When you are on the road or heavily use a laptop for your studies, you learn to make use of virtualization apps that you can take with you. For years now people have used the popular open-source application GNS3 to virtualize a network environment. Now you can virtualize an IPS Sensor, ASA, WSA, and ISE. In this tutorial you’ll see how to run a demo of ISE 1.4 in VMware Fusion on a Mac, and tie it into the wireless network and GNS3. I poked around for some time getting this to work, so it’s my hope that this will save some time for many of you. If you have a better way to do it, please share that in the comments. So, without further delay, let’s get going.
Installing ISE in VMware Fusion.
The first thing we’ll do here is install ISE in VMware Fusion. I’m assuming you already downloaded a legal demo copy of ISE from Cisco, and have the ISO in a folder on your Mac. I’m also assuming that you have VMware Fusion installed. We begin with creating a new VM.
- The new VM needs to mount the ISE ISO image as its optical drive, and needs to be set to Red Hat Linux 5.
- Set the hard drive to 60GB (this is the minimum for a demo of ISE while the recommended minimum is 200GB).
- Set the memory to 4GB and use 2 cores.
- Set the network to bridge to the wireless adapter.
I should note that I am running this on a 13" Retina Macbook Pro with a 3 GHz Intel Core i7 and 8GB 1600 MHz DDR3.
Next, start the virtual machine and run through the install process. This begins with the selection of how to boot. Here I want to boot with option 1, Install ISE with keyboard and mouse.
After hitting enter the install process should begin:
You can watch as the components are installed:
And you end up at a login prompt where you will type setup to begin the setup script. I recommend running through this script so that you not only configure your IP settings, NTP and DNS, but it also installs the ISE application.
During the setup process you provide the IP values including the DNS and NTP values. I have set these all to be the values of my GNS3 router. It has a basic configuration on it making it an NTP server as well as a DNS server. It will eventually connect to the rest of the network, my ASA, switches, and so on.
Setting Up GNS3
The GNS3 side of things can be tricky; at least as far as I’m concerned, it’s overly complex when at this point it shouldn’t be. I’m assuming you already have GNS3 installed on your Mac, you already have a legal copy of Cisco IOS, and you can build basic topologies and configure routers to ping each other. Here’s what you need:
- Install TunnelBlick so you have access to tap interfaces.
- The Dynamips version needs to be dynamips-0.2.8-RC5-community-OSX.intel64.bin and it should be able to run with root privileges.
- GNS3 privileges have been elevated.
The GNS3 topology is very simple: I’ve added a cloud object and a router, as seen below.
Now part of the key to the configuration is configuring the cloud prior to connecting the cloud to the router. The cloud should be configured with a tap0 interface as seen below. To get to this menu, right click on the cloud and select configure. First enter the tap interface, then click add, verify that it’s listed there, and click ok.
After this you can connect the cloud to the router. Next, open a terminal in OS X and enter the following commands:
sudo ifconfig bridge0 create
sudo ifconfig bridge0 up addm en0
sudo ifconfig bridge0 up addm tap0
These commands create a bridge0 interface, tie the bridge to the wireless adapter which is en0, and then tie the tap interface to the bridge.
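A quick way to confirm the bridge came up as intended before testing from the router, written as an added example (not from the original post): it parses the text of `ifconfig bridge0` and reports whether en0 and tap0 are both members and the bridge is active. The function names and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify a macOS bridge from the text of `ifconfig bridge0`.

# Print each member interface of the bridge, one per line.
bridge_members() {
    awk '$1 == "member:" { print $2 }'
}

# Print the bridge status word (active / inactive); empty if none is shown.
bridge_status() {
    awk '$1 == "status:" { print $2; exit }'
}

# bridge_ready "<ifconfig text>" member...
# Succeeds and prints "ok" only when every named member is attached and the
# bridge reports status active; otherwise prints the first problem found.
bridge_ready() {
    out=$1
    shift
    members=$(printf '%s\n' "$out" | bridge_members)
    for want in "$@"; do
        printf '%s\n' "$members" | grep -qxF "$want" || {
            echo "missing member: $want"
            return 1
        }
    done
    status=$(printf '%s\n' "$out" | bridge_status)
    [ "$status" = "active" ] || {
        echo "bridge status: ${status:-unknown}"
        return 1
    }
    echo "ok"
}

# Constructed sample outputs (abbreviated, not captured from a real host).
SAMPLE_OK='bridge0: flags=8863 mtu 1500
    member: en0 flags=3
    member: tap0 flags=3
    status: active'

SAMPLE_NO_TAP='bridge0: flags=8863 mtu 1500
    member: en0 flags=3
    status: active'

SAMPLE_INACTIVE='bridge0: flags=8863 mtu 1500
    member: en0 flags=3
    member: tap0 flags=3
    status: inactive'
```

On the Mac, call it as `bridge_ready "$(ifconfig bridge0)" en0 tap0`. When the lab session is over, `sudo ifconfig bridge0 destroy` removes the bridge so the tap interface is no longer attached to the wireless network.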
Verify the router and the ISE can talk.
At this point I have a talking ISE and router. I’ve configured the router as follows:
!
hostname R1
!
!
ip domain name domain.local
!
!
interface FastEthernet0/0
 ip address 10.0.199.254 255.255.255.0
 duplex auto
 speed auto
 no cdp enable
 no shutdown
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip forward-protocol nd
!
!
ntp master 2
!
end
R1#
To verify I ping ISE from the router:
R1#ping 10.0.199.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.199.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/14/28 ms
R1#
Getting the Laptop to talk to ISE:
In my scenario I am on a wireless network that I do not control. Because of this, I have an IP address on my wireless that’s assigned by DHCP and I don’t want to change that and lose my Internet connectivity. To get my laptop on the ISE subnet I created a second wireless network as follows:
Start by adding a new network. Click the “+”:
To keep it simple I just take the default name for the new network. Click “Create”:
For the new network click “Advanced”
Now select TCP/IP, set the type drop-down to Manually, and set the IP address for the adapter. (This should be on the same subnet as the ISE.)
Finally Click “Apply”
Now we can try to HTTPS to the ISE interface.
Wrap Up
While it’s not the easiest, it does work, and being able to lab a few things at 35,000 feet is kinda nice. It also has practical value when you want to lab in a hotel room where wifi rates are less than stellar. You can do a lot with GNS3 and VMware, but in the end, I would recommend sacrificing study time trying to tweak GNS3 to work. Sometimes the rack rentals are the way to go.
Hi Brandon
How can we run this on a Windows PC?
I’ve tried running it using VMware WS 10 and keep getting an error message:
Red Hat Enerprise Linux Server Rel 5.8
Kernel 2.3.18-348.1.1.e15 on an x86_64
NIT: Id “x” respawning too fast: disabled for 5 minutes
I’m not sure, but you can probably find someone who’s done it with Windows out there. Sorry.
Does it work under Yosemite?
It does, and with VMware Fusion Pro it works much more smoothly.
That’s weird. If I add only vmnet1 and tap0 to bridge1 I get bridge status as inactive:
bridge1: flags=8963 mtu 1500
options=3
ether 7e:d1:c3:e6:d0:01
Configuration:
id 0:0:0:0:0:0 priority 0 hellotime 0 fwddelay 0
maxage 0 holdcnt 0 proto stp maxaddr 100 timeout 1200
root id 0:0:0:0:0:0 priority 0 ifcost 0 port 0
ipfilter disabled flags 0x2
member: vmnet1 flags=3
ifmaxaddr 0 port 16 priority 0 path cost 0
member: tap0 flags=3
ifmaxaddr 0 port 15 priority 0 path cost 0
Address cache:
0:c:29:eb:2e:f3 Vlan1 vmnet1 1125 flags=0
aa:bb:cc:0:2:0 Vlan1 tap0 1145 flags=0
media:
status: inactive
And despite seeing MAC addresses on devices:
IOU1#show arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 172.16.48.2 30 000c.29eb.2ef3 ARPA Ethernet0/0
Internet 172.16.48.3 – aabb.cc00.0200 ARPA Ethernet0/0
I can’t get ping through.
But when I do a bridge in VMware Fusion with the Wi-Fi interface and then add it instead of vmnet1 to bridge1, ping starts to work.
What about the switch? Some commands are not supported when configuring MAB.
Is there any solution?
What commands are you talking about?
“mab” and “authentication port-control auto”
You could maybe try to integrate it with VIRL since it supports L2 now, but I have not tried this.