By Paul Venezia, Senior Contributing Editor

Emulating Cisco networks for fun and profit

analysis
May 7, 2010 | 7 mins

Free open source GNS3 provides a fantastic framework for designing, building, and testing complex networks right on Windows, Linux, or Mac OS X

If you happened to read my Deep End blog earlier this week, you know I’m currently in a bind with a large WAN project. Cisco’s ASA shortage has been threatening to leave me high and dry, with the very real potential of live circuits in three major metropolitan areas going live with no hardware to plug into them. The immediate fallback plan is to use pfSense running on workstation-class systems to at least test the circuits. The problem is that there’s little time to get this project done, and a shortage of Cisco ASAs means there will be virtually no time to stage and test the hardware before I hop on several planes.

Out of desperation, I explored the current state of Cisco IOS emulation software — specifically open source tools. I found that GNS3 has come a long, long way since the last time I used it. In fact, it’s become a simply fantastic tool for network administrators of any stripe or skill level.

GNS3 stands for Graphical Network Simulator, version 3. It’s a Python application that runs on Windows, Mac OS X, and Linux, providing a drag-and-drop GUI for sketching out network architectures. It functions as a design and interconnect environment, leveraging Dynamips and QEMU for the actual hardware emulation.

The upshot is that within a few minutes of installation, I was building out my planned WAN architecture with Cisco routers and ASA firewalls, connecting them in the GUI as you would a standard network diagram in Visio or OmniGraffle. Better still, each of the routers and firewalls could be booted in emulation, configured, tweaked, and tested, and the configuration pulled off for use in production. It has proven to be invaluable in this time of Cisco supply woes.

Bring your own Cisco IOS

Note that GNS3 provides an emulation framework only. You have to supply your own IOS images to use any of the Cisco emulation tools. (Some Juniper devices are supported as well.) In the case of the Cisco ASA firewalls, a significant amount of manual labor is required to peel apart ASA images for use in QEMU. This part isn’t for the faint of heart, but in reality is not difficult, and it’s documented on a variety of sites discussing GNS3 and QEMU (for instance, see “How to emulate Cisco ASA”).

Another caveat is that you’re on your own. Since GNS3 and QEMU aren’t exactly supported by Cisco, there’s no vendor hand-holding. Versions of ASA code over 8.1 aren’t functional at the moment, but ASA version 8.02 appears to function just fine.

For Cisco routers, it’s much simpler. Select a router model, point GNS3 at the IOS image, and up it comes. It boots in a matter of seconds too.

In the GUI editor, you can add interface modules to the routers, select the link types you want to use (ATM, T1, Fast Ethernet, Gigabit Ethernet), and link the routers, firewalls, and even emulated host systems. Virtual Ethernet and ATM switches are available with VLAN and trunking support.

I’ve found that GNS3 functions best on the Linux platform, and there are step-by-step guides to install it on Ubuntu. The Windows version comes complete with all the requisite supporting packages, and the Mac OS X version provides everything but QEMU, which can be a hassle to install unless you’re versed in the use of MacPorts. I built my installation on CentOS with few problems other than compiling Qt 2.4.3, SIP, PyQt, and a patched QEMU from scratch. All told, the install on CentOS took about 45 minutes, mostly waiting for various packages to compile. On Windows, the install is basically just a double-click, roughly the same for Ubuntu.

Once you have everything in place and built your virtual network, each device can be accessed via console. In my setup, I emulated the Layer-3 switched environment of three sites connected by 100Mbit links to a central router that functioned as the provider cloud. I was able to configure and test internal routers for each site, and do all the LAN-to-LAN VPN configurations on the ASAs. I was also able to implement all of the OSPF over VPN and QoS configurations that would be necessary in the production environment and to test the rule sets. In order to run full testing of QoS rules and whatnot, hosts were needed at each virtual site to generate certain types of traffic. Luckily, that’s not a problem in GNS3.

I built a custom Qemu image of a minimal CentOS 5.4 system and linked it to GNS3. This allowed me to drop several virtual Linux systems into each emulated site. Once they booted, they were the perfect tools to test the entire network configuration. It does take some twiddling to get the images right. They must be set to boot with a serial console if you wish to use GNS3’s built-in console connections, and CentOS’s habit of trying to get DHCP for each new interface is a bummer when you have six interfaces per virtual host. But once those hurdles are overcome, the image can be dropped into the network anywhere in a matter of seconds.
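The two guest-image tweaks described above (a serial console for GNS3’s built-in console connections, and no DHCP probing on every interface) can be scripted. The following is an added example, not code from the article or from the GNS3 project. It assumes a CentOS 5-style guest filesystem (grub.conf, SysV inittab, ifcfg-ethN files) mounted or copied under a directory you pass in, a 9600-baud serial console, and placeholder addressing of 10.255.N.10/24 per NIC that you replace with your lab’s addressing. The sample guest tree it builds to exercise itself is constructed for the demo.

```bash
#!/bin/sh
# Added example (not from the article): prepare a CentOS 5-style guest tree
# for use as a GNS3/QEMU host. Assumption: $1 is the guest root directory
# with CentOS 5 layout (boot/grub/grub.conf, etc/inittab, etc/securetty,
# etc/sysconfig/network-scripts/).

# Build a small constructed sample guest tree so the script can be run
# without a real disk image (values below are illustrative only).
make_sample_root() {
    root="$1"
    mkdir -p "$root/boot/grub" "$root/etc/sysconfig/network-scripts"
    cat > "$root/boot/grub/grub.conf" <<'EOF'
default=0
timeout=5
title CentOS (sample)
        root (hd0,0)
        kernel /vmlinuz ro root=/dev/sda1
        initrd /initrd.img
EOF
    cat > "$root/etc/inittab" <<'EOF'
id:3:initdefault:
1:2345:respawn:/sbin/mingetty tty1
EOF
    printf 'console\ntty1\n' > "$root/etc/securetty"
}

# Apply the serial-console and static-NIC changes. Safe to run twice:
# each change is skipped when it is already present.
prepare_guest() {
    root="$1"
    nics="${2:-6}"   # the article's hosts had six NICs each
    speed=9600       # assumption: console speed used for the QEMU serial port

    # 1. Kernel messages on the first serial port (keep tty0 as well), by
    #    appending to every "kernel" line of grub.conf.
    grub="$root/boot/grub/grub.conf"
    grep -q "console=ttyS0" "$grub" || {
        sed "s|^\([[:space:]]*kernel .*\)|\1 console=tty0 console=ttyS0,${speed}|" \
            "$grub" > "$grub.tmp" && mv "$grub.tmp" "$grub"
    }

    # 2. A getty on ttyS0 so GNS3's console window gets a login prompt,
    #    and ttyS0 in securetty so root may log in there.
    grep -q "ttyS0" "$root/etc/inittab" || \
        echo "S0:2345:respawn:/sbin/agetty ttyS0 ${speed} vt100" >> "$root/etc/inittab"
    grep -q "^ttyS0$" "$root/etc/securetty" || echo ttyS0 >> "$root/etc/securetty"

    # 3. One ifcfg file per NIC with BOOTPROTO=none (no DHCP) and a
    #    placeholder static address, so boot does not stall on DHCP timeouts.
    i=0
    while [ "$i" -lt "$nics" ]; do
        cat > "$root/etc/sysconfig/network-scripts/ifcfg-eth$i" <<EOF
DEVICE=eth$i
ONBOOT=yes
BOOTPROTO=none
IPADDR=10.255.$i.10
NETMASK=255.255.255.0
EOF
        i=$((i + 1))
    done
}

# Number of interfaces in the tree that are configured without DHCP.
count_static_nics() {
    grep -l '^BOOTPROTO=none$' "$1"/etc/sysconfig/network-scripts/ifcfg-eth* 2>/dev/null \
        | wc -l | tr -d ' '
}

# Demo on a constructed sample tree in a temporary directory.
demo_root=$(mktemp -d)
make_sample_root "$demo_root"
prepare_guest "$demo_root" 6
grep kernel "$demo_root/boot/grub/grub.conf"
echo "static NICs: $(count_static_nics "$demo_root")"
rm -rf "$demo_root"
```

Run it against the mounted root of the guest image (for example `prepare_guest /mnt/guest 6`) before converting or copying the image into GNS3; the placeholder 10.255.N.10 addresses are meant to be edited per site.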

GNS3 also has the capability to pull the running configurations from all of the routers at once and save them to a specified directory. This isn’t possible for the ASAs, as they are not emulated the same way as the routers, but it’s not difficult to pull those configurations either. Also, GNS3 allows for the inclusion of a “cloud” in the virtual network that can be linked to a physical Ethernet interface on the host system, so your virtual network can connect to the real world should you need that. There’s also built-in support for packet capture, so you can pull apart traffic flowing across your simulated links and dig right into the stream with Wireshark.

GNS3 gotchas

I have a few tips for those who want to give this a shot. First, Dynamips can put a hurt on your host CPU resources. This is because the emulator essentially runs full-steam for every emulated router, no matter what the processing requirements for that router may be at the moment. Even an idle router is using 100 percent at the emulation level. There’s a facility to combat this, called Idle PC, which seeks to determine the router’s functional level when idle. When this is properly configured, the CPU utilization drops dramatically. Second, it pays to read the forum threads carefully when peeling apart your ASA images. There are a few scripts that can greatly ease the initial setup.

I did run into a few bugs here and there, involving the occasional inability to delete links if one of the routers on that link was deleted prior to the link itself. Nevertheless, generally speaking, GNS3 is fairly tight, considering the work it can do. Finally, there are a few operational limitations. For instance, GNS3 doesn’t support Cisco 2800- and 3800-series routers, or ASA version 8.2 or later as of now, but that might change in the future.

As it stands, I was able to use GNS3 to build and thoroughly test a large, complex network topology using real addressing, and then save off my configurations. When Cisco finally does find a few ASA 5510s for this project, I’ll be able to drop those configs on them and have the network up and running extremely quickly. Naturally, GNS3 is also an excellent way to test proposed network configuration changes, and it’s an easy way to train for Cisco certification exams. If you have the required IOS or Juniper images, it’s worth the time.

This story, “Emulating Cisco networks for fun and profit,” was originally published at InfoWorld.com.