Wibble's Blog | Musings of an IT professional


I have been working with the Netscreen, and then Juniper, firewall products for the past five years and am still learning new and interesting features they offer. One thing I have been configuring more and more recently is secondary Internet connections, with fail-over between them, for clients. This post runs through the steps required to configure an SSG firewall to use track-ip to monitor IP addresses on the Internet and then automatically fail over, and fail back, an Internet connection.

The first thing we need to do is move the interfaces that will carry the Internet connections so that each is in its own virtual router. This lets each virtual router hold an active default route for its own connection, so the two connections behave independently of each other. A zone cannot be moved between virtual routers while interfaces are bound to it, so the interfaces are unbound first and bound back to their zones once the zones are in the right virtual routers.

set interface ethernet0/0 zone null
set interface ethernet0/1 zone null
set zone untrust vrouter untrust-vr
set vrouter name adsl-vr
set zone name BackupUntrust
set zone BackupUntrust vrouter adsl-vr
set interface ethernet0/0 zone untrust
set interface ethernet0/1 zone BackupUntrust

For this example I am using the 192.0.2.0/24 range (TEST-NET-1) for the WAN connections; the IETF reserves it for documentation and examples (RFC 5735, and RFC 5737 which is dedicated to the documentation blocks), so it will never clash with a real address. Each interface also gets a separate manage-ip, which is the address the firewall uses for its own management traffic. As both interfaces are public facing, management is restricted to SSH and SSL (HTTPS); responding to ping is also enabled so the circuits can be tested from outside, but leave that line out if you would rather the addresses did not answer probes. Note that `set interface ... manage ssh` only adds a protocol: if Telnet or plain HTTP (web) management is already enabled on the interface it stays enabled, so check the result with `get interface ethernet0/0` and `unset` anything you do not want exposed on a public address.

set interface ethernet0/0 ip 192.0.2.2/29
set interface ethernet0/0 route
set interface ethernet0/0 manage-ip 192.0.2.3
set interface ethernet0/0 manage ping
set interface ethernet0/0 manage ssh
set interface ethernet0/0 manage ssl
set interface ethernet0/1 ip 192.0.2.10/29
set interface ethernet0/1 route
set interface ethernet0/1 manage-ip 192.0.2.11
set interface ethernet0/1 manage ping
set interface ethernet0/1 manage ssh
set interface ethernet0/1 manage ssl

Now we need to set up the default route out of each virtual router so that each connection can reach the rest of the Internet. The gateway in each case is the ISP router at the other end of the /29.

set vrouter untrust-vr
set route 0.0.0.0/0 interface ethernet0/0 gateway 192.0.2.1
exit
set vrouter adsl-vr
set route 0.0.0.0/0 interface ethernet0/1 gateway 192.0.2.9
exit

We also need to ensure that internal users, whose interfaces sit in the default trust-vr, are able to route to both the untrust-vr and the adsl-vr. This is done by exporting the default static route from each of those virtual routers into the trust-vr.

set vrouter "untrust-vr"
set access-list 1
set access-list 1 permit ip 0.0.0.0/0 1
set route-map name "untrust-vr_export" permit 1
set match ip 1
set preserve preference
exit
set export-to vrouter "trust-vr" route-map "untrust-vr_export" protocol static
exit
set vrouter "adsl-vr"
set access-list 1
set access-list 1 permit ip 0.0.0.0/0 1
set route-map name "adsl-vr_export" permit 1
set match ip 1
exit
set export-to vrouter "trust-vr" route-map "adsl-vr_export" protocol static
exit

This imports both default routes into the trust-vr. The `set preserve preference` line in the untrust-vr route-map keeps the static route's preference of 20 when it is exported; the adsl-vr route-map has no such line, so its route arrives in the trust-vr with the default preference for imported routes, 140. (This is route preference, not metric: the lower value wins.) While both routes are present the trust-vr therefore uses the untrust-vr route, and the adsl-vr route only becomes active when the primary route disappears. You can confirm which default route is active with `get route`.

Now that our users can reach the Internet we need to make sure that, should there be an issue with the primary circuit, the backup circuit is used instead. This is done with track-ip: the firewall monitors a number of hosts on the Internet through the primary interface, and when enough of them become unreachable it marks that interface as down.

In this example the addresses are three of the DNS root servers (j, i and k). They could be any addresses you expect to stay online and that answer ICMP echo requests. In practice the ISP's gateway or DNS resolvers, or servers you control, are a better choice than the root servers: the test should measure whether your circuit works, not whether a third party is answering pings, and the root operators would rather not be everybody's monitoring target. Whatever you pick, choose targets on different networks so that a single remote outage is not mistaken for a circuit failure.

set interface ethernet0/0 monitor track-ip ip
set interface ethernet0/0 monitor track-ip threshold 75
set interface ethernet0/0 monitor track-ip weight 75
set interface ethernet0/0 monitor track-ip ip 192.58.128.30 threshold 25
set interface ethernet0/0 monitor track-ip ip 192.58.128.30 weight 25
set interface ethernet0/0 monitor track-ip ip 192.36.148.17 threshold 25
set interface ethernet0/0 monitor track-ip ip 192.36.148.17 weight 25
set interface ethernet0/0 monitor track-ip ip 193.0.14.129 threshold 25
set interface ethernet0/0 monitor track-ip ip 193.0.14.129 weight 25

Each address is pinged every second (the default interval, as none is set) and is considered failed once 25 consecutive probes have gone unanswered, which is its per-address threshold. Each failed address then contributes its weight of 25, and when the sum of failed weights reaches the track-ip threshold of 75 the track-ip test as a whole fails; its weight of 75 is what counts against the interface monitor, and the interface is marked down. With these numbers all three targets must fail: two out of three only sum to 50 and the interface stays up, so one unreachable target will not trigger a fail-over. A single successful reply resets that address's failure count, so recovery is prompt once the path is back. Check with `get interface ethernet0/0 monitor` that the interface's own monitor threshold is not set higher than the track-ip weight of 75, since the track-ip failure must reach that threshold for the interface to be taken down.

To check the status of the track-ip monitoring, issue the following commands:

get interface ethernet0/0 monitor
get interface ethernet0/0 monitor track-ip

They show the probe and failure statistics for each tracked address, and whether the interface is currently marked as failed.

When the interface is marked down, the default route in the untrust-vr is no longer valid, so its export is withdrawn from the trust-vr; the route exported from the adsl-vr becomes the only default route and Internet traffic continues over the backup circuit. In the background the primary interface keeps polling the tracked addresses, and once they answer again the failure counts fall below the thresholds, the interface comes back up and the untrust-vr route reappears in the trust-vr with its preference of 20, so traffic fails back automatically.
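To make the two-level threshold arithmetic and the preference-based route selection easier to reason about, here is an added model in Python. It is not ScreenOS code and is not from the original post: it reproduces the behaviour described above (per-address consecutive-failure threshold, per-address weight summed against the track-ip threshold, and a trust-vr that uses the lowest preference value among default routes whose interface is up) on a constructed probe sequence in which all three targets are unreachable for 30 probes and then answer again. The partial-outage scenario goes beyond the post by showing that two failed targets do not reach the threshold of 75. The names `TrackedIP`, `TrackIP`, `run`, `full_outage` and `partial_outage` are mine, and the model assumes the interface monitor threshold is no higher than the track-ip weight, so that a track-ip failure is enough to mark the interface down.

```python
"""Model of ScreenOS-style track-ip fail-over and route preference (added example, not ScreenOS code).

Implements the logic the post describes so threshold choices can be checked before configuring them:
  * a tracked address fails after `threshold` consecutive unanswered probes and contributes `weight` while failed;
  * the interface's track-ip test fails when the failed weights sum to the track-ip threshold
    (assumed here to be enough to mark the interface down);
  * the trust-vr uses the lowest-preference default route whose egress interface is up.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Default routes as exported into trust-vr, with the preferences from the post (20 preserved, 140 imported).
ROUTES = [
    {"vrouter": "untrust-vr", "interface": "ethernet0/0", "gateway": "192.0.2.1", "preference": 20},
    {"vrouter": "adsl-vr", "interface": "ethernet0/1", "gateway": "192.0.2.9", "preference": 140},
]
TARGETS = ["192.58.128.30", "192.36.148.17", "193.0.14.129"]  # the three tracked addresses from the post


@dataclass
class TrackedIP:
    addr: str
    threshold: int          # consecutive failed probes before this address counts as failed
    weight: int             # weight it contributes while failed
    consecutive_failures: int = 0

    def probe(self, reachable: bool) -> None:
        # One reply resets the run of failures, which is what makes fail-back prompt.
        self.consecutive_failures = 0 if reachable else self.consecutive_failures + 1

    @property
    def failed(self) -> bool:
        return self.consecutive_failures >= self.threshold


@dataclass
class TrackIP:
    interface: str
    threshold: int          # sum of failed weights needed to fail the track-ip test
    targets: List[TrackedIP] = field(default_factory=list)

    def probe_all(self, results: Dict[str, bool]) -> None:
        for t in self.targets:
            t.probe(results.get(t.addr, False))

    @property
    def failed_weight(self) -> int:
        return sum(t.weight for t in self.targets if t.failed)

    @property
    def interface_failed(self) -> bool:
        return self.failed_weight >= self.threshold


def active_default_route(routes: List[dict], failed_ifaces: set) -> Optional[dict]:
    """Lowest preference value wins among routes whose egress interface is up; None if nothing is usable."""
    usable = [r for r in routes if r["interface"] not in failed_ifaces]
    return min(usable, key=lambda r: r["preference"]) if usable else None


def build_monitor() -> TrackIP:
    """track-ip exactly as configured in the post: three targets at threshold 25 / weight 25, interface threshold 75."""
    mon = TrackIP("ethernet0/0", threshold=75)
    mon.targets = [TrackedIP(a, threshold=25, weight=25) for a in TARGETS]
    return mon


def run(mon: TrackIP, rounds: List[Dict[str, bool]]) -> List[dict]:
    """Feed one probe round per second and record the monitor state and chosen egress after each."""
    history = []
    for n, results in enumerate(rounds, start=1):
        mon.probe_all(results)
        failed = {mon.interface} if mon.interface_failed else set()
        route = active_default_route(ROUTES, failed)
        history.append({
            "round": n,
            "failed_weight": mon.failed_weight,
            "interface_failed": mon.interface_failed,
            "egress": route["interface"] if route else None,
        })
    return history


def full_outage() -> List[dict]:
    """Constructed scenario: all targets unreachable for 30 s, then reachable for 2 s (fail-over then fail-back)."""
    down = {a: False for a in TARGETS}
    up = {a: True for a in TARGETS}
    return run(build_monitor(), [down] * 30 + [up] * 2)


def partial_outage() -> List[dict]:
    """Constructed scenario: two of three targets unreachable for 30 s; failed weight 50 never reaches 75."""
    two_down = {TARGETS[0]: False, TARGETS[1]: False, TARGETS[2]: True}
    return run(build_monitor(), [two_down] * 30)


if __name__ == "__main__":
    for state in full_outage():
        if state["round"] in (1, 24, 25, 30, 31):
            print(state)
    print("partial outage, final state:", partial_outage()[-1])
```

Running it shows the interface staying on ethernet0/0 through round 24, switching to ethernet0/1 at round 25 when the three weights sum to 75, and returning to ethernet0/0 on the first round in which the targets answer. Changing the per-address weights to 50 in `build_monitor` would make any two failures enough, which is the kind of trade-off between sensitivity and false fail-overs the thresholds let you tune.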

The other thing to consider is any inbound service that must keep working during a fail-over, such as an MX record pointing at a MIP or VIP on the secondary circuit so that mail can still be delivered while the primary is down. Track-ip only changes the outbound routing, so anything that needs to be reachable on the backup line requires its own MIP or VIP and policies on that interface.

If this is all configured correctly, the only thing users should notice is that websites and services which tie a login to the client's source address (online banking, for example) will ask them to log in again after a fail-over or fail-back, because their traffic now leaves from the other circuit's public address and the existing session is no longer valid. Any TCP connections that were open across the primary circuit are also dropped at fail-over and have to be reopened over the backup.


Jun/11

8

Another MCP in the bag

Just managed to complete my next MCP TS: Windows 7, Configuring which keeps me on my way to my MCITP: Enterprise Administrator qualification which I am hoping to get for the end of the summer.


Oct/10

12

kiss breakfast interview question

Having missed the end of the breakfast show today here is my explanation of the question..

If i buy four oranges and three bananas for £40.50 and the orange costs 50% more than a banana how much does a banana cost?

Let an Orange be represented by o and a banana by b. Then you can say that

4o+3b = £40.50

Because the orange costs 50% more than the banana the following is true

1o = 1.5b

Therefore

4o = 6b

Substituting 6b for 4o in the first equation gives

6b + 3b = 40.50

Or

9b = 40.50

you can then work out b as

b = £4.50

So one banana costs £4.50, which is some expensive fruit.

You can then use this to work out the value for an orange as well using the first two equations

4o+(3x4.50) = £40.50

which becomes

4o+13.5 = £40.50
4o = £40.50 - £13.50
4o = £27
o = £6.75

One orange costs £6.75. Still very expensive!

Using the fact that one is 50% more than the other allows us to prove the numbers are correct

(1x£6.75) = (1.5x£4.50)
£6.75 = £6.75

Charlie's assumption that an orange is half the cost of a banana is unfortunately wrong. If a banana is 100%, an orange costing 50% more is 150%, so the ratio is 2:3 and a banana is about 67% of the cost of an orange, not 50%.


Jun/09

14

Backups – They really are important

Introduction

You really cannot appreciate the need for a solid backup solution until you need to restore that crucial piece of business critical data. Whether it’s a whole server or just one word document it is always important to know that the files are available to be recovered. There is no single solution that works in all scenarios and it is important to select the technologies that meet the needs of the individual site. This article will look at a number of different technologies and try to demonstrate how they can be used in a business environment and help negate the need to use companies like Kroll Ontrack to perform data recovery on hard drives which can be incredibly costly.

Shadow Copy / Previous Version Client

“Shadow Copies for Shared Folders is a new file-storage technology in the Microsoft Windows Server 2003 operating systems. Shadow Copies for Shared Folders provides point-in-time copies of files that are located on a shared network resource, such as a file server. With Shadow Copies for Shared Folders, users can quickly recover deleted or changed files that are stored on the network without administrator assistance, which can increase productivity and reduce administrative costs.” (Shadow Copies for Shared Folders Technical Reference)

This technology is the basis of the Previous Version client and allows recovery of accidently deleted files without having to request tapes or an online restore which may incur further delays in restoring the data. The snapshots are stored on your file server and you should make sure that you have sufficient space to store all your data as well as shadow copies. So that you don’t run out of space on the server a maximum size for the shadow copies is defined and at each snapshot the server will calculate if it can store the next snapshot in the data store without deleting older versions. When it can no longer store new snapshots Shadow Copy will delete the oldest snapshots to make way for the newest changes.

As mentioned this is a nice technology to quickly recover a few files or folders but should NOT be considered a backup solution on its own as you are reliant on your server always being online and having sufficient space to store enough copies of the data that you can restore what you need to. Shadow copy does not allow for hardware failure and should your disk array fail in the server you will lose the data as well as the previous version snapshots.

Tape Backup

Tape backups have been around almost as long as computers have and writing data to a magnetic tape is a tried and tested way of keeping a copy of the data that can be taken off-site to cover the loss of a server. Today backup tapes are able to store up to 1.6TB of data (depending on tape model and compression) on a single cartridge. As a result the tape backup is still widely used today as the backup solution of choice in the workplace as after the initial expenditure of buying the tape drive and software to backup your infrastructure there is little ongoing expense involved in maintaining the tape based backup solution.

The key thing to remember when using a tape based backups is to NOT keep your backup tapes in the same building as the server that you are backing up. You can backup all your data and keep a full year of backups but if they are sitting next to your server and there is a fire you lose both the server and the tapes and are unable to restore the data. It is recommended that once data has been written to tape that the user responsible for changing the tapes removes the tape to a secure location. There are companies, such as Iron Mountain, who offer services to collect tapes on a regular basis and store them in a secure vault. This can give you the peace of mind that you only have the minimum number of tapes on site at any one time.

The number of different backups you keep is completely dependent on how far back you feel you need to recover data. One tape that is overwritten daily is not a safe solution, and while it is possible to use a completely new tape for each backup this quickly becomes a costly way of backing up data. The most common rotation is the Grandfather, Father, Son scheme. In this scheme the Son backups are the daily backups; at the end of each week the Friday/Weekend backup is kept as the Father and a new set of Son backups is started the following week. At the end of the month the last Father backup is promoted to Grandfather and the process starts again at the beginning of the new month. The Grandfather backups should be kept for a set period as a reference copy of the data at that point in time. Over the course of a year this rotation needs 21 tapes (4 tapes for Monday to Thursday, 5 tapes for the Friday/Weekend backups and 12 month-end tapes). If you would like to keep two weeks of daily backups you will need a further 4 tapes to cover the second week.

Online Backup

If you have data based across multiple sites or you don’t want to be forced to change tapes on a nightly basis an online backup solution may prove to be a viable solution. In the same way as the tape backup will capture your data on a nightly basis and write it to a magnetic tape the software here will connect to a 3rd party data server and upload the data to be stored here.

Rather than taking a full backup of all the files each night, online backup solutions usually take an initial base backup on site, which is integrated into the off-site storage platform, and then each night an incremental backup copies the changes since the previous backup to the platform. Files are therefore stored as a series of versions ("impressions") pushed to the platform: a file backed up on day 1 that does not change for two months gets its second impression only then, whereas a file that changes daily writes a new impression each time it is backed up. The number of impressions you keep is dependent on the money you are willing to pay for storage.

When planning for an online backup it is important to work out how much data will be changing on a daily basis and needs to be sent across the Internet to the storage platform. If your Internet connection doesn’t have sufficient bandwidth you will not be able to take a full snapshot each night and could end up with gaps in your backups that prevent complete restoration of all the data.

Disaster Recovery Site

If the nature of your business means you cannot afford to be offline whilst your IT infrastructure is restored then a DR site may be something worth considering. If your Infrastructure is severely crippled then you are able to switch core services to another site and your users are able to continue working with minimal disruption.

Microsoft introduced DFS Replication with Windows Server 2003 R2 to enable file shares to be replicated between multiple servers with changes propagated as they happen. If your primary file server fails you simply need to switch the namespace referral to the server at your DR site and users will be able to access data through the same file shares and should not notice the changeover. Databases such as Microsoft Exchange or SQL Server are not as easy to replicate in the same way, as the database files are constantly changing with each access. In these cases third-party applications such as DoubleTake or XOSoft (formerly WANSync) can be used to make sure that your databases are replicated in real time to the DR site so they can be switched over as needed. With these scenarios users are able to keep working whilst the core infrastructure is recovered, and any changes made whilst working in the disaster recovery scenario can then be replicated back to the main offices.

The Disaster Recovery solution is not a cheap solution as you need to pay for a second set of servers to replicate the data to and run in an alternate site such as a data centre however the running costs need to be compared with the cost to the company whilst services are restored.

What should YOU do?

What you do now is a very individual decision based around the needs of your business. There are companies that implement all four different technologies mentioned to provide resilience against there being an issue with any of the other backups however this is a costly solution that is not viable for a number of small companies. For most, implementing either the tape or the online backup along with the Shadow Copy snapshots will provide enough security to restore the data should files be deleted or a server fail.

It should be noted however that the backup to tape or offsite should never be taken for granted and ignored. As part of any backup strategy you should be looking to run test restores from your backup media to ensure that you can recover the data you have backed up.
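A test restore only proves something if what came back is compared with what went in. The script below is an added example and is not part of the original article: it builds a manifest of SHA-256 digests and sizes for a source tree (the kind of record you would generate at backup time and keep with the media) and compares a restored tree against it, reporting files that are missing, altered or unexpectedly present. It runs on a constructed temporary tree in which the simulated restore has one silently corrupted file, one missing file and one stray file; the function and file names are mine.

```python
"""Verify a restored tree against a manifest taken at backup time (added example, not from the article)."""
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Dict, Tuple


def sha256_file(path: Path, chunk: int = 1 << 16) -> str:
    """Digest a file in chunks so large files do not have to be read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, Tuple[int, str]]:
    """Map each file's path (relative to root, POSIX form) to (size, sha256). Generated at backup time."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = (p.stat().st_size, sha256_file(p))
    return manifest


def verify_restore(restored: Path, manifest: Dict[str, Tuple[int, str]]) -> Dict[str, list]:
    """Compare a restored tree with the manifest.

    Size is checked first because it is cheap; the digest catches silent corruption that keeps the size.
    Extra files are reported too, since a restore that brings back more than was backed up is also wrong.
    """
    report = {"missing": [], "modified": [], "extra": []}
    for rel, (size, digest) in manifest.items():
        p = restored / rel
        if not p.is_file():
            report["missing"].append(rel)
        elif p.stat().st_size != size or sha256_file(p) != digest:
            report["modified"].append(rel)
    for p in sorted(restored.rglob("*")):
        if p.is_file():
            rel = p.relative_to(restored).as_posix()
            if rel not in manifest:
                report["extra"].append(rel)
    return report


def demo() -> Dict[str, list]:
    """Constructed data: a small share, a copy standing in for the restore, then damage to the copy."""
    work = Path(tempfile.mkdtemp(prefix="restoretest-"))
    try:
        src = work / "fileserver"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "q1.xlsx").write_bytes(b"quarter one figures" * 100)
        (src / "finance" / "q2.xlsx").write_bytes(b"quarter two figures" * 100)
        (src / "readme.txt").write_text("shared folder\n")
        manifest = build_manifest(src)

        restored = work / "restored"
        shutil.copytree(src, restored)
        # Simulate a bad restore: one file corrupted without changing its size, one lost, one stray file.
        bad = restored / "finance" / "q1.xlsx"
        bad.write_bytes(bad.read_bytes()[:-1] + b"X")
        (restored / "finance" / "q2.xlsx").unlink()
        (restored / "temp.tmp").write_text("left over\n")
        return verify_restore(restored, manifest)
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

In use you would write the manifest to a file alongside the backup (and ideally keep a copy off-site with the tapes), then point `verify_restore` at the directory a test restore lands in; an empty report is the result a test restore should produce.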


Mar/09

25

Giving this blog a purpose

Having spent a long time ignoring this blog or simply linking to amusing things on the net that I found through sites like stumbleupon.com, I think it's time to try and focus what I am writing about and see if I can get a good set of useful articles written.

Having thought about it for about 5 minutes this morning I decided that it should be something related to what I do on a daily basis but also something that I have an interest in, otherwise what's the point? Virtualization was a first thought, but I already read a good blog about VMware (http://www.techhead.co.uk) which I would probably end up plagiarising, and that isn't the reason for this. The other thing that I am keen on at the moment in the world of technology is network monitoring and the technologies you can use for it.

Now I will say that I'm quite biased when I am looking at setting up a monitoring solution, as I don't really want to pay for the extra hardware or software I use to monitor everything. This does mean I will look for good open source application(s) to carry out a task, which I can customize, rather than paying for a boxed product that does some of what I want to do but not everything.

Now I still like sharing interesting pages I find on the web but I may need to split the blog into 2 sections to look more professional… Still haven’t decided yet but don’t worry the random site links will still be there!

So what’s my first entry under the new incarnation of the blog? I think I will write up the “Howto” on building an open source monitoring machine that can keep an eye on your network. Expect it in a few days.


Mar/09

23

27 inspiring top notch programming quotes

This is a brilliant post that I stumbled across this morning. My favourite two quotes are:

If debugging is the process of removing software bugs, then programming must be the process of putting them in. – Edsger Dijkstra

and

Debugging is twice as hard as writing the code in the first place. Therefore, if you write the code as cleverly as possible, you are, by definition, not smart enough to debug it. – Brian Kernighan



Mar/09

21

VIDEO: Confused Turtle has sex with boot

Stumbled across this this morning and its just amusing. Well worth a watch


Mar/09

15

WordPress -> Twitter test

Hello World!

Disable the User Account Control (UAC) feature on your Windows Vista computer.
Makes Vista a lot less annoying for power users.



Feb/07

14

Valentines day sucks

If you don’t have anyone to celebrate it with then its fairly crap!

Oh well. I just have to get on with life!

Dec/06

18

Bring back the REAL Coke Christmas advert

Back in the day when Coke produced decent adverts the sign that Christmas was coming was heralded by the bright red Coke trucks and some happy music.

This year Coke have given us a CRAP advert that is poo and no where near as good.

Sep/06

25

Gemini produce iPod mixer

Gemini have announced the new product in their iSeries line of DJ equipment, the iTrax, which allows you to plug your iPod into the top of the mixer and have your entire music collection at your fingertips. As with most mixers you get an EQ on the iPod channels, mic insert, headphone jack, option for aux inputs (CD/turntable), master out and record out. Another useful feature is the video out, which will allow you to connect your mixer to a projector/TV and make use of the video features of the latest gen iPods.

There are however some features that make this a less than desirable product to own

You will need 2 iPods (who has 2) so that you can mix from track to track.

If you have two, then you will need to have the same collection on both, as there's nothing worse than having the next track on the source you are currently sending to the speakers.

This has all been done before anyway by Numark with their iDJ which is now in its second incarnation. The first iDJ had the same features as the Gemini product but without the video (IIRC). The second gen iDJ recognises the fact that people don’t have two iPods and will allow you to mix from track to track through just a single music player – a much better solution if you ask me.

The Numark iDJ (2 iPod) is available from decks.co.uk for £169 and the iDJ2 for £429. The Gemini iTrax is reported to be coming in at around £100 which is what should be expected for something like this.

If you are seriously considering buying an iPod DJ package and have the money to spend go for the iDJ2 any day as the other two require you to have two iPods to use it properly!

Source [Gizmodo]


Sep/06

4

RIP Steve Irwin

It is with sadness that I learnt about the death of possibly the greatest animal lover in recent history. Steve Irwin was an amazing person who did so much for animal awareness and he used his celebrity status to further this.

Steve died whilst filming a documentary off the Batt Reef in Australia, receiving a barb from a stingray to the heart. Paramedics were rushed to the scene but they couldn’t save him. Steve is only the second person to die from a stingray in Australia.

More details can be found at the BBC website


Aug/06

26

Snakes on a plane…

Well having heard all the hype about the film I was intrigued to see what it was all about so Kate and I decided to head down to Reading Vue to catch the film with possibly the biggest hype in recent history and see what it was all about.

It really didn’t live up to what I was expecting. The characters were fairly pointless, the CGI wasn’t brilliant and the fact that it had been “written” from contributions of various people showed as the story never really flowed correctly and the action seemed incredibly implausible. If you haven’t seen the film then stop now as this will “spoil” it for you.

The opening five minutes set the precedent for the rest of the film as Nathan Phillips' character witnesses the murder of some guy and is chased down by a local Triad boss who will do all he can to prevent him from testifying against him. In steps Samuel L to save Phillips from certain death at the hands of the henchmen before taking him back to the US to testify. The Triads get pissed off and put a collection of exotic snakes onto the plane and spray all the flower necklaces with pheromones to make the snakes go "crazy".

Half-way into the flight, the snakes are set loose and they start to bite people and cause panic. Captain dies as does the co-pilot and Jackson’s character is left to keep order. As with all these films the crappy characters are killed off and the stars survive to save the day.

There was a surprise performance from Kenan Thompson (of Kenan & Kel fame) as a bodyguard to the rapper who has an OCD over cleanliness.  The crowning moment of the whole film (apart from the final credits) was the quote from Jackson’s character “Enough is enough! I have had it with these motherfucking snakes on this motherfucking plane!” Apart from this the dialog was fairly sub standard and uninspiring.

Kate did enjoy the snake specialist who was unwilling to come out because he had baby anacondas which had just hatched.

All in all a poor film with masses of hype that will make the director/producers/actors incredibly rich. If Samuel L Jackson hadn’t agreed to put his name to this then there is a good chance that the film would have flopped massively and been a failure throughout whereas it will be loved by many for being bad and a few people (myself included) will feel that our £5.50 was badly spent


Jul/06

19

Kenya on its way

On Saturday evening I am flying out to Kenya with my parents and brother to celebrate my mum & dad’s 25th wedding anniversary.

The trip has been booked through Trailfinders and our itinerary includes 5 days of safari and 2 weeks of beach holiday in Zanzibar.

If I’m perfectly honest I am looking forward to the 2 weeks on the beach more than the safari if only because the days are starting at 5:00am and that’s gonna be more than a small shock to the system!

Wherever possible I will keep the blog updated with the happenings of the holiday and anyone who is interested can read along.


Jul/06

14

Doogs – I'm coming to get you!

It’s been over 2 years since I have seen Doogs and now he’s getting married…. Tomorrow will be the first time I have seen him in ages and I can’t wait!

Jul/06

10

Bored, bored and still bored some more

I haven't even been back for 2 weeks now and I am really thoroughly bored. I had thought about joining a gym to try to get fit but I still cannot be bothered with that.

I just need something to entertain me!

Jul/06

7

2 presentations in 3 days

Well, after the success of Tuesday's presentation I was asked to create another that could be used at the Middle and Senior school prizegiving. This was a much less difficult presentation to organise as there was no music for it to be in sync with; it was merely a collection of images displayed in order. With just over 100 images and 6 seconds per image I created a 10 minute slideshow that repeated.

However, now that this has been completed I am looking for some work that I can do to keep me going now there is no more to do at Downsend (except their website).

Jul/06

2

Dario G – Sunchyme

I’m currently in the process of creating a DVD presentation set to Dario G’s Sunchyme and over the past 24 hours have heard the song about 1 000 000 times. It is starting to get quite tedious but in order to get the timings of the various clips accurate I need to listen to it over and over and over again!

Apart from that I have been to a White family lunch. My mum, dad and myself went over to see most of my dad's side of the family. We had a really nice meal and it was the first time we had all been together for a long time. My dad showed his complete dislike of animals by scaring off a random cat that had wandered into the garden – everyone was just ignoring the cat but when it walked towards my dad he just shouted at it to "GO AWAY". As the cat clearly doesn't understand English a further shout of "BRRRRRRR!!!!" was heard!

Simon “couldn’t make it” but I feel that he would rather spend time with friends over family… tut tut!

Right… off to sleep as I need to get up early tomorrow to sort out the rest of this bloody presentation!


May/06

18

Exams start today!

Having spent all of about 2 days revising for ASE I think I now know enough to answer 65-75% of the paper.

I know quite a bit about:

  • Software Testing
  • Agile Methods
  • Software Maintenance

I dont know much about:

  • Program Slicing

This could prove to be problematic in the exam!

