This is a bit of a jump: I had originally planned to concentrate on the upper part of the topology, but this is just a quick post as I set up a core component - the Active Directory server. This will be needed for authenticating to devices, website access through proxy rules, and a whole bunch of other stuff.
One of the things I love about UNetLab is that you can create a folder, chuck in a cdrom.iso file, create a hard disk, and it will install (OK, for the most part - Windows 10 doesn't seem happy yet), so I can quickly roll out my AD server.
root@unl01:/opt/unetlab/addons/qemu# mkdir win-2008R2
root@unl01:/opt/unetlab/addons/qemu# cd win-2008R2/
root@unl01:/opt/unetlab/addons/qemu/win-2008R2# ls
2008.R2.SP1.iso
root@unl01:/opt/unetlab/addons/qemu/win-2008R2# mv 2008.R2.SP1.iso cdrom.iso
root@unl01:/opt/unetlab/addons/qemu/win-2008R2# ls
cdrom.iso
root@unl01:/opt/unetlab/addons/qemu/win-2008R2# /opt/qemu/bin/qemu-img create -f qcow2 hda.qcow2 40G
Formatting 'hda.qcow2', fmt=qcow2 size=42949672960 encryption=off cluster_size=65536 lazy_refcounts=off refcount_bits=16
root@unl01:/opt/unetlab/addons/qemu/win-2008R2# ls
cdrom.iso  hda.qcow2
root@unl01:/opt/unetlab/addons/qemu/win-2008R2# ls -lah
total 3.3G
drwxr-xr-x  2 root root 4.0K Aug 13 09:58 .
drwxr-xr-x 36 root root 4.0K Aug 13 09:49 ..
-rwx------  1 root root 3.3G Aug 13 09:56 cdrom.iso
-rw-r--r--  1 root root 193K Aug 13 09:58 hda.qcow2
root@unl01:/opt/unetlab/addons/qemu/win-2008R2# /opt/unetlab/wrappers/unl_wrapper -a fixpermissions
root@unl01:/opt/unetlab/addons/qemu/win-2008R2#

You don't magically get the ISO file once you create the folder: I copied it over using FileZilla, renamed it to cdrom.iso, created a 40G hard disk, and ran the wrapper.
Install starts:
After a while, a few clicks of "next" and the install is completed, and I can start the AD installation. Running Windows 2008 R2 on UNetLab really is that easy:
I have given this server, which will be my primary AD box, the IP address 192.168.10.13, which means that I have also added another component to my internal network structure - the 192.168.10.0/24 network.
So why did I use this particular address? Well, it's a geek thing - if you can work it out then you win 10 points*.
I have used CCIELAB as the AD domain as it wouldn't let me use 802101.local. :(
OK, so now let's add this bit of the network (vlan 10) to the switches.
It really doesn't make sense to add each VLAN to each switch by hand as I go forward, so let's set up VTP on SW3 and SW4.
SW3(config)#vtp domain CCIELAB
Changing VTP domain name from NULL to CCIELAB
SW3(config)#vtp pass ccielab
Setting device VTP password to ccielab
SW3(config)#vtp mode ser
Device mode already VTP Server for VLANS.
SW3(config)#vtp ver 2
SW3(config)#

SW4(config)#vtp dom CCIELAB
Domain name already set to CCIELAB.
SW4(config)#vtp mo cli
Setting device to VTP Client mode for VLANS.
SW4(config)#vtp pass ccielab
Setting device VTP password to ccielab
SW4(config)#

SW3(config)#vlan 10
SW3(config-vlan)#name AD VLAN
SW3(config-vlan)#exi
SW3(config)#int vlan 10
SW3(config-if)#ip add 192.168.10.1 255.255.255.0
SW3(config-if)#no sh
SW3(config)#int gi 2/2
SW3(config-if)#swi mode acc
SW3(config-if)#swi acc vl 10
SW3(config-if)#exi
SW3(config)#

SW4(config)#do sh vlan bri
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/0, Gi0/1, Gi0/2, Gi0/3
                                                Gi1/2, Gi1/3, Gi2/0, Gi2/1
                                                Gi2/2, Gi2/3, Gi3/1, Gi3/2
                                                Gi3/3
10   AD VLAN                          active
42   VLAN0042                         active    Gi1/0, Gi1/1
1002 fddi-default                     act/unsup
1003 trcrf-default                    act/unsup
1004 fddinet-default                  act/unsup
1005 trbrf-default                    act/unsup
SW4(config)#do sh int trun
Port        Mode         Encapsulation  Status        Native vlan
Gi3/0       on           802.1q         trunking      1

Port        Vlans allowed on trunk
Gi3/0       1-4094

Port        Vlans allowed and active in management domain
Gi3/0       1,10,42

Port        Vlans in spanning tree forwarding state and not pruned
Gi3/0       1,10,42
SW4(config)#

What we need now, in the words of my children, is some peoples to play with. I will need at least two user accounts, and two security groups.
UserA will be an admin for all things, he'll have access to the routers and ASAs, the switches, all the websites, and everything you can think of. UserA will be in the Admins group.
UserB will not have the same level of access: it will have access to one website, but not another - still not sure where these websites will be, exactly, but we'll cross that bridge when we come to it. UserB won't have admin access to the routers, ASAs, etc., and I am sure I can find some other ways to be Captain Buzzkill for this imaginary user!
Scripting is a bit more interesting than screenshots, and it also makes it easier to cut and paste if you are following along at home.
First we need to create an OU (called Staff), and two users (UserA and UserB):
dsadd ou "ou=Staff, dc=CCIELAB, dc=local"
dsadd user "cn=UserA, ou=Staff, dc=CCIELAB, dc=local"
dsadd user "cn=UserB, ou=Staff, dc=CCIELAB, dc=local"

Now we are going to create an OU (called RBAC), and add a couple of groups to it (Admins and Basic):
dsadd ou "ou=RBAC, dc=CCIELAB, dc=local"
dsadd group cn=Admins,ou=RBAC,dc=CCIELAB,dc=local
dsadd group cn=Basic,ou=RBAC,dc=CCIELAB,dc=local

Users need passwords, and they need to be activated, so let's do this:
dsmod user "CN=UserA,OU=Staff,DC=CCIELAB,DC=local" -pwd Cisco123! -mustchpwd no
dsmod user "CN=UserB,OU=Staff,DC=CCIELAB,DC=local" -pwd Cisco123! -mustchpwd no
dsmod user "CN=UserA,OU=Staff,DC=CCIELAB,DC=local" -disabled no
dsmod user "CN=UserB,OU=Staff,DC=CCIELAB,DC=local" -disabled no

Lastly, let's add them to the RBAC groups:
dsmod group cn=Admins,ou=RBAC,dc=CCIELAB,dc=local -addmbr CN=UserA,OU=Staff,DC=CCIELAB,DC=local
dsmod group cn=Basic,ou=RBAC,dc=CCIELAB,dc=local -addmbr CN=UserB,OU=Staff,DC=CCIELAB,DC=local

A quick check in the GUI confirms that the users are where they should be:
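As an added check that is not part of the original post, the following PowerShell verifies the layout the dsadd/dsmod commands above are meant to produce: both users exist under Staff, are enabled with a password set, each sits in its intended RBAC group and no other, and neither group has members outside the plan. It assumes the ActiveDirectory module (RSAT on 2008 R2) is installed on the DC and that dsadd left the sAMAccountName equal to the CN, which is its default.

```powershell
# Added example: audit the UserA/UserB -> Admins/Basic layout from the post.
# Assumption: ActiveDirectory module available, run as an account that can read the directory.
Import-Module ActiveDirectory

$domainDn = 'DC=CCIELAB,DC=local'
$staffOu  = "OU=Staff,$domainDn"
$rbacOu   = "OU=RBAC,$domainDn"

# Intended mapping from the post: UserA -> Admins, UserB -> Basic.
$expected   = @{ 'UserA' = 'Admins'; 'UserB' = 'Basic' }
$rbacGroups = @('Admins', 'Basic')
$problems   = @()

foreach ($name in $expected.Keys) {
    $user = Get-ADUser -Filter "SamAccountName -eq '$name'" -SearchBase $staffOu -Properties PasswordLastSet -ErrorAction SilentlyContinue
    if (-not $user) { $problems += "$name not found under $staffOu"; continue }
    if (-not $user.Enabled)         { $problems += "$name is disabled" }
    if (-not $user.PasswordLastSet) { $problems += "$name has no password set" }

    # Which of the RBAC groups is this user actually in?
    $inGroups = Get-ADPrincipalGroupMembership $user |
                Where-Object { $_.DistinguishedName -like "*,$rbacOu" } |
                Select-Object -ExpandProperty Name
    $wanted = $expected[$name]
    if ($inGroups -notcontains $wanted) { $problems += "$name missing from $wanted" }
    foreach ($g in $inGroups) {
        if ($g -ne $wanted) { $problems += "$name unexpectedly in $g" }
    }
}

# Anyone in Admins or Basic who is not on the plan (nested members included) is a finding too.
foreach ($g in $rbacGroups) {
    Get-ADGroupMember -Identity "CN=$g,$rbacOu" -Recursive | ForEach-Object {
        $sam = $_.SamAccountName
        if (-not $expected.ContainsKey($sam) -or $expected[$sam] -ne $g) {
            $problems += "$g contains unexpected member $sam"
        }
    }
}

if ($problems.Count -eq 0) { 'RBAC layout matches the plan.' } else { $problems }
```

Re-run it after any later change to the lab directory; an empty problem list is the expected result once the commands above have been applied.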
Although I do seem to be jumping around the topology a tad, this was more of a side-step. Doing quick things like this early on will allow a more rapid approach later. It also helps me plan how the network will run, from both the top down (IP addressing) and the bottom up (services and integration).
I hope. That's the plan at least.
4 comments
But what if you already have Windows 7 or XP in your Windows directory? It is not detecting the WIN-2008 folder when I try to add a Windows device. Am I missing something here?
What do you have under /opt/unetlab/addons/qemu/?
Have you actually added a Windows Server qemu image?
If so, have you run the wrapper?
That was fine. Actually, the issue was resolved when I renamed the folder from "Win" to "win", which means caps lock matters in UNL :) Nice article though!
Yes, it's Linux-based, so caps are important :)