Installing and Configuring – Expert Network Consultant
https://www.expertnetworkconsultant.com
Networking | Cloud | DevOps | IaC
Mon, 18 Sep 2023 11:46:35 +0000

Unleashing the Future of Networking: Software-Defined Networking (SDN) and Network Function Virtualization (NFV)
https://www.expertnetworkconsultant.com/installing-and-configuring-network-devices/unleashing-the-future-of-networking-software-defined-networking-sdn-and-network-function-virtualization-nfv/
Wed, 20 Sep 2023 07:49:47 +0000

In the ever-evolving landscape of information technology, adaptability and agility have become paramount. Traditional networking models, while robust and reliable, can sometimes fall short in meeting the dynamic demands of today’s digital world. Enter Software-Defined Networking (SDN) and Network Function Virtualization (NFV), two transformative paradigms reshaping the way we design, manage, and scale network infrastructures.

Demystifying SDN and NFV

Software-Defined Networking (SDN) At its core, SDN is a networking architecture that decouples the control plane from the data plane, enabling centralized control, programmability, and automation of network resources. In simpler terms, it allows network administrators to manage network services through abstraction of lower-level functionality.

Network Function Virtualization (NFV) NFV, on the other hand, focuses on virtualizing network services traditionally carried out by dedicated hardware appliances. It involves replacing specialized hardware with software-based virtual network functions (VNFs) running on standard servers and switches. This agility and flexibility are fundamental to NFV’s appeal.

The Power of SDN

1. Centralized Control SDN shifts control from individual network devices to a central controller, allowing for dynamic, policy-driven management. This centralized approach simplifies network configuration and troubleshooting.

2. Flexibility and Programmability With SDN, network policies can be programmed and adjusted on the fly, enabling rapid responses to changing network conditions. This flexibility is especially valuable in cloud computing environments.

3. Traffic Engineering SDN enables intelligent traffic engineering and optimization, ensuring that network resources are efficiently utilized, and critical applications receive the necessary bandwidth.

4. Security SDN enhances security by facilitating fine-grained control over network traffic. Security policies can be implemented and enforced at the network level, reducing vulnerabilities.

The Advantages of NFV

1. Cost-Efficiency NFV reduces the need for expensive, proprietary hardware, resulting in significant cost savings for organizations. It also allows for better resource utilization, as virtualized network functions can run on the same hardware.

2. Scalability NFV makes it easier to scale network functions up or down based on demand. This agility is vital for handling fluctuating workloads.

3. Rapid Deployment VNFs can be provisioned and deployed rapidly, reducing the time it takes to introduce new network services or make changes to existing ones.

4. Improved Service Innovation NFV promotes service innovation by simplifying the introduction of new network services and features without requiring hardware changes.

The Journey Toward Network Transformation

Embracing SDN and NFV isn’t just a technological shift; it’s a paradigm shift in how we think about network infrastructure. It’s a journey toward greater flexibility, efficiency, and innovation.

Challenges and Considerations

1. Integration Integrating SDN and NFV into existing network infrastructures can be complex. Organizations need a clear migration strategy.

2. Security As with any technology, security remains a top concern. Properly securing the SDN controller and the NFV infrastructure is crucial, because centralizing the control plane also concentrates the risk: whoever controls the controller controls the network.

3. Skillset Organizations may need to invest in training and development to ensure their IT teams are well-versed in SDN and NFV technologies.

Conclusion: Pioneering a New Era in Networking

Software-Defined Networking (SDN) and Network Function Virtualization (NFV) represent a seismic shift in the networking landscape. They empower organizations to create more agile, efficient, and responsive networks that can adapt to the demands of today’s digital world.

As businesses continue to embrace digital transformation, SDN and NFV are not just technologies but strategic enablers that can propel organizations into the future. With the right strategy and a commitment to innovation, businesses can harness the full potential of SDN and NFV to drive their success in the digital age.

Follow the link to learn more about SDNs.

Understanding the Collapsed Core Network: Streamlining Network Architecture for Smaller Enterprises
https://www.expertnetworkconsultant.com/installing-and-configuring-network-devices/6307/
Tue, 19 Sep 2023 09:46:37 +0000

In the ever-evolving realm of enterprise networking, the quest for an efficient and cost-effective network architecture is constant. Two prominent models frequently employed in enterprise campus network design are the three-tier and two-tier layered models. In this article, we delve into the concept of a “Collapsed Core Network” – a term that often sparks curiosity among network administrators and architects.

What Exactly Is a Collapsed Core Architecture?

In a conventional three-tier network model, the campus network is structured into three distinct layers, each serving a specific function. The core layer plays a pivotal role in inter-site transport and routing, handling critical server and internet connections. The distribution layer manages the connectivity between the core and access layers, while the access layer grants network access to end users, including devices such as PCs and tablets.

While this three-tier model is indispensable for intricate campuses with diverse needs, it’s worth exploring more streamlined options, especially for smaller or medium-sized campus networks. This is where the “Collapsed Core Architecture” comes into play. In this model, the core and distribution layers are merged into a single entity, simplifying the network design and management process.

Benefits of Collapsed Core Networks

The Collapsed Core Network operates in a manner similar to its three-tier counterpart, but it offers unique advantages tailored to the needs of smaller campuses:

1. Lower Costs By amalgamating the core and distribution layers, a collapsed core network significantly reduces the hardware requirements, resulting in cost savings. This model provides an opportunity to harness the benefits of the three-tiered architecture without breaking the budget.

2. Simplified Network Protocols With only two layers involved in communication, the network’s protocol complexity is reduced, minimizing potential protocol-related issues.

3. Designed for Small Campuses The collapsed core model is purpose-built for small and medium-sized campuses, ensuring that they can enjoy the advantages of a three-tiered model without the burden of unnecessary equipment or complexity.

Limitations of Collapsed Core Networks

While collapsed core networks offer compelling benefits, they do come with certain limitations, which are essential to consider:

1. Scalability Collapsed core networks have limited scalability, making it challenging to accommodate rapid growth in terms of additional sites, devices, and users. Cisco suggests that a small network supports up to 200 devices, while a medium network caters to up to 1000. Beyond this scope, transitioning to a three-tier model may become necessary.

2. Resiliency The streamlined design of collapsed core networks means there is less redundancy to mitigate individual component failures. While the network remains reliable, the reduced redundancy does entail some trade-offs in terms of resiliency.

3. Manageability The lower redundancy can complicate the management process, especially when dealing with faulty components or distribution policy adjustments. Careful consideration and planning are required to minimize network downtime during such scenarios.

Is a Collapsed Core Design Right for You?

For small and medium-sized campuses seeking the robustness of a three-tiered network architecture without the associated budget constraints and technical complexities, a collapsed core network can be an ideal solution. However, campuses with rapid growth expectations should be prepared to transition to the full three-tiered design when necessary, as scalability, resiliency, and manageability are considerations that can’t be ignored.

In conclusion, the choice of network architecture ultimately depends on your specific needs, resources, and growth expectations. A collapsed core network offers an efficient compromise between complexity and cost-effectiveness, making it a viable option for many smaller enterprises in their pursuit of a resilient and scalable network infrastructure.

Some useful links to Cisco’s resources on the subject of network architecture and design, specifically focusing on the Collapsed Core Network and related concepts:

1. Cisco Campus Network Design Guide: Cisco’s comprehensive guide on campus network design, which covers various architectural models, including the Collapsed Core Network.

2. Cisco Enterprise Network Architecture: Explore Cisco’s solutions and insights into enterprise network architecture, including resources on designing scalable and resilient networks.

3. Cisco Networking Academy: Access Cisco’s Networking Academy, a resource-rich platform offering courses and materials on network design, configuration, and troubleshooting.

4. Cisco Design Zone: Cisco’s Design Zone provides practical design and deployment guides for various network scenarios, including those relevant to the Collapsed Core Network.

These links will provide readers with valuable information and insights from Cisco, a leading authority in the field of network architecture and design.

Building a Secure Corporate WiFi Network with Aruba Wireless: Creating SSIDs and VLANs
https://www.expertnetworkconsultant.com/installing-and-configuring-network-devices/building-a-secure-corporate-wifi-network-with-aruba-wireless-creating-ssids-and-vlans/
Sat, 25 Mar 2023 12:50:36 +0000

Aruba Wireless is a robust and flexible solution for building a secure and reliable corporate WiFi network. One of the critical steps in setting up an Aruba Wireless network is the creation of SSIDs and VLANs. This article will cover the essential steps involved in creating SSIDs and VLANs to build a corporate WiFi network using Aruba Wireless.

Plan Your Network Topology
Before creating SSIDs and VLANs, it is essential to plan your network topology. This involves determining the number of access points (APs) needed, the coverage area, and the location of the APs. You also need to determine the number of SSIDs and VLANs needed and the security requirements for each network. For example, you may need separate networks for guest access and employee access, each with different security policies.

Create VLANs
VLANs are virtual LANs that enable you to separate network traffic into different logical networks, each with its own security policies. VLANs are crucial in building a secure corporate WiFi network. Here are the steps to create VLANs in Aruba Wireless:

  • Log in to the Aruba Wireless web interface.
  • Navigate to Configuration > Advanced Services > VLANs.
  • Click Add to create a new VLAN.
  • Enter a name for the VLAN.
  • Enter a VLAN ID, which is a unique number between 1 and 4094.
  • Set the VLAN type to “Normal.”
  • Set the VLAN state to “Enabled.”
  • Click Apply to save the VLAN configuration.

Repeat these steps for each VLAN you need to create.

Create SSIDs
An SSID is a unique identifier that enables clients to connect to a specific wireless network. You can create multiple SSIDs for different types of users, such as employees and guests. Here are the steps to create SSIDs in Aruba Wireless:

  • Log in to the Aruba Wireless web interface.
  • Navigate to Configuration > Wireless > AP Configuration > SSIDs.
  • Click Add to create a new SSID.
  • Enter a name for the SSID.
  • Select the VLAN for the SSID from the drop-down menu.
  • Set the security type for the SSID. Aruba Wireless supports several security types, including WPA2-Enterprise, WPA2-PSK, and Captive Portal. For the employee SSID, WPA2-Enterprise (802.1X with per-user credentials) is the stronger choice, since a shared PSK is hard to rotate once it leaks.
  • Enter the authentication and encryption settings for the SSID.
  • Click Apply to save the SSID configuration.

Repeat these steps for each SSID you need to create.

Configure APs
Once you have created VLANs and SSIDs, you need to configure the APs to broadcast the SSIDs and connect clients to the appropriate VLANs. Here are the steps to configure APs in Aruba Wireless:

  • Log in to the Aruba Wireless web interface.
  • Navigate to Configuration > Wireless > AP Configuration.
  • Select the AP you want to configure from the list.
  • Click the SSIDs tab.
  • Select the SSIDs you want to broadcast from the list.
  • Click the VLAN tab.
  • Select the VLANs you want to associate with the SSIDs.
  • Click Apply to save the AP configuration.

Repeat these steps for each AP you need to configure.

Conclusion
Building a secure and reliable corporate WiFi network using Aruba Wireless involves creating VLANs and SSIDs and configuring APs to connect clients to the appropriate VLANs. Planning your network topology, determining the number of SSIDs and VLANs needed, and setting the appropriate security policies are crucial to building a robust and secure network. Aruba Wireless provides a flexible and feature-rich solution for building a corporate WiFi network that can meet the needs of any organization.

Create Guest Wireless – https://www.expertnetworkconsultant.com/configuring/configuring-guest-wireless-with-vlans/

Process Real-Time IoT Data Streams with Azure Stream Analytics
https://www.expertnetworkconsultant.com/installing-and-configuring-network-devices/process-real-time-iot-data-streams-with-azure-stream-analytics/
Thu, 22 Dec 2022 00:00:17 +0000

In my previous article, I explained how to connect an IoT device to Azure IoT Hub.

In this article on ingesting and processing streaming and IoT data for real-time analytics, we explore how to get the IoT events captured in a data stream into a database of your choosing. Processing real-time IoT data streams with Azure Stream Analytics is a thing of beauty.

    Scenario
Softclap Technologies, a company in the vehicle tracking and automation space, has completely automated its vehicle tracking processes. Its vehicles are equipped with sensors that emit streams of data in real time. In this scenario, a data analyst engineer wants real-time insights from the sensor data to look for patterns and act on them. You can use the Stream Analytics Query Language (SAQL) over the sensor data to find interesting patterns in the incoming stream.

Let us look at the prerequisites:

  • Azure IoT Hub
  • Enrolled IoT device

You can find that setup in a recent post, connect an IoT Device to Azure IoT Hub.

With the above requirements in place, follow the remaining steps to get Azure Stream Analytics to stream your IoT events to the database of your choice.

What we are building today:

  • Azure Stream Analytics
  • Azure SQL Database server with a database

Step 1: Create Stream Analytics

Step 2: Create SQL Database Server

Step 3: Configure Networking to Allow Azure services and resources to access this SQL Database Server

Note that this setting admits connections from any Azure-hosted resource, not only those in your own subscription. It is convenient for a lab; for anything that holds real data, prefer a private endpoint or firewall rules scoped to the specific services that need access.

Step 4: Create a SQL database

Step 5: Create Firewall Rules – these are what let you reach the database from your own client

Step 6: Create the Azure Stream Analytics job, which lets you perform near real-time analytics on streaming data. You can create the job right from your database.

Step 7: Select IoT Hub as Input
Stream Analytics jobs let you ingest streaming data into your SQL table. Set your input and output, then author your query to transform your data.

You can create a new consumer group, but in this setup I have had to use the existing consumer group $Default. The portal notes:

IoT Hubs limit the number of readers within one consumer group (to 5). We recommend using a separate group for each job. Leaving this field empty will use the ‘$Default’ consumer group.

Step 8: Select Output
Since you are streaming the telemetry data to your database, provide the credentials for the output table, which is where you will query your data later on.

The new table is created automatically in your database when you first start your Stream Analytics job.

Now you have completed the input and output configuration, from the IoT Hub telemetry to the database table.

Step 9: Telemetry Stream Shows Sample Events from the IoT Device
[Screenshot: sample events from mxchip-device-iot-hub]

Step 10: Click Test Query

Since the objective is to record the events in our database table, you need to create a table that matches the schema of your test query results.

PS: Using the click-to-create-table option has not worked well for me in the past. The fields were completely out of sync. I will therefore select "view create table SQL script" and then connect to the database locally or from the Azure Query Editor to create the tables. Let’s dive in.

Step 11: Open SQL Database Query Editor

Now that this step has completed successfully, head back to Stream Analytics and click Start Stream Analytics Job. Starting the job ensures that the IoT device telemetry arriving at the input is captured in the predefined database table, which can be queried later on.

Authenticate to the SQL Database server where the output table is stored.

Step 12: Click Start to begin writing stream data into the database table.

Back in the Query Editor, below are the results.

And so there we have it: a successful stream of IoT events from a remote IoT device sending live telemetry, ingested by our Stream Analytics job and captured in our database table.
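Steps 10 and 11 hinge on the output table matching the columns the query projects; when the two drift apart (the "fields out of sync" problem above), the job's writes fail or land in the wrong columns. The following shell script is an added example, not code from the original post: it extracts the column list from a Stream Analytics SELECT ... INTO query and from a T-SQL CREATE TABLE statement and reports any difference before the job is started. The query, the DDL and the field names (deviceId, temperature, humidity, pressure, eventTime) are constructed sample values, not the MXChip device's real telemetry schema.

```shell
#!/bin/sh
# Added example, not from the original post: check that the columns a Stream Analytics
# query writes match the columns of the hand-created SQL output table (Steps 10-11).
# All field names below are constructed sample values.
LC_ALL=C
export LC_ALL

# Constructed sample Stream Analytics query, as pasted into the job's query editor.
SAQL_QUERY='SELECT
    deviceId,
    temperature,
    humidity,
    EventEnqueuedUtcTime AS eventTime
INTO [sql-output]
FROM [iot-hub-input]'

# Constructed sample T-SQL DDL as run in the Query Editor. "pressure" is deliberately
# wrong (the query writes "humidity") so the mismatch report has something to show.
TABLE_DDL='CREATE TABLE dbo.Telemetry (
    deviceId NVARCHAR(64),
    temperature FLOAT,
    pressure FLOAT,
    eventTime DATETIME2
)'

# The corrected DDL, with the column set the query actually produces.
TABLE_DDL_FIXED='CREATE TABLE dbo.Telemetry (
    deviceId NVARCHAR(64),
    temperature FLOAT,
    humidity FLOAT,
    eventTime DATETIME2
)'

# saql_columns QUERY: print the query's output column names, sorted, one per line.
# Keeps the SELECT list only, splits it on commas, trims whitespace and reports a
# field written as "expr AS alias" under its alias.
saql_columns() {
    printf '%s\n' "$1" |
    sed -n '/^[[:space:]]*SELECT/,/^[[:space:]]*INTO/p' |
    sed -e 's/^[[:space:]]*SELECT[[:space:]]*//' -e '/^[[:space:]]*INTO/d' |
    tr ',' '\n' |
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' |
    sed -E 's/.*[[:space:]][Aa][Ss][[:space:]]+([A-Za-z_][A-Za-z0-9_]*)$/\1/' |
    sort
}

# ddl_columns DDL: print the column names declared in a CREATE TABLE statement, sorted.
# Reads from the opening parenthesis of the column list up to the closing parenthesis
# on its own line; the first word of each comma-separated declaration is the column name.
ddl_columns() {
    printf '%s\n' "$1" |
    awk '
        !started && /\(/ { sub(/^[^(]*\(/, ""); started = 1 }
        started && /^[ \t]*\)/ { exit }
        started {
            n = split($0, decl, ",")
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", decl[i])
                if (decl[i] != "") {
                    split(decl[i], word, /[ \t]+/)
                    print word[1]
                }
            }
        }' |
    sort
}

# compare_columns QUERY DDL: succeed when both column sets are identical; otherwise list
# every column that exists on only one side and fail, so the job is not started against
# a table it cannot write to.
compare_columns() {
    q_cols=$(saql_columns "$1")
    t_cols=$(ddl_columns "$2")
    if [ "$q_cols" = "$t_cols" ]; then
        echo "OK: query output and table columns match"
        return 0
    fi
    echo "MISMATCH between query output and table:"
    for c in $q_cols; do
        printf '%s\n' "$t_cols" | grep -qx "$c" || echo "  only in query: $c"
    done
    for c in $t_cols; do
        printf '%s\n' "$q_cols" | grep -qx "$c" || echo "  only in table: $c"
    done
    return 1
}

# Demonstration: report the constructed mismatch, then confirm the corrected DDL passes.
compare_columns "$SAQL_QUERY" "$TABLE_DDL" || true
compare_columns "$SAQL_QUERY" "$TABLE_DDL_FIXED"
```

In practice you would paste the job's query and the script from "view create table SQL script" into the two variables (or read them from files) and run the check before clicking Start; the comparison is by name only, so column types still need a glance, but a missing or misspelt column is caught before the first event is lost.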

    Click here to learn more about other ways of ingesting data in Azure Stream Analytics.

Access Secrets from Azure Key Vault in Azure Kubernetes Service
https://www.expertnetworkconsultant.com/installing-and-configuring-network-devices/access-secrets-from-azure-key-vault-in-azure-kubernetes-service/
Wed, 19 Oct 2022 23:00:38 +0000

Before we begin to discuss how to access secrets from Azure Key Vault in Azure Kubernetes Service, let us have a quick intro to Secrets in Kubernetes.

When you hear "secrets", what comes to mind is confidentiality and secrecy. In the world of Kubernetes, secrets are essentially any values that you don’t want the world to know about.

A password, an API key, or a connection string to a database all fall under what a secret is. When comparing Secrets and ConfigMaps in Kubernetes, the main difference is the confidentiality of the data.

Both ConfigMaps and Secrets store data the same way, as key/value pairs, but ConfigMaps are designed for plain-text data, whereas Secrets are meant for data that must be kept secure and confidential to the application exclusively.

With the Key Vault provider, the secret material stays at rest in Key Vault, a secure encrypted store. A secret is only present in the AKS cluster while a pod that mounts it as a volume is running; as soon as the hosting pod is removed, the secret is removed from the cluster. This is a better approach than native Kubernetes Secrets, which are retained in the cluster after the hosting pod is removed.

    RESOURCE_GROUP=corp-infrastructure-rg
    KV_RESOURCE_GROUP=corp-kv-infrastructure-rg
    LOCATION=eastus
    AKS_CLUSTER=corpakscluster
    

# Create a resource group for the AKS cluster:

az group create --name $RESOURCE_GROUP --location $LOCATION

# Create the cluster with a managed identity and the Azure Key Vault secrets provider add-on,
# which installs the Secrets Store CSI driver and its Azure provider:

     az aks create \
       --resource-group $RESOURCE_GROUP \
       --name $AKS_CLUSTER \
       --network-plugin azure \
       --enable-managed-identity \
       --enable-addons azure-keyvault-secrets-provider \
       --generate-ssh-keys
    

The output includes the identity created for the Key Vault secrets provider add-on (excerpt):

 "identity": {
        "clientId": "1456c162-3f04-40bc-a079-f1f3f7d22b16",
        "objectId": "9f8165b6-206f-4596-932f-31e80469700f",
 }
    

    Download the cluster credentials and configure kubectl to use them:

    az aks get-credentials --resource-group $RESOURCE_GROUP --name $AKS_CLUSTER
    
    Merged "corpakscluster" as current context in /home/%user%/.kube/config

    Check that the Secrets Store CSI Driver and the Azure Key Vault Provider are installed in the cluster:

    $ kubectl get pods -n kube-system -l 'app in (secrets-store-csi-driver, secrets-store-provider-azure)'
    


When you enable the Azure Key Vault secrets provider add-on, it creates a user-assigned managed identity in the node resource group. View the client ID of that identity:

    az aks show -g $RESOURCE_GROUP -n $AKS_CLUSTER --query addonProfiles.azureKeyvaultSecretsProvider.identity.clientId -o tsv
    1456c162-3f04-40bc-a079-f1f3f7d22b16
    


Store it in a variable (the query returns the identity’s client ID, not an ARM resource ID; the client ID is what the --spn arguments below expect):

KV_IDENTITY_RESOURCE_ID=$(az aks show -g $RESOURCE_GROUP -n $AKS_CLUSTER --query addonProfiles.azureKeyvaultSecretsProvider.identity.clientId -o tsv)
    

    Create Azure Key Vault
    Create a resource group for Azure Key vault

    az group create --name $KV_RESOURCE_GROUP --location $LOCATION

    Create a key vault while storing its name in a variable:

KEY_VAULT_NAME="akscorpkeyvault${RANDOM}"
az keyvault create --name $KEY_VAULT_NAME --resource-group $KV_RESOURCE_GROUP --location $LOCATION

Output (excerpt):

{
  "name": "akscorpkeyvault5493",
  "objectId": "ebejced9-2f89-8176-a9u3-657f75eb36bb",
  "tenantId": "46edb775-xy69-41z6-7be1-03e4a0997e49"
}
    

Create a secret in the vault for later demonstration (output excerpt follows the command):

    az keyvault secret set --vault-name $KEY_VAULT_NAME -n FirstSecret --value StoredValueinFirstSecret
    
     "name": "FirstSecret",
      "tags": {
        "file-encoding": "utf-8"
      },
      "value": "StoredValueinFirstSecret"
    }
    

    Create a key in the Vault for later demonstration:

    az keyvault key create --vault-name $KEY_VAULT_NAME -n FirstKey --protection software
    
        "n": "t6PMnN5hTR2Oicy/fuTzQgXo49EgkS7B61gJWOeQjfw8u9tO+YoRbnPgWMnDsQWE3xE/MJyt6R0w0QwHsQa28KjdzCfq6qvJSlTSyhFfU9VJIf2YkjFtSlOpoyqYXKmHC6cS3pLrWsxDdVZTpZrgcZ8ec2deowrLDnn9mL5OKljGHmEaptocVHGWGfs9VNlxNqDAhRC4IKCQSIt6pnXc+eLo6Es0J50WhqHTGdqMG5brJGSlgEVaZobeBuvyFIxEvtt33MDjjkdiXCjKoTl8IS7/LNlvLYtDTWRvazK390IUXpldICw0xAp3layR/IDZA0diLEwQzbdESkyO18osPQ==",
    

Grant the AKS Key Vault managed identity permission to read (get) objects in your key vault. Only get is granted, which is what the Secrets Store CSI provider needs in order to read objects.

Set the policy to access keys in your key vault:

az keyvault set-policy -n $KEY_VAULT_NAME --key-permissions get --spn $KV_IDENTITY_RESOURCE_ID

The output shows the vault (objectId ebejced9-2f89-8176-a9u3-657f75eb36bb in the create output above) granting the identity with objectId 9f8165b6-206f-4596-932f-31e80469700f the following key permissions:

 "keys": [
            "get"
          ],

Set the policy to access secrets in your key vault:

az keyvault set-policy -n $KEY_VAULT_NAME --secret-permissions get --spn $KV_IDENTITY_RESOURCE_ID

The same identity (objectId 9f8165b6-206f-4596-932f-31e80469700f) now also holds:

"secrets": [
            "get"
          ]

Set the policy to access certificates in your key vault:

az keyvault set-policy -n $KEY_VAULT_NAME --certificate-permissions get --spn $KV_IDENTITY_RESOURCE_ID

 "certificates": [
            "get"
          ],
Create Kubernetes resources
Store the tenant ID in a variable; you can get the value from the Azure AD tenant overview page:

TENANT_ID=<put your tenant ID here>   # e.g. TENANT_ID=46edb775-xy69-41z6-7be1-03e4a0997e49
    

Create a SecretProviderClass with the following YAML, substituting your own values for userAssignedIdentityID, keyvaultName, tenantId and the objects to retrieve from your key vault (the hard-coded values below are this post’s; the variable each one came from is noted in the trailing comment):

    
    cat <<EOF | kubectl apply -f -
    ---
    apiVersion: secrets-store.csi.x-k8s.io/v1
    kind: SecretProviderClass
    metadata:
      name: azure-kvname-user-msi
    spec:
      provider: azure
      parameters:
        usePodIdentity: "false"
        useVMManagedIdentity: "true" # true since using managed identity
        userAssignedIdentityID: 1456c162-3f04-40bc-a079-f1f3f7d22b16 #$KV_IDENTITY_RESOURCE_ID
        keyvaultName: akscorpkeyvault5493    #$KEY_VAULT_NAME
        cloudName: ""
        objects:  |
          array:
            - |
              objectName: FirstSecret        #ExampleSecret
              objectType: secret    # object types: secret, key, or cert
              objectVersion: ""     # default to latest if empty
            - |
              objectName: FirstKey        #ExampleKey
              objectType: key
              objectVersion: ""
        tenantId: 46edb775-xy69-41z6-7be1-03e4a0997e49 #$TENANT_ID
    EOF
    
    secretproviderclass.secrets-store.csi.x-k8s.io/azure-kvname-user-msi configured
    

At this point, you need a pod that mounts the secret and the key using the SecretProviderClass created above:

    
    cat <<EOF | kubectl apply -f -
    ---
    kind: Pod
    apiVersion: v1
    metadata:
      name: busybox-secrets-store-inline-user-msi
    spec:
      containers:
        - name: busybox
          image: k8s.gcr.io/e2e-test-images/busybox:1.29-1
          command:
            - "/bin/sleep"
            - "10000"
          volumeMounts:
          - name: secrets-store01-inline
            mountPath: "/mnt/secrets-store"
            readOnly: true
      volumes:
        - name: secrets-store01-inline
          csi:
            driver: secrets-store.csi.k8s.io
            readOnly: true
            volumeAttributes:
              secretProviderClass: "azure-kvname-user-msi"
    EOF
    
    
    pod/busybox-secrets-store-inline-user-msi created
    

Validate that the secret and key were mounted in the pod created earlier:

    kubectl exec busybox-secrets-store-inline-user-msi -- ls /mnt/secrets-store/
    

    Read the content(s) of the secret and key:

    kubectl exec busybox-secrets-store-inline-user-msi -- cat /mnt/secrets-store/FirstSecret
    kubectl exec busybox-secrets-store-inline-user-msi -- cat /mnt/secrets-store/FirstKey
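The SecretProviderClass above carries the client ID, vault name and tenant ID pasted in by hand, with the variable they came from left in a comment. The following shell script is an added example, not code from the original post or from the CSI driver project: it renders the same manifest from the variables defined earlier in this post ($KEY_VAULT_NAME, $KV_IDENTITY_RESOURCE_ID, $TENANT_ID) and refuses to emit anything when an identifier does not look like a GUID or an object type is not one the Azure provider accepts (secret, key, cert). The function and variable names are this example's own; the tenant ID used in the demonstration call is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not from the original post: render the SecretProviderClass from shell
# variables instead of pasting GUIDs into YAML, and validate the inputs first.

# is_guid VALUE: succeed when VALUE has the 8-4-4-4-12 hex shape of an Azure client or
# tenant ID. A typo here otherwise surfaces only as a mount failure on the pod.
is_guid() {
    printf '%s\n' "$1" |
    grep -Eqi '^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$'
}

# render_spc NAME VAULT CLIENT_ID TENANT_ID OBJECTS
#   OBJECTS is a space-separated list of objectName:objectType pairs, for example
#   "FirstSecret:secret FirstKey:key". Prints the manifest on stdout; on an invalid
#   input it prints the reason on stderr, emits nothing and returns 1.
render_spc() {
    spc_name=$1; vault=$2; client_id=$3; tenant_id=$4; objects=$5
    is_guid "$client_id" || { echo "userAssignedIdentityID is not a GUID: $client_id" >&2; return 1; }
    is_guid "$tenant_id" || { echo "tenantId is not a GUID: $tenant_id" >&2; return 1; }
    [ -n "$objects" ] || { echo "no objects given" >&2; return 1; }
    for pair in $objects; do
        case "${pair#*:}" in
            secret|key|cert) ;;
            *) echo "unsupported objectType in '$pair' (use secret, key or cert)" >&2; return 1 ;;
        esac
    done
    cat <<EOF
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: $spc_name
spec:
  provider: azure
  parameters:
    usePodIdentity: "false"
    useVMManagedIdentity: "true"
    userAssignedIdentityID: $client_id
    keyvaultName: $vault
    tenantId: $tenant_id
    objects: |
      array:
EOF
    for pair in $objects; do
        cat <<EOF
        - |
          objectName: ${pair%%:*}
          objectType: ${pair#*:}
          objectVersion: ""
EOF
    done
}

# Demonstration with this post's vault name and client ID and a constructed tenant ID.
# Against a real cluster:
#   render_spc azure-kvname-user-msi "$KEY_VAULT_NAME" "$KV_IDENTITY_RESOURCE_ID" \
#       "$TENANT_ID" "FirstSecret:secret FirstKey:key" | kubectl apply -f -
render_spc azure-kvname-user-msi "akscorpkeyvault5493" \
    "1456c162-3f04-40bc-a079-f1f3f7d22b16" "11111111-2222-3333-4444-555555555555" \
    "FirstSecret:secret FirstKey:key"
```

Because the script validates before it prints, a bad value stops the pipeline before `kubectl apply` sees any input, so a half-correct SecretProviderClass never reaches the cluster.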
Create a Kubernetes Multi-Node Cluster with Kind
https://www.expertnetworkconsultant.com/installing-and-configuring-network-devices/create-a-kubernetes-multi-node-cluster-with-kind/
Mon, 26 Sep 2022 23:00:28 +0000

Did you know you could create a Kubernetes multi-node cluster with Kind without much bother?

Clustering goes a long way toward reinforcing technical knowledge and hands-on application of technologies, and it is essential for any serious engineer to build full-scale labs covering the best-known architectures. Learning Kubernetes is best when you can build a replica of a production-grade cluster. Minikube has always been helpful, but the true benefit of a real-world architecture does not come with Minikubing. This is where KIND comes in, bringing the power of real hands-on work without dedicating as much hardware and as many resources as you would when using virtual machines to create a Kubernetes cluster.

    Install Prerequisites

sudo apt-get install -y curl
    

    Install Docker

    
sudo apt-get update

# Docker's convenience script must run as root to install packages
curl -fsSL https://get.docker.com -o get-docker.sh
sudo sh get-docker.sh
    

    Give user permissions to query Docker

sudo usermod -aG docker $USER
Restart your hosts (nodes), or log out and back in, for the group membership to take effect.
    

    Install Kind on Linux

curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.11.1/kind-linux-amd64
chmod +x ./kind
sudo mv ./kind /usr/local/bin
    

    Install Kubectl

We’ll need kubectl to work with the Kubernetes cluster, in case it’s not already installed. For this, we can use the commands below:

    curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
    

    Set Permissions

    chmod +x ./kubectl
    

    Move kubectl to local

    sudo mv ./kubectl /usr/local/bin/kubectl
    

    Create Multi-Node Clusters – 1 Master and 2 Worker Nodes

Create Cluster Manifest File – cluster-config-yaml.yaml

# A sample multi-node cluster config file
# A three node (two workers, one controller) cluster config
# To add more worker nodes, add another role: worker to the list
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
# name: is optional here; --name on the command line overrides it
nodes:
- role: control-plane
  kubeadmConfigPatches:
  - |
    kind: InitConfiguration
    nodeRegistration:
      kubeletExtraArgs:
        node-labels: "ingress-ready=true"
  # hostPort binds to 0.0.0.0 by default, so the lab ingress is reachable from the LAN;
  # add listenAddress: "127.0.0.1" to each mapping to keep it on the local host only
  extraPortMappings:
  - containerPort: 80
    hostPort: 80
    protocol: TCP
  - containerPort: 443
    hostPort: 443
    protocol: TCP
- role: worker
- role: worker
    
    


    root@cluster-vm:/home/cluster# kind create cluster --name=azvmms-node --config=single-cluster.yaml
    Creating cluster "azvmms-node" ...
    ✓ Ensuring node image (kindest/node:v1.21.1) 🖼
    ✓ Preparing nodes 📦 📦
    ✓ Writing configuration 📜
    ✓ Starting control-plane 🕹
    ✓ Installing CNI 🔌
    ✓ Installing StorageClass 💾
    ✓ Joining worker nodes 🚜
    Set kubectl context to "kind-azvmms-node"
    You can now use your cluster with:

    kubectl cluster-info --context kind-azvmms-node

    Creates the Control Plane

    - role: control-plane
    

    Creates the 2 Worker Nodes

    - role: worker
    - role: worker
    

    Create Cluster

    kind create cluster --config=<cluster-config-yaml.yaml>
    

    Check Pods

    $ kubectl get pods -A -o wide
    NAMESPACE            NAME                                            READY   STATUS    RESTARTS   AGE   IP           NODE                    NOMINATED NODE   READINESS GATES
    kube-system          coredns-558bd4d5db-2gszr                        1/1     Running   0          91m   10.244.0.3   spacers-control-plane              
    kube-system          coredns-558bd4d5db-46rkp                        1/1     Running   0          91m   10.244.0.2   spacers-control-plane              
    kube-system          etcd-spacers-control-plane                      1/1     Running   0          92m   172.18.0.4   spacers-control-plane              
    kube-system          kindnet-9jmwv                                   1/1     Running   0          91m   172.18.0.2   spacers-worker2                    
    kube-system          kindnet-c2jrx                                   1/1     Running   0          91m   172.18.0.4   spacers-control-plane              
    kube-system          kindnet-hlhmx                                   1/1     Running   0          91m   172.18.0.3   spacers-worker                     
    kube-system          kube-apiserver-spacers-control-plane            1/1     Running   0          92m   172.18.0.4   spacers-control-plane              
    kube-system          kube-controller-manager-spacers-control-plane   1/1     Running   0          91m   172.18.0.4   spacers-control-plane              
    kube-system          kube-proxy-97q94                                1/1     Running   0          91m   172.18.0.3   spacers-worker                     
    kube-system          kube-proxy-t4ltb                                1/1     Running   0          91m   172.18.0.4   spacers-control-plane              
    kube-system          kube-proxy-xrd5l                                1/1     Running   0          91m   172.18.0.2   spacers-worker2                    
    kube-system          kube-scheduler-spacers-control-plane            1/1     Running   0          91m   172.18.0.4   spacers-control-plane              
    local-path-storage   local-path-provisioner-547f784dff-5dgp6         1/1     Running   0          91m   10.244.0.4   spacers-control-plane              
    
    

    Deploy a Sample App

    kubectl apply -n portainer -f https://raw.githubusercontent.com/portainer/k8s/master/deploy/manifests/portainer/portainer.yaml
    

    Test Access

    https://localhost:30779/

    # kubectl run no longer accepts --replicas (removed in Kubernetes 1.18), so create a Deployment instead;
    # nginx listens on port 80 inside the container
    kubectl create deployment my-nginx --image=nginx --replicas=2 --port=80

    Delete Cluster

    kind delete clusters <cluster-name>
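    The manifest above fixes the worker count at two and leaves name empty. As an added example that is not from the original post or from the kind project, the POSIX shell script below generates the same manifest for any cluster name and worker count and then inspects the result: how many nodes of each role it declares and which host ports the control-plane node will publish. Function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: build a kind cluster manifest
# like the one above for any cluster name and worker count, then inspect it.
# Function names are my own; the YAML mirrors the post's manifest.

# gen_kind_config NAME WORKERS -> prints a kind v1alpha4 Cluster manifest.
gen_kind_config() {
  name="$1"
  workers="$2"
  cat <<EOF
# A ${workers}-worker cluster config generated by gen_kind_config
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
name: ${name}
nodes:
- role: control-plane
  kubeadmConfigPatches:
  - |
    kind: InitConfiguration
    nodeRegistration:
      kubeletExtraArgs:
        node-labels: "ingress-ready=true"
  extraPortMappings:
  - containerPort: 80
    hostPort: 80
    protocol: TCP
  - containerPort: 443
    hostPort: 443
    protocol: TCP
EOF
  i=0
  while [ "$i" -lt "$workers" ]; do
    echo "- role: worker"
    i=$((i + 1))
  done
}

# count_role FILE ROLE -> how many nodes in FILE have that role (0 if none).
count_role() {
  grep -c "^- role: $2\$" "$1" || true
}

# host_ports FILE -> the host ports the manifest publishes, one per line.
# kind binds these on the Docker host's interfaces, so review them before
# creating a cluster on a machine that other hosts can reach.
host_ports() {
  sed -n 's/^ *hostPort: \([0-9][0-9]*\)$/\1/p' "$1"
}

# Usage: sh kind-config.sh create NAME WORKERS  (writes NAME.yaml, then runs kind)
if [ "${1:-}" = "create" ]; then
  gen_kind_config "$2" "$3" > "$2.yaml"
  kind create cluster --name="$2" --config="$2.yaml"
fi
```

    Run `sh kind-config.sh create lab 3` to write lab.yaml and create the cluster (kind must be installed); with no arguments the script only defines the functions. host_ports is there because extraPortMappings publishes those ports on the Docker host, and because a NodePort that is not mapped this way, such as the Portainer port 30779 used later, is not published on localhost at all: reach it through the node container's own address or add a mapping for it.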

    How to Successfully RDP into Azure AD-Joined Virtual Machines
    https://www.expertnetworkconsultant.com/installing-and-configuring-network-devices/how-to-successfully-rdp-into-a-azure-ad-joined-vm-in-azure/ – Mon, 12 Sep 2022 23:00:50 +0000

    Remote Desktop Connection does not always work with cloud machines. If you want to know how to successfully RDP into Azure AD-joined virtual machines, then this article is all you’d ever need.

    If you have struggled to remote desktop to a virtual machine in Azure, then it is likely to be a Windows Server or Desktop machine.

    Azure uses the AADLoginForWindows extension to enable users to log in with their domain credentials.

    It doesn’t always work and, in my experience, I hadn’t had much success with it up until now, when I finally figured out how to successfully RDP into an Azure AD-joined VM in Azure.

    Below are the steps needed to successfully achieve our objective.

  • Create Virtual Machine
  • Install Extensions for Azure Active Directory Login
  • Turn off Network Level Authentication

    Step 1: Create a Virtual Machine

    
    az group create --name your-resourcegroup-name --location westus
    
    az vm create \
        --resource-group your-resourcegroup-name \
        --name your-vm-name \
        --image Win2019Datacenter \
        --assign-identity \
        --admin-username localadminuser \
        --admin-password yourpassword
    
    

    Although this extension can be installed at the time of creation of the virtual machine, the following bash command will still install the extension for you.

    Step 2: Install Required Extensions

    
    az vm extension set \
        --publisher Microsoft.Azure.ActiveDirectory \
        --name AADLoginForWindows \
        --resource-group your-resourcegroup-name \
        --vm-name your-vm-name
    
    

    This article is intended to fix a peculiar problem encountered in remote desktop connections to Windows Server Virtual Machines on Azure. With the local administrator account, I could remote desktop to the virtual machine but not with domain accounts.

    Figure 1.0 – The Logon Attempt Failed.

    Install required extensions for the virtual machine
    Install the AADLoginForWindows extension and assign an RBAC login role

    Enable Remote Desktop Access | 3389 on the NSG
    This can be done at the creation of the virtual machine.

    Now that you’ve created the VM and enabled the appropriate extension(s), you need to configure an Azure RBAC policy to determine who can log in to the VM. Two Azure roles are used to authorize VM login.

    Add either of these IAM roles to the user through RBAC:

  • Virtual Machine User Login – users who have this role assigned can log in to an Azure virtual machine with regular user privileges.
  • Virtual Machine Administrator Login – users who have this role assigned can log in to an Azure virtual machine with administrator privileges.

    
    # bash assignment: no leading $ on the variable being set
    username=$(az account show --query user.name --output tsv)
    rg=$(az group show --resource-group your-resourcegroup-name --query id -o tsv)

    az role assignment create \
        --role "Virtual Machine Administrator Login" \
        --assignee "$username" \
        --scope "$rg"
    
    

    Mitigation | Steps I followed to fix this issue.

    Press Windows Key + R, type sysdm.cpl and press Enter.

    Uncheck the "Allow connections only from computers running Remote Desktop with Network Level Authentication (recommended)" box.

    Edit the RDP file

    Add the following lines to the RDP connection file with a text editor of your choosing. When saving, make sure the file keeps the *.rdp extension and is not saved as any other file type.

    authentication level:i:2
    enablecredsspsupport:i:0

    Add a space character before the AzureAD domain.

    # optional line – make a note of the full-stop character before \azuread\

    full address:s:10.X.Y.Z:3389
    prompt for credentials:i:1
    administrative session:i:1
    authentication level:i:2
    enablecredsspsupport:i:0
    username:s:.\azuread\username@domain.com

    If you are not interested in the optional line configuration, then you will need to enter your credentials once the connection is initiated, as follows:

    username: azuread\user@domain.com
    password: **************

    Initiate Connection to Virtual Machine

    Log on to the Azure virtual machine with the Azure AD user account.

    If you have followed the above steps diligently, then the logon attempt failure should no longer occur.
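    As an added example that is not from the original post, the POSIX shell functions below write the connection file described above from an address and a user name, refuse any file name that does not end in .rdp (the extension the post tells you to keep), and read individual settings back out so the file can be checked before it is used. The address and user in the usage are placeholders, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: write the .rdp connection file
# the post describes and read settings back out of it. Function names and the
# sample address/user are my own placeholders.

# write_rdp FILE ADDRESS USER -> writes a connection file with the post's
# settings. The ".\azuread\" prefix is the form the post relies on.
write_rdp() {
  file="$1"; addr="$2"; user="$3"
  case "$file" in
    *.rdp) ;;
    *) echo "refusing to write '$file': keep the .rdp extension" >&2; return 1 ;;
  esac
  printf '%s\n' \
    "full address:s:${addr}:3389" \
    "prompt for credentials:i:1" \
    "administrative session:i:1" \
    "authentication level:i:2" \
    "enablecredsspsupport:i:0" \
    "username:s:.\\azuread\\${user}" > "$file"
}

# rdp_setting FILE KEY -> the value after "KEY:<type>:", or nothing if absent.
# Settings are one per line in the form key:i:integer or key:s:string.
rdp_setting() {
  sed -n "s/^$2:[is]://p" "$1"
}

# nla_disabled FILE -> succeeds when the file turns CredSSP (NLA) off, the
# setting that makes this workaround depend on the sysdm.cpl change above.
nla_disabled() {
  [ "$(rdp_setting "$1" enablecredsspsupport)" = "0" ]
}

# Example run (placeholders): sh rdp-file.sh writes vm.rdp and prints the host
if [ "${1:-}" = "write" ]; then
  write_rdp vm.rdp 10.0.0.4 user@example.com && rdp_setting vm.rdp 'full address'
fi
```

    Two of the values deserve a second look before the file is shared. enablecredsspsupport:i:0 turns off CredSSP, so the server's NLA requirement has to be removed (the sysdm.cpl step) and the credentials are typed at the Windows logon screen inside an already established session instead of being checked before it; authentication level:i:2 lets the client proceed, after a warning, when the server's identity cannot be verified. Both widen what the endpoint accepts, so pair this file with an NSG rule that limits 3389 to your own source address rather than to any, and remove the file when the VM is decommissioned, since it names the host and the account.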

    Below is a helpful community article addressing this challenge.

    If you want to learn more of how to troubleshoot virtual machines, then please follow this useful resource from Microsoft.

    Configure a Linux virtual machine in Azure using Terraform
    https://www.expertnetworkconsultant.com/installing-and-configuring-network-devices/configure-a-linux-virtual-machine-in-azure-using-terraform/ – Tue, 24 May 2022 23:00:46 +0000

    Infrastructure as Code has become the order of the day. In this article, “Configure a Linux virtual machine in Azure using Terraform”, I seek to guide you through building your first Linux virtual machine in Azure. Consider this set of steps a project to reinforce your Terraform knowledge.

    Configure Your Environment

  • Create providers.tf file
  • Create main.tf file
  • Create vars.tf file

    Configure Deployment Parts

  • Create a virtual network
  • Create a subnet
  • Create a public IP address
  • Create a network security group and SSH inbound rule
  • Create a virtual network interface card
  • Connect the network security group to the network interface
  • Create a storage account for boot diagnostics
  • Create SSH key
  • Create a virtual machine
  • Use SSH to connect to virtual machine

    Create your vars.tf file

    #Variable file used to store details of repetitive references
    variable "location" {
      description = "Azure region (a string type variable)"
      type    = string
      default = "eastus2"
    }
    
    variable "prefix" {
      type    = string
      default = "emc-eus2-corporate"
    }
    

    Create your providers.tf file

    #Provider configuration required by the resources in main.tf: azurerm, plus random and tls for the storage account name and the SSH key
    terraform {
      required_providers {
        azurerm = {
          source  = "hashicorp/azurerm"
          version = "~> 3.0"
        }
        random = {
          source = "hashicorp/random"
        }
        tls = {
          source = "hashicorp/tls"
        }
      }
    }

    provider "azurerm" {
      features {}
    }


    In the next steps, we create the main.tf file and add the following resource blocks.

    Create a virtual network

    #Create the resource group that every resource below references (its name resolves to emc-eus2-corporate-resources-rg with the defaults in vars.tf)
    resource "azurerm_resource_group" "emc-eus2-corporate-resources-rg" {
      name     = "${var.prefix}-resources-rg"
      location = var.location
    }

    #Create virtual network and subnets
    resource "azurerm_virtual_network" "emc-eus2-corporate-network-vnet" {
      name                = "emc-eus2-corporate-network-vnet"
      location            = azurerm_resource_group.emc-eus2-corporate-resources-rg.location
      resource_group_name = azurerm_resource_group.emc-eus2-corporate-resources-rg.name
      address_space       = ["172.20.0.0/16"]

      tags = {
        environment = "Production"
      }
    }
    

    Create a subnet

    #Create subnet - presentation tier
    resource "azurerm_subnet" "presentation-subnet" {
      name                 = "presentation-subnet"
      resource_group_name  = azurerm_resource_group.emc-eus2-corporate-resources-rg.name
      virtual_network_name = azurerm_virtual_network.emc-eus2-corporate-network-vnet.name
      address_prefixes     = ["172.20.1.0/24"]
    }
    
    #Create subnet - data access tier
    resource "azurerm_subnet" "data-access-subnet" {
      name                 = "data-access-subnet"
      resource_group_name  = azurerm_resource_group.emc-eus2-corporate-resources-rg.name
      virtual_network_name = azurerm_virtual_network.emc-eus2-corporate-network-vnet.name
      address_prefixes     = ["172.20.2.0/24"]
    }
    

    Create a public IP address

    #Create Public IP Address
    resource "azurerm_public_ip" "emc-eus2-corporate-nic-01-pip" {
      name                = "emc-eus2-corporate-nic-01-pip"
      location            = azurerm_resource_group.emc-eus2-corporate-resources-rg.location
      resource_group_name = azurerm_resource_group.emc-eus2-corporate-resources-rg.name
      allocation_method   = "Dynamic"
    }
    

    Create a network security group and SSH inbound rule

    # Create Network Security Group and rule
    resource "azurerm_network_security_group" "emc-eus2-corporate-nsg" {
      name                = "emc-eus2-corporate-nsg"
      location            = azurerm_resource_group.emc-eus2-corporate-resources-rg.location
      resource_group_name = azurerm_resource_group.emc-eus2-corporate-resources-rg.name

      security_rule {
        name                       = "SSH"
        priority                   = 1001
        direction                  = "Inbound"
        access                     = "Allow"
        protocol                   = "Tcp"
        source_port_range          = "*"
        destination_port_range     = "22"
        # "*" exposes SSH to the whole Internet; outside a lab, narrow this to
        # your management address range (for example "203.0.113.0/24")
        source_address_prefix      = "*"
        destination_address_prefix = "*"
      }
    }

    

    Create a virtual network interface card

    # Create network interface
    resource "azurerm_network_interface" "corporate-webserver-vm-01-nic" {
      name                = "corporate-webserver-vm-01-nic"
      location            = azurerm_resource_group.emc-eus2-corporate-resources-rg.location
      resource_group_name = azurerm_resource_group.emc-eus2-corporate-resources-rg.name

      ip_configuration {
        name                          = "corporate-webserver-vm-01-nic-ip"
        subnet_id                     = azurerm_subnet.presentation-subnet.id
        private_ip_address_allocation = "Dynamic"
        # must match the resource name given to the public IP above
        public_ip_address_id          = azurerm_public_ip.emc-eus2-corporate-nic-01-pip.id
      }
    }
    

    Connect the network security group to the network interface

    # Connect the security group to the network interface
    resource "azurerm_network_interface_security_group_association" "corporate-webserver-vm-01-nsg-link" {
      network_interface_id      = azurerm_network_interface.corporate-webserver-vm-01-nic.id
      network_security_group_id = azurerm_network_security_group.emc-eus2-corporate-nsg.id
    }
    

    Generate a random ID for a unique storage account name

    # Generate random text for a unique storage account name
    resource "random_id" "randomId" {
      keepers = {
        # Generate a new ID only when a new resource group is defined
        resource_group = azurerm_resource_group.emc-eus2-corporate-resources-rg.name
      }
      byte_length = 8
    }
    

    Create a storage account for boot diagnostics

    # Create storage account for boot diagnostics
    resource "azurerm_storage_account" "corpwebservervm01storage" {
      name                     = "diag${random_id.randomId.hex}"
      location                 = azurerm_resource_group.emc-eus2-corporate-resources-rg.location
      resource_group_name      = azurerm_resource_group.emc-eus2-corporate-resources-rg.name
      account_tier             = "Standard"
      account_replication_type = "LRS"
    }
    

    Create SSH Key

    # Create (and display) an SSH key
    # The generated private key is written to the Terraform state file, so protect
    # that state (a remote backend with restricted access) or generate the key
    # outside Terraform and pass in only the public key
    resource "tls_private_key" "linuxsrvuserprivkey" {
      algorithm = "RSA"
      rsa_bits  = 4096
    }
    

    Create a virtual machine

    # Create virtual machine
    resource "azurerm_linux_virtual_machine" "emc-eus2-corporate-webserver-vm-01" {
      name                  = "emc-eus2-corporate-webserver-vm-01"
      location              = azurerm_resource_group.emc-eus2-corporate-resources-rg.location
      resource_group_name   = azurerm_resource_group.emc-eus2-corporate-resources-rg.name
      network_interface_ids = [azurerm_network_interface.corporate-webserver-vm-01-nic.id]
      size                  = "Standard_DC1ds_v3"

      # Use the storage account created above for boot diagnostics
      boot_diagnostics {
        storage_account_uri = azurerm_storage_account.corpwebservervm01storage.primary_blob_endpoint
      }

      os_disk {
        name                 = "corpwebservervm01disk"
        caching              = "ReadWrite"
        storage_account_type = "Premium_LRS"
      }

      source_image_reference {
        publisher = "Canonical"
        offer     = "0001-com-ubuntu-server-focal"
        sku       = "20_04-lts-gen2"
        version   = "latest"
      }

      computer_name                   = "corporate-webserver-vm-01"
      admin_username                  = "linuxsrvuser"
      disable_password_authentication = true

      admin_ssh_key {
        username   = "linuxsrvuser"
        public_key = tls_private_key.linuxsrvuserprivkey.public_key_openssh
      }
    }
    

    Terraform Plan

    The terraform plan command evaluates a Terraform configuration to determine the desired state of all the resources it declares, then compares that desired state to the real infrastructure objects being managed with the current working directory and workspace. It uses state data to determine which real objects correspond to which declared resources, and checks the current state of each resource using the relevant infrastructure provider’s API.

    terraform plan
    

    Terraform Apply

    The terraform apply command performs a plan just like terraform plan does, but then actually carries out the planned changes to each resource using the relevant infrastructure provider’s API. It asks for confirmation from the user before making any changes, unless it was explicitly told to skip approval.

    terraform apply
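    Before running terraform plan it is worth catching references that point at nothing, the sort of slip that creeps into a main.tf assembled block by block: a NIC that refers to a public IP under a different name than the one it was declared with, or a resource group that every block references but none declares. terraform validate reports these once terraform init has downloaded the providers; as an added example that is not from the original post or from HashiCorp, the POSIX shell script below does a quick grep-based version of that check with nothing installed. Function names and the constructed main.tf written by make_sample are my own.

```shell
#!/bin/sh
# Added example, not from the original post: a grep-based pre-flight that lists
# resource references in a Terraform directory that no resource block declares.
# Function names and the sample main.tf are my own constructions.
export LC_ALL=C

# tf_declared DIR -> "type.name" for each resource block in DIR/*.tf, sorted
tf_declared() {
  sed -n 's/^ *resource *"\([^"]*\)" *"\([^"]*\)".*/\1.\2/p' "$1"/*.tf | sort -u
}

# tf_referenced DIR -> "type.name" for each azurerm_/random_/tls_ resource
# reference used in an expression, sorted (var.*, data sources and modules are
# not covered, so this is a hint, not validation)
tf_referenced() {
  grep -ohE '(azurerm|random|tls)_[a-z_]+\.[A-Za-z0-9_-]+' "$1"/*.tf | sort -u
}

# tf_dangling DIR -> referenced resources with no declaration, one per line;
# prints nothing when every reference resolves
tf_dangling() {
  decl=$(mktemp); refs=$(mktemp)
  tf_declared "$1" > "$decl"
  tf_referenced "$1" > "$refs"
  comm -13 "$decl" "$refs"
  rm -f "$decl" "$refs"
}

# make_sample -> a constructed directory that reproduces the slip: the NIC
# refers to a public IP under a name that was never declared
make_sample() {
  dir=$(mktemp -d)
  cat > "$dir/main.tf" <<'EOF'
resource "azurerm_resource_group" "rg" {
  name     = "demo-rg"
  location = "eastus2"
}

resource "azurerm_public_ip" "nic-01-pip" {
  name                = "nic-01-pip"
  resource_group_name = azurerm_resource_group.rg.name
  allocation_method   = "Dynamic"
}

resource "azurerm_network_interface" "nic" {
  name                = "nic"
  resource_group_name = azurerm_resource_group.rg.name
  ip_configuration {
    name                 = "ipcfg"
    public_ip_address_id = azurerm_public_ip.webserver-ip.id
  }
}
EOF
  echo "$dir"
}

# Usage: sh tf-check.sh DIR  (defaults to the constructed sample when no DIR is given)
if [ "${1:-}" = "check" ]; then
  dir=${2:-$(make_sample)}
  tf_dangling "$dir"
fi
```

    Run `sh tf-check.sh check path/to/dir` to list one type.name per undeclared reference; `sh tf-check.sh check` on its own checks the constructed sample and prints azurerm_public_ip.webserver-ip. An empty result means only that the three resource prefixes used in this article resolve, so still run terraform validate after terraform init.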
    

    Command to find an image based on the SKU.

    samuel@Azure:~$ az vm image list -s "2019-Datacenter" --output table
    You are viewing an offline list of images, use --all to retrieve an up-to-date list
    Offer          Publisher               Sku              Urn                                                          UrnAlias           Version
    -------------  ----------------------  ---------------  -----------------------------------------------------------  -----------------  ---------
    WindowsServer  MicrosoftWindowsServer  2019-Datacenter  MicrosoftWindowsServer:WindowsServer:2019-Datacenter:latest  Win2019Datacenter  latest
    samuel@Azure:~$ 
    
    samuel@Azure:~$ az vm image list -s "18.04-LTS" --output table
    You are viewing an offline list of images, use --all to retrieve an up-to-date list
    Offer         Publisher    Sku        Urn                                      UrnAlias    Version
    ------------  -----------  ---------  ---------------------------------------  ----------  ---------
    UbuntuServer  Canonical    18.04-LTS  Canonical:UbuntuServer:18.04-LTS:latest  UbuntuLTS   latest
    

    Command to find an image based on the Publisher.

    samuel@Azure:~$ az vm image list -p "Microsoft" --output table
    You are viewing an offline list of images, use --all to retrieve an up-to-date list
    Offer          Publisher               Sku                                 Urn                                                                             UrnAlias                 Version
    -------------  ----------------------  ----------------------------------  ------------------------------------------------------------------------------  -----------------------  ---------
    WindowsServer  MicrosoftWindowsServer  2022-Datacenter                     MicrosoftWindowsServer:WindowsServer:2022-Datacenter:latest                     Win2022Datacenter        latest
    WindowsServer  MicrosoftWindowsServer  2022-datacenter-azure-edition-core  MicrosoftWindowsServer:WindowsServer:2022-datacenter-azure-edition-core:latest  Win2022AzureEditionCore  latest
    WindowsServer  MicrosoftWindowsServer  2019-Datacenter                     MicrosoftWindowsServer:WindowsServer:2019-Datacenter:latest                     Win2019Datacenter        latest
    
    samuel@Azure:~$ az vm image list -p "Canonical" --output table
    You are viewing an offline list of images, use --all to retrieve an up-to-date list
    Offer         Publisher    Sku        Urn                                      UrnAlias    Version
    ------------  -----------  ---------  ---------------------------------------  ----------  ---------
    UbuntuServer  Canonical    18.04-LTS  Canonical:UbuntuServer:18.04-LTS:latest  UbuntuLTS   latest
    

    At this point, the required pieces to build a Linux virtual machine on Azure are complete. It’s time to test your code.

    You can learn more from Hashicorp by visiting the following link.
    This article was helpful in troubleshooting issues with the Ubuntu SKU.

    Create and use an SSH public-private key pair for Linux VMs in Azure
    https://www.expertnetworkconsultant.com/installing-and-configuring-network-devices/create-and-use-an-ssh-public-private-key-pair-for-linux-vms-in-azure/ – Wed, 04 May 2022 23:00:23 +0000

    How would you like to connect to your virtual machines securely? Did you know that VMs created using SSH keys are by default configured with passwords disabled, which greatly increases the difficulty of brute-force guessing attacks?

    In this step-by-step guide to Create and use an SSH public-private key pair for Linux VMs in Azure, I show you how to implement these secure practices in a heartbeat using your favourite PuTTY software.

    What you need to do first;

    1. Download PuTTY
    2. Create Virtual Machine
    3. Generate Private Key
    4. Load Private Key in PuTTY
    5. Save Key as PuTTY’s own format (.ppk)
    6. Add Private Key to PuTTY

    On Azure

    Create the VM (here an NVA) with an SSH public key.

    Generate new key pair

    An SSH key pair contains both a public key and a private key. Azure doesn’t store the private key. After the SSH key resource is created, you won’t be able to download the private key again.

    Azure generates the SSH key pair during VM creation in the portal.

    Save Private Key to save it in PuTTY’s own format

    Click "Save private key" to save it in PuTTY’s own format.

    Add Key to PuTTY

    Connect to VM with SSH using PuTTY

    login as: emcrsrvusr
    Authenticating with public key "imported-openssh-key"
    Welcome to Ubuntu 20.04.4 LTS (GNU/Linux 5.13.0-1022-azure x86_64)
    
     * Documentation:  https://help.ubuntu.com
     * Management:     https://landscape.canonical.com
     * Support:        https://ubuntu.com/advantage
    
      System information as of Wed May  4 08:59:32 UTC 2022
    
      System load:  0.08              Processes:             119
      Usage of /:   4.9% of 28.90GB   Users logged in:       0
      Memory usage: 3%                IPv4 address for eth0: 172.16.10.4
      Swap usage:   0%
    
    1 update can be applied immediately.
    To see these additional updates run: apt list --upgradable
    
    
    The list of available updates is more than a week old.
    To check for new updates run: sudo apt update
    
    
    The programs included with the Ubuntu system are free software;
    the exact distribution terms for each program are described in the
    individual files in /usr/share/doc/*/copyright.
    
    Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
    applicable law.
    
    To run a command as administrator (user "root"), use "sudo ".
    See "man sudo_root" for details.
    
    emcrsrvusr@org-eunorth-production-nva-vm01:~$
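    The post's opening point is that a VM provisioned with an SSH key has password logins disabled. As an added example that is not from the original post or from Azure's tooling, the POSIX shell functions below report the effective PasswordAuthentication value of an sshd configuration the way sshd resolves it: Include directives are expanded in place, the first global uncommented line wins, anything after a Match line is conditional and ignored, and a missing keyword means the compiled-in default yes, so the commented "#PasswordAuthentication yes" that stock Ubuntu ships counts as enabled. Function names and the three sample configuration trees are my own constructions.

```shell
#!/bin/sh
# Added example, not from the original post: report the effective
# PasswordAuthentication setting of an sshd configuration tree.
# Function names and the sample files are my own constructions.

# sshd_lines CONF -> CONF's lines with every Include expanded in place, in the
# order sshd reads them (stock Ubuntu puts the Include first, so drop-ins win).
# Patterns are taken as given; relative Include paths are not resolved.
sshd_lines() {
  conf="$1"
  while IFS= read -r line || [ -n "$line" ]; do
    set -- $line
    if [ "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" = "include" ]; then
      shift
      for pat in "$@"; do
        for f in $pat; do
          if [ -f "$f" ]; then sshd_lines "$f"; fi
        done
      done
    else
      printf '%s\n' "$line"
    fi
  done < "$conf"
}

# sshd_password_auth CONF -> "yes" or "no". The first global, uncommented
# PasswordAuthentication line wins; lines after a Match block start are
# conditional and ignored; with no line at all the compiled-in default "yes"
# applies, so a commented "#PasswordAuthentication yes" still means yes.
sshd_password_auth() {
  v=$(sshd_lines "$1" | awk '
    tolower($1) == "match" { exit }
    tolower($1) == "passwordauthentication" { print tolower($2); exit }')
  if [ -n "$v" ]; then printf '%s\n' "$v"; else echo yes; fi
}

# make_sample -> constructed config trees: "stock" (keyword only as a comment),
# "keyed" (a drop-in turning passwords off, the shape key-based provisioning
# leaves behind), "match" (passwords enabled only inside a Match block).
make_sample() {
  root=$(mktemp -d)
  for t in stock keyed match; do
    mkdir -p "$root/$t/sshd_config.d"
    printf 'Include %s/%s/sshd_config.d/*.conf\n#PasswordAuthentication yes\nKbdInteractiveAuthentication no\n' \
      "$root" "$t" > "$root/$t/sshd_config"
  done
  echo 'PasswordAuthentication no' > "$root/keyed/sshd_config.d/50-cloud-init.conf"
  printf 'Match User ops\n    PasswordAuthentication yes\n' >> "$root/match/sshd_config"
  echo "$root"
}

# Usage: sh sshd-check.sh /etc/ssh/sshd_config  (prints yes or no)
if [ -n "${1:-}" ]; then
  sshd_password_auth "$1"
fi
```

    On a live VM the same answer comes from `sudo sshd -T | grep -i passwordauthentication`, which has sshd itself do the resolving; the script is for auditing copies of the configuration offline, for example the /etc/ssh tree of a golden image, where sshd is not running.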
    
    Configure Cisco ASAv on GNS3 for Hands-on Labs
    https://www.expertnetworkconsultant.com/installing-and-configuring-network-devices/configure-cisco-asav-on-gns3-for-hands-on-labs/ – Tue, 22 Dec 2020 20:37:04 +0000

    In Configure Cisco ASAv on GNS3 for Hands-on Labs, we delve into getting the most popular Cisco virtualised firewall, the ASAv, running in GNS3 step by step.

    GNS3 labs must be rich and cover contexts of networking that give great hands-on experience to the student and professional alike. Imagine being able to configure site-to-site VPNs between your ASAv and a cloud instance, and being able to perform a myriad of tasks in order to understand how the real-world behaviour of the chosen technologies might look.

    Consider, too, the scalability that virtualised appliances bring to network design architectures when proving a concept or testing and troubleshooting scenarios.

    With the Cisco® Adaptive Security Virtual Appliance (ASAv), you have the flexibility to choose the performance you need for your business. ASAv is the virtualized option of our popular ASA solution and offers security in traditional physical data centers and private and public clouds. Its scalable VPN capability provides access for employees, partners, and suppliers—and protects your workloads against increasingly complex threats with world-class security controls.

    Create the initial master template for your ASAv

    Download the ASAv qcow2 file with the OS version of your choice from Cisco.com.
    Open GNS3 and click on File > + New Template.

    Select Firewalls from the GNS3 Appliances List

    Install the Appliance on the GNS3 VM as Recommended

    Choose “Default” for the VM type and hit Next. Name the VM (ASAv 9.8.1 for example) and hit Next. Select the x86_64 Qemu binary and set the RAM to 2048 MB. Hit Next.

    Select ASAv Version and Install and Click Next

    GNS3 will locate the downloaded *.qcow2 appliance locally and populate the list for you to make a choice. Select your ASAv version and click Next.

    Click Next and Continue

    It is a good idea to trial your idea with a single ASAv and, once this has worked out well, apply it to the master template as the gold image for future replica ASAv firewalls.

    Create a new GNS3 Project

    Drag ASAv into Workspace

    Right click on the ASAv and change the symbol (this is an optional step)

    Select a symbol for your ASAv, change the category to Security Devices, and set the console type to vnc. We will change this to telnet later in the guide as we apply this to our master ASAv appliance.

    Select ASAv Symbol and Click OK

    Select vnc from the drop-down to set the console type to vnc

    Uncheck "Use as a linked base VM" (this is recommended initially until you’ve got it all working as it should).
    (It is recommended to perform all the necessary configurations before enabling this option, which will make newer instances inherit the global settings. We shall do it as the final step once we get each bit done.)

    Start the ASAv and Click Open with Console

    Configure Terminal

    Set Telnet Access: follow the steps below

    copy coredump.cfg from the coredumpinfo directory to disk0:/

    ciscoasav#conf t
    ciscoasav#cd disk0:/coredumpinfo/
    ciscoasav#copy coredump.cfg disk0:/use_ttyS0
    

    coredumpinfo successfully copied as use_ttyS0

    Verify your work (always check if what you did worked)

    ciscoasav# dir disk0:/
    
    Directory of disk0:/
    
    10     drwx  4096         07:29:52 Dec 18 2020  smart-log
    8      drwx  4096         07:28:58 Dec 18 2020  log
    11     drwx  4096         07:29:56 Dec 18 2020  coredumpinfo
    7      -rwx  59           07:36:44 Dec 18 2020  use_ttyS0
    
    1 file(s) total size: 59 bytes
    8571076608 bytes total (8549355520 bytes free/99% free)
    
    ciscoasav# 
    
    

    Once the above steps are completed and we are happy that the telnet access works, go ahead and configure the master template.

    Set Console Type to Telnet

    Now that you have set the use_ttyS0 on the ASAv, go ahead and power the ASAv off.

  • Right click on the ASAv and select Configure.
  • Change the console type from vnc to telnet.
  • You must power the ASAv off to do this. You can change it with the device powered on, but you would encounter the error “No connection could be made because the target machine actively refused it”.
  • Click Apply > OK to save.

    Click the Advanced settings tab. Uncheck the “Use as a linked base VM” box. We will check this later in the guide. Click OK then Apply > OK to save the device. This device will be configured as the “master template” for the ASAv.

    Check "Use as a linked base VM"

    Close the preferences page, click Apply > OK to save the template.

    Now that we have Cisco ASAv working exceptionally well in GNS3, let us now go into configuring a sample Cisco ASA 5506-X deployment topology.

    Figure 1.0 Sample Cisco ASA 5506-X Deployment Topology

    In this lab we shall configure the ASAv for the Internet using the following configuration sample.

    Figure 1.1: ASA 5506-X Factory Default Configuration

    !
    interface GigabitEthernet1/0
     nameif inside
     security-level 100
     ip address 192.168.1.254 255.255.255.0
    !
    interface GigabitEthernet1/1
     nameif outside
     security-level 0
     ip address dhcp setroute
    !
    dns domain-lookup outside
    dns server-group DefaultDNS
     name-server 8.8.8.8
     name-server 8.8.4.4
    object network obj_any
     subnet 0.0.0.0 0.0.0.0
    !
    object network obj_any
     nat (inside,outside) dynamic interface
    ! "ip address dhcp setroute" on the outside interface already installs the
    ! default route learned from the ISP; the static route below points at a DNS
    ! server rather than a gateway and would shadow it, so it is left commented
    ! out unless you have a real next hop to put in its place
    ! route outside 0.0.0.0 0.0.0.0 8.8.8.8 1
    !
    dhcpd address 192.168.1.100-192.168.1.200 inside
    dhcpd dns 8.8.8.8 8.8.4.4 interface inside
    dhcpd enable inside
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    policy-map global_policy
     class inspection_default
      inspect icmp
    !


    Thanks for stopping by to read this article on how to Configure Cisco ASAv on GNS3 for Hands-on Labs. Below is a related article: How to Configure Cisco ASA 5506-X for Internet
