bin/printf "%b" "***** Nagios *****\n\nNotification Type: $NOTIFICATIONTYPE$\n\nService: $SERVICEDESC$\nHost: $HOSTALIAS$\nAddress: $HOSTADDRESS$\nState: $SERVICESTATE$\n\nDate/Time: $LONGDATETIME$\n\nAdditional Info:\n\n$SERVICEOUTPUT$\n" | /usr/bin/mail -s "** $NOTIFICATIONTYPE$ Service Alert: $HOSTALIAS$/$SERVICEDESC$ is $SERVICESTATE$ **" $CONTACTEMAIL$
}
COMMAND
echo "网络告警配置完成"
EOF
$ chmod +x /usr/local/bin/network_alert_config.sh
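The check_network_errors!eth0!100!500 command referenced above is not a stock plugin. As an added example (not code from the original tutorial), here is a small Nagios-style check that implements it over the /proc/net/dev format shown in section 2.1: it sums the rx/tx error and drop counters of one interface in two snapshots and maps the delta to the usual OK/WARNING/CRITICAL/UNKNOWN exit codes. The snapshot files, their counter values and the check_net_errors/net_errors function names are constructed for the example.

```shell
#!/bin/bash
# Nagios-style plugin: compare the error+drop counters of one interface between two
# /proc/net/dev snapshots and exit 0 (OK), 1 (WARNING), 2 (CRITICAL) or 3 (UNKNOWN).
# In a real deployment the earlier snapshot is saved by the previous run and the later
# one is read straight from /proc/net/dev; here both are constructed files.

# Print rx errs + rx drop + tx errs + tx drop for interface $1 from snapshot file $2.
# Column layout of /proc/net/dev after the "iface:" field:
#   rx: bytes packets errs drop fifo frame compressed multicast
#   tx: bytes packets errs drop fifo colls carrier compressed
net_errors() {
    awk -v ifc="$1" '
        { gsub(/:/, " ") }                      # "eth0:" and "eth0:123" both become "eth0 ..."
        $1 == ifc { print $4 + $5 + $12 + $13; found = 1 }
        END { if (!found) exit 3 }              # interface missing -> UNKNOWN
    ' "$2"
}

# check_net_errors IFACE WARN CRIT BEFORE_FILE AFTER_FILE
check_net_errors() {
    local ifc="$1" warn="$2" crit="$3" before after delta
    before=$(net_errors "$ifc" "$4") || { echo "UNKNOWN - $ifc not present in $4"; return 3; }
    after=$(net_errors "$ifc" "$5")  || { echo "UNKNOWN - $ifc not present in $5"; return 3; }
    delta=$((after - before))
    if [ "$delta" -lt 0 ]; then
        # counters only go backwards when the interface was reset or the driver reloaded;
        # report that instead of paging anyone on a bogus negative delta
        echo "UNKNOWN - $ifc counters reset (before=$before after=$after)"
        return 3
    fi
    # Nagios perfdata after the pipe: label=value;warn;crit
    if [ "$delta" -ge "$crit" ]; then
        echo "CRITICAL - $ifc errors+drops=$delta | errdrop=$delta;$warn;$crit"; return 2
    elif [ "$delta" -ge "$warn" ]; then
        echo "WARNING - $ifc errors+drops=$delta | errdrop=$delta;$warn;$crit"; return 1
    fi
    echo "OK - $ifc errors+drops=$delta | errdrop=$delta;$warn;$crit"; return 0
}

# Constructed sample snapshots (same layout as the 2.1 output); the second one has picked up
# 120 rx errors, 30 rx drops and 5 tx drops on eth0, i.e. a delta of 155.
SAMPLE_DIR=$(mktemp -d)
SAMPLE_BEFORE="$SAMPLE_DIR/netdev.before"
SAMPLE_AFTER="$SAMPLE_DIR/netdev.after"
cat > "$SAMPLE_BEFORE" << 'NETDEV'
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
  eth0: 1234567890 1234567    0    0    0     0          0         0 987654321  987654    0    0    0     0       0          0
    lo:   12345678   12345    0    0    0     0          0         0  12345678   12345    0    0    0     0       0          0
NETDEV
cat > "$SAMPLE_AFTER" << 'NETDEV'
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
  eth0: 1334567890 1334567  120   30    0     0          0         0 1087654321 1087654    0    5    0     0       0          0
    lo:   12345678   12345    0    0    0     0          0         0  12345678   12345    0    0    0     0       0          0
NETDEV

# thresholds as in network_alerts.cfg: warn at 100, critical at 500
if check_net_errors eth0 100 500 "$SAMPLE_BEFORE" "$SAMPLE_AFTER"; then
    echo "exit status: 0"
else
    echo "exit status: $?"
fi
```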
9. Network troubleshooting
9.1 Network troubleshooting procedure
$ cat > /usr/local/bin/network_troubleshoot.sh << 'EOF'
#!/bin/bash
echo "开始网络故障排查..."
# 1. Interfaces and addresses
echo "=== 网络接口检查 ==="
ip addr show
# 2. Routing table
echo -e "\n=== 路由表检查 ==="
ip route show
# 3. DNS resolution
echo -e "\n=== DNS解析检查 ==="
nslookup www.fgedu.net.cn
# 4. Connectivity
echo -e "\n=== 网络连通性检查 ==="
ping -c 5 8.8.8.8
# 5. Listening ports
echo -e "\n=== 端口连接检查 ==="
netstat -antp | grep LISTEN
# 6. Firewall rules (the packet/byte counters show which rules are actually matching)
echo -e "\n=== 防火墙规则检查 ==="
iptables -L -n -v
# 7. Protocol statistics
echo -e "\n=== 网络统计检查 ==="
netstat -s | head -30
# 8. ARP table
echo -e "\n=== ARP表检查 ==="
ip neigh show
# 9. Interface error counters
echo -e "\n=== 网络错误检查 ==="
grep -E "eth0|lo" /proc/net/dev
# 10. Network-related log lines: filter the whole log, then keep the last 20 matches
echo -e "\n=== 网络日志检查 ==="
grep -i network /var/log/messages | tail -20
echo "网络故障排查完成"
EOF
$ chmod +x /usr/local/bin/network_troubleshoot.sh
9.2 Network fault solutions
- No connectivity: check the network configuration, routing table and firewall rules
- DNS resolution fails: check the DNS configuration and the state of the DNS servers
- High latency: check for congestion, the number of route hops and the MTU setting
- Packet loss: check link quality, device performance and the physical line
- Insufficient bandwidth: tune traffic control, add bandwidth, use load balancing
10. Best practices
10.1 Network optimization principles
- Analyse first, then optimize; avoid blind tuning
- Change one parameter at a time and observe the effect
- Record every optimization step and its result
- Establish a performance baseline so the effect of each change can be compared
- Re-evaluate network performance regularly and keep optimizing
10.2 Network optimization checklist
# 1. Bandwidth optimization
- Configure traffic control
- Set up QoS policies
- Tune network buffers
- Enable NIC multi-queue
# 2. Latency optimization
- Tune TCP parameters
- Enable BBR congestion control
- Tune DNS resolution
- Configure a DNS cache
# 3. TCP optimization
- Tune TCP buffers
- Tune TCP connection handling
- Tune TCP timeouts
- Tune TCP congestion control
# 4. Device optimization
- Tune switch configuration
- Tune router configuration
- Tune firewall configuration
- Tune load balancer configuration
# 5. Monitoring
- Configure network monitoring
- Configure network alerts
- Configure traffic analysis
- Configure performance reports
10.3 Network monitoring metrics
# 1. Bandwidth metrics
- Bandwidth utilization
- Traffic rate
- Traffic peaks
- Traffic distribution
# 2. Latency metrics
- Network latency
- DNS latency
- TCP latency
- Application latency
# 3. Reliability metrics
- Packet loss rate
- Error rate
- Retransmission rate
- Connection success rate
# 4. Performance metrics
- Throughput
- Concurrent connections
- Request rate
- Response time
10.4 Network optimization tools
# 1. Bandwidth testing tools
- iperf3: network bandwidth testing
- netperf: network performance testing
- ttcp: TCP performance testing
- bwm-ng: bandwidth monitoring
# 2. Latency testing tools
- ping: ICMP latency testing
- tcpping: TCP latency testing
- hping3: advanced ping tool
- mtr: network diagnostics
# 3. Traffic analysis tools
- iftop: real-time traffic monitoring
- nethogs: per-process traffic monitoring
- vnstat: traffic statistics
- nload: network traffic monitoring
# 4. Network diagnostic tools
- tcpdump: packet capture
- wireshark: protocol analysis
- nmap: network scanning
- netstat: network state
- Build a complete network monitoring system
- Evaluate and optimize network performance regularly
- Establish performance baselines and an alerting mechanism
- Keep learning and applying new techniques
- Write up and share network optimization experience
author:www.itpux.com
Compiled and published by Feng Ge Tutorials for learning and testing purposes only; when reposting, credit the source: http://www.fgedu.net.cn/10327.html
