Why does a switch whose VRP platform software has just been upgraded return to normal operation immediately once its previous configuration is restored?
As the core network device in a LAN, the switch has to be maintained carefully. To make the LAN run more stably, we often need to adjust the switch appropriately so that the device keeps running efficiently.
Regular upgrades keep switches alive
I once encountered a fault in which the network was interrupted frequently, and each time restarting the switch resolved the problem. After carefully ruling out traffic anomalies, network viruses and other factors, I asked the ISP to test the Internet access line; the result showed that the line had no problems.
Without a clue, I suddenly remembered that the switch had been in service for many years and that its software version was quite old. Could the old version be the reason the switch was sluggish? To verify this guess,
I immediately logged on to the switch's management interface as the system administrator and ran the "display cpu" command at the command line. The CPU usage of the switch was consistently above 95%; no wonder the workstations connected to it could not access the Internet.
Next I ran the "display version" command. The output showed that the VRP platform software version of the switch was old, so I downloaded the latest platform software from the switch vendor's official website and started the upgrade.
Because the switch supports remote management, I used the most common method, FTP, for the upgrade. Before the upgrade I first checked the free space in the switch's Flash memory. If little space is available, some outdated files must be deleted first; otherwise the latest upgrade package cannot be uploaded to the switch.
After confirming that sufficient Flash space remained, I used my ordinary workstation as the FTP server and the switch as the FTP client. This way an FTP server can be set up easily without any configuration on the switch. I then logged on to the FTP server from the switch and used the FTP commands to download the latest VRP platform software from the workstation into the switch's Flash memory.
To guard against a failed upgrade, I also backed up the original switch configuration file. When a switch is upgraded from a lower to a higher version, some configuration information may be lost, so backing up the old configuration file is necessary.
Then I used the boot command to specify that the switch should load the new platform software at the next startup. After the switch restarted successfully with the updated VRP platform software, it was reconfigured from the previous configuration and its working status immediately returned to normal.
Over a long observation period the system CPU usage stayed around 15%, which shows that once the platform software was upgraded to the latest version the switch remained responsive. Therefore, when a LAN switch is unstable, check the version of its platform software promptly. If the version is found to be old, upgrade it in time; this resolves many hidden failures caused by the switch's own performance.
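The pre-upgrade checks described above (is the CPU saturated, does the new image fit in Flash, and which outdated files would have to be removed first) can be scripted on the administrator's workstation instead of being eyeballed. The following is an added example, not code from the article or from the switch vendor. The command output it parses is constructed in the style of an older VRP "display cpu" and "dir flash:" output; the exact format, the file names and the 80% alert threshold are assumptions for this example, and on a real device the regular expressions must be adjusted to the output the switch actually prints.

```python
import re

# Constructed sample of "display cpu" output (assumed format, not captured from a real switch).
SAMPLE_DISPLAY_CPU = """\
Unit 1
  CPU Usage Stat. Cycle: 60 (Second)
  CPU Usage           : 95%
  CPU Usage Stat. Time: 2024-01-01 10:00:00
"""

# Constructed sample of "dir flash:" output (assumed format, not captured from a real switch).
SAMPLE_DIR_FLASH = """\
Directory of flash:/

  Idx  Attr     Size(Byte)  Date        Time       FileName
    0  -rw-     10,485,760  Jan 01 2008 00:00:00   vrp-old.bin
    1  -rw-        102,400  Jan 01 2008 00:00:00   vrpcfg.cfg
    2  -rw-      9,000,000  Jan 01 2006 00:00:00   vrp-older.bin

32,768 KB total (12,000 KB free)
"""

CPU_ALERT_PERCENT = 80  # assumption: above this the switch is treated as saturated


def parse_cpu_percent(output: str) -> int:
    """Extract the integer CPU usage percentage from the display output."""
    m = re.search(r"CPU Usage\s*:\s*(\d+)%", output)
    if not m:
        raise ValueError("no CPU usage line found")
    return int(m.group(1))


def cpu_is_saturated(output: str, threshold: int = CPU_ALERT_PERCENT) -> bool:
    return parse_cpu_percent(output) > threshold


def parse_dir_flash(output: str):
    """Return (free_kb, [(filename, size_bytes), ...]) from the dir listing."""
    free = re.search(r"\(([\d,]+)\s*KB free\)", output)
    if not free:
        raise ValueError("no free-space line found")
    free_kb = int(free.group(1).replace(",", ""))
    files = []
    for line in output.splitlines():
        m = re.match(r"\s*\d+\s+-rw-\s+([\d,]+)\s+\S+ \d+ \d{4} \S+\s+(\S+)\s*$", line)
        if m:
            files.append((m.group(2), int(m.group(1).replace(",", ""))))
    return free_kb, files


def upgrade_preflight(dir_output: str, image_size_bytes: int, current_image: str, keep=()):
    """Decide whether the new image fits in Flash. If it does not, propose old .bin
    images to delete (largest first), never the running image or the files in keep
    (e.g. the configuration backup the article recommends making)."""
    free_kb, files = parse_dir_flash(dir_output)
    needed_kb = -(-image_size_bytes // 1024)  # ceiling division to whole KB
    to_delete = []
    if needed_kb > free_kb:
        candidates = sorted(
            (f for f in files
             if f[0].endswith(".bin") and f[0] != current_image and f[0] not in keep),
            key=lambda f: -f[1],
        )
        for name, size in candidates:
            if needed_kb <= free_kb:
                break
            to_delete.append(name)
            free_kb += size // 1024
    return {"fits": needed_kb <= free_kb, "free_kb": free_kb,
            "needed_kb": needed_kb, "delete": to_delete}


if __name__ == "__main__":
    print("CPU saturated:", cpu_is_saturated(SAMPLE_DISPLAY_CPU))
    # 15,000,000-byte image: constructed size for a new VRP package
    print(upgrade_preflight(SAMPLE_DIR_FLASH, 15_000_000, "vrp-old.bin", keep=("vrpcfg.cfg",)))
```

The deletion list is only a proposal for the administrator to review before issuing any delete command on the switch; the script never talks to the device itself, it only reasons about captured command output.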
Collecting suspicious traffic. Once suspicious traffic is detected, we need to capture the packets to determine whether the abnormal traffic is caused by a new worm. As described above, NetFlow does not perform in-depth analysis of packets,
so a network analysis tool or intrusion detection device is needed for further judgment. But how can suspicious traffic be captured quickly and easily and directed to the analysis tool? Speed is essential; otherwise the chance of killing the worm in its early stage is lost. Besides quickly locating the physical location of the suspicious device, evidence should be collected as soon as possible.
We cannot place a network analyzer or intrusion detection device next to every access-layer switch, or carry the analyzer to the wiring closet whenever suspicious traffic is detected. With the above analysis in mind, let us see how the Catalyst features meet these needs.
Detecting suspicious traffic. The Catalyst 6500 and Catalyst 4500 (Sup IV, Sup V and Sup V-10GE) provide hardware-based NetFlow to collect information about the traffic flowing through the network. Collection and statistics are performed by the hardware ASIC, so there is no impact on system performance. The Catalyst 4500 Sup V-10GE comes with a NetFlow card by default, so no additional investment is required.
Tracing suspicious sources. The security features integrated in Catalyst switches provide Identity-Based Network Services (IBNS), as well as DHCP snooping, IP Source Guard and Dynamic ARP Inspection. These functions provide the information to bind a user's IP address, MAC address and physical port, and prevent spoofed IP addresses. This is very important: if IP address spoofing cannot be prevented, the information collected by NetFlow is meaningless.
This information is available as soon as the user logs on to the network; combined with ACS, the logon user name can also be located. A script on the NetFlow collector can then email the suspicious-traffic details.
The related information is sent to the network administrator. In the notification email, the user with abnormal network activity, CITG, was reported to belong to group CITG-1 (identified via 802.1x login). The IP address of the access-layer switch is 10.252.240.10 and the physical interface is FastEthernet4/1.
The email also contains the client's IP address and MAC address, together with the number of flows and packets sent in five minutes (the interval is defined by the script). Once this information is obtained, the network administrator can immediately take the following action: capture the suspicious traffic through remote SPAN. The Remote SPAN (RSPAN) function supported by the Catalyst access-layer switch can mirror traffic to a remote switch.
For example, traffic from a port or VLAN on the access-layer switch is mirrored across the trunk to a port on the distribution- or core-layer switch, and only a few simple commands are required. The traffic is thus captured to a network analysis or intrusion detection device (such as the Catalyst 6500 integrated Network Analysis Module, NAM, or IDS module) for further analysis and action.
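The collector script the article mentions is not shown, so here is an added example of what such a script does, written in Python and not taken from the article or from any Cisco product: it summarises one five-minute batch of flow records per source, flags sources with worm-like fan-out (many distinct destinations on one port), joins the flagged source with the IP/MAC/port/user binding that DHCP snooping, IP Source Guard and 802.1x (with ACS) provide, and composes the notification message with the same fields the article's email carried. The flow records, the binding table, the client IP and MAC, the 50-destination threshold and the recipient address are constructed for this example; the switch IP, interface, user and group are the values quoted in the article. The message is built but not sent, so the script runs offline.

```python
from collections import defaultdict
from email.message import EmailMessage

# Constructed binding table, as the switch's DHCP snooping / IP Source Guard / 802.1x
# information would be exported to the collector. Client IPs and MACs are made up;
# switch IP, port, user and group are the values quoted in the article.
BINDINGS = {
    "10.252.241.77": {"mac": "00aa.bbcc.ddee", "switch": "10.252.240.10",
                      "port": "FastEthernet4/1", "user": "CITG", "group": "CITG-1"},
    "10.252.241.20": {"mac": "00aa.bbcc.0020", "switch": "10.252.240.10",
                      "port": "FastEthernet4/2", "user": "alice", "group": "STAFF"},
}

WINDOW_MINUTES = 5          # collection interval, as in the article
DISTINCT_DST_THRESHOLD = 50  # assumption: fan-out above this in one window is suspicious


def constructed_flows():
    """One five-minute batch of (src_ip, dst_ip, dst_port, packets), constructed."""
    flows = []
    # host .77 touches 60 different hosts on TCP/445 with one packet each: scan-like fan-out
    for i in range(1, 61):
        flows.append(("10.252.241.77", f"10.10.{i}.5", 445, 1))
    # host .20 has a few ordinary sessions to two servers
    flows += [("10.252.241.20", "10.1.1.1", 80, 240),
              ("10.252.241.20", "10.1.1.2", 443, 510),
              ("10.252.241.20", "10.1.1.1", 80, 12)]
    return flows


def summarize(flows):
    """Per source: flow count, packet count, distinct destinations, flows per dst port."""
    stats = defaultdict(lambda: {"flows": 0, "packets": 0, "dsts": set(),
                                 "ports": defaultdict(int)})
    for src, dst, port, pkts in flows:
        s = stats[src]
        s["flows"] += 1
        s["packets"] += pkts
        s["dsts"].add(dst)
        s["ports"][port] += 1
    return stats


def find_suspicious(flows, threshold=DISTINCT_DST_THRESHOLD):
    """Sources that contacted more than `threshold` distinct destinations in the window."""
    return {src: s for src, s in summarize(flows).items() if len(s["dsts"]) > threshold}


def build_notification(src, stats, bindings, to="netadmin@example.invalid"):
    """Compose the administrator email with the binding and flow details; does not send it."""
    b = bindings.get(src, {})
    top_port = max(stats["ports"], key=stats["ports"].get)
    msg = EmailMessage()
    msg["To"] = to
    msg["Subject"] = (f"[NetFlow] suspicious fan-out from {src} "
                      f"(user {b.get('user', 'unknown')}, group {b.get('group', 'unknown')})")
    msg.set_content(
        f"User: {b.get('user', 'unknown')} (802.1x group {b.get('group', 'unknown')})\n"
        f"Access switch: {b.get('switch', 'unknown')}  interface: {b.get('port', 'unknown')}\n"
        f"Client IP: {src}  MAC: {b.get('mac', 'unknown')}\n"
        f"Last {WINDOW_MINUTES} min: {stats['flows']} flows, {stats['packets']} packets, "
        f"{len(stats['dsts'])} distinct destinations, most-targeted port {top_port}\n"
        f"Suggested action: RSPAN interface {b.get('port', '?')} to the analysis module.\n"
    )
    return msg


def run(flows=None, bindings=BINDINGS):
    """Return {src: EmailMessage} for every flagged source in the batch."""
    flows = constructed_flows() if flows is None else flows
    return {src: build_notification(src, s, bindings) for src, s in find_suspicious(flows).items()}


if __name__ == "__main__":
    for msg in run().values():
        print(msg)
```

A real collector would feed exported NetFlow v5/v9 records into summarize() per interval and hand the message to an SMTP relay; the fan-out threshold should be tuned to the site's normal traffic so that servers and monitoring hosts are not reported every five minutes.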