Category Archives for "Brezular’s Blog"

GRE over IPSec Tunnel Between Cisco and VyOS

The previous tutorial showed GRE tunnel configuration between a Cisco router and Linux Core. The big advantage of GRE is that it encapsulates L3 and higher protocols inside the tunnel, so routing updates and other multicast traffic can be transferred over it. The main drawback of GRE is the lack of built-in security. Data are transferred in plain text over the tunnel (no confidentiality), the peers are not authenticated, and tunneled traffic can be modified by an attacker (no integrity check of the encapsulated IP packets). For this reason a GRE tunnel is very often used in conjunction with IPsec. Typically the GRE tunnel is carried inside an IPsec tunnel; this model is called GRE over IPsec.

The tutorial shows the configuration of the OSPF routing protocol, a GRE tunnel and IPsec on a Cisco 7206 VXR router and on an appliance running the VyOS network OS. The devices run inside a GNS3 lab and are emulated by Dynamips (Cisco) and Qemu (VyOS).

Picture 1 - Topology

Note: VyOS installation is described here. You can easily build your own VyOS Qemu appliance using the Expect and Bash script shared in the article.

1. R3 Configuration

R3(config)# interface gigabitEthernet 1/0
R3(config-if)# ip address 1.1.1.1 255.255.255.0
R3(config-if)# no shutdown

R3(config-if)# interface gigabitEthernet 0/0
R3(config-if)# ip Continue reading

GRE Tunnel Between Cisco and Linux

Generic Routing Encapsulation (GRE) is a tunneling protocol originally developed by Cisco that encapsulates various network protocols inside a virtual point-to-point tunnel. It transports multicast traffic through the tunnel, so it allows routing information to pass between the connected networks. As it lacks security, it is very often used in conjunction with an IPsec VPN, which on the other hand cannot pass multicast traffic on its own.

The goal of the tutorial is to show the configuration of a GRE tunnel on a Cisco router and on a device running Linux. I have created a GNS3 lab consisting of two local networks, 192.168.1.0/24 and 192.168.2.0/24, connected via a GRE tunnel. The GRE tunnel interface is configured on router R1 (Cisco 7206VXR) and on the Core router (Core Linux with the Quagga routing daemon installed). Both routers have their outside interfaces connected to router R3, which is located in the "Internet". To prove that the GRE tunnel is working and transporting multicast traffic, the OSPF routing protocol is started on R1 and Core and configured on the tunnel interfaces and on the interfaces facing the local networks.

Note: The Core Linux vmdk image is available for download here.

Picture 1 - Topology

1. Initial Configuration

First we assign hostnames and Continue reading

Linux Core 6.3 as Routing and Switching VMware Appliance

Two weeks ago I finished creating a network host based on Linux Core 6.3 installed on a VMware x86-64 virtual machine. I loaded Core Linux with several network extensions that allow the host to generate, measure and route network traffic and to scan networks. I also wrote a short article that contains the list of loaded extensions.

Then I went further with the project; my goal was to build an L3 switch and router based on Core Linux 6.3 loaded with the Open vSwitch, Quagga, Bird and Keepalived extensions. Those are the extensions that turn the network host into a routing and switching appliance. Furthermore, the routing daemons Quagga and Bird and the multilayer switch Open vSwitch are used in many large production networks.

The R&S appliance I built can be used for learning networking on Linux, routing and switching. It is available for download in the Download section. For those interested in the installation steps, the whole process of extension installation is described in this article.

The virtual VMware appliance is based on the Linux Core network host image and contains all the extensions listed here plus the following:

openvswitch - 2.4.90
quagga - 0.99.24.1
bird - 1.5.0
keepalived - 1.2.19

Note Continue reading

Linux Core 6.3 as Network Host on VMware Disk

Core Linux is a small modular Linux distribution that provides only a command line interface and tools that allow you to build your own application extensions. Thanks to these extensions you can easily turn your Core installation into a custom appliance such as a network host, router, switch or server. Moreover, choosing Core Linux as the operating system for your appliance significantly reduces the size of the appliance.

Two weeks ago I started to build a network host that can handle network traffic. I installed the latest 64-bit Linux Core 6.3 on a VMware virtual disk and loaded Core with extensions that can generate traffic, measure bandwidth, and route, forward and filter traffic. A list of the extensions, their purpose and the configuration changes is given here.

I share my own network host VMware disk in the Linux Core download section. You can create a new virtual machine (VirtualBox, VMware Workstation/Player, Qemu) with the disk attached and use it in your GNS3 labs to simulate a network host. The disk contains the following tcz extensions:

bash - 4.3.39(1) with patches up to 39
bash-completion - 2.1
d-itg - 2.8.1-r1023
hping3 - 3.0.0-alpha-1
iperf3 - 3.1b3
iproute2 - 3.14.0
iptables Continue reading

Cloning Remote Linux Machines

Recently I was asked to find a way to clone Linux machines running in a remote virtual lab. The machines have single disks, they are all accessible over SSH and configured with the same login credentials. The goal is to make identical copies of their disks, download the disks and rebuild the machines locally in the virtual lab.

On Linux based systems the utility 'dd' is very often used to make an identical copy of a disk. I have used this command together with 'ssh' and 'gzip' to copy and compress remote disks and send them on the fly to a local disk over an SSH connection. Note that dd copies the device block by block while the remote system keeps running, so a filesystem mounted read-write on that disk may land in the image in an inconsistent state; for a consistent copy, shut the machine down or at least stop the services writing to it first. For instance, the command below, issued on the local machine, copies the disk /dev/sda of a remote Linux machine with IP address 10.10.10.11 to a local file:

$ ssh [email protected] "/bin/dd if=/dev/sda | gzip -c" | dd of=disk.raw.gz

Explanation:
/dev/sda - disk located on remote machine
disk.raw.gz - gzip compressed copy of disk /dev/sda on local machine
gzip -c - write the compressed data to stdout

I wrote a Bash script backup-images-1.0.sh that automates the process of cloning the disks of remote Linux machines. The script reads IP addresses from Continue reading
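The dd-over-ssh pipeline above gives you a compressed image but no way to tell, once the transfer has ended, whether the image is complete and intact: a read error on the source or a dropped session leaves a shorter file behind while the local dd still exits successfully. The script below is an added example written for this page, not the author's backup-images-1.0.sh. It keeps the single-pass copy but has the remote side report the device size and a SHA-256 of the bytes it actually read, and it refuses the clone unless the local file decompresses to the same length and digest. It assumes GNU/Linux userland on both ends, ssh key authentication to HOST (written as user@address, e.g. <user>@10.10.10.11 for the machine in the post) and permission to read the device; the remote_sh wrapper exists only so the verification logic can be exercised against a local file.

```shell
#!/bin/sh
# clone_disk HOST DEVICE OUTFILE
# Stream DEVICE from HOST over ssh, gzip-compressed in transit, into OUTFILE, then verify
# that OUTFILE decompresses to exactly the bytes the remote side read: same length (so a
# read error or a dropped session cannot pass as a complete image) and same SHA-256.
# Assumes GNU/Linux userland (dd, tee, gzip, sha256sum, stat, mktemp) on both ends and
# ssh public key authentication already in place; HOST is user@address.

# remote_sh HOST: execute the shell script arriving on stdin on HOST. Kept separate so the
# verification logic can be exercised against a local file by redefining it as "sh -s".
remote_sh() {
  ssh -o BatchMode=yes "$1" sh -s
}

# remote_script DEVICE: prints the script run on the remote side. The device is read once;
# tee forks the raw stream into a fifo for sha256sum while gzip compresses it to stdout.
# Size and digest are reported on stderr so they do not mix with the image data.
# dd's own stderr is discarded; a read error surfaces as a size mismatch locally.
remote_script() {
  cat <<EOF
dev='$1'
size=\$(blockdev --getsize64 "\$dev" 2>/dev/null || stat -c %s "\$dev") || exit 1
fifo=\$(mktemp -u) && mkfifo "\$fifo" || exit 1
sha256sum < "\$fifo" > "\$fifo.sum" &
dd if="\$dev" bs=4M 2>/dev/null | tee "\$fifo" | gzip -c
wait
printf 'SIZE %s\nSHA256 %s\n' "\$size" "\$(cut -d' ' -f1 "\$fifo.sum")" >&2
rm -f "\$fifo" "\$fifo.sum"
EOF
}

clone_disk() {
  host=$1; dev=$2; out=$3
  report=$(mktemp) || return 1
  remote_script "$dev" | remote_sh "$host" 2>"$report" >"$out"
  want_size=$(awk '$1 == "SIZE" { print $2 }' "$report")
  want_sum=$(awk '$1 == "SHA256" { print $2 }' "$report")
  rm -f "$report"
  if [ -z "$want_size" ] || [ -z "$want_sum" ]; then
    echo "$host:$dev: remote side reported no size/digest" >&2
    return 1
  fi
  # Verify what actually landed on the local disk, not what went over the wire.
  got_size=$(gzip -dc "$out" 2>/dev/null | wc -c | tr -d ' ')
  got_sum=$(gzip -dc "$out" 2>/dev/null | sha256sum | cut -d' ' -f1)
  if [ "$got_size" != "$want_size" ] || [ "$got_sum" != "$want_sum" ]; then
    echo "$out: verification failed (size $got_size/$want_size, sha256 $got_sum/$want_sum)" >&2
    return 1
  fi
  echo "$got_sum"
}
```

Run it as clone_disk <user>@10.10.10.11 /dev/sda disk.raw.gz; it prints the verified digest, which is worth recording next to the image. As with the one-liner above, the device is read while the remote system is live, so the image is only as consistent as the filesystems on it were at that moment.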

Public Key Authentication on Cisco IOS

Have you ever been in the situation where you needed to apply the same configuration quickly on multiple Cisco routers? If so, you probably wrote a script that connected to the routers and sent the appropriate IOS commands. One problem you certainly had to solve was making your script enter login credentials such as username and password. Moreover, if you secure access to the privileged mode of the routers with an enable secret, you had to tell the script how to enter that password as well.

All the issues mentioned above can be solved with the Expect scripting language. Expect sends commands over a telnet or ssh session as a human would. However, wrapping IOS commands in Expect syntax every time you need to change the routers' configuration is not very comfortable. That is why public key authentication for Cisco routers can be handy.

Public key authentication allows you to log in to your routers with an RSA key instead of a password. First a key pair, a public and a private key, must be generated and the public key copied into the router's configuration. Then you can connect to the router with your private key. The private key is the key that should Continue reading
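The post above stops before showing how the public key ends up in the router configuration. The helper below is an added example written for this page, not the author's script: it takes one OpenSSH public key line, keeps only the base64 key body (IOS wants neither the "ssh-rsa" prefix nor the comment), wraps it so that no configuration line gets too long, and prints the ip ssh pubkey-chain stanza to paste into the router. The user name netops, the key in the usage (a constructed string, not a real key) and the 72-column wrap are assumptions. The router additionally needs a working SSH server (crypto key generate rsa, ip ssh version 2, a vty with transport input ssh), and it accepts only RSA keys for this feature on the IOS 15 releases the block was written against.

```shell
#!/bin/sh
# ios_pubkey_stanza USER PUBKEY_LINE
# Turn one OpenSSH public key line ("ssh-rsa AAAA... comment") into the IOS
# "ip ssh pubkey-chain" configuration for USER. IOS takes only the base64 body of the
# key, entered as key-string lines; the type and comment fields are dropped, and the
# body is wrapped because IOS rejects over-long configuration lines.
ios_pubkey_stanza() {
  user=$1
  line=$2
  type=$(printf '%s\n' "$line" | awk '{ print $1 }')
  blob=$(printf '%s\n' "$line" | awk '{ print $2 }')
  # Assumption: only RSA keys are accepted by pubkey-chain on the targeted releases.
  if [ "$type" != "ssh-rsa" ] || [ -z "$blob" ]; then
    echo "expected an OpenSSH ssh-rsa public key line" >&2
    return 1
  fi
  printf 'ip ssh pubkey-chain\n'
  printf ' username %s\n' "$user"
  printf '  key-string\n'
  printf '%s\n' "$blob" | fold -w 72 | sed 's/^/   /'   # 72 columns, well under the IOS line limit
  printf '  exit\n'
  printf ' exit\n'
}

# Usage with a constructed key body (not a real key); the real input is ~/.ssh/id_rsa.pub.
ios_pubkey_stanza netops "ssh-rsa AAAAexamplekeybodyAAAAexamplekeybodyAAAAexamplekeybody netops@jumphost"
```

Generate the pair with ssh-keygen -t rsa -f ~/.ssh/ios_key, feed the .pub line to the function and paste its output into configuration mode. After the paste, show running-config displays the key as a key-hash ssh-rsa line rather than the key-string you entered; that hash is what you compare when auditing which keys may log in to the router.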

Decapsulation ERSPAN Traffic With Open Source Tools

The Cisco Encapsulated Remote SPAN (ERSPAN) feature allows you to monitor traffic on one or more ports and send the monitored traffic to one or more destinations. The traffic is encapsulated in a GRE tunnel and routed across the network to the ERSPAN destination. Any device that supports ERSPAN can be used as the destination; it might be another Cisco device or a Linux box with software installed that can decapsulate GRE traffic.

The goal of this article is to show methods and tools for decapsulation of ERSPAN traffic. For this purpose I have built a simple lab consisting of a Cisco CSR 1000v router and two Linux boxes. Core Linux represents a network host and generates the network traffic (ICMP) that is going to be monitored. It is connected to port GigabitEthernet1 of the Cisco router. The router is configured to monitor traffic on port Gi1 and sends it, encapsulated in GRE, to IP address 10.230.10.1. That is the IP address of the ERSPAN destination, configured on a Linux box running Security Onion. Security Onion is a Linux distro for intrusion detection, network security monitoring and log management based on Ubuntu; however, any other Linux distro can be used.

Picture 1 - ERSPAN Lab Topology

Below is an example of ERSPAN Continue reading
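The two GRE posts above say that GRE carries its payload without confidentiality or integrity protection, and this post says the mirrored frames travel inside GRE. The decoder below, an added example written for this page and not code from any of the original articles, makes both points concrete: it walks the GRE header (RFC 2784, with the RFC 2890 key and sequence number fields), recognises the ERSPAN encapsulation (GRE protocol 0x88BE; type II adds a sequence number and an 8-byte ERSPAN header, type I has neither), and reports the byte offset at which the unprotected payload starts. Input is a hex string beginning at the GRE header with the outer IP header already stripped; the packets in the usage and tests are constructed by hand, not captures from the lab.

```shell
#!/bin/sh
# gre_parse HEX
# Decode a GRE header and, when the payload is ERSPAN, the ERSPAN header that follows it.
# HEX is the packet from the GRE header onward as one contiguous hex string, the outer IP
# header already removed (e.g. the "gre" field from "tshark -T fields -e gre"). Prints
# key=value pairs on one line; returns 1 on truncated input.
gre_parse() {
  hex=$(printf '%s' "$1" | tr 'A-F' 'a-f')
  if [ ${#hex} -lt 8 ]; then echo "truncated GRE header" >&2; return 1; fi
  flags=$(( 0x$(printf '%s' "$hex" | cut -c1-4) ))
  proto=$(printf '%s' "$hex" | cut -c5-8)
  pos=9                                    # 1-based hex-char index of the next field
  # C bit (0x8000) adds a 4-byte checksum+reserved field, K bit (0x2000) a 4-byte key.
  if [ $(( flags & 0x8000 )) -ne 0 ]; then pos=$(( pos + 8 )); fi
  if [ $(( flags & 0x2000 )) -ne 0 ]; then pos=$(( pos + 8 )); fi
  # S bit (0x1000) adds a 4-byte sequence number; ERSPAN type II always sets it.
  seq=
  if [ $(( flags & 0x1000 )) -ne 0 ]; then
    if [ ${#hex} -lt $(( pos + 7 )) ]; then echo "truncated GRE options" >&2; return 1; fi
    seq=$(( 0x$(printf '%s' "$hex" | cut -c${pos}-$(( pos + 7 ))) ))
    pos=$(( pos + 8 ))
  fi
  out="gre_proto=$proto${seq:+ seq=$seq}"
  if [ "$proto" = "88be" ] && [ -n "$seq" ]; then
    # ERSPAN type II header (8 bytes):
    #   word 1: Ver(4) VLAN(12) COS(3) En(2) T(1) SessionID(10)
    #   word 2: Reserved(12) Index(20)
    if [ ${#hex} -lt $(( pos + 15 )) ]; then echo "truncated ERSPAN header" >&2; return 1; fi
    w1=$(( 0x$(printf '%s' "$hex" | cut -c${pos}-$(( pos + 7 ))) ))
    w2=$(( 0x$(printf '%s' "$hex" | cut -c$(( pos + 8 ))-$(( pos + 15 ))) ))
    pos=$(( pos + 16 ))
    out="$out erspan_type=2 ver=$(( w1 >> 28 )) vlan=$(( (w1 >> 16) & 0xfff ))"
    out="$out cos=$(( (w1 >> 13) & 7 )) en=$(( (w1 >> 11) & 3 )) t=$(( (w1 >> 10) & 1 ))"
    out="$out session=$(( w1 & 0x3ff )) index=$(( w2 & 0xfffff ))"
  elif [ "$proto" = "88be" ]; then
    out="$out erspan_type=1"               # type I: no sequence number, no ERSPAN header
  fi
  # Everything from payload_offset onward is the mirrored frame or the tunnelled packet,
  # in clear text: GRE adds no confidentiality, authentication or integrity protection.
  echo "$out payload_offset=$(( (pos - 1) / 2 ))"
}

# Constructed ERSPAN type II packet (not a lab capture): GRE flags 0x1000, proto 0x88BE,
# seq 7, ERSPAN word 1 0x1064180a (ver 1, VLAN 100, CoS 0, En 3, T 0, session 10), index 1.
gre_parse "100088be000000071064180a00000001ffffffffffff"
```

The payload_offset is the number of bytes a decapsulation tool has to skip after the outer IP header to reach the mirrored Ethernet frame, and the session and VLAN fields are what you filter on when one collector receives several ERSPAN sessions. Because nothing between the router and 10.230.10.1 is protected, the monitored traffic is readable and replaceable by anyone on that path; the GRE over IPsec post at the top of this page describes the same fix for tunnel traffic.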

Qemu ASAv Appliance as Personal Firewall on Linux

The article discusses how to run the Cisco Adaptive Security Virtual Appliance (ASAv) on the KVM hypervisor as your personal firewall. Since ASAv version 9.3.2-200, Cisco supports deploying ASAv on the Kernel-based Virtual Machine (KVM). Thanks to KVM support, ASAv can be deployed on Linux in a very easy manner and no mysterious hacks are needed anymore.

Unfortunately, until a valid license file is installed, ASAv throughput is limited to 100 Kbps. So far I have not found a way to bypass this limitation, as Cisco does not provide an evaluation licence as they do for their CSR 1000v IOS-XE router. I also found that ASAv keeps rebooting when Qemu is started without the KVM option enabled. This limits deployment of the ASAv Qemu image to Linux/FreeBSD, as KVM is available for these operating systems only. Windows users should download and install the ASAv edition for the VMware hypervisor.

Software Requirements
• Linux x86_64 with installed Qemu and KVM
• Cisco ASAv Virtual Appliance - Qemu image asav932-200.qcow2 or later

Hardware Requirements
• CPU with VT-X or AMD-V hardware virtualization support
• 2GB RAM dedicated for ASAv virtual machine

1. ASAv Installation

Installation does not require any special skills and takes only one reboot. Start the ASAv virtual machine Continue reading

PfSense VirtualBox Appliance as Personal Firewall on Linux

The tutorial explains how to set up a pfSense VirtualBox appliance in order to use it as a personal firewall on Linux. It shows the Linux network configuration needed to support this scenario and provides an installation script that automatically builds a VirtualBox virtual machine ready for pfSense installation. It also describes the pfSense installation and shows the minimal web configuration needed for a successful connection to the Internet.

The pfSense Live CD ISO image can be downloaded from here.

1. Linux Network Configuration

We are going to install pfSense from the live CD ISO image on a VirtualBox virtual machine. To do so we must reconfigure an existing network interface, create a new one and configure new static default routes. The network topology, consisting of a Fedora Linux host with the VirtualBox virtualizer installed, is shown below.

Picture 1 - Network Topology

A wireless network card is installed in the Linux host and presented as interface wlp3s0. It is the interface that connects the pfSense virtual machine to the outside world. This interface will be bridged with the first network adapter (em0) of the pfSense virtual machine. Bridging the host adapter wlp3s0 with the guest adapter em0 (the WAN interface of pfSense) is done with the vboxmanage utility and is shown later in the tutorial.

As the Pfsense appliance is Continue reading

How to configure GNS3 installed on Linux to support more than 8 NIC for Qemu Instances

Recently I read a question on the GNS3 forum asking whether Qemu supports more than 8 network adapters. According to a Google search, the maximum number of adapters for Qemu virtual machines is set by the parameter #define MAX_NICS 8 in the file ./include/net/net.h of the Qemu source tree. After setting the desired value you must compile and install Qemu from source.

However, I have noticed that changing the integer value in the line #define MAX_NICS has no effect on the maximum number of NICs allowed for Qemu VMs. I noticed that I could start a Core Linux Qemu machine with 18 network adapters even though Qemu 2.2.0 was compiled with #define MAX_NICS set to 1.

Now we know that Qemu itself does not limit the maximum number of network adapters to 8. We will go ahead and investigate GNS3. Navigate to Edit -> Preferences -> QEMU VMs and click on an existing Qemu VM. Click the Edit button for this VM and open the Network tab. Try to increase the number of Adapters to 9.

GNS3 1.2.1 allows a maximum of 8 NICs for a particular Qemu virtual machine. To get around this limitation we have to edit the GNS3 source files and reinstall the GNS3 GUI and server. Here are the steps for Linux.

1. Download and extract GNS3 1.2.1 Linux Continue reading

Alcatel-Lucent Virtualized Simulator on GNS3

The Alcatel-Lucent virtualized Simulator (vSim) is a virtualization-ready version of SR OS called SR OS-VM. This operating system is designed to run in a virtual machine (VM) on a generic Intel x86 server. In control and management plane aspects, the vSim is functionally and operationally equivalent to an Alcatel-Lucent hardware-based SR OS router. The vSim is intended to be used as a laboratory tool to fully simulate the control and management plane of an SR OS node. It is not intended for use in a production network, and the forwarding plane is limited to 250 pps per interface. Furthermore, without a license file it runs for 1 hour before reloading.

Host Software and Hardware Requirements

  • Linux x86-64
  • Qemu emulator version 2.1.2 (qemu-system-x86_64 or i386)
  • GNS3 version 1.2 or later
  • RAM - at least 4 GB
  • CPU with hardware virtualization support (VT-x or AMD-V)

Virtual Machines Software and Hardware Requirements

  • TiMOS-B-12.0.R6 ALCATEL SR 7750, TiMOS-SR-12.0.R6-vm.zip
  • RAM 2048 MB, CPU x86-32
  • Qemu additional parameters: -nographic -enable-kvm

1. Installation Steps

Extract image from the zip file.

$ unzip TiMOS-SR-12.0.R6-vm.zip
$ cd vm/7xxx-i386/

Now a virtual disk sros-vm.qcow2 is extracted. To start Qemu virtual Continue reading

ExtremeXOS, Arista and Cisco vIOS-Layer2 Virtual GNS3 Lab

ExtremeXOS is the network operating system used in Extreme Networks switches. The virtualized version of ExtremeXOS, the EXOS virtual machine vmdk image, can be used to build a virtual lab without hardware switches. Although the ExtremeXOS virtual machine can be downloaded for free, only certain features are known to work. For this reason the software should not be used for testing actual network setups or for performance tests.

The tutorial consists of two parts. Part one explains how to configure the Qemu emulator to run the ExtremeXOS virtual machine. In part two, the ExtremeXOS VM is connected to a virtual lab run by GNS3. In this lab, features such as VLANs, 802.1q trunks and the OSPF routing protocol are tested between multilayer switches from different vendors: Cisco, Arista and Extreme Networks.

Host Software and Hardware Requirements

  • Linux x86-64,
  • Qemu emulator version 2.1.2 (qemu-system-x86_64, qemu-system-i386 ) or later,
  • GNS3 version 1.1 or later,
  • RAM - at least 4 GB,
  • CPU with hardware virtualization support (VT-x or AMD-V)

Virtual Machines Software and Hardware Requirements

  • ExtremeXOS VM 15.3.2, exosvm.vmdk,
    RAM 256 MB ,CPU x86-64
    Qemu additional parameters: -nographic -enable-kvm
  • vios_l2-ADVENTERPRISEK9-M, Version 15.0, vIOS-L2.vmdk,
    RAM 512MB, Continue reading

Arista vEOS on GNS3

EOS (Extensible Operating System) is a Linux-based network operating system developed by Arista Networks that runs on all Arista switches. Virtual EOS (vEOS) is a single image that can run in a virtual machine. The article describes how to set up a vEOS virtual machine and connect it to GNS3 in order to test EOS functionality.

Host Requirements
Linux x86-64
Qemu or VirtualBox installed

Virtual Machine Requirements
1024 MB RAM
IDE CD-ROM drive with mounted Aboot-veos-serial-2.0.8.iso
2GB flash IDE disk - vEOS-4.14.2F.vmdk
NICs e1000 type

1. Download Bootloader and Virtual EOS

Click the link to create a new account. A guest account (registration without a corporate e-mail address, e.g. with gmail.com) is sufficient to download the vEOS software. Click the link and log in with the credentials you entered during registration. You have to accept the License Agreement in order to download the vEOS software.

Download the bootloader and a virtual disk:

Aboot-veos-serial-2.0.8.iso
vEOS-4.14.2F.vmdk

2. Arista Switch First Boot on Qemu

Use Qemu to boot the Arista switch virtual machine for the first time.

$ /usr/local/bin/qemu-system-x86_64 -m 1024 -enable-kvm -cdrom ./Aboot-veos-serial-2.0.8.iso -boot d vEOS-4.14.2F.vmdk -serial telnet::3355,server,nowait

Note that telnet::3355 leaves the host part of the chardev spec empty, so Qemu listens on all of the host's addresses and anyone who can reach TCP port 3355 gets the unauthenticated serial console of the switch. On a host with other network interfaces, write it as telnet:127.0.0.1:3355 to keep the console local.

Connect to the Continue reading

GNS3 on Fedora Linux

Here are my notes about installing GNS3 on Fedora Linux. They show the basic steps required to successfully install and configure GNS3 with VirtualBox, Qemu, IOU and Dynamips support. Configuration of the individual VirtualBox, Qemu, IOU and IOS images is not discussed.

1. GNS3 GUI and Server Installation and Configuration

1.1 Install Dependencies

$ sudo yum install python3 python3-setuptools.noarch python3-PyQt4 python3-devel gcc

1.2 Download and Extract GNS3 GUI and Server

$ git clone https://github.com/GNS3/gns3-gui.git
$ git clone https://github.com/GNS3/gns3-server.git

$ cd gns3-gui/
$ sudo python3 setup.py install
$ cd ..

$ cd gns3-server/
$ sudo python3 setup.py install

1.3 Configure GNS3 Server Settings

Navigate to Edit-> Preferences-> GNS3 server-> Local server and change path to gns3server.

2. IOU Installation and Configuration

IOU stands for IOS on Unix. IOU images are IOS images compiled for the x86 or Sparc CPU architecture.

2.1 Install Dependencies

$ sudo yum install gcc gcc-c++ git

2.2 Create Symbolic Link and Prevent IOU from Calling Home

$ cd /usr/lib
$ sudo ln -s ./libcrypto.so.10 libcrypto.so.4
$ su -c "echo '127.0.0.127 xml.cisco.com' >> /etc/hosts"

2. Continue reading

How to show captured data from Cisco IOS on the fly in Wireshark/tcpdump

The monitor capture feature of Cisco IOS can show the captured data, but IOS lacks an option to export the data on the fly. I wrote a tiny GNU/Linux shell script to work around this restriction.

This is similar to the ASA packet capture (https://supportforums.cisco.com/document/69281/asa-using-packet-capture-troubleshoot-asa-firewall-configuration-and-scenarios) fetched via HTTP/HTTPS.

I tested script on:

Router(config)#uname -a
IOSv Router IOS 15.4 Cisco IOS Software, vios Software (vios-ADVENTERPRISEK9-M), Experimental Version 15.4(20131213:232637) [lucylee-ca_pi23 137]
Copyright (c) 1986-2013 by Cisco Systems, Inc.
Compiled Mon 16-Dec-13 19:50 by lucylee Unknown Unknown IOS

1. Create a user with privilege level 15 (the equivalent of root)

username user secret userpass
username user privilege 15

2. Start the HTTP server, set the authentication method and optionally raise the maximum number of connections to 16 (default 5)

For security reasons you should restrict access to the HTTP/HTTPS server with an ACL and use the HTTPS server instead of plain HTTP: the script fetches its output with a privilege-15 account, so the credentials and the captured packets would otherwise cross the network in clear text.

ip http server
ip http authentication local
ip http max-connections 16

3. Configure Monitor settings

Below I create a circular buffer called MY_BUFFER. A linear buffer is limited: when it is full, IOS stops capturing. In a circular buffer, old data are overwritten when the buffer is full.

monitor capture buffer MY_BUFFER size 1024 max-size 9500 circular

Next step is to create a capture point. I created the Continue reading

HP VSR1001 Virtual Services Router on GNS3

HP VSR is Comware 7 router software for a server that provides the same functionality as a physical router. Installed on either a VMware or KVM virtual machine, it offers routing, firewall, IPsec and MPLS VPN services.

The tutorial gives you an idea of how to install the HP VSR1000 (Virtual Services Router) running the Comware 7 OS on a Qemu disk and connect the Qemu appliance to GNS3.

There are HP VSR1001, VSR1004 and VSR1008 models available for download. The differences between the models are explained here. As the VSR1001 model has the lowest RAM requirements of the three and we do not need to worry about forwarding performance, the VSR1001 demo ISO image is our choice. The demo is fully featured, performance limited, requires no license and has no expiration date.

HP VSR1001 Minimum Hardware Requirements

  • CPU: 2.0 GHz
  • Memory: 1 GB
  • Disk space: 8 GB
  • Network interfaces: 2 virtual NICs, E1000 and VirtIO virtual NICs are recommended, maximum 16 NICs supported

1. Download HP VSR1001 Virtual Services Router

Navigate to the Download page here

Picture 1 - HP VSR1001 Virtual Services Router Download Page

Click on the >> button on the right, beside the padlock icon. Either sign in with your HP Passport account or Continue reading

How to run Juniper Firefly Perimeter vSRX on GNS3

Firefly Perimeter is a virtual security appliance that provides security and networking services at the perimeter in virtualized private or public cloud environments. It runs as a virtual machine (VM) on a standard x86 server and delivers security and networking features similar to those available on branch SRX Series devices.

However, not all features supported by the SRX hardware devices are supported. Here is the list of features supported by the current Firefly 12.1x46-d10 release.

Firefly Perimeter Hardware Specifications

  • Memory 2 GB
  • Disk space 2 GB
  • vCPUs 2
  • vNICs Up to 10
  • Virtual Network Interface Card type (NIC) E1000

Thanks to Juniper's software evaluation program we can download Firefly Perimeter for free and test it for 60 days. In this tutorial we are going to connect Firefly Perimeter to GNS3 and create a simple lab to test connectivity between two vSRX instances. As GNS3 has built-in support for VirtualBox and Qemu/KVM, either can be used as the hypervisor.

Firefly Perimeter vir

tual machines can be downloaded here. You have to use your Juniper account to proceed with the download, but a valid service contract is not required to download the Firefly Perimeter virtual machine.

Picture 1 - Juniper Login Window

Notice that they Continue reading

Cisco Virtual IOS on GNS3

The tutorial discusses the use of GNS3 to run Cisco Virtual IOS (vIOS). Cisco vIOS is shipped and supported as part of Cisco's One Platform Kit (onePK), which is distributed in the form of a virtual machine. It can be downloaded with a Cisco.com account. Currently, a Cisco account associated with service contracts, Bill-to IDs or product serial numbers is not required to download onePK.

Software Prerequisites

  • Host OS - any 64 bit Linux OS
  • Qemu emulator and virtualizer compiled with x86_64 support
  • KVM
  • GNS3 0.8.7 - the last version that has Qemu support included
  • Cisco all-in-one-VM-1.2.1-194.ova virtual machine

Minimum Hardware Requirements

  • CPU with hardware virtualization support (AMD-V or VT-X virtualization extensions)
  • Storage - 10 GB
  • RAM - 2000 MB
  • RAM vIOS - 384 MB

Script for Extracting vIOS from All-In-One VM

Here is a Linux bash script that extracts vIOS (vios-adventerprisek9-m.vmdk) from the all-in-one VM file. Download the all-in-one.ova file from here and make the script executable.

$ chmod +x extract_vios.txt

Then you can run the script as it is shown below.  The only user input is selecting path to all-in-one VM file Continue reading
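The extraction script above pulls a disk image out of the all-in-one OVA. Before extracting a disk from any OVA and booting it, a practitioner wants to know that the archive is intact. An OVA is a tar archive whose .mf member lists a digest for every other member, written as "SHA1(name)= hex" in OVF 1.x packages and "SHA256(name)= hex" in OVF 2.x packages. The function below, an added example that is neither the page's extract_vios script nor part of the onePK tooling, recomputes every listed digest and refuses the archive on any mismatch; the .ova files in the test are constructed locally, not the Cisco download.

```shell
#!/bin/sh
# ova_verify FILE.ova
# An OVA is a tar archive; its .mf member lists a digest for every other member, one per
# line, as "SHA1(name)= hex" (OVF 1.x) or "SHA256(name)= hex" (OVF 2.x). Recompute each
# digest from the extracted member and compare. Returns 0 only if a manifest exists and
# every entry matches; each failure is reported on stderr. Needs tar, sha1sum/sha256sum,
# sed and a temp dir large enough for the extracted image (GNU/Linux userland).
ova_verify() {
  ova=$1
  work=$(mktemp -d) || return 1
  # Extract into a fresh directory. The member names taken from the manifest are still
  # treated as untrusted below: anything containing a path component is rejected.
  if ! tar -xf "$ova" -C "$work"; then
    rm -rf "$work"; return 1
  fi
  mf=$(ls "$work"/*.mf 2>/dev/null | head -n 1)
  if [ -z "$mf" ]; then
    echo "$ova: no manifest (.mf) member" >&2; rm -rf "$work"; return 1
  fi
  rc=0
  while IFS= read -r line; do
    algo=$(printf '%s' "$line" | sed -n 's/^\([A-Z0-9]*\)(.*)= *.*/\1/p')
    name=$(printf '%s' "$line" | sed -n 's/^[A-Z0-9]*(\(.*\))= *.*/\1/p')
    want=$(printf '%s' "$line" | sed -n 's/^[A-Z0-9]*(.*)= *\([0-9A-Fa-f]*\).*/\1/p' | tr 'A-F' 'a-f')
    [ -n "$name" ] || continue                  # blank or unrecognised line
    case $name in
      */*|..*) echo "$name: refusing manifest entry with a path" >&2; rc=1; continue ;;
    esac
    case $algo in
      SHA1)   tool=sha1sum ;;
      SHA256) tool=sha256sum ;;
      SHA512) tool=sha512sum ;;
      *) echo "$name: unsupported digest $algo" >&2; rc=1; continue ;;
    esac
    if [ ! -f "$work/$name" ]; then
      echo "$name: listed in manifest but missing from archive" >&2; rc=1; continue
    fi
    got=$($tool < "$work/$name" | cut -d' ' -f1)
    if [ "$got" != "$want" ]; then
      echo "$name: $algo mismatch (manifest $want, actual $got)" >&2; rc=1
    fi
  done < "$mf"
  rm -rf "$work"
  return $rc
}
```

Run ova_verify all-in-one.ova before handing the file to the extraction script. A consistent manifest proves only that the archive is internally intact, i.e. that no member was modified or truncated after the manifest was written; whether it is the vendor's archive at all is a question for the .cert member, if present, or for the checksum published on the download page.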

VyOS x64 Installation on Qemu

VyOS is a community fork of Vyatta, a Linux-based network operating system that provides software-based network routing, firewall, and VPN functionality. The VyOS project was started in late 2013 as a community fork of the GPL portions of Vyatta Core 6.6R1 with the goal of maintaining a free and open source network operating system in response to the decision to discontinue the community edition of Vyatta.

VyOS runs on both physical and virtual platforms. It supports paravirtual drivers and integration packages for virtual platforms. It is completely free and open source.

The aim of the tutorial is to show VyOS installation on Qemu virtual machine and  get it working on GNS3.

VyOS Qemu and VirtualBox virtual disks can be downloaded here.

I created a Bash script deploy_vyos for automatic deployment of VyOS to a Qemu image. The script downloads the stable VyOS ISO image from the Internet, creates a Qemu disk and starts a Qemu virtual machine with the ISO image attached. Then it starts the Expect script install_vyos, which automatically sets all required configuration options without user intervention. Before trusting an image fetched this way, compare the downloaded ISO against the checksum the VyOS project publishes with the release.

deploy_vyos
install_vyos

Just copy both scripts to the same directory, assign run privileges to both scripts with the command below and run the deploy_vyos script.

$ chmod +x Continue reading

RouterOS x86 Qemu and VirtualBox Appliances Download

MikroTik RouterOS is the stand-alone operating system of MikroTik RouterBOARD hardware. It can also be installed on a PC and will turn it into a router with all the necessary features – routing, firewall, bandwidth, management, wireless access point, backhaul link, hotspot, gateway, VPN server and more.

RouterOS x86 installed on the Qemu and VirtualBox disks is not licensed; you have 24 hours in total to run these images.

login/pass: admin / password is not set

1. RouterOS x86 6.15

Qemu
https://drive.google.com/file/d/0B6L2h6R5UKMhQUcxMFl2a1pZZGs/edit?usp=sharing
http://sourceforge.net/projects/gns-3/files/Qemu%20Appliances/routeros-6.15-qemu.zip/download
http://www.4shared.com/zip/HG7nubJlba/routeros-615-qemu.html

VirtualBox
https://drive.google.com/file/d/0B6L2h6R5UKMhODYyNm0tWnFjXzA/edit?usp=sharing
http://sourceforge.net/projects/gns-3/files/VirtualBox%20Appliances/routeros-6.15-vbox.zip/download
http://www.4shared.com/zip/qPN2tmD7ba/routeros-615-vbox.html
