Setting up an ntp/ftp/snmp/syslog/radius/dns proxy VM to test various router features

I just bought inetzero’s JNCIE-SP book, and their lab has a server providing a bunch of services. As I have my own lab I’m going to create my own server. A VM running all the above services can be very handy when testing and studying for your CCIE and JNCIE, as certain things cannot be tested on the router alone.

I’ll be creating this server through ESXi, but you can just as easily create it on any VM software. I’ll be installing Ubuntu server 12.04.2 LTS.

Initial Ubuntu install

This is going to be a pretty standard VM. I’ve installed 2 NICs. One will be connected to the internet, while the other will be connected to the test network.

Go through most of your install and at the end ensure SSH is installed.

eth0 on my server will be the internet port. I’ll be configuring eth1 to be the test lab port with an IP address of 10.10.1.100/24.

sudo vi /etc/network/interfaces

Add the following:

# Lab Interface
auto eth1
iface eth1 inet static
        address 10.10.1.100
        netmask 255.255.255.0

NTP Server

sudo apt-get install ntp

This will install the daemon. That’s all there is to it.

FTP Server

sudo apt-get install proftpd

Once installed, configure the server to only listen on 10.10.1.100. Add this to /etc/proftpd/proftpd.conf

DefaultAddress                  10.10.1.100
SocketBindTight                 on

SNMP

sudo apt-get install snmp

The above installs the snmpwalk client, which is handy for pulling SNMP data off your kit.

Syslog server

Rsyslog comes installed by default on Ubuntu 12.04, however it doesn’t listen for external connections. Edit /etc/rsyslog.conf and uncomment the following two lines:

$ModLoad imudp
$UDPServerRun 514

Radius Server

sudo apt-get install freeradius

Once installed, edit /etc/freeradius/radiusd.conf and make sure the listen and log sections contain the following values:

listen {
        type = auth
        ipaddr = 10.10.1.100
        port = 1645

}

listen {
        ipaddr = 10.10.1.100
        port = 1646
        type = acct
}

log {
        destination = files
        file = ${logdir}/radius.log
        syslog_facility = daemon
        stripped_names = no
        auth = yes
        auth_badpass = yes
        auth_goodpass = yes
}

Edit clients.conf – I’ve simply deleted everything out of that file and added the following:

client 10.10.1.0/24 {
        secret          = radiuspassword
        shortname       = LAB
        require_message_authenticator = no
        nastype         = cisco
}

DNS Proxy

sudo apt-get install dnsproxy

Edit /etc/dnsproxy.conf – I’ve deleted everything out of there and simply configured the following:

# Authoritative server
authoritative           8.8.8.8
authoritative-port      53              # Its port. Defaults to 53.
authoritative-timeout   10              # Seconds to wait for answers.

# Recursive resolver
recursive               8.8.8.8
recursive-port          53              # Its port. Defaults to 53.
recursive-timeout       90              # Seconds to wait for answers.

# Local address and port of dnsproxy
listen 10.10.1.100
port 53

# Security features
chroot /var/spool/dnsproxy
user dnsproxy

# Internal networks (allowed to do recursive queries)
internal 10.10.1.0/24   # Our internal network
internal 127.0.0.1

Verification

Nothing works until you verify. I’ll be using a 7200 as an IOS router to test all the features configured above.

NTP

R1#sh run | sec ntp
ntp peer 10.10.1.100
R1#sh ntp status
Clock is synchronized, stratum 3, reference is 10.10.1.100
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**18
reference time is D55310A3.3153F82E (12:05:55.192 UTC Fri May 31 2013)
clock offset is -2.2801 msec, root delay is 115.22 msec
root dispersion is 44.40 msec, peer dispersion is 5.75 msec
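
To check the same values from the server side without a router, here is an added SNTP client and timestamp decoder (example code, not part of the original post). The constructed reply and its 192.0.2.1 upstream address are assumptions; the reference time is the one from the output above.

```python
import socket, struct
from datetime import datetime, timedelta, timezone

NTP_UNIX_OFFSET = 2208988800  # seconds from the NTP epoch (1900) to the Unix epoch (1970)

def ntp_ts_to_datetime(ts_hex):
    """Decode an IOS-style 'SSSSSSSS.FFFFFFFF' NTP timestamp (seconds.fraction) to UTC."""
    secs_hex, frac_hex = ts_hex.split(".")
    secs = int(secs_hex, 16) - NTP_UNIX_OFFSET
    return datetime.fromtimestamp(secs, tz=timezone.utc) + timedelta(seconds=int(frac_hex, 16) / 2 ** 32)

def parse_sntp_reply(pkt):
    """Unpack the fields an operator compares against 'sh ntp status'."""
    if len(pkt) < 48:
        raise ValueError("short NTP packet")
    li_vn_mode, stratum = pkt[0], pkt[1]
    root_delay, root_disp = struct.unpack("!II", pkt[4:12])
    ref_id = pkt[12:16]
    ref_secs, ref_frac, tx_secs, tx_frac = struct.unpack("!II16xII", pkt[16:48])
    return {
        "leap": li_vn_mode >> 6,              # 3 = server clock not synchronized
        "mode": li_vn_mode & 7,               # 4 = server reply
        "stratum": stratum,                   # 0 = kiss-o'-death / unsynchronized
        # stratum 1 carries a 4-char source name; higher strata carry the upstream IPv4
        "reference_id": ref_id.rstrip(b"\0").decode("ascii", "replace") if stratum == 1
                        else ".".join(map(str, ref_id)),
        "root_delay_ms": root_delay / 2 ** 16 * 1000,       # 16.16 fixed point
        "root_dispersion_ms": root_disp / 2 ** 16 * 1000,
        "reference_time": ntp_ts_to_datetime(f"{ref_secs:08X}.{ref_frac:08X}"),
        "transmit_time": ntp_ts_to_datetime(f"{tx_secs:08X}.{tx_frac:08X}"),
    }

def is_usable(reply):
    """Reject replies from an unsynchronized server before trusting its time."""
    return reply["mode"] == 4 and reply["leap"] != 3 and 1 <= reply["stratum"] <= 15

def query(server, timeout=2.0):
    """Send one SNTP request to the lab server (10.10.1.100 in this post) and parse the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(struct.pack("!B47x", (4 << 3) | 3), (server, 123))   # LI=0 VN=4 Mode=3 (client)
        return parse_sntp_reply(s.recv(48))

# Constructed reply (not a capture): a stratum-2 server reporting the reference
# time shown in 'sh ntp status' above; the upstream address is a placeholder.
SAMPLE_REPLY = (struct.pack("!BBbb", (4 << 3) | 4, 2, 6, -20)
                + struct.pack("!II", 0x01D7, 0x0B5B) + bytes([192, 0, 2, 1])
                + struct.pack("!II", 0xD55310A3, 0x3153F82E) + b"\0" * 16
                + struct.pack("!II", 0xD55310A3 + 5, 0))
```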

FTP

R1#sh run | sec ftp
ip ftp username darreno
ip ftp password 7 BLAHBLAHBLAH
R1#copy run ftp
Address or name of remote host []? 10.10.1.100
Destination filename [r1-confg]?
Writing r1-confg !
1052 bytes copied in 1.496 secs (703 bytes/sec)

Back on server:

[email protected]:~$ ls
r1-confg

SNMP

R1#sh run | sec snmp
snmp-server community snmpt3st1ng RO
snmp-server location "LAB"
snmp-server chassis-id test.7200
snmp-server host 10.10.1.100 snmpt3st1ng

On server:

[email protected]:~$ snmpwalk -v 1 -c snmpt3st1ng 10.10.1.1
iso.3.6.1.2.1.1.1.0 = STRING: "Cisco IOS Software, 7200 Software (C7200-ADVIPSERVICESK9-M), 
Version 12.2(33)SRE7, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Thu 13-Sep-12 08:13 by prod_rel_team"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.9.1.222
iso.3.6.1.2.1.1.3.0 = Timeticks: (51815) 0:08:38.15
iso.3.6.1.2.1.1.4.0 = ""
iso.3.6.1.2.1.1.5.0 = STRING: "R1"
iso.3.6.1.2.1.1.6.0 = STRING: "\"LAB\""
iso.3.6.1.2.1.1.7.0 = INTEGER: 78
etc
etc
etc

Syslog

Router:

archive
log config
 logging enable
 notify syslog
 hidekeys
logging trap debugging
logging facility local1
logging 10.10.1.100

This will send a message to syslog whenever a command is configured on the router. Let’s create a loopback and check the server:

[email protected]:~$ tail -f /var/log/syslog
May 31 13:15:13 10.10.1.1 27: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:interface lo100
May 31 13:15:13 10.10.1.1 28: %SYS-5-CONFIG_I: Configured from console by console
May 31 13:15:13 10.10.1.1 29: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback100, changed state to up
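
The lines above are what you would feed a detection script. As an added example (not part of the original post), the following parses IOS syslog lines in that format, lists the configuration commands reported by the archive log-config feature, and flags gaps in the per-router sequence number, which over UDP means messages were lost; the sample log is constructed.

```python
import re

# Constructed sample (not a capture), in the format rsyslog wrote above.
SAMPLE_LOG = """\
May 31 13:15:13 10.10.1.1 27: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:interface lo100
May 31 13:15:13 10.10.1.1 28: %SYS-5-CONFIG_I: Configured from console by console
May 31 13:15:13 10.10.1.1 29: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback100, changed state to up
May 31 13:16:02 10.10.1.1 31: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:no ip domain-lookup
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<seq>\d+): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+): (?P<msg>.*)$")
CFGLOG_RE = re.compile(r"User:(?P<user>\S+)\s+logged command:(?P<cmd>.*)$")

def parse_line(line):
    """Split one IOS syslog line into its fields; return None for lines that do not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["seq"] = int(rec["seq"])
    rec["severity"] = int(rec["severity"])
    return rec

def config_changes(text):
    """Every command the archive log-config feature reported, as (host, user, command)."""
    out = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec["mnemonic"] == "CFGLOG_LOGGEDCMD":
            c = CFGLOG_RE.match(rec["msg"])
            if c:
                out.append((rec["host"], c["user"], c["cmd"]))
    return out

def sequence_gaps(text):
    """Syslog over UDP is unacknowledged: a jump in a host's sequence number means
    messages were dropped. Returns (host, expected_seq, seen_seq) for each gap."""
    last, gaps = {}, []
    for line in text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        host, seq = rec["host"], rec["seq"]
        if host in last and seq != last[host] + 1:
            gaps.append((host, last[host] + 1, seq))
        last[host] = seq
    return gaps
```

Unlike proftpd and freeradius above, the two rsyslog lines make it accept UDP on every interface; rsyslog's $UDPServerAddress directive (placed before $UDPServerRun) restricts it to 10.10.1.100.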

Radius

Router:

aaa new-model
!
aaa authentication login default group radius local none
!
radius-server host 10.10.1.100 auth-port 1645 acct-port 1646 key 7 111B18011E07181C05393833272131

On the server I need to create a user. Edit /etc/freeradius/users:

testuser     Password = "password"

Let’s go back to the router and login:

User Access Verification

Username: testuser
Password:

R1>

Back on the server:

[email protected]:~$ sudo tail -f /var/log/freeradius/radius.log
Fri May 31 13:21:20 2013 : Auth: Login OK: [testuser/password] (from client LAB port 0)
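
The exchange above, as an added example that is not part of the original post: it builds the Access-Request the router sends for testuser using the clients.conf secret, computes the Message-Authenticator attribute that the require_message_authenticator setting governs, and checks the Response Authenticator on the reply (RFC 2865 and RFC 2869). The request authenticator and the Access-Accept are constructed for offline use; a real client would send the packet to 10.10.1.100:1645.

```python
import hashlib, hmac, struct

SECRET = b"radiuspassword"  # shared secret from clients.conf above
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, MESSAGE_AUTHENTICATOR = 1, 2, 80

def attr(atype, value):
    """Encode one RADIUS attribute: Type, Length (incl. header), Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def encrypt_password(password, secret, request_auth):
    """RFC 2865 s5.2: pad to a multiple of 16, XOR each block with MD5(secret + previous block)."""
    pw = password.ljust((len(password) + 15) // 16 * 16, b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(pw), 16):
        prev = bytes(a ^ b for a, b in zip(pw[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def build_access_request(user, password, secret, ident, request_auth):
    """Access-Request with User-Name, User-Password and a Message-Authenticator (RFC 2869 s5.14)."""
    attrs = attr(USER_NAME, user) + attr(USER_PASSWORD, encrypt_password(password, secret, request_auth))
    attrs += attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)       # must be all zero while hashing
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac

def verify_message_authenticator(packet, secret):
    """Recompute HMAC-MD5 over the packet with attribute 80 zeroed; this is the check
    require_message_authenticator = yes would make the server insist on."""
    pos = 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if atype == MESSAGE_AUTHENTICATOR:
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), packet[pos + 2:pos + 18])
        pos += max(alen, 2)
    return False   # attribute absent

def verify_response(response, request_auth, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    length = struct.unpack("!H", response[2:4])[0]
    expected = hashlib.md5(response[:4] + request_auth + response[20:length] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

def constructed_access_accept(request, secret):
    """Constructed server reply (offline test only): bare Access-Accept with a valid authenticator."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()
```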

DNS Proxy

Router:

ip name-server 10.10.1.100
R1#ping www.cisco.com

Translating "www.cisco.com"...domain server (10.10.1.100) [OK]

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 95.100.128.170, timeout is 2 seconds:

Resolves just fine.

So there you have it. I might be adding more features to this VM, but for now it’ll suit me quite nicely.

© 2009-2020 Darren O'Connor All Rights Reserved