Day 4: Going Splunking

Getting Started

I decided to branch this off into its own day, since it's kind of removed from what I was doing before.

I had decided to build a FreeRADIUS config from scratch so I could remove any unnecessary options that were included in the (rather large) default config file, and set my own baseline configuration to move forward.

Not too far into the configuration, I encountered log{} directive, which gave me a handful of logging options... including logging to syslog.

It occurred to me at this point that it might be worth actually setting up a syslog server, considering the breadth of all the things I'm trying to do, so I can have a single place to review log files.

So I did some research and settled on the free version of Splunk (partly because that seems like a helpful skillset in the outside world.)

Installation

First minor complication: virtually everything I've installed so far on CentOS has been available through the default yum repositories. Splunk is not - it comes as an RPM (or a .tgz, or a .deb package.) yum does use RPMs, but normally they're downloaded from repositories.

Anyways. I downloaded the RPM from Splunk to /root, and from there, it wasn't much different from a normal yum install - except for specifying a filename instead of a package name.

splunk installs slightly different from most packages, by putting everything under /opt/splunk. Not a huge deal, except that /opt/splunk/bin is not in my search path, so I just symlinked /usr/bin/splunk to /opt/splunk/bin/splunk and started up splunk per the install instructions.

Troubleshooting

At this point, I hit a minor snag: I couldn't access the Splunk web interface. I could ping the machine, and use SSH, I just couldn't use the web interface.

After some digging, I discovered something I was not aware of: specifically, that CentOS ships with its built-in firewall enabled, and the firewall's default settings only permit incoming SSH and DHCPv6 traffic.

Fortunately, an easy fix, once I found the right ports:

firewall-cmd --new-service=splunk --permanent

firewall-cmd --service=splunk --add-port=8000/tcp --permanent

firewall-cmd --service=splunk --add-port=8089/tcp --permanent

firewall-cmd --service=splunk --add-port=9997/tcp --permanent

firewall-cmd --reload

firewall-cmd --add-service=splunk

Perfect.

Configuration

The big "Add Data" button on the homepage seemed enticing, so I started down that path.

I didn't have any preexisting log files I wanted to import, and I didn't want to set up a forwarder - I just wanted Splunk to listen for incoming syslog data, so I went with Monitor.

The next screen continued on with the trend of being helpful:

At this point, I realized that I was going to have to modify my firewall rules again to accept incoming data:

firewall-cmd --service=splunk --add-port=514/tcp --permanent

firewall-cmd --reload

Naturally, when I did this, I couldn't access Splunk any more. Easy fix: I'd forgotten to add the --permanent option when I added the Splunk service to the current zone.

So, now, Splunk said it was ready to start receiving data. Linux has a utility called "logger" for making syslog entries, so I did exactly that:

# logger -T -n 127.0.0.1 -P 514 "test message"

Lo and behold - searching for "*" in Splunk found my message!

Next Up

Now that I have a syslog server working, it's back to configuring FreeRADIUS. Eventually I'll start migrating most of my CentOS services over to Splunk for logging.

Day 3.5: ActiveDirectory and CentOS

Getting started... again

So World of Warcraft: Battle for Azeroth dropped last week, and that's been taking up a lot of time that I might otherwise have been using to work on this project... but I hit level 120 on my main, so now I'm spending less time on that.

Anyways. Last time, I had decided I needed to do some reading and figure out the underlying mechanics of tying Cisco devices to ActiveDirectory, which as best I could tell, was going to require a long chain of services including FreeRADIUS, Samba, Kerberos, and ActiveDirectory. Along the way, I decided now would be as good a time as any to transition my CentOS server from using local accounts to using ActiveDirectory user accounts.

I thought this was going to require a whole bunch of manual Samba and Kerberos setup, and thought I had it all figured out... and then when I went to research the actual configuration, I discovered it was actually going to be a lot simpler.

CentOS setup

Red Hat has done a pretty decent job of consolidating core system services into easily managed software packages. Originally, my research suggested I was going to have to configure a handful of different Samba processes running on top of Kerberos, and configure the system by hand... but as it turns out, CentOS has made this a lot easier with two particular services, realmd and sssd. realmd essentially handles the process of connecting the server to an ActiveDirectory domain, and sssd handles interfacing between clients and back-end authentication mechanisms (like ActiveDirectory.)

realmd wasn't installed by default, but it was available through yum, so installing it was easy enough.

Following the documentation, I was able to discover my domain, and then tried to join it:

I could've sworn I saw those packages listed as dependencies when I installed realmd, but apparently not. But, again, easy enough to fix...

# yum install oddjob oddjob-mkhomedir sssd adcli

Oddly, during this process, yum determined that oddjob/oddjob-mkhomedir were already installed (I didn't imagine it!) but the other two weren't, so I opted to install them and then deal with the "missing" packages afterwards.

Impressively, the 28-package install took about 5 seconds.

And, as a pleasant surprise - after installing the two missing packages, it didn't complain at all when I went to join the domain again.

Equally pleasantly was going to test the new implementation, as described in the documentation, and finding that realmd had worked exactly as advertised and had taken care of the entire joining process (including configuring sssd for ActiveDirectory) for me.

(At this point, I also went into the ActiveDirectory Users/Computers tool and set my password not to expire.)

At this point, I wanted to make it even more fancy... and make sure that only designated users could use ActiveDirectory credentials to log into the CentOS server.

So I jumped over to Windows and created a new user group: 

And then used the appropriate realmd commands to block access from anyone except that user group:

First I tested it without adding myself to that user group:

Then added myself through Windows and tried again:

Perfection. And amazingly easy, too.

Next up

Next up is to configure FreeRADIUS to authenticate against ActiveDirectory. I was originally going to make that part of this post, but it's looking complicated and I need to read up before I continue. Until next time...

Break time: RADIUS, ActiveDirectory, and everything in between

Status update

The next thing I had planned was to link my virtual Cisco devices to my Windows domain, so I could do a couple things: control login access to the devices themselves, and set up 802.lx authentication for connected VMs.

There's a couple things I need to do for that to happen:

1. Set up a RADIUS server for the Cisco devices to talk to.
2. Set up an SMB server to act as a "go-between" between the RADIUS server, and the Windows domain controller.

At this point, though, I'm solidly in the realm of protocols and software that I have very little understanding of: FreeRADIUS to implement RADIUS, Samba/Kerberos to implement SMB, and configuring Samba to talk to the domain controller via LDAP 

So for now, I've made myself a Kindle reading list on Samba/Kerberos/LDAP so I can get an understanding of all the pieces I'm trying to put together.

So once I've gotten through that, I'll start attacking the actual setup.

More to come...

Day 3.4: DHCP and subnetting

Introduction

In the last entry, I set up a few things:

• Routing between all the virtual routers on the network.
• To do this, I enabled RIP on all the core (Core, Edge, and Access) routers for all the networks in the LAN.
• Configured the Core0 router as the default gateway, and configured RIP to propagate default route information across the network.
• Configured the Win2016 VM with a direct connection to the Internet, since while GNS3 routes traffic internally quickly enough, it's too slow for Internet connectivity. Win2016 still has access to the virtual LAN as well.

Onwards!

Next step is going to be setting up user access and VLANs (which, by necessity, involves configuring DHCP.)

But VLANs first.

Jumping over to my Access1 router, I set up my two user VLANs, which I designated 101 and 102:

Access1(vlan)#vlan 101

VLAN 101 added:

    Name: VLAN0101

Access1(vlan)#vlan 102

VLAN 102 added:

    Name: VLAN0102

Immediate problem: VLANs are apparently stored in Flash memory as opposed to NVRAM... and Access1 is not configured with any Flash memory.

Shut down switch. Go into configuration in GNS3. Add an 8MiB PCMCIA disk. Restart switch.

format flash:

Okay... now I can create my VLANs and update the database.

Next up: configure an IP address for each VLAN interface to use.

Access1(config)#interface Vlan101

Access1(config-if)#ip address 10.100.1.1 255.255.255.0

Access1(config-if)#no shut

Access1(config-if)#exit

Access1(config)#interface Vlan102

Access1(config-if)#ip address 10.100.2.1 255.255.255.0

Access1(config-if)#no shut

Access1(config-if)#exit

Access1(config)#

Since my VLANs aren't crossing multiple switches, I don't need to work about trunking to other switches. All I need to do is configure the appropriate Ethernet ports for the appropriate VLANs. GNS3 tells me in the Topology Summary which VMs are connected to which ports:

Access1#config t

Enter configuration commands, one per line.  End with CNTL/Z.

Access1(config)#int fa3/0

Access1(config-if)#switchport access vlan 101

Access1(config-if)#ex

Access1(config)#

*Mar  1 00:20:00.015: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan101, changed state to up

Access1(config)#int fa3/1

Access1(config-if)#switchport access vlan 102

Access1(config-if)#^Z

Access1#

And...

Access1#show vlan-switch

VLAN Name                             Status    Ports

---- -------------------------------- --------- -------------------------------

101  VLAN0101                         active    Fa3/0

102  VLAN0102                         active    Fa3/1

All right, VLANs are set. One more thing first, configure each VLAN interface to use the Windows 2016 DHCP server.

Access1(config)#int Vlan101

Access1(config-if)#ip helper-address 10.1.0.100

Access1(config-if)#ex

Access1(config)#int Vlan102

Access1(config-if)#ip helper-address 10.1.0.100

Access1(config-if)#^Z

Access1#

Now to jump over to Windows and set up the DHCP server.

There's a few different options that needed to be set up:

I created a Superscope specifically to cover user VLANs, and then added a Scope for each VLAN to assign IP addresses within that subnet.

I also set a couple different server-wide options to control what gets assigned to all DHCP clients:

The two Router addresses are for the two interfaces of Core0, the DNS server is the IP address of the Windows 2016 VM.

Time to boot up my Windows 8 VM and see if it gets an IP address successfully.

Probably should've taken care of this first. Oh well.

After the VM came up, I discovered I was getting an address assigned by VMware. As it turns out, you have to start the VMs within GNS3 in order for GNS3 to control them.

But when I tried to do that, I got this message:

After a little digging, I discovered that GNS3 "takes control" of pre-configured VMware virtual networks while it's running. I had only configured it to use a single VMnet, and that was already in use by Win2016. After giving it control of several more VMnets and assigning Windows8 to one of those VMnets, I tried again:

I'll take "error messages I don't understand" for $400, Alex.

Oddly, the VM itself started up with no problem, although it had no network connectivity. I tried one more option: the "Allow GNS3 to override non custom VMware adapter," which I finally discovered had a tooltip informing me that this would allow GNS3 to control the network adapters belonging to the VM.

Still nothing.

After doing some research, I found a forum post suggesting that Windows-based clouds (which I did indeed have) were not as reliable as clouds running inside the GNS3 VM. Following the post's suggestion, I added a network adapter to the GNS3 VM, bridged to my home LAN, and rebooted the GNS3 VM.

GNS3 itself apparently did not like that I was changing its VM while it was running, and complained when I tried to add a new cloud. I opted to just restart GNS3 and try again.

Success... except I was now getting that error message when trying to start up Windows 2016.

At this point I noticed that when I was trying to configure VMnets in GNS3, it was trying to start two services related to Netgroup Packet Filter, that appeared to start and then stop. I figured that all my network interface shifting might have broken something on my local machine, so I decided to reboot.

I started up Win2016, so far so good - then the rest of my virtual routers - then Windows 8. All well and good, except... no IP address.

Oops. Apparently I forgot to save my Access1 configuration before restarting.

After rebuilding the configuration... no DHCP.

Time to enable UDP debugging on Access1 and try a DHCP renew:

Access1#debug ip udp
UDP packet debugging is on
Access1#
*Mar  1 00:07:10.863: UDP: rcvd src=0.0.0.0(68), dst=255.255.255.255(67), length=308
*Mar  1 00:07:10.867: UDP: sent src=10.100.2.1(67), dst=10.1.0.100(67), length=308

UDP packets are making it out, but not coming back. Checking on the next hop, InternalEdge2... no UDP packets are coming through, and yet, I can tracert to the DHCP server just fine.

Turning on IP error debugging on InternalEdge2 reveals:

InternalEdge2#debug ip error

IP packet errors debugging is on

InternalEdge2#

*Mar  1 00:31:01.927: IP: s=10.1.0.100 (FastEthernet2/0), d=10.100.2.1, len 337, dispose ip.noroute

There's the problem. I never added my user subnets to the RIP network listing on Access1, and so the rest of the network has no idea how to reach those subnets. Easy fix, at least:

Access1#config t

Enter configuration commands, one per line.  End with CNTL/Z.

Access1(config)#router rip

Access1(config-router)#network 10.100.0.0

Access1(config-router)#^Z

Access1#

Checking the route listing on InternalEdge2 now shows a route to the 10.100.0.0 networks. DHCP renewed, and...

Got it!

Next step

Not sure, really. I'll figure something out.

Day 3.3: Setting up routing

Introduction

Yesterday I built a network of virtual routers in GNS3 and connected my VMs to them. Today I'm going to work on configuring them to actually route traffic around the virtual network.

Getting started

As a reminder, here's what the network looks like right now:

To start out, I figured I should configure Core0 to connect to the Internet. Essentially, I started with the instructions here to set my "external" interface on Core0 (Fa0/0) for DHCP:

Core0#

*Mar  1 00:13:24.639: %DHCP-6-ADDRESS_ASSIGN: Interface FastEthernet0/0 assigned DHCP address 172.20.179.154, mask 255.255.0.0, hostname Core0

Core0#

So far so good - Fa0/0 now has an IP address on my home LAN. Equally importantly, it now has a default gateway assigned for routing traffic out to the Internet.

Core0#ping 75.75.75.75

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 75.75.75.75, timeout is 2 seconds:

.....

Success rate is 0 percent (0/5)

Okay, my bad. The default route forwards out to Fa0/0, but there's no default gateway set.

Core0(config)#ip route 0.0.0.0 0.0.0.0 172.20.0.1 permanent

Core0(config)#^Z

Core0#

*Mar  1 00:24:31.687: %SYS-5-CONFIG_I: Configured from console by console

Core0#sh ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

       E1 - OSPF external type 1, E2 - OSPF external type 2

       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

       ia - IS-IS inter area, * - candidate default, U - per-user static route

       o - ODR, P - periodic downloaded static route

Gateway of last resort is 172.20.0.1 to network 0.0.0.0

C    172.20.0.0/16 is directly connected, FastEthernet0/0

     172.25.0.0/24 is subnetted, 2 subnets

C       172.25.1.0 is directly connected, FastEthernet1/0

C       172.25.2.0 is directly connected, FastEthernet2/0

S*   0.0.0.0/0 [1/0] via 172.20.0.1

               is directly connected, FastEthernet0/0

Core0#ping 75.75.75.75

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 75.75.75.75, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 60/78/96 ms

Core0#

Much better.

Next step is configuring the rest of the routers to learn routes. At this point, for simplicity, I'm going to use RIP.

Fortunately, GNS3 lets me edit each router's startup-config in a text editor so I don't have to manually enter all the config commands on each router to add:

router rip
version 2
network 172.25.0.0
network 172.26.0.0
network 172.27.0.0
network 172.28.0.0
network 172.29.0.0
no auto-summary

Next up, configure Core0 to propagate its static route via RIP:

Core0(config-router)#default-information originate

A quick check of Core2 confirms that the default route has propagated:

Core2#sh ip rip database

0.0.0.0/0    auto-summary

0.0.0.0/0

    [1] via 172.25.2.1, 00:00:01, FastEthernet0/0

Unfortunately, I can't ping 75.75.75.75 from Core2.

Tracerouting shows that packets are making it to Core1 and no further.

Core2#traceroute 75.75.75.75

Type escape sequence to abort.

Tracing the route to 75.75.75.75

  1 172.25.2.1 64 msec 64 msec 60 msec

  2  *

Oops. Apparently GNS3 Clouds don't work the way I had thought - I need to enable NAT so that Core0 can translate packets between my virtual LAN and my home LAN.

After some quick changes (irrelevant lines omitted):

interface FastEthernet0/0

 ip nat outside

interface FastEthernet1/0

 ip nat inside

interface FastEthernet2/0

 ip nat inside

ip nat inside source list 1 interface FastEthernet0/0 overload

!

access-list 1 permit 172.25.0.0 0.0.255.255

access-list 1 permit 172.26.0.0 0.0.255.255

access-list 1 permit 172.27.0.0 0.0.255.255

access-list 1 permit 172.28.0.0 0.0.255.255

access-list 1 permit 172.29.0.0 0.0.255.255

I can now ping the outside world from Core2.

Next up: configure default route propagation between all core routers with default-information originate.

Even after doing this, route information is not making it to Access1.

After some digging, I discovered that neither Core1 or Core2 was sending RIP updates to Access1 because I'd somehow forgotten to activate that interface on both Core1 and Core2.

After fixing this, I tried to ping 75.75.75.75 from Access1 - it worked, but only with a 40-60% success rate. Same with most other Internet sites I tried.

Problematically, this doesn't appear to happen if I try it from my physical machine, and I don't have this problem with pings anywhere in my home LAN. It looks like the latency within GNS3 - while not a problem as long as I'm inside my own network - is too slow for traffic to the Internet.

This isn't really a problem, except that my Windows 2016 server needs to be able to access the Windows Update service, and it can't do that if packets are constantly timing out.

Fortunately, this should be a fairly easy fix - I can add a second network adapter to that VM in VMware, connect it directly to my home LAN (bypassing GNS3) and set that as the default route for all traffic not headed for my virtual LAN.

So at this point, my W2016 VM has two network connections: SIMULCRON (connected to my virtual LAN) and EXTERNAL (connected directly to my home LAN.)

(It was also at this point that I switched ExtEdge2 back to a two-port router, and added a generic switch connecting the Windows 2016 VM to it, for simplicity configuring the router.)

Here's what my routing table ended up looking like:

Oddly, at this point, I can access the Internet and ping ExtEdge2, but I can't reach the rest of the virtual LAN.

(Sidenote: I discovered during this process that GNS3 doesn't handle editing of startup-config via the text editor very well if you do it while the VND is running.)

Not too soon after, I realized I'd never configured ExtEdge2 to advertise its path to Win2016 (which is on the 10.1.0.0/16 network, rather than the rest of the virtual network, which is a 172.* network.) After adding 10.1.0.0 to the RIP database on ExtEdge2, everything worked perfectly - and I confirmed I can ping from Core0 to Win2016, and back!

Next up...

Next step will be setting up user VLANs, like I planned in the original network diagram.

As an aside, while network performance is fine, Win2016 is struggling to paint the screen when I'm doing command-line stuff. I may also start using VPCS simulators to test network connectivity.

Day 3.2 - Designing/building a LAN

Introduction

In the last couple posts I went through setting up GNS3 to act a network simulator to route traffic between my virtual machines.

(As an aside, I had to update my Windows 2016 VM last night and it took... a really long time. At some point, the number of VMs I'm running may become an issue - especially with the number of routers I'm putting into the GNS3 VM. But I'll cross that bridge if I get there.)

LAN Design

I'm not a professional, so I didn't make this TOO terribly fancy. (Although it ended up being fancier than I originally anticipated.)

I had a few objectives:

• Multiple VLANs to practice trunking/switching/etc.
• A DMZ outside the main network
• A "core" network with multiple routes, to practice with routing protocols

With that in mind, here's what I came up with.

I made it in a program called CADE, which is a little finicky. I didn't want to start putting things into GNS3 - which makes them "real" - until I had a layout in mind.

As far as end-user devices go, GNS3 has a feature called VPCS - or, Virtual PC Simulator. This allows you to create miniature console-based VMs that do the bare minimum to respond to network traffic - so you can test connectivity from an end-user perspective, without going to the trouble of building a full-fledged OS-based VM.

With that in mind, for my virtual network, I decided I'm probably going to only run a single actual VM for testing Windows domain-based stuff, and use VPCS for the rest.

Starting the build

First thing to do: start GNS3 (which helpfully starts up its own VM.)

Next up: drag all my devices into place, and connect them.

Almost immediately I hit a snag: it turns out you can only have one device connected to a cloud interface. So I ended adding another router to the mix. At the end, it looked like this:

Next step was an IP addressing scheme. It's really complicated and not that exciting, so I'm going to skip it. Now for the fun part: going in and manually configuring all those routers.

Immediately, another problem emerges: the 2691 is a layer 2 switch. All the switching ports I used to set up the mesh can't be assigned IP addresses.

After some digging, I found that I should be using a Cisco 3745 router instead. Rather than using the 16-port switching plug-in, I just added a single extra virtual Ethernet port/card for each connection.

(Several hours later...)

Finally got it done.

With 7 out of 8 virtual routers running, as well as the Win2016 VM, my physical machine's barely using any CPU. (RAM is another story, but to be fair, I also have about 20 other programs open.)

Next step's going to be configuring all the routers to talk to each other... but that's for another day.

Day 3.1 - Customizing GNS3

Introduction

In the last entry, after some VMware headaches, I got GNS3 up and running. Next step: add the customization I need to build my virtual LAN.

VND Templates

If you recall, I said I was going to refer to virtual network devices running in GNS3 as VNDs to avoid confusing them with virtual traditional machines running in VMWare.

When it comes to VNDs, GNS3 operates from "templates," which are a collection of hardware settings and the specification of what IOS ROM image to use for the VND. VNDs are instantiated using this template, and then configured like a standard hardware device.

When I left off, GNS3 had just asked me what kind of template I wanted to create first:

I'm going to start by creating a basic IOS router template, which will work for now.

First question is whether I want to run the VND inside the GNS3 VM, or on my local computer. I went with the GNS3 VM.

Next I was prompted for an IOS image. I selected the image file I had on hand (Very basic Cisco 2691, with Enterprise Base feature set.)

At this point, suddenly, GNS3 found itself unable to talk to the VM again.

I noticed that it was trying to connect to an IP address on my home LAN... which the GNS3 server does not have, since it's operating inside a host-only network.

I went into Preferences and specified for the GNS3 server to bind to my VMware virtual NIC assigned to the host-only network. When I did this, the GNS3 VM rebooted. After it came back up, I noticed the VM was now showing green in GNS3, which it wasn't before. Good sign.

I went back to add the IOS image and this time it worked perfectly.

Next I was prompted to name my template and specify the platform (2691.)

Next, I was prompted for the default RAM. I checked Cisco's website and found the minimum RAM for this image was 128MB so I went with that.

Next was selecting what network adapters should be attached by default to new instantiations of this template. I only planned to use 1 slot, so I used the default.

Next was selecting a default WAN interface card for new instantiations. I don't need one, so I left it alone.

Next I was prompted for an "idle-pc" value, which is apparently necessary to keep IOS from using up 100% of a CPU core. Helpfully, there was a button to find it, which took about 30 seconds.

I now had a ready-to-use Cisco 2691 template, ready to go.

Adding in VMWare VMs

For some reason, GNS3 also refers to VMWare VMs as "templates." I'm not really sure why this is, because there's only ever one instance of a particular VM. Regardless.

Anyways. Essentially, I followed the steps in this document to add my existing Windows 2016 Server VM as a template.

One problem I have with GNS3's documentation is that it's written almost entirely in the form of tutorials, and is pretty light on the explanations of why you're doing what you're doing.

Mainly, when I get to the part telling me what to do on the Network settings tab:

Well, a few things. For one, my screenshot doesn't match theirs - I only have one checkbox, they have two. Second, I don't know what any of those boxes mean (aside from Type) and whether they might be important.

Regardless...

On the "VMware Preferences/Advanced local settings" tab, the document says to have GNS3 manage VMnets 2-8. I'm just going to have it manage VMnet 2, since that's the one I assigned for my lab experiments.

After clicking "Configure" on that screen, GNS3 runs some commands to assert control of VMnet2.

Testing it out

At this point, I don't want to go through the trouble of configuring a Cisco router just yet - I just want to make sure I configured everything correctly.

First things first: create a new project in GNS3, and obtain a blank canvas:

Note that over on the left, I have the "End Devices" section open and you can see my VM (and a few other things that will be useful later) available for placement. If I opened up the "Routers" section, you would see my 2691 router template available for placement.

I'm gonna do a couple things: drag my VM over and drop it on the canvas to add it to my network, and drag a "Cloud" object over to the canvas as well.

When I do the second one, I get this question:

Before I answer this, let me try and explain what I think a Cloud object is. (I'm not 100% sure because of the way GNS3's documentation is written.)

As best I can tell, a Cloud can do a handful of things. The main one - at least, the main one I'm concerned with for now - is the ability to make a network interface on a machine (physical or virtual) act as a "proxy" for an interface attached to a VND/VM.

It'll probably make more sense if I demonstrate. But long story short, I choose Amateria (my local physical machine) because I want traffic to flow through my home LAN, which my GNS3 VM is not directly connected to.

After that, I have to configure the Cloud before I can use it.

Essentially, at this point, I've configured Cloud 1 so that it can "proxy" traffic out through my physical machine's Local Area Connection, onto my home LAN.

Next step is to create a link between my Windows VM and Cloud-1, using the "Add a link" button on the left. When I click the Windows VM, I'm prompted to select an interface on the VM, and the same when I click the Cloud. (Each only has one option right now, but I could add more.)

Once it's done, it looks like this.

On the right, you can see a list of connected GNS servers, and what's running on them. At this point, I don't have anything running on the GNS VM, because both the Windows Server VM and Cloud-1 are hosted on my physical machine. Note that anywhere Windows Server appears, it's with a red square at this point, because the VM is turned off.

Now. What I've done by connecting the network interface on Windows Server, to my physical interface through the Cloud, is created a "link" where Windows uses its virtual network interface, and GNS3 transparently takes that traffic and routes it out through the physical interface. When traffic comes back, it works in reverse - GNS3 takes it from the physical interface, and passes it to the VM, and as far as the VM's concerned that traffic came straight from its virtual interface.

All right. The green "Play" button up top will start up all the virtual nodes on the network...

After hitting Play, GNS3 starts up the Windows 2016 Server VM for me.

Moment of truth...

Well. I wasn't expecting it to come back in IPv6, but if I ping an IPv4 address, I get a response back. My VM's connected to the Internet through GNS3!

Next step

Next step's going to be adding a virtual Cisco router into the mix and confirming that GNS3 is fully working.

But for now, Heroes of the Storm calls...

Day 3 - Integrating GNS3 and the VMWare environment

Introduction

It's been a couple weeks, I've been busy getting ready to separate from the Air Force. But I'm on terminal leave now, and I've got nothing but free time!

What's Next

I've never been great at focusing on one thing at a time. Especially in the last couple months, when I've been at work and not able to access my VM environment, so I was just reading e-books on certifications. Unfortunately, with no access to a test environment, I can only read so much about a single topic with no hands-on practice before I have to switch tracks and read about something else.

With that in mind, I ended up switching tracks for a little bit to read my CCNA study material.

As with other certification projects, CCNA is hard to train for without a lab environment. GNS3 - the network simulator I mentioned earlier on - can provide that environment. But, I didn't want to branch off into a completely separate project. So I found myself wondering... can I integrate my current virtual environment with GNS3?

As it turns out... I can.

Getting Started

GNS3 basics

As a reminder, GNS3 is a simulator capable of running Cisco IOS images as virtual machines - except in this case, the "VMs" are network devices rather than traditional computers. (I'm going to call them VNDs just to avoid confusion.

I already installed GNS3 using pretty much all the default options (minus the numerous pleas to install Solarwinds stuff.)

When you first start GNS3, you have to configure it.

GNS3 offers a few different ways you can run VNDs:

1. The first option entails running a custom GNS3 Linux VM on your local machine, and your VNDs will run inside of that.
2. The second option is to have no GNS3 VM, and run your VNDs directly on your host operating system. According to my research, Windows has problems with emulating certain VNDs, which is why option 2 limits the types of VNDs you can run.
3. The last option is to connect to a remote GNS3 server, which hosts all your VNDs.

I'm already virtualizing everything, and I like functionality, so I went with option 1.

On the next screen, I went with the default options for the GNS3 server.

Next, assuming you went with option 1, GNS3 asks how you want to run the GNS3 VM.

You have two virtualization software options: VMWare, and VirtualBox.

As far as free stuff goes, you have a couple options: VirtualBox is free, as is the slimmed-down version of VMWare called VMWare Player. As you might expect, though, free comes with a couple drawbacks - VirtualBox doesn't support nested virtualization, which means it may run VNDs slowly. VMWare, being a free edition, doesn't let you do some really helpful things (like run multiple VMs at once.) If you're not planning on running any other VMs, though, VMWare Player should work fine for running the GNS3 VM by itself.

Anyways. I have VMWare Workstation, so I went with that one.

The neat thing about VMWare is that it has an interface for external software - like GNS3 - to integrate with it. So once you download the pre-built GNS3 VM from GNS3's website, all you have to do is double-click it, and it'll automatically import itself into VMWare, and GNS3 will be able to see it and interact with it.

I already did this, which is why "GNS3 VM" is already selected. I left the vCPU and RAM size alone, and finished configuration.

Starting GNS3

After you finish setup, GNS3 with automatically start its VM within VMWare.

At this point, I hit a snag, in the form of this dialog box, which kept going up to 100% and then resetting:

Progress bars have percentages for a reason - why do so many software companies defeat the purpose of a progress bar by filling it with false information? But I digress.

Meanwhile, over in my GNS3 VM, I had this worrisome message:

It appeared that GNS3 was trying to connect to its VM, but its VM for some reason was not connected to my home network.

As suggested, I went into the Networking configuration screen in the VM, and was warned that the server would reboot at the end of the process. Okay, sure.

Of course this couldn't just be simple. Oh well, at least I get to use nano instead of vi.

Okay. The file specifies that eth0 is the "host only" interface, and it appears to be set to use DHCP.

"Host only" is a type of VMWare virtual network interface which essentially creates a private LAN between a VM (or several VMs) and its host machine. VMWare should run a DHCP server on this private LAN to assign IPs to any VMs that ask for one.

In this case, however, it appears that this isn't happening.

Next step was to check that the VM itself was configured correctly:

As far as I know, the order that the adapters appear in the VM settings is the same order that they'll appear to the host machine (eth0, eth1, etc.) - so eth0 is in a host-only network as it should be.

As promised, once I closed out of nano, the VM rebooted. Fine.

Once it came back up, I got the same message.

This time, I decided to pull up a shell from the menu and see if I could figure something out from there.

`ifconfig | less`

Okay. Definitely not getting an IP address. Time to dig through log files... GNS3 keeps the ones I'm interested in in /var/log/upstart. In particular, I'm interested in network-interface-eth0.log - which had some helpful information at the end:

For whatever reason, VMWare appeared not to be responding to DHCP requests from the VM.

VMWare runs a service on the host machine called - imaginatively - "VMware DHCP Service." I'd had issues with VMWare services on the host machine before, so I restarted the service to see if that helped, then restarted the VM itself.

It didn't.

I did some more digging, and discovered an annoying quirk of VMWare's virtual network feature:

VMWare has two virtual networks named VMnet0 and VMnet1. They cannot be deleted or renamed.

As it turns out, VMnet0 is the default virtual network for VMs where a "bridged" connection (VM connected directly to the external network) is selected, and VMnet1 is the default virtual network for VMs where a host-only connection is selected. This isn't noted anywhere in the virtual network editor.

What had happened was, I got tired of trying to remember which VMnet was which (remember, they can't be renamed) so I just set them both to host-only, disabled DHCP, and created additional virtual networks that I COULD rename.

Except, now, my GNS3 VM was trying to use VMnet1 by default, which was a "dead" network with DHCP disabled.

So at this point, I deleted my custom network, reset VMnet0 and VMnet1 to their original settings, and rebooted the GNS3 VM.

Finally.

I went back to GNS3, and tried to finish configuration again... shocking, it immediately connected to the VM and asked me what I wanted to do first:

What's Next

Next, I need to create VND "templates" and add my VMs to GNS3. That falls under "customization," so it's going to be the next entry.