CCIE Security lab, part 1


The new server is built, UNL is imported and started, and an issue with the swap location is sorted (the VM is on an SSD, which didn't leave enough room to create the swap file).

Let's start configuring the lab. Please note that this is a work in progress, so there will be a number of edits as we go through!

Today I plan to cover part 1 and some of part 2 from my CCIE Security study plan.

First off, let's spend a couple of minutes thinking about the IP addressing scheme.

We need to manage the WSA, so we have to configure the switches (3 and 6), the Windows PC, and the WSA itself.

[Image: CCIE Security v4 topology]

By default the WSA uses the IP address 192.168.42.42 with a /24 subnet. It makes sense, then, to have a management VLAN of 192.168.42.0/24, and with that we have our first requirement. We also need some trunks, and I'll use MST across the board. The VLAN 42 SVI will live on Switch 3, at least for the moment, and will use an IP address of 192.168.42.1. The Windows host will use 192.168.42.7.

Now we have a start to the network.

I do have to make quite a major edit to the topology though. At the moment it has Arista switches. The port count makes it easier to match the INE topology, and the syntax is 90% the same (hence the court case). However, I get this error:
localhost login:

localhost login: admin

Warning: the following filesystems have less than 10% free space left:
tmpfs                (on /var/log)      0% (948 1K-blocks Available)
Please remove configuration such as tracing and clean up the space.

Unable to connect: Connection refused

localhost login:
So let's replace them with some IOS switches instead.

Back in a minute...
OK, back now. I have swapped the Arista switches (SW3 and SW6) for vIOS (L2).

[Image: CCIE Security v4 topology]
Already I hit a road-block: the image doesn't have enough ports to cover my configuration, so the interface I try to configure is rejected:
Switch>en
Switch#conf t
Switch(config)#ho SW3
SW3(config)#vlan 42
SW3(config-vlan)#exi
SW3(config)#int vlan 42
SW3(config-if)#ip add 192.168.42.1 255.255.255.0
SW3(config-if)#no shut
SW3(config-if)#exi
SW3(config)#int gi3/0
SW3(config-if)#swi tru enc dot
SW3(config-if)#swi mo tru
SW3(config-if)#no sh
SW3(config-if)#int gi 5/0

% Invalid input detected at '^' marker.

SW3(config-if)#

So, I need to make another edit.

[Image: CCIE Security v4 topology]

OK, now we can proceed:
SW3(config)#int gi 0/3
SW3(config-if)#swi mo acc
SW3(config-if)#swi acc vl 42
SW3(config-if)#no shu
SW3(config-if)#desc Link to TestPC-B
SW3(config-if)#
Let's set up SW6:
Switch#conf t
Switch(config)#ho SW6
SW6(config)#vlan 42
SW6(config-vlan)#exi
SW6(config)#int gi 3/0
SW6(config-if)#swi trun enc do
SW6(config-if)#swi mo tru
SW6(config-if)#no sh
SW6(config-if)#exit
SW6(config)#int gi 1/1
SW6(config-if)#swi mo acc
SW6(config-if)#swi acc vl 42
SW6(config-if)#int gi 1/0 
SW6(config-if)#swi mo acc
SW6(config-if)#swi acc vl 42
SW6(config-if)#exi
SW6(config)#exi
SW6#
Let's start adding some spanning-tree:
SW3(config)#spanning-tree mode mst
SW3(config)#spanning-tree mst configuration 
SW3(config-mst)#rev 1  
SW3(config-mst)#instance 1 vlan 42
SW3(config-mst)#name 802101-Sec
SW3(config-mst)#exi
SW3(config)#spanning-tree mst 1 root pri
SW3(config)#

SW6(config)#spanning-tree mo mst
SW6(config)#span mst con
SW6(config-mst)#rev 1
SW6(config-mst)#name 802101-Sec
SW6(config-mst)#instance 1 vl 42
SW6(config-mst)#exi
SW6(config)#spanning-tree mst 1 root sec
SW6(config)#
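The two MST blocks above have to agree exactly: switches only end up in the same MST region when the region name, revision number and the complete instance-to-VLAN mapping match, and a typo on one switch silently splits the region. Here is an added example (not code from the original post) that parses the region parameters out of IOS running-config text and compares them; the two configs are constructed from the SW3/SW6 commands above in running-config form (where `root primary` and `root secondary` become priority 24576 and 28672).

```python
# Added example, not from the original post: compare the MST region parameters
# of two IOS switches. Both configs are constructed from the SW3/SW6 commands
# in the post (IOS expands 'root primary'/'secondary' to these priorities).
SW3_CONFIG = """\
spanning-tree mst configuration
 name 802101-Sec
 revision 1
 instance 1 vlan 42
spanning-tree mst 1 priority 24576
"""
SW6_CONFIG = """\
spanning-tree mst configuration
 name 802101-Sec
 revision 1
 instance 1 vlan 42
spanning-tree mst 1 priority 28672
"""

def expand_vlans(spec):
    """Expand an IOS VLAN list such as '42' or '10-12,42' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def mst_region(config):
    """Return (name, revision, {instance: frozenset(vlans)}) from the indented
    'spanning-tree mst configuration' block; IOS defaults are '' and 0."""
    name, revision, instances = "", 0, {}
    in_block = False
    for line in config.splitlines():
        if line.startswith("spanning-tree mst configuration"):
            in_block = True
            continue
        if not line.startswith(" "):
            in_block = False  # the block ends at the first unindented line
        tok = line.split()
        if not in_block or not tok:
            continue
        if tok[0] == "name":
            name = tok[1]
        elif tok[0] == "revision":
            revision = int(tok[1])
        elif tok[0] == "instance":
            instances[int(tok[1])] = frozenset(expand_vlans(tok[3]))
    return name, revision, instances

def same_region(cfg_a, cfg_b):
    """True only when both switches would form a single MST region."""
    return mst_region(cfg_a) == mst_region(cfg_b)
```

Changing the revision or adding a VLAN to the instance mapping on only one switch makes `same_region` return False, which is exactly the case that turns an intended single region into two.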
Now we should be able to get to the WSA from our test PC. The console tells us to browse to http://192.168.42.42:8080:
AsyncOS starting services ...
..............................................................................................................................................................

AsyncOS ironport.example.com (cuau0)

login: admin
Password:
Last login: Tue Aug  4 12:02:30 on cuau0
AsyncOS 8.6.0 for Web build 025

Welcome to the Cisco S000V Web Security Virtual Appliance
Please wait while appliance services start up..................
Please run System Setup Wizard at http://192.168.42.42:8080
ironport.example.com>
Woo hoo! Looks good so far:

[Screenshot: Cisco vWSA running on UNetLab]

I log in with the username admin and the password ironport, and get this:

[Screenshot: Cisco vWSA running on UNetLab]

OK, so I need to get a license. This part is not going too well:

[Screenshots: Licensing Cisco vWSA for UNetLab]

Balls.

Let's look on the bright side: I have actually covered the first part of my 17-step CCIE Security study plan.

I just need to get a working license.

Stay tuned!



CCIE #49337, author of CCNA and Beyond, BGP for Cisco Networks, MPLS for Cisco Networks, VPNs and NAT for Cisco Networks.

3 comments
Tom
21 August 2015 at 01:32

Hi Stuart,

Just a note here. I understand your point regarding the topology, but just thinking about the switches I'm using today: neither IOU/L2 nor vIOS/L2 supports dot1x/MAB - Web Authentication, Guest access and sponsor portals. So I just installed one cat3560 and connected that switch to the shared subnet to the ESXi server, just to complete this part. And be aware that the IOS has to be at least 12.2(55) to support the 802.1x redirection.

The second thing is TrustSec - it's supported on the 3750-X, so I'm not sure if it can be done virtually. Haven't tried that yet.

21 August 2015 at 03:09

Hi Tom, thanks for the heads up. Yeah, I kind of expected to find a few bits that aren't supported along the way! Looks like the topology will get edited again, or several times! :)

21 August 2015 at 23:37

I am keeping an eye on this link http://community.dev-innovate.com/t/mab-on-iosv-l2/4452 - it has been raised as a feature request, so maybe soon it will be available on IOSv.
