How realistic is this Security Lab plan?

Ahriakin SupremeNetworkOverlord Member Posts: 1,799
Hi Folks,

Got my last MS exam on Monday and then it's finally on to the CCIE Security. I don't have anywhere near enough spare cash to finance a full lab and have decided to try and virtualize it as much as possible. I will use rack-rentals the closer I get to the lab to get use of a more professional rig but plan to use my own setup as far as it will let me go. I do understand the home setup is not a complete solution.
I know everyone has different labs but I'd really appreciate some advice on the following, mainly if there's anything that pops out as unworkable/stupid idea.

Real:
1xCisco 2924 Switch running the latest enterprise image
3xCisco 2620s Running IOS 12.07T
1xCisco PIX 501 running 6.3

Planned Virtual:
x 3700 routers in Dynamips
x 3640 routers in Dynamips
x PEMU running PIX 7.2

Available at work
Within the next month at least one ASA5110 and AIP-SSM 10, likely multiple units and a few ASA5505's

The virtual server will have 3GB of RAM, plenty of HDD space but only an Athlon64 3000 CPU for the moment. The board has 1 integrated NIC and I can add 2 more but I'm guessing that won't be an issue if I run the emulators in VMware Machines with multiple virtual NICs?

I'm hopefully going to set this up over the next week and I guess I'll find out anyway but if anyone has some pre-emptive advice that'd be great.

Thanks.
We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?

Comments

  • dtlokee Member Posts: 2,378
    I wouldn't bother with the PIX 501 6.x, the lab uses version 7, and try to upgrade the 3620's to 12.2T. You can virtualize much of your study (you can do a lot with 3 routers, a switch and an ACS box) but your plan to use this for your initial preparation and renting rack time later is a good idea. Lucky for me my school just bought 24 5510 with 7.2 for the new SNPA course.
    The only easy day was yesterday!
  • Ahriakin SupremeNetworkOverlord Member Posts: 1,799
    Thanks for the reply. Yeah the 501 is my active firewall at home but for study was mainly for things like a hardware VPN client etc. with the real meat of the work being done on the 7.22 boxes, and hopefully those nice new ASAs should my manager deign to sign the PO.

    Cheers.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • mikej412 Member Posts: 10,086
    I think it's a great start!

    With R&S you have to cover the core (most likely OSPF/Frame Relay) if you expect to pass the Lab. The PIX/ASA is probably the "core" of the Security Lab and this setup should let you work on that.
    :mike: Cisco Certifications -- Collect the Entire Set!
  • jasonboche Member Posts: 167
    I've read a few posts now where people were throwing vast amounts of PC hardware at the Dynamips emulator. Is it really that intense on hardware? Why? Sounds like questionable code to me. Or are these truly virtualized pieces of hardware much like VMware virtualizes (not emulates) x86?
    VCDX3 #34, VCDX4, VCDX5, VCAP4-DCA #14, VCAP4-DCD #35, VCAP5-DCD, VCPx4, vEXPERTx4, MCSEx3, MCSAx2, MCP, CCAx2, A+
  • Grym Member Posts: 31
    It's mostly when you are doing link state routing that the computer starts to bog down, basically anything cpu intensive on the router will do the same on the PC.

    I run 8 3640's, 1 Frame Relay Switch, 1 as a TS and the rest as two pods of three with an area 0 router on a Core duo laptop with 1 gig of RAM. I can run the full lab plus a VMware Linux install as a second station (DSL). Yeah, my CPU pegs out and it gets a little slow, but I can do what is needed for most labs.

    Right now I am looking for a switch I can use. Once I find one I will start to offload some pods onto other crappy PCs, which will help with the CPU issues.

    HTH
  • Ahriakin SupremeNetworkOverlord Member Posts: 1,799
    Had a nice surprise this morning when I went to grab the 2620s out of storage at work, found a nice 3640 running 12.2 sitting gathering dust and home with me it goes :). The lab groweth. There was a new 2620 there as well and comparing its age to the 3640 I'm pretty sure it'll have 12.2 on there in some form.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • mikej412 Member Posts: 10,086
    jasonboche wrote:
    I've read a few posts now where people were throwing vast amounts of PC hardware at the Dynamips emulator. Is it really that intense on hardware? Why? Sounds like questionable code to me. Or are these truly virtualized pieces of hardware much like VMware virtualizes (not emulates) x86?
    The software is running the actual IOS code by emulating the MIPS processor (and simulating the hardware).

    When you toss in the backbone routers and the routers running the switch modules you can have up to 15 emulated routers running at one time to do the CCIE Workbook Vendor Labs. My core 2 laptop with 2 gigs can do that -- as long as I don't autostart all the routers (and don't want to do anything else).

    But usually I'll only have one instance running on my laptop with 6 routers and the fake Frame Relay cloud -- and I suspend all the routers in Dynagen when I don't need them to try anything. I use that to quickly and easily try things out -- and I don't have to wait for the hardware to boot up (or keep it running all the time).

    If my hardware lab is wired for Internetwork Expert and I want to do an IPExpert lab I just jump onto my laptop -- and remotely run instances of the Dynamips server on 3 core 2 PCs that have the PIX-4FE network cards installed (and are plugged into my real switches).

    There is no requirement to spend $10-20K on a hardware lab for the CCIE -- it's just a nice convenience to have if you don't mind spending the money. You can always spend less than $1000 to have some hardware to practice with, and then rent rack time for the rest.

    It's the same with Dynamips/Dynagen. If you like driving the latest greatest fastest car and you need that dual Quad Xeon with 16 gig of memory to impress the other geeks at work -- then that's great. That puppy would probably let you run enough Dynamips Instances that you could run workbook labs from all the major vendors simultaneously. But you can still do a lot of routing practice with 3 or 4 emulated routers on an old single processor PC. It may not be pretty -- it may not be fast -- but it works great for studying.

    And I've never seen anyone else say this, but the best thing about rack rental -- people from work (and friends) don't bother you on weekends or in the evenings if you say you've rented rack time. For some reason, if you are paying money, people respect that study time more than if you are using your home lab.

    For the Security Lab I've neglected to mention I've upgraded the home lab for V2 -- so now I just say "I have Security Rack time scheduled this weekend" (or evening) and I don't get bothered after hours anymore. :D
    :mike: Cisco Certifications -- Collect the Entire Set!
  • jasonboche Member Posts: 167
    Ahriakin wrote:
    Had a nice surprise this morning when I went to grab the 2620s out of storage at work, found a nice 3640 running 12.2 sitting gathering dust and home with me it goes :). The lab groweth. There was a new 2620 there as well and comparing its age to the 3640 I'm pretty sure it'll have 12.2 on there in some form.

    Let's just say I discovered a loaded Cisco 4006 collecting dust and it's en route to its final destination...
    VCDX3 #34, VCDX4, VCDX5, VCAP4-DCA #14, VCAP4-DCD #35, VCAP5-DCD, VCPx4, vEXPERTx4, MCSEx3, MCSAx2, MCP, CCAx2, A+
  • Ahriakin SupremeNetworkOverlord Member Posts: 1,799
    Well, had my first crash course on restoring an image-dead router this morning. I loaded on a newer image to the 16mb-flash 3640 (the image went on fine but took up almost the entire flash). After that no reboot, said the image was too big. I put the original back on over Xmodem, joy..... You'll have to forgive my ignorance as my router knowledge is now rusty CCNA level (we use a managed WAN service at work and only have 2 of our own routers in the infrastructure that really do very little except sort internet/VPN routing) but if I remember rightly you can boot larger images from TFTP, right? I tried the Boot system TFTP commands, set it before the Flash option to the existing image, made absolutely sure the syntax/filenames are correct but it will not boot to the TFTP image. I'm using Solarwinds and the server and router are on the same subnet (not originally but I did this to remove the intervening router as a problem source), the TFTP server reports initialising the transfer but then times out at 4068 bytes every time. I can download configs and the existing image by TFTP over the same setup without any problems. Odd. Anyway, ordered some extra RAM for the 3640 and will see what I can work out with the poor little 8mb 2620's. It's all learning so I guess it's all good, even if frustrating.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • dtlokee Member Posts: 2,378
    It is possible the flash memory is bad. I have had times when "show flash" displays a set amount of flash memory (16MB for example) and I was unable to copy even a 3-4MB IOS image to the device; replaced the flash and it works fine.
    The only easy day was yesterday!
  • Ahriakin SupremeNetworkOverlord Member Posts: 1,799
    Aye, and it is a fairly old system that's been sitting on the shelf for god knows how long. I got 2x16Mb modules from eBay over the weekend and will try them out instead. I'm going to do some research later anyway but does anyone know quickly if the 3640 flash modules are compatible with the 2620's? It'd be nice to be able to replace the existing 8mb with one of the 16Mb modules from the larger units if need be.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • dtlokee Member Posts: 2,378
    I read somewhere that the same 16mb flash memory could be used in the 2600/3600 series routers but when I tried it on a router here it did not work. I think it was a 2611, not a 2620, but Cisco has different part numbers for the 2600 and the 3600. I don't have any 2600/3600's anymore, we are now all 2811's and 3825's, so I can't test it for you.
    The only easy day was yesterday!
  • Ahriakin SupremeNetworkOverlord Member Posts: 1,799
    Thanks again for the replies. I went ahead and ordered a specific 2620 16mb module, eBay lifesaver be thy name (and I guess 'cheap' be mine :) ).
    Cheers.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?