The previous tutorial shown GRE tunnel configuration between Cisco router and Linux Core. The big advantage of GRE protocol is that it encapsulates L3 and higher protocols inside the GRE tunnel so routing updates and other multicast traffic can be successfully transferred over the tunnel. The main drawback of GRE protocol is the lack of built-in security. Data are transferred in plain-text over the tunnel and peers are not authenticated (no confidentiality). Tunneled traffic can be changed by attacker (no integrity checking of IP packets). For this reason GRE tunnel is very often used in conjunction with IPSec. Typically, GRE tunnel is encapsulated inside the IPSec tunnel and this model is called GRE over IPSec.
The tutorial shows configuration of OSPF routing protocol, GRE and IPSec tunnel on Cisco 7206 VXR router and appliance running VyOS network OS. Devices are running inside GNS3 lab an they are emulated by Dynamips (Cisco) and Qemu (VyOS).
Picture 1 - Topology
Note: VyOS installation is described here. You can easily build your own VyOS Qemu appliance using the Expect and Bash script shared in the article.
1. R3 Configuration
R3(config)# interface gigabitEthernet 1/0
R3(config-if)# ip address 1.1.1.1 255.255.255.0
R3(config-if)# no shutdown
R3(config-if)# interface gigabitEthernet 0/0
R3(config-if)# ip Continue reading
Generic Routing Encapsulation - GRE is a tunneling protocol originally developed by Cisco that encapsulates various network protocols inside virtual point-to-point tunnel. It transports multicast traffic via GRE tunnel so it allows passing of routing information between connected networks. As it lacks of security it is very often used in conjunction IP SEC VPN that on the other hand is not capable to pass multicast traffic.
The goal of the tutorial it to show configuration of GRE tunnel on a Cisco router and a device with OS Linux. I have created GNS3 lab consisting of two local networks - 192.168.1.0/24 and 192.168.2.0/24 connected via GRE tunnel. GRE tunnel interface is configured on router R1 (Cisco 7206VXR) and Core Router (Core Linux with Quagga routing daemon installed). The both routers have their outside interfaces connected to a router R3 that is located in the "Internet". To prove that GRE tunnel is working and transporting multicast traffic, the OSPF routing protocol is started on R1 and Core routers and configured on tunnel interfaces and interfaces pointing to local networks.
Note: The Core Linux vmdk image is available for download here.
1. Initial Configuration
First we assign hostnames and Continue reading
Two weeks ago I finished creating a network host based on Linux Core 6.3 installed on WMware x86-64 virtual machine. I loaded Core Linux with several network extensions that allows host to generate, measure, route network traffic and scan networks. I also wrote a short article that contains a list of loaded extension.
Then I went further with the project and my goal was to build L3 switch and router based on Core Linux 6.3 loaded with Open vSwitch, Quagga, Bird and Keepalived extension. Those are the right extensions that turned the network host to routing and switching appliance. Furthermore the routing daemons Quagga and Bird and multilayer switch Open vSwitch are used in many large production networks.
The R&S appliance I built can be used for learning networking on Linux, routing and switching. It is available for download in Download section. For those who are interested in installation steps the whole process of extension installation is described in this article.
The virtual VMware appliance is based on Linux Core network host image and it contains all the extensions listed here plus the following extensions:
openvswitch - 2.4.90
quagga - 0.99.24.1
bird - 1.5.0
keepalived - 1.2.19
Note Continue reading
The Core Linux is a small modular Linux distribution that provides only a command line interface and tools that allows you to build your own application extensions. Thanks to these extensions you can easily turn your Core installation to a custom appliance such as network host, router, switch, server. Moreover choosing the Core Linux as an operating system for your appliance significantly reduces the size of the appliance.
Two weeks ago I started to build a network host that can handle network traffic. I installed the latest 64 bit Linux Core 6.3 on VMware virtual disk and loaded Core with extensions that can generate traffic, measure bandwidth, route, forward and filter traffic. A list of the extensions, their purpose and configuration changes is mentioned here.
I share my own network host VMware disk in Linux Core download section. You can create a new virtual machine (VirtualBox, VMware Workstation/Player, Qemu) with the disk attached and use it in your GNS3 labs in order to simulate network host. The disk contains the following tcz extensions:
bash - 4.3.39(1) with patches up to 39
bash-completion - 2.1
d-itg - 2.8.1-r1023
hping3 - 3.0.0-alpha-1
iperf3 - 3.1b3
iproute2 - 3.14.0
iptables Continue reading
Recently, I have been asked to find a way how to clone Linux machines running in a remote virtual lab. The machines have single disks, they all are accessible over SSH and configured with the same login credentials. The goal is to make identical copies of their disks, download the disks and rebuild machines locally in the virtual lab.
On Linux based systems, utility 'dd' is very often used to make identical copy of a disk. I have used this command together with 'ssh' and 'gzip' commands to copy and compress remote disks and send them on the fly to a local disk over SSH connection. For instance, the command below issued on a local machine copies a disk /dev/sda of a remote Linux machine with IP address 10.10.10.11 to a local disk:
$ ssh [email protected] "/bin/dd if=/dev/sda | gzip -c" | dd of=disk.raw.gz
Explanation:
/dev/sda - disk located on remote machine
disk.raw.gz - gzip compressed copy of disk /dev/sda on local machine
gzip -c - send compressed file to stdout
I wrote a BASH script backup-images-1.0.sh that automates process of cloning disks of remote Linux machines. The script reads IP addresses from Continue reading
Have you ever been in that situation that you needed to apply the same configuration quickly on multiple Cisco routers? If yes, you probably wrote a script that connected to routers and sent appropriate IOS commands. One problem that you certainly had to solved was forcing your script to enter login credentials such as username and password. Moreover if you secure an access to privileged user mode of routers with an enable secret command you had to tell the script how to enter that password as well.
All the issues I have mentioned above can be easily solved with Expect scripting language. Expect sends commands via telnet or ssh session as the human would. However encapsulating IOS commands to syntax recognized by Expect language every time you need to change routers' configuration seems to be not very comfortable. That is why public key authentication for Cisco routers can be handy.
Public key authentication allows you to log in to your routers using RSA key instead of a password. But firstly key-pair - public and private key must be generated and a public key copied into a config file of the router. Then you can connect to the router with your private key. A private key is the key that should Continue reading
Cisco Encapsulated Remote SPAN (ERSPAN) feature allows to monitor traffic on one or more ports and send the monitored traffic to one or more destination ports. Traffic is encapsulated into GRE tunnel and routed via network to ERSPAN destination. Any device that supports ERSPAN can be used as ERSPAN destination. It might be another Cisco device or Linux with installed software that can decapsulate GRE traffic.
The goal of this article is to show methods and tools for decapsulation of ERSPAN traffic. For this purpose I have built simple lab that consists of a Cisco CSR 1000v router and two Linux boxes. Core Linux represents a network host and generates network traffic (ICMP) that is going to be monitored. It is connected to the port GigabitEthernet1 of the Cisco router. The router is configured to monitor traffic on the port Gi1 and it sends traffic encapsulated in GRE tunneling protocol to IP address 10.230.10.1. It is the IP address of the ERSPAN destination configured on Linux Security Union. Security Onion is a unique Linux distro for intrusion detection, network security monitoring, and log management based on Ubuntu however any other Linux distro can be used.
Picture 1 - ERSPAN Lab Topology
Below is an example of ERSPAN Continue reading
The article discuss how to run Cisco Adaptive Security Virtual Appliance (ASAv) on KVM hypervisor as your personal firewall. Since ASAv version 9.3.2-200, Cisco supports deploying ASAv using Kernel-based Virtual Machine (KVM). Thanks for the support of KVM hypervisor, ASAv can be deployed in a very easy manner on Linux and any mysterious hacks is needed anymore.
Unfortunately until a valid license file is installed, ASAv throughput is limited to 100 Kbps. So far I have not found a way how to bypass this limitation as Cisco does not provide any evaluation licence as they offer for their CSR100v IOS-XE router. I also found out that ASAv keeps rebooting when Qemu is started without enabled KVM option. It limits deployment of ASAv Qemu images on Linux/FreeBSD as KVM is available for these operation systems only. Windows users should download and install ASAv edition for VMware hypervisor.
Software Requirements
• Linux x86_64 with installed Qemu and KVM
• Cisco ASAv Virtual Appliance - Qemu image asav932-200.qcow2 or later
HardwareRequirements
• CPU with VT-X or AMD-V hardware virtualization support
• 2GB RAM dedicated for ASAv virtual machine
1. ASAv Installation
Installation does not requires any special skills and takes only one reboot. Start the ASAv virtual machine Continue reading
The tutorial explains how to set up pfSense VirtualBox appliance in order to use it as a personal firewall on Linux. It shows Linux network configuration to support this scenario and provides an installation script that automatically builds a VirtualBox virtual machine ready for pfSense installation. It also describes pfSense installation and shows minimal web configuration needed for successful connection to the Internet.
pfSense Live CD ISO disk can be downloaded from here.
1. Linux Network Configuration
We are going to install pfSsense from live CD ISO image on a VirtualBox virtual machine. To do so we must reconfigure an existing network interface, create a new one and configure new static default routes. A network topology consists of Linux Fedora with installed VirtualBox virtualizer. is shown below.
Picture 1 - Network Topology
A wireless network card is installed in Linux and presented as an interface wlp3s0. The interface wlp3s0 is the interface that connects Pfsense virtual machine to the outside world. This interface will be bridged with a first network adapter (em0) of the Pfsense virtual machine. Bridging host adapter wlp3s0 with the guest adapter em0 (WAN interface of Pfsense) will be done using vboxmanage utility and shown later in the tutorial.
As the Pfsense appliance is Continue reading
Recently I have read a question on GNS3 forum asking whether Qemu supports more than 8 network adapters. According to Google search, maximum number of adapters for Qemu virtual machines can be configured with a parameter #define MAX_NICS 8 in a file ./include/net/net.h under Qemu source tree. After you set desirable value you must compile and install Qemu from source.
However I have noticed that changing the integer value in the line #define MAX_NICS has no effect on the maximum number of NIC allowed for Qemu VMs. I notice that I can start Core Linux Qemu machine with 18 network adapters even Qemu 2.2.0 was compiled with parameter #define MAX_NICS set to 1.
Now we know that Qemu itself does not limit the maximum network adapters to 8. We will go ahead and investigate GNS3. Navigate to Edit -> Preferences -> QEMU VMs and click on existing Qemu VM. Click on Edit button for this VM and navigate to Network tab. Increase the number of Adapters to 9.
The GNS3 1.2.1 allows to add maximum 8 NICs for a particular Qemu virtual machine. To avoid this limitation we have edit GNS3 source files and recompile GNS3 GUI and server. Here are the the steps for Linux.
1. Download and extract GNS3 1.2.1 Linux Continue reading
The Alcatel-Lucent virtualized Simulator (vSim) is a virtualization-ready version of SR OS called SR OS-VM. This new operating system is designed to run in a virtual machine (VM) on a generic Intel x86 server. In control and management plane aspects, the vSim is functionally and operationally equivalent to an Alcatel-Lucent hardware-based SR OS router.The vSim is intended to be used as a laboratory tool to fully simulate the control and management plane of an SR OS node. The vSim is not intended to be used in a production network environment and the forwarding plane is limited to 250 pps per interface. Furthermore, without a license file it will run for 1 hour before reloading.
Host Software and Hardware Requirements
Virtual Machines Software and Hardware Requirements
Extract image from the zip file.
$ unzip TiMOS-SR-12.0.R6-vm.zip
$ cd vm/7xxx-i386/
Now a virtual disk sros-vm.qcow2 is extracted. To start Qemu virtual Continue reading
ExtremeXOS is a network operating system used in Extreme Networks network switches. Virtualized version of ExtremeXOS - EXOS virtual machine vmdk image can be used to build virtual lab without need to use hardware switches. Although ExtremeXOS virtual machine can be downloaded for free only certain features are known to work. For this reason software should not be used for testing any actual networking setups or performance tests.
The tutorial consist of two parts. The part one explains how to configure Qemu emulator to run ExtremeXOS virtual machine. In part two, ExtremeXOS VM is connected to virtual lab run by GNS3 software. In this lab, features such as VLANs, 802.1q trunks and OSPF routing protocol are tested between multilayer switches from different vendors - Cisco, Arista and Extreme Networks.
Host Software and Hardware Requirements
Virtual Machines Software and Hardware Requirements
EOS (Extensible Operating System) is Linux-based network operating system developed by Arista Networks that runs on all Arista switches. Virtual EOS (vEOS) is single image and can be run in a virtual machine. The article describes how to set up vEOS virtual machine and connects it to GNS3 in order to test EOS functionality.
Host Requirements
Linux x86-64
Qemu or VirtualBox installed
Virtual Machine Requirements
1024 MB RAM
IDE CD-ROM drive with mounted Aboot-veos-serial-2.0.8.iso
2GB flash IDE disk - vEOS-4.14.2F.vmdk
NICs e1000 type
1. Download Bootloader and Virtual EOS
Clik the link to create a new account. The guest account (when no corporate email is used for registration e.g. gmail.com) is sufficient to download vEOS software. Click the link and login with the credentials you entered during the registration. You have to accept License Agreement in order to download vEOS software.
Download the bootloader and a virtual disk:
Aboot-veos-serial-2.0.8.iso
vEOS-4.14.2F.vmdk
2. Arista Switch First Boot on Qemu
Use Qemu to boot Arista switch virtual machine for the first time.
$ /usr/local/bin/qemu-system-x86_64 -m 1024 -enable-kvm -cdrom ./Aboot-veos-serial-2.0.8.iso -boot d vEOS-4.14.2F.vmdk -serial telnet::3355,server,nowait
Connect to the Continue reading
Here are mu notes about installation GNS3 version on Fedora Linux. It shows the basic steps required to successfully install and configure GNS3 for VirtualBox, Qemu, IOU, and Dynamips support. Configuration of individual VirtualBox, Qemu, IOU and IOS images is not discussed.
1. GNS3 GUI and Server Installation and Configuration
1.1 Install Dependencies
$ sudo yum install python3 python3-setuptools.noarch python3-PyQt4 python3-devel gcc
1.2 Download and Extract GNS3 GUI and Server
$ git clone https://github.com/GNS3/gns3-gui.git
$ git clone https://github.com/GNS3/gns3-server.git
$ cd gns3-gui/
$ sudo python3 setup.py install
$ cd ..
$ cd gns3-server/
$ sudo python3 setup.py install
1.3 Configure GNS3 Server Settings
Navigate to Edit-> Preferences-> GNS3 server-> Local server and change path to gns3server.
2. IOU Installation and Configuration
IOU stands for IOS on Unix. IOU images are IOS images that are compiled for x86 / Sparc CPU architecture.
2.1 Install Dependencies
$ sudo yum install gcc gcc-c++ git
2.2 Create Symbolic Link and Prevent IOU to Call Home
$ cd /usr/lib
$ sudo ln -s ./libcrypto.so.10 libcrypto.so.4
$ su -c "echo '127.0.0.127 xml.cisco.com' >> /etc/hosts"
Monitor features in Cisco devices are able to show data flows but Cisco IOS lacks the option to export data on the fly. I wrote tiny GNU/Linux shell script to solve this restriction.
That is something like ASA capture (https://supportforums.cisco.com/document/69281/asa-using-packet-capture-troubleshoot-asa-firewall-configuration-and-scenarios) via HTTP/HTTPS.
I tested script on:
Router(config)#uname -a
IOSv Router IOS 15.4 Cisco IOS Software, vios Software (vios-ADVENTERPRISEK9-M), Experimental Version 15.4(20131213:232637) [lucylee-ca_pi23 137]
Copyright (c) 1986-2013 by Cisco Systems, Inc.
Compiled Mon 16-Dec-13 19:50 by lucylee Unknown Unknown IOS
1. Create user and add privilege level 15 (root)
username user secret userpass
username user privilege 15
2. Start HTTP server, authentication style and optional (set max connection to 16 (default 5))
For security reasons you should set HTTP/HTTPS authorization with ACL and instead of HTTP use HTTPS server.
ip http server
ip http authentication local
ip http max-connections 16
3. Configure Monitor settings
Below I created a circular buffer called MY_BUFFER. Linear buffer is limited that means, if buffer is full IOS will stop capture. In circular buffer "old" data will be rewritten when buffer is full.
monitor capture buffer MY_BUFFER size 1024 max-size 9500 circular
Next step is to create a capture point. I created the Continue reading
HP VSR is a Comware 7 router software application for a server which provides the same functionality as a physical router. Installed on either VMware or KVM virtual machine it offers routing, Firewall, IPSec, and MPLS VPN security services.
The tutorial gives you some ideas how to install HP VSR1000 (Virtual Service Router) running Comware 7 OS on Qemu disk and connects Qemu appliance to GNS3.
They are HP VSR1001, VSR1004 and VSR1008 models available for download. Differences between models are explained here. As the VSR1001 model has the lowest RAM requirements comparing to other models and we do not have to concern the forwarding performance, VSR 1001 demo ISO image is our choice. The demo is full featured, performance limited and requiring no license and with no expiration date.
HP VSR1001 Minimum Hardware Requirements
1. Download HP VSR1001 Virtual Services Router
Navigate to the Download page here
Picture 1 - HP VSR1001 Virtual Services Router Download Page
Click on the button >> on he right, beside the padlock icon. Either sign in with your HP Passport account or Continue reading
Firefly Perimeter is a virtual security appliance that provides security and networking services at the perimeter in virtualized private or public cloud environments. It runs as a virtual machine (VM) on a standard x86 server and delivers similar security and networking features available on branch SRX Series devices.
However not all the features that are supported by SRX hardware devices are supported. Here is the list of features supported by current firefly 12.1x46-d10 release.
Firefly Perimeter Hardware Specifications
Thanks to Juniper’s software evaluation program we can download the Firefly Perimeter security solution for free and test it out for 60 days. In this tutorial we are going to connect Firefly Perimeter to GNS3 and create a simple lab to test connectivity between two vSRX instances. As GNS3 has built-in support for VirtualBox and Qemu/KVM they both can used as hypervisor.
Firefly Perimeter virtual machines can be download here. You have to use your Juniper account to proceed the download but a valid service contract is not required to to download Firefly Perimeter virtual machine.
Picture 1 - Juniper Login Window
Notice that they Continue reading
The tutorial discuss the use of GNS3 software to run Cisco Virtual IOS (vIOS). Cisco vIOS is shipped and supported as a part of the Cisco's One Platform Kit (onePK) that is distributed in form of virtual machine. It might be downloaded with Cisco.com account. Currently, it is not required to have Cisco account associated with service contracts, Bill-to IDs, or product serial numbers in order to download onePK.
Here is a Linux bash script that helps you to extract vIOS vios-adventerprisek9-m.vmdk from all-in-one VM file. Download all-in-one.ova file from here and assign executable privileges to the script.
$ chmod +x extract_vios.txt
Then you can run the script as it is shown below. The only user input is selecting path to all-in-one VM file Continue reading
VyOS is a community fork of Vyatta, a Linux-based network operating system that provides software-based network routing, firewall, and VPN functionality. The VyOS project was started in late 2013 as a community fork of the GPL portions of Vyatta Core 6.6R1 with the goal of maintaining a free and open source network operating system in response to the decision to discontinue the community edition of Vyatta.
VyOS runs on both physical and virtual platforms. It supports paravirtual drivers and integration packages for virtual platforms. It is completely free and open source.
The aim of the tutorial is to show VyOS installation on Qemu virtual machine and get it working on GNS3.
VyOS Qemu and VirtualBox virtual disks can be downloaded here.
I created a Bash script deploy_vyos for automatic deployment of VyOS to Qemu image. The script downloads stable VyOS ISO image from the Internet, creates Qemu disk and starts Qemu virtual machine with attached ISO image. Then is starts Expect script install_vyos that automatically configure all required configuration options without user intervention.
Just copy both scripts to the same directory, assign run privileges to both scripts with the command below and run the deploy_vyos script.
$ chmod +x Continue reading
MikroTik RouterOS is the stand-alone operating system of MikroTik RouterBOARD hardware. It can also be installed on a PC and will turn it into a router with all the necessary features – routing, firewall, bandwidth, management, wireless access point, backhaul link, hotspot, gateway, VPN server and more.
RouterOS x86 installed on Qemu and VirtualBox disks is not licensed, you have 24 hours in total to run these images.
login/pass: admin / password is not set
1. RouterOS x86 6.15
Qemu
https://drive.google.com/file/d/0B6L2h6R5UKMhQUcxMFl2a1pZZGs/edit?usp=sharing
http://sourceforge.net/projects/gns-3/files/Qemu%20Appliances/routeros-6.15-qemu.zip/download
http://www.4shared.com/zip/HG7nubJlba/routeros-615-qemu.html
VirtualBox
https://drive.google.com/file/d/0B6L2h6R5UKMhODYyNm0tWnFjXzA/edit?usp=sharingv
http://sourceforge.net/projects/gns-3/files/VirtualBox%20Appliances/routeros-6.15-vbox.zip/download
http://www.4shared.com/zip/qPN2tmD7ba/routeros-615-vbox.html