Security Home Lab
Still alive, just been busy with work and various other stuff.
For the last couple of months my study has been mainly some light reading here and there. Virtually no labbing yet because for one I don’t have any study material yet (i.e. workbooks) and secondly I don’t have a lab to study on. Work are supporting my second IE, but there’s just some finalization to be done before the material is purchased – which will be from Internetwork Expert. With regard to practical study, unless I have a fully functional lab at my disposal anytime I want it, then there’s very little chance I’ll study at all. But that has all changed since yesterday!
A few days ago IE released the specs for their new Security racks. So with some free time off, and using what I already had prepared a few months ago, I’ve now got a fully functioning lab that almost matches their topology exactly. And the best part is that it’s pretty much all virtual, idling on my Windows XP Quad core 3GB at 30% utilization.
So here’s what I have:
Virtual (Dynamips)
R1 – 3725 (c3725-adventerprisek9-mz.124-15.T8.image)
R2 – 3725 (c3725-adventerprisek9-mz.124-15.T8.image)
R3 – 3725 (c3725-adventerprisek9-mz.124-15.T8.image)
R4 – 3725 (c3725-adventerprisek9-mz.124-15.T8.image)
R5 – 3725 (c3725-adventerprisek9-mz.124-15.T8.image)
R6 – 3725 (c3725-adventerprisek9-mz.124-15.T8.image)
BB1 – 3640 (c3640-is-mz.124-23)
BB2 – 3640 (c3640-is-mz.124-23)
BB3 – 3640 (c3640-is-mz.124-23)
Virtual (Other)
ACS Server 4.2 Trial – Running on Windows 2003 Server in VMware
IPS 5.1 – Running in VMware
2 x ASA 8.0(2) – Running in QEMU
Real Equipment
Cisco 3548XL Switch
2 x Cisco 3550 24 Port EMI
Test PC (my home laptop)
Now in terms of how I get all this working, I’ll start with a diagram:
The key to getting the whole topology working is in the Intel Server NIC and the 3548XL switch. I created a VLAN (which shows as a logical interface in Windows) for every device that needs to ‘physically’ connect to the 3550 switches. In total there are 21 VLAN interfaces.
Each virtual device’s interface is then mapped to one of these VLAN interfaces either through dynamips, Qemu, or VMware.
The physical Intel NIC (which is set to trunk all the VLANs) connects to the 3548XL. So now we have 21 separate VLANs for 21 separate interfaces all being trunked through to a physical switch. At this point the devices still have no way of communicating with each other...
I then configured 21 ports on the 3548XL switch using the same VLAN IDs and used very short Ethernet cables to patch each port to the corresponding ports on the real 3550s as per the Internetwork Expert racks.
For example, ASA1 port E0/1 is supposed to be on SW1 Fa0/13. So I assigned it VLAN 113 on the PC and then assigned port Fa0/13 VLAN 113 on the 3548XL, and then patched it through to SW1 Fa0/13. Oh, and I turned off spanning-tree for all the VLANs to make sure BPDUs don’t start coming in on the 3550s. They are all host ports remember :)
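With 21 hand-assigned VLANs, one reused ID silently puts two lab devices in the same segment, so it is worth checking the patch plan before cabling. The script below is an added example, not part of the original lab files: only the ASA1 row comes from the post, the other rows are constructed, and the 3548XL layout (ports 1-24 patched to SW1, 25-48 to SW2) is an assumption.

```python
from collections import Counter

# Rows: (virtual device, interface, VLAN on the host NIC, 3550 switch, 3550 port).
# Only the ASA1 row is from the post; the rest are constructed samples.
LINKS = [
    ("ASA1", "E0/1", 113, 1, 13),
    ("R1", "Fa0/0", 101, 1, 1),
    ("R2", "Fa0/0", 102, 1, 2),
    ("ASA2", "E0/1", 213, 2, 13),
]

def build_plan(links):
    """One row per patch cable: host VLAN, 3548XL access port, 3550 port."""
    plan = []
    for device, iface, vlan, sw, port in links:
        plan.append({
            "virtual": f"{device} {iface}",
            "vlan": vlan,
            # Assumed layout: 3548XL ports 1-24 patch to SW1, 25-48 to SW2.
            "xl_port": f"Fa0/{(sw - 1) * 24 + port}",
            "target": f"SW{sw} Fa0/{port}",
        })
    return plan

def validate(plan):
    """Return conflicts that would merge or break the lab segments."""
    reasons = {
        "vlan": "two virtual interfaces would share one segment on the trunk",
        "target": "a 3550 port can take only one patch cable",
    }
    errors = []
    for key, why in reasons.items():
        counts = Counter(row[key] for row in plan)
        errors += [f"duplicate {key} {value}: {why}"
                   for value, n in counts.items() if n > 1]
    for row in plan:
        # 802.1Q IDs run 1-4094; VLAN 1 is the default untagged native VLAN.
        if not 2 <= row["vlan"] <= 4094:
            errors.append(f'{row["virtual"]}: VLAN {row["vlan"]} '
                          "is not usable as a tagged VLAN")
    return errors

if __name__ == "__main__":
    plan = build_plan(LINKS)
    for row in plan:
        print(f'{row["virtual"]:<12} VLAN {row["vlan"]:<4} '
              f'3548XL {row["xl_port"]:<7} -> {row["target"]}')
    print(validate(plan) or "no conflicts")
```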
As far as getting the other virtual devices running here’s what I did:
ASA
- http://7200emu.hacki.at/viewtopic.php?t=4936&postdays=0&postorder=asc&start=0 – Look for the posts by ‘thumpercisco’
- QEMU is configured to map ASA interfaces to MS Loopback interfaces (3 for each ASA)
IPS
- http://7200emu.hacki.at/viewtopic.php?t=3095
- 3 VMware virtual adapters (only two required for topology)
- Enable VNC on the VMware instance so you don’t need to go through the host machine every time.
ACS
- Trial version from Cisco, just save the VMware image once installed so you can reload it after 90 days
- Enable VNC on the VMware instance so you don’t need to go through the host machine every time.
Other Stuff
To make things even easier I purchased a 2 port RS232 PCI card from eBay and installed it in my server. I then use a program called “Serial to Ethernet connector” so that I can telnet from my Test PC to a TCP port on the server and it maps my session to the serial ports of the physical switches.
.NET file
If you want a copy of my .NET file please look at more recent posts.
Fully virtual?
I did consider doing the whole thing in dynamips, and it is very possible. The only thing that annoyed me was the switch ports would be different on my setup than they would be in the workbooks (16 ports on the NM modules as opposed to 24). This meant some ports would be changed, meaning the diagrams would all be wrong, and the initial configs would all need to be changed.
——
The CPU’s idle nicely at 30% (full topology), and memory usage is about 1.5GB total.
With this setup I’ll be able to test most technologies and even do most full scale labs.
I hope this helps anyone thinking about or pursuing their Security track. Feel free to drop me a line if you have any questions.

March 29, 2009 at 3:20 am
Hi Paul,
I’ve been keeping a good eye on your blog. It’s great to see the tools and resources you are using to pursue your CCIE Security. Glad to see you’re still about and keeping us updated with your progress. Best of luck.
P.S. Please could you forward me a copy of your .net file for dynamips. It would be excellent to compare it to my own setup.
April 12, 2009 at 10:42 pm
Hi Paul,
Amazing work you did with the lab, in a month or so I plan to start working on this certification and like to get a virtual lab up and running. Could you send me your .net file for dynamips? Thanks in advance.
April 15, 2009 at 2:02 pm
Hi Paul,
I’m interested in your lab topology. Could you send me your .net file? Regards
April 23, 2009 at 10:21 am
Great work, and I like the use of the trunk to connect to your real switches. Could I please see your .net file too. Thanks
April 25, 2009 at 11:46 pm
Your topology can provide me with enough practice for me to take the CCIE security LAB. Pls send me the .NET file.
Thanks
May 1, 2009 at 6:02 pm
Paul,
I’d like to review the NET file if you’re still willing to share it.
Thanks
HJS
May 13, 2009 at 7:19 am
Paul – I tried trunking the GNS3 soft switch in the same manner you have shown in your blog to no avail. I am only successful if using VLAN 1, which I suspect is because it is not tagging the frames. Once I change to a VLAN other than 1 I receive encapsulation failed messages. Did you experience any problems along these lines when first setting it up? You mentioned that your NIC card is also trunking! How do you create a trunk on an Intel NIC? Any help you could provide would be greatly appreciated.
May 13, 2009 at 8:17 pm
Hi paul,
I’m new to QEMU, can you please send me the .net file.
thanks & regards
mak
May 16, 2009 at 12:24 pm
Hi,
i need the .NET file for CCIE security Lab.
thanks & regards
Pradeep Sah
May 18, 2009 at 1:06 am
Hi, Good work i must say. i am thinking to sit my lab too and probably the new exam very soon. can i also please get the .NET file.
May 26, 2009 at 5:14 pm
Hi,
I’m trying to get some good idlepc values for my 3725 IOS image. I’m quite interested in taking a peek at the values you’re using for your setup.
May I please get a copy of your .net file as well.
Many thanks
gomson
June 28, 2009 at 6:15 pm
Good work on the lab. I especially like how you made the interfaces work for the switches. Can I get a copy of your .net file and switch configs?
Thanks!
July 23, 2009 at 9:35 am
Hi, well done! I’m interested to know your hardware setup. I have assembled my own PC, a GAME PC!, but the more I tinker with GNS3 with my laptop the more I think I may have to use my game PC.
PC setup – Quad Core, 4 NICS (2 RealTek and 2 Intel) and runs on Windows 7. I am having trouble connecting to my real networks, especially when using trunking between my real switch and NM-16ESW module on a router. Any advice is greatly appreciated.
Thanks!
August 4, 2009 at 3:10 am
I am looking for long time to have my own lab with dynamips. Thanks i got your website to know about the same.
Please send me .net file to build my own.
Thanks
Tirumala
August 10, 2009 at 11:13 am
Hi,
I am doing my CCIE Security. Only today I went through this web page.
I am interested with this. I have VMware 6.5, IPS VMware Package for IPS5.1, GNS3, ASA for Pemu, 2- 3560 Switches.
I want to emulate IPS 6.1.x & ASA 8.0 In VMWARE. Can anybody Help me for this.
Please guide me for that to build my Own lab for my CCIE Security Preparation.
September 11, 2009 at 6:27 pm
Hi Paul
I recently started my CCIE prep as well but gave up on dynamips as I thought it was too much of a hassle. I will be relying on rented racks mostly and some small features I can test using two three routers on dynamips.
I am writing about the journey here http://iptechtalk.wordpress.com
And since we are both almost on the same page, I think it would be a good idea to stay in touch and discuss the technologies together.
If you agree, ping me on the blog and we can add each other up on msn etc
P.S
I had no luck with ASA simulation in GNS3. The reason I gave up was I was too lazy to look into that. Maybe during conversations, you can inspire me a bit :)
Regards
September 12, 2009 at 3:23 pm
Emailed you on the email you left with the comment.
Let’s meet up on msn or gtalk :)
October 7, 2009 at 7:31 pm
Great work, any chance of the .net file Thanks
October 30, 2009 at 4:35 am
Hi~~
I want to emulate IPS 6.1.x & ASA 8.0 In VMWARE and .net file.
Can anybody Help me for this.
Could you send e-mail … PLZ
Thank you..
October 30, 2009 at 4:48 am
I need to your virtual programs..
ACS Server 4.2 Trial – Running on Windows 2003 Server in VMware
IPS 5.1 – Running in VMware
2 x ASA 8.0(2) – Running in QEMU
.net file
QEMU
PLZ.. could you send me mail… ?? (^_^) ..
thank you..
November 3, 2009 at 5:32 am
I need to your virtual programs..
ACS Server 4.2 Trial – Running on Windows 2003 Server in VMware
IPS 5.1 – Running in VMware
2 x ASA 8.0(2) – Running in QEMU
.net file
QEMU
PLZ.. could you send me mail… ?? (^_^) ..
thank you..
my e-mail is catsiyi@chol.com … PLZ
November 12, 2009 at 6:32 am
hi~~~
PLZ~~~ I need your .NET file .. PLZ… Give me your .NET file..
T,.T .. my mail is catsiyi@chol.com