
Example Cisco IOU Topology

by Jeremy L. Gaddis on January 21, 2011

in Networking

Here’s an example topology for Cisco IOU to help you get started:

In this example, SF is an IOU instance running on host “solaris”. IOUlive is also running on this host, bridging SF’s Ethernet0/0 interface to my physical network (and to the world).

SJ1, SJ2, and SJ3 are IOU instances running on host “helium”.

The Ethernet1/0 interface on SF and the Ethernet0/1 interface on SJ1 are connected, even though they are on separate physical hosts.

The Ethernet0/0 interfaces on SJ1, SJ2, and SJ3 are connected, sharing a common network segment.

Last, SJ2 and SJ3 are connected via their Serial1/0 interfaces.

Hopefully, this should be good enough to demonstrate the various options for connecting IOU instances.

The NETMAP file

When connecting IOU instances across physical hosts, the hosts should share a common NETMAP file. If it isn’t possible to use NFS, you’ll need to duplicate the file on each host. I’m not running NFS at home, so I’ve simply copied the file over to both hosts.

The IOU instance IDs are assigned as follows:

  • SF : 100
  • SF : 199 (IOUlive)
  • SJ1 : 151
  • SJ2 : 152
  • SJ3 : 153

Here’s what my NETMAP file looks like:

100:0@solaris 199:0@solaris
100:1@solaris 151:16@helium
151:0@helium 152:0@helium 153:0@helium
152:1@helium 153:1@helium
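
Because each host keeps its own copy of the file when NFS isn't available, the copies can drift apart. The following is an added example, not part of the original post, that parses a NETMAP, flags endpoints or instance IDs that are wired inconsistently, and lists segments that differ between two copies. The "helium" copy is a constructed sample and the function names are illustrative.

```python
import re

# NETMAP from this post, as kept on host "solaris".
NETMAP_SOLARIS = """\
100:0@solaris 199:0@solaris
100:1@solaris 151:16@helium
151:0@helium 152:0@helium 153:0@helium
152:1@helium 153:1@helium
"""
# Constructed sample: the copy on "helium" after a one-sided edit that reuses
# endpoint 153:0 and places instance 152 on the wrong host.
NETMAP_HELIUM = NETMAP_SOLARIS.replace(
    "152:1@helium 153:1@helium", "152:1@solaris 153:0@helium")

ENDPOINT = re.compile(r"(\d+):(\d+(?:/\d+)?)@([\w.-]+)")

def parse_netmap(text):
    """Return the set of segments; a segment is a frozenset of (id, port, host)."""
    segments = set()
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        matches = [ENDPOINT.fullmatch(tok) for tok in line.split()]
        if None in matches or len(matches) < 2:
            raise ValueError(f"line {n}: expected two or more id:port@host entries")
        segments.add(frozenset((int(m[1]), m[2], m[3]) for m in matches))
    return segments

def lint(segments):
    """Report endpoints wired into two segments and IDs tied to two hosts."""
    problems, seen, hosts = [], set(), {}
    for seg in sorted(segments, key=sorted):
        for inst, port, host in sorted(seg):
            if (inst, port) in seen:
                problems.append(f"endpoint {inst}:{port} is in more than one segment")
            seen.add((inst, port))
            if hosts.setdefault(inst, host) != host:
                problems.append(f"instance {inst} is mapped to more than one host")
    return problems

def drift(a, b):
    """Segments found in only one of two NETMAP copies, as sorted strings."""
    return sorted(" ".join(f"{i}:{p}@{h}" for i, p, h in sorted(seg)) for seg in a ^ b)

if __name__ == "__main__":
    a, b = parse_netmap(NETMAP_SOLARIS), parse_netmap(NETMAP_HELIUM)
    print(lint(a), lint(b), drift(a, b), sep="\n")
```
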

Connect SF to the real world

I’ll start by firing up the SF router on solaris:

$ ./unix-js-m 100
IOS On Unix - Cisco Systems confidential, internal use only
Port 0 is connected to:
        199:0@solaris
Port 16 is connected to:
        151:16@helium

...output snipped...

Next, I’ll start up IOUlive so that SF is connected to my physical network:

$ ./ioulive /dev/hme0 199
Port 0 is connected to:
        100:0@solaris

/dev/hme0 is the NIC on solaris that is connected to my network.

I’ll bring up the Ethernet0/0 interface on SF:

SF# conf t
Enter configuration commands, one per line.  End with CNTL/Z.
SF(config)# interface ethernet 0/0
SF(config-if)# ip address 203.0.113.2 255.255.255.0
SF(config-if)# no shutdown

Verify I can ping my (physical) router:

SF(config-if)# do ping 203.0.113.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 203.0.113.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 20/33/40 ms

So SF, an IOU instance, has connectivity with my physical router at home, a Cisco 1811. Just for good measure, let’s add a default route and see if we can ping hosts on the Internet:

SF(config-if)# exit
SF(config)# ip route 0.0.0.0 0.0.0.0 203.0.113.1
SF(config)# do ping 4.2.2.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/50/72 ms

Looks like we’re all set!

Bring up SJ1

Now let’s bring up the SJ1 IOU instance on helium:

$ ./i86bi_linux-ipbase-ms -e 1 -s 0 151
***************************************************************
IOS On Unix - Cisco Systems confidential, internal use only
Under no circumstances is this software to be provided to any
non Cisco staff or customers.  To do so is likely to result
in disciplinary action. Please refer to the IOU Usage policy at
wwwin-iou.cisco.com for more information.
***************************************************************
Port 0/0 is connected to:
        152:0@helium
        153:0@helium
Port 0/1 is connected to:
        100:1@solaris

...output snipped...

Connect SJ1 to SF

Now that SJ1 is up, let’s get it connected to the SF router:

SF(config)# int e1/0
SF(config-if)# ip addr 10.0.0.1 255.255.255.0
SF(config-if)# no shutdown

SJ1# conf t
Enter configuration commands, one per line.  End with CNTL/Z.
SJ1(config)# int e0/1
SJ1(config-if)# ip address 10.0.0.2 255.255.255.0
SJ1(config-if)# no shutdown

Note that SF is running on the physical host “solaris”, a Solaris 8/SPARC box, and SJ1 is running on the physical host “helium”, an Ubuntu 10.04/x86 box.

Let’s verify we have connectivity:

SJ1(config-if)# do ping 10.0.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 20/28/40 ms

Now we’ll bring up the Ethernet0/0 interface on SJ1 that shares a segment with SJ2 and SJ3:

SJ1(config-if)# int e0/0
SJ1(config-if)# ip addr 10.123.123.1 255.255.255.0
SJ1(config-if)# no shutdown

Bring up SJ2

Let’s bring up the SJ2 instance:

$ ./i86bi_linux-ipbase-ms -e 1 -s 1 152
***************************************************************
IOS On Unix - Cisco Systems confidential, internal use only
Under no circumstances is this software to be provided to any
non Cisco staff or customers.  To do so is likely to result
in disciplinary action. Please refer to the IOU Usage policy at
wwwin-iou.cisco.com for more information.
***************************************************************
Port 0/0 is connected to:
        151:0@helium
        153:0@helium
Port 1/0 is connected to:
        153:1@helium

...output snipped...

Let’s configure the Ethernet0/0 and Serial1/0 interfaces:

SJ2# conf t
Enter configuration commands, one per line.  End with CNTL/Z.
SJ2(config)# interface ethernet 0/0
SJ2(config-if)# ip address 10.123.123.2 255.255.255.0
SJ2(config-if)# no shutdown
SJ2(config-if)# interface serial 1/0
SJ2(config-if)# ip address 10.10.23.2 255.255.255.0
SJ2(config-if)# no shutdown

Verify we can ping SJ1’s Ethernet0/0 interface:

SJ2(config-if)# do ping 10.123.123.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.123.123.1, timeout is 2 seconds
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 4/6/8 ms

Bring up SJ3

Now we’ll bring up the SJ3 router:

$ ./i86bi_linux-ipbase-ms -e 1 -s 1 153
***************************************************************
IOS On Unix - Cisco Systems confidential, internal use only
Under no circumstances is this software to be provided to any
non Cisco staff or customers.  To do so is likely to result
in disciplinary action. Please refer to the IOU Usage policy at
wwwin-iou.cisco.com for more information.
***************************************************************
Port 0/0 is connected to:
        151:0@helium
        152:0@helium
Port 1/0 is connected to:
        152:1@helium

...output snipped...

Configure Ethernet0/0 and Serial1/0:

SJ3# conf t
Enter configuration commands, one per line.  End with CNTL/Z.
SJ3(config)# interface ethernet 0/0
SJ3(config-if)# ip address 10.123.123.3 255.255.255.0
SJ3(config-if)# no shutdown
SJ3(config-if)# interface serial 1/0
SJ3(config-if)# ip address 10.10.23.3 255.255.255.0
SJ3(config-if)# no shutdown

Verify we can ping SJ1 and SJ2’s Ethernet0/0 interfaces:

SJ3(config-if)# do ping 10.123.123.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.123.123.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms
SJ3(config-if)# do ping 10.123.123.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.123.123.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms

Verify we can ping SJ2 over the Serial1/0 interface:

SJ3(config-if)# do ping 10.10.23.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.23.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/12/12 ms

Great, full connectivity so far! Let’s enable OSPF on SF and SJ1:

SF(config-if)# router ospf 42
SF(config-router)# network 10.0.0.1 0.0.0.0 area 0

SJ1(config-if)# router ospf 42
SJ1(config-router)# network 10.0.0.2 0.0.0.0 area 0
SJ1(config-router)# network 10.123.123.1 0.0.0.0 area 0

Make sure the OSPF adjacency between SF and SJ1 came up:

SF(config-router)# do sh ip ospf neigh

Neighbor ID     Pri   State           Dead Time   Address         Interface
10.123.123.1      1   FULL/BDR        00:00:36    10.0.0.2        Ethernet1/0

Let’s look at the routing table on SF:

SF(config-router)# do sh ip route | begin Gateway
Gateway of last resort is 203.0.113.1 to network 0.0.0.0

C    203.0.113.0/24 is directly connected, Ethernet0/0
     10.0.0.0/24 is subnetted, 2 subnets
O       10.123.123.0 [110/20] via 10.0.0.2, 00:00:50, Ethernet1/0
C       10.0.0.0 is directly connected, Ethernet1/0
S*   0.0.0.0/0 [1/0] via 203.0.113.1

Inject default route into OSPF

Since SF has a route to the world, let’s have it inject a default route into OSPF:

SF(config-router)# default-information originate

Make sure it shows up on SJ1:

SJ1(config-router)# do sh ip route | begin Gateway
Gateway of last resort is 10.0.0.1 to network 0.0.0.0

O*E2  0.0.0.0/0 [110/1] via 10.0.0.1, 00:00:44, Ethernet0/1
      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C        10.0.0.0/24 is directly connected, Ethernet0/1
L        10.0.0.2/32 is directly connected, Ethernet0/1
C        10.123.123.0/24 is directly connected, Ethernet0/0
L        10.123.123.1/32 is directly connected, Ethernet0/0

Configure default route on SJ2 and SJ3

On SJ2 and SJ3, let’s configure a default route towards SJ1:

SJ2(config-if)# ip route 0.0.0.0 0.0.0.0 10.123.123.1
SJ3(config-if)# ip route 0.0.0.0 0.0.0.0 10.123.123.1

Make sure SF can talk to SJ2 and SJ3:

SF(config-router)# do ping 10.123.123.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.123.123.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/44/60 ms
SF(config-router)# do ping 10.123.123.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.123.123.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/52/88 ms

Configure NAT on SF

Now that we have full connectivity, let’s configure NAT on the SF router so that SJ1, SJ2, and SJ3 can talk to the outside world:

SF(config-router)# interface ethernet 0/0
SF(config-if)# ip nat outside
SF(config-if)# interface ethernet 1/0
SF(config-if)# ip nat inside

We’ll need an ACL matching the source addresses to translate, of course:

SF(config-if)# ip access-list standard NAT
SF(config-std-nacl)# permit 10.0.0.0 0.0.0.255
SF(config-std-nacl)# permit 10.123.123.0 0.0.0.255
SF(config-std-nacl)# permit 10.10.23.0 0.0.0.255

Last, we’ll use “ip nat …” to tell SF how to work its magic:

SF(config-std-nacl)# ip nat inside source list NAT int e0/0 overload
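
To confirm which sources the NAT list actually selects, here is an added example (not from the original post) that applies standard-ACL wildcard matching to the interface addresses configured above. The LAB table and the function names are assumptions made for the illustration.

```python
import ipaddress

# Entries of "ip access-list standard NAT" as entered on SF: (address, wildcard).
NAT_ACL = [
    ("10.0.0.0", "0.0.0.255"),
    ("10.123.123.0", "0.0.0.255"),
    ("10.10.23.0", "0.0.0.255"),
]

# Interface addresses assigned in this post, keyed by router and interface.
LAB = {
    ("SF", "Ethernet0/0"): "203.0.113.2",   # NAT outside interface
    ("SF", "Ethernet1/0"): "10.0.0.1",
    ("SJ1", "Ethernet0/1"): "10.0.0.2",
    ("SJ1", "Ethernet0/0"): "10.123.123.1",
    ("SJ2", "Ethernet0/0"): "10.123.123.2",
    ("SJ2", "Serial1/0"): "10.10.23.2",
    ("SJ3", "Ethernet0/0"): "10.123.123.3",
    ("SJ3", "Serial1/0"): "10.10.23.3",
}

def _u32(dotted):
    """Dotted-quad IPv4 string as a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))

def first_match(acl, source):
    """Index of the first permit entry matching source, or None (implicit deny).

    Bits set to 1 in the wildcard are ignored; every other bit must equal the
    entry's address. This also handles non-contiguous wildcards.
    """
    for i, (addr, wildcard) in enumerate(acl):
        care = ~_u32(wildcard) & 0xFFFFFFFF
        if _u32(source) & care == _u32(addr) & care:
            return i
    return None

def untranslated(acl, addresses):
    """Router/interface pairs whose address no ACL entry permits."""
    return sorted(k for k, ip in addresses.items() if first_match(acl, ip) is None)

if __name__ == "__main__":
    for key, ip in LAB.items():
        print(key, ip, first_match(NAT_ACL, ip))
    print("not selected for NAT:", untranslated(NAT_ACL, LAB))
```
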

Verify connectivity

At this point, all routers should have connectivity to the outside world. Let’s verify from SJ2 and SJ3 by pinging a couple of well-known public DNS servers:

SJ2(config)# do ping 4.2.2.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/55/128 ms

SJ3(config)# do ping 8.8.8.8

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 80/100/120 ms

Looks like everything is working properly.

Verify Internet connectivity

Last, just for good measure, let’s connect to the web server this site runs on and issue a request:

SJ3(config)# do telnet 206.125.175.18 80
Trying 206.125.175.18, 80 ... Open
HEAD / HTTP/1.0

HTTP/1.0 200 OK
Date: Sat, 22 Jan 2011 22:52:01 GMT
Server: Apache/2.2.17 (FreeBSD) mod_ssl/2.2.17 OpenSSL/0.9.8n
X-Pingback: http://evilrouters.net/xmlrpc.php
Link: <http://wp.me/nzh6>; rel=shortlink
Connection: close
Content-Type: text/html; charset=UTF-8

[Connection to 206.125.175.18 closed by foreign host]

Summary

This post demonstrated a number of concepts that should be useful for those wanting to use IOU.

First, we showed how the routers connect “physically”.

Second, we showed how to construct a working NETMAP file to match our topology.

Third, we started up our IOU instances and connected them across hosts and to the outside world.

Fourth, we configured our routers (even configuring OSPF).

Last, we showed how to verify we had connectivity with the outside world.

I hope this post was helpful. I welcome your feedback in the comments section below!
