Monday, December 14, 2020

Cisco Nexus ITD and Windows Server

Cisco Nexus switch offers ITD (Intelligent Traffic Director) services, which is like a load balancer. Here is a deployment guide: https://alln-extcloud-storage.cisco.com/ciscoblogs/ITD_DSR_Deployment_Guide_v5.pdf

Per Cisco, ITD won't support FEX. All the servers need to be directly connected to the Nexus switch directly.


In this example, I have a pair of Nexus 9K in VPC mode and two servers and a client. Here is a simple topology:















To make this work, there are two side of the configurations - Nexus side and Server side. 


On Nexus side:

Cisco has plenty of documents to outline the configuration tasks on Nexus side. See the deployment guide for details. Below is a sample of relevant configuration:

Nexus9396-Lab# sh running-config

......

feature pbr

feature interface-vlan

feature sla sender

feature sla responder

feature itd

......

vlan 201
  name Server_VLAN
vlan 202
  name iis
vlan 203
  name Workstation_VLAN
......

interface Vlan201
  description Server_VLAN_192.168.201.0/24
  no shutdown
  no ip redirects
  ip address 192.168.201.1/24

interface Vlan203
  description Workstation_VLAN_192.168.203.0/24
  no shutdown
  no ip redirects
  ip address 192.168.203.1/24

itd device-group servers
  probe icmp frequency 5
  node ip 192.168.201.10
  node ip 192.168.201.11


itd arr-lb
  device-group servers
  virtual ip 100.100.100.1 255.255.255.255 advertise enable device-group servers
  ingress interface Vlan201
  ingress interface Vlan203
  failaction node reassign
  load-balance buckets 2
  no shut



##########################################


On server side, 

1. Install a loopback interface on each server and assign the same virtual IP (e.g. 100.100.100.1/32) to this loopback interface o

2. Enable LAN routing on the server. Without this step, traffic will be lost after redirected from Nexus to the server via its primary IP.


Install loopback adapter on windows server 2019

1. Click on Start, and run hdwwiz,













2. click on Next









3. Select "Install the hardware that I manually select from a list (Advanced)

s4. Select "Network adapters" and go Next









5. select Microsoft in the left, and Microsoft KM-TEST Loopack Adapter in the right, and go Next, Next, and Finish






Assign loopback interface the same virtual IP on both servers:



Enable Routing on both Servers:

1. From Server Manager, select Add Roles and Features




















2. Select Remote Access and go Next, Next, Next















3. Select Routing and click Add Features. This will select DirectAccess ad VPN (RAS). Ignore it now and go Next and Install














4. After the installation, ope Routing and Remote Access console from Server Manager












5. Right click the server in the right pane and select "Configure and Enable Remoting and Remote Access"














6. Click Next in the Routing and Remote Access Server Setup Wizard















7. Select "Custom configuration" and go Next














8. Select "LAN routing" and go next and Finish
















9. Click on "Start service"












Now you can ping the virtual IP you have defined in ITD service from the client machine. 















Other validation tasks you can do on Nexus switch is to run "show itd servers statistics" and disable one server, wait for 5 seconds, and run the show command one more time. You will see the traffic will be routed to the second server.
Posted by at No comments:

Monday, November 9, 2020

How to set up CheckPoint R80.40 Lab on EVE-NG from the Ground Up

 

I was a fan of GNS3. Lately, I found EVE-NG is more capable for large and dynamic labs. I will share how to set up EVE-NG on a ESXi server and how to set up a Check Point lab on EVE-NG. Nothing is new, just hope this could save you some time. 



Hardware, Software, and Topology


Hardware:

• Server: IBM x3690 X5 with 12-core Xeon E7 CPU, 144GB RAM, 2TB HDD

• Laptop: Dell Latitude

• Router: Asus Wireless router with 4 Gigabit ports


Software:

• ESXi 6.7

• EVE-NG Community edition 2.0.3-110 (https://www.EVE-ng.net/index.php/download/)

• EVE-NG Windows  Integration Pack ( - includes: Wireshark, UltraVNC, Putty, Plink, etc.)

• SuperPutty

• Cisco IOU i86bi-linux-l2-adventerprisek9-15.2d.bin (http://gns3.xyz/files/Downloads/Cisco-IOU-L2-L3-Collection-v4/bin/)

• Checkpoint R80.40 ISO

• Windows 2016 ISO

• CentOS ISO


Topology:
 







Start your configuration

First, set up your laptop:

1. Install EVE-NG Client Pack on your laptop

After installation, go to C:/Program Files/EVE-NG, rename “putty.exe” to “putty123.exe” 


2. Install SuperPutty (64-bit) on your laptop


After installation, copy the content of C:/Program Files(x86) /SuperPuTTY to C:/Program Files/EVE-NG, and rename “SuperPutty.exe” to “putty.exe”. This will make Superputty your default SSH client so that you can open multiple tabs in one SSH window.  


3. Install WinSCP on our laptop



Second, set up ESXi on your VM Host


This is straightforward and I used all the default settings. If you have any questions, please check out this video: https://youtu.be/WZQ6lVSkq4w

After the ESXi is installed, assign static IP for the host. In my case, I used 192.168.1.249, mask 255.255.255.0, gateway 192.168.1.1, DNS 192.168.1.1




Third, install EVE-NG on VM host


• Deploy a virtual machine (EVE-NG-Demo) using ovf. Detailed procedures can be found in this video: https://youtu.be/UYGoFyVqpYU

• I used following settings:

 

  • IP 192.168.1.200, mask 255.255.255.0, gateway 192.198.1.1; domain name: example.com; DNS: 192.168.1.1, 8.8.8.8; NTP:192.168.1.1; Proxy Server Configuration: direct connection;
  • The default hard drive for the virtual machine is 50 GB. You will need to add additional drive space (e.g. 200G) by shutting down the virtual machine and add another virtual hard drive.




Fourth, add nodes to the EVE-NG VM

Eve-NG is very sensitive to upper/lower case in file or folder name. If the How-to's uses all lower case or has a hyphen in file or folder name, please follow it exactly. 

Install Cisco IOL Image

o https://www.eve-ng.net/index.php/documentation/howtos/howto-add-cisco-iol-ios-on-linux/

and here is another reference link: https://youtu.be/OiPY3N1Tehk

o There might be a bug in the image and you will need to add “no ip cef” in the layer 3 switch configuration later.

Install Windows Image 

https://www.eve-ng.net/index.php/documentation/howtos/howto-create-own-windows-server-on-the-eve/

          EVE-NG is very sensitive to syntax and you need to have a hyphen in the folder name. 

Install Linux Image

o https://www.eve-ng.net/index.php/documentation/howtos/howto-create-own-linux-host-image/

o I had bad luck with the ready to use Linux image and used a fresh CentOS iso.

Install CheckPoint Image:

• Here are two links on how to set up CheckPoint image. Same procedure for R80.40 as previous version.

o https://www.eve-ng.net/index.php/documentation/howtos/howto-add-checkpoint/

o https://community.checkpoint.com/t5/General-Topics/Deploying-Check-Point-Solution-R80-40/td-p/94267



We are almost ready to set up the lab. Let’s double check the ESXi host’s virtual switch setting:
  





Just a reminder, 192.168.1.249 is the ESXi Host IP. EVE-NG virtual machine’s IP is 192.168.1.200.



Finally, setting up the lab

• On your laptop, from either Chrome or Firefox, go to https://192.168.1.200. The default username and password: admin & eve


 
• Add a new lab:
 


• Right click on the lab screen to bring up “Add a new object” menu and select Node:
 


• Checkpoint Security Gateway VE, Cisco IOL, Linux Host, and Windows host should be highlighted. Those are the images you have added in the previous setup. Select Checkpoint Security Gateway VE


 
• Create 4 Checkpoint nodes with 6 interfaces. One will be a management server, two will be the main site firewall gateway cluster, and the last one will be the branch office gateway.


 
• Repeat the same process to create two Windows servers with 2 interfaces and one Linux server with two interfaces:


  
• Add 4 Cisco IOL switches with 3 port groups:
 


• Finally, add a network object. This will be the access to the internet for all your lab nodes.

 

• You can right click on the node and modify the node name, Console access method, etc. See example below:
 



Here is a final topology for the lab.


 
What I have not included in the above topology is that from all the nodes, you can have a link to the INTER_Net node. This dual-homed connection is to allow all the nodes to directly connect to your WIFI router/Internet temporarily to download patches or applications. For example, the Linux web server will need the httpd package. Here is a KB (https://www.digitalocean.com/community/tutorials/how-to-install-the-apache-web-server-on-centos-7) on how to set up a website on the Linux server. 

By default, Check Point has 15-days evaluation license. To extend that, you will need to get eval licenses from Check Point for each node you are running: 

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk102029

After you generated license file for each note, you can download them to your local machine. Then copy them to Win_MGMT server in your lab.

To apply the lab, you will need to copy the license files to each CP node. I used WinSCP on the Win_MGMT machine. I ran into an issue when I tried WinSCP and got a message saying the packet size is too large. To resolve that, please follow this link and change default shall for "admin" account:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk42178

After you WinSCP to the MGMT and GWs, transfer the "CPLicenseFile.lic" you got from Check Point to the default location and run following command on MGMT or GWs:

cplic put -l CPLicenseFile.lic


Posted by at 1 comment:
Labels: , , , , , , , , ,
Subscribe to: Posts (Atom)