Installing ISE in VMware with GNS3 Connectivity

When you are on the road or heavily use a laptop for your studies you learn to make use of virtualization apps that you can take with you. For years now people have used the popular open-source application GNS3 to virtualize a network environment. Now you can virtualize an IPS Sensor, ASA, WSA, and ISE. In this tutorial you’ll see how to run a demo of ISE 1.4 in VMware Fusion on a Mac, and tie it into the Wireless network and GNS3. I poked around for some time getting this to work so It’s my hope that this will save some time for many of you. If you have a better way to do it please share that in the comments. So, without further delay, lets get going.

Installing ISE in VMware Fusion.

The first thing we’ll do here is install ISE in VMware fusion. I’m assuming you already downloaded a legal Demo copy if ISE from Cisco, and have the ISO in a folder on your Mac. I’m also assuming that you have VMware Fusion installed. We begin with creating a new VM.

• The new VM needs to mount the optical using the ISE iso image, and needs to be Red Hat Linux 5.
• Set the hard drive to 60GB (this is the minimum for a demo of ISE while the recommended minimum is 200GB).
• Set the memory to 4GB and use 2 cores.
• Set the network to bridge to the wireless adapter.

I should note that I am running this on a 13" Retina Macbook Pro with a 3 GHz Intel Core i7 and 8GB 1600 MHz DDR3.

Next, start the virtual maching and run through the install process. This begins with the selection of how to boot. Here I want to boot with option 1, Install ISE with keyboard and mouse.

After hitting enter the install process should begin:

You can watch as the components are installed:

And you end up at a login prompt where you will type setup to begin the setup script. I recommend running through this script so that you not only configure your IP settings, NTP and DNS, but it also installs the ISE application.

During the setup process you provide the IP values including the DNS and NTP values. I have set these all to be the values of my GNS3 router. It has a basic configuration on it making it an NTP server as well as a DNS server. It will eventually connect to the rest of the network, my ASA, switches, and so on.

Setting Up GNS3

The GNS side of things can be tricky, at least as far as I’m concerned it’s overly complex when at this point it shouldnt be. I’m assuming you already have GNS3 installed on your Mac, you already have a legal copy of Cisco IOS, and you can build basic topologies and configure routers to ping each other. Here’s what you need:

• Install TunnelBlick so you have access to tap interfaces.
• The Dynamips version needs to be dynamips–0.2.8-RC5-community-OSX.intel64.bin and it should be able to run with root privileges.
• GSN3 provileges have been eleveated.

The GNS3 topology is very simple as seen below. I’ve added a cloud object and a router as seen below.

Now part of the key to the configuration is configuring the cloud prior to connecting the cloud to the router. The cloud should be configured with a tap0 interface as seen below. To get to this menu, right click on the cloud and select configure. First enter the tap interace, then click add, verify that it’s listed there, and click ok.

After this you can connect the cloud to the router. Next open a terminal in OSx and enter the following commands:

sudo ifconfig bridge0 create
sudo ifconfig bridge0 up addm en0
sudo ifconfig bridge0 up addm tap0

These commands create a bridge0 interface, tie the bridge to the wireless adapter which is en0, and then tie the tap interface to the bridge.

Verify the router and the ISE can talk.

At this point I have a talking ISE and Router. Ive configured the router as follows:

!
hostname R1
!
!
ip domain name domain.local
!
!
interface FastEthernet0/0
 ip address 10.0.199.254 255.255.255.0
 duplex auto
 speed auto
 no cdp enable
 no shutdown
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip forward-protocol nd
!
!
ntp master 2
!
end

R1# 

To verify I ping ISE from the router:

R1#ping 10.0.199.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.199.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/14/28 ms
R1# 

Getting the Laptop to talk to ISE:

In my scenario I am on a wireless network that I do not control. Because of this, I have an IP address on my wireless that’s assigned by DHCP and I dont want to change that and lose my Internet connectivity. To get my laptop on the ISE subnet I created a second Wireless Network as follows:

Start by adding a new network. Click the “+”:

To keep it simple I just take the default name for the new network. Click “Create”:

For the new network click “Advanced”

Now select TCP/IP, set the type drop-down to manually, and set the IP address for the adapter. (This should be on the same subnet as the ISE).

Finally Click “Apply”

Now we can try to HTTPS to the ISE interface.

Wrap Up

While it’s not the easiest, it does work and being able to lab a few things at 35,000 feet is kinda nice. It also has practical value when you want to lab in a hotel room where wifi rates are less that stellar. You can do a lot with GNS3 and VMware, but in the end, I would recommended sacrificing study time trying to tweak GNS3 to work. Somethings the rack rentals are the way to go.