ccie.security lab - INE topology (SECv4)

the INE physical topology consists of four modules and is publicly accessible as of Apr/2016. So I tried to replace the HW routers and switches with UNL devices (mostly IOL) and was definitely able to emulate the ASA and IPS/IDS within UNL as well. but I found later that UNL/IOL switches don't support 802.1x completely, so MAB and redirection ACLs didn't work (Apr 2016).

own topology



routers

no science here, as routing and VPN/security features are covered by the UNL images very well without any issue. I tested AAA, FW features (IOS ACLs, CBAC, IOS FW, ZBFW, NAT and PBR) and VPN services (PKI server, site-to-site VPN - GRE over IPsec, VRF-aware VPN, VPN HA, DMVPN, FlexVPN, EzVPN, SSL VPN).

  • the UNL IOL image is i86bi_linux-adventerprisek9-ms.154-1.T_A.bin
  • RAM 256MB
  • 1x Eth module (4 Ethernet interfaces)

switches

switches are needed here not only for switching but also for the security tasks. I found that there is no Cisco-based switch in UNL that supports SPAN (LSPAN/RSPAN) except the dynamips Cisco 3725 + NM-16ESW, so I deployed a dynamips node as SW3 and connected the IPS to that switch. But while practising I discovered an issue with connecting to the IPS and sending traffic to it - the VLAN pair wasn't working and the standard interface pair wasn't working either. It started to work after I replaced that SW3 with an IOL node. The conclusion is simple - to run an IDS (fed via SPAN) you can use the dynamips switch; to run an IPS (inline interface or VLAN pair) you have to use an IOL switch.

there is another topic for Layer 2 security - 802.1x and its features (MAB, Web Auth, Guest Portal etc.). none of the UNL nodes support these features, so it's necessary to run at least one physical switch to have a chance to practise them.

  • IOL image - i86bi_linux_l2-adventerprisek9-ms.nov3_2015_high_iron.bin, 4 Ethernet modules (16xETH), 256M RAM
  • Dynamips - Cisco 3725 + NM-16ESW, IOS c3725-adventerprisek9-mz.124-15.T14.bin, 2xFE (L3), 16xFE (L2), 256M RAM
  • HW switch - WS-C3560-24TS + c3560-ipservicesk9-mz.122-55.SE10.bin, 128M RAM

ASA FWs

all four ASA firewalls run within UNL natively with image 8.4(2). the INE FW module is designed so that ASA1 and ASA2 can run two different versions (8.2 or 8.4), so I deployed four ASA devices with 8.4(2) and prepared two "standby" firewalls with system image 8.0(2), ready to be started manually in case the older image is needed. You can check my ASA guide here.

all appliances are configured with four Ethernet interfaces and 512M of RAM. this is enough to practise all the FW tasks in the INE Security workbook. I tested all the VPN solutions, act-stb and act-act failover modes, transparent FW, single and multiple context mode and AAA, and haven't found any kind of issue.

for study purposes I'm using ASDM 6.4.7 with Java JRE 6u30 to be able to run the GUI for configuring the ASA and IPS from one box.

neither setup comes with the global inspection policy-map configured, so every ASA must contain:

class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
service-policy global_policy global


and it's mandatory to have a modified license to achieve a failover mode other than Disabled. I'm running this license:

Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 100 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
Security Contexts : 2 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 5000 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 5000 perpetual
Total VPN Peers : 0 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual

This platform has an ASA 5520 VPN Plus license.
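before starting the failover and context tasks it is worth checking both things mechanically: that the running config really carries the default inspections listed above, and that the license shows failover enabled with at least two contexts. the following Python script is my own added check, not part of the original post; the sample license and config strings are constructed from the text above and the regexes assume the plain "Feature : Value perpetual" and indented IOS-style layout shown:

```python
import re

# Constructed sample: the relevant lines of the license block quoted above.
SAMPLE_LICENSE = """\
Licensed features for this platform:
Maximum VLANs : 100 perpetual
Failover : Active/Active perpetual
Security Contexts : 2 perpetual
"""

# Constructed sample: a global_policy that lacks some default inspections.
SAMPLE_CONFIG = """\
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect sqlnet
service-policy global_policy global
"""

# Inspections the default global_policy carries (the list in the post).
DEFAULT_INSPECTS = {"dns", "ftp", "h323 h225", "h323 ras", "rsh", "rtsp",
                    "esmtp", "sqlnet", "skinny", "sunrpc", "xdmcp", "sip",
                    "netbios", "tftp"}

def parse_license(text):
    """Map 'Feature : Value perpetual' lines to {feature: value}."""
    pat = re.compile(r"^\s*(.+?)\s*:\s*(.+?)(?:\s+perpetual)?\s*$")
    return {m.group(1): m.group(2)
            for m in map(pat.match, text.splitlines()) if m}

def license_ok(text):
    """True when failover is licensed and at least two contexts are allowed."""
    feats = parse_license(text)
    ctx = feats.get("Security Contexts", "0")
    return (feats.get("Failover", "Disabled") != "Disabled"
            and ctx.isdigit() and int(ctx) >= 2)

def missing_inspects(config):
    """Default inspections absent from the global_policy policy-map."""
    m = re.search(r"^policy-map global_policy\n(.*?)(?=^\S|\Z)",
                  config, re.S | re.M)
    present = set()
    for args in re.findall(r"^\s+inspect (.+)$", m.group(1) if m else "", re.M):
        t = args.split()
        present.add(" ".join(t[:2]) if t[0] == "h323" else t[0])
    return sorted(DEFAULT_INSPECTS - present)
```

feed it the output of "show version" and "show running-config" copied from each ASA; an empty list from missing_inspects and True from license_ok means the box matches the post's baseline.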


IPS


I started with Cisco IPS 6.0.6 at the very beginning and was using the older IDM, but then realized there is a way to use the newer code, so now I'm using IPS 7.0 with the newer IDM. I need to use the same Java version as for ASDM (ASA), so my current version is Java JRE 6u30.

for the INE lab I'm using IPS 7 with 2G of RAM, which is strictly required, and five GigEth interfaces (the guide on how to deploy and run this device is here). the first GigEth interface is Ma0/0 and is for management purposes only.

since Unetlab v1.0.4 the IPS is freezing from time to time, but only from the management point of view. all the traffic passing the other Gig interfaces is fine, signatures are working and the IPS is doing its job. using Wireshark I found that traffic destined to the management IP leaves the switchport connected to the IPS Ma0/0, but the packets are not arriving on the IPS. I was solving this by restarting the whole device to make it work again - that can take some time and it's not comfortable, because the loss of traffic happens approx. every 20 minutes.

I was thinking about how to automate the reload procedure and found that flapping the Ma0/0 interface is sufficient to make it work again. you can use the following expect script (expect needs to be installed on the UNL host via apt-get --> apt-get install expect):


#!/usr/bin/expect
# never give up waiting for a prompt (the IPS can be slow to answer)
set timeout -1
# telnet to the IPS management IP and log in as the service account
spawn telnet 10.0.0.200
expect "login:"
send "service\r"
expect "Password:"
send "ciscoips123\r"
# acknowledge the service-account warning banner
expect "continue"
send "\r"
# become root and flap the linux alias of Ma0/0
expect "b$ "
send "su -\r"
expect "Password:"
send "ciscoips123\r"
expect "#"
send "ifconfig ma0_0 down && ifconfig ma0_0 up\r"
expect "#"
send "exit\r"
expect "b$ "
send "exit\r"


this simple script just uses direct access to the IPS via the management interface and, using the service account, flaps the ma0_0 interface (that is the linux alias for Ma0/0). then you can add the task to the crontab (crontab -e) - just add the following line at the end of the configuration file:

*/15 * * * * ~/lab.INE.IPS.keepalive.sh


this ensures the script connects to the IPS every 15 minutes and flaps the management interface. it's running fine and my IPS has been operational for 3 days now without any issue.

appliances

of course all the appliances are running within ESXi and are connected to the same network as pnet0; additionally one of the SW2 interfaces (e1/3) is also connected to pnet0 to ensure the rest of the UNL network is able to communicate with all the appliances. every VM uses a static IP address from my home subnet (10.0.0.0/24), and I have to adjust the configuration of the INE topology in case there is a dedicated subnet between a network device and an appliance. e.g. if R3 is connected to the ISE with the subnet 136.1.200.0/24, I connect that R3 interface to VLAN99 (my home network VLAN across the whole lab) and configure this interface with a 10.0.0.0/24 IP address to be able to use the ISE.

exceptions

there are a few features that cannot be configured in any kind of IOS in UNL or directly in the ESXi environment, and that's the reason I'm using one real L3 switch. there are some commands (mostly L2 security) that are accepted by the parser but have no effect on the real traffic processing. one example of many is DAI (Dynamic ARP Inspection) - the L2 IOL switch knows the commands and they can be applied in interface configuration mode, but it does nothing. another example is SPAN - L2 IOL doesn't support RSPAN, only LSPAN can be configured, but after I hit enter when defining the source or destination the switch crashes and a reboot is needed. and as stated earlier in this article - 802.1X is only partially supported.

so doing all the tasks from the INE workbook or full labs is a little bit tricky, as you can go two possible ways - the first is to just skip the task because it's not supported or the commands are not accepted or, and that's better imho, configure that task on the physical switch with different IPs/MACs just to be familiar with the syntax, debugs, show commands etc. therefore I suggest you create an additional VMware network and use it between your Windows client VM (assigned to a different physical server eth port) and a dedicated switchport on the physical switch.


so all the appliances are connected through the VMnet to the shared segment (10.0.0.0/24) linked with the server eth0 (vmnic0), using the connection to the network through the Fa0/0 switchport on my HW switch; win7 is additionally connected to VMnet3, which is linked to the server eth1 interface, and eth1 is connected to Fa0/9 on my HW switch. this allows me to use 802.1X (MAB, webAuth, all the guest/sponsor portals etc.) separately without affecting any other VM.

download resources

the only download for this is the UNL lab file, which can be placed in the /opt/unetlab/labs folder; after the IOS/OS image names are updated (to the names you're using within your UNL), just open the lab in the web GUI, run the nodes and use it ...

UNL Lab file of CCIE Security v4 INE (modified)


That's it! how easy ... enjoy and good luck!




your opinions/notes:

Hassan 2017-07-04
thanks for sharing information. But when I open the link it just shows code like we see in HTML language. How can we run the topology?
amin 2017-01-18
Thanks a lot.. I kept trying to bring up the IPS in UNL for the last several days. After following the steps you mentioned it came up and is working fine now..
Mike K 2016-10-10
Hi, may I know which folder should I put the keepalive.sh in unetlab?
asif 2016-08-14
Hello,
I am not able to import this file into UNL because the download is in XML and to import into UNL, the file must be a .zip. I tried to zip this XML and tried again but it still did not work. Need your help. thanks
Zed 2016-05-04
Really appreciate your willingness to share your knowledge and experience with silent followers like myself. Thanks

Copyright © TR2016