Connecting VMware Workstation and Cisco GNS3 Lab

One of the most fascinating things nowadays for us network/security/virtualization guys is the possibility of carrying our labs with us. We go on a business trip and not only present something in PowerPoint, but also demonstrate the solution. Not to mention that we can practice technologies without owning or renting expensive equipment.

In this post we will see how to connect two worlds: VMware and Cisco. Actually, it is something-to-Cisco, where the something can be a Windows CA, an AAA server, a Linux syslog server, Windows Active Directory, and so on. Today we will connect a Cisco network built in GNS3 to a Cisco ACS 5.x server (also Cisco) for AAA purposes.

Let’s see our topology:

[Screenshot]

I could have used a simple topology, but I picked this one for a purpose: this is my actual MPLS lab and can be considered a real-world scenario. This illustrates how complex our topology can be. We could insert a Cisco ASA, a Cisco IPS and even Juniper products here. The funniest thing is this: I’m running this on a “Windows 2008 R2” virtual machine that is running on a “VMware ESXi 5.x” hypervisor, and my AAA server is yet another virtual machine running inside “VMware Workstation” that is installed on “Windows 2008 R2”. Man I love this concept of being virtual inside of virtual 🙂

Now we will focus on connecting the NB2 router to a central AAA server for Authentication/Authorization/Accounting purposes. We will then test authentication from this router, although with proper routing, any device in the topology could follow the same pattern.

Let’s suppose that we have “GNS3” and “VMware Workstation” installed on our “Windows 2008 R2”. This “Windows 2008 R2” sure can be physical and running on my laptop, but in my case it is virtual and running somewhere in my datacenter.

First we add a “Microsoft Loopback Adapter” and reboot our Windows server. Actually we need two of them. Then we rename them, because we could have many of these, so we can tell them apart:

[Screenshot]

The “ACS” adapter will be used for communicating between our Windows server and “ACS 5.x” for administration purposes. It will have the IP address 1.1.1.1/30 and the “ACS 5.x” will have the IP address 1.1.1.2/30 assigned through the VMware VMnet virtual adapter:

[Screenshot]

The “NBtoACS” adapter will be used to connect the GNS3 world to the VMware world, so that the NB2 router can talk to the AAA server, or any other router can talk to the AAA server through NB2. On the Windows server side we will have the IP address 3.3.3.1/30, and the interface on NB2 connecting to the AAA server will have the IP address 3.3.3.2/30:

[Screenshot]

Now inside of “VMware Workstation Network Editor” we set up a “VMnet1” virtual adapter to be bridged to the “ACS Microsoft Loopback Adapter”:

[Screenshot]

We create a “VMware Workstation” virtual machine for the “ACS 5.x” installation. How to do that we can find here. It is important that we select the proper virtual adapter (in this case VMnet1) during virtual machine setup. Then we complete the ACS installation and setup and give it an appropriate IP address:

!
interface GigabitEthernet 0
  ip address 1.1.1.2 255.255.255.252
!

After the setup we can try our connectivity from Windows server to the ACS. For example, from the ACS:

ACS52/admin#
ACS52/admin# ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
64 bytes from 1.1.1.1: icmp_seq=0 ttl=128 time=0.446 ms
64 bytes from 1.1.1.1: icmp_seq=1 ttl=128 time=0.291 ms
64 bytes from 1.1.1.1: icmp_seq=2 ttl=128 time=0.222 ms
64 bytes from 1.1.1.1: icmp_seq=3 ttl=128 time=0.167 ms

--- 1.1.1.1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3006ms
rtt min/avg/max/mdev = 0.167/0.281/0.446/0.105 ms, pipe 2

ACS52/admin#

 

Now it’s time to connect NB2 to the ACS. For this to work, we must power down NB2. Then we drag a “Cloud” icon from the “Node Types” pane and drop it into the network drawing part of the window. We can optionally right-click the cloud and select “Change Symbol” to change the icon from a cloud to a server, for example. We can also change the name from the generic “C1” to something more meaningful, such as “AAA” or a server name; in my case it’s “gia”. Then we right-click the symbol, select “Configure” and click the name. The “Node configurator” dialog opens:

[Screenshot]

For a Windows GNS3 installation we choose “NIO Ethernet” as the connection type and then select the appropriate loopback adapter, “NBtoACS” in our case. The picture above can be deceiving: inside the second red square we see the “ACS” string, which could lead us to believe that we are connecting to the ACS loopback, but it is actually the “NBtoACS” loopback adapter. We can verify this with the command “netsh trace show interfaces” at the command prompt, matching its output to the GNS3 cloud settings by the “Interface GUID” values:

[Screenshot]

 

We then connect NB2’s free network adapter, “FastEthernet0/1” in our case, to the cloud node we just created. Now we can power NB2 on. The network setup on NB2 is simple and matches the setup of the loopback adapter “NBtoACS”:

NB2#
NB2#show run int f0/1
Building configuration...

Current configuration : 94 bytes
!
interface FastEthernet0/1
 ip address 3.3.3.2 255.255.255.252
 duplex auto
 speed auto
end

NB2#

And we can verify that we reach the other side:

NB2#
NB2#ping 3.3.3.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/16/44 ms
NB2#

This means that we can reach the other side of the link, which is the Windows server. But can we reach the ACS server?

NB2#
NB2#ping 1.1.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
NB2#

And it’s obvious why we cannot: there is no route on NB2 pointing to the ACS. So we add one:

ip route 1.1.1.0 255.255.255.252 3.3.3.1

And now we can reach the ACS server:

NB2#
NB2#ping 1.1.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/22/64 ms
NB2#

Of course, if we want other networks to reach the ACS, we need to change the routing on the Windows server itself. For example, the network 192.168.2.0/24 that exists on the NB2 cannot reach the ACS server:

NB2#
NB2#ping 1.1.1.2 source 192.168.2.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.2, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.1
.....
Success rate is 0 percent (0/5)
NB2#

So on the Windows server we need to add a route for that network back to 3.3.3.2, which is NB2’s side of the GNS3-to-VMware link:

[Screenshot]

Now we try again:

NB2#
NB2#ping 1.1.1.2 source 192.168.2.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.2, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/25/60 ms
NB2#
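
The two routing fixes above, modelled as an added example (not part of the original post): each node gets a routing table, and a ping succeeds only when both the request and the reply find a path. The ACS default gateway of 1.1.1.1 and IP forwarding on the Windows server are assumptions; the post does not show them.

```python
import ipaddress as ipa

def table(*routes):
    """(prefix, next_hop) pairs; next_hop None means directly connected."""
    return [(ipa.ip_network(p), ipa.ip_address(h) if h else None) for p, h in routes]

def lab(nb2_static=False, win_static=False):
    """The post's three nodes. The ACS default gateway is an assumption."""
    nodes = {
        "NB2": {"addrs": ["3.3.3.2", "192.168.2.1"],
                "routes": table(("3.3.3.0/30", None), ("192.168.2.0/24", None))},
        "WIN": {"addrs": ["1.1.1.1", "3.3.3.1"],
                "routes": table(("1.1.1.0/30", None), ("3.3.3.0/30", None))},
        "ACS": {"addrs": ["1.1.1.2"],
                "routes": table(("1.1.1.0/30", None), ("0.0.0.0/0", "1.1.1.1"))},
    }
    if nb2_static:   # ip route 1.1.1.0 255.255.255.252 3.3.3.1
        nodes["NB2"]["routes"] += table(("1.1.1.0/30", "3.3.3.1"))
    if win_static:   # Windows static route for 192.168.2.0/24 via 3.3.3.2
        nodes["WIN"]["routes"] += table(("192.168.2.0/24", "3.3.3.2"))
    return nodes

def owner(nodes, addr):
    """Name of the node that owns addr, or None."""
    return next((n for n, d in nodes.items() if str(addr) in d["addrs"]), None)

def path(nodes, src, dst, max_hops=8):
    """Follow longest-prefix-match lookups hop by hop; None if dropped."""
    dst = ipa.ip_address(dst)
    here, hops = owner(nodes, src), []
    while here is not None and len(hops) < max_hops:
        hops.append(here)
        if str(dst) in nodes[here]["addrs"]:
            return hops
        hits = [r for r in nodes[here]["routes"] if dst in r[0]]
        if not hits:
            return None                      # no route: packet dropped here
        _, nh = max(hits, key=lambda r: r[0].prefixlen)
        here = owner(nodes, nh if nh is not None else dst)
    return None

def ping(nodes, src, dst):
    """An echo succeeds only if the request AND the reply both have a path."""
    return path(nodes, src, dst) is not None and path(nodes, dst, src) is not None

if __name__ == "__main__":
    for args in [(False, False), (True, False), (True, True)]:
        n = lab(*args)
        print(args, ping(n, "3.3.3.2", "1.1.1.2"), ping(n, "192.168.2.1", "1.1.1.2"))
```

With only the NB2 static route, the request sourced from 192.168.2.1 reaches the ACS but the reply is dropped at the Windows server, which is the failure shown in the ping output above.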

 

Now we set up our router for AAA:

!
aaa new-model
!
aaa authentication login default group radius
aaa authentication login CONSOLE none
!
!
radius-server host 1.1.1.2 auth-port 1645 acct-port 1646 key spop123
!
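
An added example, not from the original post: a small Python check that reads the AAA lines above and reports what should change before the same configuration leaves the lab (a login list with no fallback method, a list that uses `none`, and a RADIUS shared secret shorter than the 16 octets RFC 2865 prefers). The check names and the HARDENED sample are constructed for illustration.

```python
import re

# The router lines from the post, and a constructed variant for comparison.
PAGE_CFG = """
aaa new-model
aaa authentication login default group radius
aaa authentication login CONSOLE none
radius-server host 1.1.1.2 auth-port 1645 acct-port 1646 key spop123
"""
HARDENED = """
aaa new-model
aaa authentication login default group radius local
aaa authentication login CONSOLE local
radius-server host 1.1.1.2 auth-port 1645 acct-port 1646 key EXAMPLE-long-random-secret-0001
"""  # 'local' needs a local account ('username ... secret ...') to be useful

def methods(tokens):
    """Fold 'group <name>' pairs into one method each."""
    out, it = [], iter(tokens)
    for tok in it:
        out.append(f"group {next(it, '')}".strip() if tok == "group" else tok)
    return out

def audit_aaa(config, min_secret=16):
    """Return (check, subject) findings for login lists and RADIUS hosts."""
    findings = []
    for line in map(str.strip, config.splitlines()):
        m = re.match(r"aaa authentication login (\S+) (.+)$", line)
        if m:
            name, meths = m.group(1), methods(m.group(2).split())
            if "none" in meths:
                # Lines using this list can log in without credentials.
                findings.append(("NO_AUTH", name))
            elif all(x.startswith("group ") for x in meths):
                # Server unreachable and no next method: every login fails.
                findings.append(("NO_FALLBACK", name))
        m = re.match(r"radius-server host (\S+).*\bkey (?:(\d) )?(\S+)$", line)
        if m:
            host, enc, secret = m.groups()
            # Length is only visible when the key is stored as typed (type 0).
            if enc in (None, "0") and len(secret) < min_secret:
                findings.append(("SHORT_SECRET", host))
    return findings

if __name__ == "__main__":
    print(audit_aaa(PAGE_CFG))
    print(audit_aaa(HARDENED))
```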

And our ACS:

[Screenshot]

[Screenshot]

Now we can try authenticating this user from the NB2 router:

NB2#
NB2#test aaa group radius spop somepassword new
User successfully authenticated

NB2#

And finally we can verify this login attempt on the ACS:

[Screenshot]

 

Being able to connect these two worlds gives us a great opportunity to learn, to prepare for exams, to demonstrate solutions, to try something in the lab before going to production, and so on.

 

Thanks for reading.


7 Responses to Connecting VMware Workstation and Cisco GNS3 Lab

  1. Reblogged this on Shadowed Reflections and commented:
    Network+Security+virtualization! Beginning of a generation!

  2. Petar says:

    I am curious about this part:
    I’m running this on a “Windows 2008 R2” virtual machine that is running on a “VMware ESXi 5.x” hypervisor, and my AAA server is yet another virtual machine running inside “VMware Workstation” that is installed on “Windows 2008 R2”
    So you have an ESXi that has Windows 2008R2 VM, in which you have GNS3 installed and VMware Workstation installed, and in that VMware Workstation you have ACS installed? It’s a proper way of nested virtualization, that’s for sure, but my question is, can I do it in single VMware workstation?

    For example, to spin up VMware Workstation on Windows 7, and in it have one VM for GNS3 and other for ACS? For them to be siblings, not parent-child virtualization environment?

    Thanks,

    Petar

    • Sasa says:

      Well, I guess this can be done, but a better way would be to run GNS3 directly on top of Windows 7 and run the ACS from within VMware Workstation.

      I don’t see any benefit of running GNS3 as a VM inside of Workstation.

    • Eazy says:

      If you are running on ESXi, you can as well use the Cisco Nexus Virtual Switch/Router/Firewall instead of GNS3.

  3. Petar says:

    Thanks Sasa, maybe I’ll do that as well. I was just thinking not to mess up my workstation with GNS3 and keep a clean system.

  4. Very nice set up, thanks for sharing !!!
