Still alive, just been busy with work and various other stuff.
For the last couple of months my study has been mainly some light reading here and there. Virtually no labbing yet, because for one I don’t have any study material yet (i.e. workbooks) and secondly I don’t have a lab to study on. Work is supporting my second IE, but there’s just some finalization to be done before the material is purchased – which will be from Internetwork Expert. With regard to practical study, unless I have a fully functional lab at my disposal any time I want it, there’s very little chance I’ll study at all. But that has all changed since yesterday!
A few days ago IE released the specs for their new Security racks. So with some free time off, and using what I had already prepared a few months ago, I’ve now got a fully functioning lab that almost matches their topology exactly. And the best part is that it’s pretty much all virtual, idling on my Windows XP quad core with 3GB at 30% utilization.
So here’s what I have:
Virtual (Dynamips)
R1 – 3725 (c3725-adventerprisek9-mz.124-15.T8.image)
R2 – 3725 (c3725-adventerprisek9-mz.124-15.T8.image)
R3 – 3725 (c3725-adventerprisek9-mz.124-15.T8.image)
R4 – 3725 (c3725-adventerprisek9-mz.124-15.T8.image)
R5 – 3725 (c3725-adventerprisek9-mz.124-15.T8.image)
R6 – 3725 (c3725-adventerprisek9-mz.124-15.T8.image)
BB1 – 3640 (c3640-is-mz.124-23)
BB2 – 3640 (c3640-is-mz.124-23)
BB3 – 3640 (c3640-is-mz.124-23)
Virtual (Other)
ACS Server 4.2 Trial – Running on Windows 2003 Server in VMware
IPS 5.1 – Running in VMware
2 x ASA 8.0(2) – Running in QEMU
Real Equipment
Cisco 3548XL Switch
2 x Cisco 3550 24 Port EMI
Test PC (my home laptop)
Now in terms of how I get all this working, I’ll start with a diagram:
The key to getting the whole topology working is in the Intel Server NIC and the 3548XL switch. I created a VLAN (which shows up as a logical interface in Windows) for every device interface that needs to ‘physically’ connect to the 3550 switches. In total there are 21 VLAN interfaces.
Each virtual device’s interface is then mapped to one of these VLAN interfaces either through dynamips, Qemu, or VMware.
The physical Intel NIC (which is set to trunk all the VLANs) connects to the 3548XL. So now we have 21 separate VLANs for 21 separate interfaces, all being trunked through to a physical switch. At this point the devices still have no way of communicating with each other...
I then configured 21 ports on the 3548XL switch using the same VLAN IDs and used very short Ethernet cables to patch each port to the corresponding ports on the real 3550s, as per the Internetwork Expert racks.
For example, ASA1 port E0/1 is supposed to be on SW Fa0/13. So I assigned it VLAN 113 on the PC, assigned port Fa0/13 to VLAN 113 on the 3548XL, and then patched it through to SW1 Fa0/13. Oh, and I turned off spanning-tree for all the VLANs to make sure BPDUs don’t start coming in on the 3550s. They are all host ports, remember :)
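The mapping above (device interface → VLAN on the server NIC → 3548XL access port → 3550 port) is easy to get wrong across 21 entries, and a VLAN or port used twice quietly bridges two lab segments that are supposed to be isolated. The following is an added example, not code from the post: a small Python script that holds the mapping as data, checks it for collisions, and renders the 3548XL side of it. Only the ASA1 E0/1 → VLAN 113 → Fa0/13 → SW1 Fa0/13 row comes from the post; the other rows are constructed sample data. The IOS commands are the 3500XL-style syntax I would expect (`switchport access vlan`, `switchport trunk allowed vlan`, `no spanning-tree vlan`) and are an assumption for that platform, as is using Fa0/48 as the trunk port to the server.

```python
"""VLAN patch-through generator and sanity check for the lab topology.

Added example, not the post's own code. Encodes the scheme from the post:
each virtual-device interface gets its own VLAN on the server NIC, the NIC
trunks them all to the 3548XL, and each 3548XL access port is patched to the
matching port on a physical 3550. IOS syntax and the trunk port number are
assumptions for a 3500XL-class switch.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class PatchEntry:
    device: str     # virtual device, e.g. "ASA1"
    interface: str  # its interface, e.g. "E0/1"
    vlan: int       # VLAN id on the server NIC and on the 3548XL
    xl_port: int    # 3548XL access port (Fa0/<n>) that is patched out
    sw: str         # physical 3550 the cable goes to, e.g. "SW1"
    sw_port: int    # port on that 3550 (Fa0/<n>)


# Constructed sample mapping; the first row is the example given in the post.
LAB_MAP = [
    PatchEntry("ASA1", "E0/1", 113, 13, "SW1", 13),
    PatchEntry("ASA1", "E0/0", 111, 11, "SW1", 11),
    PatchEntry("R1", "Fa0/0", 101, 1, "SW1", 1),
    PatchEntry("IPS", "Gi0/0", 210, 35, "SW2", 10),
]


def check_mapping(entries: Iterable[PatchEntry]) -> List[str]:
    """Return human-readable problems. A VLAN, 3548XL port or 3550 port
    that appears twice would silently join two lab segments together."""
    problems: List[str] = []
    seen: Dict[str, Dict[object, str]] = {"vlan": {}, "xl_port": {}, "sw_port": {}}
    for e in entries:
        owner = f"{e.device} {e.interface}"
        keys = {"vlan": e.vlan, "xl_port": e.xl_port, "sw_port": (e.sw, e.sw_port)}
        for kind, key in keys.items():
            if key in seen[kind]:
                problems.append(f"{kind} {key} used by both {seen[kind][key]} and {owner}")
            else:
                seen[kind][key] = owner
    return problems


def render_3548xl_config(entries: Iterable[PatchEntry], trunk_port: int = 48) -> str:
    """Render the 3548XL config: spanning-tree off per VLAN (the post disables
    it so no BPDUs reach the 3550 host ports), one access port per entry, and a
    trunk to the server that allows exactly the lab VLANs and nothing else."""
    entries = list(entries)
    lines: List[str] = [f"no spanning-tree vlan {e.vlan}" for e in entries]
    for e in entries:
        lines += [
            f"interface FastEthernet0/{e.xl_port}",
            f" description {e.device} {e.interface} -> {e.sw} Fa0/{e.sw_port}",
            " switchport mode access",
            f" switchport access vlan {e.vlan}",
        ]
    allowed = ",".join(str(v) for v in sorted(e.vlan for e in entries))
    lines += [
        f"interface FastEthernet0/{trunk_port}",
        " description trunk to server NIC",
        " switchport trunk encapsulation dot1q",
        " switchport mode trunk",
        f" switchport trunk allowed vlan {allowed}",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    issues = check_mapping(LAB_MAP)
    if issues:
        raise SystemExit("\n".join(issues))
    print(render_3548xl_config(LAB_MAP))
```

Keeping the mapping in one table means the same data can drive the Windows VLAN interface list and the cable plan, and the collision check runs before any config is pasted in; restricting the trunk's allowed VLAN list to the lab VLANs is cheap insurance against something on the server side leaking onto a segment it was never meant to touch.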
As far as getting the other virtual devices running here’s what I did:
ASA
- http://7200emu.hacki.at/viewtopic.php?t=4936&postdays=0&postorder=asc&start=0 – Look for the posts by ‘thumpercisco’
- QEMU is configured to map ASA interfaces to MS Loopback interfaces (3 for each ASA)
IPS
- http://7200emu.hacki.at/viewtopic.php?t=3095
- 3 VMware virtual adapters (only two required for topology)
- Enable VNC on the VMware instance so you don’t need to go through the host machine every time.
ACS
- Trial version from Cisco, just save the VMware image once installed so you can reload it after 90 days
- Enable VNC on the VMware instance so you don’t need to go through the host machine every time.
Other Stuff
To make things even easier I purchased a 2 port RS232 PCI card from eBay and installed it in my server. I then use a program called “Serial to Ethernet Connector” so that I can telnet from my Test PC to a TCP port on the server and it maps my session to the serial ports of the physical switches.
.NET file
If you want a copy of my .NET file please look at more recent posts.
Fully virtual?
I did consider doing the whole thing in dynamips, and it is very possible. The only thing that annoyed me was the switch ports would be different on my setup than they would be in the workbooks (16 ports on the NM modules as opposed to 24). This meant some ports would be changed, meaning the diagrams would all be wrong, and the initial configs would all need to be changed.
——
The CPUs idle nicely at 30% (full topology), and memory usage is about 1.5GB total.
With this setup I’ll be able to test most technologies and even do most full-scale labs.
I hope this helps anyone thinking about or pursuing their Security track. Feel free to drop me a line if you have any questions.
