Enterprise Network on GNS3 - Part 1 - Introduction

Several months ago I created a simple GNS3 network topology for practicing my networking skills. What first began as a simple lab later grew into a real-world enterprise network consisting of a campus, a data center, DMZ network blocks and ISPs. During the next several weeks I added new devices to the topology, struggling with a lack of time due to complicated family circumstances. In March 2017 I completely stopped working on this project. Luckily, I had finished the configuration of all devices and written several articles describing my progress. Now, almost half a year later, I am ready to share my experience with the blog readers and publish the articles. Below is the list of the articles. I hope you find them useful.

Enterprise Network on GNS3 - Part 1 - Introduction
Enterprise Network on GNS3 - Part 2 - Access Layer
Enterprise Network on GNS3 - Part 3 - Distribution and Core Layers
Enterprise Network on GNS3 - Part 4 - Cisco ASAv-I
Enterprise Network on GNS3 - Part 5 - Data Center
Enterprise Network on GNS3 - Part 6 - Edge Router and ISPs
Enterprise Network on GNS3 - Part 7 - DMZ

The name of the enterprise is CompanyXYZ. The complete enterprise network topology is shown in the picture below. As I have mentioned, it consists of the campus network, data center (DC), DMZ and ISPs.

Picture 1 - Enterprise Network Running On Laptop with GNS3

The entire topology is virtualized, running on the ASUS K55VM laptop with the following hardware and software specification:

Host Hardware:
1. CPU: Intel(R) Core(TM) i7-3610QM CPU @ 2.30GHz
2. RAM: 16 GB: 2x Kingston 8192 MB DDR3, speed 1600 MHz
3. Ethernet card: RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller

Host Software:
1. OS: Ubuntu 16.04.2 LTS Xenial
2. GNS3: version 1.5.3
3. QEMU emulator and KVM: version 2.8.0
4. Dynamips emulator: version 0.2.16

The enterprise campus network consists of the access, distribution and core layers. The data center is composed of a layer 3 Cisco switch and the server. The design of the DC is very simplified, as the network tiers are collapsed into a single layer 3 switch. Unlike the campus network, the aim is to show the configuration of the services running on Server1 instead of discussing the complete DC design. The company edge router is connected to the Internet using two Internet Service Providers (ISPs). The Cisco ASA firewall connects the campus network, the data center and the edge router. The edge router connects the DMZ to the rest of the enterprise network and to the Internet. The DMZ consists of a Cisco ASA firewall, a layer 3 Cisco switch and the DMZ server. The enterprise is connected to the ISP1 and ISP2 routers via the enterprise edge router. Both ISP routers are bridged via GNS3 clouds to the laptop Ethernet card RTL8168 (enp4s0f2) in order to simulate the connection to the Internet.

Now we can spend a few words on the devices in the enterprise network and the software they are running.

Enterprise Campus Network
1. PC1 - PC4: Linux Core 6.3, kernel 3.16.6
2. Access switches: OpenSwitch 0.4.0 (Linux core-4.1-noarch:core-4.1-x86_64)
3. Distribution switches: Arista vEOS, version 4.17.2F
4. Core switches: Cisco vIOS l2 software, vios_l2-ADVENTERPRISEK9-M, version 15.2

Firewall ASAv-I: Cisco Adaptive Security Appliance Software Version 9.6(1)

Data Center:
1. Server: Ubuntu 16.04.3 LTS (GNU/Linux 4.4.0-92-generic x86_64)
2. Switch: Cisco vIOS l2 software, vios_l2-ADVENTERPRISEK9-M, version 15.2

Edge Router: Cisco IOSv software, VIOS-ADVENTERPRISEK9-M, version 15.6(2)T

DMZ:
1. Firewall: Cisco Adaptive Security Appliance Software Version 9.6(1)
2. Switch: Cisco vIOS l2 Software, vios_l2-ADVENTERPRISEK9-M, version 15.2
3. Server: Ubuntu 16.04.3 LTS (GNU/Linux 4.4.0-92-generic x86_64)

ISPs: Cisco 7206VXR (NPE400), Cisco IOS Software, 7200 Software (C7200-ADVIPSERVICESK9-M), version 15.2(4)S4

Public IP Addresses Assignment
The company has been assigned a block of public IP addresses, 195.1.1.0/24. This is an entire class C network. The first half of the IP address range is used for NAT and the second half of the range is used for the DMZ. Below is the complete list of the used subnets and their assignment.

- 195.1.1.0/25 - NAT
- 195.1.1.128/25 - DMZ
   195.1.1.128/32 - point-to-point connection - in use
   195.1.1.132/32 - point-to-point connection - in use
   195.1.1.136/32 - point-to-point connection - free
   195.1.1.140/32 - point-to-point connection - free
   195.1.1.144/32 - point-to-point connection - free
   195.1.1.148/32 - point-to-point connection - free
   195.1.1.152/32 - point-to-point connection - free
   195.1.1.156/32 - point-to-point connection - free
   195.1.1.160/29 - Vlan 10 - in use
   195.1.1.192/29 - free
   195.1.1.224/29 - free

Note: The router vIOS-EDGE-I has been assigned the public IP address 198.10.10.2 from the ISP1 IP address range and the IP address 197.10.10.2 from the ISP2 IP address range.
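A consistency check for the public address plan above, written as an added example (not part of the original article or the lab configuration): it takes the NAT/DMZ split and the DMZ sub-assignments as listed, verifies that the two halves partition the /24, that every DMZ prefix stays out of the NAT pool and that no two DMZ prefixes overlap, and reports how much of the DMZ half is in use, reserved but free, or not carved out at all. The prefix list and status labels are constructed from the article's table; the function name is my own.

```python
import ipaddress

# Constructed from the article's plan for CompanyXYZ's 195.1.1.0/24: the low
# half is the NAT pool, the high half is the DMZ, and the DMZ half is carved
# into point-to-point prefixes and VLAN subnets (status as listed above).
PUBLIC_BLOCK = "195.1.1.0/24"
HALVES = {"NAT": "195.1.1.0/25", "DMZ": "195.1.1.128/25"}
DMZ_ASSIGNMENTS = [  # (prefix, purpose, status)
    ("195.1.1.128/32", "point-to-point", "in use"),
    ("195.1.1.132/32", "point-to-point", "in use"),
    ("195.1.1.136/32", "point-to-point", "free"),
    ("195.1.1.140/32", "point-to-point", "free"),
    ("195.1.1.144/32", "point-to-point", "free"),
    ("195.1.1.148/32", "point-to-point", "free"),
    ("195.1.1.152/32", "point-to-point", "free"),
    ("195.1.1.156/32", "point-to-point", "free"),
    ("195.1.1.160/29", "Vlan 10", "in use"),
    ("195.1.1.192/29", "reserved", "free"),
    ("195.1.1.224/29", "reserved", "free"),
]

def validate_plan(block, halves, dmz_assignments):
    """Return (errors, summary): errors is empty when the plan is consistent;
    summary has address counts per status and the DMZ space no entry covers."""
    block = ipaddress.ip_network(block)
    nat, dmz = (ipaddress.ip_network(halves[k]) for k in ("NAT", "DMZ"))
    nets = [(ipaddress.ip_network(p), why, st) for p, why, st in dmz_assignments]
    errors, counts, remaining = [], {}, [dmz]
    # The NAT and DMZ halves must exactly partition the /24.
    if sorted([nat, dmz]) != sorted(block.subnets(prefixlen_diff=1)):
        errors.append(f"{nat} and {dmz} do not partition {block}")
    # Every DMZ entry must sit inside the DMZ half: a server prefix that
    # strayed into the NAT pool would be handed out as a translated address.
    for n, why, _ in nets:
        if not n.subnet_of(dmz):
            errors.append(f"{n} ({why}) is outside the DMZ half {dmz}")
    # DMZ entries must not overlap one another.
    for i, (a, _, _) in enumerate(nets):
        errors += [f"{a} overlaps {b}" for b, _, _ in nets[i + 1:] if a.overlaps(b)]
    for n, _, st in nets:
        counts[st] = counts.get(st, 0) + n.num_addresses
        nxt = []
        for r in remaining:  # carve n out of whichever leftover piece holds it
            if n.subnet_of(r):
                nxt.extend(r.address_exclude(n))
            elif not r.subnet_of(n):
                nxt.append(r)
        remaining = nxt
    counts["unassigned"] = sum(r.num_addresses for r in remaining)
    return errors, {"counts": counts, "unassigned_prefixes": sorted(remaining)}
```

Running it against the plan as listed reports no errors, 10 addresses in use, 22 reserved but free, and 96 addresses of the DMZ half not carved out yet.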

Private IP Addresses Assignment
Users connected to the ports of the access switches have their IP addresses assigned from the networks 192.168.10-40.0/24. Point-to-point links between the distribution and core switches are configured with IP addresses from the subnet 10.0.0.0/24. Point-to-point links between ASAv-I, the campus network and the data center are configured with IP addresses from the subnet 172.16.0.0/24. The server Server1 is connected to the Cisco L3 switch vIOS-Ser-I in the DC and has its IP address assigned from the subnet 172.16.50.0/24. Loopback and management IP addresses are assigned from the subnet 10.1.1.0/24.

Users: 192.168.10-40.0/24
Distribution and core layer links: 10.0.0.0/24
ASAv-I, campus and data center links: 172.16.0.0/24
Server1 (DC): 172.16.50.0/24
Loopbacks and management: 10.1.1.0/24

Services Provided by Servers
The server Server1 in the DC and the server SERV-DMZ-I in the DMZ provide the following services.

1. DNS: Domain name resolution for network devices and workstations
2. DHCP: automatic IP address assignment for workstations
3. Syslog: logging for network devices
4. NTP: precise time for network devices
5. RADIUS: remote authentication for network devices (except DMZ and vIOS-EDGE-I)
6. Web: company WEB server for Internet users (only DMZ)

Interfaces Naming
Each network interface in the topology has two interface names, although both names represent a single interface. The first name is assigned by GNS3 itself (e0, e1, e2 etc.). The second name is the interface name that is shown in the configuration of the device. For instance, the ASAv-I is connected to the vIOS-Core-II with the interface e1. However, the interface e1 is represented by the interface Gi0/0 in the ASA configuration.

Login Credentials
Below is the list of the changed usernames and passwords for all devices in the topology. The string before the slash represents a username and the string after the slash represents the password.

1. Local Credentials for Cisco and Arista Devices

Local User - Level 1
admin/cisco

Local User - Level 15
admin15/cisco15

Local Enable
cisco

2. Radius Credentials for Cisco and Arista Devices

Radius User - Level 1
raadmin/racisco

Radius User - Level 15
raadmin15/racisco15

Radius Enable
racisco

3. Local Credentials for OpenSwitch Appliance

netop/cisco
Linux: admin/cisco or admin/admin

4. Credentials for PC1 - PC4:   tc/tc

5. Credentials for Linux Ubuntu:  ubuntu/ubuntu

6. ISP1 and ISP2:  devices are not configured for authentication.

Bandwidth Limitation
The Cisco ASAv is unlicensed, so the traffic rate is limited to 100 kbps and the maximum connection limit is set to 100. For this reason, the connection to the Internet is limited to 100 kbps.

Configuration Files
OpenSwitch-Acc-I, OpenSwitch-Acc-II, vEOS-DIS-I, vEOS-DIS-II, vIOS-Core-I, vIOS-Core-II, vASA-I, vIOS-Serv-I, vIOS-EDGE-I, ISP1, ISP2, ASAv-DMZ-I, vIOS-DMZ-I.

Issues
I noticed some mysterious issues while running the devices that I could not explain. Luckily, restarting a port on the affected device very often solved the problem. For instance, network traffic originating on ISP1 was sent to the Internet from Gi0/0. However, the router ISP1 did not forward incoming traffic that entered the interface Gi0/1 to the Internet. In this case, restarting the port Gi0/0 on ISP1 solved the issue. The other issue I noticed was a loss of about 2% of the packets destined for the Internet when both ISP routers were running simultaneously. If both routers did not need to run at the same time, shutting down the ISP2 router was a workaround. As the last point, I recommend using vIOS-l2 instead of the OpenSwitch appliances, as I spent hours troubleshooting unexpected OpenSwitch behavior. As I have mentioned, a temporary shutdown of a VLAN or VLAN interface very often solved the mystery.

Appliances Download
This section contains a list of appliances that I am allowed to share with you.

Open switch 0.4.0 VMDK

41 thoughts on “Enterprise Network on GNS3 - Part 1 - Introduction”

      1. Radovan,

        I would also like to commend you on the great work putting lab together. If the config is available, kindly share also

    1. Hi Radovan,

      Thank you for your great and time-consuming work!
      What do you think about a little bit changing this lab, for example, to use pfSense instead of Cisco ASA? ;) :D :D

  1. Hi, thank you for your precious work!
    I have the whole topology working. When I test it with a Lubuntu client and access the Internet, peaks appear in CPU consumption by the vEOS and ASA that generate delays in navigation. Which configurations are the most appropriate (in addition to the RAM) to optimize the operation of these devices and avoid bottlenecks? Or are retransmissions normal because it is a large emulated network?

  2. Hello dear Radovan and thank you for this great effort. I have a weird problem: when I try to import the VMDK file for the OpenSwitch into VirtualBox it gives me the message " that the system is busy please try again in few second ". How can I fix this issue? I tried to configure OpenSwitch in VirtualBox from scratch but with no luck also. I also tried to sort the problem out within the OpenSwitch mailing list, but also no luck.

        1. Hello, I've tried to reproduce your error but my OPS VBox instance is working. Here is my config file.

          However, I had to switch from 512MB RAM to 1024MB, otherwise the interfaces aren't present. Password is netop/netop.

          I use Oracle VirtualBox 6.0.18 r136238 (Qt5.11.3).

          md5sum of the OpenSwitch.vmdk is ac3b83b1cc449ab276c93e7457d7150a

          Good luck!

  3. Hello dear Radovan and thank you for this great effort. I have a weird problem: when I try to import the VMDK file for the OpenSwitch into VirtualBox it gives me the message " that the system is busy please try again in few second ". How can I fix this issue? I tried to configure OpenSwitch in VirtualBox from scratch but with no luck also.

  4. Brezular
    Your work is awesome, I bookmarked your page as I found some other very useful articles!

    Thank you from Paris ( France )

  5. I am preparing for CCIE routing and switching.
    It's much more than awesome.
    What a great job man .... thanks for sharing and writing such posts.
    This is the first time I click "Notify me of new posts by email" because I don't want to miss a single post from your side.
    Thank you so much again !!!

  6. This is awesome!! Thank you so much. Can i get the config. I would love to use this for my practice lab.

  7. May I get the OpenSwitch image you used in this lab? I'm trying to follow step by step but can't find this image.

    And thanks a lot for the great tutorial.

  8. Great series. I followed it closely, but the PCs can't get an IP address from the DHCP server. However, if I ping the VLAN 10, 20, 30 gateway on the DC switch sourcing from VLAN 50, the ping is successful. I can also ping the access layer switch from the data center switch, but the PCs cannot get an IP from the DHCP server. Any thoughts?

  9. Thanks for this amazingly well done work.
    Small question - is it necessary to supply the edge router with a global IP from ISP1/2, or could this be behind the ISP NAT? Since anyway we already have the class C for the organization.

  10. Thank you, for this lab I have learned a lot. I did get it working even though I encountered issues with the firewall.
