<?xml version='1.0' encoding='UTF-8'?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/'><id>tag:blogger.com,1999:blog-3958299164533609601</id><updated>2008-11-07T09:40:05.039-05:00</updated><title type='text'>IT Network Guru</title><subtitle type='html'>All you wanted or didn't want to know about IT Networking, System Administration and Windows Administration.</subtitle><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3958299164533609601/posts/default'/><link rel='alternate' type='text/html' href='http://www.ITnetworkguru.com/'/><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://www.ITnetworkguru.com/atom.xml'/><author><name>Brad Foutz</name><uri>http://www.blogger.com/profile/10947628685973058401</uri><email>noreply@blogger.com</email></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>16</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-3958299164533609601.post-246314912732033141</id><published>2007-12-07T10:49:00.000-05:00</published><updated>2007-12-07T12:17:15.197-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Management'/><category scheme='http://www.blogger.com/atom/ns#' term='Backups'/><category scheme='http://www.blogger.com/atom/ns#' term='Infrastructure'/><title type='text'>Are you ready for Amazon S3...Maybe?</title><content type='html'>This is sort of a continuation of my &lt;a href="http://www.itnetworkguru.com/2007/08/are-you-ready-for-amazon-s3probably-not.html"&gt;previous post about Amazon S3&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;While I was looking for a way to use Amazon S3 without doing any coding, I ran into a couple of beta programs, some of which just didn't seem to work right. 
I was looking for a program that would copy the files to S3 daily and wouldn't change the name of the files. &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_0"&gt;JungleDisk&lt;/span&gt; was one of the first I looked at and it would constantly be doing a get and put while uploading the data along with changing the file name (if you used only &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_1"&gt;JungleDisk&lt;/span&gt; you won't realize this). As mentioned in my previous post, S3 backup and S3interface.com were good candidates but they didn't do automated backups. S3interface limits the file size to 10MB and you can only upload from within the web GUI. With S3 backup, on the &lt;span class="blsp-spelling-corrected" id="SPELLING_ERROR_2"&gt;other hand&lt;/span&gt;, the automated feature now works as of the release of &lt;a href="http://www.maluke.com/blog/s3-backup-beta-12"&gt;S3 backup beta 12&lt;/a&gt;, and I have been using it successfully for 2 months.&lt;br /&gt;&lt;br /&gt;I have S3 backup installed on my "monitoring" server (which monitors all of my web/&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_3"&gt;sql&lt;/span&gt; servers) where the external &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_4"&gt;HD&lt;/span&gt; is directly connected. So after my backups run I scheduled an upload within S3 backup to upload the changed files. I also installed this program on my desktop. Since I can connect to the same bucket I can see whether, at what time and which files were uploaded. It works great!&lt;br /&gt;&lt;br /&gt;The only problem I had with this program was when I created two jobs. I was trying to use multiple buckets to store the files for the different servers that I back up. When I would run the second job it would put all of the files in the first bucket and overwrite the files from the previous job. I worked around this by creating a single job using one bucket with multiple folders. 
As a consequence, it is much easier to view all of the files at once. So when reviewing my backup files I can quickly look at all of them.&lt;br /&gt;&lt;br /&gt;Since this has been working so well I have started to think about cancelling my other online off-site storage provider. With Amazon S3, their costs are so cheap that I am paying about $60-70 per month for about 30GB. This includes the daily uploads of the differential files (between 200MB and 3GB) and full backups of about 26GB. My current provider gives me 500GB for $600 per month. Although this is more space, the cost savings are nearly 10-fold since with Amazon I only pay for what I use and I don't use all 500GB.&lt;br /&gt;&lt;br /&gt;In summary, I have found that S3 backup is the best program (so far) out there to upload files to S3 without having to create your own. It is also a great way to take advantage of Amazon S3's cost savings and data center &lt;span class="blsp-spelling-corrected" id="SPELLING_ERROR_5"&gt;reliability&lt;/span&gt;.</content><link rel='replies' type='application/atom+xml' href='http://www.blogger.com/feeds/3958299164533609601/246314912732033141/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=3958299164533609601&amp;postID=246314912732033141' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3958299164533609601/posts/default/246314912732033141'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3958299164533609601/posts/default/246314912732033141'/><link rel='alternate' type='text/html' href='http://www.ITnetworkguru.com/2007/12/are-you-ready-for-amazon-s3maybe.html' title='Are you ready for Amazon S3...Maybe?'/><author><name>Brad Foutz</name><uri>http://www.blogger.com/profile/10947628685973058401</uri><email>noreply@blogger.com</email></author><thr:total 
xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3958299164533609601.post-4879524055341915174</id><published>2007-08-23T21:54:00.000-04:00</published><updated>2007-08-23T21:57:09.646-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Management'/><category scheme='http://www.blogger.com/atom/ns#' term='Infrastructure'/><title type='text'>Are You Ready for Amazon S3?...Probably Not</title><content type='html'>&lt;span style="font-family:arial;"&gt;Having only discovered Amazon S3 a couple of months ago I was totally blown away by the idea. For those of you who don't know what this is, it is storage space in Amazon's data center that is rented out for a monthly fee (and transfer fee). As soon as I read about this I started thinking about the current online/off site storage vendors that I was using. I couldn't believe that Amazon would offer this "service" at such a cheap price. &lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;I started researching everything about it and how I could start using it. The catch is that you must use it by utilizing their APIs. Meaning that you don't just sign up for the service and download their program; you need to write your own program or use someone else's open-source program, which is what I did. Since there are so many open-source type programs out there you can just pick the one that you think is the best for your needs and use it. (On a side note, there are also some "pay-for" programs and some online storage companies have moved their infrastructure over to Amazon and are already offering this as a "storage backed by Amazon" type of service.) &lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;The problem I see is the maturity of these open source programs. 
If I use one now for the next year and the person (or company) stops development of it, then what? A program like JungleDisk changes the file names for some reason when the file is uploaded. If development stops on this program you may need another program to interact with Amazon S3, and renaming all of your files could be an arduous task. The other programs that I have used, S3backup and &lt;/span&gt;&lt;a href="http://www.s3interface.com/"&gt;&lt;span style="font-family:arial;"&gt;www.S3Interface.com&lt;/span&gt;&lt;/a&gt;&lt;span style="font-family:arial;"&gt;, both keep the file name unchanged. But I want to be able to automate the file transfer and with these programs this task is more of a manual one. &lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;On another note, I believe that S3 will revolutionize the way we think about storage altogether. It will turn storage into a commodity and something where a physical location is not important. Backing up data in one location and restoring it at another may not be a problem in the not too distant future.&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;Here is the link to Amazon's site if you want to read more about it. 
&lt;/span&gt;&lt;a href="http://www.amazon.com/s3"&gt;&lt;span style="font-family:arial;"&gt;www.amazon.com/s3&lt;/span&gt;&lt;/a&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blogger.com/feeds/3958299164533609601/4879524055341915174/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=3958299164533609601&amp;postID=4879524055341915174' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3958299164533609601/posts/default/4879524055341915174'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3958299164533609601/posts/default/4879524055341915174'/><link rel='alternate' type='text/html' href='http://www.ITnetworkguru.com/2007/08/are-you-ready-for-amazon-s3probably-not.html' title='Are You Ready for Amazon S3?...Probably Not'/><author><name>Brad Foutz</name><uri>http://www.blogger.com/profile/10947628685973058401</uri><email>noreply@blogger.com</email></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3958299164533609601.post-3365547835028869769</id><published>2007-08-16T22:06:00.000-04:00</published><updated>2007-08-22T22:23:13.364-04:00</updated><title type='text'>Breaking into the IT Field</title><content type='html'>Getting a job in the IT field is not as difficult as one may think. I have a couple of steps that you can follow to break into it. You can follow these steps whether or not you have a College degree. Although I believe a degree is very beneficial.&lt;br /&gt;&lt;br /&gt;1. Like computers and computer systems&lt;br /&gt;2. 
Read magazines and online articles about #1 daily &lt;em&gt;(I read the following: &lt;/em&gt;&lt;a href="http://www.informationweek.com/"&gt;&lt;em&gt;information week&lt;/em&gt;&lt;/a&gt;&lt;em&gt;, and &lt;/em&gt;&lt;a href="http://www.networkworld.com/"&gt;&lt;em&gt;network world&lt;/em&gt;&lt;/a&gt;&lt;em&gt;)&lt;/em&gt;&lt;br /&gt;3. Get a computer, download and install any trial (Microsoft) or actual (Linux) software that you are interested in.&lt;br /&gt;4. Study for the Microsoft, Cisco, Linux, CompTIA certificates. Get the highest level of certificate you can. I remember I knew someone who told me that they were going to get the MCSA and stop there. Their rationale was that in their IT career they didn't think that an MCSE would be needed. That is crap or just plain laziness! Go for the highest possible. That kind of thinking will leave you with a mediocre career. &lt;em&gt;(On another note, bite the bullet for the price of the exams. Don't wait for your work to pay for them, just do it. They will pay for themselves with your first job.)&lt;/em&gt;&lt;br /&gt;5. Get to know other IT people. As you start to look for a job these other people will be able to help you with advice or may even know of a job opening.&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;/blockquote&gt;&lt;p&gt;These 5 steps will help you. Number 1 is a bit more of a personality trait than something that one can just do. But actually liking what you do will advance your career way ahead of the other people that just see it as a job. I also can't stress number 3 enough. Actually using the programs at home and being able to experiment with their workings is how you can learn much more. Typically at work you can't just change settings on a production server to see what happens. &lt;/p&gt;&lt;p&gt;At the other end of the scale, here are some things that I don't think you need to do or are just a waste of time. &lt;/p&gt;&lt;p&gt;1. 
Don't take one of the famous MCSE classes or entire MCSE bootcamp courses. I am referring to the commercials I hear on the radio every single day about the "average salary of a MCSE...". I personally don't have any experience with this particular school but I have been to many classes and most are the instructor either reading out of the book, following some odd hands-on lab or a combination of the two. I prefer buying the book and installing the software at home. I can normally work through the book much faster than the instructor. &lt;/p&gt;&lt;p&gt;2. Stay at a position where you are bored or not challenged. If you aren't doing something different or challenging every day you are not growing and learning.&lt;/p&gt;&lt;p&gt;Some people say that they learn better in school. They can ask questions and the instructor or other classmates can help with the understanding of the problem. This is true, but you can also look online or post the question in a forum and get just as good of an answer for free. &lt;/p&gt;If you don't like computers and you just want a job in IT because the money sounds good... Good luck. I believe that the money will start coming in because of your genuine interest in what you are doing. I have seen IT people stuck in the same job for years. 
I can never figure out why they are happy but to each his (or her) own.</content><link rel='replies' type='application/atom+xml' href='http://www.blogger.com/feeds/3958299164533609601/3365547835028869769/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=3958299164533609601&amp;postID=3365547835028869769' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3958299164533609601/posts/default/3365547835028869769'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3958299164533609601/posts/default/3365547835028869769'/><link rel='alternate' type='text/html' href='http://www.ITnetworkguru.com/2007/08/breaking-into-it-field.html' title='Breaking into the IT Field'/><author><name>Brad Foutz</name><uri>http://www.blogger.com/profile/10947628685973058401</uri><email>noreply@blogger.com</email></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3958299164533609601.post-6852842256388238815</id><published>2007-07-19T12:29:00.000-04:00</published><updated>2007-07-19T12:39:54.593-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='telecommunications'/><category scheme='http://www.blogger.com/atom/ns#' term='business'/><title type='text'>Sunrocket VoIP service - I can still make calls!</title><content type='html'>I was a loyal Sunrocket customer for about 2 years. I couldn't complain about the service while they were still in business and I still can't. Except for the loss of voicemail, I still have inbound and outbound calling capability. I signed up for the $199 per year deal in January of 2007. So, I have used about 7 months of it so far. By my calculations if I compare the monthly service that I had to the yearly service that I was using, I have just about broken even. 
Not sure how much longer I will be able to make calls, but I wonder about international calls. If they don't have a billing department any more will my call be free...&lt;br /&gt;&lt;br /&gt;Here is a link to an article about the closing. &lt;a href="http://www.nbc4.com/news/13700302/detail.html"&gt;http://www.nbc4.com/news/13700302/detail.html&lt;/a&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blogger.com/feeds/3958299164533609601/6852842256388238815/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=3958299164533609601&amp;postID=6852842256388238815' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3958299164533609601/posts/default/6852842256388238815'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3958299164533609601/posts/default/6852842256388238815'/><link rel='alternate' type='text/html' href='http://www.ITnetworkguru.com/2007/07/sunrocket-voip-service-i-can-still-make.html' title='Sunrocket VoIP service - I can still make calls!'/><author><name>Brad Foutz</name><uri>http://www.blogger.com/profile/10947628685973058401</uri><email>noreply@blogger.com</email></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3958299164533609601.post-8769695504860094187</id><published>2007-07-12T21:37:00.000-04:00</published><updated>2007-07-12T21:58:32.201-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Management'/><title type='text'>Spiceworks - Network Management System</title><content type='html'>I found spiceworks while reading one of my RSS feeds about 2 months ago. 
Spiceworks is a network management program that is completely free and just about as robust as much larger and much much more expensive ones.&lt;br /&gt;&lt;br /&gt;After reading about the program in the article and checking it out on their website (&lt;a href="http://www.spiceworks.com/"&gt;link here&lt;/a&gt;) I decided to download it and give it a try. The interface is web based. After some simple configuration to get it to work on your network it finds all of the devices. It will categorize and label everything. The program will tell you about the hardware and all of the specs that you need for your hardware inventory. It finds all of the software installed and can provide you with reports about who has what installed and whether or not you have enough licenses.&lt;br /&gt;&lt;br /&gt;Spiceworks also includes a helpdesk function. I just set this up and I was worried that I would need to create individual users manually (it doesn't have Active Directory integration). But once the user goes to the helpdesk site and enters the ticket, spiceworks will associate it with the hardware device where the user filled in the ticket. The username, computer name, IP address, and everything else that spiceworks already has in its database about the hardware device will show up. So far it is working great. 
I only wish that I could get the money in the paycheck for what I saved in a Network Management System.</content><link rel='replies' type='application/atom+xml' href='http://www.blogger.com/feeds/3958299164533609601/8769695504860094187/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=3958299164533609601&amp;postID=8769695504860094187' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3958299164533609601/posts/default/8769695504860094187'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3958299164533609601/posts/default/8769695504860094187'/><link rel='alternate' type='text/html' href='http://www.ITnetworkguru.com/2007/07/spiceworks-network-management-system.html' title='Spiceworks - Network Management System'/><author><name>Brad Foutz</name><uri>http://www.blogger.com/profile/10947628685973058401</uri><email>noreply@blogger.com</email></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3958299164533609601.post-948886922408023074</id><published>2007-06-05T17:22:00.000-04:00</published><updated>2007-06-05T17:22:49.995-04:00</updated><title type='text'>Acronis True Image Hell</title><content type='html'>&lt;span style="font-family:arial;"&gt;I use Acronis True Image Enterprise Server and Server for Windows to backup my servers. The past Monday I came into the office as I normally do. I open my email to check the status of the backups. I open a couple of them when one of them has a weird message. It says,&lt;br /&gt;&lt;br /&gt;"Cannot create the image of the logical drive C: because it is currently in use by running applications or the logical drive contains bad sectors. : None"&lt;br /&gt;&lt;br /&gt;along with a couple of other messages. 
I figure that the drive must have some bad sectors since the server is a production server so of course there are running applications. There have been applications running on it during the backup time for the past year and a half and there never was a problem. So, I restart the backup job thinking that it may have been some odd occurrence but I get the same error. I run a check disk with no options (this doesn't actually change or correct anything) and it fails. I now think that there must really be something wrong with the server. I schedule some downtime so I can run the chkdsk again. This time it runs OK and I give it a reboot. The message is still there after trying to restart the backup job. Now I really think that I need to run the chkdsk with the /r option to fix the bad sectors. This process starts at midnight (like I said...it is a production server) and it runs until 3 am (btw...I am up and waiting the whole time for it to finish). The machine reboots and I restart the backup job...same error!?&lt;br /&gt;&lt;br /&gt;Contacting tech support for Acronis is really only an email away. They don't seem to have phone support. I have used their email support before without any success. After sending a couple of emails back and forth with Acronis I get an email requesting that I run a program called "Devicetree.zip". At the end of this email there is a quick one sentence remark that says, "Please note that the application may crash the system when you exit, so we recommend you to save all your work and close other programs prior to running it." Crash my system?! 
Do I really want to run this program on my production server?!&lt;br /&gt;&lt;br /&gt;Anyway, I ended up buying another USB drive and using NTbackup while I figure out whether or not I want to continue to use Acronis or switch to Symantec.&lt;/span&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blogger.com/feeds/3958299164533609601/948886922408023074/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=3958299164533609601&amp;postID=948886922408023074' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3958299164533609601/posts/default/948886922408023074'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3958299164533609601/posts/default/948886922408023074'/><link rel='alternate' type='text/html' href='http://www.ITnetworkguru.com/2007/06/acronis-true-image-hell.html' title='Acronis True Image Hell'/><author><name>Brad Foutz</name><uri>http://www.blogger.com/profile/10947628685973058401</uri><email>noreply@blogger.com</email></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3958299164533609601.post-3984873920846133919</id><published>2007-05-02T09:34:00.000-04:00</published><updated>2007-05-02T08:34:54.337-04:00</updated><title type='text'>Windows 2003 Server 64-bit with ASP.NET 2.0 and 1.1</title><content type='html'>Microsoft once again wins the award for non-backwards compatibility. I recently ran into a problem running ASP.NET 2.0 and 1.1 on the same server. Part of this problem may have been my fault for not checking to make sure this was possible before using Windows 2003 Server x64. My current live webserver uses 32-bit and has 2.0 and 1.1 installed without any problem at all. I didn't think to check whether Microsoft would have a 64-bit release of both versions. 
ASP.NET 1.1 is only available in the 32-bit version so if you want to install both on a 64-bit machine you must run them both in 32-bit mode.&lt;br /&gt;&lt;br /&gt;Switching between 32-bit 1.1 and 64-bit 2.0&lt;br /&gt;&lt;a href="http://support.microsoft.com/kb/894435"&gt;http://support.microsoft.com/kb/894435&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;MSDN blog about the missing ASP.NET tab in IIS MMC. This also discusses how Microsoft has classified this as a "won't fix"&lt;br /&gt;&lt;a href="http://blogs.msdn.com/carloc/archive/2006/09/09/747702.aspx"&gt;http://blogs.msdn.com/carloc/archive/2006/09/09/747702.aspx&lt;/a&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blogger.com/feeds/3958299164533609601/3984873920846133919/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=3958299164533609601&amp;postID=3984873920846133919' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3958299164533609601/posts/default/3984873920846133919'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3958299164533609601/posts/default/3984873920846133919'/><link rel='alternate' type='text/html' href='http://www.ITnetworkguru.com/2007/05/windows-2003-server-64-bit-with-aspnet.html' title='Windows 2003 Server 64-bit with ASP.NET 2.0 and 1.1'/><author><name>Brad Foutz</name><uri>http://www.blogger.com/profile/10947628685973058401</uri><email>noreply@blogger.com</email></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3958299164533609601.post-8500081010005831404</id><published>2007-03-26T21:40:00.000-04:00</published><updated>2007-03-26T21:47:13.845-04:00</updated><title type='text'>ITToolbox Blog</title><content type='html'>&lt;span style="font-family:arial;"&gt;I have started using ITtoolbox as a place to mirror my blog.  
Please check it out. &lt;/span&gt;&lt;a href="http://blogs.ittoolbox.com/networking/itguru" target="_blank"&gt;&lt;span style="font-family:arial;"&gt;http://blogs.ittoolbox.com/networking/itguru&lt;/span&gt;&lt;/a&gt;&lt;span style="font-family:arial;"&gt; You can also see a photo of me :)&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;Brad&lt;/span&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blogger.com/feeds/3958299164533609601/8500081010005831404/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=3958299164533609601&amp;postID=8500081010005831404' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3958299164533609601/posts/default/8500081010005831404'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3958299164533609601/posts/default/8500081010005831404'/><link rel='alternate' type='text/html' href='http://www.ITnetworkguru.com/2007/03/ittoolbox-blog.html' title='ITToolbox Blog'/><author><name>Brad Foutz</name><uri>http://www.blogger.com/profile/10947628685973058401</uri><email>noreply@blogger.com</email></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3958299164533609601.post-6191626721816234832</id><published>2007-02-24T09:00:00.000-05:00</published><updated>2007-03-15T17:59:41.398-04:00</updated><title type='text'>Microsoft Windows Server Security</title><content type='html'>&lt;span style="font-family:arial;"&gt;&lt;strong&gt;Security Checklist for Windows 2003 Servers&lt;/strong&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;I created a personal checklist for locking down a server after building it. 
This is a compilation of reading security books and Windows security guides over the past couple of years. This checklist also assumes that you are putting your server behind a firewall with only the ports open that you need (port 80, 443 for example). The first thing I do is find out what role the server will take. Once you know what role it will be then there are a couple of settings that can be changed. A typical server that I used to set up a lot was a web server. I will use a web server as an example. Here is the base O/S. &lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;Windows 2003 Server Standard Edition (32-bit) &lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;IIS 6 installed with SMTP and FTP (I know that all of these roles shouldn't be on the same server and you probably wouldn't want to use Microsoft's SMTP or FTP but I used to, so I will write about it.)&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;&lt;strong&gt;Step One - Building Your Server&lt;/strong&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;When you build your server you should use NTFS as the file system. This is absolutely critical; I almost didn't mention it because it seems so obvious. After the basic installation make sure you run all of the Windows updates until they say "0". You may get a couple of hardware updates that you won't need if you are using the manufacturer's drivers instead of the windows drivers.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;&lt;strong&gt;Step Two - Lockdown FTP&lt;/strong&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;Unfortunately the default setting for a freshly installed server is still that anonymous access is allowed. So you must go into the IIS Manager MMC and change this. 
In the MMC expand the FTP sites folder until you see "Default FTP site", right click on this site and click properties. Once this window opens up click on the "Security Accounts" tab and uncheck the "Allow anonymous connections" checkbox. After you uncheck this checkbox Microsoft will warn you about how this action will allow users to see the username and password in plaintext. This is true and one of the reasons why you shouldn't use Microsoft's FTP. Use one that implements FTP over SSL. &lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.itnetworkguru.com/uploaded_images/ftp_anonymous-763275.jpg"&gt;&lt;img style="MARGIN: 0px 10px 10px 0px; CURSOR: hand" alt="" src="http://www.itnetworkguru.com/uploaded_images/ftp_anonymous-761968.jpg" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;&lt;strong&gt;&lt;/strong&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;&lt;strong&gt;Step Three - Lockdown SMTP&lt;/strong&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;My experience with MS's SMTP is that either it is used for Exchange or SQL Server used it to send out messages to the developers for whatever trigger they set. Thankfully, MS has decided not to allow relaying as the default setting in Windows 2003. Whenever I set it up I always went one step further and didn't let any computers connect except for the ones that I allowed. In order to access the settings of the SMTP server go to the IIS Manager MMC and right click on "Default SMTP Virtual Server" and click on properties. Next click on the "Access" tab and the bottom two boxed areas are what we want to change. So the settings would be as follows:&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Arial;"&gt;1. Connection Control - Set to "Only the list below" with either your IP range or the one or two other computers that need to connect to it. Remember to add the local server if it will be connecting to it to send messages. 
&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Arial;"&gt;2. Relay Restrictions - Set it exactly how Connection Control is set. Remember to add the local server if it will be connecting to it to send messages. &lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:Arial;"&gt;&lt;strong&gt;Step Four - Disable Any Services that the Web Server Won't Need&lt;/strong&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Arial;"&gt;Here are a couple of services that I would stop and disable for a web server:&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Arial;"&gt;1. Print Spooler&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Arial;"&gt;2. &lt;/span&gt;&lt;span style="font-family:arial;"&gt;Wireless Configuration&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;3. Windows Audio&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;Since Windows 2003 already disables services like "Alerter" and "Messenger", most of the services that I disable are to make sure that RAM and other server resources don't get allocated to starting, stopping and managing them.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:Arial;"&gt;&lt;strong&gt;Step Five - Change the Local Security Policy&lt;/strong&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Arial;"&gt;There are many settings in the local security policy that should be changed to increase security. In order to access the local security policy click on Start/Administrative Tools/Local Security Policy. You will see five different sub-sections: Account Policies, Local Policies, Public Key Policies, Software Restriction Policies and IP Security Policies on Local Computer. I will be discussing the first two, Account Policies and Local Policies. 
&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Arial;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Arial;"&gt;&lt;strong&gt;Account Policies&lt;/strong&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Arial;"&gt;Within Account Policies there are two sub-sections, Password Policy and Account Lockout Policy. My custom password policy uses the following settings with success (so far). &lt;em&gt;Remember, I don't work for the government; if I did, these settings would probably be much more restrictive.&lt;/em&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Arial;"&gt;&lt;strong&gt;Password policy&lt;/strong&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Arial;"&gt;Enforce password history - 4 passwords remembered&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:Arial;"&gt;Maximum password age - 90 days&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:Arial;"&gt;Minimum password age - 2 days&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:Arial;"&gt;Minimum password length - 8 Characters&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:Arial;"&gt;Password must meet complexity requirements - enabled. &lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Arial;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Arial;"&gt;&lt;strong&gt;Account lockout policy&lt;/strong&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;&lt;span style="font-family:Arial;"&gt;Account lockout duration - 30 minutes&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:Arial;"&gt;Account lockout threshold - 10 invalid logon attempts&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:Arial;"&gt;Reset account lockout counter after - 30 minutes. &lt;/span&gt;&lt;/p&gt;&lt;span style="font-family:Arial;"&gt;I have heard many different ways to set this. Some set the threshold to 3 attempts; others never reset the lockout counter (in this case an administrator must manually unlock it). 
My belief is that my settings will stop any hacker from trying a dictionary or brute-force attack on your password. &lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Arial;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Arial;"&gt;&lt;strong&gt;Local Policies&lt;/strong&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Arial;"&gt;Within this section there are three sub-sections: Audit Policy, User Rights Assignment and Security Options.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:Arial;"&gt;Audit Policy - I used to log everything but this really only allows for a couple of hours of security logs. I now set this to failure for everything and success for "Audit account logon events". &lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;&lt;span style="font-family:Arial;"&gt;User Rights Assignments - Here I remove the Everyone group anywhere I see it. The following policies should have it: &lt;/span&gt;&lt;span style="font-family:Arial;"&gt;Access this computer from the network and &lt;/span&gt;&lt;span style="font-family:Arial;"&gt;Bypass traverse checking.&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-family:Arial;"&gt;Security Options - Once again Microsoft has changed some of these settings to be a more restrictive security setting. I will discuss the ones that I change. I will not go through each one, but starting at the top I will move down, probably skipping several entries until you see the next one. &lt;/span&gt;&lt;span style="font-family:Arial;"&gt;&lt;/p&gt;&lt;/span&gt;&lt;span style="font-family:Arial;"&gt;&lt;p&gt;Accounts: Rename administrator account - Change this to anything you want besides the default &lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-family:Arial;"&gt;Interactive logon: Message text for users attempting to log on - Put some warning in this area along with an "if you aren't authorized do not logon" also. I got something that I saw about the local computer system law. It looks pretty good. 
(If you want it just email me)&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-family:Arial;"&gt;Interactive logon: Message title for users attempting to log on - This is the title of the window. Put something like "WARNING!", just a simple one line of text for this one.&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-family:Arial;"&gt;Interactive logon: Prompt user to change password before expiration - the default is 14 days. That seems like a long time to me. I change this to 3 days.&lt;/span&gt;&lt;/p&gt;&lt;span style="font-family:Arial;"&gt;Most of the other settings should be in a "locked down" state. There are detailed Microsoft guides that discuss exactly what each of these settings does. If you want some more detail then &lt;a href="http://www.microsoft.com/downloads/details.aspx?familyid=8A2643C1-0685-4D89-B655-521EA6C7B4DB&amp;amp;displaylang=en" target="_blank"&gt;click here&lt;/a&gt;. One caveat about the local security policy is that if the server is part of a Windows domain then a domain security policy will replace the local security policy.&lt;/span&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blogger.com/feeds/3958299164533609601/6191626721816234832/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=3958299164533609601&amp;postID=6191626721816234832' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3958299164533609601/posts/default/6191626721816234832'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3958299164533609601/posts/default/6191626721816234832'/><link rel='alternate' type='text/html' href='http://www.ITnetworkguru.com/2007/02/microsoft-windows-server-security.html' title='Microsoft Windows Server Security'/><author><name>Brad 
Foutz</name><uri>http://www.blogger.com/profile/10947628685973058401</uri><email>noreply@blogger.com</email></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3958299164533609601.post-3023252729660131274</id><published>2007-02-19T21:54:00.000-05:00</published><updated>2007-02-19T21:54:33.777-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Hardware'/><title type='text'>HP Procurve 2810 Switch Setup</title><content type='html'>&lt;span style="font-family:arial;"&gt;&lt;strong&gt;Using &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_0"&gt;VLANs&lt;/span&gt; for &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_1"&gt;Failover&lt;/span&gt;/Disaster Recovery&lt;/strong&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Arial;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;A recent project at work required me to implement a couple of switches with &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_2"&gt;VLANs&lt;/span&gt;. I decided that I would be able to include a &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_3"&gt;failover&lt;/span&gt;/disaster recovery setup with two &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_4"&gt;VLANs&lt;/span&gt; and two switches. Just to refresh anyone about my project; it is a Microsoft Windows 2003 Server (R2) &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_5"&gt;webfarm&lt;/span&gt; with Microsoft &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_6"&gt;SQL&lt;/span&gt; Server 2005 back-end &lt;/span&gt;&lt;a href="http://www.itnetworkguru.com/2007/02/my-latest-project.html"&gt;&lt;span style="font-family:arial;"&gt;(click here)&lt;/span&gt;&lt;/a&gt;&lt;span style="font-family:arial;"&gt;. The switches I chose were HP &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_7"&gt;procurve&lt;/span&gt; 2810-24G for the following reasons:&lt;br /&gt;&lt;br /&gt;1. 
&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_8"&gt;Procurve&lt;/span&gt; switches have a lifetime warranty.&lt;br /&gt;2. &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_9"&gt;Procurve&lt;/span&gt; switches are one of the top 3 in the switch manufacturer business.&lt;br /&gt;3. The ease in which they can be setup.&lt;br /&gt;4. My personal familiarity and experience working with &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_10"&gt;Procurves&lt;/span&gt;.&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:arial;"&gt;&lt;strong&gt;Some background about these switches.&lt;br /&gt;&lt;/strong&gt;&lt;br /&gt;HP &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_11"&gt;Procurve&lt;/span&gt; switches are data center class switches that have a choice of three different interfaces and two forms of accessing them. The three interfaces are; &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_12"&gt;CLI&lt;/span&gt; (command line interface), web based and text based. I have never used the &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_13"&gt;CLI&lt;/span&gt; but I would imagine that it is similar to &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_14"&gt;Cisco's&lt;/span&gt; switch &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_15"&gt;CLI&lt;/span&gt;. The text based interface is what I use. This interface can be extremely fast once you get used to navigating the menus. I am able to &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_16"&gt;logon&lt;/span&gt; change a port to a different &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_17"&gt;VLAN&lt;/span&gt; and &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_18"&gt;logoff&lt;/span&gt; within about 10-15 seconds. The web GUI takes that long just to &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_19"&gt;logon&lt;/span&gt;. 
I do like the web GUI to get a "feel" for the switch and the traffic patterns, but the full feature set when configuring these is not available. Creating &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_20"&gt;VLANs&lt;/span&gt;, for example, cannot be done with the web based GUI. The text based or &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_21"&gt;CLI&lt;/span&gt; are needed for such configurations. The two ways of accessing these switches are with the console port or by the &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_22"&gt;IP&lt;/span&gt; address. The console port is the "first time" way to access the switch. It doesn't have an &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_23"&gt;IP&lt;/span&gt; address with the factory default settings.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Initial switch setup&lt;/strong&gt;&lt;br /&gt;Once you have connected to the switch with the console cable you are presented with a &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_24"&gt;CLI&lt;/span&gt; prompt. At this point type "setup" without quotes. This will bring up the Switch Setup menu. You have several options at this point. You can give the switch a name, set up &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_25"&gt;SNMP&lt;/span&gt;, change the &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_26"&gt;logon&lt;/span&gt; default (&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_27"&gt;CLI&lt;/span&gt; or text) and give it an &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_28"&gt;IP&lt;/span&gt; address among other options. I filled out all of the needed &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_29"&gt;IP&lt;/span&gt; information and chose text for the &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_30"&gt;logon&lt;/span&gt; default. 
I saved the settings then connected by &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_31"&gt;IP&lt;/span&gt; address.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;How I setup my switches&lt;/strong&gt;&lt;br /&gt;Once again to review. I am connecting to the switches by &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_32"&gt;IP&lt;/span&gt; address through Ethernet and utilizing the text menu to configure them. My &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_33"&gt;webfarm&lt;/span&gt; is similar to the majority of &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_34"&gt;webfarms&lt;/span&gt; out there. There is a front-end network for handling the Internet traffic and a back-end network for &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_35"&gt;intra&lt;/span&gt;-system communication. This is pretty standard stuff, I may write a post about it or you can email me and I can explain it to you (&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_36"&gt;bradATitnetworkguruDOTcom&lt;/span&gt;). Back to how I setup my switches. I have two switches, one for each network. But since I only need to use about 8 ports, I setup half of the ports in one &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_37"&gt;VLAN&lt;/span&gt; and the other half in another one (photo of my &lt;/span&gt;&lt;span style="font-family:arial;"&gt;firewall and switch setup is &lt;/span&gt;&lt;a href="http://itnetworkguru.com/images/IMG_0113.jpg" target="'_blank"&gt;&lt;span style="font-family:arial;"&gt;here&lt;/span&gt;&lt;/a&gt;&lt;span style="font-family:arial;"&gt;). The front-end switch currently has the &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_38"&gt;webservers&lt;/span&gt; and the &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_39"&gt;uplinks&lt;/span&gt; to the firewalls as the only ports used. 
So, with my two &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_40"&gt;webservers&lt;/span&gt; and &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_41"&gt;failover&lt;/span&gt; firewalls attached to the switch only 4 ports are used. The photo shows the other ports on the right being used also but this is for firewall external ports and are only used temporarily. The back-end switch (bottom one in the photo) has teamed &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_42"&gt;NICs&lt;/span&gt; using &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_43"&gt;LACP&lt;/span&gt; (&lt;a href="http://en.wikipedia.org/wiki/Link_aggregation" target="_blank"&gt;802.3ad&lt;/a&gt;). This means that I am using two physical cables per logical network connection. This also means that I am using twice the amount of switch ports. &lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;In order to configure the &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_44"&gt;VLANs&lt;/span&gt; with the text menu do the following;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Arial;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Arial;"&gt;1. &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_45"&gt;Logon&lt;/span&gt; to the switch with telnet in manager mode&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Arial;"&gt;2. press number 2 "Switch Configuration"&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Arial;"&gt;3. press number 7 "&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_46"&gt;VLAN&lt;/span&gt; Menu..."&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Arial;"&gt;4. press number 1 "&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_47"&gt;VLAN&lt;/span&gt; Names"&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Arial;"&gt;5. 
press "Add"&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Arial;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Arial;"&gt;&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_48"&gt;VLANs&lt;/span&gt; can be added at this point. The 802.1Q &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_49"&gt;VLAN&lt;/span&gt; ID can be any unique number from 1 - 4096. The name can be anything you want also (up to 12 characters). I call it something descriptive like &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_50"&gt;BackEnd&lt;/span&gt; for the back-end network. &lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Arial;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Arial;"&gt;6. press "save"&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Arial;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Arial;"&gt;Repeat this procedure for adding as many &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_51"&gt;VLANs&lt;/span&gt; as you need. We should now have at least 2 &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_52"&gt;VLANs&lt;/span&gt;, one for the front-end traffic and one for the back-end traffic. None of our switch ports are in the new &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_53"&gt;VLANs&lt;/span&gt; yet but I will go over this in a moment. But first let's create the switch trunks. &lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Arial;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Arial;"&gt;I would recommend creating the trunks at this point. We are creating the trunks for the teamed &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_54"&gt;NICs&lt;/span&gt; in the back-end, one trunk per teamed &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_55"&gt;NIC&lt;/span&gt;. After this step we can go back and add the necessary ports to the &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_56"&gt;VLANs&lt;/span&gt;. 
If we add the ports now and then create the trunks we will have to go back and add the trunks. It seems like double the amount of work. &lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Arial;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Arial;"&gt;To create the trunks make sure you are still logged on in manager mode with telnet in text menu mode. &lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Arial;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Arial;"&gt;1. press number 2 "Switch Configuration"&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Arial;"&gt;2. press number 2 "Port/Trunk Settings"&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Arial;"&gt;3. scroll to Edit option with the arrow keys and press enter. &lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Arial;"&gt;4. scroll to the ports that you are using for your teamed &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_57"&gt;NICs&lt;/span&gt;. I always put these &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_58"&gt;NICs&lt;/span&gt; in sequential order. So for example port 13 and 14 will be for &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_59"&gt;Trk&lt;/span&gt;1&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Arial;"&gt;5. scroll over to "Group" and press the space bar to change the trunk number. If this is the first trunk then I would recommend "&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_60"&gt;Trk&lt;/span&gt;1"&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Arial;"&gt;6. scroll to the right to the "Type" column and press the space bar until you see "&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_61"&gt;LACP&lt;/span&gt;". &lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Arial;"&gt;7. 
scroll to the port of second &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_62"&gt;NIC&lt;/span&gt; in the team and follow the same procedure as the first &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_63"&gt;NIC&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Arial;"&gt;8. Repeat steps 5 -7 until you have all of the teamed &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_64"&gt;NICs&lt;/span&gt; in separate trunks. &lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Arial;"&gt;9. Once finished press enter and save. &lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Arial;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Arial;"&gt;We are now ready to add all of the ports necessary to the proper &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_65"&gt;VLAN&lt;/span&gt;. Since I only have 2 &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_66"&gt;VLANs&lt;/span&gt; and I want half of the ports in one and the other half in the other it is pretty simple. First we need to get back into the &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_67"&gt;VLAN&lt;/span&gt; Menu. We do this by doing the same &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_68"&gt;VLAN&lt;/span&gt; steps that we did to create the &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_69"&gt;VLAN&lt;/span&gt;. &lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Arial;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;1. &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_70"&gt;Logon&lt;/span&gt; to the switch with telnet in manager mode&lt;br /&gt;2. press number 2 "Switch Configuration"&lt;br /&gt;3. press number 7 "&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_71"&gt;VLAN&lt;/span&gt; Menu..." &lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;4. 
press number 3 "&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_72"&gt;VLAN&lt;/span&gt; Port Assignment"&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;5. Scroll to Edit and press enter.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;6. Scroll with the arrow keys to the first port that you want to change.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;Each port that you want in a &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_73"&gt;VLAN&lt;/span&gt; must be "untagged" only for that &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_74"&gt;VLAN&lt;/span&gt;. You can't &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_75"&gt;untag&lt;/span&gt; a port in two &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_76"&gt;VLANs&lt;/span&gt;. As you look at the GUI, all of the ports should be untagged in the Default_&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_77"&gt;VLAN&lt;/span&gt; and a "No" in the second &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_78"&gt;VLAN&lt;/span&gt; column. You can use the Default_&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_79"&gt;VLAN&lt;/span&gt; as one of your &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_80"&gt;VLANs&lt;/span&gt;, as I did. 
&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_81"&gt;If&lt;/span&gt; we are adding ports to the back-end &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_82"&gt;VLAN&lt;/span&gt; then we need to highlight the port in the default_&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_83"&gt;VLAN&lt;/span&gt; column and do the following;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;em&gt;&lt;span style="font-family:arial;"&gt;REMEMBER: Changing the port that you are using to connect to the switch will disconnect you!&lt;/span&gt;&lt;/em&gt;&lt;br /&gt;&lt;em&gt;&lt;span style="font-family:Arial;"&gt;&lt;/span&gt;&lt;/em&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;7. press the space bar twice until it says "No". &lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;8. scroll to the right and press the space bar twice again until it says, "No". &lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;9. repeat this procedure until all of the ports are untagged in the proper VLAN. &lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;10. press enter and scroll to Save and press enter.&lt;/span&gt;&lt;br /&gt;&lt;p&gt;&lt;span style="font-family:arial;"&gt;That's it, once you are ready to log off&lt;/span&gt;&lt;span style="font-family:arial;"&gt; press 0 twice to exit the menu and confirm the &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_84"&gt;logoff&lt;/span&gt;.&lt;/span&gt; &lt;/p&gt;&lt;p&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;&lt;strong&gt;How the &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_85"&gt;Failover&lt;/span&gt;/Disaster Recovery Works&lt;/strong&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;The reason for setting up the switches in this manner is for &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_86"&gt;failover&lt;/span&gt;. As I mentioned earlier the HP switches have a lifetime warranty. 
But the problem is what do you do after the switch fails and you are waiting for a replacement. With this setup any of the switches can fail and my total downtime will be dependent on how long it takes me to drive to the data center or for the data center staff to change over all of the ports. This is an acceptable risk considering that only one HP switch has ever &lt;/span&gt;&lt;span style="font-family:arial;"&gt;failed on me in my career. &lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-family:arial;"&gt;&lt;strong&gt;Conclusion&lt;br /&gt;&lt;/strong&gt;This is how you create &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_87"&gt;VLANs&lt;/span&gt; and use switches for disaster recovery. This is a very basic introduction to &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_88"&gt;VLANs&lt;/span&gt; and I didn't get into the other options such as tagging and &lt;span class="blsp-spelling-corrected" id="SPELLING_ERROR_89"&gt;forbidding&lt;/span&gt; ports. I will save this for another post...&lt;/span&gt;&lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blogger.com/feeds/3958299164533609601/3023252729660131274/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=3958299164533609601&amp;postID=3023252729660131274' title='8 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3958299164533609601/posts/default/3023252729660131274'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3958299164533609601/posts/default/3023252729660131274'/><link rel='alternate' type='text/html' href='http://www.ITnetworkguru.com/2007/02/hp-procurve-2810-switch-setup.html' title='HP Procurve 2810 Switch Setup'/><author><name>Brad Foutz</name><uri>http://www.blogger.com/profile/10947628685973058401</uri><email>noreply@blogger.com</email></author><thr:total 
xmlns:thr='http://purl.org/syndication/thread/1.0'>8</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3958299164533609601.post-4598296395720041189</id><published>2007-02-18T10:07:00.000-05:00</published><updated>2007-02-18T10:37:23.781-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Infrastructure'/><title type='text'>Data Centers Use 90% More Electricity</title><content type='html'>&lt;a href="http://i.cmpnet.com/informationweek/1126/energy_chart.gif" target="_blank"&gt;&lt;img style="FLOAT: left; MARGIN: 0px 10px 10px 0px; WIDTH: 200px; CURSOR: hand" alt="" src="http://i.cmpnet.com/informationweek/1126/energy_chart.gif" border="0" /&gt;&lt;/a&gt; &lt;span style="font-family:arial;"&gt;Data centers are using 90% more electricity. It's not because of the price of electricity, though; it is the number of servers that each data center houses. The main factor behind such a large increase is the number of smaller low-end servers. These lower-end servers are used for VoIP, video and music. A way to stop such an increase from continuing is using virtualization software. 
This will reduce the physical number of servers needed thus reducing the amount of electricity needed.&lt;br /&gt;&lt;/span&gt;&lt;div&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;[Via &lt;/span&gt;&lt;a href="http://www.informationweek.com/industries/showArticle.jhtml?articleID=197006830" target="_blank"&gt;&lt;span style="font-family:arial;"&gt;InformationWeek&lt;/span&gt;&lt;/a&gt;&lt;span style="font-family:arial;"&gt;]&lt;/span&gt; &lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blogger.com/feeds/3958299164533609601/4598296395720041189/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=3958299164533609601&amp;postID=4598296395720041189' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3958299164533609601/posts/default/4598296395720041189'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3958299164533609601/posts/default/4598296395720041189'/><link rel='alternate' type='text/html' href='http://www.ITnetworkguru.com/2007/02/data-centers-use-90-more-electricity.html' title='Data Centers Use 90% More Electricity'/><author><name>Brad Foutz</name><uri>http://www.blogger.com/profile/10947628685973058401</uri><email>noreply@blogger.com</email></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3958299164533609601.post-6041998972143223293</id><published>2007-02-11T09:47:00.000-05:00</published><updated>2007-02-15T20:36:07.263-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Management'/><title type='text'>HP Integrated Lights-Out 2 (iLO) - Management Network</title><content type='html'>&lt;span style="font-family:arial;"&gt;My past experience was unfortunately with Dell servers. I could never convince my old employer that HP servers were better. 
I guess they didn't care or didn't mind that I needed to drive to the data center to reboot a frozen server in the middle of the night. At my new job with uptime being so important the obvious choice for servers was HP. Compared to Dell...well there is no comparison. Dell is always a generation behind on their management programs. I had limited experience with HP servers at some of my old clients and I could see that this is the way to go. &lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;There are several versions of the &lt;a href="http://h18000.www1.hp.com/products/servers/management/remotemgmt.html" target="_blank"&gt;iLO software&lt;/a&gt; and every HP Proliant DL server comes with the basic version. The basic version gives you virtual power switch control. You have a couple of options whether you want to just press the power button or press and hold for several seconds. The basic version is what I am using for now. My main concern is rebooting a frozen server at 3:00am without having to drive to the data center ;). The advanced version gives you full KVM access even to the boot screen. I haven't recommended to management the advanced version yet, but I can see that having it would be very useful. &lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:Arial;"&gt;The way I set up my server environment was with a separate private "iLO network". The network is totally closed with no access to the Internet. I have a separate server which I use for monitoring my production servers. (See my blog "&lt;a href="http://www.itnetworkguru.com/2007/02/my-latest-project.html" target="_blank"&gt;My Latest Project"&lt;/a&gt; for a description of the hardware setup.) First I setup all of my production servers with an iLO "private" 192.168.0.0/24 network address. You do this when the server boots, press F8 when you see the iLO prompt. There are several options in this menu. 
You need to turn off "get a DHCP address" and manually input your private IP address. I chose a simple sequential numbering scheme starting with 192.168.0.3 for my servers (.1 and .2 are for my two firewalls). 192.168.0.9 is my last IP address, which is for the monitoring server. I actually probably can never access this server with iLO when it crashes, since my only access is from this same server. &lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Arial;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Arial;"&gt;Here is my monitoring server NIC setup.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Arial;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Arial;"&gt;NIC 1 - front-end IP address&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Arial;"&gt;NIC 2 - back-end 172.16.0.0/24 address&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Arial;"&gt;NIC 3 - iLO network 192.168.0.9&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Arial;"&gt;NIC 4 - iLO management 192.168.0.8&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Arial;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Arial;"&gt;From this server I can see all of my other servers with the iLO web interface. As long as this server is up and running I will be able to reboot and control my production servers. &lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Arial;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Arial;"&gt;The NICs of my other production web/sql servers are set up in a similar way except they only have the front-end, back-end and iLO management NICs. These servers can't actually communicate over the iLO network; they only listen for commands from the monitoring server. Within my production setup (photo of my firewall/switch setup &lt;a href="http://www.itnetworkguru.com/images/IMG_0113.jpg" target="_blank"&gt;here&lt;/a&gt;) I don't include my iLO switch. 
Since the production network can't have any downtime I bought a pair of high-end switches. But the uptime of the iLO network is not as critical so I just used a cheap workgroup switch. If it fails then no big deal. I will just go buy another one and pop it in during business hours. I think the risk of this switch failing and one of the servers failing at the same time is very low. &lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Arial;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Arial;"&gt;That's it...the iLO network is set up. I put some favorites in my web browser so I could quickly access each server without having to remember the IP address. Also, for a cool effect, use different color Ethernet cables for each network. I personally try to use a different color for each one: one for the front-end, one for the back-end and a different one for the iLO network. Makes it easier when it is time to move on and the new sys admin is trying to figure out how the system works...but we don't care about him/her now do we???? 
:)&lt;/span&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blogger.com/feeds/3958299164533609601/6041998972143223293/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=3958299164533609601&amp;postID=6041998972143223293' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3958299164533609601/posts/default/6041998972143223293'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3958299164533609601/posts/default/6041998972143223293'/><link rel='alternate' type='text/html' href='http://www.ITnetworkguru.com/2007/02/hp-integrated-lights-out-2-ilo.html' title='HP Integrated Lights-Out 2 (iLO) - Management Network'/><author><name>Brad Foutz</name><uri>http://www.blogger.com/profile/10947628685973058401</uri><email>noreply@blogger.com</email></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3958299164533609601.post-4038133823062803421</id><published>2007-02-10T13:56:00.000-05:00</published><updated>2007-02-10T14:43:36.744-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Hardware'/><title type='text'>Setting up two Cisco ASA 5510s - Active/Passive</title><content type='html'>&lt;span style="font-family:arial;"&gt;Part of the project for doublepositive was to set up everything so that if one piece of hardware failed a backup would be in place and able to handle the failure. While spec'ing the requirements for this project I looked at the 5505 and the 5510s. 
Both are on the lower end as far as capacity and throughput go &lt;/span&gt;&lt;a href="http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html" target="_blank"&gt;&lt;span style="font-family:arial;"&gt;(Here is a link to their specs)&lt;/span&gt;&lt;/a&gt;&lt;span style="font-family:arial;"&gt;, but for the amount of traffic we are anticipating the 5510 would work well for the next 3-5 years. The 5510 also has &lt;strong&gt;stateful&lt;/strong&gt; active/passive failover; the 5505 does not. Since most if not all of our applications require clients to use our web applications, a stateful failover is very important. &lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Arial;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Arial;"&gt;The 5510 has 7 Ethernet ports. One for each of the following: management, console, aux and 4 for actually handling the traffic. The management port is nice since it has a built-in DHCP server. I used this for the initial setup (no crossover cable needed). The console port is for the CLI interface. I normally use this for my day-to-day administration like access list changes, adding static maps or names. I have never used the aux port before; if anyone does use it and would like to share their experience with it, let me know. The 4 traffic ports can be set up in any way that you like. They are numbered from 0-3. I have the 0 port as my outside interface, port 1 as my inside, port 2 as my failover port and port 3 as my stateful failover port. Using a separate port for the stateful failover port is optional but since I will not have any other networks (just inside and outside) I chose to use the extra port. &lt;a href="http://itnetworkguru.com/images/IMG_0113.jpg" target="_blank"&gt;Here is a link to a photo of my setup&lt;/a&gt;. Once you come up with an IP scheme or are given an IP address to use, the setup is pretty straightforward. 
&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Arial;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Arial;"&gt;More on this in the next part...&lt;/span&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blogger.com/feeds/3958299164533609601/4038133823062803421/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=3958299164533609601&amp;postID=4038133823062803421' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3958299164533609601/posts/default/4038133823062803421'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3958299164533609601/posts/default/4038133823062803421'/><link rel='alternate' type='text/html' href='http://www.ITnetworkguru.com/2007/02/setting-up-two-cisco-asa-5510s.html' title='Setting up two Cisco ASA 5510s - Active/Passive'/><author><name>Brad Foutz</name><uri>http://www.blogger.com/profile/10947628685973058401</uri><email>noreply@blogger.com</email></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3958299164533609601.post-553888534504127189</id><published>2007-02-07T21:51:00.000-05:00</published><updated>2007-02-11T21:03:51.100-05:00</updated><title type='text'>Cisco/HP Hardware Project</title><content type='html'>&lt;span style="font-family:arial;"&gt;Here is what I have been doing lately. Some background...The company I work for needed to expand their IT infrastructure from a small business server with one additional webserver to a web server farm with replicated SQL servers. They are a Microsoft shop (and that is where my talents are also) so they use MS for everything. I was given one requirement...the system can't go down. So with this in mind I was going to build the system of my dreams. 
At the beginning I had visions of geographically load balanced farms in several locations. Maybe one in Spain and one in the US. Just so I could have a reason to go to Europe ;). But of course $ matters so I needed to build something a bit more realistic. &lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;Here is the system that I build(ing). &lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:Arial;"&gt;2 - Cisco ASA 5510 (with security bundle)&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Arial;"&gt;2 - HP Procurve switches (2810-24G)&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Arial;"&gt;2 - HP ProLiant DL 380 G5 Web Servers&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Arial;"&gt;2 - HP ProLiant DL 380 G5 SQL Servers&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Arial;"&gt;1 - HP ProLiant DL 320 G5 Monitoring Server&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Arial;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Arial;"&gt;The two 5510s are set up in an Active/Passive failover configuration. Here is the document I used to set this up. &lt;a href="http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a008063b31a.html"&gt;Click Here&lt;/a&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;The two HP Procurve switches are set up in a sort of manual failover. I have each switch set up with 2 VLANs. One VLAN is for the Front-end (web) traffic and the other is for the Back-end (SQL) traffic. Each of these switches is only using one of the VLANs at a time, unless a switch fails. When this happens I will be able to (drive to the datacenter to do this but...) move all of the cables from the failed switch to the one that is functioning and everything will come back up. Here is a link for more information about these switches. 
&lt;a href="http://www.hp.com/rnd/products/switches/ProCurve_Switch_2810_Series/features.htm"&gt;Click Here&lt;/a&gt; &lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Arial;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Arial;"&gt;All of the HP 380 Servers are in the same failover configuration except for the amount of RAM and disk drives. The webservers have 2GB of RAM and a RAID 1 with SAS 72GB drives. The SQL servers have 4 GB of RAM with the same RAID 1 as the webservers but also a RAID 5 for the database files. I choose 5 - 146GB SAS drives for this. The NIC configuration is a little different. For the web servers I used 2 - PCIe dual gig NICs along with the on-board NICs. I was able to team two of the ports of each PCIe NIC with each other to provide cable, switch port, and NIC port failure. (LACP trunking needed to be set up on the switches) &lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Arial;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Arial;"&gt;The HP 320 server is a 1U server and isn't to powerful or special. This server will have adventNet's &lt;a href="http://manageengine.adventnet.com/products/opmanager/"&gt;OpManager&lt;/a&gt; and HP's insight manager installed on it an will be used to monitor (and send me emails in the middle of the night). 
I will also use this server for the database mirror witness role but more about this another night...&lt;/span&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blogger.com/feeds/3958299164533609601/553888534504127189/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=3958299164533609601&amp;postID=553888534504127189' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3958299164533609601/posts/default/553888534504127189'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3958299164533609601/posts/default/553888534504127189'/><link rel='alternate' type='text/html' href='http://www.ITnetworkguru.com/2007/02/my-latest-project.html' title='Cisco/HP Hardware Project'/><author><name>Brad Foutz</name><uri>http://www.blogger.com/profile/10947628685973058401</uri><email>noreply@blogger.com</email></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3958299164533609601.post-4071732423240657344</id><published>2007-02-07T20:15:00.000-05:00</published><updated>2007-02-07T20:39:05.376-05:00</updated><title type='text'>Technology Companies</title><content type='html'>&lt;span style="font-family:arial;"&gt;I sometimes wonder how a company can stay in business. I used to work for a company that would stumble over itself internally. Every manager or vice president had his/her own idea about how to do something. One vice president would want to direct the company toward a special technology and another one would want to move another way. They would accept contracts for which they didn't have any specialists. They would then feverishly look for someone with that speciality (even offering referral bonuses to employees). If they couldn't find someone they would turn down the contract. 
I really couldn't believe it.&lt;/span&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blogger.com/feeds/3958299164533609601/4071732423240657344/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=3958299164533609601&amp;postID=4071732423240657344' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3958299164533609601/posts/default/4071732423240657344'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3958299164533609601/posts/default/4071732423240657344'/><link rel='alternate' type='text/html' href='http://www.ITnetworkguru.com/2007/02/technology-companies.html' title='Technology Companies'/><author><name>Brad Foutz</name><uri>http://www.blogger.com/profile/10947628685973058401</uri><email>noreply@blogger.com</email></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3958299164533609601.post-7619575289929182595</id><published>2007-02-06T21:41:00.000-05:00</published><updated>2007-02-06T21:46:13.786-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Blog up and running'/><title type='text'>Will this technology Work?</title><content type='html'>&lt;span style="font-family:arial;"&gt;Here I am starting to blog. I remember hating to write when I was in school. 
I guess that is what happens when you get old.&lt;/span&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blogger.com/feeds/3958299164533609601/7619575289929182595/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=3958299164533609601&amp;postID=7619575289929182595' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3958299164533609601/posts/default/7619575289929182595'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3958299164533609601/posts/default/7619575289929182595'/><link rel='alternate' type='text/html' href='http://www.ITnetworkguru.com/2007/02/will-this-technology-work.html' title='Will this technology Work?'/><author><name>Brad Foutz</name><uri>http://www.blogger.com/profile/10947628685973058401</uri><email>noreply@blogger.com</email></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry></feed>