Tag Archives: Bacon-Saver

ASA 8.4(2) under OSX 10.8

One of my most popular posts on Cisco Inferno covers installing and running a Cisco ASA firewall on GNS3. Since then I have shifted to a MacBook Pro and want to run everything in OSX. I have been using GNS3 inside a Windows VM for a while, but that wastes resources and more. I have yearned, for lack of a better word, for a way to run everything natively in OSX. Today is the day I share how to do this. The requirements are as follows.

  • A working ASA 8.4 image – (extracted as per previous ASA post)
  • OSX 10.8 – (I’ve tested this but 10.7 may work)
  • QEMU 11.0 
  • GNS3 0.8.4RC2 

Download and install GNS3 from SourceForge. This is the latest version, from May. It updates the look, feel, and importantly some behind-the-scenes features. This is rather straightforward.
Next it is time to download the modified QEMU 11.0. Install this self-extracting QEMU instance. It is pre-compiled and works with OSX 10.8. It has also been patched to support JUNOS devices.

Now set the path to QEMU as the value below.

/usr/local/bin/QEMU-system-i386

Set the path to qemu-img to the value below.

/usr/local/bin/qemu-img

You have now pointed GNS3 at the QEMU install you extracted earlier; click test. Your results should look like those below.

Screen Shot 2013-05-12 at 5.09.25 PM

Now jump over to the ASA tab. This version of GNS3 has better support for QEMU instances; it actually pre-populates fields. From the first drop-down menu, Preconfiguration, ensure ASA 8.4(2) is selected. I set my RAM to 1024. Note that the QEMU options and kernel command line options are already filled in. Unlike previously, where you had to define them, GNS3 now does this for you.

Screen Shot 2013-05-12 at 5.08.54 PM

Now time to select your ASA images.

Initrd

/Users/pandom_/Documents/GNS3/Images/asa842-initrd.gz

ASA Kernel

/Users/pandom_/Documents/GNS3/Images/asa842-vmlinuz

Voila. Now click save and close the preferences pane. From the side tab of devices, select Security Devices and drag an ASA firewall onto your canvas. Click the play button and watch it start up. You will have two QEMU windows open. These may appear as not responding, but whilst they are open your ASA runs. If you close them the ASA will disable itself and turn off, so do not do this.

Screen Shot 2013-05-12 at 5.43.50 PM

Here it is. My final topology. Connect to them all via console (left of the play button) and enjoy the study.

Known Hosts headache

I have a number of devices in my lab. I constantly deploy them, rework them, and lab new things. Once they are up and operating I generally move off a console connection to SSH. Sometimes this poses a problem with SSH known hosts. The function of the known hosts list is to help detect a man-in-the-middle attack: if an FTP server goes offline and someone has surreptitiously replaced it with something more malicious, this check helps detect it.

Something like below might appear.

manetheren:/ pandom_$ ssh root@192.168.1.200
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
99:c8:15:52:62:c3:73:39:a8:d5:5f:2d:31:d2:fb:90.
Please contact your system administrator.
Add correct host key in /Users/pandom_/.ssh/known_hosts to get rid of this message.
Offending RSA key in /Users/pandom_/.ssh/known_hosts:2
RSA host key for 192.168.1.200 has changed and you have requested strict checking.
Host key verification failed.

So, as you can see, it denies my SSH request into my SRX. Rather painful. With the constant moving and changing in the lab, here is how I rectify the issue.

manetheren:/ pandom_$ ssh-keygen -R 192.168.1.200
/Users/pandom_/.ssh/known_hosts updated.
Original contents retained as /Users/pandom_/.ssh/known_hosts.old

The command above invokes ssh-keygen; the -R argument removes all keys associated with the host 192.168.1.200 from known_hosts. Now I will attempt to access my SRX again.

manetheren:/ pandom_$ ssh root@192.168.1.200
root@192.168.1.200's password: 

--- JUNOS 12.1R3.5 built 2012-08-09 07:05:23 UTC
root@A-SRX110-HQ%

There we go. Access restored. Something handy that I hope you will find useful.
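As an added example (not from the post), here is a small Python script that does what ssh-keygen -R does to a known_hosts file, so the warning above is easier to reason about. It parses plain, comma-listed and hashed (|1|salt|hmac) hostname fields, computes the MD5 colon fingerprint in the style the warning prints as well as the SHA256 form, and splits the file into kept and removed lines while keeping the original as a .old copy. The known_hosts lines, key blob and salt are constructed for the demonstration; 192.168.1.200 is the host from the post.

```python
import base64
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# Constructed sample data: the key blob is arbitrary bytes, not a real key,
# and the salt is a fixed 20-byte string (OpenSSH uses a random 20-byte salt).
SAMPLE_KEY_BLOB = base64.b64encode(b"\x00\x00\x00\x07ssh-rsa" + b"\x01" * 32).decode()
SAMPLE_SALT = b"0123456789abcdefghij"


def hashed_host_field(host: str, salt: bytes) -> str:
    """Build a hashed hostname field in OpenSSH's |1|base64(salt)|base64(hmac) form."""
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def host_matches(hostfield: str, host: str) -> bool:
    """True if a known_hosts hostname field (plain, comma list or hashed) names host."""
    if hostfield.startswith("|1|"):
        parts = hostfield.split("|")
        if len(parts) != 4:
            return False
        salt = base64.b64decode(parts[2])
        expected = base64.b64decode(parts[3])
        actual = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(actual, expected)
    return host in hostfield.split(",")


def parse_entry(line: str) -> Optional[Tuple[str, str, str, str]]:
    """Return (marker, hostfield, keytype, keyblob), or None for blank/comment lines."""
    fields = line.split()
    if not fields or fields[0].startswith("#"):
        return None
    marker = ""
    if fields[0].startswith("@"):          # @cert-authority or @revoked
        marker, fields = fields[0], fields[1:]
    if len(fields) < 3:
        return None
    return marker, fields[0], fields[1], fields[2]


def fingerprints(keyblob_b64: str) -> Tuple[str, str]:
    """MD5 colon form (the style in the warning above) and SHA256 form of a key blob."""
    blob = base64.b64decode(keyblob_b64)
    md5 = hashlib.md5(blob).hexdigest()
    md5_colon = ":".join(md5[i:i + 2] for i in range(0, len(md5), 2))
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return md5_colon, "SHA256:" + sha


def remove_host(lines: List[str], host: str) -> Tuple[List[str], List[str]]:
    """Split known_hosts lines into (kept, removed), as ssh-keygen -R <host> would."""
    kept, removed = [], []
    for line in lines:
        entry = parse_entry(line)
        if entry is not None and host_matches(entry[1], host):
            removed.append(line)
        else:
            kept.append(line)
    return kept, removed


def rewrite_known_hosts(path: str, host: str) -> int:
    """Remove host from the file at path, keeping the original as path.old; returns count removed."""
    with open(path) as fh:
        lines = fh.read().splitlines()
    kept, removed = remove_host(lines, host)
    if removed:
        os.replace(path, path + ".old")
        with open(path, "w") as fh:
            fh.write("\n".join(kept) + "\n")
    return len(removed)


def sample_known_hosts() -> List[str]:
    """Constructed known_hosts content: two entries for 192.168.1.200, one for another host."""
    return [
        "# constructed sample file",
        "192.168.1.200 ssh-rsa " + SAMPLE_KEY_BLOB,
        "192.168.1.10,gns3-server ssh-rsa " + SAMPLE_KEY_BLOB,
        hashed_host_field("192.168.1.200", SAMPLE_SALT) + " ssh-rsa " + SAMPLE_KEY_BLOB,
    ]


if __name__ == "__main__":
    lines = sample_known_hosts()
    for line in lines:
        entry = parse_entry(line)
        if entry:
            md5_fp, sha_fp = fingerprints(entry[3])
            print("%-40s %s" % (entry[1][:40], md5_fp))
    kept, removed = remove_host(lines, "192.168.1.200")
    print("removed %d entries, kept %d" % (len(removed), len(kept)))
```

The fingerprint helper is there for the step the warning asks you to do before clearing the entry: compare the fingerprint it prints with one you obtained on the console after rebuilding the device. In a lab where you reimage hosts constantly the mismatch is expected; on a production host it is the signal the known hosts list exists to give.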

i(OS)Message

Ever needed to deploy a device where multiple engineers are working in tandem? This could be from different sites, or someone peer reviewing configurations with you. I have. I have also not been able to access a phone, or been somewhere very noisy. You have the ability to chat across vty lines on IOS. This isn't new and has been around since before I was born, but today I will show you how you can add this tool to your skill set.

Let's see what line the other engineer is using. We do have our names stating who we are, but in case you forget there is our little asterisk to remind us.

4500-lab-01#sh user
    Line       User       Host(s)              Idle       Location
*  1 vty 0     aburke     idle                 00:00:00 192.168.22.50
   2 vty 1     sburns     idle                 00:00:19 192.168.22.57

  Interface      User        Mode                     Idle     Peer Address

Now I have noticed an error count on interface T7/3. I can't call sburns, nor do I have internet access. Time to let him know what I want him to look at to confirm my findings.

4500-lab-01#send vty 1 
Enter message, end with CTRL/Z; abort with CTRL/C:
Have a look at the interface T7/3's error count. Do you think it is a bit high? 
Lets reset the counters and check.
^Z
Send message? [confirm]
4500-lab-01#

On sburns' screen, this is what appears on the console.

4500-lab-01#

***
***
*** Message from tty2 to tty1:
***
Have a look at the interface T7/3's error count. Do you think it is a bit high? 
Lets reset the counters and check.

I have clearly and effectively communicated to my coworker the information I needed to get to him. Rather cool. It is just something you can use in your toolkit. This could also be perfect for those moments when you don't want to deal with the person on the other end of the phone.

Slices and JUNOS

In the land of JUNOS, in the fires of Mount Doom... No, I'll resist, but I felt like I had the Eye of Sauron on me. On a UNIX OS the concept of slices exists. In JUNOS they exist because of its resilient boot architecture: with dual boot partitions you have a designated backup copy that allows the device to boot when something goes wrong.

JUNOS slices up your internal flash into separate partitions to ensure resiliency and stability. It also means you won't lose everything in the event of an issue. By default the EX flash is divided into four slices. Two identical copies of JUNOS are stored on slice 1 and slice 2. Slice 3 contains the contents of /var, with slice 4 holding /config. Due to the high level of reads and writes to /var and the potential for corruption, this isolation works a treat to avoid corrupting the entire partition.

Testing some failover mechanisms, I was cutting the power to the EX. It generally cannot hurt, and in this particular test I was pulling the plug out. I booted back up and was greeted by this prompt.

****************************************************************************************
** **
** WARNING: THIS DEVICE HAS BOOTED FROM THE BACKUP JUNOS IMAGE **
** ** 
** It is possible that the primary copy of JUNOS failed to boot up **
** properly, and so this device has booted from the backup copy. **
** **
** Please re-install JUNOS to recover the primary copy in case **
** it has been corrupted. **
** **
****************************************************************************************

I kind of filled my pants. Before researching what had occurred I thought I had broken my new device. Luckily this wasn't the case. What I had done was corrupt the primary boot slice. I had done no damage to the secondary, and it booted from that. I powered off and restarted hoping it would work and was met by the same screen. Not to worry. I noticed there was a red light on the chassis, so I checked the system alarms.

user@switch> show chassis alarms
1 alarms currently active
Alarm time Class Description
2013-02-18 09:34:21 PST Minor Host 0 Boot from backup root

Again it had booted from the backup. Time to discover what the onboard help had to offer.

After using help apropos I discovered the command that might save me.

request system snapshot media internal slice alternate

This command repairs the primary slice by copying the image from the backup to the primary. A reboot is then needed to ensure your EX boots off the primary partition.

request system reboot slice alternate media internal

Now it should be happy days once you reboot. You have tested (unintentionally) your backup partition. After the reboot you can confirm JUNOS is installed correctly on each slice by issuing the following.

show system snapshot media internal slice 1
show system snapshot media internal slice 2

At the time I did honestly contemplate zeroing the device. This restores it to a factory state and I had no issue copying my config back on. I thought, though, that there would have to be a fix for production devices, and I am glad I found it. Now, with the worry gone, I know there is a way to fix it. On a single chassis it will require a restart to clear the alarm, but if running with dual REs or in a Virtual Chassis you could shift the workload and active gateways. +1 to my neckbeard skills.

Further reading : Understanding Resilient Dual-Root Partitions on Switches

Interesting limitations or silly Anthony?

As previous blogs have indicated, I have my hands on a Juniper Networks EX2200. This device has great functionality; what I found great was the dual-purpose uplink ports. As pictured below, these ports are paired and can take either an RJ-45 or an SFP. I had these two ports connected via the copper ports, uplinked to an SRX110. I had some Cisco fibre SFPs lying around and placed them into the slots to protect them.

I booted the device up and happily performed some base configuration. This worked well. I established a connection and configured the LLDP settings I wanted from the previous blog. Superb. It was then I noticed I didn't have a connection upstream to my device: the infamous up/down scenario. I was remotely labbing from the lounge so I couldn't see the front panel, which taught me to hunt more in the CLI. I checked configs, interface status and more. Then I thought more about dual-purpose. It dawned on me that maybe it is one or the other. Well it is, kind of.

An SFP module takes priority over RJ-45. The SFP I plugged in kept me down as it was just sitting there with no fibre cable installed. Juniper has an internal priority by default: unless you specify otherwise, the SFP takes precedence.

There is a fix and I will show you how I got it working below. With this change my device came up and it was happy days.

root@EX2200# set interfaces ge-0/1/0 media-type copper
root@EX2200# set interfaces ge-0/1/1 media-type copper

So be aware that there are some hardware limitations. The name, dual-purpose port, should have given it away, but I have to admit I was excited to get this puppy in the lab and in doing so I may not have read all of the manual. RTFM? Yeah, I got bitten. This switch has made a great addition to my lab; expect some cool JUNOS stuff in the future. Awesome features thus far. It is like a mini 3560 without the price tag.

Disclaimer: I do have a disclaimer about my blog and how I operate in the blogging world with integrity. I declare here, and with other posts, that this Juniper Networks EX2200-12P switch was provided to me by Francois Prowse on behalf of Juniper Networks. I was not asked for positive, marketed vendor drivel. I will blog honestly about the platform and my experiences and share what I find, good or bad.

Don’t let your outage window best you

Outage windows. They vary from after 5pm, to a 4-hour window per quarter, and even just 17 seconds per year. They are valuable. They are something that shouldn't be squandered. The sad thing is that some treat them as free overtime pay and don't give a second thought to the window's value. Generally they don't do a second one.

I’d like to share to you something my father always loves to slip in “Prior preparation prevents piss poor performance”. You know what? As much as I may have rolled my eyes every time I heard that when I was younger, a wiser self thinks the old bugger was right.

The change, depending on the process, can be as simple as a sign-off email, notification of affected service(s) to relevant parties, and away you go. The alternative is months of planning and configuration revisions, templating, rollback procedures, last known goods and more. Coordination of assets is important. No organisation has infinite resources, whether staff, material, or time.

The aim of this post is to engage thought and thinking, not to explain every caveat of a change process. Well-established guidelines (yes, guidelines, not gospel) are out there, such as ITIL, PRINCE, the Cisco Lifecycle (think PPDIOO) and plenty of others. I see guidelines as required for BAU activities. Skill sets in a team vary. Everyone has something different to bring to the team environment, but all need to follow a guideline process.

Each person works in different ways. If your task were to provision a new VLAN, assign ports, ACLs, and an HSRP group, how would you go about it? When would you perform verification? How do you identify dependent technologies? Not everyone considers this, and attacking a problem in a sporadic fashion can lead to issues and time wasted troubleshooting. This is why guidelines exist. Picture this workflow and compare it to a haphazard, pin-the-tail-on-the-donkey approach. A business could outline a workflow for small activities such as Scope, Create, Refine, Test, Implement, Verify, Close. At each step along the way, an engineer using his knowledge could complete a task knowing it would be done to a satisfactory standard. This would ensure consistency in configuration and deployment, and improve change requests.

Just some food for thought for your next outage window. Try creating an implementation plan or a guideline framework and see how you go.

Prudish behavior

Back on the Juniper posts today, I am going to jump into local user authentication. Juniper offers quite a few options for configuring user-based access. I will start to explore these, among many other topics, this year. I am of the belief that not everyone should have full access to your device. You don't tell everyone all of your secrets, do you?

Juniper access control has a lot of ways to achieve one thing, and today I will show you only some. This post will cover local users, setting up a read-only account, and some of the retry-options focused on security. By default, you create a root account when you first boot your Juniper device. I would not recommend all users use this to administer the device. Too much power!

First, let's create two users: Rand al'Thor and Lan Mandragoran. I am reading the last book of The Wheel of Time at the moment, hence the names! I've assigned user IDs manually; the device will do it for you automatically, preferring the lowest available first.

set system login user lmandragoran full-name "Lan Mandragoran"
set system login user lmandragoran uid 2003
set system login user ralthor full-name "Rand al'Thor"
set system login user ralthor uid 2004

Now to create passwords.

[edit system login]
root@SRX110# set user ralthor authentication plain-text-password    
New password:
Retype new password:

[edit system login]
root@SRX110# 

[edit system login]
root@SRX110# set user lmandragoran authentication plain-text-password    
New password:
Retype new password:

[edit system login]
root@SRX110#

That is all well and good. Now assign the users to login classes: Rand to the default super-user class and Lan to read-only.

set system login user lmandragoran class read-only
set system login user ralthor class super-user

Now let's confirm our settings.

root@SRX110> show configuration system login                     

user lmandragoran {
    full-name "Lan Mandragoran";
    uid 2003;
    class read-only;
    authentication {
        encrypted-password "$1$9fMIL2Zh$j9pzA40WQ.3apKHRlfG4M/"; ## SECRET-DATA
    }
}
user ralthor {
    full-name "Rand al'Thor";
    uid 2004;
    class super-user;
    authentication {
        encrypted-password "$1$GYbzNkRL$.L4KVszsdSeKm92NffG9N."; ## SECRET-DATA
    }
}

Awesome. Now let us test how read-only works for Lan.

root@SRX110% exit
logout
Connection to 192.168.1.200 closed.
telaranrhiod:~ pandom$ ssh lmandragoran@192.168.1.200
lmandragoran@192.168.1.200's password: 
--- JUNOS 12.1R3.5 built 2012-08-09 07:05:23 UTC
lmandragoran@SRX110> ?
Possible completions:
  file                 Perform file operations
  help                 Provide help information
  load                 Load information from file
  op                   Invoke an operation script
  quit                 Exit the management session
  request              Make system-level requests
  save                 Save information to file
  set                  Set CLI properties, date/time, craft interface message
  show                 Show system information
  start                Start shell
  test                 Perform diagnostic debugging
lmandragoran@SRX110> set ?  
Possible completions:
  cli                  Set CLI properties
lmandragoran@SRX110> request ?   
Possible completions:
  chassis              Perform chassis-specific operations
  dhcp                 Perform DHCP operations
  dhcpv6               Perform DHCPv6 operations
  interface            Perform interface tasks
  lacp                 Request LACP actions
  message              Send text message to other users
  modem                
  multicast            Perform multicast operations
  network-access       Request network-access related information
  pppoe                Perform PPPoE specific operations
  services             Service requests
  snmp                 Request actions from the Simple Network Management Protocol daemon
  wlan                 Wireless LAN related requests
lmandragoran@SRX110> show ?        
Possible completions:
  accounting           Show accounting profiles and records
  arp                  Show system Address Resolution Protocol table entries
  as-path              Show table of known autonomous system paths
  authentication-whitelist  Show 802.1X White List MAC addresses
  bfd                  Show Bidirectional Forwarding Detection information
  bgp                  Show Border Gateway Protocol information

Now you can see that this user can verify existing commands, issue show commands for each stanza, and perform system requests. They cannot restart the device or look at the entire configuration.

lmandragoran@SRX110> show configuration    
## Last commit: 2013-01-16 22:19:23 UTC by root
version /* ACCESS-DENIED */;
system { /* ACCESS-DENIED */ };
interfaces { /* ACCESS-DENIED */ };
routing-options { /* ACCESS-DENIED */ };
protocols { /* ACCESS-DENIED */ };
security { /* ACCESS-DENIED */ };
routing-instances { /* ACCESS-DENIED */ };
ethernet-switching-options { /* ACCESS-DENIED */ };
vlans { /* ACCESS-DENIED */ };

Pretty cool. Now to show you some lock-down methods. I want to make it hard for someone to gain illegitimate access to the device; I want to slow them down. Junos has a plethora of options for this. I want to make sure that if you put a wrong password in three times, you're disconnected. The backoff-threshold of 1 means that after the first failed password attempt, each subsequent attempt is delayed by the backoff-factor, which is 5 seconds; each further failure increases the wait by another 5 seconds. If all three attempts fail, the connection is closed. Minimum-time allows this entire transaction 25 seconds, else the connection will close.

set system login retry-options tries-before-disconnect 3
set system login retry-options backoff-threshold 1
set system login retry-options backoff-factor 5
set system login retry-options minimum-time 25

Now let's attempt to break an account.

telaranrhiod:~ pandom$ ssh ralthor@192.168.1.200
ralthor@192.168.1.200's password: 
Permission denied, please try again.

ralthor@192.168.1.200's password: 
Permission denied, please try again.

ralthor@192.168.1.200's password: 
Received disconnect from 192.168.1.200: 2: Too many password failures for ralthor
telaranrhiod:~ pandom$

The time between each attempt was annoying. A great way to protect against brute-force attempts on your switches. Now I am going to make one more account that is only able to view routing information. This account needs to be FIPS 140-2 compliant, meaning the following permission bits cannot be set: secret, security, and maintenance. I will make a class entitled router-operator and apply the routing-control and view permission bits. I am also going to allow this class for the weekday night shift only: 18:00-06:00, Monday to Friday. I will include an idle timeout of 2 minutes. No leaving an open CLI!

set system login retry-options minimum-time 20
set system login class router-operator allowed-days monday
set system login class router-operator allowed-days tuesday
set system login class router-operator allowed-days wednesday
set system login class router-operator allowed-days thursday
set system login class router-operator allowed-days friday
set system login class router-operator access-start "18:00:00 +0000"
set system login class router-operator access-end "06:00:00 +0000"
set system login class router-operator permissions routing-control
set system login class router-operator permissions view
set system login class router-operator idle-timeout 2

A FIPS 140-2 Crypto Officer is someone with the secret, security, and maintenance permission bits set. Time to confirm the commands. It is important to have the correct time if you are using time-based roles and functions, especially at a global level where different time zones could be a factor.

mcauthon@SRX110> ?
Possible completions:
  file                 Perform file operations
  help                 Provide help information
  load                 Load information from file
  op                   Invoke an operation script
  quit                 Exit the management session
  request              Make system-level requests
  save                 Save information to file
  set                  Set CLI properties, date/time, craft interface message
  show                 Show system information
  start                Start shell
  test                 Perform diagnostic debugging
mcauthon@SRX110> show route ospf     

inet.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 3d 14:37:11
                    > to 192.168.1.254 via fe-0/0/0.0

mcauthon@SRX110> show route         

inet.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 3d 14:37:15
                    > to 192.168.1.254 via fe-0/0/0.0
172.16.10.1/32     *[Local/0] 1w4d 14:18:48
                      Reject
172.16.15.1/32     *[Local/0] 1w4d 14:18:48
                      Reject
172.16.20.1/32     *[Local/0] 1w4d 14:18:48
                      Reject
192.168.1.0/24     *[Direct/0] 3d 14:37:15
                    > via fe-0/0/0.0
192.168.1.200/32   *[Local/0] 1w4d 14:18:37
                      Local via fe-0/0/0.0
192.168.2.1/32     *[Local/0] 1w4d 14:18:49
                      Reject
224.0.0.5/32       *[OSPF/10] 6d 22:54:37, metric 1
                      MultiRecv

R1.inet.0: 9 destinations, 9 routes (9 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

1.1.1.1/32         *[Direct/0] 1w4d 14:19:19
                    > via lo0.1
2.2.2.2/32         *[OSPF/10] 1w0d 20:41:26, metric 1
                    > to 192.168.10.2 via lt-0/0/0.0
3.3.3.3/32         *[OSPF/10] 1w0d 20:41:26, metric 2
                    > to 192.168.10.2 via lt-0/0/0.0
192.168.10.0/30    *[Direct/0] 1w4d 14:18:36
                    > via lt-0/0/0.0
192.168.10.1/32    *[Local/0] 1w4d 14:18:36
                      Local via lt-0/0/0.0
192.168.10.4/30    *[OSPF/10] 1w0d 20:41:26, metric 2
                    > to 192.168.10.2 via lt-0/0/0.0
192.168.10.8/30    *[Direct/0] 1w4d 14:18:36
                    > via lt-0/0/0.5
192.168.10.10/32   *[Local/0] 1w4d 14:18:36
                      Local via lt-0/0/0.5
224.0.0.5/32       *[OSPF/10] 1w2d 03:13:50, metric 1
                      MultiRecv
mcauthon@SRX110# run show system uptime 
Current time: 2013-01-17 00:55:41 UTC
System booted: 2013-01-05 10:39:40 UTC (1w4d 14:16 ago)
Protocols started: 2013-01-05 10:42:03 UTC (1w4d 14:13 ago)
Last configured: 2013-01-17 00:49:19 UTC (00:06:22 ago) by root
12:55AM up 11 days, 14:16, 2 users, load averages: 0.19, 0.08, 0.01

So, logged in as Matrim Cauthon, you can see that you can issue show commands and edit routing protocols, and that the login time falls within the allowed window.

mcauthon@SRX110> Warning: session will be closed in 1 minute if there is no activity
Warning: session will be closed in 10 seconds if there is no activity
Idle timeout exceeded: closing session

Connection to 192.168.1.200 closed.
telaranrhiod:~ pandom$

Very good. Got distracted by a webpage? Got up for a coffee and didn’t lock your screen? Your personal data may be gone but the network is safe! Easy to configure for powerful results.
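As an added example that is not part of the post, here is a Python model of the router-operator class above. It parses set-style `system login class` lines, checks the FIPS 140-2 operator rule the post states (no secret, security or maintenance bits), and evaluates whether a login at a given UTC time falls inside the allowed-days / access-start / access-end window. Two things are my assumptions for the model, not verified Junos behaviour: that an access-end earlier than access-start wraps past midnight with allowed-days checked against the day the window started, and the hypothetical crypto-officer class, which exists only to exercise the check. Confirm both against your device.

```python
import shlex
from datetime import datetime, time, timedelta, timezone
from typing import Dict, Tuple

# The post states an operator class for FIPS 140-2 must not carry these bits,
# and that a class which does carry them is a Crypto Officer.
CRYPTO_OFFICER_BITS = {"secret", "security", "maintenance"}

# Constructed set-style config: the post's router-operator class, plus a
# hypothetical crypto-officer class that exists only to exercise the check.
SAMPLE_CONFIG = """
set system login class router-operator allowed-days monday
set system login class router-operator allowed-days tuesday
set system login class router-operator allowed-days wednesday
set system login class router-operator allowed-days thursday
set system login class router-operator allowed-days friday
set system login class router-operator access-start "18:00:00 +0000"
set system login class router-operator access-end "06:00:00 +0000"
set system login class router-operator permissions routing-control
set system login class router-operator permissions view
set system login class router-operator idle-timeout 2
set system login class crypto-officer permissions secret
set system login class crypto-officer permissions security
set system login class crypto-officer permissions maintenance
"""


def parse_junos_time(value: str) -> Tuple[time, timezone]:
    """'18:00:00 +0000' -> (time(18, 0, 0), timezone with that UTC offset)."""
    clock, offset = value.split()
    hh, mm, ss = (int(part) for part in clock.split(":"))
    sign = -1 if offset.startswith("-") else 1
    delta = timedelta(hours=int(offset[1:3]), minutes=int(offset[3:5]))
    return time(hh, mm, ss), timezone(sign * delta)


def parse_login_classes(config: str) -> Dict[str, dict]:
    """Collect 'set system login class <name> <key> <value>' lines into per-class dicts."""
    classes: Dict[str, dict] = {}
    for raw in config.splitlines():
        tokens = shlex.split(raw)
        if tokens[:4] != ["set", "system", "login", "class"] or len(tokens) < 7:
            continue
        name, key, value = tokens[4], tokens[5], tokens[6]
        cls = classes.setdefault(name, {"allowed-days": set(), "permissions": set()})
        if key == "allowed-days":
            cls["allowed-days"].add(value.lower())
        elif key == "permissions":
            cls["permissions"].add(value)
        elif key in ("access-start", "access-end"):
            cls[key] = parse_junos_time(value)
        elif key == "idle-timeout":
            cls[key] = int(value)
    return classes


def is_fips_operator(cls: dict) -> bool:
    """True when none of the Crypto Officer bits are present on the class."""
    return not (cls["permissions"] & CRYPTO_OFFICER_BITS)


def login_allowed(cls: dict, when: datetime) -> bool:
    """Model of the allowed-days / access-start / access-end check.

    Assumption (mine, not verified Junos behaviour): an access-end earlier than
    access-start wraps past midnight, and allowed-days is checked against the
    day on which that window started.
    """
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    days = cls["allowed-days"]
    if "access-start" not in cls or "access-end" not in cls:
        return not days or when.strftime("%A").lower() in days
    start, tz = cls["access-start"]
    end, _ = cls["access-end"]
    local = when.astimezone(tz)
    now = local.time()
    if start <= end:                        # window lies within one calendar day
        if not (start <= now < end):
            return False
        window_day = local.date()
    elif now >= start:                      # evening half of an overnight window
        window_day = local.date()
    elif now < end:                         # morning half, window began yesterday
        window_day = local.date() - timedelta(days=1)
    else:
        return False
    return not days or window_day.strftime("%A").lower() in days


def allowed_at(cls: dict, utc_stamp: str) -> bool:
    """Convenience wrapper taking 'YYYY-MM-DD HH:MM' in UTC."""
    when = datetime.strptime(utc_stamp, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)
    return login_allowed(cls, when)


if __name__ == "__main__":
    classes = parse_login_classes(SAMPLE_CONFIG)
    for name, cls in classes.items():
        print(name, "fips-operator" if is_fips_operator(cls) else "crypto-officer bits present")
    # 2013-01-17 00:55 UTC is the time shown by 'show system uptime' in the post
    print("router-operator at 2013-01-17 00:55 UTC:",
          allowed_at(classes["router-operator"], "2013-01-17 00:55"))
```

The timezone handling is the reason the post stresses correct time: the window is evaluated in the offset given on access-start, so a device clock that is wrong, or a +0000 window applied to engineers working in another zone, shifts the whole shift boundary.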

Thoughts

I think local AAA is often overlooked. I've found the options in JUNOS for local accounts very granular and flexible. Obviously, long term and for large-scale IT teams, centralised solutions are a much better choice. For a small deployment or environment such as branches or SOHO/SMB it is a great tool. Remember, if you are seeding local accounts, to apply these settings and be sparing with the super-user class.

Killing Screens

Now some might say this is a silly blog post, especially since I have an Opengear 5004 console server. At this stage I haven’t explored all its uses so it is not in “production” at home.

I currently SSH home to use my lab and screen a console cable into my SRX for these lab posts. By default I have a timer on SSH sessions; unfortunately, screen doesn't disconnect. On Linux I'd use byobu for screen emulation, but I have got this installed on my OSX box.

I was getting the error that the resource was busy. Painful. I initially was rebooting, because I am a bit of a noob, but thought there must be a better way. I found it. Check this out.

telaranrhiod:~ pandom$ 
telaranrhiod:~ pandom$ screen -ls
There is a screen on:
        322.ttys000.telaranrhiod        (Attached)
1 Socket in /var/folders/m7/m7mJ021cEgCxTMyOSAkHrk+++TQ/-Tmp-/.screen.

Here I confirm the current screen sessions. Now to kill screen session 322.

telaranrhiod:~ pandom$ screen -X -S 1
Please specify a command.
telaranrhiod:~ pandom$ screen -X -S 1 kill
No screen session found.
telaranrhiod:~ pandom$ screen -X -S 322 kill

Now to access my device again.

telaranrhiod:~ pandom$ screen /dev/tty.PL2303-0000101D

root@SRX110> 

root@SRX110>

There we go. Access again. Since I am playing with screens and firewall rules, having console access is good. For now, screen will do. I will deploy the Opengear device, hopefully over the Christmas holidays.

I hope you have found this helpful and thank you for reading.

Remote Labbing – Lab long and prosper!

Certification requires a lot of lab time. I mean a lot. Hundreds of hours of thorough, insightful, and meaningful labbing, let alone the time invested behind the CLI for a CCIE certification. There are two routes most people take these days: hiring rack time or building their own lab. I am going to discuss the latter today, including reproducing my setup!

Physical vs Semi-physical

There are two types of physical labs we can create. If you have access to ex-production kit, are very wealthy, or happen to get lucky on eBay, then a full physical topology is great: routers, switches, FR devices. When looking into a vendor topology for the CCIE lab you quickly realise it could be quite expensive, and in this economic climate it ends up being so.

http://www.ine.com/topology.htm

Albeit this is classed as a cheaper lab, there are a lot of interfaces and expansion cards to get. The price does add up.

I have opted for a hybrid physical/virtual topology. What on Earth? GNS3 + 4 physical switches + a whole lotta NICs. Let us now together build our server.

Physical Checklist

I am lucky enough that my workplace has spare servers. A Dell PowerEdge 710 is the flavour. It is highly overpowered for what we plan to do.

  • 2 x Xeon QC 2.8ghz
  • 32 GB ram (It did have 96GB)
  • 500GB 15k SAS
  • 3 x Intel QUAD 1GB NIC
  • 1 x Onboard NIC (4x 1GB)

Overkill. What I am doing can be reproduced on i5 machines with 8GB RAM and 3-4 quad-port NICs. GNS3Vault, Matthew Mengelm, and Mellowd have done it on the above or less.

  • 2 x 3560-X (48Port, PoE, 100/1000, 2 x 10GB card)
  • 2 x 3750-G

Install time.

I have installed Ubuntu 12.04 x64 onto this machine. I chose the desktop version; I am a grasshopper. The server is accessible when I am at work, but I wanted easy access if I broke something :)

Install dependencies of GNS3/Dynamips

 sudo apt-get update
 sudo apt-get install python
 sudo apt-get install qt4-dev-tools
 sudo apt-get install pyqt4-dev-tools

Install GNS3 to the /opt directory (I choose to keep all directory names lowercase for sanity reasons).

 cd /opt
 sudo wget http://downloads.sourceforge.net/project/gns-3/GNS3/0.8.2/GNS3-0.8.2-src.tar.bz2
 sudo tar -xjvf GNS3-0.8.2-src.tar.bz2
 sudo mv GNS3-0.8.2-src /opt/gns3
 sudo rm GNS3-0.8.2-src.tar.bz2

Create subdirectories and add read/write permission to the projects directory.

 cd /opt/gns3
 sudo mkdir dynamips
 sudo mkdir ios
 sudo mkdir project
 sudo mkdir tmp
 sudo chmod o+rw -R ./project

Time to install the Dynamips backend:

 cd dynamips
 sudo wget http://downloads.sourceforge.net/project/gns-3/Dynamips/0.2.8-RC3-community/dynamips-0.2.8-RC3-community-x86.bin
 sudo chmod +x ./dynamips-0.2.8-RC3-community-x86.bin

X11 Forwarding

Now, before we begin, I want to set up remote access. I use this machine via the internet, so once port forwarding is set up I need to add and change some SSH settings. I want the GNS3 GUI to be X11 forwarded so I can access and change a topology and create new ones. My Dynamips training wheels aren't great.

sudo nano /etc/ssh/ssh_config
Remove the # in front of the ForwardX11 line and change it to ForwardX11 yes.

Write these changes.

Access via CLI.

After SSH’ing into your box you land at the command prompt. To launch a GUI based GNS3 from CLI use the following.

sudo python /opt/gns3/gns3.pyw

That will launch GNS3. If you want it to auto-load a topology file too, do the following.

sudo python /opt/gns3/gns3.pyw /opt/gns3/project/ine/inev5.net

GNS3 settings

Due to having a bucket load of RAM I do the following to allow myself faster run times. I set the working directory for Dynamips to be my RAM swap. Pewpew!

Edit > Preferences > Dynamips >

Working Directory for Dynamips:
 /run/shm

Now to set up the basics with GNS3/Dynamips.

Edit > Preferences > Dynamips >

Executable path to Dynamips:
 /opt/gns3/dynamips/dynamips-0.2.8-RC3-community-x86.bin
Project directory : /opt/gns3/project
 Image Directory :/opt/gns3/ios

Inside the ios folder I have the c3725-adventerprisek9-mz.124-15.T5 image.
My idle-pc value, which is selected when the CPU isn't processing, is 0x602649b4. This will change for your machine; when you calculate it, pick a value marked with a *.
I have also increased the RAM of my 3725 to 256MB.

Fully loaded and running, my INEv5 topology uses 8 percent of RAM. :)

Goal Topology

This is the topology I am building. Where a switch is cabled into a router, as far as the devices are concerned they are adjacent. In the case of SW3 -> BB3 the physical connection is SW3 fa0/24 -> eth1 <- GNS3 cloud bound to eth1 <- BB3 fa0/0. Rinse and repeat this step and you will find that you easily have not only this topology but also IPExpert, Narbik, Cisco360 or any conceivable topology. Oh, and you can have more than 4 switches!

INE v5

INEv5 Ethernet

INEv5 Serial

Presenting the final GNS3 topology

Lab lab baby!

As the little clouds show, each one reflects which port it connects to. I hope that by providing the physical serial, Ethernet, and GNS3 diagrams you will be able to reproduce this nicely.

Extras to make labbing easy.

Now let us be cheeky and make full use of our switches: telnet to serial!
I have 4 console cables, 2 USB and 2 serial, to access my switches. I access my switches by “telnetting” to the console cables.

Install Serial to Telnet

sudo apt-get install ser2net

Edit the config

sudo nano /etc/ser2net.conf

I change the TTY lines to the ones used in my setup.

6000:telnet:0:/dev/ttyS1:9600 8DATABITS NONE 1STOPBIT banner
6001:telnet:0:/dev/ttyS2:9600 8DATABITS NONE 1STOPBIT banner
6002:telnet:0:/dev/ttyUSB1:9600 8DATABITS NONE 1STOPBIT banner
6003:telnet:0:/dev/ttyUSB2:9600 8DATABITS NONE 1STOPBIT banner

The syntax above is portnumber:protocol:timeout:device:baud, with the serial options following the baud rate. Pretty easy.

Now let’s restart the service so the config file is reloaded.

sudo service ser2net restart
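Because each ser2net line is an unauthenticated telnet listener, it is worth checking that those ports are reachable only through the SSH hop. Added example, not the post’s own code: a small Python audit that parses lines in the format above, flags listeners not bound to loopback, and rewrites them using ser2net’s `[host,]port` bind form, which is assumed here from ser2net 2.x; the config text is a constructed sample.

```python
"""Audit ser2net.conf console lines for telnet listeners reachable from any
address, and emit loopback-bound equivalents. Added example, not the post's."""
import re

# Constructed sample modelled on the post's four console lines; the third is
# already bound to loopback using ser2net's [host,]port form (an assumption
# about ser2net 2.x syntax, check your ser2net.conf(5) man page).
SAMPLE_CONF = """\
# ser2net.conf (constructed sample)
6000:telnet:0:/dev/ttyS1:9600 8DATABITS NONE 1STOPBIT banner
6001:telnet:0:/dev/ttyS2:9600 8DATABITS NONE 1STOPBIT banner
127.0.0.1,6002:telnet:0:/dev/ttyUSB1:9600 8DATABITS NONE 1STOPBIT banner
6003:telnet:0:/dev/ttyUSB2:9600 8DATABITS NONE 1STOPBIT banner
"""

# port:state:timeout:device:options, as described in the post.
LINE_RE = re.compile(
    r"^(?P<port>[^:#\s]+):(?P<state>\w+):(?P<timeout>\d+):(?P<device>[^:]+):(?P<options>.*)$")
LOOPBACK = {"127.0.0.1", "localhost", "::1"}

def parse_ser2net(text):
    """Return one dict per console line; comments and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = LINE_RE.match(line)
        if not line or line.startswith("#") or not m:
            continue
        e = m.groupdict()
        host, _, port = e["port"].rpartition(",")   # "[host,]port"
        e["bind"] = host or None                    # None: all interfaces
        e["port"], e["timeout"] = int(port), int(e["timeout"])
        entries.append(e)
    return entries

def exposed_consoles(entries):
    """Active lines whose listener is not bound to loopback. Nothing on the
    telnet side authenticates and timeout 0 never expires a session, so
    anyone who can reach the port has the switch console."""
    return [e for e in entries if e["state"] != "off" and e["bind"] not in LOOPBACK]

def harden_line(e, bind="127.0.0.1"):
    """Rewrite an entry so only clients already on the box (via SSH) reach it."""
    return f"{bind},{e['port']}:{e['state']}:{e['timeout']}:{e['device']}:{e['options']}"

if __name__ == "__main__":
    for e in exposed_consoles(parse_ser2net(SAMPLE_CONF)):
        print(f"{e['device']} on port {e['port']} is exposed -> {harden_line(e)}")
```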

To access all of my devices at once, conveniently and securely, I use the Byobu terminal multiplexer over SSH.

sudo apt-get install byobu
sudo byobu

F2 creates a new terminal. F3/F4 navigate between them.

It may take a while to get through, but now you have a pseudo console server! It keeps your history, which is the best part: if you lab remotely you can resume exactly where you left off, with the output of previous sessions intact.

Treats!

I have uploaded my topology to Ubuntu pastebin. Feel free to copy and paste this into a .net file and use it yourself. It applies to my computer only, so do change it if you have different settings or install locations. Remember to adjust the IDLE-PC to match yours, as a .NET file overrides the global defaults.

My thoughts

My labbing has increased tenfold. I now have the ability to spin up varied networks with L2/L3 technologies working harmoniously together. CLI access is fantastic, and having quite a few templates to work on now, I have zero excuse. I believe the hours I spent putting this together have already yielded dividends.

** EDIT – You can easily add in a Firewall using QEMU and ASA 8.4. More delicious topics to get your pretty faces into.

Additional and Supplementary post

Physi-o-logical

A network is a dynamic, living entity. It changes based upon business requirements and needs to be flexible and scalable. Technology jumps ahead by leaps and bounds, and as it changes, so do the requirements of our networks.

Documentation is something that is rarely kept up to date, and if it is, more often than not it is inaccurate. I thought I would put up some documentation-centric posts to share some of my processes.

Logical vs Physical

The important point here is to distinguish what you are looking at. A physical diagram looks at the physical connections between devices and can include information such as interfaces, medium, and rack/site location. A logical diagram can include information such as IP addresses, traffic flow and type, access control, VLANs, and more. It is very important to maintain up-to-date copies of both, as they are useful in team environments and provide a great top-down view. Here are two examples, one logical and one physical.

Lets get physical!

As you can see, the physical diagram includes information about exact whereabouts, layout, port mappings and physically attached location. Nothing about VLANs, DMZs, or configuration information.

Logical

The logical diagram represents the areas and connections. My logical diagram shows information such as subnets and how the network is connected.

Document ALL the networks

Every little change, no matter how small, is important. You could be changing some route-maps one day, get hit by a bus on the way home, and that knowledge is lost. Yes, we will go to your funeral and then rue your name when we cannot figure out why you chose to do what you did. Information that you may have found irrelevant, or when you think to yourself “Gee, why would someone want to know this?”, may come in handy when your DC burns down, in a DR scenario, or when scoping extra power requirements.

Thoughts

My documentation motto of “Even the smallest change requires documentation” is, I believe, a good step. By updating these evolving documents you won’t be lost next outage and will have a better understanding of the network. I especially recommend that people new to a job do this, as they have the most to learn and gain. If there is something missing, make it up: document and investigate yourself. I bet your managers and co-workers will not mind at all.

My Networking Heroes

I don’t have a blogroll yet, but there are a few people in the industry whose posts I will read no matter what, or whose opinion I give far more weight than others. For those new to networking or getting involved in the twitterverse, these people are must-read/follow! If any of these people read this, I want you guys to know I personally thank you for helping me get to where I am today!

Defenders of packets against black hole routing!

Ivan Pepelnjak – ipSpace.net @ioshints

One word sums Ivan up: MPLS. This is the man who literally wrote the book on it. Well, he wrote two. Oh, and a new RFC draft on BGP security. Ivan hosts webinars on topics such as Data Centers, Virtualization, DMVPN and many more, and blogs frequently on a myriad of topics ranging from opinion pieces right through to technical reviews and thorough design analysis.

Tom Hollingsworth - networkingnerd  @networkingnerd

Commander Snark! Always informative and ever insightful, Tom delivers constant reports. A Tech Field Day veteran of many campaigns, it would be safe to say he knows his stuff! I believe Tom’s posts are some of the best that come out of TFD regarding the products, engaging readers of all levels.

The Packetpushers Podcast – Packetpushers.net @packetpushers

Greg Ferro and Ethan Banks! The podcast that you must listen to. If you are anybody in the industry you will have heard about the podcast! Weekly episodes of networking banter, commercial shows or general banter! And between them these two have networking industry experience adding up to almost double my age!

Kurt Bales – Network Janitor @networkjanitor

The Juniper Dingo! Kurt is a down-to-earth, tell-it-how-it-is guy with a strange fascination for ‘these Juniper devices’. My mentor and good friend is extremely knowledgeable on ISP, Data Center and Enterprise routing for IOS and JUNOS. That, and we both love musk sticks!

Marko Milivojevic   – http://blog.markom.info/   @icemarkom

Many people may not know this, but Marko in my opinion is a genius! Building an ISP-level network for Vodafone Iceland! All kinds of epic, and it makes me wonder if it was purely for Eve Online. Marko’s other fame comes from the CCIE vendor IPExpert. The master of pain and punishment, Marko delivers bootcamps and CCIE material to potential candidates and grooms some of the best people to become great CCIEs.

Jeremy Stretch – Packetlife.net  @packetlife

Stretch. I think everyone on this list owes you. Your community lab is something that everyone has heard about and probably has used. A great free, community-run lab for anyone to practice on is hosted over at his site. Along with cheat sheets, a wiki, an armory of tools and a forum, Jeremy’s blog is full of great posts and insightful topics.

To be continued.

Non Cisco Emergency GBIC/SFP’s

Today saw me in a spot where I had a dead fiber SFP. You guessed it: 3750 chassis. Well, I only had a few lying around, and some were Linksys and one was stripped of its stickers.

Needing this link back up whilst I waited for a new one, I plugged in a non-Cisco SFP. Behold the error.

%PHY-4-UNSUPPORTED_TRANSCEIVER: Unsupported transceiver found in Gi1/0/1
%GBIC_SECURITY_CRYPT-4-VN_DATA_CRC_ERROR: GBIC in port 65538 has bad crc

All SFPs/GBICs contain a burnt-in hardware ID, vendor name, serial and CRC. The following commands, which are undocumented, bypass this error and bring up the interface!

LAB-SW-A(config)# service unsupported-transceiver
LAB-SW-A(config)# no errdisable detect cause gbic-invalid

Voila! There you go. Quick fix. Just note that when you issue a show tech for TAC, it will reveal that you have suppressed this message and that you have overridden the Cisco-only SFP/GBIC check. That means no help!
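Since a show tech exposes the override anyway, a config and syslog audit can find it on your own switches before TAC does. Added example, not from the original post: Python that flags the two override statements in a saved running-config and picks out the transceiver messages from a syslog excerpt; both inputs are constructed samples modelled on the lines above.

```python
"""Find switches where the transceiver check has been overridden, using a
saved running-config and a syslog excerpt. Added example, not from the post."""
import re

# Constructed running-config excerpt; the two override lines are the post's.
SAMPLE_CONFIG = """\
hostname LAB-SW-A
service unsupported-transceiver
no errdisable detect cause gbic-invalid
interface GigabitEthernet1/0/1
 description uplink to core
"""

# Constructed syslog lines modelled on the messages quoted in the post.
SAMPLE_SYSLOG = """\
Jan  1 10:00:01 LAB-SW-A 12: %PHY-4-UNSUPPORTED_TRANSCEIVER: Unsupported transceiver found in Gi1/0/1
Jan  1 10:00:01 LAB-SW-A 13: %GBIC_SECURITY_CRYPT-4-VN_DATA_CRC_ERROR: GBIC in port 65538 has bad crc
Jan  1 10:05:00 LAB-SW-A 14: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to up
"""

# Override statements and what each one switches off.
OVERRIDES = {
    "service unsupported-transceiver": "allows third-party optics to come up",
    "no errdisable detect cause gbic-invalid": "stops bad-CRC optics being errdisabled",
}
# %FACILITY-SEVERITY-MNEMONIC: text, as IOS formats its syslog messages.
SYSLOG_RE = re.compile(r"%(?P<facility>[A-Z_]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z_]+): (?P<msg>.*)$")
TRANSCEIVER_FACILITIES = {"PHY", "GBIC_SECURITY_CRYPT"}

def config_overrides(config):
    """Return {statement: effect} for every override present in the config."""
    present = {line.strip() for line in config.splitlines()}
    return {stmt: why for stmt, why in OVERRIDES.items() if stmt in present}

def transceiver_events(syslog):
    """Return (mnemonic, message) for each transceiver-related syslog line."""
    hits = []
    for line in syslog.splitlines():
        m = SYSLOG_RE.search(line)
        if m and m.group("facility") in TRANSCEIVER_FACILITIES:
            hits.append((m.group("mnemonic"), m.group("msg")))
    return hits

def audit(config, syslog):
    """'overridden' if any override is configured (show tech will expose it),
    'errdisable-risk' if optics complained but nothing was overridden, else 'clean'."""
    overrides, events = config_overrides(config), transceiver_events(syslog)
    if overrides:
        return "overridden", overrides, events
    return ("errdisable-risk" if events else "clean"), overrides, events

if __name__ == "__main__":
    status, overrides, events = audit(SAMPLE_CONFIG, SAMPLE_SYSLOG)
    print(status, list(overrides), [m for m, _ in events])
```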