Archive for February 2015

Unetlab - NX-OS (Titanium)

I know I said in the last post that I was saving NX-OS (Titanium) for another day, well, today is that day!

Finding a suitable vmdk file to use was the hardest part.. but in the end I did. I copied it to the tmp directory and tried the usual:

root@iou:/tmp# ls
N7K.vmdk
root@iou:/tmp# qemu-img convert -f vmdk -O qcow2 N7K.vmdk hda.qcow2
root@iou:/tmp# mkdir /p /opt/unetlab/addons/qemu/titanium-7
root@iou:/tmp# mv hda.qcow2 /opt/unetlab/addons/qemu/titanium-7/
root@iou:/tmp# /opt/unetlab/wrappers/unl_wrapper -a fixpermissions
root@iou:/tmp# ls -l /opt/unetlab/addons/qemu/
total 16
drwxr-xr-x 2 root root 4096 Feb 19 14:26 asa-8.42
drwxr-xr-x 2 root root 4096 Feb 19 16:16 titanium-7
drwxr-xr-x 2 root root 4096 Feb 19 13:53 vios-adventerprisek9-m15.4-1.2.0-173
drwxr-xr-x 2 root root 4096 Feb 17 11:02 xrv-k9-5.2.2
root@iou:/tmp#

We have the files loaded and they are visible in Unetlab:

Topology:

Do they run?

Nope. They refuse to start.

From the documentation for CSR1000v it says to run:

# /usr/bin/qemu-system-x86_64 --enable-kvm -serial mon:stdio -nographic -boot order=c,once=d -smp 1 -m 3072 -usb -hda hda.qcow2 -cdrom csr1000v-universalk9.03.13.00.S.154-3.S-ext.iso

However, this is not working for me:

root@iou:/opt/unetlab/addons/qemu/titanium-7# /usr/bin/qemu-system-x86_64 --enable-kvm -serial mon:stdio -nographic -boot order=c,once=d -smp 1 -m 3072 -usb -hda hda.qcow2 -cdrom nexus.iso
Could not access KVM kernel module: No such file or directory
failed to initialize KVM: No such file or directory
root@iou:/opt/unetlab/addons/qemu/titanium-7#

This link would indicate that the module is not installed. I get the same when trying in VirtualBox. I did some googling and tried everything I can, turns out that my bargain ESXi box is missing one vital piece:

So I imported it into VMWare Fusion.
Now the message that the necessary bits arn't working has gone.

If you are having a similar issue then this is the screen that you don't want:

This is what you do want:

I can check that Qemu will be happy by doing this:

More importantly, the NX-OS routers fire up:

Running NXOS in UNetLab on VMWare fusion

We have connectivity...

NXOS1# sh ver
Cisco Nexus Operating System (NX-OS) Software
TAC support: http://www.cisco.com/tac
Documents: http://www.cisco.com/en/US/products/ps9372/tsd_products_support_serie
s_home.html
Copyright (c) 2002-2014, Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained herein are owned by
other third parties and are used and distributed under license.
Some parts of this software are covered under the GNU Public
License. A copy of the license is available at
http://www.gnu.org/licenses/gpl.html.

Titanium is a demo version of the Nexus Operating System

Software
  loader:    version N/A
  kickstart: version 7.0(1) [build 7.0(1)ZD(0.216)]
  system:    version 7.0(1) [build 7.0(1)ZD(0.216)]
  kickstart image file is: bootflash:///titanium-d1-kickstart.7.0.1.ZD.0.216.bin
  kickstart compile time:  6/13/2014 20:00:00 [06/14/2014 05:45:18]
  system image file is:    bootflash:///titanium-d1.7.0.1.ZD.0.216.bin
  system compile time:     6/13/2014 20:00:00 [06/14/2014 09:32:30]


Hardware
  cisco Nexus7000 C7018 (18 Slot) Chassis ("Unknown Module")
  Unknown CPU with 2042092 kB of memory.
  Processor Board ID TM00010000B

  Device name: NXOS1
  bootflash:          0 kB

Kernel uptime is 0 day(s), 1 hour(s), 7 minute(s), 29 second(s)


plugin
  Core Plugin, Ethernet Plugin
NXOS1#
NXOS1# sh cdp neigh
Capability Codes: R - Router, T - Trans-Bridge, B - Source-Route-Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater,
                  V - VoIP-Phone, D - Remotely-Managed-Device,
                  s - Supports-STP-Dispute

Device-ID          Local Intrfce  Hldtme Capability  Platform      Port ID
NXOS2(TB00020000B)
                    Eth2/1         141    R S s     N7K-C7018     Eth2/1        
NXOS1# 
NXOS2# sh cdp neigh
Capability Codes: R - Router, T - Trans-Bridge, B - Source-Route-Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater,
                  V - VoIP-Phone, D - Remotely-Managed-Device,
                  s - Supports-STP-Dispute

Device-ID          Local Intrfce  Hldtme Capability  Platform      Port ID
NXOS1(TB00010000B)
                    Eth2/1         175    R S s     N7K-C7018     Eth2/1        
NXOS2#

There we have it... NX-OS (Titanium) running inside of Unetlab. So if your virtualization platform supports a KVM guest, and you don't see "Warning: neither Intel VT-x or AMD-V found", then you should be OK.

Unetlab image folder naming convention

Unknown 02:10:00 Add Comment

Unknown

Morning! Hope everyone had a good weekend.

I need to start of by saying that I don't claim credit for this, "Anonymous" left a comment on a previous post about First steps with Unetlab. However, I fat fingered clicking "Publish" and deleted it instead, so thank you to whoever left the comment, apologies I deleted it by mistake!

Thankfully, I still have the details of the comment - so here they are (I have tidied it up a little, but have not added or removed anything):

Thanks to Stuart Fordham below URL on
http://www.802101.com/2015/02/unetlab-vios-and-asas.html

After which below is what I found.
The image directory is based on below mandatory reference node (case-sensitive as you mentioned in your above URL. ASA post follow by "-", then XXX which is any characters ASA/ASAv is asa-XXX /asav-XXX IPS is cips-XXX

Below is the reference node in UNL: "/opt/unetlab/html/includes/init.php"

['clearpass', 'Aruba ClearPass'],
['timos', 'Alcatel 7750 SR'],
['veos', 'Arista vEOS'],
['cpsg', 'CheckPoint Security Gateway VE'],
['asa', 'Cisco ASA'],
['asav', 'Cisco ASAv'],
['csr1000v', 'Cisco CSR 1000V'],
['cips', 'Cisco IPS'],
['c1710', 'Cisco IOS 1710'],
['c3725', 'Cisco IOS 3725'],
['c7200', 'Cisco IOS 7206VXR'],
['iol', 'Cisco IOL'],
['titanium', 'Cisco Titanium'],
['vios', 'Cisco vIOS'],
['viosl2', 'Cisco vIOS L2'],
['vwaas', 'Cisco vWAAS'],
['xrv', 'Cisco XRv'],
['bigip', 'F5 BIG-IP LTM VE'],
['fortinet', 'Fortinet FortiGate'],
['hpvsr', 'HP VSR1000'],
['olive', 'Juniper Olive'],
['vsrx', 'Juniper vSRX'],
['paloalto', 'Palo Alto VM-100 Firewall'],
['vyos', 'VyOS']

So, thank you to the original poster. This finding will certainly make adding images easier!

Unetlab - vIOS and ASAs

Unknown 06:57:00 35 Comments

Unknown

More fun with UnetLab today!

I am back to running it on the ESXi server, so have plenty of memory and CPU cores. It should be nice and fast!

Yesterday was fun, I added IOL images and XRv, so today let's add vIOS, and, if I can, an ASA!

vIOS on UnetLab

I am going to try and get the vIOS images from the OnePK (all in one image) running. Andrea already has a guide to this, so it shouldn't be too hard. The original documentation is here.

Firstly you can see the amount of space I have free, I then copy (using FileZilla) the OVA file onto the VM, and again you can see the space taken up. I then follow Andrea's steps (though I did play with the folder name...)

Following the documentation through (or so I thought), I then created a lab, added a network, and tried to add a vIOS node.

But the list was empty.

So, I read through the doc again, and some of the comments. Andrea tells us what the image name should be, so I created a folder to match the version, and moved the HDA file into there:

Now we are good!

The topology looks like this:

So let's try configuring the routers!

Router(config)#ho vIOS-1
vIOS-1(config)#int gi 0/0
vIOS-1(config-if)#ip add 10.1.1.1 255.255.255.0
vIOS-1(config-if)#no shut
vIOS-1(config-if)#cdp enable 
vIOS-1(config-if)#exit
vIOS-1(config)#cdp run 
vIOS-1(config)#exit
vIOS-1#sh ip int bri
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0     10.1.1.1        YES manual up                    up      
GigabitEthernet0/1     unassigned      YES unset  administratively down down    
GigabitEthernet0/2     unassigned      YES unset  administratively down down    
GigabitEthernet0/3     unassigned      YES unset  administratively down down    
vIOS-1#

Router(config)#ho vIOS-2
vIOS-2(config)#int gi 0/0
vIOS-2(config-if)#ip add 10.1.1.2 255.255.255.0
vIOS-2(config-if)#no shut
vIOS-2(config-if)#cdp en 
vIOS-2(config-if)#exit
vIOS-2(config)#cdp run
vIOS-2(config)#exit
vIOS-2#s
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0     10.1.1.2        YES manual up                    up      
GigabitEthernet0/1     unassigned      YES unset  administratively down down    
GigabitEthernet0/2     unassigned      YES unset  administratively down down    
GigabitEthernet0/3     unassigned      YES unset  administratively down down    
vIOS-2#sh cdp neigh
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone, 
                  D - Remote, C - CVTA, M - Two-port Mac Relay 

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
vIOS-1           Gig 0/0           150              R B   IOSv      Gig 0/0

Total cdp entries displayed : 1
vIOS-2#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/5/12 ms
vIOS-2#

Easy.

I took the first screen shot at 13:22, its now 13:58, and I have written this whilst setting it all up. 30 minutes or less!

ASA on Unetlab

Not sure how this will go. There isn't a guide for it, so It's going to be a lot of guess work!

I start by copying the two VMDK files I have to the /tmp directory:

root@iou:/# ls /tmp
ASA-8.42-1.vmdk  ASA-8.42.vmdk
root@iou:/#

Then I convert them:

root@iou:/tmp# qemu-img convert -f vmdk -O qcow2 ASA-8.42.vmdk hda.qcow2
root@iou:/tmp# qemu-img convert -f vmdk -O qcow2 ASA-8.42-1.vmdk hdb.qcow2
root@iou:/tmp#

I then move to the right directory, and move the files there:

root@iou:/opt/unetlab/addons/qemu# mkdir ASA-8.42
root@iou:/opt/unetlab/addons/qemu# mv /tmp/hda.qcow2 ASA-8.42/
root@iou:/opt/unetlab/addons/qemu# mv /tmp/hdb.qcow2 ASA-8.42/
root@iou:/opt/unetlab/addons/qemu# /opt/unetlab/wrappers/unl_wrapper -a fixpermissions
root@iou:/opt/unetlab/addons/qemu#

Surprisingly... There is nothing there when I try and add a node:

At this point I started reading some of the other documents. I went through all of them until I got to the F5 BIG-IP document. Here we have another example of a 2 part system. I was happy that I had named the files hda and hdb, but then I thought - let's just try making the folder name lower case. So I edited it in FileZilla:

root@iou:~# ls /opt/unetlab/addons/qemu/
asa-8.42  vios-adventerprisek9-m15.4-1.2.0-173  xrv-k9-5.2.2
root@iou:~#

And all of a sudden.. I have the option for ASAs!

So. let's create a new lab and connect everything up!

This has all been a bit of a shot in the dark. Not knowing if I could get them running, I thought I would give it a go. But here is the thing.... are they usable?

There is a moment of wonder, as I sit staring at a blank telnet session, then suddenly...

Let's just prove we can run them, and have connectivity between them:

ciscoasa(config)# hostname ASA1
ASA1(config)# int gi 0  
ASA1(config-if)# ip add 10.1.1.1 255.255.255.0
ASA1(config-if)# nameif Outside
INFO: Security level for "Outside" set to 0 by default.
ASA1(config-if)# 
ASA1(config-if)# no shut
ASA1(config-if)# 

ciscoasa(config)# hostname ASA2
ASA2(config)# int gi 0
ASA2(config-if)# ip add 10.1.1.2 255.255.255.0
ASA2(config-if)# no shut
ASA2(config-if)# nameif Outside
INFO: Security level for "Outside" set to 0 by default.
ASA2(config-if)#  

ASA1# ping 10.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA1# 

ASA2# ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA2#

Wow!

So, in two days, with a total of about three hours, I now have one environment that will run IOL routers, XRv routers, vIOS routers and ASAs.

Now that is impressive!

I might even try and add Titanium as well! But not today.

First steps with Unetlab

Unknown 05:26:00 41 Comments

Unknown

Andrea, the guy behind the great IOU-WEB, has released Unetlab (Unified Networking Lab). It's still in beta at the moment, but I thought I would have a look.

Even though I have not finished my CCIE R&S yet, I am looking towards the Service Provider CCIE, which I plan to do straight after the R&S. With the SP track (as it stands at the moment), you need to get your hands on the XRv. This will run, happily, on ESXi, and can be connected to IOU, or even into GNS3 (using VirtualBox). I had started to play around with this, but it's not exactly the easiest thing in the world. So I was very pleased when Unetlab came out, as everything can be within one environment.

So I decided to get my hands dirty and have a go.

I am using an ESXi server, with 32GB ram, but it'll run in VMWare player, workstation, Fusion, and VirtualBox as well.

Once I had downloaded it (its about 300Mb give or take), and imported it into ESXi, I followed the Unetlab install guide. It's a simple process, and you are guided through it. It's well worth doing an update as well to get the home page displayed below.

The interface is sparse (at the moment, remember this is a beta), but has everything that I need at the moment.

My first step was to import the IOU images. The caveat here is that you need to generate the IOU license, I won't go into details, but it's easy to google how to do this. The only gotcha I came across was that the images must have a .bin extension - so make sure that you add this first.

Following the install doc I copied the files, using FileZilla, to /opt/unetlab/addons/iol/bin, and fixed the permissions using the command "/opt/unetlab/wrappers/unl_wrapper -a fixpermissions". Then I went back into the gui and created my first lab.

From the Actions menu, I create a new lab, and call it IOL test

From the Actions menu, I then create a network:

Then I add a Node, also from the Actions menu:

I add 2 nodes, and from the drop down select an IOL image (that I have already uploaded through FileZilla):

My two nodes appear on the screen:

I then right click on a node, and select "Interfaces", and point R1 to use the network I just created:

My first node is added to the network

I then repeat on R2, and my two nodes are connected:

From the Actions menu I then select "Open this Lab", and now I can start my two routers:

If you havn't followed the guide on the website, then you will find that the nodes do not start, so please do follow the guides to the letter.

Give them a few minutes to fire up, assign an IP address, and all works well:

So far memory usage is pretty good (remember that this is on a 4GB VirtualBox VM):

Let's add the XRv image.

This is slightly more complex, but again the documentation for importing XRv into Unetlab explains every step.

Now I can add multiple XRv routers, and connect them to the IOU images.

I am going to edit my original lab, so we need to go to the Actions menu, and select "Edit this lab":

I then add the XRv router:

Connect to interfaces to our network

Once we add the network to the new router, and also set another interface on both of the IOL routers, we get something like this:

Going back to the Actions menu, select Open this lab, and start the router. Here I did see an error, but after a few attempts, it did start:

Memory usage has now pretty much hit the ceiling, as the XRv takes quite a chunk (3GB), but nonetheless, it serves to prove that the system works. Adding more memory is clearly required here if you want to run a decent sized topology with a range of devices.

It takes a long time for the XRv to fire up, again this is down to the memory I have available, it worked much better on my ESXi server, but it does work:

It's a little untidy at the moment, so let's do a bit of reconfiguration:

We'll add a new network, and set the XRv to use this, as well as moving the E0/1 interface of both the IOL routers to use this:

Now the topology looks much cleaner!

Still, let's clean it up even more, and add another network, and reconfigure it a bit:

Much cleaner!

CDP looks a bit funky, and pings don't work, but then I think I just need to play around with it a bit. It's only my first real go at playing with this, so there are bound to be teething troubles!

With this in mind, I shut everything down, and fired them all up again. Now things look much better:

RP/0/0/CPU0:XRv-1(config)#interface Gi0/0/0/0
RP/0/0/CPU0:XRv-1(config-if)#ipv4 address 10.1.1.1 255.255.255.0
RP/0/0/CPU0:XRv-1(config-if)#cdp
RP/0/0/CPU0:XRv-1(config-if)#no shut
RP/0/0/CPU0:XRv-1(config-if)#int gi 0/0/0/1
RP/0/0/CPU0:XRv-1(config-if)#ipv4 address 10.1.2.1 255.255.255.0
RP/0/0/CPU0:XRv-1(config-if)#cdp
RP/0/0/CPU0:XRv-1(config-if)#no shut
RP/0/0/CPU0:XRv-1(config-if)#exit
RP/0/0/CPU0:XRv-1(config)#cdp
RP/0/0/CPU0:XRv-1(config)#commit
RP/0/0/CPU0:XRv-1(config)#exit
RP/0/0/CPU0:XRv-1#sh ip int bri
Wed Feb 18 13:18:20.485 UTC

Interface                      IP-Address      Status         Protocol
MgmtEth0/0/CPU0/0              unassigned      Shutdown       Down
GigabitEthernet0/0/0/0         10.1.1.1        Up             Up
GigabitEthernet0/0/0/1         10.1.2.1        Up             Up
GigabitEthernet0/0/0/2         unassigned      Shutdown       Down
RP/0/0/CPU0:XRv-1#ping 10.1.1.2
Wed Feb 18 13:18:26.475 UTC
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/61/279 ms
RP/0/0/CPU0:XRv-1#ping 10.1.2.2
Wed Feb 18 13:18:32.994 UTC
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/9/29 ms
RP/0/0/CPU0:XRv-1#sh cdp neigh
Wed Feb 18 13:22:11.959 UTC
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater

Device ID       Local Intrfce    Holdtme Capability Platform  Port ID
R1              Gi0/0/0/0        163     R          Linux Uni Et0/1
R2              Gi0/0/0/1        138     R          Linux Uni Et0/1
RP/0/0/CPU0:XRv-1#


R2#sh ip int bri | e unas
Interface                  IP-Address      OK? Method Status  Protocol
Ethernet0/0                192.168.1.2     YES NVRAM  up      up
Ethernet0/1                10.1.2.2        YES NVRAM  up      up

R2#ping 10.1.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/7/14 ms
R2#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms
R2#

R1#sh ip int bri | e unas
Interface                  IP-Address      OK? Method Status  Protocol
Ethernet0/0                192.168.1.1     YES NVRAM  up      up
Ethernet0/1                10.1.1.2        YES NVRAM  up      up

R1#ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/6 ms
R1#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 7/8/10 ms
R1#

There we have it, two IOL routers, one XRv router, all communicating happily, all contained within one environment.

Where Unetlab is superb, is that everything is within the same environment. There is no mucking about with creating multiple networks in VMWare. To be honest, some will probably find that easy, but I like to have it all contained, like Unetlab does.

Running two XRv routers did cause the default memory to top out, so I shut down the VM, and increased the memory to 20GB. Now I can run loads of routers, and the memory usage (as reported on the "Home" page remains within reasonable levels. Please note though that I am showing screenshots from a VirtualBox install, with a lower amount of memory.

So what's next?

The vendor support in Unetlab is very wide-ranging. I havn't tried all of them, but will add some dynamips images, CSR1000v and the vIOS images this week.

At the moment the supported images are:

Aruba ClearPass
Alcatel 7750 SR
Arista vEOS
CheckPoint Security Gateway VE
Cisco ASA (porting)
Cisco ASAv
Cisco CSR 1000V
Cisco IPS (porting)
Cisco IOS 1710 (dynamips, ethernet only)
Cisco IOS 3725 (dynamips, ethernet only)
Cisco IOS 7206VXR (dynamips, ethernet only)
Cisco IOL (for Cisco internal use only)
Cisco Titanium (for VIRL customers only)
Cisco vIOS (for VIRL customers only)
Cisco vIOS L2 (for VIRL customers only)
Cisco XRv
F5 BIG-IP LTM VE
Fortinet FortiGate (new)
HP VSR1000
Juniper Olive (porting)
Juniper vSRX
Palo Alto VM-100 Firewall
VyOS

The scope of Unetlab is immense. Clearly this will work well for when I do the SP track, as the IOL and XRv images are supported, and work nicely.

This also gives scope for the Security track as well. It will "natively" run the ASAs and the IPS, and you can connect clouds to run things like an Active Directory server, WSA (Web Security Appliance), ACS (Access Control Server), WLC (Wireless Lan Controller), ISE, and all the rest (there is a LOT of components in the Security track). I would probably need to invest in a second ESXi server in order to run all of the above, but then for the sum of £200, it's a worthwhile investment.

Unetlab is superb, already, and it is still very early days. While the interface can be a little slow to update (such as moving objects around, but then this is less of a concern than the amazing functionality that it offers), Andrea has excelled himself again, he deserves a big thanks for all his hard work and dedication to the community. It's just a shame that he hasn't done a kickstarter, like GNS3 did as I am sure that people would support him. I'd certainly give him some money!