The new server is built, UNL is imported, an issue with the swap location is sorted (the VM is on an SSD, which didn't leave enough room to create the swap file), and it is started. Let's start configuring the lab. Today will be the WSA setup. Please note that this is a work in progress, so there will be a number of edits as we go through!
Today I plan to cover part 1 and some of part 2 from my CCIE Security study plan.
First off, let’s spend a couple of minutes thinking about the IP addressing scheme.
We need to manage the WSA, so we have to configure the switches (SW3 and SW6), the Windows PC, and the WSA itself.
By default, the WSA uses the IP address 192.168.42.42 with a /24 subnet, so it makes sense to use a management VLAN of 192.168.42.0/24. That is our first requirement. We also need some trunks, and I'll use MST across the board. The VLAN 42 interface (SVI) will live on Switch 3, at least for the moment, and will use the IP address 192.168.42.1. The Windows host will use 192.168.42.7.
Now we have a start to the network.
I do have to make quite a major edit to the topology, though. At the moment it has Arista switches. The port count makes it easier to match the INE topology, and the syntax is 90% the same (hence the court case). However, I get this error:
localhost login:
localhost login: admin
Warning: the following filesystems have less than 10% free space left:
tmpfs (on /var/log) 0% (948 1K-blocks Available)
Please remove configuration such as tracing and clean up the space.
Unable to connect: Connection refused
localhost login:
So let’s replace them with some IOS switches instead.
Back in a minute…
OK, back now. I have swapped the Arista switches (SW3 and SW6) for vIOS (L2).
Already I hit a roadblock: the vIOS switch doesn't have enough ports to cover my configuration:
Switch>en
Switch#conf t
Switch(config)#ho SW3
SW3(config)#vlan 42
SW3(config-vlan)#exi
SW3(config)#int vlan 42
SW3(config-if)#ip add 192.168.42.1 255.255.255.0
SW3(config-if)#no shut
SW3(config-if)#exi
SW3(config)#int gi3/0
SW3(config-if)#swi tru enc dot
SW3(config-if)#swi mo tru
SW3(config-if)#no sh
SW3(config-if)#int gi 5/0
% Invalid input detected at '^' marker.
SW3(config-if)#
So, I need to make another edit.
OK, now we can proceed:
SW3(config)#int gi 0/3
SW3(config-if)#swi mo acc
SW3(config-if)#swi acc vl 42
SW3(config-if)#no shu
SW3(config-if)#desc Link to TestPC-B
SW3(config-if)#
Let’s set up SW6:
Switch#conf t
Switch(config)#ho SW6
SW6(config)#vlan 42
SW6(config-vlan)#exi
SW6(config)#int gi 3/0
SW6(config-if)#swi trun enc do
SW6(config-if)#swi mo tru
SW6(config-if)#no sh
SW6(config-if)#exit
SW6(config)#int gi 1/1
SW6(config-if)#swi mo acc
SW6(config-if)#swi acc vl 42
SW6(config-if)#int gi 1/0
SW6(config-if)#swi mo acc
SW6(config-if)#swi acc vl 42
SW6(config-if)#exi
SW6(config)#exi
SW6#
Let's start adding some spanning-tree. First SW3:
SW3(config)#spanning-tree mode mst
SW3(config)#spanning-tree mst configuration
SW3(config-mst)#rev 1
SW3(config-mst)#instance 1 vlan 42
SW3(config-mst)#name 802101-Sec
SW3(config-mst)#exi
SW3(config)#spanning-tree mst 1 root pri
SW3(config)#
Then SW6:
SW6(config)#spanning-tree mo mst
SW6(config)#span mst con
SW6(config-mst)#rev 1
SW6(config-mst)#name 802101-Sec
SW6(config-mst)#instance 1 vl 42
SW6(config-mst)#exi
SW6(config)#spanning-tree mst 1 root sec
SW6(config)#
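As an added example (not part of the original post), here is a small Python checker for the MST configuration above: two IOS switches only form one MST region when the region name, revision number and the complete instance-to-VLAN mapping match exactly, so a typo on either switch silently splits the region and changes the topology. The sample configs are constructed from the post's abbreviated commands, expanded to full keywords.

```python
# Added example (not from the original post): two IOS switches only join one
# MST region when name, revision and the whole instance-to-VLAN mapping match,
# so a one-character typo silently splits the region. Sample configs below are
# constructed from the post's abbreviated commands, expanded to full keywords.
import re

SW3_CONFIG = """
spanning-tree mst configuration
 name 802101-Sec
 revision 1
 instance 1 vlan 42
spanning-tree mst 1 root primary
"""
# SW6 is identical apart from the root role, which is not a region attribute.
SW6_CONFIG = SW3_CONFIG.replace("root primary", "root secondary")

def expand_vlans(spec: str) -> frozenset:
    """Expand an IOS VLAN list such as '1,10-20,42' into a set of VLAN ids."""
    vlans = set()
    for part in spec.replace(" ", "").split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return frozenset(vlans)

def parse_mst_region(config: str) -> dict:
    """Extract name, revision and instance mapping from an IOS config."""
    region = {"name": "", "revision": 0, "instances": {}}   # IOS defaults
    in_block = False
    for raw in config.splitlines():
        line = raw.strip()
        if line == "spanning-tree mst configuration":
            in_block = True
            continue
        if raw and not raw.startswith(" "):
            in_block = False          # an unindented line ends the sub-mode
        if not in_block:
            continue
        if m := re.match(r"name (\S+)$", line):
            region["name"] = m.group(1)
        elif m := re.match(r"revision (\d+)$", line):
            region["revision"] = int(m.group(1))
        elif m := re.match(r"instance (\d+) vlan (.+)$", line):
            region["instances"][int(m.group(1))] = expand_vlans(m.group(2))
    return region

def same_region(a: dict, b: dict) -> bool:
    """True only when every region-defining attribute is identical."""
    return a == b
```

Feed it the output of `show running-config | section spanning-tree` from each switch to confirm they agree before trusting `show spanning-tree mst` to show a single region.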
Now we should be able to get to the WSA from our test PC.
The WSA console tells us to browse to http://192.168.42.42:8080 to run the System Setup Wizard:
AsyncOS starting services ...
..............................................................................................................................................................
AsyncOS ironport.example.com (cuau0)
login: admin
Password:
Last login: Tue Aug 4 12:02:30 on cuau0
AsyncOS 8.6.0 for Web build 025
Welcome to the Cisco S000V Web Security Virtual Appliance
Please wait while appliance services start up..................
Please run System Setup Wizard at http://192.168.42.42:8080
ironport.example.com>
Woo hoo! Looks good so far:
I log in with the username admin and the password ironport, and get this:
OK, so I need to get a license. This part is not going too well:
Let's look on the bright side: I have actually covered the first part of my 17-step CCIE Security study plan, the WSA setup.
I just need to get a working license.
Just a note here: I understand your point regarding the topology, but just thinking about the switches I'm using today, neither IOU/L2 nor vIOS/L2 supports dot1x/MAB, Web Authentication, Guest access and sponsor portals. So I just installed one Cat3560 and connected that switch to the shared subnet of the ESXi server, just to complete this part. And be aware there has to be IOS at least 12.2(55) to support the 802.1x redirection.
The second thing is TrustSec. It's supported on the 3750-X, so I'm not sure if it can be done virtually. I haven't tried that yet.
Hi Tom, thanks for the heads up. Yeah, I kind of expected to find a few bits that aren't supported along the way! Looks like the topology will get edited again, or several times! 🙂
It's been raised as a feature request, so maybe soon it will be available on IOSv.