Juniper Networks EX Ethernet switches
The EX series Ethernet switches from Juniper Networks are certainly not the “cheaper” solution, but they are a high-level solution for the enterprise.
This post reviews the EX Series Ethernet switch portfolio from Juniper Networks.
Specifically, the EX2200, EX3200, EX4200 and EX8200 series.
The EX2200 ethernet switch:
Single rack unit (1 RU) with 24 or 48 x 1Gbps ports.
Additionally, it has 4 x 1Gbps fixed ports to connect to the aggregation layer.
It’s available with or without 802.3af (PoE), ideal for IP phones, wireless access points, and IP CCTV cameras.
Ideal for the access layer, in a branch office or medium enterprise.
And of course, it runs the same JUNOS operating system (with some extensions for switches).
The EX3200 ethernet switch:
Single rack unit with 24 or 48 x 1Gbps ports. Partial (8 ports) or full support for 802.3af (PoE).
Two optional modules with pluggable ports; 4 ports x 1 Gbps or 2 ports x 10Gbps.
Another feature is the small display, which shows the status of the switch, environmental factors, the ports, etc.
Runs Junos.
The EX4200 ethernet switch:
Designed for the access or aggregation layer, it offers 24 or 48 x 1Gbps ports, with full or partial PoE.
Two optional modules with pluggable ports; 4 ports x 1 Gbps or 2 ports x 10Gbps.
Also has the display.
The big feature on this switch is called “Juniper’s Virtual Chassis Technology”. That is, you can connect up to 10 switches over a 128Gbps backplane to create a single logical device with up to 480 x 1Gbps user ports and 20 x 10Gbps uplink ports.
The EX8200 ethernet switch:
It’s designed for high-density 10Gbps networks such as campus aggregation, data centers and core.
Two options are available: a 16 rack unit (16 RU) chassis with 8 slots, and a 21 rack unit (21 RU) chassis with 16 slots.
It has a “built-in migration path” to support (in the future) 100Gbps.
It supports “Virtual Chassis” with up to two switches, and runs Junos.
Well, these are the Juniper Networks switches that I want in my rack.
Pursuit of JNCIS-ENT
This post is to announce the pursuit of Juniper Networks Certified Internet Specialist – Enterprise (JNCIS-ENT).
In 2009 I passed the JNCIA-ER exam (JN0-342).
Now in 2011, the certification expires. So, I have decided to pursue the JNCIS-ENT (JN0-343).
The objectives for the exam are here, and they are:
- Layer 2 Switching and VLANs
- Spanning Tree
- Layer 2 Security
- Protocol Independent Routing
- Open Shortest Path First (OSPF)
- Intermediate System to Intermediate System (IS-IS)
- Border Gateway Protocol (BGP)
- Tunnels
- High Availability
As far as possible, I’ll write a post on each specific topic of the JN0-343 exam.
WEP key map.
Using Google Maps to organize WEP keys.
Ubuntu installation document: PXE+TFTP+NFS
Greetings.
Browsing through the file system, I found an old but useful document.
Network installation of Ubuntu using PXE + DHCP + TFTP + NFS.
Apache Reverse Proxy + ModSecurity.
ModSecurity is an open source web application firewall. It’s like an “Intrusion Detection/Prevention System for a WEB application”. It works as an Apache module.
It’s a powerful tool for securing web applications.
A complete reference is the ModSecurity Handbook, a good book for in-depth study of the tool.
ModSecurity can be implemented in an Apache Reverse Proxy for WEB applications, with support for both HTTP and HTTPS.
After reading some chapters of the ModSecurity Handbook and the Apache mod_proxy documentation, a basic configuration file looks like this one:
<VirtualHost *:443>
# ModSecurity configuration
Include /opt/modsecurity/etc/modsecurity.conf
SSLEngine on
RewriteEngine on
SSLProxyEngine on
# The public certificate and the private key
# for the client <--> reverse proxy
SSLCertificateFile /etc/apache2/ssl/reverse-cert.pem
SSLCertificateKeyFile /etc/apache2/ssl/reverse-key.pem
# The Certification Authority (CA) file
# that signed the certificates of the remote web servers.
SSLProxyCACertificateFile /etc/apache2/ssl/webservers-CA.pem
ProxyRequests Off
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
RewriteRule ^/webserver1$ /webserver1/ [R]
RewriteRule ^/webserver2$ /webserver2/ [R]
RewriteRule ^/webserver3$ /webserver3/ [R]
<Location /webserver1/>
ProxyPass https://webserver1/
ProxyPassReverse https://webserver1/
</Location>
<Location /webserver2/>
ProxyPass https://webserver2:8443/
ProxyPassReverse https://webserver2:8443/
</Location>
<Location /webserver3/>
ProxyPass http://webserver3/
ProxyPassReverse http://webserver3/
</Location>
ErrorLog /var/log/apache2/reverse_proxy.log
LogLevel warn
CustomLog /var/log/apache2/reverse_proxy.log combined
ServerSignature Off
</VirtualHost>
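A check for a reverse-proxy vhost like the one above, as an added example that is not part of the original post: it flags a `ProxyPassReverse` target that differs from its `ProxyPass` (backend redirects then reach clients unrewritten), cleartext backend hops, and `SSLProxyEngine on` without `SSLProxyVerify require` (mod_ssl's default is `none`). The function name `lint_vhost` and the backend names in the sample are constructed for illustration.

```python
import re

# Constructed sample in the style of the vhost above, with three defects.
SAMPLE_VHOST = """\
<VirtualHost *:443>
SSLProxyEngine on
SSLProxyCACertificateFile /etc/apache2/ssl/webservers-CA.pem
<Location /app1/>
ProxyPass https://backend1/
ProxyPassReverse https://backend1/
</Location>
<Location /app2/>
ProxyPass https://backend2:8443/
ProxyPassReverse https://backend:8443/
</Location>
<Location /app3/>
ProxyPass http://backend3/
ProxyPassReverse http://backend3/
</Location>
</VirtualHost>
"""

def lint_vhost(text):
    """Return (scope, finding) tuples for a reverse-proxy vhost."""
    findings, vhost, loc, passes = [], {}, None, {}
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<Location\s+(\S+?)>", line, re.I)
        if opened:
            loc, passes = opened.group(1), {}
        elif line.lower() == "</location>":
            fwd, rev = passes.get("proxypass"), passes.get("proxypassreverse")
            if fwd and rev != fwd:  # backend redirects escape rewriting
                findings.append((loc, f"ProxyPassReverse {rev} != ProxyPass {fwd}"))
            if fwd and fwd.startswith("http://"):
                findings.append((loc, "backend hop is cleartext HTTP"))
            loc = None
        else:
            parts = line.split(None, 1)
            (passes if loc else vhost)[parts[0].lower()] = parts[-1]
    # mod_ssl default is SSLProxyVerify none: the CA file alone enforces nothing
    if vhost.get("sslproxyengine", "").lower() == "on" \
            and vhost.get("sslproxyverify", "none").lower() != "require":
        findings.append(("vhost", "SSLProxyVerify is not 'require'"))
    return findings

if __name__ == "__main__":
    print(*lint_vhost(SAMPLE_VHOST), sep="\n")
```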
Edit (25/10/2011):
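The content of /opt/modsecurity/etc/modsecurity.conf:
# DetectionOnly: rules are evaluated and logged, but disruptive
# actions such as deny are not enforced.
SecRuleEngine DetectionOnly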
SecRequestBodyAccess On
SecResponseBodyAccess Off
SecUploadKeepFiles Off
SecDebugLog /opt/modsecurity/var/log/modsec_debug.log
SecDebugLogLevel 0
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus ^5
SecAuditLogParts ABIFHKZ
SecAuditLogType Concurrent
SecAuditLog "|/usr/local/bin/mlogc /etc/mlogc.conf"
SecAuditLogStorageDir /var/log/mlogc/data
SecRequestBodyLimit 131072
SecRequestBodyInMemoryLimit 131072
SecResponseBodyLimit 524288
SecRule REQBODY_PROCESSOR_ERROR "!@eq 0" \
"phase:2,t:none,log,deny,msg:'Failed to parse request body.',severity:2"
SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
"phase:2,t:none,log,deny,msg:'Multipart request body \
failed strict validation: \
PE %{REQBODY_PROCESSOR_ERROR}, \
BQ %{MULTIPART_BOUNDARY_QUOTED}, \
BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
DB %{MULTIPART_DATA_BEFORE}, \
DA %{MULTIPART_DATA_AFTER}, \
HF %{MULTIPART_HEADER_FOLDING}, \
LF %{MULTIPART_LF_LINE}, \
SM %{MULTIPART_SEMICOLON_MISSING}, \
IQ %{MULTIPART_INVALID_QUOTING}'"
SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
"phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"
SecRule ARGS MY_UNIQUE_TEST_STRING \
"phase:1,log,deny,status:503"
SecDefaultAction "phase:2,deny,log,status:500"
Apache as a Reverse Proxy
Recently, in my current job, I had to configure a reverse proxy for some WEB servers, so that they share the same IP and DNS name.
Almost all servers are SSL enabled for their WEB application.
For this configuration Apache + mod_proxy will be used.
The reverse proxy is a Debian GNU/Linux 6.0 box. To install Apache (mod_proxy and mod_ssl ship with the apache2 package):
apt-get install apache2
To enable mod_proxy (with its HTTP handler, mod_proxy_http), mod_ssl and mod_rewrite in Apache on Debian GNU/Linux:
a2enmod proxy proxy_http ssl rewrite
Put the X.509 Certificate Authority (CA) file in a location readable by Apache; this certificate is the CA for the web servers to be proxied (if they are SSL-enabled).
/etc/apache2/ssl/ca.crt
Edit the VirtualHost file, for the reverse proxy:
<VirtualHost *:80>
ProxyRequests Off
RewriteEngine on
SSLProxyEngine on
SSLProxyCACertificateFile /etc/apache2/ssl/ca.crt
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
<Location /webserver1/>
ProxyPass https://ip.webserver1/
ProxyPassReverse https://ip.webserver1/
</Location>
<Location /webserver2/>
ProxyPass http://ip.webserver2/
ProxyPassReverse http://ip.webserver2/
</Location>
<Location /webserver3/>
ProxyPass https://ip.webserver3/
ProxyPassReverse https://ip.webserver3/
</Location>
</VirtualHost>
Restart the Apache WEB server:
/etc/init.d/apache2 restart
With this configuration, the internal web servers are accessible from the Internet:
http://reverse.proxy.domain/webserver1/
http://reverse.proxy.domain/webserver2/
http://reverse.proxy.domain/webserver3/
Also, it’s possible to configure the reverse proxy with SSL for HTTPS connections.
https://reverse.proxy.domain/
ORACLE notes: Backups with RMAN.
Greetings.
Some ORACLE notes on backups using RMAN.
1. CONFIGURING RMAN.
– Create the TABLESPACE.
– Create the RMAN user.
– Grant connection privileges to the RMAN user.
– Grant privileges on the TABLESPACE.
– Log in as RMAN.
– Create the CATALOG.
– Register the database in the catalog.
SQL> CREATE TABLESPACE RMAN DATAFILE '$ORACLE_BASE/oradata/orcl/rman01.dbf' SIZE 100m EXTENT MANAGEMENT LOCAL UNIFORM SIZE 128K;
SQL> CREATE USER RMAN IDENTIFIED BY RMAN DEFAULT TABLESPACE RMAN;
SQL> GRANT CONNECT TO RMAN;
SQL> ALTER USER RMAN DEFAULT TABLESPACE RMAN QUOTA UNLIMITED ON RMAN;
SQL> GRANT RECOVERY_CATALOG_OWNER TO RMAN;
$ rman CATALOG rman/rman@orcl target rman/rman@orcl
RMAN> CREATE CATALOG;
$ rman CATALOG rman/rman@orcl target rman/rman@orcl
RMAN> REPORT SCHEMA;
RMAN> REGISTER DATABASE;
2. RMAN OFFLINE FULL BACKUP.
$ rman CATALOG rman/rman@orcl TARGET rman/rman@orcl
RMAN> BACKUP DATABASE;
3. RMAN INCREMENTAL BACKUP.
$ sqlplus / AS SYSDBA;
SQL> ALTER DATABASE ENABLE BLOCK CHANGE TRACKING USING FILE '$ORACLE_BASE/orcl_block_track.log';
$ rman TARGET rman/rman@orcl CATALOG rman/rman@orcl
RMAN> BACKUP INCREMENTAL LEVEL 0 DATABASE;
Data is written to $ORACLE_BASE/orcl/backupset/
$ sqlplus / AS SYSDBA;
SQL> CREATE TABLE FOO (id NUMBER);
SQL> CREATE TABLE BAR (id NUMBER);
$ rman TARGET rman/rman@orcl CATALOG rman/rman@orcl
RMAN> BACKUP INCREMENTAL LEVEL 1 DATABASE;
4. RMAN ARCHIVELOG BACKUP.
RMAN> BACKUP ARCHIVELOG ALL DELETE ALL INPUT;
5. Restoring an RMAN FULL BACKUP.
$ rman TARGET rman/rman@orcl NOCATALOG
RMAN> BACKUP DATABASE PLUS ARCHIVELOG DELETE INPUT;
SQL> SHUTDOWN IMMEDIATE;
$ rm $ORACLE_BASE/oradata/orcl/{rman,system,users}.dbf
SQL> STARTUP;
ERROR!!! NO DATAFILES!!!
$ rman TARGET rman/rman@orcl NOCATALOG
RMAN> RESTORE DATABASE;
RMAN> RECOVER DATABASE;
RMAN> ALTER DATABASE OPEN;
6. Restoring an RMAN INCOMPLETE BACKUP.
SQL> ALTER SYSTEM SWITCH LOGFILE;
SQL> @ /home/logfiles.sql;
SQL> ALTER SYSTEM SWITCH LOGFILE;
SQL> SHUTDOWN ABORT;
SQL> STARTUP;
SQL> SHUTDOWN ABORT;
SQL> STARTUP;
ERROR!!!
$ rman TARGET rman/rman@orcl NOCATALOG;
RMAN> RESTORE DATABASE;
RMAN> RECOVER DATABASE UNTIL SEQUENCE # thread 1;
RMAN> ALTER DATABASE OPEN RESETLOGS;
SQL> SHUTDOWN IMMEDIATE;
SQL> STARTUP MOUNT;
$ rman TARGET rman/rman@orcl NOCATALOG;
RMAN> BACKUP DATABASE;
RMAN> ALTER DATABASE OPEN;
ORACLE notes: Data recovery.
Greetings.
Some notes on data recovery in ORACLE.
1. Database recovery using FLASHBACK.
$ sqlplus / AS SYSDBA;
SQL> ALTER SYSTEM SET db_flashback_retention_target=4320;
SQL> SHUTDOWN IMMEDIATE;
SQL> STARTUP MOUNT;
SQL> ALTER DATABASE FLASHBACK ON;
SQL> ALTER DATABASE OPEN;
SQL> SELECT flashback_on FROM v$database;
SQL> DROP TABLE scott.emp;
SQL> SELECT * FROM scott.emp;
SQL> flashback table scott.emp TO BEFORE DROP;
SQL> SELECT * FROM scott.emp;
2. TABLESPACE and password file recovery.
$ cp $ORACLE_HOME/database/orapwdorcl orapwdorcl.bak
$ sqlplus / AS SYSDBA;
SQL> ALTER TABLESPACE USERS READ ONLY;
SQL> ALTER SYSTEM SWITCH LOGFILE;
SQL> SHUTDOWN IMMEDIATE;
SQL> EXIT;
$ cp -r $ORACLE_BASE/oradata/orcl orcl.bak
$ rm $ORACLE_BASE/oradata/orcl/users01.dbf
$ sqlplus / AS SYSDBA;
SQL> STARTUP;
ERROR pwdfile!!!
SQL> SHUTDOWN IMMEDIATE;
$ cp orapwdorcl.bak $ORACLE_HOME/database/orapwdorcl
or
$ orapwd file=$ORACLE_HOME/database/orapwdorcl password=foo
$ sqlplus / AS SYSDBA;
SQL> STARTUP;
ERROR NO DATAFILE!!!
SQL> SHUTDOWN IMMEDIATE;
$ cp orcl.bak/users01.dbf $ORACLE_BASE/oradata/orcl/
$ sqlplus / AS SYSDBA;
SQL> STARTUP;
3. INCOMPLETE RECOVERY using SQL.
$ sqlplus / AS SYSDBA;
SQL> STARTUP;
SQL> ALTER TABLESPACE USERS READ WRITE;
SQL> SHUTDOWN IMMEDIATE;
$ export NLS_DATE_FORMAT="DD-MON-YYYY HH24:MI:SS";
$ rm $ORACLE_BASE/oradata/orcl/users01.dbf
$ sqlplus / AS SYSDBA;
SQL> STARTUP;
ERROR!!!
SQL> SHUTDOWN IMMEDIATE;
$ cp orcl.bak/users01.dbf $ORACLE_BASE/oradata/orcl/
$ sqlplus / AS SYSDBA;
SQL> STARTUP MOUNT;
SQL> RECOVER DATABASE UNTIL TIME 'DD-MON-YYYY HH:MM:SS';
SQL> ALTER DATABASE OPEN RESETLOGS;
4. DATABASE RECOVERY AFTER OPEN RESETLOGS.
SQL> SHUTDOWN IMMEDIATE;
SQL> STARTUP MOUNT;
SQL> ALTER DATABASE ARCHIVELOG;
SQL> ALTER DATABASE OPEN;
SQL> SELECT LOG_MODE FROM v$database;
SQL> ARCHIVE LOG LIST;
SQL> ALTER SYSTEM SWITCH LOGFILE;
SQL> SELECT GROUP#, STATUS FROM v$log;
SQL> SELECT NAME FROM v$datafile;
SQL> SELECT * FROM v$controlfile;
SQL> SHUTDOWN IMMEDIATE;
$ cp -r $ORACLE_BASE/oradata/orcl orcl.bak
$ cp -r $ORACLE_BASE/flash_recovery_area/orcl/archivelog archivelog.bak
SQL> STARTUP;
SQL> SELECT TABLESPACE_NAME FROM dba_tablespaces;
Modify data in the table.
SQL> EXIT;
$ sqlplus / AS SYSDBA;
SQL> ALTER SYSTEM ARCHIVE LOG CURRENT;
SQL> SHUTDOWN ABORT;
Copy oradata.bak
Copy flashback ../archivelog/ .
Delete $ORACLE_BASE/oradata/orcl/redo*
SQL> STARTUP MOUNT;
SQL> ALTER DATABASE FLASHBACK OFF;
SQL> RECOVER DATABASE USING BACKUP CONTROLFILE;
SQL> RECOVER DATABASE USING BACKUP CONTROLFILE UNTIL CANCEL;
CANCEL
SQL> ALTER DATABASE OPEN RESETLOGS;
SQL> ALTER DATABASE BACKUP CONTROLFILE TO '/home/oracle/control.ctl.bak';
Make some changes in the tables.
SQL> ALTER SYSTEM ARCHIVE LOG CURRENT;
SQL> SELECT GROUP#, STATUS FROM v$log;
SQL> SHUTDOWN ABORT;
$ rm -r $ORACLE_BASE/oradata/orcl/*
$ cp -r /home/oracle/orcl.bak/* $ORACLE_BASE/oradata/orcl/
$ rm $ORACLE_BASE/oradata/orcl/*.log
$ sqlplus /NOLOG
SQL> CONNECT / AS SYSDBA;
SQL> STARTUP MOUNT;
SQL> ALTER DATABASE FLASHBACK OFF;
SQL> RECOVER DATABASE USING BACKUP CONTROLFILE;
[ENTER]
SQL> CANCEL;
SQL> SHOW PARAMETER CONTROL_FILES;
SQL> ALTER SYSTEM SET CONTROL_FILES='/home/oracle/control.ctl.bak' SCOPE=SPFILE;
SQL> SHUTDOWN IMMEDIATE;
SQL> STARTUP MOUNT;
SQL> RECOVER DATABASE USING BACKUP CONTROLFILE;
SQL> ALTER DATABASE OPEN RESETLOGS;
SQL> RECOVER DATABASE USING BACKUP CONTROLFILE UNTIL CANCEL;
CANCEL
SQL> ALTER DATABASE OPEN RESETLOGS;
SQL> SHUTDOWN IMMEDIATE;
SQL> STARTUP MOUNT;
SQL> ALTER DATABASE FLASHBACK ON;
SQL> ALTER DATABASE OPEN;
PPP+PAP and PPP+CHAP serial connection on Cisco
Today: Notes for Cisco.
Say we have a pair of routers and want to establish a point-to-point serial link authenticated with PAP or CHAP.
Case 1: PPP + PAP.

Network diagram
R1(config)# username R2 password bar
R1(config)# interface serial 0/0
R1(config-if)# description Enlace Serial DCE PPP+PAP de R1 a R2
R1(config-if)# ip address 192.168.0.1 255.255.255.252
R1(config-if)# encapsulation ppp
R1(config-if)# clockrate 125000
R1(config-if)# ppp authentication pap
R1(config-if)# ppp pap sent-username R1 password 0 foo
!
R2(config)# username R1 password foo
R2(config)# interface serial 0/0
R2(config-if)# description Enlace Serial DTE PPP+PAP de R2 a R1
R2(config-if)# ip address 192.168.0.2 255.255.255.252
R2(config-if)# encapsulation ppp
R2(config-if)# ppp authentication pap
R2(config-if)# ppp pap sent-username R2 password 0 bar
!
Case 2: PPP + CHAP.

PPP+CHAP network diagram
! CHAP: both routers must hold the same secret for each other
R3(config)# username R4 password bar
R3(config)# interface serial 0/0
R3(config-if)# description Enlace Serial DCE PPP+CHAP de R3 a R4
R3(config-if)# ip address 192.168.0.5 255.255.255.252
R3(config-if)# encapsulation ppp
R3(config-if)# clockrate 125000
R3(config-if)# ppp authentication chap
!
R4(config)# username R3 password bar
R4(config)# interface serial 0/0
R4(config-if)# description Enlace Serial DTE PPP+CHAP de R4 a R3
R4(config-if)# ip address 192.168.0.6 255.255.255.252
R4(config-if)# encapsulation ppp
R4(config-if)# ppp authentication chap
!
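The two authentication exchanges configured above, as an added example that is not part of the original notes: a simplified model of the CHAP challenge/response from RFC 1994, showing why the `username ... password ...` entries on both routers must carry the same secret, beside the PAP Authenticate-Request body from RFC 1334, which carries the password in cleartext. The `Router` class and the helper names are hypothetical; the hostnames and passwords are lab values in the style of the configuration above.

```python
import hashlib
import hmac
import os

def chap_response(identifier, secret, challenge):
    """RFC 1994 MD5 response: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()

class Router:
    """Simplified model of one end of the link (not IOS code)."""
    def __init__(self, hostname, users):
        self.hostname = hostname
        self.users = users  # models the "username <peer> password <secret>" lines

    def send_challenge(self, identifier=1):
        self.pending = (identifier, os.urandom(16))
        return identifier, self.pending[1], self.hostname

    def answer(self, identifier, challenge, challenger):
        # The secret is looked up under the name carried in the Challenge.
        return chap_response(identifier, self.users[challenger], challenge), self.hostname

    def verify(self, response, responder):
        identifier, challenge = self.pending
        secret = self.users.get(responder)
        if secret is None:
            return False
        return hmac.compare_digest(chap_response(identifier, secret, challenge), response)

def chap_handshake(authenticator, peer):
    """One direction of CHAP; returns (success, bytes seen on the wire)."""
    ident, challenge, name = authenticator.send_challenge()
    response, responder = peer.answer(ident, challenge, name)
    return authenticator.verify(response, responder), challenge + response

def pap_wire(username, password):
    """PAP Authenticate-Request body (RFC 1334): lengths plus cleartext fields."""
    return bytes([len(username)]) + username.encode() + bytes([len(password)]) + password.encode()

if __name__ == "__main__":
    r3 = Router("R3", {"R4": "bar"})          # constructed lab values
    print(chap_handshake(r3, Router("R4", {"R3": "bar"}))[0])  # same secret
    print(chap_handshake(r3, Router("R4", {"R3": "foo"}))[0])  # secrets differ
    print(b"foo" in pap_wire("R1", "foo"))    # PAP exposes the password
```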
Installing Oracle 10g r2 on Debian GNU/Linux.
This document shows the installation process for Oracle 10g r2 on Debian GNU/Linux.
For future reference; I hope it is useful.