how to guide virtualize your network and...

VIRTUALIZE YOUR NETWORK AND ENHANCE YOUR NETWORK SECURITY: HOW TO INTEGRATE GNS3WITH SOLARWINDS LOG & EVENT MANAGER

HOW TO GUIDE

1

HOW-TO GUIDE

INTRODUCTION

About GNS3

GNS3 is a multi-vendor tool that allows you to build, design, and test network configurations and software in a

risk-free virtual environment. This technology eliminates the need for expensive physical testing by offering a

network-attached or stand alone virtual test bed, free of charge. With real-time network emulation, users can

conduct proof of concept testing and troubleshooting on dynamic network configurations.

A “go-to” for networking professionals looking to hone their skills in preparation for certification exams or POC

testing at the office, GNS3 has been downloaded over 10MM times and is used by a growing audience of systems

and security engineers around the world. Doing so saves valuable time and resources by allowing IT pros to gain

familiarity with the products they plan to use and reduce ramp time on the road to becoming fully operational.

Visit GNS3.com for more information.

About SolarWinds Log & Event Manager

Log & Event Manager (LEM) is an affordable, all-in-one security monitoring, compliance reporting, and incident

response system. It combines automated log collection and analysis, real-time event correlation and alerting,

built-in active responses, detailed reporting, and IT search capabilities to deliver the visibility, security, and control

users need to overcome everyday IT challenges, increasingly stringent regulatory compliance requirements, and

an ever-evolving threat landscape.

SolarWinds LEM is a fully-functional Security Information and Event Management (SIEM) solution, as such, users get

out-of-the-box functionality, including hundreds of built-in filters, rules, searches, and reports, so “non-security”

and security admins alike can identify and quickly resolve problems in your infrastructure, ensure compliance with

various regulations, and achieve proactive network defense.

ABOUT THIS GUIDEThis guide provides step-by-step, command-by-command, show-me-with-pictures instructions for setting up a

GNS3 lab topology, installing ESXi™ and Lubuntu OS in VMware Workstation Player™, deploying SolarWinds LEM in

ESXi, setting up network settings, and managing LEM from Lubuntu in VMware Workstation Player.

Whether you’re a seasoned GNS3 pro that’s new to LEM, or a LEM user that’s interested in building a lab to experience

the full functionality of the product within a safe and secure virtualized instance for testing or troubleshooting,

this guide has something for you. In addition to instructing you on how to get started with VMWare, GNS3, and

LEM, we’ll help you understand some of the LEM basics to ensure you hit the ground running with this advanced

security solution.

We know that at first glance, this beefy document may appear to be too much to handle. Rest assured, we’ve

broken the guide down into digestible parts to allow the more experienced IT pro to skip around and fast-track

their way to running LEM in GNS3 successfully. Before jumping in to things, we strongly urge you to review the

VIRTUALIZE YOUR NETWORK AND ENHANCE YOUR NETWORK SECURITY: HOW TO INTEGRATE GNS3 WITH SOLARWINDS LOG & EVENT MANAGER

Use SolarWinds® Log & Event Manager (LEM), GNS3®, VMware®, and Microsoft® to create a completely virtualized network environment.

http://GNS3.com

2

HOW TO INTEGRATE GNS3 AND LEM

Getting Started section of this documentation to help identify the best course of action for ramping up with both

of these solutions.

Hardware Requirements

• 4 or more Logical cores with AMD-V® / RVI Series or Intel® VT-x / EPT - virtualization extensions present and

enabled in the BIOS.

• 8 GB of RAM or more for VMware scenario.

• 6-8 GB of RAM or more for Hyper-V scenario.

• The more the better.

• Disk space: Enough to run all software mentioned above. It’s great if you have about 300GB+ free.

Sure, you can and will use less space; it just will make the configuration process easier.

Getting Started

“You take the blue pill, the story ends, (...) You take the red pill, you stay in Wonderland...” (Morpheus)

Actually, you should make the choice about which scenario suits you best right now. Consider the following:

(A) The Hyper-V scenario is better for Windows® 8.1/10 (or Windows Server 2008 R2 /2012) with 6-8

Gigabytes of RAM or more;

(B) The VMware scenario is better if you run other OS’s and have 8 Gigabytes of RAM or more.

It often happens that Windows works faster in VMware than in Hyper-V, especially when compared with Generation-1

Hyper-V VMs (e.g. in case you install Windows 7 in Windows 10 Hyper-V).

NB! You cannot run VMware VMs when you have the active Hyper-V role installed.

Chart Your Path

Introduction.................................................................................................................................................................................1

About This Guide - must read!................................................................................................................................................1

Step 1. Download everything...................................................................................................................................................3

Step 2. (A) Install Hyper-V role on Windows (Windows 10 PRO)......................................................................................6

Step 2. (B) Install VMware Workstation Player....................................................................................................................10

Step 2.1. (B) Install VMware ESXI in VMware Workstation Player....................................................................................11

Step 3. (A) Install Windows in Hyper-V: Win7 (Generation1) vs. Win8 (Generation2) installation (optional).......14

WINDOWS 7 INSTALLATION (Generation 1)...........................................................................................................21

WINDOWS 8 INSTALLATION (Generation 2)..........................................................................................................25

Step 3. (B) Install Windows in VMware Workstation Player (optional)..........................................................................31

WINDOWS 7 INSTALLATION (in vMware Workstation Player)..............................................................................35

Step 3.1. (B) Install VMware vSphere® Client on Windows.............................................................................................38

Step 4. (A) Install LEM in Hyper-V..........................................................................................................................................40

Step 4. (B) Install LEM in VMware ESXi................................................................................................................................43

Step 5. Prepare your browser (on Windows) for LEM Web interface..............................................................................50

Step 6. Install GNS3 on Windows along with the utilities..................................................................................................52

Step 7. Configure GNS3 and set up a basic topology..........................................................................................................54

Step 8. Configure LEM to collect syslog data from the devices........................................................................................65

Step 9. Install the LEM Reports console on Windows and configure it to receive reports from LEM....................84

Step 10. Where to find the help for troubleshooting if something happens................................................................90

3


Step 1: Download everything

Make sure that you have downloaded everything needed (from the list below) before moving forward:

• GNS3: https://community.gns3.com/community/software/download

NOTE: You’ll need to create an account for the GNS3 community before the download link will work.

• (B) VMware Workstation Player: https://www.vmware.com/go/downloadplayer

• (B) VMware vSphere® Hypervisor (ESXi) and vSphere Client: https://my.vmware.com/group/vmware/evalcenter?p=free-esxi6

• LEM: http://www.solarwinds.com/log-event-manager.aspx

LEM is available for VMware ESXi or for Hyper-V, so you need either

(A) The Hyper-V version of LEM or

(B) The VMware version of LEM.

• A copy of Windows: https://www.microsoft.com/en-us/software-download

• The “images” of the network device operating system (Cisco® IOS® or other)

1. Create an account at GNS3, and download the package from here:

https://gns3.com/software/download

(B) 2. Download a copy of VMware Workstation Player for personal use:

https://www.vmware.com/go/downloadplayer

(B) 2.1. Create an account at https://my.vmware.com/

and then download VMware vSphere Hypervisor (ESXi): https://my.vmware.com/group/vmware/evalcenter?p=free-esxi6

3. Download the 30-day trial version of LEM: http://www.solarwinds.com/log-event-manager.aspx

Fill out all the needed fields, and you’ll receive a download link via email.

https://community.gns3.com/community/software/download


https://my.vmware.com/group/vmware/evalcenter?p=free-esxi6

http://www.solarwinds.com/log-event-manager.aspx

https://www.microsoft.com/en-us/software-download

https://gns3.com/software/download


https://my.vmware.com/


http://www.solarwinds.com/log-event-manager.aspx

4


Download the version appropriate to the hypervisor that you like to use for LEM (Hyper-V or VMware ESXi).

Next, extract the files from this package, run *.exe-file:

Choose the path.

The email that you’ll receive from SolarWinds may look like this:

5


You will see something like this in the destination folder:

4. You should have a copy of Windows installed either:

- on your host machine (that’s a real computer; by the way, you may come across some bugs with the Web interface,

which is why I recommend you use the clear VM installation), or

- in Hyper-V (A), or

- in VMware Workstation Player (B) to run vSphere Client (B) and the LEM Reports console and, perhaps, any other

software you may need.

In VMware I use Windows 7, and

for Hyper-V I recommend using Windows 8/8.1 or Windows 10.

You can also use Windows 7 for Hyper-V, but it does not work as smoothly in Hyper-V.

(That said, I will show you how to install Windows 7 and Windows 8 in Hyper-V).


5. The GNS3 topology needs at least one image of an IOS router.

Supported platforms for GNS3 are Cisco 7200, 3600 series (3620, 3640, and 3660), 3700 series (3725 and 3745),

and 2600 series (2610 to 2650XM and 2691).

In this lab you’ll see an image for c3640. You can either download images from Cisco.com, if you have a contract,

or download it from your working Cisco router (if you have one, of course), by using tftp protocol. Other sources

for IOS images that possibly exist on the Internet are beyond the scope of this document.


6


Step 2 (A): Install Hyper-V role on Windows (Windows 10 PRO)

For Hyper-V scenario (plan “A”), you should have installed the Windows operating system that supports the Hyper-V

server role, such as Win Server 2008 R2/2012, Windows 8.1/10 Pro, etc.

You can easily turn on Hyper-V on Windows 8.1/10 Pro as follows:

Open the Control Panel and select Programs.

Then click on Turn Windows features on or off:

7


Choose Hyper- V features and click OK:

You may need to reboot the system after this operation.

Then, you’ll be able to start Hyper-V Manager from the Start menu:

In Hyper-V Manager, click on Connect to Server (from the Actions menu on the right) and choose Local computer:

8


Let’s create an External Virtual Switch (Choose External and click Create Virtual Switch).

After doing this you will be able to create/import Virtual Machines.

The Virtual Machines will be connected to the local network and to each other, and to GNS3 lab via the Virtual Switch.

Let's create this switch. In the Actions panel, choose Virtual Switch Manager:

The following windows will pop up:

9


Let’s create an External Virtual Switch (Choose External and Click Create Virtual Switch).

You can create the name for the switch (I will just use the name New Virtual Switch).

In this window, you should also specify the network adapter you want to connect this virtual switch to. (I’m using

my Wi-Fi adapter.)

Don’t forget to tick off all Extensions for the Virtual Switch.

By the way, this adapter and the configuration of the local network it’s connected to really impacts the lab

configuration because no NAT is used on the local host.

E.g., my local network is 192.168.0.0/24, and 192.168.0.1 is the default gateway that is my Wi-Fi router.

I’m using this subnet and gateway in this lab, and if you use the other subnet, you may want to change your

subnet or the virtual host’s subnet used in this guide to make the lab.

10


Step 2 (B): Install VMware Workstation Player

NB! VMware Workstation Player cannot install alongside VMware Workstation, and if you use VMware

Workstation, you don’t need to install VMware Workstation Player.

NB! VMware Workstation Player cannot work with the turned-on Hyper-V Role (I showed how to turn it on in

Step 2 A, so you just need to reverse that operation by unticking Hyper-V in Windows features list).

The VMware scenario (plan “B”) is probably better, as I mentioned earlier, if you have at least 8 GBs of RAM or

more, and use the operating system that doesn’t include Hyper-V server.

It also works faster in other scenarios, especially when compared with Generation-1 Hyper-V VMs.

If you followed the guide step by step, you might have downloaded VMware Workstation Player already. If not,

you can download it from here:

(B) Download a copy of VMware Workstation Player for personal use:


Installing the VMware Workstation Player is very easy. Just follow the prompts, accept the license agreement...

...leave the default settings, and install the program to the desired path.


11


Enter your email address to use VMware Workstation Player for free for non-commercial use, and you can use

VMware Workstation Player:

If you followed the guide step by step, you may have downloaded VMware vSphere Hypervisor (ESXi) already. If

not, you can download it from here:

(B) Create an account at https://my.vmware.com/

and download VMware vSphere Hypervisor (ESXi): https://my.vmware.com/group/vmware/evalcenter?p=free-esxi6

Step 2.1 (B) : Install VMware ESXI in VMware Workstation Player

https://my.vmware.com/


12


Click on Create a new Virtual Machine and point to your ESXi *.iso image file.

You can change the name of your VM, as well as its location.

Next, assign two cores to VM. Assign at least 4900MB of RAM, select network type NAT and turn on Intel VT-x/

EPT or AMD-V/RVI.

The installation is easy. Accept the license agreement terms, select a disk to install (leave default settings), select a

language, and create a root password (e.g. “Wireshark1”). Remember that password!

Confirm installation and wait until the installation is complete.

13


Now let’s set up ESXi’s network configuration.

Click on F2. Type login root and root password:

Focus on Configure management network, and hit Enter:

In the IPv4 Configuration Section, select Set static ipv4 address and type

ipv4 address = 192.168.0.10

mask = 255.255.255.0

and default gateway 192.168.0.1

By the way, don't forget to install VMware tools (when you see the following pop-up in VMware, select Download

and Install):

14


You also can specify dns server (e.g. 8.8.8.8) in the DNS Configuration Section:

Hit Enter to save the configuration.

Step 3 (A): Install Windows in Hyper-V - Win7 (Generation1) vs. Win8 (Generation2) installation (optional)

Windows Installation is marked as “optional” because it’s possible to manage LEM from your host machine, since

all VMs and routers in GNS3 will be bridged with the host machine in the labs. However, if you come across some

bugs (with Flash, for instance), virtualizing Windows will be the easiest method to save time and provide practice

for LEM without making big changes to your current OS.

In this example, I will use Windows 7 X64 image.

If you have Windows 8 or Windows 10 X64-images, they will work better in Hyper-V than Windows 7, so if you have such an image, use it in Hyper-V instead of Windows 7.

Actually, you can use any other Windows OS, or just try working from your real machine. However, to avoid possible

bugs, and if you have a lot of applications installed on your system, it’s sometimes easier to use the VM for this lab

than trying to troubleshoot the problems on your real computer.

I will show you how to quickly add the VM to Hyper-V.

First, select Actions -> New -> Virtual Machine, and click Next:

15


Choose a name and location for this virtual machine, such as Windows7 or Windows8:

NB! On Windows 10 (as well as on Windows Server 2012), there is a choice when creating a new VM

between two generations of Hyper-V virtual machines. You can read about the Hyper-V Virtual machine

generations on Microsoft tech support websites. (These materials are beyond the scope of this guide).

For Windows 7, you should select Generation 1.

If you install Windows 8/8.1 or Windows Server 2012 or better, you should select Generation 2.

Choose a name and location for this virtual machine, such as Windows7 or Windows8:

16


Specify the startup memory (e.g., 1024 MB):

Now let’s connect the Virtual Machine to our Virtual Switch that we created before.

17


Create a virtual disk by selecting a name and location for the dynamically expanding virtual hard disk.

Make sure that you have enough space on the hard drive for the Virtual Machine:

Select Install an operating system from a bootable image file and

point to your Windows OS .image file:

Now let’s save the settings by clicking Finish:

18


Now this VM is available in the Virtual Machine list. Right-click on Windows 7, and select Settings:

For Windows 7, click on Add Hardware and add a Legacy Network Adapter.

For Windows 8 or better, you can use a default Network adapter.

19


Next, connect this adapter to New Virtual Switch (the name of the virtual switch that I created before), and save

the settings:

Choose something other than 1 Virtual Processor. (I hope your PC is not too old for this if you reached this part of

the guide). I am selecting 2 processors:

20


After this, we right-click on our VM and click Connect:

Let’s start the VM with Action -> Start!

21


WINDOWS 7 INSTALLATION (Generation 1)

Next comes your typical Windows installation:

Language settings

Accepting lincense terms

22


Selecting the disk for installation

Waiting for the end of the installation

23


Creating a username and a host name

...and last but not least, starting Windows and telling it that we’re connected to our local home network:

After all this, you should statically configure this VM because it will be connected to the local network. Make sure

that the following configuration will not conflict with your current configuration on your devices:

(Alternately, set another IP address that is not used in the local network.)

24


So, let’s configure the VM statically:

Go to Control Panel (Large Icons mode) -> Network and Sharing Center -> Change Adapter settings ->

-> Right-click on the adapter and click on Properties.

Select Internet Protocol Version 4, and in its properties, change the configuration to the following: ->

IP address: 192.168.0.20

Subnet mask: 255.255.255.0

Default gateway: 192.168.0.1

You also want to specify 2 DNS servers: 8.8.8.8 and 8.8.4.4.

Save the configuration by clicking OK:

25


WINDOWS 8 INSTALLATION (Generation 2)

For Windows 8, the process will look like this (after starting the VM):

Note the GENERATION2 logo

(if you install Windows 8 in Windows 10 Hyper-V as Generation 2 VM):

Language settings

26


Select where to install Windows

...and wait...wait...wait...for a long time...

27


Enter a PC name

Use default settings

28


…and create a user name and a password that you will be sure to remember and wait for a while...

After all this you should statically configure this VM. Because this VM will be connected to the local VM, make

sure that the following configuration will not conflict with your current settings:

(Alternately, set another IP address that is not being used in the local network).

29


After logging in to our newly installed OS,

let’s configure the VM statically:


-> Right-click on the adapter and click on Properties.

Select Internet Protocol Version 4, and in its properties change the configuration to the following: ->

IP address: 192.168.0.20

Subnet mask: 255.255.255.0


Specify 2 DNS servers: 8.8.8.8 and 8.8.4.4.

Save the configuration by clicking OK:

30


The final step involves checking to make sure you have Internet access:

Open command line (Windows key + R, then type cmd), and type ping 8.8.8.8

If you receive the packets back, everything is fine!

You can always save your current state with

Action-> Checkpoint,

and if you did something wrong, you can revert to the last checkpoint:

31


Step 3 (B): Install Windows in VMware Workstation Player (Optional)

First, click on Create a new Virtual Machine, and point to your Windows *.iso image file

Next, type your Windows license key, or wait until later to do this.

32


You can change the name of your VM, as well as its location:

Next, choose the disk capacity and decide whether it should be split (let's leave the default settings):

33


Next, assign one or two cores to VM (the more the better), and at least 1 GB of memory. Select network type

Bridged (also click on Configure Adapters and select your adapter that connects your host machine with a

local network)…

....and turn on Intel VT-x/EPT or AMD-V/RVI:

34


The next step is to download VMware tools for Windows to improve VM performance:

It will download VMware tools.

35


WINDOWS 7 INSTALLATION (in VMware Workstation Player)

Next, start the typical Windows installation:

It will download VMware tools.

...It looks like the Windows installation from Hyper-V section actually.

36


After this process, the OS will reboot and you will select the network location. Let’s trust the home network:

37


After this, the system reboots again. The installation is complete.

You may also need to manually assign a static IP configuration to this machine like this:


-> Right-click on the adapter and click on Properties

Select Internet Protocol Version 4, and in its properties, change the configuration to the following: ->

IP address: 192.168.0.20

Subnet mask: 255.255.255.0


Specify 2 DNS servers: 8.8.8.8 and 8.8.4.4.

Save the configuration by clicking OK.

View how VMware tools are being installed.

38


Step 3.1 (B): Install VMware vSphere Client on Windows

Windows Installation is marked as “optional” because it’s possible to manage LEM from your host machine, since all

VMs and routers in GNS3 will be bridged with the host machine in the labs. However, if you come across some bugs

(with Flash, for instance), virtualizing Windows will be the easiest method to save time and provide practice for LEM

without making big changes to your current OS.

Run *.exe file, which will extract the installer and start the installation process. Select the language,

accept the terms in the license agreement, and select the path, leaving the default settings.

After vSphere is installed, let's connect it to ESXi:

To connect to ESXi, type its IP address (192.168.0.10), login (root), and password.

39


Next, allow the self-signed certificate if you receive a security warning. Install the certificate and click Ignore

And here we go!

40


4. (A) Install LEM in Hyper-V

In the Hyper-V management interface, click on “action” and select “Import Virtual Machine…”

Browse to locate and open the SolarWinds Log and Event Manager folder previously extracted to the desktop.

41


Within this folder, you will see an additional folder with the same name. Click on this folder and “select folder”

Now, select import to install the LEM virtual machine.

42


Now that you have the LEM VHD file imported, you can use the Hyper-v Manger to configure additional setting. By

default, the VM will be configured with the minimum requirements and resource reservations will automatically be

set to ensure optimal performance.

Now it’s time to connect to your VM and power it on. Be sure to write down the IP Address that displays after the

virtual appliance starts up!

43


Step 4 (B): Install LEM in VMware ESXi

In vSphere client, let's deploy OVF Template:

Point to Deploy First - LEM Virtual Appliance.ova... from the LEM package:

44


Here you have to verify OVF Template details:

Next, you can change the template name. Let’s leave the default name ("SolarWinds...")

45


Next, it will show how much space is available on your drive:

Make sure that you have enough disk space (>250GBs).

46


After you complete this, it will deploy LEM.

After the LEM is deployed, you may want to set up the memory settings. This is especially helpful if you don't

have 16GBs of RAM. Right-click on the VM in vSphere client -> choose Edit Settings:

47


Select about 1750 MBs of RAM. You can try to run LEM with different amount of RAM, that will depend upon

your configuration and the amount of RAM that you allocated to ESXi VM in VMware:

Take in mind that we are running this VM inside of ESXi for which we allocated about 5 gigs of RAM in VMware.

If LEM doesn't start and you see red messages in Recent Tasks, then try to specify a bit less RAM.

If you can allocate more RAM, then do that, that will make LEM more stable.

As you see on the screenshot, I allocated 1752MB for RAM for LEM.

NB! This is a test deployment of LEM! In an actual deployment, reservations are needed for the LEM to

function correctly (based upon traffic volume and configurations)

48


Next power on LEM virtual machine with play button. If you have enough RAM, and have all virtualization

enabled, then after a while you'll see something like this in a console tab:

Let's assign static IP address to LEM.

Select Advanced Configuration in Console and click Enter.

Here you can also view how many resources are being used at the moment.

In the menus below, select options using Enter. To view commands, type help and click Enter.

Type appliance.

49


Next, type netconfig.

Choose networking settings like this:

IP address = 192.168.0.150, mask = 255.255.255.0, gateway = 192.168.0.1. You also should choose a

domain(e.g., LEM) and DNS-server (e.g., 8.8.8.8).

Save this configuration and restart LEM.

50


Step 5 : Prepare your browser for LEM Web interface. (This is not always necessary.)

Browse LEM 192.168.0.150:8080 in the default Web browser on your Windows virtual machine

(in Hyper-V or in VMware):

You'll be prompted to download the latest Flash Player:

Download the latest version from get.adobe.com/flashplayer/ and install it. Close your browser while you do that.

51


After that, browse LEM's login page…

...and you will be able to work with LEM's Web interface!

52


Step 6: Install GNS3 on your host machine along with the utilities

Let's install GNS3. It has a pretty easy installation:

Accept the agreement, choose the start menu folder, and select all listed components:

In the component list we can view WinPcap that is needed for packet capture, Wireshark®, Dynamips to

virtualize Cisco equipment, many additional tools, and GNS3 itself, of course.

Let's save the default destination folder.

You'll go through some component installations; just keep on clicking NEXT and OK, and leave default

settings everywhere.

53


If you don't have WinPcap, you need to install it, which is easy, then the GNS3 installer will download and

install all other components, including Wireshark and other components...

...and you should accept everything until GNS3 is installed...

...and then you can run it (Start GNS3 is ticked off by default, so when you click Finish, you'll start GNS3)!

54


Step 7: Configure GNS3 and set up a basic topology

Start GNS3 from your Windows menu.

Right after you start GNS3 you may see New Project pop up.

(If you don't see this, just Select File -> New Project).

Create the name for your project:

The next task on the agenda is to add the virtual equipment, and in this lab I'm going to use Cisco 3640

routers. (You can, of course, use something different if you like).

To add the routers to our virtual infrastructure we need to first set up the router template in GNS3:

Go to Edit -> preferences -> Dynamips -> IOS routers -> click on New, select New Image and point to the

Cisco image of yours. Click Next, leave the default amount of RAM,

55


You can also change the idle-pc value, or you can wait to do this later, as well.

…and then you can set up the router modules, or wait until later. I use the NM-4E module.

Save the settings.

56


After you add your desired image/s and save the settings, GNS3 will show all your Cisco routers.

I'm using in this lab Cisco 3640 routers (shown as c3600).

Just drag 3 nodes (c3600) to the workspace:

If you right-click on a router in the workspace, in the Slots section you'll see all its interfaces (they can be added

or removed in this menu; you could also do that when configuring the router template if you did that previously).

Let's use NM-4E module on each router. Apply the settings.

By dropping the devices and connecting them (by clicking on button, then on a device and selecting the

interface to connect to), you should make the topology like this:

57


To connect to the cloud, which is basically one of our virtual hosts, you should first configure it. Do so by right-

clicking on a cloud and select the interface ->

A: In case you use Hyper-V, you should choose the Virtual Switch (we created it in Step 2-A) that your Windows

virtual machine on Hyper-V is connected to.

B: If you use VMware, you should select the interface that connects your machine to the local network (a Wi-Fi

adapter, for example).

Just select the interface for Generic Ethernet NIO, choose the above mentioned network adapter, then click Add

and apply the settings:

Setting up the cloud for the Hyper-V scenario. (For VMware, choose your current adapter that connects you to the local network.)

-------------------------------------------------------------------------------------------------------

NB! GNS3 routers will gain access to the Internet (ping 8.8.8.8) with this configuration only in Hyper-V scenario!

However, for this lab it's not very important, but if you want to gain access to the Internet for GNS3 routers with

VMware, you can do that. Just use NAT adapter on VMware Workstation (VMware Network Adapter VMnet8

adapter has IP address of 192.168.237.2). Use it with the cloud, then change 192.168.0.0/24 subnet on R1,R2,R3 to

192.168.237.0/24. Just replace 192.168.0. in configs with 192.168.237. in Notepad and copy new configs via PuTTY

and replace the default gateway in GNS3 configs with 192.168.237.2.

Also, replace the respective IP configs for Windows, LEM, and ESXi with 192.168.237.X subnet and with 192.168.237.2

as the default gateway so that LEM will be 192.168.237.150 etc.

-------------------------------------------------------------------------------------------------------

58


Next you can connect the cloud(*) to Switch1 and turn on all the virtual routers and VMs if you hadn’t already

done that.

*NB! Sometimes, GNS3 can deny such a connection, giving the error in GNS3 console so that you can't make

the link between the Cloud and Sw1. (For example, I changed Virtual Switch type and got an error.)

And the most effective solution is to just reboot your computer (or sometimes disable and re-enable the

adapter the cloud is connected to can work).

ATTENTION: Don't forget to generate a good IDLE-PC value to spare RAM on your PC if you didn't do that

before when configuring the router template.

To do that, click on Router and select Auto Idle-PC.

Next, when all devices are connected, put these configurations into the routers via PuTTy (on Windows just

left-click on a router in GNS3 to start it ), or a similar tool.

(#-symbols will not change the configuration on Cisco. I used these symbols to comment the commands below.)

59


#Just select and copy these configurations in GNS3 via Putty #to R1, R2 and R3 respectively:

################ ROUTER 1 ################

# set up interfaces - assign ip addresses to them and get them upconf thostname R1int e0/0ip address 192.168.0.201 255.255.255.0no shutint e0/2ip address 10.0.12.1 255.255.255.248no shutint e0/3ip address 10.0.13.1 255.255.255.248no shut

#static route to 192.168.0.1 that is#default gateway of this local network in my labip route 0.0.0.0 0.0.0.0 192.168.0.1

#dynamic ospf routing, #all interfaces are in area 0, #default route is injected in area 0 ("def... originate")router ospf 1network 192.168.0.0 0.0.0.255 area 0network 10.0.12.0 0.0.0.7 area 0network 10.0.13.0 0.0.0.7 area 0default-information originateexit

#log settingsservice timestamps log datetime msec localtime show-timezone#number all messagesservice sequence-numbers#send syslog messages to LEM (*.150)logging host 192.168.0.150 #syslog level is 7 (all messages)logging trap debug#specify the facilitylogging facility local2#send syslog messages from Ethernet 0/0 interfacelogging source-interface Ethernet 0/0#log all login attemptslogin on-failure log every 1login on-success log every 1

#use dns-server 8.8.8.8ip name-server 8.8.8.8#resolve namesip domain lookup

60


#log all configuration changes (and hide passwords)archivelog configlogging enablenotify sysloghidekeysexitexit

#set up time with ntp (you can other ntp servers if you like)ntp server 0.uk.pool.ntp.org

#configure domain nameip domain-name lem#generate RSA keycrypto key generate rsa1024

#pre-configure sshusername admin privilege 15 secret 0 wireshark1line vty 0 4login localexit

#enable sship ssh version 2ip ssh rsa keypair-name R1.lemexit

################ ROUTER 2 ################


#dynamic ospf routingrouter ospf 1network 192.168.0.0 0.0.0.255 area 0network 10.0.12.0 0.0.0.7 area 0network 10.0.23.0 0.0.0.7 area 0exit

61


#log settingsservice timestamps log datetime msec localtime show-timezoneservice sequence-numberslogging host 192.168.0.150 logging trap debuglogging facility local2logging source-interface Ethernet 0/0#log all login attemptslogin on-failure log every 1login on-success log every 1


#log all configuration changes (and hide passwords)archivelog configlogging enablenotify sysloghidekeysexit exit

#set up ntp ntp server 0.uk.pool.ntp.org




################ ROUTER 3 ################


#dynamic ospf routingrouter ospf 1network 192.168.0.0 0.0.0.255 area 0network 10.0.13.0 0.0.0.7 area 0network 10.0.23.0 0.0.0.7 area 0exit

62


#log settingsservice timestamps log datetime msec localtime show-timezoneservice sequence-numberslogging host 192.168.0.150 logging trap debuglogging facility local2logging source-interface Ethernet 0/0#log all login attemptslogin on-failure log every 1login on-success log every 1


#set up ntpntp server 0.uk.pool.ntp.org

#log all configuration changes (and hide passwords)archivelog configlogging enablenotify sysloghidekeysexit exit




-------------------------------------------------------------------------------------After configuring the routers, check that you can connect to LEM from each router, and that every router and every VM can see each other:

ping 192.168.0.20ping 192.168.0.150ping 192.168.0.201ping 192.168.0.202ping 192.168.0.203

63


Checking network connectivity on Windows.

64


Checking network connectivity in GNS3 on R1 (Hyper-V scenario).

-------------------------------------------------------------------------------------------------------

NB! GNS3 routers will gain access to the Internet (ping 8.8.8.8) with this configuration only in Hyper-V scenario!

However, for this lab it's not very important, but if you want to gain access to the Internet for GNS3 routers

with VMware, you can do that. Just use the NAT adapter on VMware Workstation (VMware Network Adapter

VMnet8 adapter has IP address of 192.168.237.2), and use it with the cloud.

Change 192.168.0.0/24 subnet on R1,R2,R3 to 192.168.237.0/24 - just replace 192.168.0. in configs with

192.168.237. in Notepad and copy new configs via PuTTY) and replace the default gateway with 192.168.237.2.

Also, replace the respective IP configs for Windows, LEM, and ESXi with 192.168.237.X subnet and with

192.168.237.2 as the default gateway.

If you want to do it some other way, use information found on the VMware and GNS3 websites:

www.gns3.com

www.vmware.com

-------------------------------------------------------------------------------------------------------

http://www.gns3.com

http://www.vmware.com

65


Step 8: Configure LEM to collect syslog data from the devices

First, login to LEM in your Web browser (http://192.168.0.150:8080) - ( user = admin , password = password )

and click Connect:

Accept the license agreement:

Create a strong password. (We’ll choose the options below to save this password):

66


...then type your email, because it is required by LEM.

After this, you'll be able to start managing LEM:

After you’ve configured your routers in GNS3 (I hope that you followed the guide step-by-step ), LEM will

automatically add them as soon as they start sending syslog traffic to LEM.

67


You also can start the scanning procedure and LEM will start scanning the network for new nodes:

Manage -> Nodes -> Scan for New Nodes:

...the process may take few minutes...

…then you'll see a message like this:

Click View Now next to New Connecter(s) Found…

68


...and approve these additional nodes (and click Next).

By the way, LEM may show false positives like Cisco CatOS..., Cisco Wireless... etc. (on the screenshot above).

As a matter of fact, we should use only the connector for Cisco-IOS for these Cisco routers.

So, just unselect the connectors like Cisco Wireless ..., Cisco Cat, etc. and select only the connector for Cisco-IOS.

...then click on Finish...

...and here we go!

NB! There is also an option to manually add the nodes from the Manage menu and select a vendor manually.

Select Syslog, the IP address of the node, the vendor (Cisco) and click NEXT:

69


Sometimes you need to add a connector manually.

Add a connector to allow Cisco syslog data to be properly dissected by LEM. The connector itself is basically an *.xml -file. LEM will choose the correct connector in most cases, but often it happens to show false positives).

For our Cisco devices in GNS3, LEM will use the connector called, "Cisco PIX and IOS.”

NB! In this lab I use only common Cisco routers. To add the nodes, such as servers etc., you might need to install the agent on the respective OS.

If you want to use other Cisco devices, they may be added as follows: https://support.solarwinds.com/?title=Success_

Center/Log_%26_Event_Manager_(LEM)/Integrate_Cisco_network_devices_with_SolarWinds_LEM

And visit www.gns3.com for more information.

As soon as you add the routers using the connector, you can get syslog messages from them dissected properly.

Next, let's do something bad, something that you would definitely avoid in real life to generate syslog errors:

Let’s type on R3 in ospf section the following:

conf t

router ospf 1

network 10.0.13.0 0.0.0.7 area 1

network 10.0.23.0 0.0.0.7 area 2

end

http://www.gns3.com

70


We should receive many ospf-related messages now.

Let's see what messages we receive on LEM:

To see all messages go, to Monitor -> All events. There are a lot of events.

Let's create a new filter; click Plus and select New Filter:

Create a name (OSPF Cisco), and a description for your filter (ospf messages from Cisco routers):

Next, set the condition number 1: the protocol should be OSPF.

Click on Event Groups, select Network Audit Alerts, then select Protocol and drag it into Conditions.

Type *OSPF* as a value.

71


Let's add the second condition: we are concerned about our Cisco routers, so let's be more precise and

select DetectionIP, drag this new group to Conditions, and let's say that DetectionIP should equal *192.168.0.20*

where * means the wildcard mask (it stays for any symbol).

To choose between AND and OR, just click on the respective symbol.

Hint: The triangle symbol means “AND.”

To specify the notifications that we want to receive (if we receive the syslog messages that match the filter

conditions), let's add the notifications.

For example, add Display New Events As Unread and Display Popup Message (after 1 message/repeat after

30 ones).

Click Save to save the filter.

72


To sort the message list, you can click Pause and click on the respective rows.

After you sort the list and make all the operations you want, click Pause and then Resume.

You can view all information in detail in the Event Details:

You'll see a Filter in Overview and how many packets match this filter.

You also will see the Notification that will look like this:

73


We can also visualize the messages that match the specified filter by using a widget (by default, the place for

it is located on left-hand side of the Event Details table), create a name (OSPF_Cisco) in Widget Builder, and

a description for your filter (ospf messages from Cisco routers), change the scale, etc. and save the widget:

In the meantime, let's fix R3 in GNS3 via PuTTY (just copy the text below to PuTTY):

conf t

router ospf 1

network 192.168.0.0 0.0.0.255 area 0

network 10.0.13.0 0.0.0.7 area 0

network 10.0.23.0 0.0.0.7 area 0

exit

74


Now we can visualize the syslog errors amount (the real time is 9:40AM, and we did not receive any ospf

errors after 9:29 AM, and we see the good OSPF Full - Loading done messages):

LEM used Cisco NXOS Connector instead of Cisco-IOS Connector because I added the nodes automatically, and LEM used the wrong connector (which, in my case, works anyway).

So, our troubleshooting has been successful.

Now, let's do the following:

Let's configure LEM so that if someone tries to incorrectly log in from the IP address X.X.X.X on R1,

for, say, 7 times or more during 1 minute, then LEM, after logging this and displaying a pop-up message, will

also force ALL ROUTERS to block the traffic from X.X.X.X.

So, this will be our goal.

Logon Failure in LEM.

75


To configure LEM for this scenario you need to do the following operations:

Select Manage -> Appliances -> click on the gear and select Connectors:

Type response in Refine Results; on the right-hand side you'll find Cisco IOS Active Response. Click on its

gear and then click New:

In Cisco IOS Active Response, fill out all the fields.

Choose Alias R1 Cisco for R1, R2_Cisco for R2 etc.,

then define the IP address of the node, the credentials

(in the Cisco config of mine, I used login=admin, password = wireshark1),

then click Save.

76


This way you will add the first router R1:

Let's repeat these operations for R2 and R3:

until you add settings for all 3 routers.

77


However, by default, the connectors we configured are stopped:

Let's start them: Click on the gear and choose Start for each router:

Then, let's make the rule in LEM.

Select BUILD -> Rules:

Click the + sign.

78


You'll see the following menu:

Let's create the following rule:

Name: Block_IP_on_R1, description: Block IP when incorrectly logging on to R1.

Next, select Events -> UserLogonFailure, Fields -> DetectionIP

(It will look like UserLogonFailure.DetectionIP=192.168.0.201.)

Drag this to Correlations, and specify the IP address of R1: 192.168.0.201:

79


Correlation time: 7 events within 60 seconds, then select Actions -> Drag Block IP.

Select UserLogonFailure from Events, next choose SourceMachine Field from the list below, and drag the

UserLogonFailure-SourceMachine field (that's the IP address of the host that tries logging into R1), into the

Block IP field.

Then, Enable the Rule. You may also want to subscribe to this; you set up your email for this in a previous step.

Next, let's save the rule:

You can also create such rules for other routers, but in this lab I will use only one rule just to show you how

it works.

Click Activate Rules:

80


Let's try now to use an incorrect password (like "1") when connecting via ssh from our real machine to R1

(192.168.0.201)using PuTTY that was installed with GNS3 by default.

(Or you can download it from http://www.putty.org/):

Specify the IP address 192.168.0.201, leave the default SSH port 22, and click Open.

You’ll see a popup; click Yes:

http://www.putty.org/

81


Try to log in several times. After 4 times, Cisco will close the connection..

Start PuTTY again and quickly repeat the same operations. (Remember, you have only 60 seconds, like in

Hollywood movies.)

The third time, however, PuTTY will say that the connection timed out; it won't be possible to connect to R1:

82


You cannot ping R2 either, but LEM's host is available because we set up the Active Response for 3 Routers

in GNS3:

In Putty in GNS3 on R1 you can see that there is a route to Null0 for the host's IP address

(This is the route to "Nothing" for my real host's IP address of 192.168.0.100):

The result of running the show IP route command on R1

83


And in LEM, you'll see the following popup:

Click OK.

We can see that LEM blocked the IP address of 192.168.0.100, the real host from which we connected to

R1 via SSH:

This way, by using Rules in LEM, we can automatically block the IP addresses of bogus hosts that try to

brute-force our passwords.

84


Step 9: Install the LEM Reports console and configure it to receive reports from LEM

You can receive reports about different types of traffic from LEM on Windows by using the LEM Reports console.

To install the console, run the .exe installer file from the folder you unpacked the LEM package to. (If you

forgot what that is, it’s the initial package that was unpacked to get the LEM VM, etc.)

If you do that on VM and don't have this package there right now:

-In VMware (if you installed VMware tools), you can drag and drop this file file to the VM from your host machine.

-In Hyper-V (Generation 1), you can log in to your email and download the package, and then unpack it (or

you can use RDP, or something like TFTP, but this will be out of scope of this guide).

-If you use Hyper-V Generation 2 VM (Windows 8 installed in Hyper-V on Windows 10, for instance), you can

copy and paste the file to the VM:

For Win Server 2012 or better, read this:

How to use local resources on Hyper-V virtual machine with VMConnect

https://technet.microsoft.com/en-us/en-en/library/dn282274.aspx

85


Let’s start the installation.

The installer will show you the requirements; ensure that you have enough resources:

…and begin the installation:

After the installation is complete, let's run Reports tool.

Because it's the first time we start this tool, it doesn't know the LEM IP address:

86


Let's type its IP address, and your username and password:

Save the settings by clicking on Green Plus. Confirm the operation and close the window.

Next, we can view Reports Application, for which we just specified the manager.

Let's define what type of report we want to create. I want to create a standard report titled Network Traffic

Audit. Let's select it and click Run:

87


Next, specify the start date/time and end date/time (use the Now button to specify the current time):

The report is ready.

88


We can also export it in different formats:

Let's export it in rtf by selecting the format from the drop-down list and clicking OK.

Wait for a while:

89


...and open this report:

This way you can generate any report and export it in almost any format. It's a piece of cake!

90


© 2016 SolarWinds Worldwide, LLC. All rights reserved.

The SOLARWINDS and SOLARWINDS & Design marks are the exclusive property of SolarWinds Worldwide, LLC and its affiliates.

All other trademarks are property of their respective owners. BR-1602

Step 10: Where to find the help for troubleshooting if something happens

If you experience problems, I recommend that you carefully read everything one more time; perhaps you just

didn’t follow all the steps.

Then try to :

-reboot routers within GNS3.

-delete/create the links between devices in GNS3.

-restart GNS3.

-reinstall software (GNS3/VMware).

-disable/enable (virtual or real) adapters in Windows.

- turn off your antivirus program.

-check your firewall.

-check the drivers.

-reboot your pc.

If none of those options work for you, don’t give up!

You can find a lot of information about GNS3, including tutorials, discussions etc., on:

www.gns3.com

To troubleshoot Windows and Hyper-V, browse the appropriate tech support Web resources by Microsoft for

your version of Windows.

You can find information about VMware software on:

www.vmware.com

And if you didn’t find what you need there, the universal way to find everything is just to Google it! :)

Thank you for reading this BIG GUIDE!

http://www.gns3.com

http://www.vmware.com

how to guide virtualize your network and...

Documents