build a test labo for cisco certificate
I like cli environment, so I prefer to use dynagen with dynamips.
The last version of debian which offer dynagen deb package is debian10 buster, so I select it.
Install related packages.
version=0.2.22
sed -i.bak 's/ main$/ main contrib non-free/' /etc/apt/sources.list \
&& apt update && apt upgrade -y \
&& DEBIAN_FRONTEND noninteractive apt install -y \
vpcs \
openvswitch-switch \
snmp snmptrapd \
freeradius \
postfix mailutils \
tcpdump \
tftpd-hpa tftp-hpa \
telnet \
tmux \
&& curl -fsSL https://toolbelt.treasuredata.com/sh/install-debian-buster-td-agent4.sh | sudo sh \
&& wget https://github.com/GNS3/dynamips/archive/refs/tags/v${version}.tar.gz \
&& tar zxf v${version}.tar.gz \
&& rm v${version}.tar.gz \
&& cd dynamips-${version} \
&& apt install -y gcc cmake libelf-dev libpcap-dev make musl-dev linux-headers-amd64 \
&& mkdir -p dynamips-${version}/build \
&& cd dynamips-${version}/build \
&& cmake .. \
&& make \
&& make install \
&& rm -rf dynamips-${version} \
&& apt remove -y gcc cmake make musl-dev linux-headers \
&& apt autoremove -y \
&& apt install -y dynagen
openvswitch
create openvswitch virtual bridge and tap device.
sudo ovs-vsctl show
sudo ovs-vsctl add-br br0
sudo ip link set br0 up
ip link show br0
sudo ip address add 10.2.0.1/24 brd + dev br0
ip address show br0
sudo ip tuntap add dev tap0 mode tap
sudo ovs-vsctl add-port br0 tap0
sudo ip link set tap0 up
sudo ip route add 10.2.0.0/16 dev br0
ip link show tap0
everytime you restart the computer, you have to add tap device to the bridge
sudo ovs-vsctl show
sudo ip address add 10.2.0.1/24 brd + dev br0
sudo ip tuntap add dev tap0 mode tap
sudo ip link set tap0 up
sudo ip link set br0 up
sudo ip route add 10.2.0.0/16 dev br0
ip link show tap0
you have to start dynamips by root user to connect to tap device.
sudo dynamips -H 127.0.0.1:7200
you can start dynagen by your own user.
dynagen labo.net
you can connect tap device to dynamips labo with dynagen using NIO_tap:tap0 like below:
NIO_tap:tap0
vpcs
you can connect vpcs to dynagen using NIO_udp device like below:
NIO_udp:30000:127.0.0.1:20000
rsyslog
change rsyslog config to receive syslog message.
$ sudo cp -pi /etc/rsyslog.conf{,.000}
$ sudo vi /etc/rsyslog.conf
$ diff -u /etc/rsyslog.conf{,.000}
@@ -13,8 +13,8 @@
#module(load="immark") # provides --MARK-- message capability
# provides UDP syslog reception
-module(load="imudp")
-input(type="imudp" port="514")
+#module(load="imudp")
+#input(type="imudp" port="514")
# provides TCP syslog reception
#module(load="imtcp")
@@ -90,7 +90,3 @@
# Emergencies are sent to everybody logged in.
#
*.emerg :omusrmsg:*
-
-
-
-local0.* -/var/log/local0.log
$ sudo touch /var/log/local0.log
$ sudo systemctl restart rsyslog
$ tail -f /var/log/local0.log
chronyd
change chronyd config to serve ntp clock to labo network.
In this example, 10.2.0.0/16 is labo network address range
$ sudo cp -pi /etc/chrony/chrony.conf{,.000}
$ sudo vi /etc/chrony/chrony.conf
$ diff -u /etc/chrony/chrony.conf{,.000}
@@ -29,5 +29,3 @@
# Step the system clock instead of slewing it if the adjustment is larger than
# one second, but only in the first three clock updates.
makestep 1 3
-
-allow 10.2.0.0/16
$ sudo systemctl restart chrony
$ chronyc sources
snmp
on cisco device
# snmp-server community cisco ro
$ snmpwalk -v 1 10.2.0.254 -c cisco 1.3.6.1.2.1.2.2.1.10
$ snmpwalk -v 1 10.2.0.254 -c cisco 1.3.6.1.2.1.2.2.1.16
snmptrap
$ sudo cp -pi /etc/snmp/snmptrapd.conf{,.000}
$ sudo vi /etc/snmp/snmptrapd.conf
$ diff -u /etc/snmp/snmptrapd.conf{,.000}
@@ -16,7 +16,6 @@
#
#authCommunity log,execute,net private
#authCommunity log,execute,net public
-authCommunity log cisco
#
## send mail when get any events
#traphandle default /usr/bin/traptoemail -s smtp.example.org foobar@example.org
$ sudo systemctl start snmptrapd.service
$ tail -f /var/log/messages
on cisco device
# snmp-server host address traps version 1 cisco
# snmp-server enable traps
# int fa0/0
# no shut
freeradius
$ sudo cp -pi /etc/freeradius/3.0/clients.conf{,.000}
$ sudo vi /etc/freeradius/3.0/clients.conf
$ sudo diff -u /etc/freeradius/3.0/clients.conf{,.000}
@@ -266,8 +266,3 @@
# secret = testing123
# }
#}
-client ciscolabo {
- ipaddr = 10.2.0.0/16
- secret = radiussecret
-}
-
$ sudo ls -l /etc/freeradius/3.0/mods-config/files/authorize{,.000}
$ sudo vi /etc/freeradius/3.0/mods-config/files/authorize
$ sudo diff -u /etc/freeradius/3.0/mods-config/files/authorize{,.000}
--- /etc/freeradius/3.0/mods-config/files/authorize 2022-11-19 20:50:54.008631636 +0900
+++ /etc/freeradius/3.0/mods-config/files/authorize.000 2022-08-28 04:29:38.000000000 +0900
@@ -1,4 +1,3 @@
-cisco1 Cleartext-Password := "cisco1pass"
#
# Configuration file for the rlm_files module.
# Please see rlm_files(5) manpage for more information.
restart freeradius and test
$ sudo systemctl restart freeradius
$ sudo apt install -y freeradius-utils
$ radtest cisco1 cisco1pass 127.0.0.1 1812 testing123
$ radtest cisco1 cisco1pass 10.2.0.1 1812 radiussecret
on cisco device
conf t
aaa new-model
radius-server host 10.2.0.1 auth-port 1812 key radiussecret
aaa group server radius freeradius
server 10.2.0.1 auth-port 1812
exit
exit
test
test aaa group freeradius cisco1 cisco1pass port 1812 new-code
config vty settings
conf t
aaa authentication login freeradius group radius
line vty 0 15
login authentication freeradius
telnet from server
telnet 10.2.1.254
td-agent
install fluent-plugin-netflow and change configuration
sudo td-agent-gem install fluent-plugin-netflow
sudo cp -pi /etc/td-agent/td-agent.conf{,.000}
sudo vi /etc/td-agent/td-agent.conf
diff -u /etc/td-agent/td-agent.conf{,.000}
@@ -126,15 +126,3 @@
# path /var/log/td-agent/td-%Y-%m-%d/%H.log
# </store>
#</match>
-
-<match netflow.*>
- @type stdout
-</match>
-
-<source>
- @type netflow
- tag netflow.event
- port 5141
- versions [5, 9]
-</source>
-
test configuration and restart td-agent service
sudo td-agent --dry-run
sudo systemctl restart td-agent.service
on cisco device
conf t
int fa0/0
ip flow ingress
ip flow egress
exit
ip flow-export version 5
ip flow-export destination 10.2.0.1 5141 udp
ip flow-export source fa0/0
end
show ip cache flow
after a while confirm td-agent log file
sudo tail -f /var/log/td-agent/td-agent.log
postfix
$ sudo cp -pi /etc/postfix/main.cf{,.000}
$ sudo vi /etc/postfix/main.cf
$ diff -u /etc/postfix/main.cf{,.000}
@@ -37,11 +37,12 @@
myhostname = ip-10-0-0-73.ap-northeast-1.compute.internal
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
-myorigin = /etc/mailname
-mydestination = $myhostname, ip-10-0-0-73.ap-northeast-1.compute.internal, localhost.ap-northeast-1.compute.internal, , localhost
+mydestination = localdomain, $myhostname, ip-10-0-0-73.ap-northeast-1.compute.internal, localhost.ap-northeast-1.compute.internal, localhost
relayhost =
-mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
+mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 10.2.0.0/16
mailbox_size_limit = 0
recipient_delimiter = +
-inet_interfaces = all
+inet_interfaces = 127.0.0.1, [::1], 10.2.0.1
+default_transport = error
+relay_transport = error
inet_protocols = all
$ sudo systemctl restart postfix
test
$ cat << END | mail -s 'test subject' admin
> test body
> .
> END
test from cisco device
track 1 interface FastEthernet1/0 line-protocol
event manager applet eemtest
event track 1 state down
action 1.0 cli command "enable"
action 2.0 cli command "show int fa1/0"
action 3.0 mail server "10.2.0.1" to "admin" from "labo@example.com" subject "interface down" body "$_cli_result"
tcpdump
Of courese, Dynagen has capture function, if you prefer it, try local SPAN on cisco device
conf t
int fa1/0
no shut
int fa1/15
no shut
exit
monitor session 1 source interface FastEthernet 1/0
monitor session 1 destination interface FastEthernet 1/15
capture stream and save it to file.
sudo tcpdump -i br0 -w capture.dump
sudo tcpdump -r capture.dump -n -e -v -x | less
tftp
get test
$ echo helloworld | sudo tee -a /srv/tftp/helloworld
$ tftp 10.2.0.1 -c get helloworld
put test
$ mv helloworld helloworld.1
$ sudo touch /srv/tftp/helloworld.1
$ sudo chmod 766 /srv/tftp/helloworld.1
$ cat << END | tftp 10.2.0.1
> put helloworld.1
> END
before test on cisco device
$ sudo touch /srv/tftp/running-config
$ sudo chmod 766 /srv/tftp/running-config
test
# copy start tftp://10.2.0.1/running-config
confirm
$ ls -l /srv/tftp/running-config{,.bak}
$ sudo cp -pi /srv/tftp/running-config{,.bak}