The switch is a core device in the LAN, so keeping the switch's software in good order matters a great deal: to keep the LAN stable, the switch has to be maintained properly so that it can run efficiently at all times.
Regular upgrades keep the switch alive
The author once ran into a network that kept dropping out, and each time the only thing that cleared the fault was restarting the switch. Traffic anomalies, network viruses and other factors were investigated carefully, and the ISP was asked to test the Internet line; the results showed that the line was fine too.
With no clue left, the author remembered that the switch had been in service for many years and that its software version was quite old, and wondered whether the old software itself was what left the switch short of "vitality". To check this guess, the author logged in to the switch's management interface as system administrator and ran the `display cpu` command at the command line. The output showed the switch's CPU usage consistently above 95%, which explained why the workstations attached to it could not reach the Internet.
Next, the author ran the `display version` command; its output showed that the switch's VRP platform software was an old release. The author immediately downloaded the latest platform software for that switch model from the vendor's official website and began the upgrade.
Because the switch in use supports remote management, the author upgraded it the most common way, over FTP. Before the upgrade proper, the author first checked how much free flash space the switch had: if little remains, some outdated files have to be deleted first, otherwise the new upgrade package cannot be uploaded to the switch at all.
Once enough flash space was confirmed, the author used an ordinary workstation as the FTP server and the switch as the FTP client. This needs no configuration on the switch itself: an FTP server is set up on the workstation, the author logs in to it from the switch, and FTP commands pull the latest VRP platform software (already downloaded to the workstation) into the switch's flash.
To guard against a failed upgrade, the author also backed up the original switch configuration file. Moving a switch from an older to a newer version can change the command line, and some configuration may be lost in the process, so backing up the old configuration file beforehand is essential.
Next, the author used the boot command to specify that the switch should load the new platform software at its next start-up. After the switch restarted successfully on the updated VRP platform software, the author re-applied the configuration against the backup, and the switch's working state immediately returned to normal.
Watching it for a long time afterwards, the author found that the switch's CPU usage held at around 15%, which shows that upgrading the platform software to the latest version really can restore a switch's vitality. So when a LAN switch has been working unstably, promptly check the version of its platform software; if the version is found to be old, upgrade it in time. This resolves many hidden faults caused by the switch's own software.
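The pre-flight checks the upgrade above depends on (enough free flash, stale files removed first, and, a check the article does not mention but any practitioner should add, confirming the downloaded image is byte-for-byte what the vendor published) can be scripted on the workstation that serves the FTP upload. The following is an added example, not the author's procedure: the `dir` listing, the image bytes and the vendor digest are constructed; the footer line "NNN KB total (NNN KB free)" and the entry layout are assumed to follow the VRP/Comware-style `dir` output and may need adjusting for your platform; and the plan only ever proposes deleting files you have explicitly listed as stale, so the running image and startup.cfg stay in place as a rollback.

```python
"""Pre-flight checks before pushing a platform image to a switch over FTP.

Added example (not from the original article). Assumptions:
  - the vendor publishes a SHA-256 digest for the image; VENDOR_SHA256 below is a
    constructed value computed from the constructed SAMPLE_IMAGE bytes;
  - `dir` on the switch ends with a line like "31877 KB total (12345 KB free)" and
    lists entries as "idx -rw- size Mon DD YYYY HH:MM:SS name" (VRP/Comware style).
"""
import hashlib
import re

KB = 1024

# Constructed stand-in for the downloaded image (1 MiB) and its "vendor" digest.
SAMPLE_IMAGE = b"VRP-IMAGE-SAMPLE" * 64 * 1024
VENDOR_SHA256 = hashlib.sha256(SAMPLE_IMAGE).hexdigest()  # in practice: copy from the vendor site

# Constructed `dir` output: old image, startup config, and a stale log file.
SAMPLE_DIR = """Directory of flash:/

   0     -rw-     1048576  Apr 26 2006 12:00:00   s3600-old.bin
   1     -rw-        2345  Apr 26 2006 12:00:00   startup.cfg
   2     -rw-      524288  Apr 26 2006 12:00:00   logfile.old

15873 KB total (600 KB free)
"""

_TOTAL_RE = re.compile(r"(\d+)\s*KB total\s*\((\d+)\s*KB free\)")
_ENTRY_RE = re.compile(r"^\s*\d+\s+-rw-\s+(\d+)\s+\S+\s+\S+\s+\S+\s+\S+\s+(\S+)\s*$")


def image_is_genuine(image: bytes, vendor_sha256: str) -> bool:
    """Refuse to upload anything whose SHA-256 differs from the vendor-published digest."""
    return hashlib.sha256(image).hexdigest() == vendor_sha256.strip().lower()


def parse_dir(output: str):
    """Return (free_kb, [(name, size_bytes), ...]) from a `dir` listing in the assumed format."""
    free_kb = None
    files = []
    for line in output.splitlines():
        m = _TOTAL_RE.search(line)
        if m:
            free_kb = int(m.group(2))
            continue
        m = _ENTRY_RE.match(line)
        if m:
            files.append((m.group(2), int(m.group(1))))
    if free_kb is None:
        raise ValueError("no 'KB total (... KB free)' line found in dir output")
    return free_kb, files


def plan_upload(image: bytes, vendor_sha256: str, dir_output: str, stale_names):
    """Decide whether the image may be uploaded and which stale files must be deleted first.

    Only names in `stale_names` are candidates for deletion; the old image and the
    startup configuration are never touched unless you list them, so a rollback stays possible.
    """
    if not image_is_genuine(image, vendor_sha256):
        return {"ok": False, "reason": "digest mismatch", "delete": []}
    free_kb, files = parse_dir(dir_output)
    need_kb = -(-len(image) // KB)  # round up to whole KB
    to_delete = []
    for name, size in files:
        if free_kb >= need_kb:
            break
        if name in stale_names:
            to_delete.append(name)
            free_kb += size // KB
    if free_kb < need_kb:
        return {"ok": False, "reason": f"need {need_kb} KB, only {free_kb} KB free", "delete": to_delete}
    return {"ok": True, "reason": "", "delete": to_delete}


if __name__ == "__main__":
    print(plan_upload(SAMPLE_IMAGE, VENDOR_SHA256, SAMPLE_DIR, {"logfile.old"}))
```

Run this before logging in to the FTP server from the switch: a digest mismatch means the image is not uploaded at all, and the `delete` list is what to remove on the switch (with its own delete command) before the transfer so the `get` does not fail part-way through.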
Collecting suspicious traffic
Once suspicious traffic is detected, the packets themselves need to be captured to determine whether the abnormal traffic is a new worm. As noted earlier, NetFlow does not inspect packet contents in depth; a network analysis tool or an intrusion detection device is needed to make that further judgement. But how can suspicious traffic be captured quickly and easily and steered to the analysis tool? Speed matters, otherwise the chance to stop the worm in its early stage is lost. Besides quickly locating the physical position of the suspect device, a way is needed to gather evidence as soon as possible. It is not feasible to place a network analyzer or intrusion detection device beside every access-layer switch, nor to carry an analyzer to the wiring closet whenever suspicious traffic appears. With that in mind, let's look at how Catalyst features meet these needs.
Detecting suspicious traffic
The Catalyst 6500 and the Catalyst 4500 (with Supervisor IV, Supervisor V and Supervisor V-10GE) provide hardware-based NetFlow to record information about the traffic flowing through the network. Collection and statistics are done in hardware ASICs, so there is no impact on system performance. The Catalyst 4500 Supervisor V-10GE includes the NetFlow card by default, so no additional investment is needed.
Tracking suspicious sources
Catalyst integrated security features provide Identity-Based Network Services (IBNS) together with DHCP snooping, IP Source Guard and Dynamic ARP Inspection. These features bind a user's IP address and MAC address to the physical port and guard against IP address spoofing. This is very important: if IP address spoofing cannot be prevented, the information NetFlow collects is meaningless, because the source address in a flow record would not identify the real sender.
This binding information is available as soon as a user logs on to the network, and with ACS the user name they logged on with can be located as well. A script on the NetFlow collector can then e-mail the relevant details to the network administrator when suspicious traffic is found. In the notification e-mail of this example, the user CITG, in group CITG-1 (the group is used for 802.1x login), is reported for abnormal network activity; the IP address of the access-layer switch is 10.252.240.10 and the physical interface is FastEthernet4/1. The e-mail also carries the client's IP and MAC addresses, and the traffic volume and packet count it sent within five minutes (the interval is defined by the script). With this information the administrator can act immediately, as follows.
Capturing suspicious traffic over remote SPAN
The remote port mirroring feature (RSPAN) supported on Catalyst access-layer switches can mirror traffic to a remote switch for capture. For example, traffic from a port or VLAN on an access-layer switch can be mirrored across the trunk to a port on a distribution- or core-layer switch with a few simple commands. There the traffic is delivered to a network analysis or intrusion detection device (such as the Catalyst 6500's integrated Network Analysis Module, NAM, or IDS module) for further analysis and the corresponding response.
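The collector-side script described under "Tracking suspicious sources", together with the RSPAN step above, as one added example that is not the article's own script. It assumes the NetFlow records have already been exported and decoded into tuples (the FLOWS below are constructed and cover one five-minute window), that the IP-to-port-to-user bindings DHCP snooping, IP Source Guard and ACS provide have been exported into a lookup table (BINDINGS is constructed, reusing the article's sample values), and that the access switch runs Cisco IOS, so the capture commands placed in the e-mail use IOS RSPAN syntax; the fan-out threshold and the e-mail addresses are placeholders.

```python
"""Collector-side worm alert with RSPAN capture commands in the notification.

Added example (not the article's script). Constructed data throughout; the detection
signal is fan-out (many distinct destinations per window), which is what a scanning worm
produces and a busy legitimate client does not. IOS RSPAN syntax is an assumption.
"""
from collections import defaultdict
from email.message import EmailMessage

WINDOW_MINUTES = 5
FANOUT_THRESHOLD = 50  # distinct destination host/port pairs per window; tune per network


def _constructed_flows():
    """One worm-like host probing tcp/445 on 80 hosts, plus one ordinary web client."""
    flows = []
    for i in range(80):
        flows.append(("10.252.1.23", f"10.252.2.{i + 1}", 6, 445, 1, 48))
    for i in range(5):
        flows.append(("10.252.1.40", f"10.10.0.{i + 1}", 6, 80, 120, 150000))
    return flows


# Decoded NetFlow records: (src_ip, dst_ip, ip_proto, dst_port, packets, bytes)
FLOWS = _constructed_flows()

# What DHCP snooping / IP Source Guard / 802.1x + ACS let the collector look up (constructed)
BINDINGS = {
    "10.252.1.23": {"mac": "0011.2233.4455", "switch": "10.252.240.10",
                    "interface": "FastEthernet4/1", "user": "CITG", "group": "CITG-1"},
    "10.252.1.40": {"mac": "0011.2233.4466", "switch": "10.252.240.10",
                    "interface": "FastEthernet4/2", "user": "alice", "group": "staff"},
}


def find_scanners(flows, threshold=FANOUT_THRESHOLD):
    """Return {src_ip: {targets, packets, bytes}} for sources whose fan-out reaches threshold."""
    targets = defaultdict(set)
    packets = defaultdict(int)
    octets = defaultdict(int)
    for src, dst, proto, dport, p, b in flows:
        targets[src].add((dst, proto, dport))
        packets[src] += p
        octets[src] += b
    return {src: {"targets": len(t), "packets": packets[src], "bytes": octets[src]}
            for src, t in targets.items() if len(t) >= threshold}


def rspan_commands(binding, session=1, rspan_vlan=900):
    """IOS commands for the access switch: mirror the offender's port into an RSPAN VLAN.

    The receiving distribution/core switch declares the same VLAN remote-span and uses
    'monitor session N source remote vlan 900' with its analyzer port as destination.
    """
    return [
        f"vlan {rspan_vlan}",
        " remote-span",
        f"monitor session {session} source interface {binding['interface']}",
        f"monitor session {session} destination remote vlan {rspan_vlan}",
    ]


def build_alert(src_ip, stats, bindings, to_addr="netadmin@example.com"):
    """Compose the notification e-mail; delivery is left to smtplib at the call site."""
    b = bindings.get(src_ip, {})
    msg = EmailMessage()
    msg["Subject"] = f"[NetFlow] abnormal activity from {src_ip} (user {b.get('user', 'unknown')})"
    msg["From"] = "netflow-collector@example.com"
    msg["To"] = to_addr
    lines = [
        f"User: {b.get('user', 'unknown')}  Group: {b.get('group', 'unknown')}",
        f"Client IP: {src_ip}  MAC: {b.get('mac', 'unknown')}",
        f"Access switch: {b.get('switch', 'unknown')}  Interface: {b.get('interface', 'unknown')}",
        f"Last {WINDOW_MINUTES} min: {stats['targets']} distinct targets, "
        f"{stats['packets']} packets, {stats['bytes']} bytes",
        "",
        "To capture this host's traffic over RSPAN, on the access switch:",
    ]
    if "interface" in b:
        lines += ["  " + c for c in rspan_commands(b)]
    msg.set_content("\n".join(lines) + "\n")
    return msg


def alerts_for_window(flows=FLOWS, bindings=BINDINGS):
    """Run the check over one window and return the e-mails that should be sent."""
    return [build_alert(src, stats, bindings) for src, stats in find_scanners(flows).items()]


if __name__ == "__main__":
    for m in alerts_for_window():
        print(m)
```

The only host flagged is the one touching 80 distinct targets with one packet each; the client moving far more bytes to five web servers is left alone. Sending is a one-liner with `smtplib.SMTP(...).send_message(msg)` once the collector can reach a mail relay; it is kept out of the block so the example runs offline.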