Monday, November 16, 2015

Connection between GNS3 VM and another VM running Tacacs+ on VirtualBox

Scenario:

  • Host machine running Ubuntu and VirtualBox
  • VM#1 guest Lubuntu and GNS3 v1.3.7
  • VM#2 guest Ubuntu server and tacacs+
In order to make VM#1 and VM#2 communicate, do the following:
  1. Create a new Host-only network by editing VirtualBox preferences
  2. Add a new network adapter on each VM using the Host-only network adapter and select the previously created Host-only network
  3. Change the Promiscuous mode setting to "Allow all" in both VMs
  4. Run GNS3 as an Administrator
  5. In GNS3 add a new cloud element and configure it using the Ethernet interface pointing to the Host-only adapter
  6. Connect the cloud element to a router in GNS3
  7. Configure static IP addresses or use a DHCP server (select the respective option in VirtualBox)
  8. "No shut" the respective ports on all devices involved
  9. You should be able to ping from the router toward the tacacs server and back


Notes
  1. Always run GNS3 as Administrator. Otherwise nothing will work.
  2. Don't forget to enable Promiscuous mode. Without it I could receive IPs from the DHCP server, but ping wasn't working.
  3. You can avoid using the Host-only network and use your normal LAN interface where your ADSL router is connected. That way your GNS3 VM will be able to connect to the internet.
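The VirtualBox side of steps 1, 2, 3 and 7 can also be done from the host shell with VBoxManage instead of the GUI; the script below is an added example (not from the original post), with the VM names "gns3-vm" and "tacacs-vm", the adapter name vboxnet0 and NIC slot 2 being assumptions, and a check that reads back the NIC settings so a forgotten Promiscuous mode (Note 2) is caught before you start chasing ping failures.

```shell
#!/bin/sh
# Added example: VirtualBox Host-only setup for the GNS3 VM / tacacs VM
# scenario via VBoxManage. Assumed: VM names gns3-vm and tacacs-vm,
# Host-only adapter vboxnet0, NIC slot 2 free on both VMs.
VBOX=${VBOX:-VBoxManage}

# Steps 1 and 7: create the Host-only network, give the host .1 on it and
# run VirtualBox's own DHCP server on it (use static IPs instead if preferred).
create_hostonly_net() {
  ifname=$1; hostip=$2; net=${hostip%.*}
  "$VBOX" hostonlyif create
  "$VBOX" hostonlyif ipconfig "$ifname" --ip "$hostip" --netmask 255.255.255.0
  "$VBOX" dhcpserver add --ifname "$ifname" --ip "$net.100" --netmask 255.255.255.0 \
    --lowerip "$net.101" --upperip "$net.254" --enable
}

# Steps 2 and 3: modifyvm arguments that put NIC <slot> on the Host-only
# network with Promiscuous mode "Allow all" (the setting Note 2 insists on).
hostonly_nic_args() {
  slot=$1; ifname=$2
  printf '%s' "--nic$slot hostonly --hostonlyadapter$slot $ifname --nicpromisc$slot allow-all"
}
attach_hostonly_nic() {
  vm=$1; slot=$2; ifname=$3
  # word splitting of the argument string is intended here
  "$VBOX" modifyvm "$vm" $(hostonly_nic_args "$slot" "$ifname")
}

# Check: read `showvminfo --machinereadable` output on stdin and succeed only
# if NIC <slot> is hostonly, on <ifname>, and promiscuous mode is allow-all.
check_hostonly_nic() {
  slot=$1; ifname=$2; ok=0
  while IFS= read -r line; do
    case $line in
      "nic$slot=\"hostonly\"")            ok=$((ok + 1)) ;;
      "hostonlyadapter$slot=\"$ifname\"") ok=$((ok + 1)) ;;
      "nicpromisc$slot=\"allow-all\"")    ok=$((ok + 1)) ;;
    esac
  done
  [ "$ok" -eq 3 ]
}

# Only touch VirtualBox when explicitly asked: APPLY=1 ./hostonly.sh
if [ "${APPLY:-0}" = 1 ]; then
  create_hostonly_net vboxnet0 192.168.56.1
  for vm in gns3-vm tacacs-vm; do
    attach_hostonly_nic "$vm" 2 vboxnet0
    "$VBOX" showvminfo "$vm" --machinereadable | check_hostonly_nic 2 vboxnet0 \
      || { echo "$vm: NIC 2 is not on vboxnet0 with promiscuous allow-all" >&2; exit 1; }
  done
fi
```

Run it with APPLY=1 on the host while both VMs are powered off; without APPLY it only defines the functions.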

Friday, November 6, 2015

BGP Notes


  • A BGP connection is a TCP connection on port 179
  • Only the TCP server side needs to validate the source address of the packets it receives, so neighbor update-source is actually required on only one side, as long as the correct IP addresses are being used
  • When two routers attempt a BGP connection simultaneously, only one is kept: the one initiated by the router with the higher BGP router ID
  • You can use the command "debug ip packet detail XXX", where XXX is an ACL matching the src/dst we are interested in
  • iBGP-learned routes are not advertised to other iBGP peers
  • iBGP packets have TTL=255 while eBGP packets have TTL=1 by default
  • If you see a message "... Active open failed - no route to peer..." it can be an indication that eBGP multihop is missing
  • Cisco eBGP does the following two things independently of each other:
    1. Checks that the neighbor is directly connected on a known subnet
    2. Sends packets with TTL=1
  • In order to form a neighborship between directly connected routers using loopbacks, you can use eBGP multihop, which actually disables check #1 above. Alternatively you can use "neighbor disable-connected-check" to do the same.
  • The eBGP multihop command defaults to TTL=255
  • BGP authentication is implemented through TCP option 19
  • A unique BGP router ID within the BGP domain is required in order to avoid traffic blackholes. That is due to the loop-prevention algorithm.