Friday, November 14, 2014

GNS3 - ASAv and XRv and IOU and XEv

I am able to run ASAv and XRv and IOU and XEv on my laptop, forming OSPF neighbor relationships between them.

I then pinged each loopback from the ASA and also pinged each loopback from IOU. This test shows:
  • One way broadcast and one way unicast are working - ARP
  • Unicast is working - ICMP
  • Multicast is working - OSPF

All thanks to GNS3 v1.1. Isn't it great?

Here is the topology:


And here are some show commands from the ASA:


GNS3 integration with VirtualBox is very useful. Whatever you can run inside VirtualBox, you can connect to each other, with endless possibilities.

My system76 laptop is running Ubuntu 14.04, 16GB, i7 and SSDs.

I was using the following resources:





Thursday, November 6, 2014

Alteon - each server is different

Lab goal

Create VIP 10.136.6.16 with the following servers/reals:
  • "r8080" - 10.136.85.1 port 8080
  • "r8081" - 10.136.85.2 port 8081
  • "r8082" - 10.136.85.3 port 8082
The group name should be "gMulti".

Setup

I'll use my Loadbalancer Lab Setup.

The loadbalancer is Radware's Alteon VA version 29.5.1.0

The initial Alteon VA configuration can be found here.

Alteon configuration

First, let's add the reals.



 1  /c/slb/real r8080
 2         ena
 3         ipver v4
 4         rip 10.136.85.1
 5         addport 8080
 6  /c/slb/real r8081
 7         ena
 8         ipver v4
 9         rip 10.136.85.2
10         addport 8081
11  /c/slb/real r8082
12         ena
13         ipver v4
14         rip 10.136.85.3
15         addport 8082
16  /c/slb/group gMulti
17         ipver v4
18         add r8080
19         add r8081
20         add r8082
21  /c/slb/virt 6_16
22         ena
23         ipver v4
24         vip 10.136.6.16
25  /c/slb/virt 6_16/service 80 http
26         group gMulti
27         rport 0

  • Lines 1-15: Configure the real servers
    • Notice the addport command, which sets the port being used by the server.
  • Lines 16-20: Create a new group and add the previously defined servers
  • Lines 21-27: Create the VIP
    • Notice line 27: rport 0 tells the Alteon to use the port configured on each real server.

Test


Notice the SRV_PORT and SRV_ADDR, which show that the 808X port is being used.

But a better way to see that is to look at the sessions in the session table:



>> LB1 - Session Table Information# /i/slb/sess/cip 10.136.3.1 

 Printing Sessions for SP 1
1,01: 10.136.3.1 50040, 10.136.6.16 http -> 2094 10.136.85.3 8082 tcp age 10 v:1  E
1,01: 10.136.3.1 50041, 10.136.6.16 http -> 2095 10.136.85.2 8081 tcp age 10 v:1  E
1,01: 10.136.3.1 50042, 10.136.6.16 http -> 2096 10.136.85.1 8080 tcp age 10 v:1  E
1,01: 10.136.3.1 50043, 10.136.6.16 http -> 2097 10.136.85.3 8082 tcp age 10 v:1  E
1,01: 10.136.3.1 50044, 10.136.6.16 http -> 2098 10.136.85.2 8081 tcp age 10 v:1  E
1,01: 10.136.3.1 50046, 10.136.6.16 http -> 2100 10.136.85.3 8082 tcp age 10 v:1  E
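
An added example (not part of the original post): a Python check that parses the real-server stanzas and the session-table lines shown above and flags any session to the VIP whose real IP and port pair was not configured with addport. The field layout of the session line is inferred from the sample output on this page, and the function names are hypothetical.

```python
import re

# Real-server stanzas from the page's configuration, trimmed to the lines read here.
CONFIG = """\
/c/slb/real r8080
       rip 10.136.85.1
       addport 8080
/c/slb/real r8081
       rip 10.136.85.2
       addport 8081
/c/slb/real r8082
       rip 10.136.85.3
       addport 8082
"""
# Two session-table lines copied from the page's output.
SESSIONS = """\
1,01: 10.136.3.1 50040, 10.136.6.16 http -> 2094 10.136.85.3 8082 tcp age 10 v:1  E
1,01: 10.136.3.1 50041, 10.136.6.16 http -> 2095 10.136.85.2 8081 tcp age 10 v:1  E
"""
# Field layout inferred from the sample output (an assumption), not from Alteon docs.
SESSION_RE = re.compile(
    r"^\S+:\s+(?P<cip>\S+) (?P<cport>\d+), (?P<vip>\S+) (?P<svc>\S+) -> "
    r"\d+ (?P<rip>\S+) (?P<rport>\d+) (?P<proto>\w+)")

def real_ports(config):
    """Map each real server's rip to the ports set with addport."""
    reals, cur = {}, None
    for line in config.splitlines():
        w = line.split() or [""]
        if w[0] == "/c/slb/real":
            cur = reals.setdefault(w[1], {"rip": None, "ports": set()})
        elif w[0].startswith("/c/"):
            cur = None  # left the real-server menu
        elif cur is not None and w[0] == "rip":
            cur["rip"] = w[1]
        elif cur is not None and w[0] == "addport":
            cur["ports"].add(int(w[1]))
    return {r["rip"]: r["ports"] for r in reals.values() if r["rip"]}

def unexpected_sessions(config, sessions, vip):
    """Return (rip, rport) of sessions to vip that hit an unconfigured pair."""
    allowed = real_ports(config)
    bad = []
    for line in sessions.splitlines():
        m = SESSION_RE.match(line.strip())
        if m and m["vip"] == vip:
            if int(m["rport"]) not in allowed.get(m["rip"], set()):
                bad.append((m["rip"], int(m["rport"])))
    return bad
```

An empty list from unexpected_sessions(CONFIG, SESSIONS, "10.136.6.16") means every session landed on a port that its real server was configured with.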

Summary

As usual, the configurations are simple and straightforward.

Tuesday, November 4, 2014

Alteon SSL key import woes

I was trying to import a new certificate with an SSL key, but it was without success.

But as usual, before trying that on production, I tried that on my lab setup. It was done without any problems.

But when trying with the production Alteon, running the same 29.5.1 version, I got this message:

> -----END RSA PRIVATE KEY-----
Enter key passphrase:
Error: The private key is not a valid RSA key

Error: Failed to extract key XXXXX


After trying it several times and comparing some random strings inside the key, I noticed a lag when I pasted the key to the production Alteon. The reason for the lag was SecureCRT, which was configured to insert delays between keys. This feature is extremely useful when pasting large text into NX-OS.


My lab setup is with the default Line Send delay of 5ms and Character send delay of 0ms.

So I tried to use the lab SecureCRT delay setup on my production Alteon, and to my surprise it worked!

So to sum up: when pasting to Alteon 29.5.1, you had better use the default SecureCRT delay settings.

One more thing and this will save you precious time digging through the command reference:

"key" and "srvrcert" names must be identical