CCIE Security Home Lab with dynamips
From Internetworkpro
Introduction
The goal
I wanted to have a lab environment where I can prepare myself for the CCIE Security lab exam. Don't get me wrong, rack rentals are probably the best and most cost-efficient way to play with real gear (besides owning the complete equipment). On the other hand, it can be quite frustrating trying to align your schedule with free rental time slots, so if you have some spare time (you should be studying right now, shouldn't you? ;-)) and don't fear a shell prompt, let's get started.
The final layout is very close to the topology that Internetworkexpert uses in their excellent workbooks.
Description
With the help of dynamips, dynagen and pemu, Cisco routers (including switch modules) and PIX devices can be emulated on a single PC. Recently I wrote a howto on running the Cisco IPS software in VMware, so except for ASA firewalls, VPN concentrators and some security features of the Catalyst switches, everything the current CCIE lab blueprint lists can be emulated on a PC.
In my environment, I have one external Cat3750, one ASA 5505 and a VPN 3005 concentrator. If you don't have these devices, you can still master a lot of the blueprint topics and rent a rack to make yourself familiar with the VPN concentrator and some of the features a PIX does not offer (WebVPN).
What you need
Hardware
- a powerful PC
- P4/Core2Duo or AMD equivalent
- lots of RAM (2+GB)
- 2 NICs
- USB to serial adapters (optional, see below)
Open Source Software
- Linux distribution of your choice (I use Debian etch)
- dynamips
- dynagen
- pemu (registration required to view/download attachments)
- Howto run Cisco IPS in VMware
[Update] ASA emulation is now also possible; please refer to the thread at hacki's forum (login required to download attachments).
Commercial Software
- VMware Workstation (5 or 6)
Cisco Firmware/Software
- Cisco IOS 12.2T or 12.3 mainline for the 3640, Enterprise/FW/IDS PLUS IPSec 3DES (as outlined in the Blueprint)
- Cisco PIX OS 7.2
- Cisco IPS Software, Release 5.1
- Cisco ACS software 4.x (30 day trial available)
- Cisco VPN Client 4.8
- Cisco Trust Agent
Access to the software requires a CCO account and a support contract bound to your profile. Check with your Cisco AM/SE whether you are allowed to use the software outside of real devices.
Installation
Overview
System Preparation
Usually you will have one NIC in your PC that provides connectivity to the rest of your network. Because of a limitation in Linux, a NIO_eth instance attached to the physical interface cannot reach local network resources on the same host; for this reason you have to drop the IP configuration from the physical interface and use a bridge instead.
Install bridge-utils and uml-utils for bridge and tun/tap support:
aptitude install bridge-utils uml-utilities
Modify the settings of your network card to the following (the example shows Debian):
auto br0
iface br0 inet static
pre-up tunctl -t tap0
pre-up ifconfig eth0 0.0.0.0 promisc up
pre-up ifconfig tap0 0.0.0.0 promisc up
pre-up brctl addbr br0
pre-up brctl stp br0 off
pre-up brctl setfd br0 1
pre-up brctl sethello br0 1
pre-up brctl addif br0 eth0
pre-up brctl addif br0 tap0
post-down tunctl -d tap0
address 192.168.10.4
netmask 255.255.255.0
network 192.168.10.0
broadcast 192.168.10.255
gateway 192.168.10.2
[...]
The second NIC provides connectivity to the real switch via .1q, so it does not need any IP configuration:
auto eth1
iface eth1 inet manual
You need to make sure your Ethernet card supports frames exceeding the standard Ethernet MTU of 1500 bytes, since the 802.1q tag adds 4 bytes of header. If you experience problems and cannot get your NIC to cooperate, try lowering the MTU on the devices to 1496 bytes (this is a dangerous and very ugly workaround!).
Outside serial consoles
At the moment I have 3 real devices. For console access I would need 3 COM ports; my modern PC doesn't even have one ;-) So I bought some USB/serial adapters (yes, I know) that are supposed to work under Linux.
The adapters are recognized as
Prolific Technology Inc., USB-Serial Controller, Vendor=067b ProdID=2303 Rev= 3.00
On the box they were labelled "Digitus USB 1.1 to serial Converter". Install ser2net to make the USB serial ports accessible via TCP:
aptitude install ser2net
The file /etc/ser2net should look like this:
#SW1
2011:telnet:600:/dev/ttyUSB0:9600 8DATABITS NONE 1STOPBIT banner
#VPN1
2024:telnet:600:/dev/ttyUSB1:9600 8DATABITS NONE 1STOPBIT banner
#ASA1
2023:telnet:600:/dev/ttyUSB2:9600 8DATABITS NONE 1STOPBIT banner
Dynamips and Dynagen
Download both programs and install them to a common location. A very good step-by-step installation guide can be found here: http://ubuntuforums.org/showthread.php?t=791768. I use the following directory layout:
/opt/dynamips           <- main directory
/opt/dynamips/src/...   <- source directory
/opt/dynamips/bin       <- bin directory
/opt/dynamips/images    <- IOS/PIX images
/opt/dynamips/lab       <- the actual lab environment
I prefer to download the source code, compile it and symlink the binaries to /opt/dynamips/bin.
configobj.py -> /opt/dynamips/src/dynagen-0.9.3/configobj.py
configspec -> /opt/dynamips/src/dynagen-0.9.3/configspec
console.py -> /opt/dynamips/src/dynagen-0.9.3/console.py
dynagen -> /opt/dynamips/src/dynagen-0.9.3/dynagen
dynagen.ini
dynamips -> /opt/dynamips/src/dynamips-0.2.7/dynamips
dynamips_lib.py -> /opt/dynamips/src/dynagen-0.9.3/dynamips_lib.py
validate.py -> /opt/dynamips/src/dynagen-0.9.3/validate.py
YMMV.
The Dynamips hypervisors should start at system boot. Create an init script that launches
/opt/dynamips/bin/dynamips -H 7200
/opt/dynamips/bin/dynamips -H 7201
Dynagen will be started within a GNU screen session, more on this later in the tutorial.
Place the IOS image for the 3640 under /opt/dynamips/images/3640.
pemu
Get the pemu binary distribution and place everything in /opt/dynamips/bin. To limit CPU usage (the PIX will not idle and eats up all available CPU cycles), install cpulimit:
aptitude install cpulimit
Place your PIX image at /opt/dynamips/images/pix.
If you are using 64-bit Linux you have to install ia32-libs. It will pull in more packages, which are necessary:
apt-get install ia32-libs
Note: Dynagen 0.11 and newer contains pemu itself.
IPS
Follow my howto posted at 7200emu.hacki.at (this is also posted at http://www.zengl.net/Cisco_IPS/).
Following most of einval's instructions, I found that Intel SpeedStep was being a major jerk in calculating MHz properly for the device identification.
I just changed line 248 in /etc/init.d/ids_functions to
elif true ; then
This basically forces the model to $IDS4215. All the further scripts work great, and I didn't need to mess with DMI or the system BIOS; otherwise a vanilla install :)
AAA/CA and TestPC
Create two new VMs, each with two network adapters. One adapter shall be bridged to your inside (real) network card so that you can RDP to the systems as well as access the ACS GUI directly over the network, which is much faster than using the VMware screen.
Ubuntu + VirtualBox with tap interfaces
1. Install the following packages:
apt-get install bridge-utils virtualbox-3.0 uml-utilities
2. Follow the instructions here: http://www.roadtoccnp.com/
Configuration
dynagen and pemu
YOU CAN SKIP THIS STEP IF YOU ARE USING DYNAGEN 0.11 OR NEWER
Create a directory where the dynamips lab files are stored; I use /opt/dynamips/lab/iewb. In this directory, create a dynagen .net file (iewb.net, see Appendix). Then, in the same directory, create two shell scripts to launch the pemu instances:
pix1.sh
#!/bin/bash
/opt/dynamips/bin/pemu \
-net nic,vlan=1,macaddr=00:00:00:00:10:00 -net udp,vlan=1,sport=51100,dport=41212,daddr=127.0.0.1 \
-net nic,vlan=2,macaddr=00:00:00:00:10:01 -net udp,vlan=2,sport=51101,dport=41213,daddr=127.0.0.1 \
-net nic,vlan=3,macaddr=00:00:00:00:10:02 -net udp,vlan=3,sport=51102,dport=41312,daddr=127.0.0.1 \
-net nic,vlan=4,macaddr=00:00:00:00:10:03 -net udp,vlan=4,sport=51103,dport=41313,daddr=127.0.0.1 \
-serial telnet::2021,server,nowait -m 128 pix1 &
/usr/bin/cpulimit -p $! -l 20 &
pix2.sh
#!/bin/bash
/opt/dynamips/bin/pemu \
-net nic,vlan=1,macaddr=00:00:00:00:20:00 -net udp,vlan=1,sport=51200,dport=41214,daddr=127.0.0.1 \
-net nic,vlan=2,macaddr=00:00:00:00:20:01 -net udp,vlan=2,sport=51201,dport=41215,daddr=127.0.0.1 \
-net nic,vlan=3,macaddr=00:00:00:00:20:02 -net udp,vlan=3,sport=51202,dport=41314,daddr=127.0.0.1 \
-net nic,vlan=4,macaddr=00:00:00:00:20:03 -net udp,vlan=4,sport=51203,dport=41315,daddr=127.0.0.1 \
-serial telnet::2022,server,nowait -m 128 pix2 &
/usr/bin/cpulimit -p $! -l 20 &
Also, don't forget to create a pemu.ini in this directory that contains image, BIOS and serial number information:
serial=0x0000000                          # change to real value
image=/opt/dynamips/images/pix/pix.722
key=0x000000,0x000000,0x000000,0x000000   # change to real value
bios1=/opt/dynamips/bin/mybios_d8000
bios2=/opt/dynamips/bin/bios.bin
bios_checksum=1
To launch dynamips, you already created the init scripts. For dynagen and pemu startup we use GNU screen (install it now if it is not present on your system). Create a .screenrc in your lab directory (/opt/dynamips/lab/iewb):
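Every pemu NIC is wired to a switch port by a pair of UDP ports: the pemu side's sport/dport must be the mirror image of the dynagen NIO_udp entry (NIO_udp:&lt;dynamips local port&gt;:&lt;peer host&gt;:&lt;peer port&gt;), and a single mistyped digit leaves a link silently dead. The following check is an added example (not part of the original page or of dynagen) that parses the two formats and reports unpaired or double-bound ports; the inputs are constructed excerpts, and it assumes everything runs on one host so both directions use 127.0.0.1.

```python
import re
from collections import Counter

# Constructed excerpts in the page's own format: pemu "-net udp" options
# (pix1.sh) and NIO_udp lines from the dynagen .net file. The third pair is
# deliberately mistyped (51103 instead of 51102) so the check reports it.
PEMU_ARGS = """
-net udp,vlan=1,sport=51100,dport=41212,daddr=127.0.0.1
-net udp,vlan=2,sport=51101,dport=41213,daddr=127.0.0.1
-net udp,vlan=3,sport=51102,dport=41312,daddr=127.0.0.1
"""
NET_FILE = """
F1/12 = NIO_udp:41212:127.0.0.1:51100
F1/13 = NIO_udp:41213:127.0.0.1:51101
F1/12 = NIO_udp:41312:127.0.0.1:51103
"""

PEMU_RE = re.compile(r"-net udp,vlan=(\d+),sport=(\d+),dport=(\d+),daddr=([\d.]+)")
# dynagen syntax: NIO_udp:<dynamips local port>:<peer host>:<peer port>
NIO_RE = re.compile(r"NIO_udp:(\d+):([\d.]+):(\d+)")


def pemu_links(text):
    """Map (dport, daddr, sport) -> vlan for every pemu UDP NIC."""
    return {(int(d), a, int(s)): int(v) for v, s, d, a in PEMU_RE.findall(text)}


def dynagen_links(text):
    """Set of (local port, peer host, peer port) for every NIO_udp line."""
    return {(int(l), h, int(r)) for l, h, r in NIO_RE.findall(text)}


def check_wiring(pemu_text, net_text):
    """A pemu NIC with sport=S,dport=D,daddr=H only carries traffic if the
    dynagen side has NIO_udp:D:H:S (single host assumed, so H is 127.0.0.1
    in both directions). Returns (pemu vlans with no partner, dynagen NIOs
    with no partner, dynamips local ports bound more than once)."""
    pemu = pemu_links(pemu_text)
    dyn = dynagen_links(net_text)
    unmatched = sorted(vlan for key, vlan in pemu.items() if key not in dyn)
    orphans = sorted(dyn - set(pemu))
    dup_ports = sorted(p for p, n in Counter(l for l, _, _ in dyn).items() if n > 1)
    return unmatched, orphans, dup_ports


if __name__ == "__main__":
    print(check_wiring(PEMU_ARGS, NET_FILE))
```

Run it against the real pix1.sh/pix2.sh and iewb.net contents (read the files and pass their text); the .net file covers both PIX instances, so feed it the options of both scripts concatenated or orphans will be reported for the other PIX.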
hardstatus alwayslastline '%{= kG}[ %{G}%H %{g}][%= %{= kw}%?%-Lw%?%{r}(%{W}%n*%f%t%?(%u\)%?%{r})%{w}%?%+Lw%?%?%= %{g}][%{B} %d.%m %{W}%c %{g}]'
defutf8 off
sessionname IEWB
screen -t dgen 0 /opt/dynamips/bin/dynagen /opt/dynamips/lab/iewb/iewb.net
screen -t pixa 1
screen -t pixb 2
at pixa stuff " cd /opt/dynamips/lab/iewb; ./pix1.sh \015"
at pixb stuff " cd /opt/dynamips/lab/iewb; ./pix2.sh \015"
You can now do a test by launching the screen session:
screen -c .screenrc
3 "windows" will open: one for dynagen and one for each pemu instance.
Automating startup
The dynamips hypervisors already start up on system boot. There are several ways to do this for the screen session containing dynagen and pemu as well as for the VMware instances.
Lazy as I am, my peecee automatically starts X after booting, and the login manager automagically logs me in. So I decided to make use of the Autostart feature provided by KDE (should be available in other desktop managers too), launching VMware and the screen session immediately.
IEWBLAB.sh
#!/bin/sh
exec konsole -T "IEWB LAB" -e sudo screen -c /opt/dynamips/lab/iewb/.screenrc
vmwarestart.sh
#!/bin/sh
exec /opt/vmware/vmware -x -q ~/AAA/AAA.vmx ~/TestPC/TestPC.vmx ~/Cisco_IPS/Cisco_IPS.vmx
That's it!
Usage
The heart of the environment is the terminal server dynamips instance. It has one interface bridged to the "inside" interface of the PC; you usually assign the TermSRV E0/0 interface a new IP address from that network (192.168.10.230 in my example). Once it has booted you can simply telnet to the TS and access all the device consoles within one session. In the TermSRV configuration, make the necessary entries for reverse telnet (replace 192.168.10.4 with the IP address of your br0 interface):
ip host R1 2001 192.168.10.4
ip host R2 2002 192.168.10.4
ip host R3 2003 192.168.10.4
ip host R4 2004 192.168.10.4
ip host R5 2005 192.168.10.4
ip host R6 2006 192.168.10.4
ip host SW1 2011 192.168.10.4
ip host SW2 2012 192.168.10.4
ip host SW3 2013 192.168.10.4
ip host BB1 2007 192.168.10.4
ip host BB2 2008 192.168.10.4
ip host BB3 2009 192.168.10.4
ip host ASA1 2023 192.168.10.4
ip host PIX1 2021 192.168.10.4
ip host PIX2 2022 192.168.10.4
ip host VPN1 2024 192.168.10.4
The rest is pretty straightforward and equals a remote rack session. You want to be a CCIE, figure it out ;-)
For console access to the IPS, create a virtual serial port in VMware (a "named pipe", which is actually a unix domain socket) and use socat to relay it to TCP:
socat /path/to/domain/socket tcp4-listen:<port>
or, for direct console access:
socat /path/to/domain/socket stdio
You can even share your lab experience by doing your telnet sessions inside a GNU screen session and making that session multi-user capable. For this, modify your .screenrc and add these lines:
multiuser on
acladd <unix account(s) that you want to share the session with>
Make the screen binary suid root (the only drawback), and the other user(s) can connect with
$ screen -r <user that has started the screen session>/IEWB
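The reverse-telnet table above only works when every port it names is actually served by something on the lab host: a dynagen "console =" line, a pemu "-serial telnet::" option or a ser2net entry, all pointing at the br0 address. The following cross-check is an added example (not from the original page or any of those tools); the inputs are constructed excerpts in the three formats, and the bridge address is passed in as the hypothetical bridge_ip parameter.

```python
import re

# Constructed excerpts in the formats this page uses: TermSRV "ip host"
# entries, dynagen "console =" lines, a pemu "-serial" option and a ser2net
# line. R9/2099 (no listener), port 2050 (no ip host entry) and the wrong
# address on PIX1 are deliberate so the check has something to report.
IP_HOST = """
ip host R1 2001 192.168.10.4
ip host SW1 2011 192.168.10.4
ip host PIX1 2021 192.168.10.5
ip host R9 2099 192.168.10.4
"""
LISTENERS = """
console = 2001
console = 2050
-serial telnet::2021,server,nowait -m 128 pix1 &
2011:telnet:600:/dev/ttyUSB0:9600 8DATABITS NONE 1STOPBIT banner
"""

HOST_RE = re.compile(r"^ip host (\S+) (\d+) (\S+)", re.M)
LISTENER_RES = {
    "dynagen": re.compile(r"^\s*console\s*=\s*(\d+)", re.M),
    "pemu": re.compile(r"-serial telnet::(\d+)"),
    "ser2net": re.compile(r"^(\d+):telnet:", re.M),
}


def listening_ports(text):
    """Map TCP port -> which program serves a console on it."""
    return {int(p): kind for kind, rx in LISTENER_RES.items() for p in rx.findall(text)}


def check_console_map(ip_host_text, listener_text, bridge_ip):
    """Cross-check the terminal server's reverse-telnet table against the
    console listeners on the lab host. Returns (names whose port has no
    listener, listener ports with no ip host entry, names whose address is
    not the br0 address)."""
    hosts = HOST_RE.findall(ip_host_text)
    ports = listening_ports(listener_text)
    no_listener = sorted(n for n, p, _ in hosts if int(p) not in ports)
    used = {int(p) for _, p, _ in hosts}
    unreachable = sorted(p for p in ports if p not in used)
    wrong_ip = sorted(n for n, _, ip in hosts if ip != bridge_ip)
    return no_listener, unreachable, wrong_ip


if __name__ == "__main__":
    print(check_console_map(IP_HOST, LISTENERS, "192.168.10.4"))
```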
Appendix
Topology
dynagen .net file
autostart=true
[localhost:7200]
workingdir = /opt/dynamips/lab/iewb/working
[[3640]]
image = /opt/dynamips/images/3640/c3640-jk9o3s-mz.122-15.T16.unzip
ram = 128
disk0 = 0
disk1 = 0
idlepc = 0x604354d0
mmap = false
ghostios = true
sparsemem = true
[[Router R1]]
model = 3640
console = 2001
E0/0 = SW2 F1/1
S1/0 = FRSW 1
[[Router R2]]
model = 3640
console = 2002
E0/0 = SW2 F1/2
S1/0 = FRSW 2
[[Router R3]]
model = 3640
console = 2003
E0/0 = SW2 F1/3
E0/1 = SW3 F1/3
S1/0 = FRSW 3
S1/1 = FRSW 13
S1/2 = R1 S1/1
S1/3 = R2 S1/1
[[Router R4]]
model = 3640
console = 2004
E0/0 = SW2 F1/4
E0/1 = SW3 F1/4
S1/0 = FRSW 4
S1/1 = R5 S1/1
[[Router R5]]
model = 3640
console = 2005
E0/0 = SW2 F1/5
E0/1 = SW3 F1/5
S1/0 = FRSW 5
[[Router R6]]
model = 3640
console = 2006
E0/0 = SW2 F1/6
E0/1 = SW3 F1/6
S1/0 = FRSW 6
[[Router SW2]]
model = 3640
console = 2012
slot1 = NM-16ESW
# Inter-Switch trunk
F1/0 = SW3 F1/0
# VMWare IPS Ma0/0
F1/7 = NIO_linux_eth:vmnet1
# VMWare ACS Lab interface
F1/8 = NIO_linux_eth:vmnet4
# VMWare TestPC Lab interface
F1/9 = NIO_linux_eth:vmnet5
# Trunk to external SW1
F1/11 = NIO_linux_eth:eth1
# pix1
F1/12 = NIO_udp:41212:127.0.0.1:51100
F1/13 = NIO_udp:41213:127.0.0.1:51101
# pix2
F1/14 = NIO_udp:41214:127.0.0.1:51200
F1/15 = NIO_udp:41215:127.0.0.1:51201
[[Router SW3]]
model = 3640
console = 2013
slot1 = NM-16ESW
# VMWare IPS gi0/1
F1/7 = NIO_linux_eth:vmnet2
# VMWare IPS gi0/2
F1/8 = NIO_linux_eth:vmnet3
# pix1
F1/12 = NIO_udp:41312:127.0.0.1:51102
F1/13 = NIO_udp:41313:127.0.0.1:51103
# pix2
F1/14 = NIO_udp:41314:127.0.0.1:51202
F1/15 = NIO_udp:41315:127.0.0.1:51203
[localhost:7201]
udp = 11000
workingdir = /opt/dynamips/lab/iewb/working
[[3640]]
image = /opt/dynamips/images/3640/c3640-jk9o3s-mz.122-15.T16.unzip
ram = 128
disk0 = 0
disk1 = 0
idlepc = 0x604354d0
mmap = false
ghostios = true
sparsemem = true
[[Router BB1]]
model = 3640
console = 2007
slot1 = NM-4T
E0/0 = SW2 F1/10
S1/0 = BB3 S1/0
S1/1 = FRSW 21
[[Router BB2]]
model = 3640
console = 2008
slot0 = NM-4E
E0/0 = SW3 F1/9
[[Router BB3]]
model = 3640
console = 2009
slot0 = NM-4E
slot1 = NM-4T
E0/0 = SW3 F1/10
[[Router TermSRV]]
model = 3640
console = 2050
E0/0 = NIO_tap:tap0
[[FRSW FRSW]]
# R1 to FRSW
1:102 = 2:201
1:103 = 3:301
1:113 = 13:311
1:104 = 4:401
1:105 = 5:501
# R2 to FRSW
2:203 = 3:302
2:213 = 13:312
2:204 = 4:402
2:205 = 5:502
# R3 to FRSW
3:304 = 4:403
3:305 = 5:503
13:314 = 4:413
13:315 = 5:513
# R4 to FRSW
4:405 = 5:504
# R6 to FRSW
6:51 = 21:51
6:100 = 21:100
6:101 = 21:101
6:201 = 21:201
6:301 = 21:301
6:401 = 21:401