Sunday, June 7, 2009

Check Point Firewall Virtual Setup

Introduction

After using Cisco Systems’ PIX firewall for some time, I decided to give Check Point firewalls a go. Most of you are probably aware of how efficient and user-friendly it is to configure Check Point’s ZoneAlarm firewall for endpoint security. This is exactly what you get even with their enterprise-level products! Configuring Check Point VPN-1 NGX65 is such a breeze and its GUI never gets in the way. Rather, SmartDashboard, the GUI for managing Check Point firewalls, gives you access to advanced features with relative ease. For instance, Database Revision Control allows you to revert to a previous firewall policy as easily as you can install a new one!

In this post, I will describe my experience working with this firewall deployed as a VMware virtual machine and tested using a couple of Cisco routers on Dynamips, all using just two Windows XP laptops (call them Laptop A and B). This is consistent with all my other postings here. This setup may provide you with the necessary hands-on experience if you are interested in pursuing a Check Point certification (such as CCSA). This is however NOT a tutorial on how to install and configure Check Point. Instead, I aim to show how you can set up a Check Point firewall in a lab setting and see it in action filtering traffic between two networks.


Scenario

The objective of this lab is to enable a Check Point VPN-1 firewall in a mostly virtual environment, but still observe the firewall in live action. Using VMware ESX 2.0, I created a virtual machine with 512 MB RAM, 15 GB disk, and, most importantly, two bridged network adapters for inside and outside access, respectively. I ensured that the bridged interface (vmnet0 by default) is bridged to Laptop A’s physical NIC port.

To represent the inside network, a Cisco 3640 router is used. This router will provide Telnet as well as HTTP services to the outside network. To allow interaction between the Dynamips hypervisor and the Check Point virtual machine (CPVM), I linked my NIC’s NIO device to Dynamips’s Ethernet switch S1, since CPVM is already bridged to the NIC. Also, as I will run SmartDashboard from Laptop A, I need to connect a loopback adapter to S1 as well. Some of you might have noticed that this actually places both CPVM’s inside and outside interfaces on the same broadcast domain! (Good, at least you are alert..) Here comes the magic of VLANs! I will place the inside interface in the native VLAN 1, and assign the outside interface to VLAN 100. This completes the setup on Laptop A (consisting of the cpfirewall, WEB1 and S1 objects in Fig. 1).

Laptop B is physically connected to Laptop A using a crossover UTP cable (shown as a red line in Fig. 1). It is mainly used to represent the outside network to CPFW. There are many ways to assign suitable addresses to both laptops’ NICs. I decided to use another Cisco 3640 router, running on Laptop B, as the DHCP server to dynamically assign addresses in VLAN 100 to both NICs. As before, to link router D1 to the physical NIC, I connected the appropriate NIO device to Ethernet switch S2, which is in turn linked to FastEthernet0/0 of the router. That is the full scenario! Phew.. It might appear a bit convoluted, but use the following figure to help you understand and visualise it.


Fig. 1: Network diagram for this setup (link pattern shows VLAN membership). cpfirewall runs on a VMware virtual machine.


Check Point Virtual Machine

It does not matter which virtualisation software you use to create this virtual machine; use whatever you have at your disposal. I had VMware ESX 2.0 installed on my machine, so I just used its VI Web Access management console to create the virtual machine, as shown in Fig. 2. For the Check Point installation, I chose the Standalone deployment, which means the firewall as well as the management application (i.e. SmartCenter Server) is installed on the same VM.


Fig. 2: The VMware ESX management console after CPFW is created.

Before you install the firewall software, you need to have an OS installed first. You can use a standard server OS or Check Point’s own OS, SecurePlatform, which is a modified version of Red Hat Enterprise Linux 3.0. I went with the latter option. To get access to Check Point’s software, you can download the ISO images from their website or get the evaluation CD from their office. The installation of both the OS and the firewall product is rather straightforward; just follow their Getting Started Guide. It took me around an hour to complete this step. During the installation, you need to specify the firewall’s host name, domain name, interface information and routing. The following is what I used:

host name: cpfirewall
domain name: km.net
eth0 IP: 192.168.100.1/24
eth1 IP: 192.168.124.7/24

Once you have installed and brought up the firewall VM, you can install the SmartConsole applications (GUIs for firewall configuration and tracking) on the host machine itself, NOT in the VM. Just follow the setup wizard through a series of questions to complete the installation. Before you can access the firewall configuration through SmartConsole, you need to add your host’s IP to the allowed client list on the firewall (run cpconfig and choose option 3). In Fig. 3, I have included the address range 192.168.100.1 – 30 as trusted GUI client hosts.


Fig. 3: Add a trusted client host for remote access.

When you start SmartDashboard, you will be prompted to provide login details that you have already configured during the firewall installation, as follows.


Fig. 4: SmartDashboard login window.

Dynagen .net files

To enable the inside network of the CPFW, I have used the following Dynagen setup on Laptop A.

autostart = false
ghostios = true
sparsesmem = true
mmap = true
model = 3640

[localhost:7200]
[[3640]]
image = \Program Files\Dynamips\images\C3640-JK.image
ram = 96
idlepc = 0x603bc51c
[[ROUTER WEB1]]
f0/0 = S1 1

[[ETHSW S1]]
1 = access 1
2 = dot1q 100 NIO_gen_eth:\Device\NPF_{DCF3D8E4-D5BB-4E84-A712-97D6393034B8} #NIC
3 = access 1 NIO_gen_eth:\Device\NPF_{192F6952-5AEA-4B4A-8AC0-B07086BA6FAC} #lo0

Router WEB1 will be used as the Telnet and Web server for the inside network, and is linked to S1. S1 is also connected to Laptop A’s NIC port and a loopback adapter, loopback0. S1’s ports 1 and 3 are on VLAN 1, whereas port 2 is a trunk port with native VLAN 100. This port is used to link to Laptop B.

As for Laptop B, a simple environment to provide DHCP service to the physical NIC of both laptops is needed. I have used a similar setup as above.

autostart = false
ghostios = true
sparsesmem = true
mmap = true
model = 3640

[localhost:7200]
[[3640]]
image = \Program Files\Dynamips\images\C3640-JK.image
ram = 96
idlepc = 0x603bc51c
[[ROUTER D1]]
f0/0 = S2 1
[[ETHSW S2]]
1 = access 100
2 = dot1q 100 NIO_gen_eth:\Device\NPF_{A91A2A20-659A-4291-8C10-E727878AEFF7} #NIC

The most important thing to note here is that S2’s port 1 is in VLAN 100 and port 2 is a trunk port with native VLAN 100.


Router WEB1 Configuration in Laptop A

1. Configure IP address and bring up fa 0/0.

interface FastEthernet0/0
ip address 192.168.100.2 255.255.255.0

2. Configure a default route to CPFW, which acts as the gateway for the inside network.

ip route 0.0.0.0 0.0.0.0 192.168.100.1

3. Enable DHCP service for the laptop’s loopback0 interface. I also ensured that only 1 address is available for lease. This interface will serve as the inside interface for Laptop A’s GUI access to CPFW.

ip dhcp excluded-address 192.168.100.1 192.168.100.10
ip dhcp excluded-address 192.168.100.12 192.168.100.254
!
ip dhcp pool forloopback
network 192.168.100.0 255.255.255.0
default-router 192.168.100.1

4. Verify that the HTTP service is enabled, and then enable Telnet access.

ip http server
!
line vty 0 4
password mypass
login


Router D1 Configuration in Laptop B

1. Configure IP address and bring up fa 0/0.

interface FastEthernet0/0
ip address 192.168.124.5 255.255.255.0

2. Configure a default route to CPFW’s outside interface.

ip route 0.0.0.0 0.0.0.0 192.168.124.7

3. Enable DHCP service for both laptops’ physical NICs on VLAN 100. I ensured just two addresses are available for lease.

ip dhcp excluded-address 192.168.124.1 192.168.124.99
ip dhcp excluded-address 192.168.124.102 192.168.124.255
!
ip dhcp pool extlan
network 192.168.124.0 255.255.255.0
default-router 192.168.124.7
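To check that the excluded-address ranges really leave only the intended leases (one for loopback0 on WEB1, two for the physical NICs on D1), here is a small Python script I have added for this post; it is not part of the original configuration. It parses the two pool snippets above, copied verbatim, and lists the addresses IOS would still be able to hand out. The parser only handles the `ip dhcp excluded-address` and pool `network` statements, which is all these snippets use.

```python
import re
from ipaddress import ip_address, ip_network

# Regexes for the two IOS lines that decide the lease pool: the global
# 'ip dhcp excluded-address LOW [HIGH]' statements and the pool's 'network' line.
EXCLUDED_RE = re.compile(r"^\s*ip dhcp excluded-address (\S+)(?: (\S+))?\s*$", re.M)
NETWORK_RE = re.compile(r"^\s*network (\S+) (\S+)\s*$", re.M)


def leasable_addresses(config: str) -> list[str]:
    """Return the addresses an IOS DHCP pool can still lease.

    IOS hands out any host address of the pool's network that is not covered
    by an 'ip dhcp excluded-address' range (ranges are inclusive; a single
    address excludes just itself).  Exclusions are global to the router, so a
    config with several pools should be fed one pool at a time.
    """
    net_match = NETWORK_RE.search(config)
    if net_match is None:
        raise ValueError("no 'network' statement in the pool configuration")
    network = ip_network(f"{net_match.group(1)}/{net_match.group(2)}")

    excluded: set[int] = set()
    for low, high in EXCLUDED_RE.findall(config):
        low_i = int(ip_address(low))
        high_i = int(ip_address(high)) if high else low_i
        excluded.update(range(low_i, high_i + 1))

    return [str(h) for h in network.hosts() if int(h) not in excluded]


# The two pool configurations from the post, copied verbatim.
WEB1_DHCP = """\
ip dhcp excluded-address 192.168.100.1 192.168.100.10
ip dhcp excluded-address 192.168.100.12 192.168.100.254
!
ip dhcp pool forloopback
 network 192.168.100.0 255.255.255.0
 default-router 192.168.100.1
"""

D1_DHCP = """\
ip dhcp excluded-address 192.168.124.1 192.168.124.99
ip dhcp excluded-address 192.168.124.102 192.168.124.255
!
ip dhcp pool extlan
 network 192.168.124.0 255.255.255.0
 default-router 192.168.124.7
"""

if __name__ == "__main__":
    for name, cfg in (("WEB1 / forloopback", WEB1_DHCP), ("D1 / extlan", D1_DHCP)):
        addrs = leasable_addresses(cfg)
        print(f"{name}: {len(addrs)} leasable address(es): {', '.join(addrs)}")
```

The WEB1 pool leaves exactly 192.168.100.11 for the loopback adapter, and the D1 pool leaves 192.168.124.100 and .101, which is what you should later see in the DHCP bindings on D1.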


Check Point Firewall Configuration

Writing about VPN-1 configuration would take at least a book in itself! Here, I can only discuss the basics of object definition and their subsequent use in creating and deploying a security policy for firewall filtering. Figure 5 depicts the SmartDashboard interface that is used to configure and track Check Point firewalls remotely. The screen layout is that of a rather standard Windows application. Below the toolbars, you can see the Network Objects tree on the left and the security rules on the right. Since we are interested in the firewall features of VPN-1, these are the relevant content panes for our discussion.


Fig. 5: A screen-shot of SmartDashboard for Check Point firewall configuration.

In our scenario, we want to allow all outgoing traffic from the inside network to the outside, and selectively allow outside traffic inside. A rule has at least five elements, namely source, destination, service, action and track. SmartDashboard makes it very easy to create network objects, which can then be referred to in the rules. In Fig. 5, you can see that there is a Check Point object for the firewall, two Node objects (one for Laptop B and one for router WEB1) and two Network objects (one each for the inside and outside network addresses). To allow all outbound traffic, rule 2 is created. As you can see, the Internal object is referred to in rule 2 as the source. If the internal network number is changed for whatever reason, you just need to update the Internal network object in the Network Objects tree; any reference to it in the security policy is updated automatically! To selectively allow inbound traffic, rules 3 and 4 are created. Rule 3 allows Laptop B to access WEB1 for the telnet service only, and this is logged. Rule 4 allows traffic from Partner_Net to WEB1 for telnet and TFTP only, which is also logged.
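What makes a rule base like this work is that the firewall evaluates it top-down and stops at the first match, so the order of rules is part of the policy. To make that concrete, here is an added Python model of the rule base as described above; it is my illustration for this post, not Check Point code, and it does not reproduce any of the inspection engine. Object names and addresses come from this post, Partner_Net is assumed to be the outside network 192.168.124.0/24, and rule 1 is modelled as the post describes it (ICMP sent to the gateway itself is dropped). Feed it a packet and it reports which rule fired, the action and whether it is logged.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ANY = "Any"

# Network objects named in the post, with the addresses given earlier in it.
# Partner_Net is assumed here to be the outside network 192.168.124.0/24.
OBJECTS = {
    "cpfirewall": ["192.168.100.1/32", "192.168.124.7/32"],
    "Internal": ["192.168.100.0/24"],
    "Partner_Net": ["192.168.124.0/24"],
    "LaptopB": ["192.168.124.100/32"],
    "WEB1": ["192.168.100.2/32"],
}

# Service objects: protocol and (for TCP/UDP) destination port.
SERVICES = {
    "telnet": ("tcp", 23),
    "tftp": ("udp", 69),
    "http": ("tcp", 80),
    "icmp": ("icmp", None),
}


@dataclass(frozen=True)
class Rule:
    number: int
    source: str
    destination: str
    services: tuple
    action: str   # "accept" or "drop"
    track: str    # "log" or "none"


# The rule base as the post describes it: rule 1 protects the gateway itself,
# rule 2 lets everything out, rules 3 and 4 selectively let traffic in, and the
# cleanup rule at the bottom drops whatever is left (and logs it).
RULEBASE = [
    Rule(1, ANY, "cpfirewall", ("icmp",), "drop", "log"),
    Rule(2, "Internal", ANY, (ANY,), "accept", "none"),
    Rule(3, "LaptopB", "WEB1", ("telnet",), "accept", "log"),
    Rule(4, "Partner_Net", "WEB1", ("telnet", "tftp"), "accept", "log"),
    Rule(5, ANY, ANY, (ANY,), "drop", "log"),   # cleanup rule
]


def address_matches(obj_name: str, address: str) -> bool:
    if obj_name == ANY:
        return True
    addr = ip_address(address)
    return any(addr in ip_network(net) for net in OBJECTS[obj_name])


def service_matches(services: tuple, proto: str, dport: Optional[int]) -> bool:
    if ANY in services:
        return True
    for name in services:
        svc_proto, svc_port = SERVICES[name]
        if svc_proto == proto and (svc_port is None or svc_port == dport):
            return True
    return False


def evaluate(src: str, dst: str, proto: str, dport: Optional[int] = None):
    """Evaluate a packet top-down and return (rule number, action, track) of the
    first rule that matches.  Nothing below the first match is ever consulted."""
    for rule in RULEBASE:
        if (address_matches(rule.source, src)
                and address_matches(rule.destination, dst)
                and service_matches(rule.services, proto, dport)):
            return rule.number, rule.action, rule.track
    raise RuntimeError("no rule matched; the policy needs a cleanup rule")


if __name__ == "__main__":
    samples = [
        ("192.168.124.100", "192.168.100.2", "tcp", 23),     # Laptop B telnet to WEB1
        ("192.168.124.100", "192.168.100.2", "icmp", None),  # tracert from Laptop B
        ("192.168.124.100", "192.168.124.7", "icmp", None),  # ping the gateway
        ("192.168.100.2", "192.168.124.100", "tcp", 80),     # WEB1 going out
    ]
    for pkt in samples:
        print(pkt, "->", evaluate(*pkt))
```

Two things the model makes visible: the ICMP probes of a Windows tracert from Laptop B never reach rule 3 or 4 and fall through to the cleanup rule, which is exactly what the verification step later in this post shows, and with the services listed here HTTP from Laptop B would also hit the cleanup rule, so the web access shown in Fig. 6 implies the actual policy in Fig. 5 permits HTTP as well.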


Configuration Verification

The setup is now complete! If you have followed all the above steps carefully, it should work. Let’s try a couple of verification steps to ensure all works as expected.

1. Verify that both NICs have received addresses from D1. On D1, execute:

WAN#sh ip dhcp bindings
Bindings from all pools not associated with VRF:
IP address Client-ID Lease expiration Type
192.168.124.100 0108.0046.bfc0.3d Mar 02 2002 12:05 AM Automatic
192.168.124.101 0100.a0d1.31f0.f5 Mar 02 2002 12:05 AM Automatic

2. From inside the CPFW virtual machine, ping both inside and outside endpoints to ensure connectivity. You can’t ping the firewall from any of the endpoints because it drops any ICMP packets sent to itself (Rule 1).

3. On Laptop B, open the browser and access WEB1 with its IP address. If firewall rules are set as above, you should see the following.


Fig. 6: Basic Web server of WEB1 as seen from Laptop B.

To verify that web access is logged as per the rule definition, open SmartView Tracker, which is a log tracking application of the SmartConsole suite. In Fig. 7, the last three lines of logs in green represent the allowed access to www.km.net web traffic from 192.168.124.100.


Fig. 7: Logs from the firewall accessed using SmartView Tracker.

4. Now, try to access a service that is not allowed from the outside network. I tried to traceroute from Laptop B to WEB1, and this is what happened:

C:\tmp>tracert 192.168.100.2

Tracing route to 192.168.100.2 over a maximum of 30 hops

1 * * * Request timed out.
2 * * * Request timed out.
3 ^C

The firewall has dropped the traffic as expected. Check the logs and verify that Cleanup Rule has kicked in!

That’s it! I hope this assists you in your journey. I would love to hear your experience as well..

Thursday, June 4, 2009

IP over ATM Configuration on Dynamips

Introduction

After searching everywhere with limited success for a tutorial on ATM configuration on Dynamips, I decided to write one here bringing the whole process together to make it easier for others. In this virtual lab, I will set up IP over ATM on a single laptop running Windows XP with a dual-core 1.8 GHz CPU and 1.5 GB RAM.


Scenario

In this lab, I will show how to configure IP over ATM using two Cisco 7200 routers and one ATM switch provided by Dynamips. Since the ATM function is only simulated at a simplistic level, we will not be able to get full ATM switch functionality. However, this is still useful for getting some hands-on ATM experience. I will set up one PVC for data access. I will also connect one router to an Ethernet switch, which is linked to my laptop's loopback adapter. This permits testing from the command prompt, as well as using the TFTP client on my XP machine to download the configs from the routers. Finally, once the IP connection is established, the OSPF routing protocol is enabled to allow end-to-end access.



Dynagen .net file

To map the above network design for emulation, you need to understand the syntax of dynagen’s .net file. I have realized the setup using the following:

autostart = false
ghostios = true
sparsesmem = true
mmap = true
model = 7200

[localhost]
[[7200]]
image = \Program Files\Dynamips\images\C7200-AD.image
ram = 256
idlepc = 0x62b0b568
[[ROUTER R1]]
f0/0 = S1 1
a4/0 = A1 1

[[ETHSW S1]]
1 = access 1
2 = dot1q 1 NIO_gen_eth:\Device\NPF_{192F6952-5AEA-4B4A-8AC0-B07086BA6FAC} #loopback0
[[ATMSW A1]]
1:0:5 = 2:0:5 # qsaal (pvc 0/5)
1:0:16 = 2:0:16 # ilmi (pvc 0/16)
1:1:10 = 2:1:20 # user (pvc 1/10 at R1 and pvc 1/20 at R2)

[[ROUTER R2]]
a4/0 = A1 2

The most important part of this setup is the VPI:VCI mapping of the ATM switch. The three lines represent a PVC for ATM signalling, a PVC for ILMI messages and a PVC for the user data connection, respectively. These numbers must then match the device configuration.
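Both this .net file and the ones in the Check Point post above rely on details that are easy to get wrong by hand: which ETHSW ports end up in the same VLAN (and hence the same broadcast domain), and whether each router's `pvc` statements agree with the ATMSW mapping. As an added illustration for these two posts (my own script, not part of Dynagen), here is a small parser for the relevant .net sections plus two checks built on it. The sample .net text is constructed by combining the S1 switch of the Check Point lab with the A1 ATM switch of this lab; the NIO device names in it are placeholders, and the R2 configuration is constructed with a deliberate slip (1/10 copied from R1 instead of the 1/20 the switch expects) so the check has something to report.

```python
import re

# Section headers look like "[[ETHSW S1]]"; "[localhost]" and "[[7200]]" are not
# device sections and just end the current one.
SECTION_RE = re.compile(r"^\[\[(\w+)\s+(\S+)\]\]$")
# IOS "pvc [NAME] VPI/VCI" lines, e.g. "pvc 0/5 qsaal" or "pvc Data 1/10".
PVC_RE = re.compile(r"^\s*pvc\s+(?:\S+\s+)?(\d+)/(\d+)", re.M)


def parse_net(text: str):
    """Return ({switch: {port: (mode, vlan, nio)}}, {atmsw: [(end_a, end_b), ...]})
    where each ATM end is a (port, vpi, vci) tuple."""
    ethsw, atmsw = {}, {}
    kind = name = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment in a .net file
        if not line:
            continue
        section = SECTION_RE.match(line)
        if section:
            kind, name = section.group(1).upper(), section.group(2)
            if kind == "ETHSW":
                ethsw[name] = {}
            elif kind == "ATMSW":
                atmsw[name] = []
            continue
        if line.startswith("["):
            kind = name = None
            continue
        if "=" not in line:
            continue
        lhs, rhs = (part.strip() for part in line.split("=", 1))
        if kind == "ETHSW":
            fields = rhs.split()
            nio = fields[2] if len(fields) > 2 else None
            ethsw[name][int(lhs)] = (fields[0], int(fields[1]), nio)
        elif kind == "ATMSW":
            end_a = tuple(int(x) for x in lhs.split(":"))
            end_b = tuple(int(x) for x in rhs.split(":"))
            atmsw[name].append((end_a, end_b))
    return ethsw, atmsw


def broadcast_domains(ports: dict) -> dict:
    """Group a switch's ports by the VLAN that carries their untagged frames:
    the access VLAN, or the native VLAN of a dot1q trunk."""
    domains = {}
    for port, (_mode, vlan, _nio) in sorted(ports.items()):
        domains.setdefault(vlan, []).append(port)
    return domains


def required_pvcs(mappings: list, port: int) -> set:
    """The (vpi, vci) pairs the router on `port` of the ATM switch must configure."""
    return {(vpi, vci) for end_a, end_b in mappings
            for (p, vpi, vci) in (end_a, end_b) if p == port}


def check_router_pvcs(config: str, mappings: list, port: int):
    """Return (missing, extra): PVCs the switch mapping expects but the router
    lacks, and PVCs the router defines that the switch will never carry."""
    configured = {(int(vpi), int(vci)) for vpi, vci in PVC_RE.findall(config)}
    required = required_pvcs(mappings, port)
    return required - configured, configured - required


# Constructed .net file combining the Ethernet switch of the Check Point lab and
# the ATM switch of this lab; the NIO device names are placeholders.
NET_FILE = r"""
autostart = false
model = 7200
[localhost]
[[7200]]
image = \Program Files\Dynamips\images\C7200-AD.image
ram = 256
[[ROUTER R1]]
f0/0 = S1 1
a4/0 = A1 1
[[ETHSW S1]]
1 = access 1
2 = dot1q 100 NIO_gen_eth:\Device\NPF_{GUID-OF-NIC} #NIC
3 = access 1 NIO_gen_eth:\Device\NPF_{GUID-OF-LOOPBACK} #lo0
[[ATMSW A1]]
1:0:5 = 2:0:5 # qsaal (pvc 0/5)
1:0:16 = 2:0:16 # ilmi (pvc 0/16)
1:1:10 = 2:1:20 # user (pvc 1/10 at R1 and pvc 1/20 at R2)
[[ROUTER R2]]
a4/0 = A1 2
"""

# R1's ATM interface as configured in this post; R2 is constructed with the
# wrong user PVC (1/10 instead of 1/20) to show what the check reports.
R1_ATM = """
interface ATM4/0
 ip address 10.1.1.1 255.255.255.0
 pvc 0/5 qsaal
 pvc 0/16 ilmi
 pvc Data 1/10
  protocol ip 10.1.1.2 broadcast
  encapsulation aal5snap
"""
R2_ATM = """
interface ATM4/0
 ip address 10.1.1.2 255.255.255.0
 pvc 0/5 qsaal
 pvc 0/16 ilmi
 pvc Data 1/10
  protocol ip 10.1.1.1 broadcast
  encapsulation aal5snap
"""

if __name__ == "__main__":
    ethsw, atmsw = parse_net(NET_FILE)
    print("S1 broadcast domains:", broadcast_domains(ethsw["S1"]))
    for router, cfg, port in (("R1", R1_ATM, 1), ("R2", R2_ATM, 2)):
        missing, extra = check_router_pvcs(cfg, atmsw["A1"], port)
        print(f"{router}: missing {sorted(missing)}, extra {sorted(extra)}")
```

For S1 the script reports ports 1 and 3 in VLAN 1 and port 2 (the NIC trunk, native VLAN 100) on its own, which is the separation the Check Point post depends on; for the ATM switch it confirms R1 is consistent and flags that R2 is missing 1/20 and carries an unused 1/10.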


Detailed Device Configuration

Since this is a rather simple and straightforward process, I will go direct to the specific configurations.

1. Configure the IP address of ATM interfaces of R1 and R2. Then bring up those interfaces. Here is R1’s interface configuration:

interface ATM4/0
ip address 10.1.1.1 255.255.255.0
atm ilmi-keepalive 10

2. Configure the QSAAL and ILMI PVCs on both routers. QSAAL is not necessary for PVCs but included here for completeness. On R1:

pvc 0/5 qsaal
!
pvc 0/16 ilmi
!

3. Configure the PVC for data access. The PVC must match the values you have specified in the .net file. Specify IP protocol and remote peer's IP address. Then, specify the encapsulation. On R1, it will look like this:

pvc Data 1/10
protocol ip 10.1.1.2 broadcast
encapsulation aal5snap

4. Verify the configurations.

R1#sh atm vc
VCD / Peak Avg/Min Burst
Interface Name VPI VCI Type Encaps SC Kbps Kbps Cells Sts
4/0 1 0 5 PVC SAAL UBR 155000 UP
4/0 2 0 16 PVC ILMI UBR 155000 UP
4/0 Data 1 10 PVC SNAP UBR 155000 UP

The following output shows that ILMI state is UpAndNormal and the peer address. In this case, the peer is actually R2. In a real setting, this should be the ATM switch providing the UNI interface.

R1#sh atm ilmi-status
Interface : ATM4/0 Interface Type : Private UNI (User-side)
ILMI VCC : (0, 16) ILMI Keepalive : Enabled/Up (10 Sec 4 Retries)
ILMI State: UpAndNormal
Peer IP Addr: 10.1.1.2 Peer IF Name: ATM4/0
Peer MaxVPIbits: 8 Peer MaxVCIbits: 10

5. If all appears as above, ATM configuration is complete! Ping the remote ATM interface for verification.

R1#ping 10.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/32/88 ms

6. You now have an IP link across the ATM cloud. So you can run anything else above it. Let’s try a routing protocol, like OSPF, which will then allow R2 to be reachable from XP’s loopback. On R1, you will have:

interface FastEthernet0/0
ip address 192.168.10.1 255.255.255.0
!
router ospf 1
network 10.1.1.0 0.0.0.255 area 0
network 192.168.10.0 0.0.0.255 area 1

To enable XP’s loopback to get a dynamic address, I enabled DHCP server on R1 (configuration is not shown here). Also, as OSPF supports different types of network, we need to designate a suitable type for the ATM interface, which is a non-broadcast multi-access (NBMA) medium. In this network, we only have two routers, so a point-to-point type is sufficient.

interface ATM4/0
ip address 10.1.1.1 255.255.255.0
ip ospf network point-to-point

7. Verify that OSPF is working.

R2#sh ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
192.168.10.1 0 FULL/ - 00:00:38 10.1.1.1 ATM4/0

R2#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
...text snipped...

Gateway of last resort is not set

O IA 192.168.10.0/24 [110/2] via 10.1.1.1, 00:06:01, ATM4/0
10.0.0.0/24 is subnetted, 1 subnets
C 10.1.1.0 is directly connected, ATM4/0

8. Ping the XP’s loopback interface from R2 to verify end-to-end connectivity.

R2#ping 192.168.10.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.11, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/35/84 ms

That’s it! Hope you find this useful.

Thursday, May 28, 2009

Lab Setup for MPLS and BGP on Dynamips

Introduction

In this lab setup, I will enable a complete virtual lab for CCIP study on a single laptop running Windows XP, dual-core 1.8 GHz CPU with 1.5 GB RAM. Thanks to the Dynamips/Dynagen creators, this is now possible.


Scenario


I have adopted the simple design given in Sybex’s CCIP MPLS Study Guide by James Reagan. It is rather dated, but his approach and clarity of presentation make it still relevant to the design of MPLS core networks today. In this setup, a customer wants to connect two remote sites through a service provider’s core network. I will use Cisco 3640 routers for both the customer and the SP. At each site, the customer’s network is connected to a provider edge router (PE1 and PE2, respectively). The SP’s core has a single router, P1, linking PE1 and PE2.



Dynagen .net file

To map the above design for emulation, you need to understand the syntax of dynagen’s .net file. I have realized the setup using the following:

autostart = false
model = 3640
ghostios = true
sparsesmem = true
mmap = true

[localhost:7200]
[[3640]]
image = \Program Files\Dynamips\images\C3640-JK.image
ram = 96
idlepc = 0x603bc51c # change this accordingly
[[ROUTER C1]]
s1/0 = PE1 s1/0
f0/0 = S1 1
[[ROUTER PE1]]
s1/1 = P1 s1/0
[[ROUTER P1]]
s1/1 = PE2 s1/0
[[ROUTER PE2]]
s1/1 = C2 s1/0
[[ROUTER C2]]
f0/0 = S2 1

[[ETHSW S1]]
1 = access 1
2 = dot1q 1 NIO_gen_eth:\Device\NPF_{192F6952-5AEA-4B4A-8AC0-B07086BA6FAC} #loopback0
[[ETHSW S2]]
1 = access 1

This should be rather straightforward to understand. I just want to note the link to the NIO_gen_eth… device. This device represents a Microsoft Loopback Adapter (loopback0) on my machine. I linked it to the virtual network to allow testing from the command prompt, and to use the TFTP client on XP to download the configs from the virtual lab routers, which then allows me to display them here. ;)


Overview of Overall Configurations

You need a plan to structure your configuration efforts. This is very important for any reasonably sized network. At every significant stage, test to ensure that what you have configured so far works. If you do not follow a strategy and wait for all configuration to be done before testing, it will take too much time to troubleshoot if something goes wrong. Working in a structured way, you can resolve issues as they arise and rule out their effect on subsequent settings. This is how I did it:

1. Start with IP addressing and enabling interfaces from left to right. I have indicated the network address for each segment on the diagram. I always started the numbering from left, and from the first valid number. Use the above diagram as your guide. Once done, check with “show ip interface brief” command.
2. Complete the configuration at C1 and C2. Since there is only a single link to the SP’s network, install a static default route to the outside networks. Once done, C1 and C2 configurations are over.
3. It is good practice to use loopback interfaces for routing for better reliability whenever there are multiple paths to others. So, configure a loopback interface for each SP router.
4. Enable the RIP 2 routing protocol on all SP routers for the 172.22.1.0 network. Check that the expected routes are populated. Do some ping tests.
5. Enable MPLS switching in the core and use LDP as the label distribution protocol. Check for MPLS peering and that the LFIB is correctly populated.
6. Install a static route to the client network at PE1 and PE2. Test.
7. Finally, configure BGP on PE1 and PE2. BGP will carry customer routes across the core. Since PE routers are not exchanging routes with customer routers, use static and connected redistribution.

Detailed Configuration

Configure IP addresses and static routes at C1 and C2. The static route for C1 is shown below:

ip route 0.0.0.0 0.0.0.0 192.168.1.2

Verify this configuration:
C1#sh ip rou
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
text snipped...
Gateway of last resort is 192.168.1.2 to network 0.0.0.0

10.0.0.0/24 is subnetted, 1 subnets
C 10.1.1.0 is directly connected, FastEthernet0/0
192.168.1.0/30 is subnetted, 1 subnets
C 192.168.1.0 is directly connected, Serial1/0
S* 0.0.0.0/0 [1/0] via 192.168.1.2

Configure the loopback interfaces for SP routers. To configure lo0 for PE1:
interface Loopback0
ip address 172.22.1.1 255.255.255.255

Enable RIP 2 on the SP routers:
router rip
version 2
network 172.22.0.0
no auto-summary

Check the routes are correctly populated. Here is the routing table of P1:
P1#sh ip rou
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
text snipped...

Gateway of last resort is not set

172.22.0.0/16 is variably subnetted, 5 subnets, 2 masks
C 172.22.1.8/30 is directly connected, Serial1/1
R 172.22.1.3/32 [120/1] via 172.22.1.10, 00:00:05, Serial1/1
C 172.22.1.2/32 is directly connected, Loopback0
R 172.22.1.1/32 [120/1] via 172.22.1.5, 00:00:18, Serial1/0
C 172.22.1.4/30 is directly connected, Serial1/0

Enable MPLS switching and select LDP globally. Then, enable MPLS on the relevant serial interfaces. Below is the configuration for PE1:
ip cef
mpls label protocol ldp
interface Serial1/1
mpls ip

When MPLS peering is enabled, IOS displays a debug statement. The following is shown on P1:
P1(config)#
*Mar 1 00:11:56.547: %LDP-5-NBRCHG: LDP Neighbor 172.22.1.1:0 is UP
*Mar 1 00:12:16.451: %LDP-5-NBRCHG: LDP Neighbor 172.22.1.3:0 is UP

You can also check the MPLS forwarding table:
PE2#sh mpls f
Local Outgoing Prefix Bytes tag Outgoing Next Hop
tag tag or VC or Tunnel Id switched interface
16 Pop tag 172.22.1.2/32 0 Se1/0 point2point
17 Pop tag 172.22.1.4/30 0 Se1/0 point2point
18 Untagged 10.2.2.0/24 0 Se1/1 point2point
19 17 172.22.1.1/32 0 Se1/0 point2point

Install a static route for the client network at PEs (PE1 to C1 and PE2 to C2). At PE1:
ip route 10.1.1.0 255.255.255.0 192.168.1.1

At PE2:
ip route 10.2.2.0 255.255.255.0 192.168.2.2

You are now ready to configure BGP at PEs. Since this is a single SP’s network, it is iBGP and all routes will be advertised with their configured loopback address. Thus, at PE1, you need to configure this:
router bgp 65000
no synchronization
bgp log-neighbor-changes
network 172.22.1.1 mask 255.255.255.255
redistribute connected
redistribute static
neighbor 172.22.1.3 remote-as 65000
neighbor 172.22.1.3 update-source Loopback0
no auto-summary

When iBGP peering succeeds, IOS displays a debug message. You can also check your BGP peer using:
PE2#sh ip bgp neighbor
BGP neighbor is 172.22.1.1, remote AS 65000, internal link
BGP version 4, remote router ID 172.22.1.1
BGP state = Established, up for 00:26:49
Last read 00:00:49, hold time is 180, keepalive interval is 60 seconds
Neighbor capabilities:
Route refresh: advertised and received(old & new)
Address family IPv4 Unicast: advertised and received
Address family VPNv4 Unicast: advertised and received
text snipped...

That’s it! If all configured correctly, you will see BGP routes on the routing table:
PE1#sh ip rou
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
text snipped...

Gateway of last resort is not set

172.22.0.0/16 is variably subnetted, 5 subnets, 2 masks
R 172.22.1.8/30 [120/1] via 172.22.1.6, 00:00:24, Serial1/1
R 172.22.1.3/32 [120/2] via 172.22.1.6, 00:00:24, Serial1/1
R 172.22.1.2/32 [120/1] via 172.22.1.6, 00:00:24, Serial1/1
C 172.22.1.1/32 is directly connected, Loopback0
C 172.22.1.4/30 is directly connected, Serial1/1
10.0.0.0/24 is subnetted, 2 subnets
B 10.2.2.0 [200/0] via 192.168.2.2, 00:04:47
S 10.1.1.0 [1/0] via 192.168.1.1
192.168.1.0/30 is subnetted, 1 subnets
C 192.168.1.0 is directly connected, Serial1/0
192.168.2.0/30 is subnetted, 1 subnets
B 192.168.2.0 [200/0] via 172.22.1.3, 00:05:47

Ping from clients connected to C1 to C2 for final confirmation.
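One detail of PE1's routing table above deserves a closer look: the BGP route to 10.2.2.0/24 points at 192.168.2.2, the customer-facing address on PE2's side, which PE1 can only reach because `redistribute connected` also carried 192.168.2.0/30 across the core. To show how the router resolves that recursively, here is an added Python script of mine (not from the book or the post) that parses the `show ip route` output exactly as printed above, checks that expected prefixes are present, and walks the next-hop chain until it lands on an outgoing interface. The parser covers the line shapes in these posts (parent "is subnetted" lines, "[AD/metric] via" routes and directly connected routes).

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    code: str                  # "C", "S", "R", "B", "O IA", ...
    prefix: str                # always written with its length, e.g. "10.2.2.0/24"
    distance: int
    metric: int
    next_hop: Optional[str]    # None for a directly connected route
    interface: Optional[str]   # None when the route must be resolved recursively


# A parent line such as "10.0.0.0/24 is subnetted, 2 subnets" supplies the
# mask for the child lines under it that omit one.
HEADER_RE = re.compile(r"^(\d+(?:\.\d+){3})/(\d+) is (?:variably )?subnetted")
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z]\*?(?: [A-Z]{1,2})?)\s+(?P<net>\d+(?:\.\d+){3})(?:/(?P<len>\d+))?\s+(?P<rest>.+)$")
VIA_RE = re.compile(r"\[(\d+)/(\d+)\] via (\d+(?:\.\d+){3})")
CONNECTED_RE = re.compile(r"is directly connected, (\S+)")
IFACE_RE = re.compile(r",\s*([A-Za-z]\S*)$")   # trailing interface name, not a timer


def parse_routes(text: str) -> List[Route]:
    routes, parent_len = [], None
    for line in text.splitlines():
        line = line.strip()
        header = HEADER_RE.match(line)
        if header:
            parent_len = int(header.group(2))
            continue
        m = ROUTE_RE.match(line)
        if not m:
            continue          # "Codes:", "Gateway of last resort", snipped text
        length = int(m.group("len")) if m.group("len") else parent_len
        prefix = str(ip_network(f"{m.group('net')}/{length}", strict=False))
        rest = m.group("rest")
        via, conn, iface = VIA_RE.search(rest), CONNECTED_RE.search(rest), IFACE_RE.search(rest)
        if via:
            routes.append(Route(m.group("code"), prefix, int(via.group(1)), int(via.group(2)),
                                via.group(3), iface.group(1) if iface else None))
        elif conn:
            routes.append(Route(m.group("code"), prefix, 0, 0, None, conn.group(1)))
    return routes


def lookup(routes: List[Route], address: str) -> Optional[Route]:
    """Longest-prefix match for an address, as the router does for a next hop."""
    addr = ip_address(address)
    candidates = [r for r in routes if addr in ip_network(r.prefix)]
    return max(candidates, key=lambda r: ip_network(r.prefix).prefixlen, default=None)


def resolve(routes: List[Route], route: Route, max_depth: int = 8) -> Tuple[List[Route], Optional[str]]:
    """Follow recursive next hops until a route with an outgoing interface is found.
    Returns the chain of routes consulted after `route` and the final interface."""
    chain, current = [], route
    while current.interface is None and len(chain) < max_depth:
        current = lookup(routes, current.next_hop)
        if current is None:
            return chain, None      # unresolvable next hop: the route is unusable
        chain.append(current)
    return chain, current.interface


def missing_routes(routes: List[Route], expected: List[str]) -> List[str]:
    present = {r.prefix for r in routes}
    return [p for p in expected if p not in present]


# PE1's routing table as printed in the post.
PE1_TABLE = """
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
text snipped...

Gateway of last resort is not set

172.22.0.0/16 is variably subnetted, 5 subnets, 2 masks
R 172.22.1.8/30 [120/1] via 172.22.1.6, 00:00:24, Serial1/1
R 172.22.1.3/32 [120/2] via 172.22.1.6, 00:00:24, Serial1/1
R 172.22.1.2/32 [120/1] via 172.22.1.6, 00:00:24, Serial1/1
C 172.22.1.1/32 is directly connected, Loopback0
C 172.22.1.4/30 is directly connected, Serial1/1
10.0.0.0/24 is subnetted, 2 subnets
B 10.2.2.0 [200/0] via 192.168.2.2, 00:04:47
S 10.1.1.0 [1/0] via 192.168.1.1
192.168.1.0/30 is subnetted, 1 subnets
C 192.168.1.0 is directly connected, Serial1/0
192.168.2.0/30 is subnetted, 1 subnets
B 192.168.2.0 [200/0] via 172.22.1.3, 00:05:47
"""

if __name__ == "__main__":
    routes = parse_routes(PE1_TABLE)
    print("missing:", missing_routes(routes, ["10.1.1.0/24", "10.2.2.0/24", "192.168.2.0/30"]))
    for r in routes:
        if r.code == "B":
            chain, iface = resolve(routes, r)
            print(r.prefix, "via", r.next_hop, "->", [c.prefix for c in chain], "->", iface)
```

The BGP route to 10.2.2.0/24 resolves through 192.168.2.0/30 (also a BGP route, via PE2's loopback 172.22.1.3) and then through the RIP host route to 172.22.1.3, which is what finally supplies Serial1/1. Remove `redistribute connected` on PE2 and the first hop of that chain disappears, leaving the customer route unusable.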

Good luck with your setup!

Wednesday, April 22, 2009

A Cisco CCNA-Voice Lab

VoIP Configuration for a CCNA-Voice Lab

Prerequisite

You need to know how to work with dynamips/dynagen for general network emulation. If you are not that familiar or new to this, there are some excellent tutorials out there. Some basic voip concepts especially from CCNA-Voice would be very useful. That’s it!

Scenario

In this lab, I will show how to set up a VoIP connection using two laptops running Windows XP and dynamips/dynagen, emulating offices connected over a WAN link. IP Blue softphones will be used here, so you need to install them on both laptops if you have not done so. Physically, the two laptops are connected with a crossover UTP cable. You can also use a layer-2 switch if you want. The topology of the overall network is shown in Figure 1. This setup does not require a high-end laptop. One of my laptops just has a single-core Intel Pentium M 1.5 GHz with 512 MB RAM!

Figure 1: Logical layout and

Laptop1 will emulate the Office1 network with a Cisco 2691 router as the gateway and CME, a LAN Ethernet switch and an IP Blue softphone instance. You are free to use any other router with the CME feature if you don’t have the 2691 IOS image. Laptop2 will emulate Office2 with a similar network layout. To emulate the WAN connection, the egress interface of each router connects to another Ethernet switch (wan1 and wan2), which are then bridged to each laptop’s physical RJ-45 port. I just used this simple point-to-point WAN connection to keep the focus on the subject matter.

Dynagen’s .net file

Here is the .net file for laptop1’s setup (laptop2’s is very similar):

autostart = false
ghostios = true
sparsesmem = true
mmap = true

[localhost:7200]
[[2691]]
image = \Program Files\Dynamips\images\C2691-AD.image
ram = 128
idlepc = 0x60a49150 # change accordingly
[[ROUTER C1]]
model = 2691
f0/0 = L1 1
f0/1 = W1 1

[[ETHSW L1]]
1 = access 1
# change the following line, according to your laptop’s loopback address (use dynagen’s “Network device list.cmd”)
2 = access 1 NIO_gen_eth:\Device\NPF_{924ADD11-A35B-420B-BC79-ED058973BB53}

[[ETHSW W1]]
1 = access 1
# change next line to your laptop’s Ethernet port
2 = dot1q 1 NIO_gen_eth:\Device\NPF_{A91A2A20-659A-4291-8C10-E727878AEFF7}


CME Configuration

To make sure that you understand each step of the router’s configuration, I have given the logic behind each step.

1. Start with the ip address configurations of the involved interfaces.
interface FastEthernet0/0
description ***LAN connection***
ip address 10.10.10.1 255.255.255.0
!
interface FastEthernet0/1
description ***WAN connection***
ip address 192.168.100.1 255.255.255.0

2. Setup the DHCP server on the CME.
ip dhcp excluded-address 10.10.10.1 10.10.10.10
!
ip dhcp pool voice
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
option 150 ip 172.16.1.1

3. Since the best practice is to use a loopback address for CME access, let’s configure a loopback interface.
interface Loopback0
ip address 172.16.1.1 255.255.255.255

4. Now come the configurations related to the CME function itself. You need to specify the maximum number of directory numbers and ephones required, the source address to be used by cme1 (i.e. lo0) and a system message that appears cool on the phone display.. ;)
telephony-service
max-ephones 2
max-dn 4
ip source-address 172.16.1.1 port 2000
system message KSD Voip System

5. Now configure the specific directory numbers you need. These are the numbers to be dialed to reach certain phones. In my case, I created two DNs, one for its normal line and another for the emergency line (000). The longer number stated as secondary will be used by external callers for DID.
ephone-dn 1 dual-line
number 1000 secondary 11111000
!
ephone-dn 4
number 000

6. These directory numbers are now ready to be assigned to specific ephones. You can imagine an ephone like a phone descriptor.
ephone 1
mac-address 0200.4C4F.4F50
button 1:1 3:4

The above MAC address is that of a loopback adapter created in Windows XP, not the same as lo0 in the CME. If you don’t have one (check XP’s “Network Connections”), you can easily create it. This adapter will then be used by the IP Blue phone for network access. The router is now ready to serve as the call processing agent!

7. You can now start IP Blue phone on laptop1, and if you have not used it before, a setup wizard will start to walk you through its basic setup. Just make sure that you use the loopback address specified in step 6 for its interface. If all goes well, the phone will register with cme1, and the following message should appear:

*Mar 1 00:02:47.303: %IPPHONE-6-REGISTER: ephone-1:SEP02004C4F4F50 IP:10.10.10.11 Socket:3 DeviceType:Phone has registered.

Here is the screenshot of IP Blue after it has successfully registered. See the cool text above the Redial button… Also, note that button 1 shows “1000” and the third button “000”.

Figure 2: IP Blue screenshot after successfully registering to CME.

8. Now, repeat steps 1-7 on laptop2. Just remember to change the IP addresses accordingly as well as the directory numbers. I used the following for the directory number.
ephone-dn 1 dual-line
number 2000 secondary 22222000

Verify that phone2’s registration succeeds as above in Office2. At this stage, all basic local configurations are complete. To enable voip calls across our WAN connection, we now face the most important concept in voip, i.e. the dial plan.

9. The dial plan is like a routing table for a router. When CME receives a call, it needs to know how to forward it correctly. For real-world use, we need SIP proxies from voice service providers to enable an end-to-end VoIP connection. However, in our example, we just need to indicate to the CME which numbers will invoke SIP messages to the other CME. For example, to enable phone1 to call phone2, we need the following dial plan in cme1.
dial-peer voice 2000 voip
destination-pattern 2222....
session protocol sipv2
session target ipv4:172.17.1.1
dtmf-relay sip-notify
no vad

Since cme1 does not know how to reach cme2’s lo0, instead of using a routing protocol, I just installed a static default route.
ip route 0.0.0.0 0.0.0.0 192.168.100.2

10. Repeat step 9 for cme2, and you are done! You are ready to call away… This is just the basic configuration to get you going. You can now try all the other cool features like intercom, paging and much much more. I did not have access to Cisco Unity Express, so I was not able to include voice mail configurations here, but it should be quite easy too.
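Since the dial plan is the routing table of the voice network, it is worth seeing how a dialed string is matched against it. Below is an added Python model of cme1's dial plan after step 9; it is my illustration, not IOS code, and it simplifies IOS behaviour in two ways that are assumptions: ephone-dn numbers (including the secondary DID number) are modelled as local POTS peers, and when several peers match, the one with the most literal digits wins. The pattern translator covers the destination-pattern features used here (digits, `.` for one digit, `[2-9]` ranges and a trailing `T`).

```python
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class DialPeer:
    name: str
    kind: str      # "pots" for a locally registered ephone-dn number, "voip" for a SIP peer
    pattern: str   # Cisco destination-pattern syntax
    target: str    # where the call is sent


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate the destination-pattern subset used here: literal digits,
    '.' for exactly one digit, '[2-9]'-style ranges, and a trailing 'T'
    for any number of further digits (collected until the inter-digit timeout)."""
    parts, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c.isdigit() or c in "*#":
            parts.append(re.escape(c))
        elif c == ".":
            parts.append(r"\d")
        elif c == "[":
            close = pattern.index("]", i)
            parts.append(pattern[i:close + 1])
            i = close
        elif c == "T":
            parts.append(r"\d*")
        else:
            raise ValueError(f"unsupported destination-pattern character {c!r}")
        i += 1
    return re.compile("".join(parts))


def select_peer(dialed: str, peers: List[DialPeer]) -> Optional[DialPeer]:
    """Pick the dial peer for a dialed string.  Only peers whose pattern covers the
    whole string qualify; among those, the one with the most literal digits wins
    (a simplification of IOS longest-match selection, assumed here)."""
    matching = [p for p in peers if pattern_to_regex(p.pattern).fullmatch(dialed)]
    if not matching:
        return None
    return max(matching, key=lambda p: sum(ch.isdigit() for ch in p.pattern))


# cme1's dial plan after step 9: the two ephone-dn numbers (plus the secondary
# DID number) are reachable locally, and the single voip dial peer forwards
# 2222xxxx to cme2's loopback.
CME1_PEERS = [
    DialPeer("ephone-dn 1", "pots", "1000", "ephone-dn 1"),
    DialPeer("ephone-dn 1 secondary", "pots", "11111000", "ephone-dn 1"),
    DialPeer("ephone-dn 4", "pots", "000", "ephone-dn 4"),
    DialPeer("dial-peer voice 2000 voip", "voip", "2222....", "ipv4:172.17.1.1"),
]


def route_call(dialed: str, peers: List[DialPeer] = CME1_PEERS) -> str:
    peer = select_peer(dialed, peers)
    if peer is None:
        return f"{dialed}: no dial peer matches, call fails"
    return f"{dialed}: {peer.kind} via {peer.name} -> {peer.target}"


if __name__ == "__main__":
    for number in ("1000", "000", "22222000", "2000", "2222"):
        print(route_call(number))
```

Running it shows one consequence of the dial plan as written: from phone1, dialing 2000 matches nothing, because `2222....` only covers eight-digit numbers starting with 2222, so phone2 is reached through its secondary number 22222000. Add a second voip dial peer with `destination-pattern 2...` if you want the short extension to work across the WAN as well.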