Commit
Dmitry Teslya committed Dec 12, 2023
1 parent 40084e3, commit 747e40f
Showing 9 changed files with 247 additions and 1 deletion.
@@ -0,0 +1,75 @@ | ||
| | | | ||
| ----------------------------- | ---------------------------------------------------------------------- | | ||
| **Description** | A Cisco FTDv connected to two Alpine Linux Hosts | | ||
| **Components** | [Cisco FTDV][ftdv], [Multitool Alpine Linux][client] | | ||
| **Resource requirements**[^1] | :fontawesome-solid-microchip: 4 <br/>:fontawesome-solid-memory: 8 GB | | ||
| **Topology file** | [ftdv01.yml][topofile] | | ||
| **Name** | ftdv01 | | ||
| **Version information**[^2] | `Cisco_Secure_Firewall_Threat_Defense_Virtual-7.2.5-208.qcow2`, `docker:24.0.6` | | ||
|
||
## Description | ||
|
||
This lab consists of one Cisco FTDv firewall connected to two Alpine Linux nodes. | ||
|
||
``` | ||
client1<---->FTDv<---->client2 | ||
``` | ||
|
||
## Configuration | ||
|
||
The FTDv node takes about 1-2 minutes to complete its start up. Check using "docker container ls" until the FTDv container shows up as "healthy". | ||
|
||
``` | ||
# docker container ls | ||
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES | ||
5682d73984d1 vrnetlab/vr-ftdv:7.2.5 "/launch.py --userna…" 34 minutes ago Up 34 minutes (healthy) 22/tcp, 80/tcp, 443/tcp, 5000/tcp, 8305/tcp, 10000-10099/tcp clab-ftdv01-ftdv1 | ||
1ebe3dae6846 wbitt/network-multitool:alpine-extra "/bin/sh /docker-ent…" 34 minutes ago Up 34 minutes 80/tcp, 443/tcp, 1180/tcp, 11443/tcp clab-ftdv01-client1 | ||
9726c9bb9e21 wbitt/network-multitool:alpine-extra "/bin/sh /docker-ent…" 34 minutes ago Up 34 minutes 80/tcp, 443/tcp, 1180/tcp, 11443/tcp clab-ftdv01-client2 | ||
``` | ||
|
||
### ftdv1 | ||
|
||
Log into the FTDv node using the Web UI and add the following configuration. Password is `Admin@123`. | ||
|
||
1. Click "Skip device setup" on the initial screen. | ||
2. In the dialog window "Are you sure you want to skip device setup?" check the "Start 90-day evaluation" box, select the "FTDv5 - Tiered" performance tier, and click "Confirm". | ||
3. In the "Interfaces" menu configure GigabitEthernet0/0 with the `192.168.1.1/30` IP, and GigabitEthernet0/1 with the `192.168.2.1/30` IP. | ||
4. Go to the "Policies" menu and add a test "allow all" policy (all fields should be left empty, and the action should be "allow"). | ||
5. Deploy pending changes. | ||
|
||
### client1 | ||
|
||
The two clients should be configured with the correct IP addresses and a route to the other client via the FTDv node. | ||
First attach to the container process `docker exec -it clab-ftdv01-client1 ash` | ||
|
||
``` | ||
docker exec -it clab-ftdv01-client1 ash | ||
# ip -br a show dev eth1 | ||
eth1@if3749 UP 192.168.1.2/30 fe80::a8c1:abff:feee:be5c/64 | ||
# ip r | ||
default via 172.20.20.1 dev eth0 | ||
172.20.20.0/24 dev eth0 proto kernel scope link src 172.20.20.4 | ||
192.168.1.0/30 dev eth1 proto kernel scope link src 192.168.1.2 | ||
192.168.2.0/30 via 192.168.1.1 dev eth1 | ||
``` | ||
|
||
## Verification | ||
|
||
Traceroute from client1 to client2 to verify the data-plane via the FTDv node. | ||
|
||
### client1 | ||
|
||
``` | ||
# traceroute 192.168.2.2 | ||
traceroute to 192.168.2.2 (192.168.2.2), 30 hops max, 46 byte packets | ||
1 192.168.2.2 (192.168.2.2) 1.372 ms 0.909 ms 0.403 ms | ||
``` | ||
|
||
[ftdv]: https://www.cisco.com/c/en/us/products/collateral/security/firepower-ngfw-virtual/threat-defense-virtual-ngfwv-ds.html | ||
[client]: https://github.com/wbitt/Network-MultiTool | ||
[topofile]: https://github.com/srl-labs/containerlab/tree/main/lab-examples/ftdv01/ftdv01.yml | ||
|
||
[^1]: Resource requirements are provisional. Consult with the installation guides for additional information. | ||
[^2]: The lab has been validated using these versions of the required tools/components. Using versions other than stated might lead to a non-operational setup process. |
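Review bot: In the client1 section the fenced block opens with `docker exec -it clab-ftdv01-client1 ash` without a prompt and then shows `#`-prompted commands run inside the container, while the sentence just above it repeats the same `docker exec` command; drop the duplicate sentence (or give that first line its own host prompt) so readers can tell which commands run on the host and which inside the container. The heading is "### client1" only, yet the prose says "The two clients should be configured ..."; since the topology file already applies these addresses and routes through `exec` at deploy time, say that the output just verifies what containerlab configured and show (or mention) the mirrored `192.168.2.2/30` and `via 192.168.2.1` state for client2. Two smaller points: the "allow all" policy in step 4 is fine here but deserves a "lab only" label so it is not carried into other deployments, and the traceroute lists client2 as the single hop, so one sentence explaining that the FTDv does not show up as an intermediate hop and that the route `192.168.2.0/30 via 192.168.1.1 dev eth1` is what proves the path crosses the firewall would keep readers from concluding it was bypassed.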
@@ -0,0 +1,61 @@ | ||
--- | ||
search: | ||
boost: 4 | ||
--- | ||
# Cisco FTDv | ||
|
||
[Cisco FTDv](https://www.cisco.com/c/en/us/products/collateral/security/firepower-ngfw-virtual/threat-defense-virtual-ngfwv-ds.html) is identified with `vr-ftdv` kind in the [topology file](../topo-def-file.md). It is built using [vrnetlab](../vrnetlab.md) project and essentially is a Qemu VM packaged in a docker container format. | ||
|
||
## Managing FTDv nodes | ||
|
||
!!!note | ||
Containers with Cisco FTDv inside will take ~1-2 min to fully boot. | ||
You can monitor the progress with `docker logs -f <container-name>`. | ||
|
||
Cisco FTDv node launched with containerlab can be managed via the following interfaces: | ||
|
||
=== "bash" | ||
to connect to a `bash` shell of a running FTDv container: | ||
```bash | ||
docker exec -it <container-name/id> bash | ||
``` | ||
=== "CLI via SSH" | ||
to connect to the FTDv shell (password `Admin@123`) | ||
```bash | ||
ssh admin@<container-name> | ||
``` | ||
=== "Telnet" | ||
serial port (console) is exposed over TCP port 5000: | ||
```bash | ||
# from container host | ||
telnet <container-name> 5000 | ||
``` | ||
You can also connect to the container and use `telnet localhost 5000` if telnet is not available on your container host. | ||
=== "HTTPS" | ||
HTTPS server is running over port 443 -- connect with any browser normally. | ||
|
||
!!!info | ||
Default user credentials: `admin:Admin@123` | ||
|
||
## Interfaces mapping | ||
|
||
* `eth0` - management interface (Management0/0) connected to the containerlab management network | ||
* `eth1+` - first and subsequent data interfaces (GigabitEthernet0/0, GigabitEthernet0/1, etc.) | ||
|
||
When containerlab launches FTDv node, it will assign IPv4/6 address to the `eth0` interface. These addresses are used to reach the management plane of the router. | ||
|
||
Data interfaces `eth1+` need to be configured with IP addressing manually using Web UI. | ||
|
||
## Features and options | ||
|
||
### Node configuration | ||
|
||
Cisco FTDv nodes come up with a basic configuration where only the management interface and a default user are provisioned. | ||
|
||
Nodes are configured for local management with Firepower Device Management (FDM) On-Box management service. FDM is available via HTTPS and takes a few minutes to come up after node boot up. | ||
|
||
## Lab examples | ||
|
||
The following simple lab consists of two Linux hosts connected via one FTDv node: | ||
|
||
* [Cisco FTDv](../../lab-examples/ftdv01.md) |
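Review bot: The "Interfaces mapping" paragraph says the `eth0` addresses "are used to reach the management plane of the router"; FTDv is a firewall, so this reads as copied from another kind's page and should say "firewall" or "node". The boot note recommends `docker logs -f <container-name>` for monitoring, while the lab example added in this same commit relies on the `(healthy)` status in `docker container ls`; mentioning both here keeps the two pages consistent. Since `admin:Admin@123` are well-known defaults listed on this page, a line noting that they are passed in through the `USERNAME`/`PASSWORD` environment variables the node implementation hands to `launch.py`, and that the password should be changed after first login when the management interface is reachable beyond the lab host, would be useful.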
@@ -0,0 +1,21 @@ | ||
name: ftdv01 | ||
topology: | ||
nodes: | ||
ftdv1: | ||
kind: vr-ftdv | ||
image: vrnetlab/vr-ftdv:7.2.5 | ||
client1: | ||
kind: "linux" | ||
image: wbitt/network-multitool:alpine-extra | ||
exec: | ||
- ip addr add 192.168.1.2/30 dev eth1 | ||
- ip route add 192.168.2.0/30 via 192.168.1.1 | ||
client2: | ||
kind: "linux" | ||
image: wbitt/network-multitool:alpine-extra | ||
exec: | ||
- ip addr add 192.168.2.2/30 dev eth1 | ||
- ip route add 192.168.1.0/30 via 192.168.2.1 | ||
links: | ||
- endpoints: ["ftdv1:eth1", "client1:eth1"] | ||
- endpoints: ["ftdv1:eth2", "client2:eth1"] |
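Review bot: Quoting is inconsistent between `kind: vr-ftdv` and `kind: "linux"`; pick one style. The `exec` lines for both clients assume the data interface is `eth1`, which does match the `links` section, but a short comment tying `client1:eth1` to `192.168.1.2/30` and `ftdv1:eth1`/`ftdv1:eth2` to GigabitEthernet0/0 and 0/1 (per the interface mapping in the kind documentation) would make the addressing used in the FDM steps easier to follow.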
@@ -0,0 +1,75 @@ | ||
// Copyright 2020 Nokia | ||
// Licensed under the BSD 3-Clause License. | ||
// SPDX-License-Identifier: BSD-3-Clause | ||
|
||
package vr_ftdv | ||
|
||
import ( | ||
"context" | ||
"fmt" | ||
|
||
"github.com/srl-labs/containerlab/nodes" | ||
"github.com/srl-labs/containerlab/types" | ||
"github.com/srl-labs/containerlab/utils" | ||
) | ||
|
||
var ( | ||
kindnames = []string{"cisco_ftdv", "vr-ftdv", "vr-cisco_ftdv"} | ||
defaultCredentials = nodes.NewCredentials("admin", "Admin@123") | ||
) | ||
|
||
// Register registers the node in the NodeRegistry. | ||
func Register(r *nodes.NodeRegistry) { | ||
r.Register(kindnames, func() nodes.Node { | ||
return new(vrFtdv) | ||
}, defaultCredentials) | ||
} | ||
|
||
type vrFtdv struct { | ||
nodes.DefaultNode | ||
} | ||
|
||
func (n *vrFtdv) Init(cfg *types.NodeConfig, opts ...nodes.NodeOption) error { | ||
// Init DefaultNode | ||
n.DefaultNode = *nodes.NewDefaultNode(n) | ||
// set virtualization requirement | ||
n.HostRequirements.VirtRequired = true | ||
|
||
n.Cfg = cfg | ||
for _, o := range opts { | ||
o(n) | ||
} | ||
// env vars are used to set launch.py arguments in vrnetlab container | ||
defEnv := map[string]string{ | ||
"CONNECTION_MODE": nodes.VrDefConnMode, | ||
"USERNAME": defaultCredentials.GetUsername(), | ||
"PASSWORD": defaultCredentials.GetPassword(), | ||
"DOCKER_NET_V4_ADDR": n.Mgmt.IPv4Subnet, | ||
"DOCKER_NET_V6_ADDR": n.Mgmt.IPv6Subnet, | ||
} | ||
n.Cfg.Env = utils.MergeStringMaps(defEnv, n.Cfg.Env) | ||
|
||
if n.Cfg.Env["CONNECTION_MODE"] == "macvtap" { | ||
// mount dev dir to enable macvtap | ||
n.Cfg.Binds = append(n.Cfg.Binds, "/dev:/dev") | ||
} | ||
|
||
n.Cfg.Cmd = fmt.Sprintf("--username %s --password %s --hostname %s --connection-mode %s --trace", | ||
n.Cfg.Env["USERNAME"], n.Cfg.Env["PASSWORD"], n.Cfg.ShortName, n.Cfg.Env["CONNECTION_MODE"]) | ||
|
||
return nil | ||
} | ||
|
||
func (n *vrFtdv) PreDeploy(_ context.Context, params *nodes.PreDeployParams) error { | ||
utils.CreateDirectory(n.Cfg.LabDir, 0777) | ||
_, err := n.LoadOrGenerateCertificate(params.Cert, params.TopologyName) | ||
if err != nil { | ||
return nil | ||
} | ||
return nil | ||
} | ||
|
||
// CheckInterfaceName checks if a name of the interface referenced in the topology file correct. | ||
func (n *vrFtdv) CheckInterfaceName() error { | ||
return nodes.GenericVMInterfaceCheck(n.Cfg.ShortName, n.Endpoints) | ||
} |
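Review bot: `PreDeploy` discards the certificate error: `if err != nil { return nil }` swallows a failure from `LoadOrGenerateCertificate` and lets the deployment continue without a certificate; this should be `return err`, or simply `_, err := n.LoadOrGenerateCertificate(...); return err`. `utils.CreateDirectory(n.Cfg.LabDir, 0777)` creates the lab directory world-writable even though the generated certificate and key land there; a more restrictive mode such as `0755` is preferable unless something in vrnetlab needs write access from an unprivileged UID. The password is also embedded in the container command via `--password %s` in `n.Cfg.Cmd`, so it ends up in the container's command line (visible through `docker inspect`); a comment next to `defaultCredentials` pointing that out would help. Minor: the header says `Copyright 2020 Nokia` for a file added in December 2023, and the `CheckInterfaceName` comment is missing "is" ("... referenced in the topology file is correct").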