Computer Networking Studies with GNS3: 3. CCNA Security with GNS3

3. CCNA Security with GNS3

Started Aug 5, 2015

Introduction

In this portion of blog I'll try to share my CCNA Security study experience.
Below is a brief list of Software and Hardware I have.
I also promise to explain how to use it and overcome all those annoying little problems which slows you down and try to make regular updates as study progresses.

Study materials:

CCNA Security 640-554, Official Cert Guide, Keith Barker
CCNA Security Lab Manual Version 1.2
CCNA Security Course Booklet Version 1.2 - This one is quite useless unless you find the way to get all graphic content which is missing. The only reason I bought it because it has materials from Cisco Network Academy CCNA Security course.

Hardware:

PC Intel I5, 16GB RAM, 300GB HDD
2 Dual Port PCI RS-232 Cards
USB2.0 8 Ports HUB
5 USB 2.0 Ultrabook Ethernet Adapters (Low Power) from Monoprice. Small remark - do not mess with cheap USB2.0-Ethernet Adapters. They do not have all the functionality i.e. don't support duplex and so on.
3 Cisco 2960 or higher switches
Bunch of straight through and crossover cables

Software:

Ubuntu 14.04 LTS OS installed as second OS on my PC
GNS3 Network Simulation Software
C7200 Cisco Router IOS Image
Various OS images i.e. Windows XP, FreeBSD and so on
VirtualBox
PuTTY

Virtual Lab Hardware Configuration:

There are few words have to be said about this subject.

I'm trying to reproduce configurations found in Lab Manual.
Proposed configuration maximizes utilization GNS3 abilities to run different virtual hardware.

Cisco switches is a piece of hardware which is not supported by GNS3. They are vital part of Lab exercises. Therefore real hardware has to be used.

Fig 1. - Lab 9A, CISCO Network Academy

Let's take a look at Lab 9A configuration proposed in the manual.
According to this diagram I need 3 routers, switches and workstations.
It is going to cost me lots of money and occupy lots of space in my cave.
The same configuration can be built using virtual hardware without significant lose of functionality (if any).

I would name configuration shown on Fig 1 as Logical Diagram opposite to Physical presented below:

Fig 2.

GNS3 allows to emulate many different pieces of hardware.
I'm not going to spend time explaining things already well documented by GNS3 team. All the information about routers and hosts configuration within GNS3 is available at their web site.

Comparison of "Logical" and "Physical" diagrams reviles that all 3 routers and 3 hosts are replaced by single PC (Ubuntu Box). Also all three switch console cables are connected there. Use PuTTY terminal emulator (or any other emulator you like) to bring consoles to your computer desktop.

S1 switch has three connections. It is connected to S2 using crossover cable. Two straight through cables are necessary to connect S1 interfaces (see Fig 2.) to USB-Ethernet adapters representing Switch to Router and Switch to PC-A host connections.
One more USB-Ethernet Adapter is occupied by S2 to PC-B connection. S3 is connected to router and PC-C in the same way as S1 thus using two more straight through cables and USB-Ethernet adapters.

The same idea can be used to create topologies for other CISCO training courses - CCNA and CCNP for example.

Simple topology example

Let's start from simple topology. It can be used as a brick to build all topologies required to complete the course lab manual.

Fig 3. Topology sample

I'm using GNS3 ver 1.3.0 on Ubuntu 14.04.2 workstation.
Why Ubuntu and not Windows? There are few things that do not work under Windows OS and some which are easier to implement on Linux.
For example trunking protocol doesn't work between virtual router and real switch on windows.

Make sure at least one USB-Ethernet adapter is connected to the PC USB port or USB Hub. Adapters mentioned earlier do not require configuration and recognized by Ubuntu automatically. Use lsusb command to see if adapters are present.

gns@gns3lab:~$ lsusb
.
.
Bus 002 Device 013: ID 0b95:772b ASIX Electronics Corp. AX88772B
Bus 002 Device 012: ID 0b95:772b ASIX Electronics Corp. AX88772B
.
.

Check Ethernet adapters availability with ifconfig command.

gns@gns3lab:~$ ifconfig
eth0      Link encap:Ethernet HWaddr f4:6d:04:44:1c:1c
          inet addr:192.168.10.10 Bcast:192.168.75.255 Mask:255.255.255.0
          inet6 addr: fe80::f66d:4ff:fe44:1c1c/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:22939 errors:0 dropped:0 overruns:0 frame:0
          TX packets:15567 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:27156850 (27.1 MB) TX bytes:1667763 (1.6 MB)
          Interrupt:18 Memory:fb600000-fb620000

eth1      Link encap:Ethernet HWaddr 00:50:b6:0f:b8:ad
          inet addr:169.254.9.43 Bcast:169.254.255.255 Mask:255.255.0.0
          inet6 addr: fe80::250:b6ff:fe0f:b8ad/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:804 errors:0 dropped:73 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:55142 (55.1 KB) TX bytes:11425 (11.4 KB)

eth2      Link encap:Ethernet HWaddr 00:50:b6:0f:b8:e3
          inet addr:169.254.10.57 Bcast:169.254.255.255 Mask:255.255.0.0
          inet6 addr: fe80::250:b6ff:fe0f:b8e3/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:147 errors:0 dropped:126 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:23957 (23.9 KB) TX bytes:12114 (12.1 KB)

Do not assign IP Address to the adapter.

Console connection to the switch has to be established and straight through cable connected to both adapter and switch port.

I wont discuss technical details about how to configure GNS3. I've done my home work already. Instead let's focus on details important to create particular topology.

Start GNS3.
In some cases to make program work properly run it from terminal window using sudo command.

For example - while trying to connect router to cloud I got error message -Server error from 127.0.0.1:8000: R1: unable to create generic ethernet NIO

Run using "sudo" and forget about the problem.

I recommend to use C7200 router IOS image as it works with CCP.
(IOS image is used strictly for educational purposes.)

My router image is configured with the following parameters:

Fig 4.

Drop router node in GNS3 workspace. Add cloud node.
Right click on cloud node and change hostname to S1 and symbol to Ethernet switch.

Configure cloud node by adding nio_gen_linux:eth{1} interface.

Fig 5.

Connect one of router's Fast Ethernet interfaces to the newly created cloud.

Fig 6.

In order to be able to talk to the switch console install PuTTY SSH Client and configure it to use one of Serial ports available.
To check availability of serial ports do the following:

gns@gns3lab:~$ dmesg | grep tty
[    0.000000] console [tty0] enabled
[    0.778716] 00:07: ttyS0 at I/O 0x3f8 (irq = 4, base_baud = 115200) is a 16550A
[    0.800361] 0000:08:00.0: ttyS4 at I/O 0xc290 (irq = 18, base_baud = 115200) is a 16550A
[    0.821103] 0000:08:00.1: ttyS5 at I/O 0xc280 (irq = 18, base_baud = 115200) is a 16550A
[    0.841842] 0000:08:01.0: ttyS6 at I/O 0xc100 (irq = 19, base_baud = 115200) is a 16550A
[    0.862502] 0000:08:01.0: ttyS7 at I/O 0xc000 (irq = 19, base_baud = 115200) is a 16550A

or

gns@gns3lab:~$ setserial -g /dev/ttyS?
/dev/ttyS0, UART: 16550A, Port: 0x03f8, IRQ: 4
/dev/ttyS1, UART: unknown, Port: 0x02f8, IRQ: 3
/dev/ttyS2, UART: unknown, Port: 0x03e8, IRQ: 4
/dev/ttyS3, UART: unknown, Port: 0x02e8, IRQ: 3
/dev/ttyS4, UART: 16550A, Port: 0xc290, IRQ: 18
/dev/ttyS5, UART: 16550A, Port: 0xc280, IRQ: 18
/dev/ttyS6, UART: 16550A, Port: 0xc100, IRQ: 19
/dev/ttyS7, UART: 16550A, Port: 0xc000, IRQ: 19
/dev/ttyS8, UART: unknown, Port: 0x0000, IRQ: 0
/dev/ttyS9, UART: unknown, Port: 0x0000, IRQ: 0

In my case I use /dev/ttyS4 device file to communicate to switch S1.
Configure this connection as shown on Fig 6.
Do not forget to save changes.
Use putty -load S1_Serial command to start console terminal, where S1_Serial is the name of saved configuration.

Fig 7.

You can create desktop shortcut to open Switch console.
Make as many shortcuts as you need. Modify the name and command for each of them to console to different switches.

Now it is time to start router and switch.

Fig 8.

Be sure to check CPU power consumption after starting the router.
Recalculate new Idle-PC value if it is high.

Assign IP address to the router fa 0/1 interface:

R1(config)#int fa0/1
R1(config-if)#ip addr 192.168.1.1 255.255.255.0
R1(config-if)#no shut
R1(config-if)#do wr
Building configuration...
[OK]

For the switch enable fa 0/1 interface and configure vlan1 interface:

S1(config)#int fa0/1
S1(config-if)#no shut
S1(config-if)#
*Mar 1 00:14:25.519: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
*Mar 1 00:14:26.526: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
S1(config-if)#int vlan1
S1(config-if)#ip addr 192.168.1.2 255.255.255.0
S1(config-if)#no shut
S1(config-if)#
*Mar 1 00:15:09.115: %LINK-3-UPDOWN: Interface Vlan1, changed state to up
*Mar 1 00:15:09.123: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
S1(config-if)#do wr
Building configuration...
[OK]

Ping router interface:

S1(config-if)#do ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/209/1015 ms

We have finished first task connecting real equipment with virtual world of GNS3.
Congratulations!

As a next step we need to install Oracle VirtuaBox software.
I'll use it to create virtual windows hosts.

Download VirtualBox here.
Documentation is found here.

Important! Start VirtualBox using sudo command if your GNS3 started the same way. Otherwise all VirtualBox hosts created are not going to be visible to GNS3.

Second Ethernet-USB adapter should be connected to the PC before the moment we start doing host configuration. Connect it to the switch port FA 0/8 and enable the port.

Create Windows XP virtual machine.
Good video on how to install and configure VirtualBox can be found here.

Configuration of Windows host shell look like example below.

Fig 9.

Few words about host network configuration.


Fig 10.

Select Bridged Adapter for "Attached to:" dialog option.
Select second Ethernet-USB adapter for "Name:".
Set the rest of configuration according to Fig 10.
Launch Windows XP host by clicking Start button.
When operating system starts assign Static IP address, subnet mask and default gateway.
Let's use IP 192.168.1.10/24 , Default gateway 192.168.1.1 for our exercise.
Shut host down and exit VirtualBox.

In GNS3 click on Edit from top menu, Preferences and then VirtualBox VMs.
Click New button and add host available from drop down list, click Finish.

Fig 11.

Click Edit button and set following parameters:
RAM - 2048MB
Adapter Intel PRO/1000MT Desktop

Now we are ready to drop VirtualBox host to GNS3 workspace.
Click Browse End Devices icon and drag and drop PC_A host.
Right click on host icon and choose Start.

When OS is started check if network configuration is the same as preconfigured earlier (Fig 10).
Use Devices -> Network -> Network Settings from menu found at the top of virtual host screen.
If it is not then correct it.

Check host IP address with ipconfig command. At this point we should be able to ping switch and router already. Don't be confused that there is no connection drawn between switch and host in GNS3. Physical connection is established and because we are using Bridged adapter for the host, it is already can talk to the switch.

Ping switch and router IPs to verify it.

Use Draw Rectangle option to draw the line representing connection between host and switch in GNS3 topology. Unfortunately there is no other way to draw the line there.

The ping result along with resource monitor window is shown on picture below.

Fig 12.

This simple topology is the building block for lab examples found in Lab Manual. Therefore start building lab from loading it. Then before making customizations save it as. Also using topology snap shots is a smart idea. It can help to roll back changes in router's configurations without changing parameters one by one.

Note that instead of using real switches, GNS3 Ethernet Switch can be used in exercises where switch configuration is not required i.e. Lab 2A.

The only difference would be PC_A host network configuration. Instead of "Bridged adapter" option choose "Not Connected" and GNS3 will take care about the rest.