Virtual Test Lab With VMWare, Cisco and Microsoft

In the past few days I had to prepare the virtual lab for two pilot projects. First one is upgrade System Center Configuration Manager (SCCM) and second is implementation of EMC RSA SecurID Authentication Server.  Because some cute things needed to be done, I would like to share this expirience with you guys….

The lab is virtual because it’s trendy and is pretty hard to do in the physical world. You would need lots of computers and space. It would be nice if this lab would be completelly separate from your production environment. This is because you might want to use the same computer names and addresses. It’s easier this way to do migration to the production environment. At least that. I came out with this network topology:

Let me explain the basic idea behind this setup. I would like to test three modes of installation and set up for SCCM: Primary Central Site, which is at the top of hierarachy, then Primary Child Site, with SQL database of its own, and finally, Secondary Child Site, without a database. I have variety of clients and servers in different segments, so I can play around with discovery methods and slow-fast client boundaries.

Now several questions came up. How do I set up networking? How to do routing? How to access outside world if needed (I will explain why I do need some type of access to the outside world)? More questions will arise later on, as I build this lab…

As for the equipment/software I will use VMWare ESXi 5.x, Cisco switches and Microsoft Windows clients and servers.

Let’s think a little bit about networking. How do I connect clients and servers together? I will use Virtual Switches. Each segment will have its own switch as it would in the physical world, but in this case it will be virtual. In the vCenter console, this would look like this:

This switch represents segment.

This switch represents segment.

This switch represents segment.

At this point, all clients and servers within its own LAN segment have a basic connectivity. If the addressing scheme is right, of course. But what about “seeing” computers in other segments? This could be solved several ways. First, I could use Windows/Linux based router as a virtual machine. This is cool! Second, I could make use of a L3 physical device such as a switch or a router to do a routing. Cool, but not so cool. Then, I *could* use a virtual Cisco router or firewall within a GNS3 installed in a virtual machine. This is awesome!!! But: I did put asterisks around “could” in previous sentence. This is because I did not try this in this type of environment. I did so with VMWare Workstation and I will show you how in the upcoming blog.

Let’s go with the second choice. Suddenly I remembered the good old times when we all did the routing with Windows 2000 Server and RRAS (Routing and Remote Access ). Remember this one? I did played a lot with this one and I was wandering if I still had it 🙂

With Windows 2008 Server, RRAS didn’t change much. From the configuration standpoint of view at least. It is now called “Network Policy and Access Services” and is installed as a role. After installation, I had to right-click it in the server manager and enable it and configure. This is done via simple wizard in which I have chosen custom setup. But before I could do that, let’s see how to configure this virtual RRAS server’s virtual adapters.

Fow now, let’s forget about VLAN109. Other interfaces represent “physical” interfaces of this RRAS router. Inside the server we can see these adapters as well:

The same goes with VLAN2 and VLAN3 interfaces. I said forget VLAN109 for now 🙂

Please note that I don’t have the default gateway configured. This is because I want a total isolation for virtual machines. I could use the DG on any physical adapter that connects to the real world, but I won’t do that in this blog.

Now would be a good time to test basic connectivity. I should be able to ping computers in all three segments and they should ping RRAS server’s IP addresses in their segments. If firewall permits, of course.  I will now install and set up RRAS…

This is how IPv4/General tab should look like. If some interface is missing I could add it by right-clicking “General”. Here I can verify correct IP address setups. At this time all computers from all segments should be able to connect to each other. This should be verified before going any further.

Let’s deal with external connectivity now. Why would I need this in a lab environment? I can think of several reasons: I need the internet access for activating Windows7/2008 machines, may need to do Windows update, … In this specific case, I need to download updates for distributing to clients with SCCM. So, how to achieve this?

Because I want to have as much separation as possible, I won’t be using a DG, but rather a static route to my border router, firewall or proxy server. This is done under IPv4/Static Routes section:

This is plain old static route. To reach my shaded router/firewall/proxy, use Cisco physical L3 switch on which I have a SVI interface for this VLAN109. This is how it looks like in vCenter with a little help from a Visio icon:

If this poses some doubts, here is explanation: “vmnic1” is connected to L3 switch port, say GigabitEthernet0/5. In the virtual world I have RRAS VLAN109 adapter with the IP address of In the real world I have a SVI interface with the IP address of, which is also our static route destination. This link can be done two ways. First, it could be a trunk link. In that case vSwitch1 on ESXi side should be configured like this:

The Cisco side:

interface GigabitEthernet0/5
description Trunk connection to the real world
switchport trunk encapsulation dot1q
switchport trunk native vlan 99
switchport trunk allowed vlan 109
switchport mode trunk
spanning-tree portfast trunk

 It could be done as a access link. In that case, ESXi side would look like this:

And the Cisco side:

interface GigabitEthernet0/5
description Access connection to the real world
switchport access vlan 109
switchport mode access
spanning-tree portfast

In both cases the SVI interface on Cisco switch could be configured as simple as:

interface Vlan109
 description A DG for ESX
 ip address

There is one more thing to have in mind with this scenario. If I had virtual networks in the real world (overlapping between virtual and physical networks), I had to do one more step: NAT virtual addresses to something. This could be a pool  of addresses in range, or simply the interface IP address. In this case this is called PAT. I will use this option. In RRAS, this looks like:

And the NAT properties for the “public” interface looks like this:

Now everything should be fine.

If I wanted to restrict traffic going from virtual to physical world or another way around, I could set up a RRAS server as a basic firewall by turning on the inbound or outbound filters on appropriate interface:

Finally, this saga is over? Not just yet!!! I kinda forgot a DHCP. Now just a second, what about DHCP? Well, in this case,  DHCP server is located in VLAN1 segment. All PCs will obtain addresses with no problems, but VLAN2 and VLAN3 segment PCs won’t! Why is that? Because a DHCP client requests are broadcasts and broadcasts won’t go across a router. To solve this problem I have to enable a DHCP Relay Agent on VLAN2 and VLAN3  interfaces and provide a IP address of DHCP server:

This is configuration on an interface. The IP address of my DHCP server is

And finally DHCP Relay Agent setup looks like this:

Well I guess this is it. Now I have a fully functional virtual test lab. Personally I will use it for Configuration Manager and Authentication Manager for now, but it can be used for many other purposes.

This entry was posted in Cisco, Microsoft, Virtualization, VMWare and tagged , , , , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s