CCIE Security lab: Connecting the virtual and physical worlds together

With my new 3750X switch looking like it should be doing as intended, it’s time to connect the virtual to the physical and get it talking to the UNetLab topology.

I must admit, I haven’t tried to do this before, so it should be interesting. I did connect pnet0 to a Windows host to grab something before, but this needs to be completely isolated from the rest of the home network, otherwise the Wife will get upset that she can only browse to www.good.com, and not buy shoes.

The basic configuration in UNL is to connect a Pnet interface to a device (like SW3). I am using PNet1 as this is linked to Eth1:

unetlab-physical-1

Creating this “3750x” network is just a case of creating a new network, but setting it to be a pnet, instead of a bridge.

As you can see, UNetLab can see two NICs:

root@unl01:~# ifconfig -a | grep ^eth
eth0      Link encap:Ethernet  HWaddr 00:50:56:80:2a:6e
eth1      Link encap:Ethernet  HWaddr 00:50:56:80:a2:db
root@unl01:~#

ESXi Settings

Inside ESXi things look like this:

We have a vSwitch created, and this includes one of the NICs from the Quad-port NIC card in the ESXi server:

unetlab-physical-2

We must accept promiscuous mode, otherwise, things won’t work properly:

unetlab-physical-3

UNL has this network connected.

unetlab-physical-4

Unsurprisingly things did not just magically work straight away.

So a quick reboot later, and once SW3 is fired up, we can start to see some errors, and these are the kind of errors you want, as it shows everything is working, and that the virtual switch is talking to the physical switch:

%SYS-5-RESTART: System restarted --
Cisco IOS Software, vios_l2 Software (vios_l2-ADVENTERPRISEK9-M), Version 15.2(CML_NIGHTLY_20150414)FLO_DSGS7, EARLY DEPLOYMENT DEVELOPMENT BUILD, synced to  DSGS_PI5_POSTCOLLAPSE_TEAM_TRACK_CLONE
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2015 by Cisco Systems, Inc.
Compiled Wed 15-Apr-15 00:42 by mmen
%LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to up
%CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on GigabitEthernet0/0 (not full duplex), with 3750X GigabitEthernet3/0/1 (full duplex).
SW3>en
SW3#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
SW3(config)#int g0/0
SW3(config-if)#duplex full
Autoneg enabled. Duplex cannot be set

%CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on GigabitEthernet0/0 (not full duplex), with 3750X GigabitEthernet3/0/1 (full duplex).
%CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on GigabitEthernet0/0 (not full duplex), with 3750X GigabitEthernet3/0/1 (full duplex).

SW3(config-if)#no neg auto 
SW3(config-if)#duplex full
SW3(config-if)#do sh cdp neigh | b Device
Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
SW4              Gig 0/3           170             R S I            Gig 0/3
SW1              Gig 0/1           151             R S I            Gig 0/3
SW2              Gig 0/2           147             R S I            Gig 0/3
3750X            Gig 0/0           130              S I   WS-C3750X Gig 3/0/1

Total cdp entries displayed : 4
SW3(config-if)#

Nice! So, let’s add in some VTP, so that the 3750X gets all the VLAN goodness, and then plug in the IP Phone!

SW1(config)#vtp dom 802101
Changing VTP domain name from NULL to 802101
SW1(config)#vtp mo serv
%SW_VLAN-6-VTP_DOMAIN_NAME_CHG: VTP domain name changed to 802101.
Device mode already VTP Server for VLANS.
SW1(config)#vtp ver 2
SW1(config)#vtp pass 802101
Setting device VTP password to 802101
SW1(config)#

The other devices are set up in client mode, using the same settings as above for the domain and password. However, we need to push some data across to the switch, and as I don’t want to keep having to find the laptop that I use for console access to the switch, it would make sense to create a VLAN for switch management:

SW1(config)#vlan 11
SW1(config-vlan)#name Switch-MGMT
SW1(config-vlan)#exi
SW1(config)#

This gets to the other switches:

SW2(config)#do sh vlan br

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/0, Gi1/0
4    Management                       active    Gi1/1, Gi1/2, Gi1/3
7    DMZ                              active    
9    Phones                           active    
11   Switch-MGMT                      active    
20   Users-1                          active    
21   Users-2                          active    
55   Failover                         active    
99   Data-Phone                       active    
1002 fddi-default                     act/unsup 
1003 trcrf-default                    act/unsup 
1004 fddinet-default                  act/unsup 
1005 trbrf-default                    act/unsup 
SW2(config)#

But so far, not to the 3750X. It just has the VLANs I manually created for something else.

VTP/DTP is working, and I can see the messages in Wireshark:

unetlab-physical-5

I even switched to VTP version 3, and made SW3 the primary server. But the physical 3750X switch did not get the VLANs from the virtual switch environment.

So, where is the issue? Let’s expand it out a little, and either rule it down to or rule out an issue with my VTP configuration, by adding a phone into the mix.

Connecting a physical IP Phone to UNetLab

It’s a simple config:

int gi 3/0/3
switchport voice vlan 9
switchport mode access
switchport access vlan 21

I switched the 3750X to transparent mode for a moment, so that I could add the VLANs needed. But still, there was no joy.

I used the command “sdm prefer vlan”, and did a reboot. Once everything came back up again, I could see the VLANs had been added through VTP, however, communicating with devices was a little unwilling.

So I messed around for a bit trying a bit of this and a bit of that, then I decided to ping Andrea a message and ask for help. He was busy, but I got a couple of minutes with him before he had to dash off to another meeting. He told me to try looking for “vmware switch trunk portgroup”, which lead me to this document: https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1004074.

Seems like I was pretty close with my first attempt, but needed to add the following settings:

unetlab-physical-6

 

unetlab-physical-7

I even rebooted the switch again… and when it came back up, OSPF formed an adjacency, and the phone has a DHCP address:

SW3(config)#router ospf 1
SW3(config-router)#router-id 33.33.33.33
SW3(config-router)#network 0.0.0.0 0.0.0.0 a 0
SW3(config-router)#
%OSPF-5-ADJCHG: Process 1, Nbr 50.50.50.50 on Vlan4 from LOADING to FULL, Loading Done
%OSPF-5-ADJCHG: Process 1, Nbr 50.50.50.50 on Vlan11 from LOADING to FULL, Loading Done
SW3(config-router)#

Rather than posting a blurry photo of the phone’s screen, I’ll show you the successful DHCP lease for the phone:

unetlab-physical-8

So, I do not have a £899 paperweight, I have a working physical switch connected to my IOSv layer-2 switch. It is isolated from my home network, and once the Cisco AP gets delivered I should be able to play around with that.

Just one more bit of proof that it is working, here is the DHCP reservation for my MacBook, which was connected to the phone’s PC port:

unetlab-physical-9

And here is the screenshot from the Mac itself:

unetlab-physical-10

Even though it wasn’t exactly smooth sailing, I am where I need to be. The UNetLab hosts can talk to the physical hosts, and the floor is opening up for me to have some real fun!

3 Comments

  1. Zach August 18, 2017
  2. Nawir February 3, 2018