Managing the switch configuration file is very important, yet many users still pay little attention to it. This is dangerous and exposes their networks to security risks. The configuration file is the core of a Cisco network device, much like the Registry of an operating system: if the Registry is damaged or contains incorrect settings, the operating system cannot start or run stably.
The same applies to a switch: if there is an error in the configuration file, the switch and the network devices behind it will not work properly. In this article I will discuss how to reduce the security risks related to configuration files by managing switch configuration files carefully.
Generally, a Cisco switch configuration file can be stored in three locations: RAM (the switch's working memory, whose contents are lost on power failure), NVRAM (non-volatile random access memory, another kind of memory inside the switch that keeps its contents without power), and a TFTP server. All three locations can hold switch configuration files, but their roles differ. Before describing those differences, I think it is necessary for network administrators, especially technical staff who have only just started working with Cisco equipment, to understand two basic concepts: the startup configuration and the running configuration. The startup configuration, as the name implies, is the configuration the switch loads during startup, that is, its initialization configuration. The running configuration is the configuration of the switch while it is operating; for example, so-called dynamic parameters can be modified directly while the switch is running. With these two concepts in hand, the rest is easier to follow.
When the switch starts, it reads the configuration file from NVRAM (non-volatile random access memory) and uses the contents of that initial configuration file to initialize itself. Note that the contents of RAM are lost on power-off, so RAM holds no configuration before the switch starts. During startup, the switch reads the configuration file from NVRAM, creates a copy of it in RAM, and then initializes from that copy. In other words, before initialization the switch first copies the configuration file from NVRAM into RAM, rather than initializing directly from the file in NVRAM. We can therefore regard the configuration file in NVRAM as the startup configuration file and the configuration file in RAM as the running configuration file.
Note that the startup configuration file is normally identical to the running configuration file. However, if you change the switch configuration while the switch is running, the startup configuration file and the running configuration file may differ. This is similar to database initialization parameters. Database parameters include dynamic parameters and static parameters; dynamic parameters can be changed while the database is running. In this respect, however, the database design is better than Cisco's IOS design: when changing a dynamic parameter you can choose whether to change only the contents of memory (equivalent to the switch's running configuration file) or to change memory and the initialization parameter file (equivalent to the switch's startup configuration file) at the same time. When a dynamic parameter is changed on a switch, the change is saved only to RAM, and the contents of RAM are lost after a power failure or restart. That is, the next time the switch restarts, IOS initializes from the startup configuration file again; since the last modification was never saved there, it is lost, and the network administrator may have to reconfigure it. Obviously, this is something no network administrator wants to see.
Key points for managing Configuration Files
To put it simply, managing the switch configuration file means running the copy command at the right time and in the right place. With the copy command, IOS software moves the configuration file from one component or device to another. The command takes two parameters: the first is the source, that is, the file to be copied; the second is the destination, that is, where the configuration file is to be copied to. For example, copy running-config tftp copies the running configuration file to a TFTP server on the network. Note that if the destination already contains a file of the same name, this command overwrites it. This sounds simple, but doing it well is harder. Specifically, you need to do the following.
First, after changing the running configuration file in RAM, back up the latest running configuration. This is necessary because the contents of RAM are lost after a power failure. If a network administrator wants a change made while the switch is running to remain in effect at the next startup, the change must be saved to the startup configuration file. To do this, run copy running-config startup-config, which saves the running configuration file to the startup configuration file, so the latest update to the switch is preserved. Note that when copying the running configuration from RAM to NVRAM, you must be sure the current configuration is correct. That is, after modifying parameters in the running configuration, we generally do not rush to copy them to NVRAM; instead we test and observe the new parameters to determine whether they have taken effect and meet our needs. Only when the new configuration runs normally should the update be saved to the startup configuration file. Otherwise, if a parameter is set incorrectly, problems may appear at the next startup. For safety, it is best to back up the contents of NVRAM before copying the running configuration to NVRAM.
Second, this matters because copy running-config startup-config automatically overwrites the startup configuration file at the destination. If the running configuration is wrong at that moment, there is no way back. For this reason, the author suggests that network administrators take one extra step when managing configuration files: before saving the update, back up the original startup configuration file to the TFTP server. Then, even if the latest configuration is incorrect and has already been saved, the backup configuration file can be used to start the switch. To do this, run copy start tftp, which saves the startup configuration file to the TFTP server. If there is a problem with the startup configuration file, run copy tftp start to copy the backup configuration file back into NVRAM so that the switch initializes from it.
Third, in addition to copying between NVRAM and the TFTP server, you can also copy between RAM and the TFTP server. For example, a network administrator updates a parameter in the switch configuration, such as setting up a VLAN, and it may be hard to judge within a short time whether the new configuration is correct; the decision may take a week or longer. In that case it is better not to update the startup configuration file too readily. The recommended approach is to copy the running configuration file from RAM to the TFTP server as a temporary measure, and only after confirming that the configuration is correct copy it back over the running configuration file so that the latest working update is retained. To do this, run copy run tftp (copy the running configuration file to the TFTP server) or copy tftp run (copy the configuration file on the TFTP server into RAM).
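The workflow in the three points above (verify a change before saving it, and keep a backup that the save step cannot silently overwrite) can be checked from the administrator's workstation once copies of both configuration files have been retrieved, for instance from the TFTP server. The following Python script is an added example and is not part of the original article or of Cisco's tooling: it compares a copy of the startup configuration against a copy of the running configuration to list the unsaved statements that would be lost at the next reload, and it archives snapshots under timestamped names so that a later backup never overwrites an earlier one, unlike a copy to a TFTP server under the same filename. The two configuration texts, the hostname SW-CORE-1 and all function names are constructed for this example.

```python
"""Added example: detect unsaved configuration changes on a Cisco IOS switch
and archive configuration snapshots without overwriting earlier backups."""
import difflib
import hashlib
import os
from datetime import datetime, timezone

# Constructed sample configurations (not captured from a real device).
# The running config has an extra VLAN and a changed vty transport line
# that were never saved with "copy running-config startup-config".
STARTUP_CONFIG = """\
Building configuration...
Current configuration : 512 bytes
!
hostname SW-CORE-1
!
vlan 10
 name users
!
interface GigabitEthernet0/1
 switchport access vlan 10
!
line vty 0 4
 login local
 transport input ssh
!
end
"""

RUNNING_CONFIG = """\
Building configuration...
Current configuration : 560 bytes
!
hostname SW-CORE-1
!
vlan 10
 name users
vlan 20
 name guests
!
interface GigabitEthernet0/1
 switchport access vlan 10
!
line vty 0 4
 login local
 transport input ssh telnet
!
end
"""

# Lines that change on every capture and carry no configuration statement.
VOLATILE_PREFIXES = ("!", "Building configuration", "Current configuration")


def normalize(config_text):
    """Keep only configuration statements: drop blank lines, '!' separators
    and the banner lines printed by 'show' commands."""
    lines = []
    for line in config_text.splitlines():
        stripped = line.rstrip()
        if not stripped or stripped.startswith(VOLATILE_PREFIXES):
            continue
        lines.append(stripped)
    return lines


def config_drift(startup_text, running_text):
    """Return (added, removed): statements only in the running config
    (changes that will be lost at the next reload) and statements only in
    the startup config (old settings that will reappear at the next reload)."""
    startup, running = normalize(startup_text), normalize(running_text)
    matcher = difflib.SequenceMatcher(a=startup, b=running, autojunk=False)
    added, removed = [], []
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag in ("delete", "replace"):
            removed.extend(startup[i1:i2])
        if tag in ("insert", "replace"):
            added.extend(running[j1:j2])
    return added, removed


def fingerprint(config_text):
    """SHA-256 over the normalized statements, so two captures of the same
    configuration compare equal even if the banner lines differ."""
    return hashlib.sha256("\n".join(normalize(config_text)).encode()).hexdigest()


def archive_config(archive_dir, device, kind, config_text, now=None):
    """Write a timestamped snapshot such as SW-CORE-1_startup_20240101T120000Z.cfg
    and refuse to overwrite an existing file (open mode 'x'), so a backup taken
    before a save can never be replaced by a later, possibly bad, copy."""
    now = now or datetime.now(timezone.utc)
    stamp = now.strftime("%Y%m%dT%H%M%SZ")
    os.makedirs(archive_dir, exist_ok=True)
    path = os.path.join(archive_dir, f"{device}_{kind}_{stamp}.cfg")
    with open(path, "x", encoding="utf-8") as fh:
        fh.write(config_text)
    return path


if __name__ == "__main__":
    if fingerprint(STARTUP_CONFIG) == fingerprint(RUNNING_CONFIG):
        print("startup-config and running-config match; nothing unsaved")
    else:
        added, removed = config_drift(STARTUP_CONFIG, RUNNING_CONFIG)
        print("unsaved changes (lost at next reload):")
        for line in added:
            print("  +", line)
        print("statements only in startup-config (return at next reload):")
        for line in removed:
            print("  -", line)
```

Run the drift check before every copy running-config startup-config so that what is about to be written to NVRAM is exactly what was tested, and archive the startup configuration first so the pre-save state is always recoverable. One caveat when restoring: on IOS, copying a file into running-config merges its statements into the existing running configuration rather than replacing it, so after a copy tftp run it is worth running the same comparison again to confirm the result is what was expected.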
To conclude, I should emphasize that configuring the running configuration file or the initial parameter file involves a great deal of material and is not easy. But when it comes to managing the configuration file, the copy command is the core. The key to using this command is to back up the configuration file before making any changes and, after confirming that the update works, to save it to NVRAM, which survives a power failure, or to the TFTP server on the network.