BSpendlove
Reputation Activity

  1. Informative
    BSpendlove got a reaction from Clyne for a blog entry, GNS3 and Ubuntu VM for TACACS+
    I was just testing around and finding a simple way to have a look at TACACS+ without getting a friend to obtain Cisco ACS for me. I have an Ubuntu VM that I was testing on, so I thought I'd find a TACACS+ package of some sort. Many are available, but I found one which is based off the original Cisco TACACS+ code (it doesn't provide LDAP integration, but they have examples of how to 'almost' fully integrate it, haha)...
     
    So this is more or less a quick post so I can look back when I need to review all the studies and such. Assuming currently we have the VM installed and updated (currently using Ubuntu Server 17.04).
     
    sudo apt-get install tacacs+
     
    We need to do a tiny bit of configuration for the shared secret, user/groups and then finally the device configuration to get the basics up and running. Once the package is installed, we will mainly be working in: /etc/tacacs+/tac_plus.conf.
     
    I normally copy this file and rename it .old so I can refer back to it if needed, and clear the config file since there are many comments and I like a tidy file... The main changes we will make are:
     
    key = mynewsecretkey123
     
    and then creating users/groups. We can do quite a bit (some examples are in the .old conf file I mentioned to copy), but to get the bare basic configuration all up and running I'll create a user and a group (which will by default permit all commands; we can define specific commands to permit/deny, which is the advantage of TACACS+ compared to RADIUS... with RADIUS we can define the privilege level, but I believe we can't limit specific commands...)
     
    key = oioi123
    user = netdbackup {
        member = backup_operators
    }
    group = backup_operators {
        default service = permit
        login = file /etc/passwd
        enable = file /etc/passwd
    }
     
    A lot of people recommend using the authentication in Linux (creating the user in Linux as well), since we can use either clear-text passwords in our configuration file, or DES encryption, which isn't the best...
     
    Once we have made a change to the configuration file we'll issue:
     
    sudo /etc/init.d/tacacs_plus restart
     
    If any errors occur, the configuration file may have a typo in it.
     
    That is practically the basic setup; we just need to create a quick user in Linux. I've created the user 'netdbackup' with a password of oioi456...
     
    Now the configuration is extremely easy on our devices. I've come across a ton of posts that just tell you what to put and don't explain it. My VM is assigned 10.0.100.10 and the topology looks like this:

     
    Firstly, we'll start with our basics of a local user to roll back on in the event of the tacacs+ server going offline:
    R1(config)#username cisco priv 15 password cisco
    R1(config)#enable secret cisco
     
    Let's begin with the configuration for TACACS+ and AAA.
     
    R1(config)#tacacs-server host 10.0.100.10
    !Defines our host; even when we create our AAA group, we still need to define this
    R1(config)#tacacs-server key oioi123
    !Our key in the configuration file on the TACACS+ server
    R1(config)#tacacs-server directed-request
    !This allows users to choose which TACACS+ server to authenticate with if we have multiple
    R1(config)#aaa new-model
    !Enable AAA and give us more commands
    R1(config)#aaa group server tacacs+ TAC_SERVERS
    !We are creating a TACACS+ group and calling it TAC_SERVERS
    R1(config-sg-tacacs+)#server 10.0.100.10
    !Adding our TACACS+ server to our group to authenticate with
    R1(config)#aaa authentication login default group TAC_SERVERS local
    !Use our TACACS+ group, then fall back to local authentication
    R1(config)#aaa authorization exec default group TAC_SERVERS local if-authenticated
    !Practically allows us to authenticate with our user so we shouldn't need the enable secret/password to get into priv mode. Although beware, since a few bugs existed in IOS 12.4 where an error message would prompt 'Authentication failed'. This command practically uses TACACS+ first, then local, and finally falls back onto if we are already authenticated with the device
    !!!output omitted
    User Access Verification
    Username: netdbackup
    Password:
    R1#conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    R1(config)#
  2. Informative
    BSpendlove got a reaction from thebeanogamer for a blog entry, A guide to a Cisco R&S lab: Equipment   
    I've always wanted to do a post but felt like this is more appropriate for a blog post instead of on the networking forum. I've had a few people ask me on Instagram and other social sites about building a lab, and decided to create this so I can point them to it. Let us begin!
     
     
    So, you're studying for a Cisco exam or want to get some 'real' hands on experience with Cisco equipment because either:
     
    1) People are telling you real hardware experience is better than emulation/simulation
    2) You are generally interested in learning on real hardware
     
    Let us clear up one thing before we start talking about building a lab. There are many alternatives that can provide almost all the functionality for the R&S path (if not, everything for CCNA/CCNP) which are either free or cost a tiny investment, a bit like the money you will invest into this lab of yours!
     
     
    Why would I want to build a lab?
     
    The first thing I want to talk about is electricity. Running this hardware costs money and can vary depending on the models of routers/switches etc. you use. My personal experience is that I use my lab when I know I am going to be spending a long time on a concept; otherwise I'll just use GNS3 or a mix of GNS3 and real hardware. My equipment is off when I'm not using it and it doesn't affect my electric bill to the point that I'm considering whether I should not use hardware.
     
    Noise... Buying the most up-to-date models for a lab doesn't seem a good investment if you're just building a lab. While you can get routers/switches for £15 each, they can produce a LOT of noise when you populate your lab with many devices. You're probably going to go for second-hand equipment which could have faulty fans (still working, but they might rattle or make high-pitched noises).
     
    "I want to get real hardware because I want to plug things in..."... If you are planning on getting a lab purely for the practical feeling of actually using physical cables, you will feel differently about that half-way through your studies.

    Sure, it doesn't take a long time to plug things in but a few factors come into play:
    Have you got a sufficient amount of cables for your different topologies?
    Are you going to make a network diagram, including labelling the interfaces, in case you want to recreate your topology with config files you already have?
    Can you keep up with using 40+ cables in your lab and knowing what connects to what logically? (Maybe you're not doing direct connections between devices...)
    A fine addition to crafting your ultimate lab, from my point of view, is: can you obtain IOS images for the devices you buy?
     
    During my first few days of obtaining real hardware, I would normally check out the IOS version, figure out if I need any module cards, maybe do password recoveries (urghhh!).. My first experience before even configuring my first ever interface on a router is that I had to obtain an IOS image because someone had deleted it from the flash! (I was threatened because I didn't have a clue what I was dealing with)
     
    Ok, I still want to build a lab but don't have a clue what to buy and how many?
     
    You can buy sufficient equipment for your beginning CCENT/CCNA studies, then invest more when you start to branch out into other areas to carry on to your CCNP. You can also be smart and buy equipment that can still be used in your CCNP studies. For now, let's look at a few options.
     
    CCENT/CCNA studies (2 routers, 2 switches)
    2 routers can provide:
    - Basic routing protocol concepts
    - You could always use other technologies to logically further split the routers so it looks like you have more
    - Integration with GNS3 for more routers
    - More functionality with static/dynamic routing
    2 switches can provide:
    - Basic switching concepts
    - 802.1Q labs spanning multiple switches
    - Personally, I think you can take a better look at slicing up unicast vs multicast vs broadcast with more flexibility...
    You can always substitute hardware routers with GNS3 (which will allow you to emulate IOS but also provide connectivity between emulation and hardware devices). Another option is that you can also chuck in another router, since you can really find some good deals on eBay for job lots etc..
     
    Enough with the boring stuff, let's look into models for routers and switches. Wait.... I NEED DEVICES that can run IOS 15!!! Some of the older models don't run IOS 15 (like computers and operating systems); sometimes the models are too old to either store the IOS version or don't have the hardware requirements. Now let's look...
     
    Routers
    Cisco 1841:
    I started with these during my CCNA studies. They are very quiet and have a little bit of room for expansion since they have 2 modules. Most of these on eBay come with a single WIC-1T, which allows you to bang out serial into your labs. This router does support IOS 15 (15.1) and depending on the IOS image you can experiment with a few other features. I use these quite a lot when I need routers for customer sites in my lab.
     
    1760
    Quite an old one, so you should be able to get this for cheap on eBay! They take quite a while to boot up, although they provide 2x WIC cards and the other 2 slots support VIC voice modules. Not 100% certain, but I know this runs 12.3 and not 15.
     
    2610/2612/2621/XM
     
    Depending on your preference, the XM series replaces the 10mbps with 100mbps fast ethernet (only a single port)... I mentioned this because you can get them on ebay for about £10-15 if you look carefully and hunt down through the listings. The XM series supports a few more features and you can upgrade it (dram etc..). Using a single ethernet port, you can use subinterfaces trunked to a switch to logically have more connections. The 2610 supports up to IOS 12.3 I believe which is still ok for almost all the concepts at the CCENT/CCNA level.
     
    2801
    If you're lucky, you can find these between £25 - £40 a piece. They support more WIC modules than your 1841/2610 etc.. and allow 4x modules, although SLOT 0 only accepts VICS, 2 slots support HWIC modules and others, and SLOT 2 only accepts WICS (not HWICS)... I like that everything is at the front of the chassis so when I rack mount these, it is easy to get to inc. the console port etc.. These also support IOS 15.1
     
    2811
    Almost looks like the 2801 with modules around the back, not going into detail with this router because you can sometimes find them cheap... I mention this model because they normally are sold with a few modules preinstalled.
     
    Switches
    2950
    These are extremely dirt cheap and come in many different variants (eg. just 24 x 100mbps ports, 2 x gigabit uplinks, 2 x FX or SX uplinks, 12 x 100mbps ports... just loads!). People literally throw these away on eBay for cheap, but they can get loud! A few people normally recommend swapping these out for 2960's because they can run IOS 15 and obviously support other features. I've found 2950's on eBay with 2x gigabit links for around £12 each... or a job lot of 4x 2950's for £40-50!
     
    2960
     Lets take this opportunity to have a look at PoE. We can buy devices which support PoE that can provide power to a range of devices (most common would be IP phones). Again like the 2950, we have different variants which include 2 x gigabit ports for uplinks between switches etc.. A lot of people normally list these on ebay for around £20
     
    3550
    Now we are getting into devices known as 'Layer 3' or 'Multi-layer' switches. Unlike our 2950/2960, multilayer switches provide functionality between layer 2 and layer 3. A multilayer switch can act as a standard boring ol' switch, but we can enable IP routing to practically act similar to a router. I use many multilayer switches in routing topologies to populate labs when I practice routing protocols etc.. One key protocol that isn't supported by this and another multilayer switch I'll mention is the ability to perform NAT (oh! also IPv6 & a few QoS features). I believe these don't support IOS 15 but can be found on eBay between £15 - 20 a piece.
     
    3560
    Practically looks like the 3550 and supports more features + higher speeds (around £15-35 a piece)
     
    3750
    The 3750 is a bit more expensive, more or less a 3560 with a few more features including StackWise. StackWise isn't really something practical you need to learn for the exam but may be good for the real world. Again, depending on the IOS image you are limited to certain protocols etc.. (eg. the IPBASE image doesn't support BGP). I managed to buy 4 of these (2x PoE) for around £50, which was an absolute bargain, and they have taken me through CCNP studies. They are capable of even bringing you to the CCIE R&S.
     
    There are plenty of other choices and combinations (eg. fully GNS3 and a few 3550/3560/3750's), but this is the gear that I've managed to use in my own lab without breaking the bank. Another option is to also buy a dedicated server to run GNS3 to allow more devices to run, which is a valid option (or even looking at Cisco's VIRL... OR just using Packet Tracer for your CCENT/CCNA studies, which many people have succeeded with).
     
     
    This post will be edited some time in the future and reviewed
     