Setting up an ntp/ftp/snmp/syslog/radius/dns proxy VM to test various router features

I just bought inetzero’s JNCIE-SP book, and their lab includes a server providing a bunch of services. As I have my own lab, I’m going to create my own server. A VM running all the above services can be very handy when testing and studying for your CCIE and JNCIE, as certain things cannot be tested on the router alone.

I’ll be creating this server through ESXi, but you can just as easily create it on any VM software. I’ll be installing Ubuntu server 12.04.2 LTS.

Initial Ubuntu install

This is going to be a pretty standard VM. I’ve installed 2 NICs. One will be connected to the internet, while the other will be connected to the test network.

Go through most of your install and at the end ensure SSH is installed.

eth0 on my server will be the internet port. I’ll be configuring eth1 to be the test lab port with an IP address of

sudo vi /etc/network/interfaces

Add the following:

# Lab Interface
auto eth1
iface eth1 inet static

NTP Server

sudo apt-get install ntp

This will install the daemon. That’s all there is to it.

FTP Server

sudo apt-get install proftpd

Once installed, configure the server to only listen on Add this to /etc/proftpd/proftpd.conf

SocketBindTight                 on


sudo apt-get install snmp

The above will give you snmpwalk, which will be handy when pulling SNMP data off your kit.

Syslog server

Rsyslog comes installed by default on Ubuntu 12.04, however it doesn’t listen for external connections. Edit /etc/rsyslog.conf and uncomment the following two lines:

$ModLoad imudp
$UDPServerRun 514

Radius Server

sudo apt-get install freeradius

Once installed, edit /etc/freeradius/radiusd.conf – You’ll want to ensure the correct values are as follows:

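listen {
        type = auth
        ipaddr =
        port = 1645
}

listen {
        ipaddr =
        port = 1646
        type = acct
}

log {
        destination = files
        file = ${logdir}/radius.log
        syslog_facility = daemon
        stripped_names = no
        # Log every authentication request
        auth = yes
        # Also write the submitted password to the log for rejected logins...
        auth_badpass = yes
        # ...and for accepted logins
        auth_goodpass = yes
}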

Edit clients.conf – I’ve simply deleted everything out of that file and added the following:

client {
        secret          = radiuspassword
        shortname       = LAB
        require_message_authenticator = no
        nastype         = cisco
}

DNS Proxy

sudo apt-get install dnsproxy

Edit /etc/dnsproxy.conf – I’ve deleted everything out of there and simply configured the following:

# Authoritative server
authoritative-port      53              # It's port. Defaults to 53.
authoritative-timeout   10              # Seconds to wait for answers.

# Recursive resolver
recursive-port          53              # It's port. Defaults to 53.
recursive-timeout       90              # Seconds to wait for answers.

# Local address and port of dnsproxy
port 53

# Security features
chroot /var/spool/dnsproxy
user dnsproxy

# Internal networks (allowed to do recursive queries)
internal   # Our internal network


Nothing works until you verify. I’ll be using a 7200 as an IOS router to test all the features configured above.


R1#sh run | sec ntp
ntp peer
R1#sh ntp status
Clock is synchronized, stratum 3, reference is
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**18
reference time is D55310A3.3153F82E (12:05:55.192 UTC Fri May 31 2013)
clock offset is -2.2801 msec, root delay is 115.22 msec
root dispersion is 44.40 msec, peer dispersion is 5.75 msec


R1#sh run | sec ftp
ip ftp username darreno
ip ftp password 7 BLAHBLAHBLAH
R1#copy run ftp
Address or name of remote host []?
Destination filename [r1-confg]?
Writing r1-confg !
1052 bytes copied in 1.496 secs (703 bytes/sec)

Back on server:

$ ls


R1#sh run | sec snmp
snmp-server community snmpt3st1ng RO
snmp-server location "LAB"
snmp-server chassis-id test.7200
snmp-server host snmpt3st1ng

On server:

$ snmpwalk -v 1 -c snmpt3st1ng
iso. = STRING: "Cisco IOS Software, 7200 Software (C7200-ADVIPSERVICESK9-M), 
Version 12.2(33)SRE7, RELEASE SOFTWARE (fc1)
Technical Support:
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Thu 13-Sep-12 08:13 by prod_rel_team"
iso. = OID: iso.
iso. = Timeticks: (51815) 0:08:38.15
iso. = ""
iso. = STRING: "R1"
iso. = STRING: "\"LAB\""
iso. = INTEGER: 78



log config
 logging enable
 notify syslog
logging trap debugging
logging facility local1

This will send a message to syslog whenever a command is configured on the router. Let’s create a loopback and check the server:

$ tail -f /var/log/syslog
May 31 13:15:13 27: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:interface lo100
May 31 13:15:13 28: %SYS-5-CONFIG_I: Configured from console by console
May 31 13:15:13 29: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback100, changed state to up
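
Once the router's config log lands in /var/log/syslog, it can be turned into a config-change audit trail. The following is an added example, not part of the original post: it parses IOS messages in the format shown above, pulls the user and command out of each %PARSER-5-CFGLOG_LOGGEDCMD entry, and flags commands that touch AAA, logging, SNMP or NTP settings. The sample lines, the 192.0.2.1 source address and the watch list are constructed for illustration.

```python
import re

# Constructed sample: same shape as the /var/log/syslog lines above, with a
# documentation address (192.0.2.1) standing in for the router's source IP.
SAMPLE = """\
May 31 13:15:13 192.0.2.1 27: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:interface lo100
May 31 13:15:13 192.0.2.1 28: %SYS-5-CONFIG_I: Configured from console by console
May 31 13:15:13 192.0.2.1 29: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback100, changed state to up
May 31 13:16:02 192.0.2.1 30: %PARSER-5-CFGLOG_LOGGEDCMD: User:testuser  logged command:no logging trap
May 31 13:16:40 192.0.2.1 31: %PARSER-5-CFGLOG_LOGGEDCMD: User:testuser  logged command:aaa authentication login default none
"""

# timestamp, optional host, IOS sequence number, %FACILITY-SEVERITY-MNEMONIC: text
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?:(?P<host>\S+) )?(?P<seq>\d+): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<msg>.*)$")
CMD = re.compile(r"^User:(?P<user>\S+)\s+logged command:(?P<cmd>.*)$")
# Hypothetical watch list: config areas whose changes deserve a second look.
WATCH = ("aaa ", "radius-server", "snmp-server", "logging", "username ", "ntp ")


def parse(line):
    """Split one IOS syslog line into its fields, or return None."""
    m = LINE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["sev"] = int(event["sev"])
    return event


def config_changes(lines):
    """Return one record per logged configuration command."""
    changes = []
    for line in lines:
        event = parse(line)
        if not event or event["mnemonic"] != "CFGLOG_LOGGEDCMD":
            continue
        m = CMD.match(event["msg"])
        if not m:
            continue
        cmd = m["cmd"].strip()
        bare = cmd[3:] if cmd.startswith("no ") else cmd  # "no X" still touches X
        changes.append({"ts": event["ts"], "host": event["host"], "user": m["user"],
                        "command": cmd, "sensitive": bare.startswith(WATCH)})
    return changes
```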



aaa new-model
aaa authentication login default group radius local none
radius-server host auth-port 1645 acct-port 1646 key 7 111B18011E07181C05393833272131

On the server I need to create a user. Edit /etc/freeradius/users:

testuser     Password = "password"

Let’s go back to the router and login:

User Access Verification

Username: testuser


Back on the server:

$ sudo tail -f /var/log/freeradius/radius.log
Fri May 31 13:21:20 2013 : Auth: Login OK: [testuser/password] (from client LAB port 0)
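
Note the password sitting in clear text in that log line: that is what auth_goodpass = yes and auth_badpass = yes in radiusd.conf do. The following added example (not part of the original post) audits a radius.log for entries that expose a password and produces a redacted copy that is safe to share. The first sample line is the one shown above, the others are constructed, and the function name is my own.

```python
import re

# First line is the radius.log entry shown above; the rest are constructed samples.
SAMPLE = """\
Fri May 31 13:21:20 2013 : Auth: Login OK: [testuser/password] (from client LAB port 0)
Fri May 31 13:22:05 2013 : Auth: Login incorrect: [testuser/passw0rd] (from client LAB port 0)
Fri May 31 13:23:41 2013 : Auth: Login OK: [testuser] (from client LAB port 0)
Fri May 31 13:24:10 2013 : Auth: Login OK: [testuser/<no User-Password attribute>] (from client LAB port 0)
Fri May 31 13:25:00 2013 : Info: Ready to process requests.
"""

# [user/password] when password logging is on, [user] when it is off.
# Limitation: a username containing "/" or a password containing "]" is ambiguous.
AUTH = re.compile(
    r"^(?P<head>.*? : Auth: (?P<result>Login OK|Login incorrect)[^\[]*)"
    r"\[(?P<user>[^/\]]*)(?:/(?P<pw>[^\]]*))?\]"
    r"(?P<tail> \(from client (?P<client>\S+) .*)$")


def audit(lines):
    """Return (findings, redacted_lines); a finding is a line exposing a password."""
    findings, redacted = [], []
    for line in lines:
        m = AUTH.match(line)
        pw = m["pw"] if m else None
        # FreeRADIUS writes a <...> placeholder when it has no User-Password to log.
        if pw is None or pw.startswith("<"):
            redacted.append(line)
            continue
        findings.append({"user": m["user"], "result": m["result"],
                         "client": m["client"]})
        redacted.append(f'{m["head"]}[{m["user"]}/<redacted>]{m["tail"]}')
    return findings, redacted
```

Outside a lab, set both options to no so that radius.log never holds credentials in the first place.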

DNS Proxy


ip name-server

Translating ""...domain server ( [OK]

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:

Resolves just fine.

So there you have it. I might be adding more features to this VM, but for now it’ll suit me quite nicely.

© 2009-2020 Darren O'Connor All Rights Reserved