Junos On ESXi

Hello All,

I recently started learning JunOS. The best way to learn is by practice, practice and practice.

In this post I will show how to set up JunOS on ESXi for labbing. In another post I will describe the different labs I am doing on this topology.

Once you have ESXi 5.5 up and running, download junos-vsrx-12.1X46-D20.5-domestic.ova or firefly-perimeter-junos-vsrx-12.1X47-D10.4-domestic.ova.

Note that you will need a Juniper login to download. Juniper allows you to create a new account, after which you can download the Firefly Perimeter software.

In my setup I am deploying junos-vsrx-12.1X46-D20.5-domestic.ova.

Once the download is complete, open your vSphere Client and connect to your ESXi server. Once connected, select the Deploy OVF Template option from the File menu.

Select the source of the OVA file you downloaded from your local machine.

The next screen should be similar to the one below after the source has been selected.

Read and accept the end user license.

The next screen will display the name for the virtual machine. You can change this if you would like.

I am naming it Jun-OS-1, as I will be deploying 8 of these and 2 Cisco CSR 1000v for labbing.

Now you need to select the datastore.

Next you will be asked to select the disk format. The default option of Thick Provision Lazy Zeroed is fine, but for better performance you can select Thick Provision Eager Zeroed. To read more on the options go here.

The next screen will ask you for the mappings for the Gigabit Ethernet interfaces that are defined in the OVF file. Just accept the defaults here for now; we will come back to them after the machine is installed, as we need to make a couple of other changes anyway that cannot be done here.

The next screen is a summary screen, so just click Finish and VMware will start importing the OVA file.

It may take a few minutes to import depending on the connection speed between your vSphere client and the ESXi server.

Once your machine is uploaded you can edit its settings.

There are two things we want to do here. First, alter the Network Adapter settings if needed, and second, add a serial port so that we can use the virtual serial console of the JunOS device. This functionality (network-based serial port) requires the Enterprise version of ESXi 5.1. I would recommend that you use the demo version, which gives you 59 days, unless you have to reinstall the demo.

Add the serial port.

Select “Connect via Network”.

Now here is where you want to select “Server” and then enter the IP address of the ESXi server along with the TCP port you want to assign to this machine. Also check “Connect at power on”.

You will need to alter the default security settings of the ESXi server to allow TCP port 9011, or whatever port you selected, so that you can telnet to the JunOS serial port. To alter the security settings go to the ESXi host’s Configuration tab and then select “Security Profile”.

Here you will need to allow TCP port 9011, or, if you are in a lab environment, just select “VM serial port connected over network”, which opens up all TCP high ports. Keep in mind that this serial port is an unauthenticated console, so anyone who can reach that port on the host gets console access; keep the host on an isolated lab network. Now telnet to the IP address of the ESXi host and the port number you entered for the serial port and you should see the router booting.

I will be deploying 8 devices so I will clone them.

To clone the machine, go to the server’s Configuration tab, select the datastore where you installed the JunOS and right-click on it. From there select “Browse Datastore…”.

From here go into the directory for JunOS-1 and copy the contents of the directory. Then click on the root of the datastore and select the folder icon to add a new directory.

Enter the directory name and paste the contents into the new directory. After they have been pasted, right-click on the “Jun-OS-1.vmx” file and select “Add to Inventory”. Change the default name if you would like, select the “Resource Pool” and finally click Finish.

You should now see the second JunOS in your ESXi server’s inventory. From there we will edit its settings to change the TCP port number for the virtual serial port, as two machines cannot share the same port.

In my next post I will show you the logical topology I am building, and then I will show you how to configure it for both IPv4 and IPv6 from scratch.

Stay Tuned!!!!!!!!

Authenticate and Authorize access to Cisco Devices via Microsoft NPS !

Most organizations would love to implement a secure solution that does not cost

Almost every organization uses Microsoft Active Directory, and today I am going to demonstrate a solution for Cisco devices that authenticates users with their AD username and password and authorizes them according to their role, via NPS (Network Policy Server).

Objective:

The organization would like to allow access to network devices using AD usernames and passwords, with a privilege level assigned to each user so that they get the appropriate access to the device based on their support role.

Let’s Get Started!!!!!!!

Today we will deploy Microsoft NPS on Windows Server 2008 R2 and integrate it with Cisco devices.

This will allow us to authenticate and authorize access to the Cisco devices’ command line interface (CLI) with Active Directory credentials.

In addition, the privilege level will be determined and enforced based on Active Directory group membership.


We will create the following groups in Active Directory:

  • Aftab_RO_Access – for users who will have privilege 1 access to Cisco devices
  • Aftab_RW_ACCESS – for users who will have privilege 7 access to Cisco devices
  • Aftab_FullAccess_Network – for users who will have privilege 15 access to Cisco devices

We will also:

  • Configure the Microsoft NPS role on Windows Server 2008 R2
  • Configure Network Policies on NPS/RADIUS
  • Add the Cisco routers/switches to NPS/RADIUS as clients
  • Configure the Cisco devices for RADIUS authentication

The table below lists the users and their groups configured in AD, and the policy name created on NPS.

Users      Groups                      Policy Name
Aftab      Aftab_FullAccess_Network    FullAccess_Network
Support    Aftab_RW_ACCESS             RW_ACCESS
View       Aftab_RO_Access             RO_Access

First we will create 3 users in Active Directory Users & Computers:

This creates the user Aftab. Repeat the same procedure for the other users, i.e. Support and View.

Now we will create Groups in Active Directory Users & Computers.

Adding users to their respective groups

The figure below should be self-explanatory 🙂

Similarly, add the other users to their respective groups as listed in the table above.

Microsoft NPS Server Role Installation

On Server Manager, right-click on Roles and choose Add Roles from the context menu.

In the Roles list, locate Network Policy and Access Services, make sure the checkbox to the left of that role is checked and click Next to proceed to the next installation screen.

Once all components for the new role are installed you will see the Installation Results screen, which indicates whether the whole process went well or errors occurred.

Once done, click Close.

Now go to Start / Administrative Tools and find the Network Policy Server icon, which has been added as a result of the new role installation. Click it to start the NPS management console.

Once you start the NPS management console you can see that one of the components of NPS is RADIUS.

This service is what we are looking for. We need it to provide authentication and authorization for the Cisco devices based on Active Directory credentials and group membership.

Register NPS on Active Directory

First we need to register the Network Policy Server in Active Directory to allow authentication based on the user accounts we have created in our domain.

To authorize NPS in AD:

Log on to the server with NPS using an account with domain admin credentials.

Go to Start / Administrative Tools and then click Network Policy Server.

Right-click on NPS (Local) and from the context menu click Register server in Active Directory.

Confirm that you want to authorize this computer (the server with NPS) to access users’ dial-in properties by clicking OK in the Network Policy Server dialog. Make sure that the authorization happens in the correct domain, as indicated in the message from the system.

Add Cisco router as RADIUS client

To add the router as a RADIUS client:

  • Log on to the server with NPS using an account with admin credentials.
  • Go to Start / Administrative Tools and then click Network Policy Server.
  • Expand RADIUS Clients and Servers.
  • Right-click on RADIUS Clients and click New from the context menu.
  • In the New RADIUS Client window, on the Settings tab, enter:
    • Friendly name of the router – a name to recognize the device, usually the same as its hostname.
    • Address (IP or DNS) – the IP address or hostname of the router; if a hostname is used, it must be registered in DNS before the RADIUS configuration.
    • Shared secret – the passphrase configured on the router, which identifies the router when it requests AAA from RADIUS (in our lab it is Cisco@123).
  • Once confirmed with OK, we will see that the router has been added to the RADIUS configuration as a client.

Adding an NPS Policy:

Finally it’s time to create the Network Policies, which will allow users to access certain devices and enforce a particular privilege level on the Cisco device.

To add a Network Policy:

  • Log on to the server with NPS using an account with admin credentials.
  • Go to Start / Administrative Tools and then click Network Policy Server.
  • Expand Policies.
  • Right-click on Network Policies and click New from the context menu.
  • Client Friendly Name – specify the name of the device(s) from which the operator will have access (in this example the router has hostname Aftab-R1). You can also use a wildcard, for example Aftab-R?, which matches all devices whose name starts with Aftab-R; the question mark in the client name means any string of characters.

Following the above procedure, create another policy for each of:

  • RW_ACCESS
  • RO_Access

Configuration on Cisco IOS

Now we will configure the Cisco router or switch so that when a user attempts to access the device via telnet or SSH, they are authenticated and authorized against the local database first, and if the username or password doesn’t match there, the request goes to RADIUS.

Configuration !!

enable
configure terminal
aaa new-model
! RADIUS server group pointing at the NPS server
aaa group server radius IAS
 server 100.1.1.100 auth-port 1812 acct-port 1813
! Named method lists: local database first, then the NPS group
aaa authentication login userAuthentication local group IAS
aaa authorization exec userAuthorization local group IAS if-authenticated
aaa authorization network userAuthorization local group IAS
aaa accounting exec default start-stop group IAS
aaa accounting system default start-stop group IAS
aaa session-id common
! The key must match the shared secret entered for the RADIUS client in NPS
radius-server host 100.1.1.100 auth-port 1645 acct-port 1646 key Cisco@123
radius-server host 100.1.1.100 auth-port 1812 acct-port 1813 key Cisco@123
! Named method lists only take effect once applied to the VTY lines
! (these three lines are added here; the original post did not show them)
line vty 0 4
 login authentication userAuthentication
 authorization exec userAuthorization

It’s now time for Testing!!!!!!!!!!!!!!!

As user Aftab is a member of group Aftab_FullAccess_Network, he is able to get straight into privileged mode, as the group is configured for privilege level 15.

For Read Only Access !!

As user View is a member of group Aftab_RO_Access, he is able to get into user mode only, as the group is configured for privilege level 1.

Now I am unable to authenticate the user Support. I am able to log in with my other users, but user Support has issues.

On troubleshooting I realized that it failed because I forgot to add this user to the group, i.e. Aftab_RW_ACCESS.

I have added the user to the group. Please see below.

I can now successfully authenticate the User.


There are 16 privilege levels. User mode is level 1. The highest is 15, sometimes referred to as privileged mode. There is also a level 0, which has even fewer options than user mode.

To get into level 15, where you can view configurations and modify them, type enable in user mode. Provided that you have the password, your prompt will change from > to #. You can then enter commands such as show running-config, show startup-config, debug, and configure terminal.

The other levels (2-14) are used for custom access. For instance, if I have a junior admin whom I want to be able to run show run but not config t, I can configure these specific rules to be associated with a particular level. Whatever level you are at, you get access to everything in your level plus all of the commands found at the lower levels.
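As an added example (not the post’s own code), the following Python script shows how the group-to-privilege mapping reaches the router: NPS returns a Cisco-AV-Pair vendor-specific attribute of the form shell:priv-lvl=N in the RADIUS Access-Accept, and the router checks the Response Authenticator with the shared secret (Cisco@123 in this lab) before honouring it. The group names, secret and levels are from the post; the packet layout follows RFC 2865 and the cisco-avpair convention, and it is assumed here that the NPS network policies return exactly that attribute.

```python
import hashlib
import struct

# Lab values from the post; the VSA layout is the standard RADIUS Vendor-Specific
# attribute (RFC 2865 section 5.26) carrying a Cisco-AV-Pair "shell:priv-lvl=N".
SHARED_SECRET = b"Cisco@123"        # shared secret entered in NPS and on the router
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1                     # vendor type for cisco-avpair
GROUP_PRIV = {"Aftab_FullAccess_Network": 15, "Aftab_RW_ACCESS": 7, "Aftab_RO_Access": 1}

def cisco_avpair(text):
    """Encode one Vendor-Specific (type 26) attribute carrying a Cisco-AV-Pair string."""
    payload = text.encode()
    vsa = struct.pack("!BB", CISCO_AVPAIR, 2 + len(payload)) + payload
    return struct.pack("!BBI", 26, 6 + len(vsa), CISCO_VENDOR_ID) + vsa

def access_accept(identifier, request_auth, group):
    """Build the Access-Accept (code 2) NPS would return for a member of `group`."""
    attrs = cisco_avpair("shell:priv-lvl=%d" % GROUP_PRIV[group])
    head = struct.pack("!BBH", 2, identifier, 20 + len(attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(head + request_auth + attrs + SHARED_SECRET).digest()
    return head + resp_auth + attrs

def priv_level(packet, request_auth):
    """Validate the reply as the router does, then extract shell:priv-lvl.
    Returns None on a bad authenticator (wrong secret or tampering), a malformed
    attribute list or an out-of-range level, so a bad reply is never trusted."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 2 or length != len(packet) or length < 20:
        return None
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + SHARED_SECRET).digest()
    if packet[4:20] != expected:
        return None
    pos = 0
    while pos + 2 <= len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            return None                      # malformed attribute: reject the reply
        if atype == 26 and alen >= 8:
            vendor = struct.unpack("!I", attrs[pos + 2:pos + 6])[0]
            sub = attrs[pos + 6:pos + alen]
            if vendor == CISCO_VENDOR_ID and sub[0] == CISCO_AVPAIR and sub[1] <= len(sub):
                text = sub[2:sub[1]].decode("ascii", errors="replace")
                if text.startswith("shell:priv-lvl="):
                    value = text[15:]
                    lvl = int(value) if value.isdigit() else -1
                    return lvl if 0 <= lvl <= 15 else None
        pos += alen
    return None
```

A reply whose authenticator does not verify yields None, which is the case the router hits when the shared secret on the device and in NPS differ.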

SWITCHING TOPOLOGY USING CISCO VIOS – Using Vmware WorkStation

In my previous post, I described how to connect 4 switches using ESXi.

As you are aware, the vIOS-L2 image only takes 384 MB of RAM (I have assigned 512 MB), so we can build the same topology using VMware Workstation.

However, using VMware Workstation there can be a maximum of 19 adapters only.

In order to meet the above requirement, we need 13 cables.

We need to go to VMware Workstation > Edit > Virtual Network Editor.

The very important step here is that when we add the network we must UNSELECT “Connect a host virtual adapter to this network” and also UNSELECT “Use local DHCP service”, then hit Apply.

You need to repeat the procedure for the number of cables you need in your topology. I did this 13 times.

Below are the screenshots of my network adapter settings from the 4 switches:

Once you have applied the above settings, start the switches.

Below is the network diagram for the same.

Hope this helps!!!!!

Cable Connections on ESXi – Switching Topology using Cisco Vios

Today I will show you how to make cable connections between switches using ESXi.

I could not find a proper document, and hence I thought I would write this article so that it might help other engineers using ESXi to build virtual topologies more effectively.

I am using the vIOS-L2 image for this demo. Please do not ask me for this image; I am not going to SHARE it.

I am currently labbing from the Narbik workbook. Please visit http://www.micronicstraining.com/ for their workbook material.

I am going to show you how you can build the above topology virtually. The CCIE R&S version 5 lab is virtual, and hence I thought of implementing the same.

Looking at the above diagram, we see that we would need 4 x Virtual-Switches and 13 cables to interconnect them.

Let’s get started.

First we will create the cable connections so that we can connect the switches.

In order to do that, select ESXi host and then go to Configuration tab and then click Add Networking as shown below.

Once you click Add Networking, follow the procedure shown below.

Select Virtual Machine and click Next.

Make sure you unselect vmnic0, as we just need a cable-type connection between two switches, not an uplink to the physical network.

Once you have unselected it, hit Next.

Give a meaningful name to the Network Label, select VLAN ID 4095 and hit Next.

Now click Finish.

If you look under the Configuration tab, you will see that the network connection has been created and there are no adapters connected to it.

Using the above procedure, I have created 13 such connections.

I have connected 4 switches as per the below diagram.

If we examine the network adapter settings for SW-1, you should set them as shown below.

SW-2 Network Adapter settings :

SW-3 Network Adapter settings :

SW-4 Network Adapter settings :

Please note that the network adapters on these switches start from G0/0 onwards:

  • Network Adapter 1 is G0/0
  • Network Adapter 2 is G0/1
  • Network Adapter 3 is G0/2
  • Network Adapter 4 is G0/3
  • Network Adapter 5 is G1/0
  • Network Adapter 6 is G1/1
  • Network Adapter 7 is G1/2
  • Network Adapter 8 is G1/3
  • Network Adapter 9 is G2/0
  • Network Adapter 10 is G2/1

As per my understanding, Cisco vIOS images support up to 10 network adapters. I might be wrong.

Let me start the switches and see what show cdp neighbor tells us 🙂

Screenshots: show cdp neighbor output on SW-1, SW-2, SW-3 and SW-4.

I will write another post in future with all the labs I do successfully on Vios-L2.

If you are using VMware Workstation then you can only make 19 connections; that is the maximum it supports.

I believe ESXi supports 120 connections, which is more than enough for us to do the labs.