
Upgrade Juniper SA cluster

January 26th, 2010 | No Comments

A Juniper SA cluster can be configured as an active/active or an active/standby cluster. An active/active cluster uses an external load balancer or DNS round-robin to share load across multiple appliances. Today I had to upgrade an active/standby cluster and found a KB article on the Juniper website (restricted access) describing the preferred upgrade method.

Juniper uses the following steps to upgrade a cluster:

  1. Log in directly to a member of the cluster as administrator;
  2. Disable the member from the cluster;
  3. Upgrade the service package on the disabled member;
  4. After the upgrade has completed, log back in to the IVE and enable the disabled member in the cluster configuration;

The following notes are mentioned by Juniper:

  • In active/standby cluster mode it is recommended to start the upgrade with the passive member. Once the passive IVE has been upgraded and you move on to the active IVE, note that all connections are dropped when the active IVE is disabled; after the active node has been disabled, the passive IVE becomes active;
  • Once the upgraded member is enabled back in the cluster, it shows the other nodes as Unreachable. This is expected behavior: the cluster members run different versions and therefore cannot sync with each other;
  • When the second IVE is upgraded, all user connections are dropped and not migrated because of the software version mismatch. This limitation is addressed in 4.0 with the minimal-downtime cluster upgrade, available in the licensable Central Manager feature set;

I followed the steps above and the upgrade of the IVE cluster went smoothly. I disabled the passive node and upgraded the firmware with the new package. After the upgrade (and a reboot) the passive node was reachable in standalone mode. Next I logged in to the active IVE and enabled the passive node back into the cluster. When you hit Enable you receive a warning that the configuration of the new cluster node will be erased and overwritten with the configuration of the active node. Just choose Yes. Because the joining node's configuration is overwritten, it is worth exporting the active node's configuration before you start, so you have something to fall back on if the join goes wrong.

After enabling the passive node you will lose your web session with the active node. The VIP address is taken over by the new node in the cluster and the “old active” node starts updating automatically. This is a little tricky, because you see nothing of the update process taking place. Just have patience and ping the node to check when it is online again. When the node is back online, log in to the IVE and check the Cluster Status. Both IVEs are now updated and members of the cluster. You can then do a manual Fail-Over IP to the “old active” node so everything is back in the state it was in before the upgrade.

Cisco router: determine amount of memory/flash

January 22nd, 2010 | No Comments

Somebody asked me how to determine the amount of DRAM and flash memory on a Cisco router. I always thought everybody would know how to find this information, but since that isn't the case, I will show you where to look.

You use the show version command to retrieve this information. Below you see example output of the command on a Cisco 876 router (the export notice in the middle is shortened).

Router#show version
Cisco IOS Software, C870 Software (C870-ADVIPSERVICESK9-M), Version 12.4(15)T6, RELEASE SOFTWARE (fc2)
If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco 876 (MPC8272) processor (revision 0x200) with 118784K/12288K bytes of memory.
Processor board ID FCZ121160T5
MPC8272 CPU Rev: Part Number 0xC, Mask Number 0x10
4 FastEthernet interfaces
1 ISDN Basic Rate interface
1 ATM interface
128K bytes of non-volatile configuration memory.
24576K bytes of processor board System flash (Intel Strataflash)

Configuration register is 0x2102

The line “Cisco 876 (MPC8272) processor (revision 0x200) with 118784K/12288K bytes of memory” tells you how much Dynamic RAM (DRAM) and Packet memory are installed in your router. Some platforms have separate DRAM and Packet memory, in which case only the first number counts. Other platforms carve the Packet memory out of DRAM, so you have to add both numbers to find the real amount of DRAM. That is the case here: 118784K + 12288K = 131072K, a round 128 MB. Cisco's memory requirements for IOS images take this into account, so use the sum when checking whether an image is supported on your router.

The line “24576K bytes of processor board System flash (Intel Strataflash)” tells you how much flash memory is installed in your router (24 MB). The same figure, together with how much of it is actually free, can be seen with the command show flash:.

Router#show flash:
24576K bytes of processor board System flash (Intel Strataflash)

Directory of flash:/

2  -rwx    18934284   Mar 1 2002 01:33:35 +01:00  c870-advipservicesk9-mz.124-15.T6.bin

23482368 bytes total (4542464 bytes free)
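As an added example (not part of the original post), here is a small Python parser for the two outputs above that does the arithmetic for you: it adds the main and packet memory to get the DRAM total, picks out the NVRAM and flash sizes, and uses the show flash: summary to check whether a new image will fit before you copy it. The sample text is the post's own output pasted into string constants; the function names and the image-size check are this example's own, not a Cisco tool.

```python
import re

# Sample input: the 'show version' and 'show flash:' excerpts shown above,
# embedded here so the example runs offline.
SHOW_VERSION = """\
Cisco 876 (MPC8272) processor (revision 0x200) with 118784K/12288K bytes of memory.
Processor board ID FCZ121160T5
128K bytes of non-volatile configuration memory.
24576K bytes of processor board System flash (Intel Strataflash)
"""

SHOW_FLASH = """\
Directory of flash:/

    2  -rwx    18934284   Mar 1 2002 01:33:35 +01:00  c870-advipservicesk9-mz.124-15.T6.bin

23482368 bytes total (4542464 bytes free)
"""


def parse_memory(show_version):
    """Pick the memory figures out of 'show version' and return them in KB.

    'main_kb'/'packet_kb' are the two numbers on the 'bytes of memory' line.
    On platforms that carve packet memory out of DRAM (as the 876 here),
    'dram_kb' is their sum, which is the figure to compare with Cisco's
    memory requirements.  On platforms with separate packet memory use
    'main_kb' instead.
    """
    m = re.search(r"with (\d+)K/(\d+)K bytes of memory", show_version)
    if not m:
        raise ValueError("no 'bytes of memory' line in show version output")
    main_kb, packet_kb = int(m.group(1)), int(m.group(2))
    nvram = re.search(r"(\d+)K bytes of non-volatile configuration memory", show_version)
    flash = re.search(r"(\d+)K bytes of processor board System flash", show_version)
    return {
        "main_kb": main_kb,
        "packet_kb": packet_kb,
        "dram_kb": main_kb + packet_kb,
        "dram_mb": (main_kb + packet_kb) // 1024,
        "nvram_kb": int(nvram.group(1)) if nvram else None,
        "flash_kb": int(flash.group(1)) if flash else None,
    }


def flash_usage(show_flash):
    """Return (total_bytes, free_bytes) from the summary line of 'show flash:'."""
    m = re.search(r"(\d+) bytes total \((\d+) bytes free\)", show_flash)
    if not m:
        raise ValueError("no 'bytes total' line in show flash output")
    return int(m.group(1)), int(m.group(2))


def flash_files(show_flash):
    """Return {filename: size_bytes} for the directory listing in 'show flash:'."""
    files = {}
    for line in show_flash.splitlines():
        m = re.match(r"\s*\d+\s+\S+\s+(\d+)\s+.*\s(\S+)$", line)
        if m:
            files[m.group(2)] = int(m.group(1))
    return files


def image_fits(show_flash, image_bytes, delete_first=()):
    """True if an image of image_bytes fits in free flash.

    delete_first lists files that will be removed before the copy (typically
    the old image); their sizes are added back to the free space.  Check this
    before 'copy tftp: flash:' so a failed copy does not leave the router
    without a bootable image.
    """
    _, free = flash_usage(show_flash)
    sizes = flash_files(show_flash)
    reclaimed = sum(sizes[name] for name in delete_first if name in sizes)
    return image_bytes <= free + reclaimed


if __name__ == "__main__":
    mem = parse_memory(SHOW_VERSION)
    print(f"DRAM {mem['dram_kb']}K ({mem['dram_mb']} MB), "
          f"NVRAM {mem['nvram_kb']}K, flash {mem['flash_kb']}K")
    total, free = flash_usage(SHOW_FLASH)
    print(f"flash: {free} of {total} bytes free")
```

On the 876 above the parser reports 128 MB of DRAM and 24 MB of flash, and image_fits shows that a second copy of the 18 MB image only fits if the old one is deleted first, which is exactly the situation where you want to know the answer before starting the copy.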

I can imagine why somebody doesn't know where to look, because show version gives you a lot of information. So I hope this post helps those of you who didn't know where to look.

Automated eSafe backup

January 19th, 2010 | No Comments

After configuring an eSafe appliance you have the option to export the configuration through the management interface, but you have to do this manually. eSafe also has a built-in command line option to create a backup of the required files.

The command line allows backing up and restoring files using standard backup/restore commands. The command line option creates a tar.gz file; the same file that is created when backing up via the eSafe Appliance Manager.

I did some simple scripting to create a backup file, which is copied to an FTP server daily at 05:00 AM. When using the built-in backup feature, the tar.gz file is created in the folder /var/esafe. I created two additional files (backup.sh and ftp_file) to automate the backup process.

Below you see the content of both files:

backup.sh

#!/bin/bash

cd /var/esafe || exit 1
# Remove old backups
rm -f *.tar.gz

# Create the backup with the built-in eSafe backup command
/opt/eSafe/esgapi --createbackup

# FTP the files to the management server (run in the foreground so cron
# does not finish before the upload does)
ftp -inv < /var/esafe/ftp_file

ftp_file

open 10.10.1.10
user username password
lcd /var/esafe
cd /backup/esafe
put *.tar.gz
bye

These commands create the tar.gz backup file and copy it to the FTP server. Note that ftp_file holds the FTP username and password in clear text, so make it readable by root only (chmod 600 /var/esafe/ftp_file), and be aware that FTP sends both the credentials and the backup archive unencrypted over the network; if the management server offers SFTP or SCP, prefer that. The last step is configuring the crontab to execute the script daily at 05:00 AM.

crontab

# Backup eSafe configuration
# Backup is copied via FTP to Management server
0 5 * * * bash /var/esafe/backup.sh

I guess the script couldn't be easier, but it works perfectly (for me).

When running the built-in backup command (/opt/eSafe/esgapi --createbackup), eSafe looks in the file /opt/eSafe/backup.list to determine which files to back up. You could decide to extend this list with the location of the Anti-Spam &amp; URL filtering database (/opt/eSafe/eSafeCR/ConfigFilter/ofdb/*.fdb). This saves some downloading time when restoring an eSafe appliance.
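As an added example (not the post's own script and not an eSafe-supplied tool), here is the same daily backup job written in Python with the checks a practitioner would want around it: the old archives are only pruned after the new one has been verified and uploaded, a corrupt archive aborts the run, and the FTP credentials come from a separate file that the script refuses to use unless it is mode 0600. The esgapi path, the /var/esafe directory and the FTP target are taken from the post; the credentials file path, the retention count and the timestamp-based detection of the new archive are this example's own assumptions.

```python
import gzip
import os
import shlex
import stat
import subprocess
import time
from ftplib import FTP
from pathlib import Path

# Paths and the FTP target are the ones from the post; the credentials file
# and the KEEP count are this example's own assumptions.
BACKUP_DIR = Path("/var/esafe")
BACKUP_CMD = "/opt/eSafe/esgapi --createbackup"
FTP_HOST = "10.10.1.10"
FTP_DIR = "/backup/esafe"
CREDENTIALS = Path("/var/esafe/ftp_credentials")  # one line: "username password", mode 0600
KEEP = 3  # archives to retain locally after a successful upload


def load_credentials(path):
    """Read 'user password' from PATH, refusing a file that group/others can read."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        raise PermissionError(f"{path} has mode {mode:04o}; expected 0600")
    user, password = Path(path).read_text().split(None, 1)
    return user, password.strip()


def archives_newer_than(directory, since):
    """*.tar.gz files in DIRECTORY with mtime >= SINCE (a Unix timestamp), by name."""
    return sorted(p for p in Path(directory).glob("*.tar.gz")
                  if p.stat().st_mtime >= since)


def verify_archive(path):
    """True if the gzip stream decompresses to the end; a corrupt backup is worthless."""
    try:
        with gzip.open(path, "rb") as f:
            while f.read(1 << 16):
                pass
        return True
    except (OSError, EOFError):  # BadGzipFile is an OSError; EOFError on truncation
        return False


def prune_archives(directory, keep):
    """Delete all but the KEEP newest archives and return the deleted paths."""
    archives = sorted(Path(directory).glob("*.tar.gz"),
                      key=lambda p: p.stat().st_mtime, reverse=True)
    deleted = archives[keep:]
    for p in deleted:
        p.unlink()
    return deleted


def upload(path, host, directory, user, password):
    """Store PATH on the FTP server (network side; not exercised offline)."""
    with FTP(host) as ftp:
        ftp.login(user, password)
        ftp.cwd(directory)
        with open(path, "rb") as f:
            ftp.storbinary(f"STOR {Path(path).name}", f)


def run_backup():
    """Create, verify and upload the new archive, then prune the old ones.

    Ordering matters: if esgapi or the upload fails, the previous archives
    are still on disk, unlike the rm-first approach.
    """
    since = int(time.time())
    subprocess.run(shlex.split(BACKUP_CMD), check=True)
    new = archives_newer_than(BACKUP_DIR, since)
    if not new:
        raise RuntimeError("backup tool ran but produced no new archive")
    user, password = load_credentials(CREDENTIALS)
    for archive in new:
        if not verify_archive(archive):
            raise RuntimeError(f"corrupt archive: {archive}")
        upload(archive, FTP_HOST, FTP_DIR, user, password)
    prune_archives(BACKUP_DIR, KEEP)
    return new


if __name__ == "__main__":
    run_backup()
```

The crontab entry would then be something like 0 5 * * * /usr/bin/python3 /var/esafe/backup.py (interpreter path assumed). If the management server supports FTP over TLS, swapping ftplib.FTP for ftplib.FTP_TLS and calling ftp.prot_p() after login encrypts both the credentials and the archive with no other change to the script.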

Cisco IOS 15 licensing

January 15th, 2010 | No Comments

I just read an interesting article about the new licensing on Cisco hardware, especially after the End-of-Sale and End-of-Life Announcement for Cisco IOS Software Release 12.4.

In short the article tells the following:

IOS 12.4 is replaced by IOS 15. IOS 15 is a single software package for the hardware platform that you are using: you have one image with all the features, and there is no need to copy different images for different feature sets. By default you can use all the base features, and you need a license key to use the Advanced IP feature set.

This licensing is comparable to the licensing of a Cisco PIX, ASA or IPS. It may be a burden for some of you, especially when you replace a broken hardware component (see License Transfer Between Two Working Devices).

So pay attention and take some time to dig into the new developments in Cisco IOS 15 licensing.

CB-WFQ Bandwidth Allocation

January 13th, 2010 | No Comments

When configuring Quality of Service with CB-WFQ I always struggle to get the classes right. When configuring CB-WFQ it is important to remember that by default the router does not allow the class queues to reserve more than 75% of the total interface bandwidth. The remaining 25% is kept for the default class and for all non-IP packets, such as routing protocol traffic.

A quick example shows the problem. I have a router with a 10 Mbps Ethernet interface. I will attach a service-policy to this interface with a priority queue of 8 Mbps (8192 kbps) for voice traffic.

First I created the class-map and the policy-map:

class-map match-all VOIP
 match ip dscp ef
!
policy-map policy-cbwfq
 class VOIP
  priority 8192

Next I try to apply the policy-map to the interface, but I receive the error message shown below:

Router(config)#int fa 0/0
Router(config-if)#service-policy output policy-cbwfq
I/f FastEthernet0/0 class VOIP requested bandwidth 8192 (kbps), available only 7500 (kbps)

The error message makes clear that only 75% of the interface bandwidth (7500 kbps of 10000 kbps) is available to the class queues. The router automatically adds a fair-queue configuration to the interface as a fallback.

fair-queue 64 256 256

You can raise the share of the interface bandwidth that class queues may reserve with the interface command max-reserved-bandwidth, which takes a percentage. Here I raise it to 90%, which leaves room for the 8192 kbps priority queue. Keep in mind that whatever you give to the class queues is taken away from class-default and from the control traffic that lives there.

Router(config-if)#no fair-queue
Router(config-if)#max-reserved-bandwidth 90
Router(config-if)#service-policy output policy-cbwfq

The service-policy is now accepted by the router.

Router#sh policy-map interface fa0/0 output
 FastEthernet0/0

  Service-policy output: policy-cbwfq

    Class-map: VOIP (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: ip dscp ef (46)
      Queueing
        Strict Priority
        Output Queue: Conversation 264
        Bandwidth 8192 (kbps) Burst 204800 (Bytes)
        (pkts matched/bytes matched) 0/0
        (total drops/bytes drops) 0/0

    Class-map: class-default (match-any)
      23 packets, 2252 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any

A useful article with more information (including the difference between bandwidth percent and bandwidth remaining percent) can be found here.
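To make the arithmetic behind the error message explicit, here is an added Python model of the admission check (example code, not from the post and not an IOS feature): it walks the classes of a policy-map in order, reserves kbps for priority, bandwidth and bandwidth percent classes, and reports the same kind of error the router printed when the reservations exceed the max-reserved-bandwidth share of the interface rate. The tuple representation of a policy-map and the simplified calculation of what a bandwidth remaining percent class gets out of the leftover bandwidth are this example's own.

```python
# Interface rate and the default reservation limit from the post.
INTERFACE_KBPS = 10000
DEFAULT_MAX_RESERVED = 75

# A policy-map as a list of (class, keyword, value) tuples; the keyword mirrors
# the IOS class command, e.g. ('VOIP', 'priority', 8192) for 'priority 8192'.
POLICY_CBWFQ = [("VOIP", "priority", 8192)]


def available_kbps(interface_kbps, max_reserved_percent=DEFAULT_MAX_RESERVED):
    """Bandwidth the class queues may reserve in total (max-reserved-bandwidth %)."""
    return interface_kbps * max_reserved_percent // 100


def class_kbps(keyword, value, interface_kbps):
    """Explicit reservation of one class in kbps, or 0 if it reserves nothing."""
    if keyword in ("priority", "bandwidth"):      # absolute kbps
        return value
    if keyword == "bandwidth percent":             # percent of the interface rate
        return interface_kbps * value // 100
    return 0                                       # e.g. bandwidth remaining percent


def check_policy(policy, interface_kbps, max_reserved_percent=DEFAULT_MAX_RESERVED):
    """Admit classes in order; return None if all fit, else an IOS-style error."""
    avail = available_kbps(interface_kbps, max_reserved_percent)
    used = 0
    for cls, keyword, value in policy:
        need = class_kbps(keyword, value, interface_kbps)
        if used + need > avail:
            return (f"class {cls} requested bandwidth {need} (kbps), "
                    f"available only {avail - used} (kbps)")
        used += need
    return None


def remaining_share_kbps(policy, interface_kbps, cls):
    """Share of the leftover bandwidth for a 'bandwidth remaining percent' class.

    Simplified model: the explicit reservations are taken off the interface
    rate first, and the class gets its percentage of what is left.
    """
    reserved = sum(class_kbps(k, v, interface_kbps) for _, k, v in policy)
    leftover = interface_kbps - reserved
    for name, keyword, value in policy:
        if name == cls and keyword == "bandwidth remaining percent":
            return leftover * value // 100
    raise KeyError(f"{cls} has no 'bandwidth remaining percent' setting")


if __name__ == "__main__":
    print(check_policy(POLICY_CBWFQ, INTERFACE_KBPS))      # the error from the post
    print(check_policy(POLICY_CBWFQ, INTERFACE_KBPS, 90))  # None: accepted at 90%
```

With the post's policy the first call reproduces “class VOIP requested bandwidth 8192 (kbps), available only 7500 (kbps)”, and raising the limit to 90% admits it. Adding a second class shows the cumulative nature of the check: after the 8192 kbps priority queue only 808 kbps of the 9000 kbps remain for further bandwidth classes, which is why it pays to express the other classes as bandwidth remaining percent rather than fixed kbps.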
