Competition: Design and Win!

It is time for a new competition!

UNetLab challenge t-shirt

For this one you will need UNetLab, some routers and switches and other good things, and a little imagination (and maybe a paint or design program).

The challenge

Design us a lab. Simple as that.

The lab must have the following:

A PDF file with:

1: A list of the images used, including memory requirements.
2: A number of objectives, clearly stating the level of experience (Beginner, Intermediate, Advanced). The objectives should include basic connectivity, some switching, some routing, and some verification. Extra points will be awarded for troubleshooting exercises.

A UNL file with the topology.

Points will be deducted for sending us labs used in real exams (i.e. don't send us a CCIE lab).

Submitting your design

Please post your designs on the competition topic on the forum: here.

The prizes

First prize

  • All three volumes of my books; that's the BGP one, the MPLS one and the VPNs one.
  • An "I survived the #UNetLab challenge" t-shirt* 
  • Your lab will be included in the official repo, with full credits to you.

3 Runners-up prizes

  • A copy of MPLS for Cisco Networks
  • An "I survived the #UNetLab challenge" t-shirt* 
  • Your lab will be included in the official repo, with full credits to you.

* The design of the t-shirt may differ

We might even throw in some other stuff that we have lying about.

The competition closes on October 31st 2015.

O CCIE where art thou?

A friend of mine, Bernd, has just started a new site, and I think it's a neat idea.

Meet Bernd:


Ok, that's actually Bernd's bookshelf, but I have been waiting for an excuse to post this cool photo he sent me.

Anyway, Bernd has started a website called cciemap.com. You can go there and add your CCIE details (which will then be verified), and see how many other CCIEs are near to you.

So far it's just me and him:


Think of the possibilities!

You could meet up for coffee or a beer (other drinks are also available, please ask your waitress), you can chat about access-lists and what is your favourite subnet (mine is 255.255.240.0), or even something interesting.

I think it's a cool idea.

Please, if you have a CCIE, visit the site and get yourself added on.

How to run Barracuda NG Firewall on UNetLab

Sometimes you need to step outside of your usual sphere of technologies, and this is one of those times. I have, for a project, needed to become quite conversant with the Barracuda NG Firewall.

So, it makes sense that I can get one to play with at home. It will run on KVM, Xen, Citrix XenServer, Hyper-V and VMware. But will it run in UNetLab?

Let's find out. Before we do that though I am going to do a very quick review.

Barracuda NG Firewall review

I must say that when I was given the options of what firewall to run (the choices being either Check Point or Barracuda), I immediately banged my hand on the table and proclaimed my desire to run Check Point.

Have you ever tried to download a trial from Check Point's website? It's almost impossible without having to sacrifice a goat or something. Barracuda, on the other hand, make getting an eval a very simple task.

So, we rolled out our first NG Firewall and, with a lot of help from Barracuda, I must say I am rather impressed.

Coming from an ASA background, some things don't seem to work as easily, such as the firewall ruleset, but in reality, this is just a mindset issue, and really, it does work well if you stop thinking like an ASA.

There is one thing I really love about the NG Firewalls, and that is the ability to cut and paste. Now I know that cutting and pasting has been around for ages, but it's nice that if you have two firewalls, one already set up with site-to-site VPNs, you can copy the VPN settings to the clipboard and paste them onto the new firewall.

It makes life so much easier. You can do this with access rules as well, and it will even change the box IPs for you and automatically create any custom objects required for the rule.

It's early days yet, but as I get more to grips with the NG, the more I like it.

Anyway, that's my three minute Barracuda NG Firewall review. Let's set one up in UNetLab.

Running the Barracuda NG Firewall in UNetLab

This is my very simple topology.

Barracuda NG Firewall in UNetLab

The router (lazily named "R") will have the IP address 192.168.100.1 (/24), and the NGF will use 192.168.100.10, the Windows PC will use 192.168.100.21.

To install the NG Firewall in UNetlab you need to download the OVA file from Barracuda. You can sign up for free at https://www.barracuda.com/purchase/evaluation. Select Firewall NG and fill out the form.

To install it you need to copy the OVA file to your UNetLab machine, extract it (an OVA is just a tar archive holding the OVF descriptor, the VMDK disk and a manifest of checksums), convert the disk, rename and move it, and run the fixpermissions wrapper:
root@unl01:/tmp# cd /tmp/
root@unl01:/tmp# tar -xvf GWAY-6.1.0-112-VC610.ova
root@unl01:/tmp# /opt/qemu/bin/qemu-img convert -f vmdk -O qcow2 GWAY-6.1.0-112-VC610-disk1.vmdk hda.qcow2
root@unl01:/tmp# mkdir /opt/unetlab/addons/qemu/win-barracuda-6.1.0
root@unl01:/tmp# mv hda.qcow2 /opt/unetlab/addons/qemu/win-barracuda-6.1.0/
root@unl01:/tmp# /opt/unetlab/wrappers/unl_wrapper -a fixpermissions
Once this is done, you can create the topology and add it. Note that there will soon be a proper UNetLab template for this! All being well, it will boot up:
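The tar -xvf step above unpacks whatever the archive contains without checking it. An OVA ships its own checksums in the .mf manifest (OpenSSL style lines such as SHA1(name)= hex or SHA256(name)= hex), so it is worth verifying every member against that manifest before handing the VMDK to qemu-img. The following script is an added example written for this post, not Barracuda's or UNetLab's code; it builds a tiny constructed OVA (a stand-in, not a real appliance) for demonstration and assumes the manifest names match the archive member names exactly.

```python
import hashlib
import io
import os
import re
import sys
import tarfile
import tempfile

# One manifest line per packaged file, OpenSSL style:  SHA1(name)= hex  or  SHA256(name)= hex
MANIFEST_LINE = re.compile(r"^(SHA1|SHA256)\((?P<name>[^)]+)\)\s*=\s*(?P<digest>[0-9a-fA-F]+)\s*$")
HASHES = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256}


def verify_ova(ova_path):
    """Check every SHA1/SHA256 entry in the OVA's .mf manifest against the packaged members.

    Returns (ok, report); report maps manifest entry -> "ok", "mismatch" or "missing".
    ok is False when there is no manifest, an entry has no member, or a digest differs."""
    report = {}
    with tarfile.open(ova_path, "r:*") as tar:
        members = {m.name: m for m in tar.getmembers() if m.isfile()}
        manifests = [n for n in members if n.endswith(".mf")]
        if not manifests:
            return False, {"<manifest>": "missing"}
        with tar.extractfile(members[manifests[0]]) as f:
            manifest = f.read().decode("ascii", "replace")
        for line in manifest.splitlines():
            m = MANIFEST_LINE.match(line.strip())
            if not m:
                continue  # blank line; a real manifest holds nothing but digest lines
            algo, name, expected = m.group(1), m.group("name"), m.group("digest").lower()
            member = members.get(name)
            if member is None:
                report[name] = "missing"
                continue
            h = HASHES[algo]()
            with tar.extractfile(member) as f:
                for chunk in iter(lambda: f.read(1 << 20), b""):  # stream; disks are large
                    h.update(chunk)
            report[name] = "ok" if h.hexdigest() == expected else "mismatch"
    ok = bool(report) and all(v == "ok" for v in report.values())
    return ok, report


def build_sample_ova(tamper=False):
    """Write a tiny constructed OVA (not a real appliance image) to a temp dir and return its path.

    With tamper=True the disk member is altered after the manifest was computed, which is
    exactly what a corrupted or swapped download looks like."""
    ovf = b"<Envelope/>"                     # constructed stand-in for the OVF descriptor
    disk = b"KDMV" + b"\x00" * 64            # constructed stand-in for a VMDK, not a real one
    mf = ("SHA1(t.ovf)= %s\nSHA256(t-disk1.vmdk)= %s\n"
          % (hashlib.sha1(ovf).hexdigest(), hashlib.sha256(disk).hexdigest())).encode()
    if tamper:
        disk += b"\x01"
    path = os.path.join(tempfile.mkdtemp(), "sample.ova")
    with tarfile.open(path, "w") as tar:
        for name, data in (("t.ovf", ovf), ("t-disk1.vmdk", disk), ("t.mf", mf)):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return path


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_ova()
    ok, report = verify_ova(target)
    for name, status in report.items():
        print(f"{status:>8}  {name}")
    sys.exit(0 if ok else 1)
```

Run it as python3 verify_ova.py GWAY-6.1.0-112-VC610.ova before the qemu-img convert step and only continue on exit status 0. Because the manifest travels inside the archive, this catches corruption and accidental substitution, not a deliberate swap of the whole OVA; for that, compare against a hash published out of band by the vendor or check the signature file (.cert) if one is shipped.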

Barracuda NG Firewall bootup

The VM will then enter ART (Active Recovery Technology), here you can set a static IP address:

Barracuda NG Firewall ART configuration

Now save it. If you are using a Mac, then press fn + F3 to save.

You should now have connectivity:
Router(config)#int e0/1
Router(config-if)#ip add 192.168.100.1 255.255.255.0
Router(config-if)#no shut
Router(config-if)#end
Router#ping 192.168.100.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.10:
!!!!!
Success rate is 100 percent (5/5)
Router#
The tricky part is how to get the NGAdmin utility loaded on the Windows VM; this was a neat little thing I learnt today. It also deserves (well, I think so) a post of its own, so click here to find out how to load files into a Qemu VM.

So once we have our files loaded into the Windows VM, we can fire up the NGAdmin console.

Barracuda NGAdmin-6-1-1 download for Windows

It shows us the splash screen:

Barracuda NGAdmin

And we can log in using root and the password of "ngf1r3wall".

Barracuda NGAdmin login default username and password

Click on Trust at the Authentication check box

Barracuda NGAdmin login certificate

If (like me) you haven't got your UNetLab network hooked into your main network, then click on Cancel at this box:

Barracuda NGAdmin licensing

After a few moments we are logged into the box, and we have two days in which to register it with Barracuda. So, it will need to have proper internet access.

Barracuda NGAdmin dashboard

A couple more screenshots:

Barracuda NG firewall dashboard

Barracuda NG firewall disk usage

It all looks pretty happy. I haven't done any of the configuration yet, but will do posts on that later on. I need to get my NG licensed first.


How to get files into a Qemu VM

Picture the scene, you have created a Windows VM for use in UNetLab. You loaded it with all your go-to applications, and are good to go.

A week or so down the line you have a new requirement, that demands a certain application to be loaded on to the VM.

What do you do? Delete the VM and recreate it? That would be a waste of a license. VNC doesn't handle cut and paste, and you can't get it connected to your internal network in order to download it.

I had this issue today. For a post on how to run Barracuda NG Firewall in UNetLab, I needed to run the NGAdmin program. But the pnet0 interface wouldn't play ball, and I can't cut and paste from my Mac into the VNC.

So, I mulled over my options for a moment, then realised that I could copy the files I needed to the /tmp/ directory on the UNetLab box and make an ISO of that folder. This can then be used by the Qemu guest as a standard CDRom!
UNetLab does not come with the mkisofs program by default, so you'll need to install this:
root@unl01:~# sudo apt-get install mkisofs
Reading package lists... Done
Building dependency tree
Reading state information... Done
Note, selecting 'genisoimage' instead of 'mkisofs'
The following packages were automatically installed and are no longer required:
  linux-headers-3.13.0-61 linux-headers-3.13.0-61-generic
  linux-headers-3.13.0-62 linux-headers-3.13.0-62-generic
  linux-image-3.13.0-61-generic linux-image-3.13.0-62-generic
Use 'apt-get autoremove' to remove them.
Suggested packages:
  wodim cdrkit-doc
The following NEW packages will be installed:
  genisoimage
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 587 kB of archives.
After this operation, 1,580 kB of additional disk space will be used.
Get:1 http://us.archive.ubuntu.com/ubuntu/ trusty/main genisoimage amd64 9:1.1.11-2ubuntu3 [587 kB]
Fetched 587 kB in 0s (840 kB/s)
Selecting previously unselected package genisoimage.
(Reading database ... 129086 files and directories currently installed.)
Preparing to unpack .../genisoimage_9%3a1.1.11-2ubuntu3_amd64.deb ...
Unpacking genisoimage (9:1.1.11-2ubuntu3) ...
Setting up genisoimage (9:1.1.11-2ubuntu3) ...
root@unl01:~#
You will need to make sure that the exe file is on your UNetLab machine:
root@unl01:~# ls /tmp/
netio32768  ngadmin_6-1-0-150 (1).exe  vmware-root
root@unl01:~# cd /tmp/
It's there, so let's make a folder and copy it into it:
root@unl01:/tmp# mkdir Barracuda
root@unl01:/tmp# mv ngadmin_6-1-0-150\ \(1\).exe Barracuda/
Now we can create a CD-ROM image in the win-7-Pro directory, called cdrom.iso (do not name it anything other than this), using the folder /tmp/Barracuda as the source. One caveat: with no extra options genisoimage writes plain ISO 9660 level 1 names (8.3, upper case), so a long filename like the one above will show up truncated inside the guest; add -J (Joliet) to the command if you want Windows to see the full name:
root@unl01:/tmp# mkisofs -o /opt/unetlab/addons/qemu/win-7-Pro/cdrom.iso /tmp/Barracuda/
I: -input-charset not specified, using utf-8 (detected in locale settings)
 47.84% done, estimate finish Tue Sep  8 10:42:26 2015
 95.75% done, estimate finish Tue Sep  8 10:42:26 2015
Total translation table size: 0
Total rockridge attributes bytes: 0
Total directory bytes: 116
Path table size(bytes): 10
Max brk space used 0
10452 extents written (20 MB)
root@unl01:/tmp#
Now we can turn on the Windows VM and access the CDRom drive. If the VM was turned on before the cdrom.iso file was copied to the directory then shut it down and start it up again.

Qemu CD ROM, how to get files into Qemu guest

Bingo, the CD Rom is there. And so are my much needed files:

Qemu - working CDrom

UNetLab 0.9.0-68 is out, with cool new stuff!

I feel like a voyeur watching the UNL guys at work. I am on the periphery of the group, I pitch in when I can, and I know what I bring/will bring to the table, and that will be in paperback format, it just takes time. But it's fun watching them work. I am still very much in awe of the stuff they are pulling off, all while maintaining their regular jobs.

And boy, do they work hard. What is really cool is that all that fun stuff that you guys request does get considered, and if suitable, implemented.

Version 0.9.0-68 has just been released, with some big changes, more fixes, more features and more support!

Let's have a look at the fixes first.

In this release there are fixes to:
  • Issues with Dynamips nodes not exporting the startup-config
  • IGMP/Multicast issues using bridges
  • Performance related fixes (including Alcatel, Juniper and Windows)

Already UNL is making some noise in its handling of resources (memory/CPU). UNetLab completely spanked VIRL when running the same number of XRv routers, and did really well running 6 instances of the 7750SR routers.
So, new features, well, there are some really cool additions with this release:

You can import and export labs! Now you can create your own and post them on a website, share them with your friends, or send them to your grandmother!

You can now move, clone and rename labs. Nice little feature, and here's a video about it:


Saving the best for last.. we now have Wireshark integration! How awesome is that? Here's another video on that very subject:


You can watch more videos on the UNetLab YouTube channel.

Lastly we get to new supported images, and entering the UNL family this time we have:
  • Cisco ACS
  • Cisco Context Directory Agent
  • Cisco ISE
  • Cisco vNAM
  • Cumulus VX
  • Linux (generic)
  • MikroTik RouterOS
  • Ostinato Traffic Generator
I am very pleased to see Linux on the list!

As you can see from the videos, the interface is also going through some tweaks. It's clean and makes navigation much easier. 

How do you get this wicked shiny new release? Just follow the steps here to update UNetLab.

Cisco ASA firewall basics

I am nearly at the stage for configuring the ASAs in my CCIE Security lab, well, the HQ part at least.

Before we do that though it would probably be a good idea to go through some of the more basic aspects of the Cisco ASA firewall.

Cisco ASA firewall fundamentals

Cisco ASA models

Cisco ASAs come in two flavours, physical and virtual. The virtual one is relatively new, and is known as the ASAv ("v" for virtual, it makes sense). The physical range of ASA firewalls (the 5500 series) has been around for a number of years, and replaced the PIX firewalls.

The current product range starts with the 5505, which would be your typical SOHO router firewall combo, and then the range moves into the -X models, starting with the 5506-X.

The X denotes that these models are the next-generation of ASA, and come with FirePOWER, which we'll look at in a different post. So, what is the difference between the 5505 and the 5506-X? It's pretty big actually.

Despite the minor number jump, the 5506-X is a far more capable device. Here are some of the comparative stats from the Cisco website (where two figures are given they are base / Security Plus licence):

Cisco ASA model                                        ASA 5505 / Security Plus                 ASA 5506-X / Security Plus
Stateful inspection throughput (max)                   Up to 150 Mbps                           750 Mbps
Maximum concurrent sessions                            10,000 / 25,000                          20,000 / 50,000
Packets per second (64 byte)                           85,000                                   246,900
Max site-to-site and IPsec IKEv1 client VPN sessions   10 / 25                                  10 / 50
Max AnyConnect IKEv2 remote access / clientless VPN    25                                       2 / 50
VLANs                                                  3 (trunking disabled) / 20 (enabled)     5 / 30
High-availability support                              Stateless A/S only (active / standby)    A/S
Integrated I/O                                         8-port FE with 2 PoE ports               8 x 1 Gigabit Ethernet (GE)

As you can see, you can push a far greater amount of traffic through the 5506-X than the 5505.

Prices for the 5505 start at about £250 and go up to around £800; the one pictured above falls into the latter price range. The 5506-X range is not much more expensive, with prices starting at around £400.

As you move higher up the model line, naturally the prices start to enter enterprise kind of money (lots of zeros at the end). But, again, you do get more bang for your buck.

Sizing a firewall is tricky business. You need to look at the number of users you have, both on site and remote, the number that will be connecting via VPN, both site to site, and client VPN, such as AnyConnect. You also need to look at what kind of application traffic the firewall will be passing.

For example the 5512-X could easily support around 2000 users, with around 500 of those being remote users. Prices for this are around £2300.

Basic Cisco ASA firewall configuration

Cisco ASA firewalls are anything but basic. But don't be put off by their complexity. Getting them up and running can be done in a short space of time.

Let's start off with our interfaces, and how they relate to firewall function. A firewall separates traffic between different areas. The ASA interfaces can be assigned to different areas, we will need one on the outside, connecting us to our upstream service provider, one on the inside for our users, and maybe one for our public facing servers, which is known as a DMZ, or Demilitarised Zone.

In our example below, we have an ISP, our ASA (ASAv), and our client (user) machine:

Cisco ASA basic configuration
We will, for a little while, need to use VNC to control the ASA.

Our Gi0/0 interface will be our "Outside" interface, and our Gi0/1 interface will be our "Inside" interface. There is a reason we name them this way: the ASA automatically assigns a security level based on these names, as we will see in a moment.
Let's get started.
ISP:
Router(config)#ho ISP
ISP(config)#int fa0/0
ISP(config-if)#ip add 10.1.1.1 255.255.255.252
ISP(config-if)#no shu
ISP(config-if)#int lo0
ISP(config-if)#ip add 8.8.8.8 255.255.255.255    
ISP(config-if)#ip route 0.0.0.0 0.0.0.0 10.1.1.2
ISP(config)#
User-PC:
Router(config)#ho User1
User1(config)#int fa0/0
User1(config-if)#ip add 192.168.1.17 255.255.255.0
User1(config-if)#no shu
User1(config-if)#ip route 0.0.0.0 0.0.0.0 192.168.1.254
User1(config)#

Cisco ASA interface configuration

OK, let's configure the ASA up, starting with setting the hostname and the outside interface:

Configuring outside interface on a Cisco ASA

Now we configure the Inside interface:

Configuring inside interface on a Cisco ASA

Notice how the ASA sets the security levels according to the interface names, with 0 for the Outside interface and 100 for the Inside interface (any other name defaults to 0). 0 is the "least trusted" level and 100 is the "most trusted" level. We can set these manually if we want to, using the command "security-level <0-100>". The level drives the default policy: connections initiated from a higher level towards a lower one are allowed and their return traffic is tracked, while anything initiated from a lower level towards a higher one is denied unless an access list permits it.

At this stage we should have connectivity from the User1 "PC", and from the ISP:
User1#ping 192.168.1.254 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.254, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/7/12 ms
User1#

ISP#ping 10.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/12/28 ms
ISP#

The ASAv needs to be aware of the 8.8.8.8 "server", so we can create a default route on the ASAv to do this:

Configuring a default route on an ASA

Notice that, unlike IOS, the ASA route command requires the name of the interface the route points out of, so a default route is written with "Outside" before the destination and mask.

Allowing SSH access to Cisco ASA

Now, let's set ourselves up to manage the ASA from our User1 "PC". Firstly we need to generate our general-keys (the RSA key pair SSH will use), using the command "crypto key generate rsa modulus 1024"; in production you should use 2048 or larger, as 1024-bit RSA is below current minimums:

Configuring SSH on Cisco ASA

Notice that I also set the domain name, and the version.

The rest of the configuration is shown through show commands, once I have successfully connected from User1:
User1#ssh -l stu 192.168.1.254
Password: 
Type help or '?' for a list of available commands.
ASAv> en
Password: ******
ASAv# sh run | i username
username stu password QFwZO2R.a0n6RaA/ encrypted privilege 15
ASAv# sh run | i aaa
aaa authentication ssh console LOCAL 
aaa authentication enable console LOCAL 
ASAv# sh run | i ssh
aaa authentication ssh console LOCAL 
ssh stricthostkeycheck
ssh 192.168.1.0 255.255.255.0 Inside
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
ASAv# sh run | i management
 management-only
management-access Inside
ASAv#
We will need a user to connect with. Notice that the password is stored hashed ("encrypted") automatically. We have two AAA commands, one for SSH logins and one for enable access, both against the LOCAL user database. The ssh line restricts SSH clients to the 192.168.1.0/24 subnet arriving on the Inside interface. management-access Inside is something different: it makes the Inside interface address reachable for management from another interface, for example across a VPN tunnel, rather than controlling who may connect. Two things to tighten before anything like this reaches production: the key-exchange group shown, dh-group1-sha1, is the 1024-bit group, and the software supports dh-group14-sha1 in its place; and the SSH source subnet should be narrowed to the management hosts rather than the whole user VLAN.
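As an added example (my own code, not part of the original post or any Cisco tool), here is a small Python audit of the management-plane settings just discussed, run over the show-run fragments above. The interface stanzas in the sample are assumed from the post's addressing (Gi0/0 "Outside" 10.1.1.2/30, Gi0/1 "Inside" 192.168.1.254/24), since the post only shows them as screenshots, and a second, constructed "what not to do" configuration shows what the checks catch.

```python
import ipaddress
import re

# Constructed sample: the show-run fragments printed in the post, stitched together with
# interface stanzas that are assumed to match the post's addressing.
PAGE_CONFIG = """\
hostname ASAv
interface GigabitEthernet0/0
 nameif Outside
 security-level 0
 ip address 10.1.1.2 255.255.255.252
interface GigabitEthernet0/1
 nameif Inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0
username stu password QFwZO2R.a0n6RaA/ encrypted privilege 15
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
ssh stricthostkeycheck
ssh 192.168.1.0 255.255.255.0 Inside
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
management-access Inside
"""

# Constructed "what not to do" variant: no version pin, no AAA, SSH from anywhere on the
# least-trusted interface, and cleartext telnet on the inside.
BAD_CONFIG = """\
interface GigabitEthernet0/0
 nameif Outside
 security-level 0
 ip address 10.1.1.2 255.255.255.252
interface GigabitEthernet0/1
 nameif Inside
 ip address 192.168.1.254 255.255.255.0
ssh 0.0.0.0 0.0.0.0 Outside
telnet 192.168.1.0 255.255.255.0 Inside
"""

# ssh/telnet <source> <mask> <nameif>: the lines that decide where management logins come from
MGMT_ACL = re.compile(r"^(ssh|telnet)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)$")


def parse_interfaces(config):
    """Map nameif -> security-level, applying the default the post describes:
    an interface named "inside" gets 100 when no level is set, anything else gets 0."""
    levels = {}
    name = level = None

    def flush():
        if name is not None:
            levels[name] = level if level is not None else (100 if name.lower() == "inside" else 0)

    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            flush()
            name = level = None
        elif line.startswith(" nameif "):
            name = line.split()[1]
        elif line.startswith(" security-level "):
            level = int(line.split()[1])
    flush()
    return levels


def audit_asa_config(config):
    """Return [(code, message)] for the management-plane weaknesses this check knows about."""
    findings = []
    levels = parse_interfaces(config)
    lines = [l.strip() for l in config.splitlines() if l.strip()]

    if "ssh version 2" not in lines:
        findings.append(("ssh-v1", "SSH version not pinned to 2; older ASA software then accepts SSHv1 as well"))
    if "ssh key-exchange group dh-group1-sha1" in lines:
        findings.append(("weak-kex", "SSH key exchange is 1024-bit dh-group1-sha1; use dh-group14-sha1"))
    if not any(l.startswith("aaa authentication ssh console") for l in lines):
        findings.append(("no-aaa-ssh", "no 'aaa authentication ssh console'; the local user database is not consulted"))

    for l in lines:
        m = MGMT_ACL.match(l)
        if not m:
            continue
        proto, ip, mask, ifname = m.groups()
        net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        level = levels.get(ifname)
        if proto == "telnet":
            findings.append(("telnet", f"telnet permitted from {net} on {ifname}: cleartext management"))
        if net.prefixlen == 0 or level == 0:
            findings.append(("mgmt-exposed", f"{proto} permitted from {net} on {ifname} (security-level {level})"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("post config", PAGE_CONFIG), ("bad config", BAD_CONFIG)):
        print(label)
        for code, msg in audit_asa_config(cfg):
            print(f"  [{code}] {msg}")
```

Against the post's own configuration the only finding is the dh-group1-sha1 key exchange; the constructed bad configuration additionally trips the missing version pin, the missing AAA line, the any-source SSH on the security-level 0 interface, and telnet.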

Now we can work a little easier. The final step is to get the User1 PC to access the 8.8.8.8 server out on the Internet. To do this the ASA needs to perform a bit of Network Address Translation (NAT).

Internet access for inside hosts on a Cisco ASA

Let's give access for our inside hosts. To do this does not take many steps, we just need to create a network to match everything, and then NAT this:
ASAv(config)# object network OBJ_OUTSIDE
ASAv(config-network-object)# subnet 0.0.0.0 0.0.0.0
ASAv(config-network-object)# exi
ASAv(config)# nat (Inside,Outside) source dynamic OBJ_OUTSIDE interface
ASAv(config)# 
Ping fails while telnet works. That is not a NAT problem: by default the ASA does not track ICMP in its connection table (there is no "inspect icmp" in the default global policy), so the echo replies arriving on the Outside interface are dropped as unsolicited, whereas the TCP session for telnet is tracked and its return traffic is let back in. Adding inspect icmp to the global policy, or an access list on Outside, would make the pings succeed.
ASAv(config)# exi
ASAv# exi
[Connection to 192.168.1.254 closed by foreign host]
User1#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
User1#telnet 8.8.8.8
Trying 8.8.8.8 ... Open


Password required, but none set

[Connection to 8.8.8.8 closed by foreign host]
User1#
We can prove that this works, by setting a password on the ISP router:
ISP(config)#line vty 0 4
ISP(config-line)#password 802101
ISP(config-line)#exi
ISP(config)#enable password 802101
ISP(config)#

User1#telnet 8.8.8.8
Trying 8.8.8.8 ... Open


User Access Verification

Password: 
ISP>en
Password: 
ISP#who
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:00:24   
*  2 vty 0                idle                 00:00:00 10.1.1.2

  Interface    User               Mode         Idle     Peer Address

ISP#
So, you can see that the ASAv has performed NAT for User1. We can check this on the ASAv:


So, telnet worked fine, what about http requests? Well, the ASAv will perform NAT (well, PAT to be precise) for us. We can see this by setting up the ISP router to be an HTTP server:
ISP(config)#ip http server
ISP(config)#

User1#telnet 8.8.8.8 80
Trying 8.8.8.8, 80 ... Open
get
HTTP/1.1 400 Bad Request
Date: Sat, 05 Sep 2015 14:28:30 GMT
Server: cisco-IOS
Accept-Ranges: none

400 Bad Request
[Connection to 8.8.8.8 closed by foreign host]
User1#

As you can see, it does not take long to get up and running with an ASA. Now that we have had our little introduction to ASAs, I can start configuring them up in my lab (in a day or two).

New Networking forum now live

Hi all!

I have now added a forum to the website. It's primarily for Cisco certifications, from CCNA through CCNP, up to CCIE.
Cisco Certification forum

I can (and will) add other, relevant, topics, so do please feel free to request anything you'd like to see.

It is for free discussion of all things networking, including virtualization (UNetLab, GNS3 etc) and there will be a place for off-topic discussion (keep it clean).


Please note that it is not for asking, or posting, dumps or copyrighted material. 

You can visit the forum by clicking the link in the navigation bar above, or by visiting http://forum.802101.com/.

Thanks!

Cisco is not the only fruit. Check out this excellent Alcatel-Lucent blog

I must admit that I have never really got any hands-on experience with Alcatel-Lucent stuff, I've just not worked somewhere that used them. But I caught a post on noshut.ru about how easily you can run Alcatel SR OS on UNetLab.

Time to virtualize the Alcatel Router

It is a really well written post, and highlights some of the benefits of UNetLab, but also the ease with which TiMOS can be deployed, so that you can start playing with the wide range of features that it offers (MPLS, BGP, IS-IS). The biggest and most important thing about this post is that the author, Roman, works for Alcatel-Lucent.

This is great news for UNetLab!

You can check out the full description of the Alcatel-Lucent Virtualized Service Router (VSR) to see what it does.

There is a video on the site, which is definitely worth checking out:


I will definitely be checking out more Alcatel-Lucent stuff, especially as it runs so easily in UNetLab.

Please do check out the blog: http://noshut.ru/

Wireshark integration with UNetLab on OSX

Why should those Windows users have all the fun? Wouldn't you like to be able to capture traffic in Wireshark on your Mac? Well, you have come to the right place!

So, the idea is that when you select Capture from the right-click pop-up menu, and select the interface in UNL, then Wireshark should launch.

The problem is that there is no handler for the "capture://" part of the URL. We can edit handlers if they already exist, but it's not easy to create them as and when we want them.

So, we need to create one, and the program to actually run Wireshark.

This can be done through AppleScript, and actually can perform both actions - launching Wireshark, and associating "capture://" with the program.

After a couple of hours of digging around I came across a workable solution, and after a bit of testing the script I wrote is now ready to use.
To install it, you can download the app from the link below, just unzip it, and copy the app to your Applications directory.

Here is a video of it in action:


Download link:
https://sites.google.com/site/802101files/books/UNL_Wireshark.app.zip
Check this link for the updated file!
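Whatever wraps the handler (the AppleScript app above, or a registry entry on Windows), the core of it is turning the URL into a remote tcpdump piped into a local Wireshark, and that is where the security caveat lives: the interface name comes straight from the URL, and ssh re-joins its arguments and runs them through the remote shell, so anything that interpolates the URL into a command line can be made to run arbitrary commands on the UNetLab host. The Python below is an added example of my own, not the downloadable app's code; it assumes UNetLab passes a URL of the form capture://<unl-host>/<interface> (the post only shows the capture:// scheme), that root on the UNetLab host has tcpdump, and that wireshark is on the local PATH.

```python
import re
import subprocess
from urllib.parse import urlsplit

# Assumption: the URL looks like capture://192.168.0.10/vunl0_1_0 (host, then interface name).
HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")
IFACE_RE = re.compile(r"^[A-Za-z0-9_.-]{1,15}$")   # Linux interface names are at most 15 chars


def capture_command(url, ssh_user="root"):
    """Translate a capture:// URL into two argv lists: the remote tcpdump over ssh and the
    local Wireshark reading from stdin.

    Anything that is not a plain hostname plus a plain interface name raises ValueError,
    because ssh concatenates its arguments and the remote shell interprets them: an
    interface of "vunl0_1_0;id" would run "id" on the UNetLab host."""
    parts = urlsplit(url)
    if parts.scheme != "capture":
        raise ValueError("not a capture:// URL: %r" % url)
    if parts.username or parts.password or parts.query or parts.fragment or parts.port is not None:
        raise ValueError("unexpected URL components in %r" % url)
    host = parts.hostname or ""
    iface = parts.path.lstrip("/")
    if not HOST_RE.match(host) or not IFACE_RE.match(iface):
        raise ValueError("rejected host/interface: %r / %r" % (host, iface))
    remote = ["ssh", "%s@%s" % (ssh_user, host),
              "tcpdump", "-U", "-s", "0", "-i", iface, "-w", "-"]
    local = ["wireshark", "-k", "-i", "-"]
    return remote, local


def is_valid_capture_url(url):
    """True when capture_command() would accept the URL; handy for a pre-flight check."""
    try:
        capture_command(url)
    except ValueError:
        return False
    return True


def launch(url):
    """Run ssh ... tcpdump -w - | wireshark -k -i - with no shell in between."""
    remote, local = capture_command(url)
    producer = subprocess.Popen(remote, stdout=subprocess.PIPE)
    consumer = subprocess.Popen(local, stdin=producer.stdout)
    producer.stdout.close()   # wireshark owns the read end; tcpdump gets SIGPIPE when it quits
    return consumer


if __name__ == "__main__":
    import sys
    launch(sys.argv[1]).wait()
```

The two argv lists are passed to subprocess directly, so nothing in the URL is ever parsed by the local shell; the regexes are what protect the remote side. If you port this into the AppleScript wrapper, keep the same rule: validate the host and interface against a whitelist pattern before building any command string.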

Changing URL handlers in OSX

A little background first, the default (native) OSX VNC program sucks when trying to use it with UNetLab.

Chicken of the VNC, on the other hand, works great. But there is nowhere in Chicken to set it as the default app.

There is a little program that will come to the rescue, and this is RCDefaultApp. It is a little download, and installs an app (Default Apps) in the System Preferences.

OSX System Preferences

From there you have a much more granular control over what gets launched. For example, I can now set Chicken to be the default app for VNC connections:

Default Apps VNC Chicken

Now when I click on a VNC node in UNL, it launches Chicken instead. I still need to click "Connect", but it launches Chicken:

UNetLab VNC Chicken OSX

ASA VNC UNetLab

Much easier!

This does not allow the addition of custom handlers though, so we can't add one for Wireshark this way. But I have that solved, and once it's tidied up a bit, I'll do a post on it.