
How to Configure Failover on Cisco ASA Firewall

Configuring a Cisco ASA firewall for resiliency is straightforward. The failover feature can be configured in Active/Standby mode with the commands below.

Please note that it is not recommended to use the Management interface for failover, especially for stateful failover, in which the security appliance constantly sends connection information from one appliance to the other.

Furthermore, consider the future implications of using the Management interface: you may want to create a completely new network for Out-of-Band (OOB) access in which the Management interface on each device participates. Using the Management interface for failover might therefore cause design issues later on.

In the example below, I will be using GigabitEthernet0/5 on both devices as the failover interface.

Border Gateway Protocol (BGP) as SDN Backbone

Border Gateway Protocol (BGP) is the core of the Internet, and yet its versatility is hardly used by the majority of the networking community within a data centre environment. BGP is widely used by service providers and also in conjunction with MPLS. With the introduction of Software-Defined Networking (SDN), the whole concept of networking will change dramatically in the coming years; some could say it has already changed, and I agree. We will hardly be managing devices individually, and it will become impractical to manage hundreds or even thousands of devices in a data centre architecture.

Why Border Gateway Protocol?

I will try to justify my view that BGP would be the perfect candidate for an SDN backbone. Other protocols will still tick some of the boxes, but they won't be able to tick every box the way BGP does.

I can't think of another protocol that is versatile enough to handle the control plane and data plane separately, yet communicates between the control and data planes efficiently. After all, SDN is all about separating the Control Plane from the Data Plane.

Is SecureCRT worth it?

You are probably here because you have asked the same question I did before purchasing SecureCRT: is it worth forking out $100 for a terminal emulator?

This is probably one of the questions every Network/Systems Engineer asks when it comes to buying a terminal emulator, or whether to stick with freeware such as PuTTY/TeraTerm on Windows, iTerm2 on Mac and Terminal on Linux.

There is a great post by Greg Ferro here, where he argues that it is not good value for money. I agree with him 100% that you can get such an application on the Mac App Store for around $25. However, when evaluating software, or anything else for that matter, one needs to consider one's individual requirements before committing financially to the purchase.

There are a number of questions I asked myself before going ahead with the purchase…

4 Byte BGP Autonomous System Numbers

Like the IPv4 address space, the 2-byte (16-bit) BGP AS number space is running out. As per RFC 4893 (BGP Support for Four-octet AS Number Space), 4-byte Autonomous System (AS) numbers are now being issued by the Regional Internet Registries (RIRs).

2-Byte (16 Bit) Autonomous System Numbers
We have a total of 2^16 = 65536 possible AS numbers
Private AS Numbers: 64512 – 65534
Reserved AS Numbers: 59392 – 64511, 65535

4-Byte (32 Bit) Autonomous System Numbers
We have a total of 2^32 = 4,294,967,296 possible AS numbers
Any number ranging from 65536 to 4294967295 is considered a 32-bit AS number.

This is the IETF-preferred notation for AS numbers, where a 2-byte AS number such as 65535 is represented as plain decimal text in both documentation and the CLI, and a 4-byte AS number such as 65546 is likewise represented as "65546".

As mentioned above, in ASDOT notation the 2-byte AS numbers are represented in decimal format.
4-byte AS numbers are represented in the following format.
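As an added example (not part of the original post), the following Python converts 4-byte AS numbers between the plain decimal form and dot notation and classifies a number against the ranges listed above. The dot form assumed here is the RFC 5396 asdot layout, high16.low16, since the post's own description of that format is cut off.

```python
# Added example: asplain <-> asdot conversion and range classification for
# BGP AS numbers. Assumes the RFC 5396 asdot form "<high>.<low>" where
# high = ASN // 65536 and low = ASN % 65536 (not shown on the truncated page).

MAX_2BYTE = 2**16 - 1   # 65535
MAX_4BYTE = 2**32 - 1   # 4294967295

# Ranges from the post (range() excludes its end, hence the +1).
PRIVATE_2BYTE = range(64512, 65534 + 1)
RESERVED_2BYTE = (range(59392, 64511 + 1), range(65535, 65535 + 1))


def to_asdot(asn: int) -> str:
    """Render an asplain integer in asdot; 2-byte ASNs stay plain decimal."""
    if not 0 <= asn <= MAX_4BYTE:
        raise ValueError(f"AS number out of range: {asn}")
    if asn <= MAX_2BYTE:
        return str(asn)
    return f"{asn >> 16}.{asn & 0xFFFF}"


def from_asdot(text: str) -> int:
    """Parse either asdot ("1.10") or asplain ("65546") into an integer."""
    if "." in text:
        high_s, low_s = text.split(".", 1)
        high, low = int(high_s), int(low_s)
        # Each half must itself fit in 16 bits, otherwise "1.70000" would
        # silently alias a different AS number.
        if not (0 <= high <= MAX_2BYTE and 0 <= low <= MAX_2BYTE):
            raise ValueError(f"bad asdot value: {text}")
        return (high << 16) | low
    asn = int(text)
    if not 0 <= asn <= MAX_4BYTE:
        raise ValueError(f"AS number out of range: {asn}")
    return asn


def classify(asn: int) -> str:
    """Classify against the 2-byte private/reserved ranges given in the post."""
    if asn > MAX_2BYTE:
        return "4-byte"
    if asn in PRIVATE_2BYTE:
        return "2-byte private"
    if any(asn in r for r in RESERVED_2BYTE):
        return "2-byte reserved"
    return "2-byte allocatable"
```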

How to Upgrade Juniper SRX

In this case, I will be upgrading an SRX210H. This procedure is rather straightforward, and if you require further clarification, please refer to the appropriate guide on Juniper Networks' website.

First of all, copy the JunOS software onto a FAT32-formatted USB drive.

Make sure you have checked the integrity of the file by running md5sum and comparing the result with the checksum listed on Juniper Networks' website.

nish@WS /media/nish/JunOS $ md5sum junos-srxsme-11.4R9.4-domestic.tgz 
ac7a405477544d4a81b382f9816931d2  junos-srxsme-11.4R9.4-domestic.tgz
nish@WS /media/nish/JunOS $ 

Enter the shell prompt by issuing the command nish@iNET> start shell if you are not already in it.

Check the existing disk devices before plugging in the USB drive containing JunOS, so that the new device can be identified afterwards.

% ls /dev/da*
/dev/da0        /dev/da0s1c     /dev/da0s2c     /dev/da0s3e     /dev/da0s4a
/dev/da0s1      /dev/da0s2      /dev/da0s3      /dev/da0s3f     /dev/da0s4c
/dev/da0s1a     /dev/da0s2a     /dev/da0s3c     /dev/da0s4


Juniper SRX Autorecovery Alarm Light

There are various reasons the Alarm light might come on. First, check why you are seeing the alarm.

nish@iNET# run show system alarms 
1 alarms currently active
Alarm time               Class  Description
2013-11-02 01:09:17 GMT  Minor  Autorecovery information needs to be saved

In the above case, it is because the Autorecovery information has not been saved.

Saving the Autorecovery information is accomplished with the following command:

nish@iNET> request system autorecovery state save 
Saving config recovery information
Saving license recovery information
Saving BSD label recovery information