This shows you the differences between two versions of the page.
sred:lab8 [2022/12/09 15:37] horia.stoenescu updated ha lab
sred:lab8 [2022/12/16 19:18] (current) horia.stoenescu [Lab infra]
Line 13: | Line 13: | ||
As we have a HA topology, we are required to have the same configuration on both firewalls and as such, a switch is required to link them to clients. | As we have a HA topology, we are required to have the same configuration on both firewalls and as such, a switch is required to link them to clients. | ||
- | **A1**. Go to this [[http://www.idum.fr/Telechargements/Images%20GNS3%20-%20EVE-NG/IOL/Cisco%20L2/i86bi-linux-l2-adventerprisek9-15.2d/|link]] and download the switch binary '**i86bi-linux-l2-adventerprisek9-15.2d.bin**'. Scp it to your eve-ng machine with ip 10.3.0.* (remember the credentials root:student) on path **/opt/unetlab/addons/iol/bin**. | + | Go to eve-ng webui and create a new node, using 'Cisco IOL' template. Keep the default config, then start it. No other configurations are required. |
- | **A2**. Add for current eve-ng user +x (otherwise the binary cannot be started): | + | === B. New firewall node: remote Fortigate machine === |
- | <code> | + | |
- | root@SRED:/opt/unetlab/addons/iol/bin# chmod +x i86bi-linux-l2-adventerprisek9-15.2d.bin | + | |
- | </code> | + | |
- | **A3**. We need now to generate a serial for switch device. Copy on the same location as above the following python script: | + | The already existing firewall will be called from now **Local-FortiGate** and the new one **Remote-FortiGate**. |
- | <code> | + | |
- | #! /usr/bin/python | + | |
- | print("*********************************************************************") | + | |
- | print("Cisco IOU License Generator - Kal 2011, python port of 2006 C version") | + | |
- | print("Modified to work with python3 by c_d 2014") | + | |
- | import os | + | |
- | import socket | + | |
- | import hashlib | + | |
- | import struct | + | |
- | # get the host id and host name to calculate the hostkey | + | <note warning> |
- | hostid=os.popen("hostid").read().strip() | + | For HA, we cannot have the same license value on both devices (as this will mean the feature will understand we have 1 device in cluster). See on Moodle the second lic file and upload it to new node. As such, each machine will have a different serial number. |
- | hostname = socket.gethostname() | + | </note> |
- | ioukey=int(hostid,16) | + | |
- | for x in hostname: | + | |
- | ioukey = ioukey + ord(x) | + | |
- | print("hostid=" + hostid +", hostname="+ hostname + ", ioukey=" + hex(ioukey)[2:]) | + | |
- | # create the license using md5sum | + | <note important> |
- | iouPad1 = b'\x4B\x58\x21\x81\x56\x7B\x0D\xF3\x21\x43\x9B\x7E\xAC\x1D\xE6\x8A' | + | In case you need to find the ip address for FGT, you need to go to global mode: |
- | iouPad2 = b'\x80' + 39*b'\0' | + | |
- | md5input=iouPad1 + iouPad2 + struct.pack('!i', ioukey) + iouPad1 | + | |
- | iouLicense=hashlib.md5(md5input).hexdigest()[:16] | + | |
- | + | ||
- | print("\nAdd the following text to ~/.iourc:") | + | |
- | print("[license]\n" + hostname + " = " + iouLicense + ";\n") | + | |
- | print("You can disable the phone home feature with something like:") | + | |
- | print(" echo '127.0.0.127 xml.cisco.com' >> /etc/hosts\n") | + | |
- | ###################################################################################### | + | |
- | </code> | + | |
- | + | ||
- | Then, execute it: | + | |
<code> | <code> | ||
- | ********************************************************************* | + | FGT_81 # config global |
- | Cisco IOU License Generator - Kal 2011, python port of 2006 C version | + | |
- | Modified to work with python3 by c_d 2014 | + | |
- | hostid=007f0101, hostname=SRED, ioukey=7f022f | + | |
- | Add the following text to ~/.iourc: | + | FGT_81 (root) # show system interface ? |
- | [license] | + | |
- | SRED = eb8d7f0235852d2d; | + | |
- | + | ||
- | You can disable the phone home feature with something like: | + | |
- | echo '127.0.0.127 xml.cisco.com' >> /etc/hosts | + | |
</code> | </code> | ||
- | |||
- | Copy the SRED license with header to /opt/unetlab/addons/iol/bin/iourc file. In the end, you will need to have something like this: | ||
- | <code> | ||
- | root@SRED:/opt/unetlab/addons/iol/bin# cat iourc | ||
- | [license] | ||
- | SRED = eb8d7f0235852d2d; | ||
- | </code> | ||
- | |||
- | **A4**. Go to eve-ng webui and create a new node, using 'Cisco IOL' template. Keep the default config, then start it. No other configurations are required. | ||
- | |||
- | === B. New firewall node: remote Fortigate machine === | ||
- | |||
- | The already existing firewall will be called from now **Local-FortiGate** and the new one **Remote-FortiGate**. | ||
- | |||
- | <note warning> | ||
- | For HA, we cannot have the same license value on both devices (as this will mean the feature will understand we have 1 device in cluster). See on Moodle the second lic file and upload it to new node. As such, each machine will have a different serial number. | ||
</note> | </note> | ||
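Review bot: the new text drops the A1 to A3 prerequisites (the IOL binary placed in /opt/unetlab/addons/iol/bin, the chmod +x, and the /opt/unetlab/addons/iol/bin/iourc license file) but still tells the student "Keep the default config, then start it. No other configurations are required." If the lab eve-ng image is now pre-provisioned with the IOL image and its iourc, say so in one sentence next to the 'Cisco IOL' node step; otherwise the node will not start and the reader has no remaining pointer to what is missing. Also, in the added <note important> block the transcript reads "FGT_81 # config global" followed by "FGT_81 (root) # show system interface ?": after config global the FortiOS prompt shows (global), while (root) is the prompt inside config vdom / edit root, so either the intermediate vdom lines were left out or the prompt should be corrected to match the "go to global mode" instruction.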