Channel: virtual networking – Virtually Fun

Nested VMWare ESXi


Virtual datacenter

My physical ESXi box, a lowly AMD FX 8320

One of the cooler features of VMWare 5 is that it is capable of running itself.  While it may seem silly at first, this is a great way to build a virtual environment where you can test scripts for provisioning (and destroying) stuff, along with testing API level calls without having to worry about screwing up production, begging for a ‘lab’ environment, or even better snapshotting the whole thing so you can revert whatever it is you are doing at a block level.  In short, virtual datacenters really rock, especially for people like me who like to play in a really destructive manner.

So the first thing is that for this test I’m going to use a ‘freebie’ ESXi that I’ve been using for quite some time.  Naturally this should work for version 6, but since the stuff that I’m testing is all in 5.0 and 5.5 (the majority being 5.5) I want to build a 5.5 environment.  In my insane scenario I have deployment access to a 2003 R2 x64 server with .net 2.0, and the majority of the environment I care about is VMWare ESX 5.5 along with vCenter 5.5 on Windows 2008 servers.  So trying to mirror this a bit, that means that I’m going to skip the newfangled appliance.  I don’t know if it really matters for what I want, but for the sake of trying to keep things the same I’m going to match what I can.

Creating the VMWare ESXi VM

I set up a generic ‘Other 2.6.x Linux (64-bit)’ VM, with a single socket, dual core processor, 4GB of RAM, an LSI SAS controller, a 32GB disk, and 3 NICs with the VMXNET3 driver.  For some reason I had to change the CPU to explicitly allow for hardware MMU emulation.

Hardware MMU emulation

It’s also worth mentioning that when you run ESXi on ESXi, for any physical adapter on which you want VMs launched by your virtual ESXi host to be able to communicate, you will need to enable the ‘Forged Transmits’ setting in the vSwitch properties.

vSwitch properties

With that in place, I was able to use my ESXi 5.5 ISO, and install into the VM.  There isn’t much to really say: the installer will install ESXi and reboot, and you get the console.

ESXi running on ESXi

I went ahead and gave this ESXi server a static address, and that was pretty much it for the server.

Installing vCenter

I went ahead and used an eval copy of 2008 R2 that is available at Microsoft here.  The installation is really simple, not much to say, but for my needs I gave the VM a static address.  HOWEVER I did NOT install Active Directory, as you cannot install vCenter onto a DC, and I really was not in the mood to have a DC along with a vCenter 2008 VM.  As I’m only interested in doing API testing, I don’t care about authentication plugins; I’m only concerned with other aspects.  Obviously if you do care, then you’ll want to install 2 2008 servers.  I gave my 2008 server a static address of 192.168.1.12 so that I could easily find it on the network post-install.

Since I have no imagination, I renamed the server “vcenter” which of course will factor into the login credentials later on.

My ‘client’ gave me the ISO for vCenter “VMware-VIMSetup-all-5.5.0-3254792-20151201-update03.iso” which of course needs to be installed onto the 2008 server.

install vSphere vCenter

I did the easy install, as again I’m not building a real enterprise.  However I should point out that the easy install has a habit of popping alerts and prompts UNDER the current window, so you could be waiting for quite a long long time for this to install when it really shouldn’t take all that long.  I also kept the option for the 2008 Express edition, as I’m not going to try to stress the count of VMs; 50 is far more than I require, as again I’m only interested in limited stuff at this point.

vCenter ‘simple install’ ports

Again I just selected the defaults for the install as I’m not all that worried.  Phew with all of that done, it’s now ready to use!

Logging in

Now I went ahead and hit the following site:

https://192.168.1.12:9443/vsphere-client/#

I went ahead and installed the plugin for a more ‘full’ experience with the web client.  The link is on the bottom of the page.

download this!

With all of that in place, I finally could use the web/flash site to login, using the local administrator account.  However upon logging in the domain was barren, no vcenters no data centers, nothing.

Empty data-center!

Obviously I must have screwed something up!  Even worse using the ‘fat’ C#/J# client (that I still love…) I would simply get this fun error:

You do not have permission to login to the server!

What? I don’t have permission?

A little digging around, and I found out of course, that it is because I don’t have an Active Directory, and that for ‘workgroup’ installs like this, you need to simply login as administrator@machine.local or ‘administrator@vsphere.local’ in my case, using the password that had to be set during the SSO installation.

Login

And now I was prompted to create my data-center, and add in the ESXi server into the virtual data-center.

vCenter is now operational

So now I have a virtual vCenter, along with an ESXi host to deploy stuff onto, and destroy all I want.  Even better VMWare Player & VMWare Fusion can also run ESXi nested, so you can take your virtual data-center with you on a laptop!  You can boot 2008 with vCenter in 2GB of RAM, although it really should have 4GB if not more, and with 4GB for an ESXi server that would be 8GB+ on any laptop or desktop.  However I’m lucky my ESXi server has 32GB of RAM, and my laptop has 16.  So it’s also a great excuse to upgrade!

Thanks for reading about Nested VMWare ESXi and you can find many more on my actual blog: Fun with virtualization.


Getting started with cisco VIRL L2 virtual Ethernet switches


Well, for the longest time there was no generally available way to emulate a cisco L2 switch.  Right before Dynamips was abandoned, in 0.28RC1, there was actually some work on the Catalyst 6000 Supervisor 1 line card, although no interfaces are supported, and it was largely seen as impossible at the time.

While there may have been leaks of the internal IOU or IOS on UNIX, these are even more dubious than buying your own cisco 7200 and running that IOS on Dynamips.  Indeed in the old days you’d no doubt find people with home labs that look something like this:

My sad lab.

So yeah, I know it’s not new but it was new to me.  But yes, VIRL is something us mere mortals can buy without a CCIE on hand, or a multi-million dollar contract on hand.  It isn’t free, but compared to everything else cisco sells it’s cheap…

So VIRL comes in a few different flavors.  They do have an ISO to run on bare metal x86 machines, OVAs for deployment on VMWare Workstation, and ESXi (Although for player you’ll have to get VIX and the vmnet config util from workstation, as I went through here & here).

Although that’s not so much what I’m interested in.  As always I’m more interested in something that lets me run it on my own.

Downloading the l2 image

So as of today, the latest file is vios_l2-adventerprisek9-m.vmdk.SSA.152-4.0.55.E, with the MD5 checksum of 1a3a21f5697cae64bb930895b986d71e.

So as a first test, you can run the L2 image with Qemu/KVM!  I found it works better renaming vios_l2-adventerprisek9-m.vmdk.SSA.152-4.0.55.E to vios_l2-adventerprisek9-m.vmdk.SSA.152-4.0.55.E.vmdk, otherwise there were some issues with Qemu picking up the image.

The command line for a switch can be a little crazy, so I’ll break some of it up onto separate lines.  This way you can see that I bound a few interfaces to listen on UDP, while most of them are unbound, but you get the idea.  Naturally, it being a cisco product, it drives with a serial console.

qemu-system-i386w.exe
-m 768M
-smp cpus=1
-boot order=c
-drive file=vios_l2-adventerprisek9-m.vmdk.SSA.152-4.0.55.E.vmdk,if=ide,index=0,media=disk
-serial telnet:127.0.0.1:5000,server,nowait
-monitor tcp:127.0.0.1:51492,server,nowait
-net none -device e1000,mac=00:2e:3c:92:26:00
-device e1000,mac=00:2e:3c:92:26:01,netdev=gns3-1
-netdev socket,id=gns3-1,udp=127.0.0.1:10003,localaddr=127.0.0.1:10002
-device e1000,mac=00:2e:3c:92:26:02
-device e1000,mac=00:2e:3c:92:26:03
-device e1000,mac=00:2e:3c:92:26:04
-device e1000,mac=00:2e:3c:92:26:05,netdev=gns3-5
-netdev socket,id=gns3-5,udp=127.0.0.1:10000,localaddr=127.0.0.1:10001
-device e1000,mac=00:2e:3c:92:26:06 -device e1000,mac=00:2e:3c:92:26:07
-device e1000,mac=00:2e:3c:92:26:08 -device e1000,mac=00:2e:3c:92:26:09
-device e1000,mac=00:2e:3c:92:26:0a -device e1000,mac=00:2e:3c:92:26:0b
-nographic

In some ways, this is very much like running Solaris on QEMU via a serial console.  Once booted up, if you grab the console you’ll see:

l2’s grub console

Now, while I think it’s interesting to play with, I know many people don’t like to set up and run a dozen programs manually, so how do we get this to run under GNS3?

As of right now the current version is 1.5.3, so let’s step through this real quick

Version 1.5.3

First when you fire it up (by default) you’ll get the option to specify using a local server

use local server

Next you will want to check the box to add a Qemu VM

Add a Qemu VM

Give it a name like adventerprisek9-m.vmdk.SSA.152-4.0.55.E… or anything else you wish to call it.

give it a name

Next I set the emulator to qemu-system-i386.exe and give it 768MB of RAM.

set the Qemu emulator & RAM

Hit next, and then it’ll prompt to select a disk image.  In this example, remember I had renamed the downloaded VIRL image to have a VMDK extension.

select the image

Then GNS3 will prompt to add it to the default images directory

add it to the images directory

After that the wizard is complete.

Then finish

However there are still a bunch of settings that need to change.  If you don’t make these changes you’ll have a switch with a single Ethernet port, and you will only be able to deploy a single switch, so that won’t be any fun!

Once the wizard has finished you’ll be in the Preferences.  Just hit edit, on the template we just added, or otherwise it’s under Edit->Preferences.

Hit edit

First thing is kind of cosmetic, but go ahead and set the Category to Switches, so that way it ‘flows’ nice in the UI.

set category

Next hit the Network tab, and then add some adapters.

set the adapters to something more usable like 12

I’ve set the switch to 12 adapters.  The default of 1 isn’t too useful.  Next up hit the Advanced settings tab.  Be sure to un-check the ‘Use as a linked base VM’ . This will let you deploy multiple copies.  On Windows there is some weird issue where changes are seemingly not saved, so be sure to have a config backup strategy beyond saving the config locally.

uncheck the Use as linked base VM

Great, hit OK, and now we’ve got our L2 template for GNS3!

As a bonus, I put it on Linux, and it’ll run under KVM, however if you use the cisco downloaded files, you’ll see this error while booting:

-Traceback= 1DBB7C8z 8DBFE5z 90522Ez 904F50z 904D5Dz 900F45z 901B7Bz 901B0Fz 8D7C0Dz 8D7B0Dz 887061z 8BAE73z 8B9FD7z 8B7827z 8BCCC4z 8C0587z – Process “Async write process”, CPU hog, PC 0x008D7D62

Over and over, and it’ll be generally slow.  For some reason KVM/Qemu on Linux is struggling with the VMDK.  So the solution is to simply convert it from a VMWare VMDK into a Qcow2 image with:

qemu-img convert -f vmdk -O qcow2 vios_l2-adventerprisek9-m.vmdk.SSA.152-4.0.55.E.vmdk  vios_l2-adventerprisek9-m.vmdk.SSA.152-4.0.55.E.qcow2

Now using the qcow2 file, the switch will boot up just fine!

For any reference I’m running Ubuntu 16.10

and the KVM version is:

# kvm --version

QEMU emulator version 2.6.1 (Debian 1:2.6.1+dfsg-0ubuntu5.3), Copyright (c) 2003-2008 Fabrice Bellard


TACACS for Windows


So, in my fun and excitement I was putting together a ‘cisco’ network using dynamips that spans a few sites across the world.  I’m using ancient copies of NT for some servers, although I plan on adding in some 386BSD, SunOS SPARC, and maybe even 68010 based, along with other stuff.

I have the routers running fine, but I felt like adding some kind of external authentication service, and TACACS certainly fits the bill!  And to be all vintage as usual, I’m not going to use TACACS+ as it’s simply too new, and too big.  So first things first, I need a copy of the source to TACACS as I’m certainly not going to write my own!  I found this directory on ftp.funet.fi which has a bunch of old cisco related material, and sure enough there is a tacacsd.c

Even better it’s from 1989 which suits my need for something positively ancient, and simple enough to be a single C file.

/*
 * TACACS daemon suitable for using on Un*x systems.
 *
 * Janruary 1989, Greg Satz
 *
 * Copyright (c) 1989 by cisco Systems, Inc.
 * All rights reserved.
 */

Porting it to run on Winsock really wasn’t all that hard; I had it running as a standalone program within a few minutes.  However there is no password file in NT, so as a simple test, I had simply short-circuited the username lookup to always succeed, along with the password compare.

Since I have VMWare Player installed on my machine, I can use the VMNet 8 connection to talk to my host computer.  The hard part of course is trying to figure out which NIC is which, but dynamips -e will give you a list like this:

Cisco Router Simulation Platform (version 0.2.16-experimental(merge uppc smips)Build-1-x86/MinGW stable)
Copyright (c) 2005-2011 Christophe Fillot.
Build date: Dec 15 2016 04:20:41

Pcap version [WinPcap version 4.1.3 (packet.dll version 4.1.0.2980), based on libpcap version 1.0 branch 1_0_rel0b (20091008)]
Network device list:

   \Device\NPF_{D3DF08C4-7A33-4FE2-9351-000153705A30} : VMware Virtual Ethernet Adapter
   \Device\NPF_{3FB194EF-F3A4-45F2-AFAB-A4ABA98E8FF7} : Qualcomm Atheros Ar81xx series PCI-E Ethernet Controller
   \Device\NPF_{C46B48B8-74E1-4938-9BFE-E407949A7940} : Microsoft
   \Device\NPF_{F72C65CD-C6BC-44FE-9019-C5057DB1D9AB} : VMware Virtual Ethernet Adapter
   \Device\NPF_{CE75B9C1-8189-4C8F-8EF6-6CEB0C6D0329} : Microsoft
   \Device\NPF_{737A8B62-9A87-4739-9CC2-BF05CDC315D0} : Microsoft

And with that information, we are good to go!  Since I’m doing a simple test here, I don’t need anything other than a single ethernet to talk to my host, so here is a VERY simple cli to run dynamips:

..\dynamips.exe -P 7200 ..\c7200-is-mz.19991126.bin -t npe-200 -p 0:C7200-IO-FE -s 0:0:gen_eth:\Device\NPF_{D3DF08C4-7A33-4FE2-9351-000153705A30}  --idle-pc 0x604f1da0 -X

And I’m off booting!

Cisco Router Simulation Platform (version 0.2.16-experimental(merge uppc smips)Build-1-x86/MinGW stable)
Copyright (c) 2005-2011 Christophe Fillot.
Build date: Dec 15 2016 04:20:41

Pcap version [WinPcap version 4.1.3 (packet.dll version 4.1.0.2980), based on libpcap version 1.0 branch 1_0_rel0b (20091008)]
Idle PC set to 0x604f1da0.
IOS image file: ..\c7200-is-mz.19991126.bin

ILT: loaded table "mips64j" from cache.
ILT: loaded table "mips64e" from cache.
ILT: loaded table "ppc32j" from cache.
ILT: loaded table "ppc32e" from cache.
vtty_term_init
CPU0: carved JIT exec zone of 64 Mb into 2048 pages of 32 Kb.
C7200 instance 'default' (id 0):
  VM Status  : 0
  RAM size   : 256 Mb
  IOMEM size : 0 Mb
  NVRAM size : 128 Kb
  NPE model  : npe-200
  Midplane   : vxr
  IOS image  : ..\c7200-is-mz.19991126.bin

Loading ELF file '..\c7200-is-mz.19991126.bin'...
ELF entry point: 0x80008000

C7200 'default': starting simulation (CPU0 PC=0xffffffffbfc00000), JIT enabled.
mips64_test.s ROMMON emulation microcode.

mips64_test.s Launching IOS image at 0x80008000...
Self decompressing the image : ####()## [OK]

              Restricted Rights Legend

Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

           cisco Systems, Inc.
           170 West Tasman Drive
           San Jose, California 95134-1706

Cisco Internetwork Operating System Software
IOS (tm) 7200 Software (C7200-IS-M), Experimental Version 12.0(20000110:181554) [otroan-thanksgiving-rel 175]
Copyright (c) 1986-2000 by cisco Systems, Inc.
Compiled Thu 20-Jan-00 15:07 by otroan
Image text-base: 0x60008900, data-base: 0x613D0000

cisco 7206VXR (NPE200) processor with 253952K/8192K bytes of memory.
R5000 CPU at 200Mhz, Implementation 35, Rev 1.2
6 slot VXR midplane, Version 2.1

Last reset from power-on
Bridging software.
X.25 software, Version 3.0.0.
1 FastEthernet/IEEE 802.3 interface(s)
125K bytes of non-volatile configuration memory.
4096K bytes of packet SRAM memory.

65536K bytes of ATA PCMCIA card at slot 0 (Sector size 512 bytes).
8192K bytes of Flash internal SIMM (Sector size 256K).

         --- System Configuration Dialog ---

Would you like to enter the initial configuration dialog? [yes/no]: no

Press RETURN to get started!

Next I need to take note of how VMWare & Windows have configured my VMNet8 adapter, and configure the router accordingly:
Ethernet adapter VMware Network Adapter VMnet8:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::fcd4:2983:bcba:2d63%19
   IPv4 Address. . . . . . . . . . . : 192.168.254.1
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :

So I’m using 192.168.254.1/24, so let’s set up the router.  Let’s give it a .10 for the heck of it.  Also I’m going to turn off DNS name resolution for the moment.

00:00:02: %DEC21140-3-DUPLEX_SPEED: FastEthernet0/0 doesn't support the configured duplexand speed combination
00:00:02: %DEC21140-3-DUPLEX_SPEED: FastEthernet0/0 doesn't support the configured duplexand speed combination
00:00:02: %DEC21140-3-DUPLEX_SPEED: FastEthernet0/0 doesn't support the configured duplexand speed combination
00:00:32: %LINK-5-CHANGED: Interface FastEthernet0/0, changed state to administratively down
00:00:32: %SYS-5-RESTART: System restarted --
Cisco Internetwork Operating Sys
Router>
Router>tem Software
IOS (tm) 7200 Software (C7200-IS-M), Experimental Version 12.0(20000110:181554) [otroan-thanksgiving-rel 175]
Copyright (c) 1986-2000 by cisco Systems, Inc.
Compiled Thu 20-Jan-00 15:07 by otroan
00:00:33: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to down
Router>ena
Router#config t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#int fa0/0
Router(config-if)#ip address 192.168.254.10 255.255.255.0
Router(config-if)#no shut
Router(config-if)#exit
Router(config)#ip route 0.0.0.0 0.0.0.0 192.168.254.1
00:01:29: %DEC21140-3-DUPLEX_SPEED: FastEthernet0/0 doesn't support the configured duplexand speed combination
00:01:31: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
00:01:32: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
Router(config)#no ip domain-lookup
Router(config)#exit
Router#wr
Building configuration...
[OK]
Router#
00:01:39: %SYS-5-CONFIG_I: Configured from console by console

And if everything is going well, I can now ping from Windows!
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Users\neozeed>ping 192.168.254.10

Pinging 192.168.254.10 with 32 bytes of data:
Reply from 192.168.254.10: bytes=32 time=54ms TTL=255
Reply from 192.168.254.10: bytes=32 time=31ms TTL=255
Reply from 192.168.254.10: bytes=32 time=31ms TTL=255
Reply from 192.168.254.10: bytes=32 time=31ms TTL=255

Ping statistics for 192.168.254.10:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 31ms, Maximum = 54ms, Average = 36ms

C:\Users\neozeed>

Awesome!  Pinging from the cisco however fails.
Router#ping 192.168.254.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.254.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

This fails as Windows by default has its firewall on, which then blocks all incoming traffic. However to see that the ICMP would have succeeded, you can look at the arp table, and the .1 address should have been learned:

Router#show arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.254.1           0   0050.56c0.0008  ARPA   FastEthernet0/0
Internet  192.168.254.10          -   ca00.3730.0000  ARPA   FastEthernet0/0

We can either disable the firewall, or we can add a rule to permit ICMP. To do either you need to go to the firewall control panel in Windows.  In this quick example, I’m going to build a rule using the firewall control panel.

So hit the advanced settings to the left.

Click on the ‘Inbound Rules’, and now we are going to create a new rule.

Select a Custom Rule

Allow ‘All Programs’

Then set the protocol to ICMPv4

Now we can select the scope of the rule, in this case we are going to allow the 192.168.254.0/24 network to pass icmp traffic to us.  Add it as a source and destination.

In this quick example I’m applying it everywhere.  I suppose a better  setup would be to make sure the VMNet 8 adapter is a ‘Private’ network, and ONLY apply this to the Private domain.

Then give it a name, something like ‘ICMP for VMnet8’

Router#ping 192.168.254.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.254.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/30/36 ms

And now we can ping!

Now for the fun, I go ahead and compile my hacked up tacacsd.c, and run it, and then permit it to run on all networks:

And now I can configure the router to use TACACS.  Keep in mind, once again, that this is *NOT* TACACS+ so this is done a little differently.  I’m going to simply set TACACS for telnet connections.

Router#config t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#tacacs-server host 192.168.254.1
Router(config)#line vty 0 4
Router(config-line)#login tacacs
Router(config-line)#exit
Router(config)#enable password 0 cisco
Router(config)#exit
Router#wr
Building configuration...
[OK]
Router#
00:01:28: %SYS-5-CONFIG_I: Configured from console by console

And now I’m ready to test!
User Access Verification

Username: user
Password:
Router>who
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:01:11
*  2 vty 0     user       idle                 00:00:00 192.168.254.1

  Interface  User      Mode                     Idle Peer Address

Router>

As you can see I logged in as ‘user’ … and keep in mind my TACACS simply permits anything. As for what tacacsd runs by default:
D:\dynamips\tacacs>tacacsd.exe
server starting
using port 12544
validation request from 192.168.254.10
query for user (pw->pw_gecos) accepted

It’s not exciting, but as you can see it is attempting to look through the gecos to verify the user, but in this case I just allow anything.  And besides just granting anyone the ability to login, let’s take a look on the wire:

WireShark capture of TACACS traffic

As you can see the username & password go over the wire in plain text.  Even the response is simple enough to decode:

Access granted!

Needless to say this is something that you would NEVER EVER EVER run in a real network.  Of course a system that sits on telnet is vulnerable anyways, but I suppose a TACACS server that lets anyone log in, makes either a VERY trusting network, or a good honeypot.  Against my better judgement, here is tacacsd_win32.c  Naturally it could be easily made to verify passwords against pretty much anything.
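The plain-text exchange described above can be decoded in a few lines of C. This is an added example, not part of tacacsd.c or the original post; it assumes the simple-form UDP layout from RFC 1492, the function names are made up for illustration, and the sample packets (including the password) are constructed rather than taken from the capture.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simple-form TACACS header per RFC 1492 (assumed layout): 6 bytes, then data.
 *   query:  version | type | nonce(2) | user len | password len | user | password
 *   answer: version | type | nonce(2) | response | reason                        */
#define TAC_HDR_LEN  6
#define TAC_QUERY    1   /* router asks: is this user/password valid? */
#define TAC_ANSWER   2   /* server reply */
#define TAC_ACCEPTED 1
#define TAC_REJECTED 2

struct tac_msg {
    uint8_t  version;    /* 0 = simple form */
    uint8_t  type;
    uint16_t nonce;      /* copied into the reply so the router can match it */
    char     user[256];  /* query only */
    char     pass[256];  /* query only: no encryption, no hashing */
    uint8_t  response;   /* answer only */
    uint8_t  reason;     /* answer only */
};

/* Decode one UDP payload. Returns 0 on success, -1 if the packet is truncated,
 * not simple form, or of a type this example does not decode. */
int tac_parse(const uint8_t *p, size_t len, struct tac_msg *m)
{
    memset(m, 0, sizeof *m);
    if (len < TAC_HDR_LEN)
        return -1;
    m->version = p[0];
    m->type    = p[1];
    m->nonce   = (uint16_t)((p[2] << 8) | p[3]);
    if (m->version != 0)
        return -1;
    if (m->type == TAC_ANSWER) {
        m->response = p[4];
        m->reason   = p[5];
        return 0;
    }
    if (m->type != TAC_QUERY)
        return -1;
    /* The length bytes come from the network: check them against the
     * datagram size before copying, or a short packet reads past the buffer. */
    size_t ulen = p[4], plen = p[5];
    if (TAC_HDR_LEN + ulen + plen > len)
        return -1;
    memcpy(m->user, p + TAC_HDR_LEN, ulen);        /* at most 255 bytes, stays NUL-terminated */
    memcpy(m->pass, p + TAC_HDR_LEN + ulen, plen);
    return 0;
}

/* 1 if the message carries a recoverable password, for flagging in a capture. */
int tac_exposes_credentials(const struct tac_msg *m)
{
    return m->type == TAC_QUERY && m->pass[0] != '\0';
}

/* Constructed sample packets (not taken from the capture in the post). */
static const uint8_t SAMPLE_QUERY[] = {
    0x00, 0x01, 0x12, 0x34, 0x04, 0x06,
    'u', 's', 'e', 'r', 'l', 'a', 'b', '-', 'p', 'w'
};
static const uint8_t SAMPLE_REPLY[] = { 0x00, 0x02, 0x12, 0x34, 0x01, 0x00 };
/* Claims a 64-byte username but carries only 4 bytes of data. */
static const uint8_t SAMPLE_BAD[] = {
    0x00, 0x01, 0x12, 0x34, 0x40, 0x06, 'u', 's', 'e', 'r'
};

int main(void)
{
    struct tac_msg m;
    if (tac_parse(SAMPLE_QUERY, sizeof SAMPLE_QUERY, &m) == 0)
        printf("query  nonce=0x%04x user=%s pass=%s exposed=%d\n",
               m.nonce, m.user, m.pass, tac_exposes_credentials(&m));
    if (tac_parse(SAMPLE_REPLY, sizeof SAMPLE_REPLY, &m) == 0)
        printf("answer nonce=0x%04x %s\n", m.nonce,
               m.response == TAC_ACCEPTED ? "accepted" : "rejected");
    printf("malformed -> %d\n", tac_parse(SAMPLE_BAD, sizeof SAMPLE_BAD, &m));
    return 0;
}
```

Nothing in the packet authenticates the server either: the reply is matched to the query only by the 16-bit nonce.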


Running Netware 3.12 on Qemu / KVM 2.8.0


So yeah, let’s build a NetWare 3.12 server! I’ve covered this over and over and over, but heh let’s do it again!

First things first, the default position of the NE2000 card at 0x300/IRQ 9 does NOT WORK.  This is the biggest stumbling block, and time waster right there.  I loaded a PCnet driver, and it didn’t lock, but it didn’t work.  I loaded 2 ne2000’s thinking the second would come up in the correct position but that didn’t work either.  The solution of course is to dive into the parameters for QEMU to drive devices.

So for the fun of it, here is how I’m going to run this in a nested VM.  It’s also why I didn’t bother enabling the ‘-enable-kvm’ flag.  Although on a real machine I would.

qemu-system-i386 -m 16 \
-cpu 486 \
-net none \
-vnc :1 \
-device ne2k_isa,mac=00:2e:3c:92:11:01,netdev=lan,irq=11,iobase=0x320  \
-netdev vde,id=lan,sock=/tmp/local \
-hda netware312.qcow2 \
-hdb netware312_data.qcow2 \
-parallel none \
-monitor tcp::4400,server,nowait

So the key portion here is the iobase & irq.  This lets me sidestep the IRQ 9, port 0x300 issue.  Talking to the monitor and running ‘info qtree’ I’m able to look at the parameters that I can pass the network card:

bus: isa.0
type ISA
dev: ne2k_isa, id ""
  iobase = 800 (0x320)
  irq = 11 (0xb)
  mac = "00:2e:3c:92:11:01"
  vlan =
  netdev = "lan"
  isa irq 11

As you can see there are actually a few further things I could have set, but the key ones here are the iobase, the irq, the mac address, and then assigning it to a netdev, which in this case I then bind to a VDE.

Now the fun part goes back to the old days of Netware when your network could run several possible frame types.  If you have 2 machines with different frames, they will not see each other.  It was a cheap way to hide networks, well, until the widespread availability of sniffers.  Naturally cisco and Novell have different terms for the same things.  Below are the ones that are relevant to Ethernet:

Frame Types

Novell            cisco
ETHERNET_802.3    novell-ether
ETHERNET_802.2    sap
ETHERNET_Snap     snap
ETHERNET_II       arpa

So in my case on my Netware server I simply load my NE2000 like this:

LOAD NE2000 PORT=320 INT=A FRAME=ETHERNET_802.3
BIND IPX TO NE2000 NET=800852

Next on my cisco router I simply need:
ipx routing ca00.06a3.0000

interface FastEthernet0/0
ipx network 800852

And now I can see my server from the router:
HKOffice#sho ipx servers
Codes: S - Static, P - Periodic, E - EIGRP, N - NLSP, H - Holddown, + = detail
U - Per-user static
1 Total IPX Servers

Table ordering is based on routing and server info

Type Name Net Address Port Route Hops Itf
P 4 HONGKONG 852.0000.0000.0001:0451 2/01 1 Fa0/0
HKOffice#

And the interface looks busy on NetWare

NetWare 3.12

NetWare servers advertise their internal networks, much like how people should be using loopback adapters in OSPF, or EIGRP … So if you check the IPX routing table, you’ll see the wire route to the internal network:

HKOffice#sho ipx route
Codes: C - Connected primary network, c - Connected secondary network
S - Static, F - Floating static, L - Local (internal), W - IPXWAN
R - RIP, E - EIGRP, N - NLSP, X - External, A - Aggregate
s - seconds, u - uses, U - Per-user static/Unknown, H - Hold-down

2 Total IPX routes. Up to 1 parallel paths and 16 hops allowed.

No default route known.

C 800852 (NOVELL-ETHER), Fa0/0
R 852 [02/01] via 800852.002e.3c92.1101, 150s, Fa0/0

Just like that!

One thing to note, on VDE, I had an issue where the NetWare server takes about a minute before it’ll see traffic.  It could be my IOS for all I know…..


Multiplayer Macintosh Plus via Javascript/


I found this fun page over on retroweb.maclab.org.  What is interesting is that it incorporates PeerJS and WebRTC to allow for a virtual network, letting you play multiplayer AppleTalk.  Just enable the network, and scan for other users.

It’s pretty cool, in a zero config kind of way!

PCE-MacPlus

And for coolness it’ll embed in a snazzy picture of a Mac Plus.  Although you can magnify the screen, so you don’t have to squint so much.


What is a VLAN (part 1)


I got this question the other day, and I thought I’d make something of it.

“What is a VLAN?”

And more importantly…

Do you know of a good tutorial  / tool / game that I can use to understand vlans?

Sure do, GNS3.  So in this series as I know I’ll have to break it up as it’s going to be a LOT of images, I’m going to go over the installation of GNS3 on Windows (I’m not interested in obsolete package versions on whatever distro of the minute is the fancy in Linux world), I’ll go over how to use QEMU to install a Windows NT VM, go over how networking works with a simple hub, then install two switches, a trunk connection, and show how to observe the VLAN tagging in action.  Then add in other VM’s and more VLANs and then go over bridging vs routing.

The installation options are pretty simple.  I’m going to just stick with the default.

You can install it wherever you like.  You don’t have to install it on the C drive if you do not wish to.

And with that, hit next and it’s installed.

I’m not interested in the solar winds stuff, so I just declined.  Nothing was missed.  After that go ahead and launch GNS 3, and you are welcomed with this screen.

I’m going to run everything on my computer.  I’m not going to get into slave machines, or even wondering why they don’t just launch multiple instances of dynamips where needed.  Or even what capabilities there are or even at the moment trying to force my MinGW Dynamips into the project.

It’ll pick a port and host binding.  It really doesn’t matter too much; maybe you want it for a proper LAN connection.  Again I’m focused on using this as a self contained thing, so the default option ought to work.

And with that said we can now move onto configuring a QEMU template for Windows NT (part 2).


What is a VLAN (part 6)


With Windows NT installed, it’s time to look at it on the network side.

The killer feature of GNS3 is that we can inspect traffic everywhere we draw a connection.  So simply right click on the connection from the Qemu VM to the Hub, and you can start a packet capture.

GNS3 will then prompt what the link type media is, in this case it’s Ethernet, and what the link name is.  After hitting OK, it’ll then start WireShark on the virtual link.

And in no time we can see the NT machine broadcasting on the network.  OK everything is looking fine.

As you can see our packet is an 802.3 Ethernet packet, with a LLC header, and a NetBIOS packet.  This is what we are expecting as the connection to the hub is ‘raw’.

Now that we have verified that we can connect to the network and capture, we can close Wireshark.

We then should right click on the link, and tell it to stop capturing.

OK, now what about VLANs?  Let’s start with a simple lab.  We are going to get rid of the Hub for now, and add in two switches.  One switch will be our ‘core’ switch, the other will be our access switch.  We will then put our PC onto the access switch, and then set up an 802.1q trunk between the two switches, and then observe the NT broadcast traffic in the trunk so we can see the VLAN tag in action.

Right click on the hub, and delete it.

Yes we do want to delete it

Drag out a switch, and then right click and rename it to core.

Now we are going to configure the core switch.

Right click on the core switch, and choose configure.

By default every port is on VLAN 1, and is a port type of ‘access’.  You would typically connect end devices like servers to access ports.  I probably should have deleted them all, but since we are going from my session I deleted ports 0 & 1.

Now I’m going to add port 0 with a native VLAN of 1, but a type of dot1q. This port will be used to connect to the access switch.

And then port 1 will be an access port on VLAN 2.  Hit OK and it’ll close the window.

And we are good to go.

*HOWEVER* this is a source of some confusion at least for me.  Go back and right click on the core switch, and look at the ports.  GNS3 for me changed the port numbers so it did not preserve my port choices, however there is still an access port on VLAN 2, and an 802.1q port.

As you can see on the core switch, port 6 is now the dot1q trunk port, and port 7 is the VLAN 2 access port.

Add in a second switch, and change its hostname to access.

Now let’s configure this switch the same way we configured the core.

Same steps, in that we delete some ports first

Add in an access port for the Qemu PC on VLAN 2

And then add in a port with a type of dot1q, and a native VLAN of VLAN 1.

And our access switch is configured, so you can hit OK.

As you can see GNS3 has changed our trunk port to port 7, and our Qemu access port is now port 6.  This should be a bug…

So with this confusion in mind we connect port 7 of the access switch to port 6 of the core switch, by selecting the cable tool, and the appropriate ports.

And we will now have connected the two switches.  Now to connect the Qemu PC.

Again using the cable tool, it’s the only port on the Qemu VM

And to port 6 of the access switch.

Now we can start a capture on the connection between the two switches.  Right click on the link and start the capture.  It’ll be the same as last time, the default options are fine, and it’ll start Wireshark.

Now when the NT server sends a packet on the network, the access port is in VLAN 2.  Broadcast packets will be sent to all the other member ports on the network; in this case we do have an access port on the core switch in VLAN 2.  But while the packet is going between switches it needs a way to identify what VLAN the traffic came from, so as you can see from the capture there is now another protocol layer going on.  In this case we have an Ethernet II packet, but now the next layer is the 802.1Q frame, which gives the priority level along with the VLAN number.  Then the NetBIOS packet is under that.  As you can see it is *NOT* TCP/IP only; rather, any Ethernet frame can be carried in a VLAN, and across 802.1q links it is transmitted by encapsulating the packet in an 802.1q header to keep track of which VLAN the traffic was bound to.

But how about data egressing on the other side?

Let’s take a HUB and drag it out to the infrastructure pane.

Now we are going to connect that hub on any port to the core switch.

In this case, port 7 was our access port on VLAN 2.

And now we can start a capture on the connection from the core switch to the hub.

And as you can see the NetBIOS arrives on the other side without any 802.1q header, and any machine on the other side wouldn’t even know it’s been through an 802.1q trunk, or that it’s even on a VLAN.
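The tagging seen in the two captures above, as an added Python example that is not part of the original post: it inserts the 4-byte 802.1Q tag into a frame, decodes it, and strips it again for an access port. The MAC addresses and payload are constructed sample data, and the function names belong to this example only.

```python
import struct

TPID_8021Q = 0x8100  # value in the type field that marks an 802.1Q tag

def add_tag(frame, vid, pcp=0, dei=0):
    """Trunk-port egress: insert the 4-byte tag right after the two MACs."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    if not (1 <= vid <= 4094 and 0 <= pcp <= 7 and dei in (0, 1)):
        raise ValueError("VID is 1..4094, PCP is 0..7, DEI is 0 or 1")
    tci = (pcp << 13) | (dei << 12) | vid  # 3 + 1 + 12 bits
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

def parse(frame):
    """Decode the layers a capture shows, for tagged and untagged frames."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    info = {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":"),
            "vlan": None, "pcp": None, "dei": None}
    offset = 12
    (type_len,) = struct.unpack_from("!H", frame, offset)
    if type_len == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, type_len = struct.unpack_from("!HH", frame, 14)
        info.update(vlan=tci & 0x0FFF, pcp=tci >> 13, dei=(tci >> 12) & 1)
        offset = 16
    # Up to 1500 the field is an 802.3 length (LLC follows); 0x0600 and
    # above it is an EtherType. The tag works the same for both.
    info["framing"] = "802.3/LLC" if type_len <= 1500 else "Ethernet II"
    info["type_len"] = type_len
    info["payload"] = frame[offset + 2:]
    return info

def egress_access(frame, access_vlan, native_vlan=1):
    """Access-port egress: forward only this VLAN's frames, tag removed.
    Untagged frames arriving on the trunk belong to the native VLAN."""
    info = parse(frame)
    tagged = info["vlan"] is not None
    vlan = info["vlan"] if tagged else native_vlan
    if vlan != access_vlan:
        return None  # not a member of this VLAN, so the frame is not sent
    return frame[:12] + frame[16:] if tagged else frame

# Constructed sample: 802.3 frame, LLC header (DSAP/SSAP 0xF0 = NetBIOS,
# control 0x03) and a dummy body, as the NT VM would send it untagged.
LLC_PAYLOAD = bytes([0xF0, 0xF0, 0x03]) + b"constructed NetBIOS body"
UNTAGGED = (bytes.fromhex("030000000001") + bytes.fromhex("020000000002")
            + struct.pack("!H", len(LLC_PAYLOAD)) + LLC_PAYLOAD)
TAGGED = add_tag(UNTAGGED, vid=2)  # what crosses the trunk for VLAN 2

if __name__ == "__main__":
    print(parse(TAGGED))
    print(egress_access(TAGGED, access_vlan=2) == UNTAGGED)
```

The frame leaving the VLAN 2 access port is byte-for-byte the frame that entered the other access port, which is why the far-side capture shows no trace of the trunk.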

So why use VLANs?  Isn’t it easy enough to add infrastructure for every network as needed?  Sure you *could* but it becomes very costly.  And you end up supporting quite a number of devices.  Then it never fails that you have one user or device in part of the network that doesn’t warrant a good network connection, but when it breaks, like it always does, they generate a lot of heat about it.  LAN segmentation is also a popular way for corporations to restrict internal access, as they can have firewalls to control traffic entering and leaving each network.  But doing this the old way means that every tiny move, add and change will require someone to do something physically, making it very expensive to maintain.  VLANs solve these issues by letting you deploy good infrastructure everywhere that everyone can benefit from, as they can share the hardware; with things like QoS you can ensure that they do not stomp on each-other for the uplinks, while they stay isolated in their own VLANs.

And what is the big deal with 802.1q?  Well going back to our VLANs vs using physical switches, if we had 1,000 VLANs on a switch, and we wanted to connect 300 of those VLANs to a single server without 802.1q you would need 300 network cards.  Just as adding another switch would require you to use 1,000 ports to carry all those VLANs from one switch to another.  By using 802.1q to tag each VLAN through the trunk port it lets you use a single physical connection, and appear on each network.

Hopefully this is enough to get you started, both in terms of how to set things up and what to look for.

Thanks for reading about What is a VLAN (part 6) and you can find many more on my actual blog: Fun with virtualization.

Virtual Xenix & the internet pt 2

So retrohun is doing their blog thing on github of all things, and the latest entry, is of course Xenix tales. As mentioned in comments on this blog & other places they found another driver for Xenix TCP/IP! Going back … Continue reading

Added UDP to Qemu0.90

Yes, I know it’s kinda pointless as it’s horribly out of date, but I’m still having fun. Anyways now it’ll integrate with dynamips! So yeah, in this example, instead of the usual “-net user” and the built in SLiRP stack, … Continue reading

Web Rendering Proxy – Overdue Status Update

(This is a guest post from Antoni Sawicki aka Tenox) There hasn’t been a major update to WRP (Web Rendering Proxy) in 5 years or so. Some new features have been added thanks to efforts of Claunia but the whole … Continue reading

WRP Runs on Windows

(This is a guest post by Antoni Sawicki aka Tenox) That’s right, the new beta version of Web Rendering Proxy runs natively on Windows. Single EXE, no libraries or dependencies required. Only Chrome Browser. I took an Internet Explorer 1.5 … Continue reading

WRP 3.0 Beta ready for testing

(This is a guest post from Antoni Sawicki aka Tenox) I have released WRP 3.0 for testing. It’s currently a browser-in-browser server rather than a true proxy, but that’s in the works. Please try it out and let me know. … Continue reading

WRP 4.0 Preview

(This is a guest post from Antoni Sawicki aka Tenox) Welcome a completely new and absolutely insane mode of Web Rendering Proxy. ISMAP on steroids! While v3.0 was largely just a port from Python/Webkit to GoLang/Chromedp, the new version is … Continue reading

Gmail on NT 3.51 with IE 1.5 via WRP

(This is a guest post by Antoni Sawicki aka Tenox) Just released WRP 4.1 beta. It can do this: Download here.

Web Rendering Proxy – Full Page Scrolling

(This is a guest post by Antoni Sawicki aka Tenox) Due to a popular demand I have added an option of generating full page height screenshot and allowing client browser to do the scrolling. This makes the browsing experience much … Continue reading

Re-visiting the SUN-2 emulator: Adding SLiRP!

While I’ve covered Brad Parker (lisper)’s ‘emulator-sun-2‘ before, booting into SunOS isn’t anything that new. However, with the latest updates, from github, adding in a prior botched attempt, and some messing around, and finally, I got it to ping at … Continue reading

Installing NetManage Chameleon on Windows 3.0!


After seeing the spotlight on Twitter from WinWorld on NetManage Chameleon, an old TCP/IP stack that supported Windows 3.0 (with more details over on the forum), I was inspired to set it up myself.

I did go a bit overboard showing how to install MS-DOS & Windows 3.0 on Qemu. Maybe it’ll help someone who wants to try to use Qemu, but is too scared? Maybe I moved too quickly.

One thing I did do differently in this run, is launching the monitor and a serial port as tcp servers so I could telnet into the VM, effectively having a way to share text like a clipboard back and forth. I’m kind of surprised I hadn’t really started using Qemu in this manner much earlier.

qemu.exe -L pc-bios ^
-m 16 ^
-hda apricot.vmdk ^
-net nic,model=pcnet -net user ^
-monitor telnet:127.0.0.1:4000,server,nowait ^
-serial telnet:127.0.0.1:4001,server,nowait ^
-fda yourdisk_here.vfd

It went surprisingly well, other than my goof of having the OS/2 driver instead of the MS-DOS driver for the NIC.

Sadly, the tn3270 program bundled with Chameleon doesn’t work properly with Hercules.

As always I’ve uploaded it to archive.org: apricot-dos4-win3-chameleon3.7z

Setting up SNA networking with Hercules using DLSw


I finally broke down and made a quick video on setting up the DLSw ‘lab’ that I had uploaded on Internet Archive.

See it works!

Although I should have gone more in depth with the cisco part.

Namely showing how to check the interfaces, the Ethernet L2 traffic, how DLSw peers, and then the establishment of the circuit once the session is established.

But I wanted to be quick. I don’t think I can edit a video that is up so I’ll probably follow it up with another quick video.

simple network diagram

Trying to put it into words, the Windows 3.1 VM hosts Extra! 4.2 talking SNA to the Loop_SNA virtual Ethernet interface, which then is connected to the virtual cisco router, which also has a TCP/IP enabled interface, Loop_TCPIP, which the host Windows 10 machine can talk to, allowing it to communicate with the Hercules VM which I had compiled to run as a native Win64 EXE for Windows.

Basically, at its heart, this is the important part of the cisco config:

source-bridge ring-group 1
dlsw local-peer peer-id 192.168.146.5
dlsw remote-peer 0 tcp 192.168.146.1
dlsw mac-addr 4000.1020.0100 remote-peer ip-address 192.168.146.1
dlsw udp-disable
dlsw transparent switch-support

interface FastEthernet0/0
 ip address 192.168.146.5 255.255.255.0
 no shut

interface Ethernet1/0
 dlsw transparent redundancy-enable 5555.5555.5000
 dlsw transparent map local-mac 4000.1020.0100  remote-mac 4000.0999.0100
 no shut

I used a ‘clean’ VMware virtual machine to host this test, just to show how to do the setup from scratch, taking nothing for granted.

Hopefully this explains it a bit better for those who wanted to know, along with the video to show the high level of it working. Not sure anyone would want to watch me stumble through setting up MVS, along with going into more detail on the cisco config & workstation config.

As always, thanks to 9track for providing the patches, and showing that this whole setup was possible!

The world vs NetBEUI


*UPDATE* Me from the future: I was kind of right in that something was missing. Nothing was eating the traffic; rather, 86box only had the all-MAC broadcast address set as a filter, and older protocols like NetBEUI instead use magical protocol-based multicast/broadcast addresses. Hopefully in an upcoming release of 86box it’ll be updated!

NetBEUI

I don’t know what is going on, other than it feels like something is filtering me on either Windows 10 or 11. I have a Windows 2000 server with NetBEUI running under Hyper-V, and trying to map to it from OS/2 using the Lan Manager 2.2 disks floating around (you have to merge them as some stuff is missing like #2 driver disks), lets you map directly but finding each-other seems to be difficult. Even trying to rebuild on the same machine using either a MS Loopback interface, or a VMware interface also has endless weirdness, or in the capture above they can be seen on Wireshark speaking but not hearing each-other. I thought it was LAN drivers, or the old friends, IO/IRQ/DMA channel issues, but after trying various configs, I tried TCP/IP and..

TCP/IP

They find each-other right away. Instantly, it just works. Have we hit the point where there are silent filters screwing up non-TCP/IP protocols using pcap injection on Windows? Am I going insane?

WLO for OS/2

Speaking of OS/2 weirdness, I was doing some SQL installs, and I came across disk images for 4.1A, and in there are the graphical tools for Windows & OS/2! Although I didn’t think Microsoft ever did port the graphical tools to OS/2, and I’d be right. However on setup disk 2 is WLO/Porthole! Turns out this was used in a shipping product! Unlike the one for Excel 3.0, or the applets, this installs into the C:\OS2\DLL directory! So, this is the real deal!

Admin 2000 from OS/2

I could logon to my Windows 2000 server from OS/2, but the opposite would never work. On the capture I just see it endlessly trying to find by name, but OS/2 is silent.

I must be missing something obvious somewhere.

I’m hoping to be building this towards something, so I’ll update later.

So, I used to think Lan Manager Domains and early NT Domains were the same thing


Obviously, this was wrong.

And besides the NetBEUI being eaten on the network for no reason I can see, as I’m sure these machines should be able to talk to each-other this was the end result:

The OS/2 domain is not a Windows NT domain

And what about not trying to create a machine account?

The domain controller for this domain cannot be located.

I should have expected this not to work.

Having dumped NetBEUI for TCP/IP, I can see them talk, it’s not a name resolution issue or anything like that. On the flip side can LAN Manager join a Windows NT domain? I’m not sure on that one either.

And not too surprising using the LAN Manager DOS client I can log onto the OS/2 domain just fine.

Kind of verbose and annoying but yes, it works!

However, despite LAN Manager 2.2 providing a TCP/IP stack to connect to both OS/2 and NT servers, there is no winsock interoperability dll. Do I really have to load more than one NIC and stack at the same time?!

The one thing I had been hoping to build up to was using mailslots, a UDP-like IPC/RPC mechanism from back in the old dark days of early LAN Manager 1.0. They can be broadcast to all nodes on the network that are listening by writing to \\*\MAILSLOT\<YOUR LOCAL BOX>. On the surface these broadcast type things are modern day terrible, we prefer lookup services like DNS, but in the 80’s it’s not like people were going to put tens of thousands of machines on a single network…

The Mandelbrot example

I cannot thank my Patrons enough for this attempt at doing something multitenant as I really did need Microsoft C 6, and the Windows 3.0 SDK. The example from the Lan Manager 2.0 Programmer’s Toolkit (Why was this stuff never in the base SDK?!) shows an OS/2 LAN Manager service providing rendering services over the network to render the Mandelbrot to the Win16 client. It’s actually very neat. It really gives OS/2 that pre-Windows NT feel, with the services as they are not in your face, although at the same time I’ve found that I had to do an interactive logon to get things started, so maybe LAN Manager OS/2 servers were not “Lights out”? I guess I need to look more into it, as it just feels more and more like NT OS/2 clearly grew out of OS/2 + LAN Manager.

Obviously as soon as I see this, thanks to getting my hands on the OS/2 6.78 network client, I also see it’s not only obsolete but going to be removed. If anything, it’s impressive that an OS/2 feature has remained in NT for so long.

The LAN Manager 1.0 disk sets, actually include headers & libraries, but no examples.

I had wanted to do something with TCP/IP and mailslots, and I had figured that Windows NT would be the best glue being in that perfect space of OS/2 compatibility and robust TCP/IP, but I wasted far too much time to basically see that if they are not part of the same domain, the mailslots just don’t work.

I haven’t given up, but I primarily used Netware for PC networking back in the 90’s so this is all kind of new to me. Looking through resource kits online there doesn’t seem to be a lot of material about integrating LAN Manager into a NT Domain.

I’ll have to re-think this.
