Global Config Technology Solutions, Inc.

Technology Insights, Tutorials and Course Development


Installing ISE in VMware with GNS3 Connectivity

July 17, 2013 by bcarroll 9 Comments

When you are on the road or heavily use a laptop for your studies, you learn to make use of virtualization apps that you can take with you. For years now people have used the popular open-source application GNS3 to virtualize a network environment. Now you can virtualize an IPS Sensor, ASA, WSA, and ISE. In this tutorial you’ll see how to run a demo of ISE 1.4 in VMware Fusion on a Mac, and tie it into the wireless network and GNS3. I poked around for some time getting this to work, so it’s my hope that this will save some time for many of you. If you have a better way to do it, please share that in the comments. So, without further delay, let’s get going.

Installing ISE in VMware Fusion.

The first thing we’ll do here is install ISE in VMware Fusion. I’m assuming you already downloaded a legal demo copy of ISE from Cisco, and have the ISO in a folder on your Mac. I’m also assuming that you have VMware Fusion installed. We begin with creating a new VM.

  • The new VM needs to mount the ISE ISO image on its optical drive, and the operating system type needs to be set to Red Hat Linux 5.
  • Set the hard drive to 60GB (this is the minimum for a demo of ISE while the recommended minimum is 200GB).
  • Set the memory to 4GB and use 2 cores.
  • Set the network to bridge to the wireless adapter.

I should note that I am running this on a 13" Retina Macbook Pro with a 3 GHz Intel Core i7 and 8GB 1600 MHz DDR3.

Next, start the virtual machine and run through the install process. This begins with the selection of how to boot. Here I want to boot with option 1, Install ISE with keyboard and mouse.

After hitting enter the install process should begin:

You can watch as the components are installed:

And you end up at a login prompt where you will type setup to begin the setup script. I recommend running through this script so that you not only configure your IP settings, NTP and DNS, but it also installs the ISE application.

During the setup process you provide the IP values including the DNS and NTP values. I have set these all to be the values of my GNS3 router. It has a basic configuration on it making it an NTP server as well as a DNS server. It will eventually connect to the rest of the network, my ASA, switches, and so on.

Setting Up GNS3

The GNS3 side of things can be tricky; at least as far as I’m concerned, it’s overly complex when at this point it shouldn’t be. I’m assuming you already have GNS3 installed on your Mac, you already have a legal copy of Cisco IOS, and you can build basic topologies and configure routers to ping each other. Here’s what you need:

  • Install TunnelBlick so you have access to tap interfaces.
  • The Dynamips version needs to be dynamips-0.2.8-RC5-community-OSX.intel64.bin and it should be able to run with root privileges.
  • GNS3 privileges have been elevated.

The GNS3 topology is very simple: I’ve added a cloud object and a router, as seen below.

Now part of the key to the configuration is configuring the cloud prior to connecting the cloud to the router. The cloud should be configured with a tap0 interface as seen below. To get to this menu, right-click on the cloud and select configure. First enter the tap interface, then click add, verify that it’s listed there, and click ok.

After this you can connect the cloud to the router. Next, open a terminal in OS X and enter the following commands:

sudo ifconfig bridge0 create
sudo ifconfig bridge0 up addm en0
sudo ifconfig bridge0 up addm tap0

These commands create a bridge0 interface, tie the bridge to the wireless adapter which is en0, and then tie the tap interface to the bridge.
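
A check for the bridge built above, as an added example that is not part of the original tutorial: it parses `ifconfig bridge0` output and confirms that en0 and tap0 are members and that the bridge reports an active status. The function names and both sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify that the bridge has the members this tutorial expects.

# bridge_members: print one member interface per line from ifconfig output on stdin.
bridge_members() {
    awk '$1 == "member:" { print $2 }'
}

# bridge_status: print the value of the "status:" line (active / inactive).
bridge_status() {
    awk '$1 == "status:" { print $2; exit }'
}

# check_bridge OUTPUT IFACE...: return 0 only if every IFACE is a bridge member
# and the status is "active"; otherwise print each reason and return 1.
check_bridge() {
    out=$1; shift
    rc=0
    for want in "$@"; do
        if ! printf '%s\n' "$out" | bridge_members | grep -qx "$want"; then
            echo "missing member: $want"
            rc=1
        fi
    done
    st=$(printf '%s\n' "$out" | bridge_status)
    if [ "$st" != "active" ]; then
        echo "bridge status: ${st:-unknown}"
        rc=1
    fi
    return $rc
}

# Constructed sample output (not captured from a real host), in the shape
# macOS prints for a bridge interface.
SAMPLE_OK='bridge0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	member: en0 flags=3<LEARNING,DISCOVER>
	member: tap0 flags=3<LEARNING,DISCOVER>
	status: active'
SAMPLE_BAD='bridge0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	member: en0 flags=3<LEARNING,DISCOVER>
	status: inactive'

# On the Mac itself you would run: check_bridge "$(ifconfig bridge0)" en0 tap0
if check_bridge "$SAMPLE_OK" en0 tap0; then echo "sample OK: bridge ready"; fi
check_bridge "$SAMPLE_BAD" en0 tap0 || echo "sample BAD: bridge not ready"
```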

Verify the router and the ISE can talk.

At this point I have a talking ISE and Router. I’ve configured the router as follows:

!
hostname R1
!
!
ip domain name domain.local
!
!
interface FastEthernet0/0
 ip address 10.0.199.254 255.255.255.0
 duplex auto
 speed auto
 no cdp enable
 no shutdown
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip forward-protocol nd
!
!
ntp master 2
!
end

R1# 

To verify I ping ISE from the router:

R1#ping 10.0.199.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.199.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/14/28 ms
R1# 

Getting the Laptop to talk to ISE:

In my scenario I am on a wireless network that I do not control. Because of this, I have an IP address on my wireless that’s assigned by DHCP and I don’t want to change that and lose my Internet connectivity. To get my laptop on the ISE subnet I created a second Wireless Network as follows:

Start by adding a new network. Click the “+”:

To keep it simple I just take the default name for the new network. Click “Create”:

For the new network, click “Advanced”.

Now select TCP/IP, set the type drop-down to Manually, and set the IP address for the adapter. (This should be on the same subnet as the ISE.)

Finally, click “Apply”.

Now we can try to HTTPS to the ISE interface.

Wrap Up

While it’s not the easiest, it does work and being able to lab a few things at 35,000 feet is kinda nice. It also has practical value when you want to lab in a hotel room where wifi rates are less than stellar. You can do a lot with GNS3 and VMware, but in the end, I would recommend sacrificing study time trying to tweak GNS3 to work. Sometimes the rack rentals are the way to go.

Filed Under: Tutorials Tagged With: ccie security, GNS3, ISE, Security Lab

Comments

  1. Owais says

    October 9, 2014 at 2:07 pm

    Hi Brandon

    How can we run this on a Windows PC?

    I’ve tried running it using VMWARe WS 10 and keep getting an error message:

    Red Hat Enerprise Linux Server Rel 5.8
    Kernel 2.3.18-348.1.1.e15 on an x86_64

    NIT: Id “x” respawning too fast: disabled for 5 minutes

    • Brandon Carroll says

      November 5, 2014 at 8:36 am

      I’m not sure, but you can probably find someone who’s done it with Windows out there. Sorry.

  2. Krzych says

    December 9, 2014 at 12:32 am

    Does it work under Yosemite?

    • Brandon Carroll says

      December 9, 2014 at 6:32 am

      It does, and with VMware Fusion Pro it works much more smoothly.

      • Krzych says

        December 27, 2014 at 3:42 pm

        That’s weird. If I add only vmnet1 and tap0 to bridge1 I get bridge status as inactive:
        bridge1: flags=8963 mtu 1500
        options=3
        ether 7e:d1:c3:e6:d0:01
        Configuration:
        id 0:0:0:0:0:0 priority 0 hellotime 0 fwddelay 0
        maxage 0 holdcnt 0 proto stp maxaddr 100 timeout 1200
        root id 0:0:0:0:0:0 priority 0 ifcost 0 port 0
        ipfilter disabled flags 0x2
        member: vmnet1 flags=3
        ifmaxaddr 0 port 16 priority 0 path cost 0
        member: tap0 flags=3
        ifmaxaddr 0 port 15 priority 0 path cost 0
        Address cache:
        0:c:29:eb:2e:f3 Vlan1 vmnet1 1125 flags=0
        aa:bb:cc:0:2:0 Vlan1 tap0 1145 flags=0
        media:
        status: inactive

        And despite seeing MAC addresses on devices:
        IOU1#show arp
        Protocol Address Age (min) Hardware Addr Type Interface
        Internet 172.16.48.2 30 000c.29eb.2ef3 ARPA Ethernet0/0
        Internet 172.16.48.3 – aabb.cc00.0200 ARPA Ethernet0/0
        I can’t get ping through.

        But when I do a bridge in VMWare Fusion with the Wi-Fi interface and then add it instead of vmnet1 to bridge1, ping starts to work.

  3. usman says

    June 9, 2015 at 7:11 am

    What about the switch? Some commands are not supported when configuring MAB.
    Is there any solution?

    • Brandon Carroll says

      June 10, 2015 at 9:11 am

      What commands are you talking about?

      • Alain says

        June 18, 2015 at 9:30 pm

        “mab” and “authentication port-control auto”

        • Brandon Carroll says

          June 19, 2015 at 11:54 am

          You could maybe try to integrate it with VIRL since it supports L2 now, but I have not tried this.

