In the previous article I described my first impressions after launching the successor to Cisco VIRL, the Cisco Modeling Labs 2.0. I pointed out that one of the potentially strong points of CML 2.0 will be its API. However, for the proper functioning of the API, it would be appropriate to change the default SSL certificate. I have prepared an instructions on how to do it – this is unfortunately not an easy task, but anyone can install their own SSL certificate in CML 2.0Read More
Finally, after weeks of waiting, I could test the successor of the famous VIRL – the Cisco Modeling Labs 2.0. Earlier, the product was known under the working name VIRL2, but it was finally renamed as CML 2.0. Yes, I know. There are already a lot of reviews on the web, both written or in the form of video. Unfortunately, I am not a Cisco employee to have access to internal versions for a long time, or user of the Enterprise version that was released a month earlier and due to the price probably not available for many companies. Fortunately, CML 2.0 Personal is out, and I had the opportunity to take a look at it. This is my first impression. There are a few things that I think deserve attention (this is not a complete list for sure).
This article has been originally posted on my polish blog Szkoła DevNet (DevNet School)Read More
Those are not my first steps with wireless controllers or wireless networking. I had my first touch of enterprise-class wireless networks like 7-8 years ago when Cisco WLC controllers hit the market and lead the evolving world of wireless networking. Working for Cisco Gold Partner back then gave me the opportunity to configure few both autonomous and centrally managed wireless networks at different scale. I also performed a security audit of one quite big installation. Back then there was no virtual vWLC controller back then.
Why am I getting back to the Cisco wireless solutions now? I got Cisco AIR-CAP3702 access point lately, so it was excellent opportunity to refresh my knowledge and look at the past few years changes. It is a popular enterprise model that can work either as an autonomous access point or managed via a controller. So this model is for tests and PoC labs for me, so I decided to check what has changed in Cisco wireless world.
Ansible is one of the powerful tools providing us an automation of recurring tasks. In the current world, it is impossible to manage infrastructure manually efficiently. Many people still do this but the world has already changed and we need to progress otherwise our business will be cost ineffective. You can provide static inventory – list of the devices where you want to execute the playbook. But in dynamic environments, such as Cisco VIRL simulations you don’t want to edit inventory file manually. That is why I use Python script that will generate Dynamic VIRL inventory for Ansible playbook for me.
Most of the recent firmware on Cisco devices run on top of Linux operating system. Yout IOS XE or NX-OS is just a Linux process! It is nothing new; Juniper does it for years. However, it does not mean you can access the operating system directly; this is reserved just for Cisco TAC and developers in case the base operating system might be the source of the problems. However, you can use the IOx and the guestshell container introduced in IOS XE Everest 16.5.1 release.
Cisco VIRL is powerful network simulation tool. There are weeks when I run simulations 24/7 because of some projects or learning are ongoing. With VIRL you get almost the latest firmware for supported platforms. Almost – sometimes you have to wait for next release for a new firmware to be available. I experienced it a few months ago when with ASA 9.7(1) release Cisco introduced the route-based VPNs (VTIs). At this point VIRL users got the 9.6(2) release bundled into latest simulator release. In other simulation, you may want to use different ASAv firmware versions for various nodes, so your simulation is more similar to your production network.
Cisco VIRL uses real firmware in the simulations. I will show you how you can add different ASAv firmware and use it in parallel with the software available on VIRL repository.
The IGMP Snooping is a nice feature to limit propagation of multicast traffic in Layer 2 Ethernet network. It listens to IGMP (Internet Group Management Protocol) messages traversing the network to learn about source and receivers. Using this information switch builds a map of links where it replicates the multicast frames. What if we do not have this feature enabled? The switch will treat multicast frames as an unknown type and will broadcast over all active ports no matter is there is receiver interested in frames from the particular multicast group or not.
IGMP Snooping on a single switch is useful to limit propagation of multicast frames when source and receivers are in same layer 2 broadcast domain, in the same VLAN. IGMP Snooping is enabled on Cisco switches by default, but it does not mean it will work out-of-box.
Ostinato is a traffic generator. You can use it to craft packets and send flow into your network. You can even send multiple streams if required. It is a tool that network admins and developers should use for testing the system or application against various scenarios. Ostinato is by default available on Cisco VIRL so we can use it as a packet generator in our simulations.
Ostinato consists of two components – the LXC image run in a simulation that generates the traffic and GUI frontend. In this article, I will show you how to use it to generate a multicast stream in VIRL simulation.
Cisco Firepower NGIPS is available on multiple platforms. One of deployment option you have is virtual appliance running on top of ESXi hypervisor. This product is called NGIPSv in Cisco documentation.
Using a single physical machine with ESXi hypervisor in an isolated network is one of the best ways to perform Proof of Concept (PoC) labs for IPS solution. You cannot evaluate the product without testing it in a sandbox where you can try to hack it, infect it or do any other nasty things. This way, you can in single ESXi run NGIPSv, Firepower Management Center (FMCv) and one or more VMs in the back.
Here is a quick step-by-step guide how to deploy NGIPSv in transparent mode on single ESXi host. What we want to accomplish is having NGIPSv in front of other virtual machines. In this scenario, there is no firewall, just NGIPSv sensor. It is of course not the safest, the best practice and the most flexible way to deploy sensor. You should not use it just like that in your production network. I use this setup only for quick demo purposes when I want to show how Cisco Firepower NGIPS solution is working, get network discovery working, some IPS policy and get the end host infected by malware.
Hardware failures happens. If you have active service contract you’ll get new device from Cisco with same hardware parameters. One thing you don’t know is which version of software will be installed. In almost all cases it’s not the one you are using. Installing new firewall firmware on ASA is not a problem but what if you’re running SourceFire Management Center version 6.2 but your device came with 5.x or 6.0 firmware on SFR module? Well, prepare for process that will take few hours – you need to perform recovery procedure which is one of the ways of upgrading SourceFire.
Most common cases when we have to use recovery procedure for SFR are:
- Problems with booting the SFP module after upgrade performed from Firesight Management Center
- First software installation on SFR (in example when we just put SSD drives in our ASA to get benefits from Sourcefire NGIPS)
- Need to upgrade firmware but our module cannot be registered in Firesight Management Center due to firmware mismatch
Last case is the one usually happening when we get new device during RMA process. Each Firesight Management Center have list of compatible firmwares that are supported on modules and unfortunatelly backward compatibility is not full. If you run one of the most common version 6.1 or 6.2 you need to have your modules in at least 6.1 version. Recovery process require that whole memory is erased and new firmware installed.