Home
Microsoft

Thursday 6 May 2021

Home Lab Step-by-Step Part-4-virtual router

 

In my previous post HomeLab Step-by-Step Part-3-Networking, we have completed configuration of required port groups, datastore etc. Now we are ready to start deployment of virtual router.

We will be creating a network topology shown in this image.



In any datacenter (physical/virtual) we always keep management network separate from data network. For management of our nested SDDC we have kept vlan 1611 with network range 172.16.11.x mask address 255.255.255.0 and gateway 172.16.11.254.

Hence, we will start the deployment of the CSR1000v router on the management network.

We have renamed default PG “VM network” to “External-192.168.1.x” on vSwitch0, to achieve the network topology shown in the above Image.


Let's start, Login to ESXi with root credentials, navigate to Virtual machines and select the option “Create/Register VM”.

It will open “New virtual machine” wizard, here we decide if we want to use ISO for deployment or OVA/OVF file. We will use the OVA file we downloaded in our post HomeLab Step-by-Step Part-2-Hostconfig. If you have not you can download from this link.

Name the virtual machine, select OVA file and click next.

Select storage to host virtual router, and click next.

Select the network mapping, at the moment we will keep all the network cards attached to 1611 management vlan, we will update this once we will start configuring the router. We will keep the disk provisioning as thin and we want this to power on automatically upon completion. Click next.


Review the settings and click on finish.

Once Virtual router is deployed and powered on, wait for 10 minutes before starting next step. Open VM console and once you get system configuration dialog, answer no and hit enter, let the router complete its boot process.

Once the boot process is complete, just click inside the console and hit enter once, you will be getting the screen as shown in below image. This is User EXEC mode. 

Now we will start the configuration of the router, to start we need to enter into Globalconfiguration, which can entered from PrivilegedEXEC mode, first we need to enter command enable followed by config t, now we can start putting the configuration. I would recommend running “wr mem” command after every configuration to save it.

Enter command “hostname csr01-a”, press enter.

Once hostname is configured, we will secure the router console with the password, in order to set the password for access we need to enter in to console line mode.

  • line console 0
  • password password (you can choose password of your choice)
  • login
  • Exit
  • exit
  • exit (Last exit will take you to console screen)


Press enter and you will be presented with login screen, enter the console password

Let’s disable the dns lookup for each word which is not a command, we will use the command “no ip domain-lookup”

In Lab environment I prefer to disable auto log off from console, using the commands

  • Line console 0
  • Exec-timeout 0 0
  • exit

When we deployed this appliance, we had 3 NIC cards, now we will disconnect 2 of them and we will configure management range gateway.

Now check the status of all the attached interfaces, run command “sh ip int brief”


By default, all the interfaces are admin down, hence we will run the command “no shut” for the range of interfaces. Now you will see one interface has status “up” and remain are “down”.


Let’s assign the management range gateway IP on the first interface, 172.16.11.254 mask address 255.255.255.0

Int gigabitethernet 1

Ip address 172.16.11.254 255.255.255.0

Exit

Now go to the edit settings of the virtual machine and connect second adaptor to vmotion port group. And assign vMotion range gateway address to the second adaptor following the same process we used for management address. IP address 172.16.12.254 mask 255.255.255.0

Add additional adaptors and follow above steps for rest of the gateways, once completed edit setting screen and interface summary inside the router console would look something like this.


Now we have all the interfaces configured for Layer 3 of our nested SDDC, however in order to reach to the Nested networks from external network we need to create a default route in our virtual router pointing to the physical router gateway address, and create return routes on our physical router for nested networks. You need to check on your home router, how to put a return route for these networks.

Command to enter route in virtual router is "ip route 0.0.0.0 0.0.0.0 192.168.1.254"

Enter command "copy running-config startup-config" at the end of the configuration and successful testing.


Below image shows, routes I have added in my physical router (Home Router).

Routes added on physical router

After this we are ready to route traffic between these networks as well as connectivity to external world is also established, that too we are not using any physical uplink connected to our NESTED virtual switch, everything is routed thru CSR1000v router we deployed, and topology which I have shown in the beginning is achieved. Let’s do few ping tests from my base machine connected to 192.168.1.x network and validate gateway reachability.

Test 1 for vlans 1611,1612,1613,1614


Test 2 for vlans 2711, 2712, 2713


As all tests are successful, now we are good to move to the next part of the lab where we need to deploy services such as AD, DNS, DHCP and iSCSi server for shared storage of our nested environment.

You can run some additional commands on your virtual router to enable access thru SSH, I have not enabled it as I am ok accessing it thru console.

I am listing down the commands for your reference.

  • ip domain-name yourdomainname (ex. ip domain-name vmwarensxcloud.com)
  • crypto key generate rsa

enter the bits value as 1024

Create a user for SSH access, using command

  • User “username” privilege 15 password “password”

Run below command to enable password encryption

  • service password-encryption
  • line vty 0 4
  • transport input ssh
  • login local
  • exit
  • exit
  • copy run start

Now you should be able to SSH to your virtual router as well.

                                             

In our next post Home Lab Step-by-Step Part-5-Infrastructure Services we will deploy a windows server which will provide services such as,

  • Active Directory
  • DNS
  • DHCP
  • iSCSi server.

I hope I was able to add value, if your answer is yes, then don't forget to share and subscribe. 😊

If you want me to write on specific content or you have any feedback on this post, kindly comment below.

If you want, you can connect with me on Linkedin, and please like and subscribe my youtube channel VMwareNSXCloud for step by step technical videos.

Affiliate link of home router I am using for this setup.

35 comments:

  1. Awesome .. Thanks a lot for taking time for this ....

    ReplyDelete
  2. I cannot thank you enough Paddy. It means a lot for putting the lab layout. I'm pleased this is the first blog series I have seen where you have clearly described how to do nested lab with "Single PNIC". I look forward to reading your blog. Likewise, I would be glad to share this over LinkedIn. You might be surprised, that I saw this blog via Facebook...
    If you are also on linkedin, let me know I will tag you.....Preetam Zare

    ReplyDelete
    Replies
    1. Dear Preetam,

      Thank you for your kind words, I am glad to know that it is helping. :)

      Delete
  3. Hello,

    As per the above screenshot where we are binding the CIDR gateway address to the router interface. There is a IP address 192.168.1.30, is it interface IP of the physical NIC or the Gateway address of the external CIDR ( 192.x.x.x)

    Also in the below you have mention 192.168.1.254 as a gateway address for the 192 CIDR..


    kindly clarify

    ReplyDelete
    Replies
    1. Dear,
      192.168.1.254 is my physical router, 192.168.1.30 is the interface ip of the Virtual CSR1000v router.

      Now the static routes I have created on my physical router are pointing to interface IP of the csr and .254 is the gateway for any traffic which needs to go out of our network (eg internet).

      Hope this helps!

      Delete
  4. Hello,

    Do we have any kind of dependency on exposing the vmotion traffic to the external network ?

    ReplyDelete
    Replies
    1. There is no such dependency, in real environments vmotion networks should only be Layer 2.

      Delete
  5. Hi Bro.

    I am stuck at the step below.

    Enter command "copy running-config startup-config" at the end of the configuration and successful testing.

    alos how do you have opened the router console which is shown the blogs?


    ReplyDelete
    Replies
    1. Hi Abhijit,

      I have opened the console of the virtual machine we have deployed, Login to Physical ESXi, navigate to virtual machines, select the Router VM and click on the console, or right click on the VM>>console and select console.
      VMware Article for reference : https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.hostclient.doc/GUID-A51A6608-FCBC-435C-A3C2-CE7F5C72A4C9.html


      About copy running-config startup-config command, please share the error which you are getting, so that I can help with that. This is the command used in cisco IOS to save running config (stored in RAM) to start up config (which is stored in NVRAM)

      Delete
    2. Sorry to say I am not taking about the router vm Access I was saying that the console of connectivity view and change the router settings option ..

      Delete
    3. I understand what you are referring, I hope it should be clear now.

      Delete
  6. I cannot download the OVA image of the router you are using, I don't have CSR1000v image and I cannot download it because my account in Cisco is limited can you uploaded it on Google Drive and share the link please or share any downloadable link as I need to follow all your series and this will help me a lot ?.

    ReplyDelete
  7. you have to add one important command (login local) after the configuration of the SSH because my virtual router didn't work until I added this command

    ReplyDelete
    Replies
    1. Dear Mosab, Thank you for catching the missed entry, updated the commands.

      Delete
  8. Hi you really did great on this posts series, thanks man!

    ReplyDelete
  9. hello. Thanks for your lab instruction. However, im confused by your screenshots in this post. First you tell us to config CSR gi1 as 172.16.11.254 ( vm network adaptor 1)
    Then your next screenshot shows gi1 now having a 192.168.1.30 address, and you have moved the 172.16.11.254 address to vm network adaptor 2. Can you confirm that these screenshots and your accompanying text is out of sync ?

    ReplyDelete
    Replies
    1. When I did the configuration on my router I assigned first interface to external port group which is visible in the screenshots I shared. however you can do that with the 8th adaptor when you follow the post from start. This shouldn't confuse you as interface IP should match the port group that interface is connected. Hope it helps.

      Delete
  10. Hi Pradhuman,

    What type of router did you use for home internet, my home ISP router doesn't have option to add static route.

    Thanks.
    Dualeh

    ReplyDelete
    Replies
    1. I am using a linksys router, which has option to create static routes. However if you do not have that option then you can use NAT feature of virtual router.
      Please add below commands on your virtual router instance. Replace x with the interface where external IP is configured.
      #config t
      #interface gig "X"
      #ip nat outside

      now in below commands replace X with remaining interfaces one by one.
      #config t
      #interface gig "X"
      #ip nat inside
      #exit
      #wr mem

      Then create accesslist, replace X with external network IP interface
      #config t
      #access-list 10 permit any
      #ip nat inside source list 10 interface gig X overload
      #do write
      #exit

      After adding this config to your CSR you would be able to access internet on internal subnets.

      Delete
    2. I'm also having this same issue as Dualeh and hoping you can assist

      My router (google nest wifi - 192.168.86.1) is behind ISP router (only being used as direct connect to google router "wan" - 192.168.1.254). Since google router has no config to add static routes, I followed the above instructions to add ip nat with all interfaces. After doing this I still cannot ping internal networks form outside. Is this expected since there are no return routes?

      My thinking is the nat rules above add the needed connectivity to from internal 172 networks to outside. Would you be open to chat offline for assistance?

      Delete
    3. Dear Javier,

      You are correct this opens communication for internal subnets to internet however outside network is not aware of these networks. Internet will work on these subnets but accessing these subnets without proper routing is a challenge.

      Delete
  11. Thank you so much Pradhuman, appreciated. one question, did you use physical switch, i followed and insert above command my virtual router but still i cannot ping different network, did you create svi on each network. I am connecting laptop with wifi 192.168.1.x, so when i ping any network from my laptop e.g 172.16.11.254 i am not able to reach none of them. on virtual router i create static route point to my external G/W 192.168.1.254.

    ReplyDelete
    Replies
    1. Dear Dualeh,

      I ran these commands on virtual CSR1000V router to enable NAT feature, as you stated your physical home router is not capable of adding static routes.

      Share your mail address with me and May be we can look into your issue together.

      Delete
  12. Hi Pradhuman,

    You did great job on the series. But it's for nested environment. Recently I am also setting up the VCF 4.3 in production environment and stuck on the CB validation process. There are many warnings there mostly on network. I am confused on the network configuration and the deployment-parameter excel. Could you help me out of that? Many thanks if you can help. My email: kingright@126.com could we discuss in the email?

    ReplyDelete
    Replies
    1. Hi Dear, Please check your mail. If its ok connect on linkedin and we can chat for fast response.

      Delete
  13. Hello Pradhuman! Very nice guides you have here. My question is in regards license of this cisco virtual router. I read that after the evaluation is over you're limited to a few kilobytes of traffic throughput. Is that so for the version of the router that you share the link here?

    ReplyDelete
    Replies
    1. Dear Serega, you are right it has an evolution license. I will share a post on another option of router which can be leveraged to achieve this. CSR gives a good understanding on basic config of cisco devices which are generally used in DC space.

      Delete
  14. my wireless access point does not have the feature to configure static route to get connectivity to outside world. I have followed the same configuration as described in this post and have also use NAT feature of virtual router but can't still get to the outside world. Any idea what I should do?

    ReplyDelete
  15. Hi Pradhuman,

    I really appicate the great effort in making this amazing lab! i did follow all the steps to the end however right now i am having a sever slowness in my lab, i did an invitation and i found out that cisco csr 1000v router comes with a default throughput of 2.5 mb. i do really believe it's the reason behind this slowness. do you have any thoughts on how to overcome this challenge?

    ReplyDelete
    Replies
    1. please note that i am currently trying to deploy nsx t however the slowness in logging to the nested esxi hosts are not letting me procced.

      Delete
    2. Dear Malek,

      I would suggest you to deploy NSX-T manager on your physical host and manage your nested hosts with the manager. Secondly about speed issue yes you are right CSR free license has speed limitation. To overcome that you can use another virtual router such as PFsense or vyos.

      Delete
  16. Dear Pradhuman,

    Thank you so much Pradhuman, appreciated. I have a question that: I have a VM1 with vlan 1611, i can not ping to VM2 with vlan 2711, 2712, 2713. VM1 can ping to VM3 with vlans 1612, 1613, 1614.

    I don't know why i can not ping to vlan 2711, 2712, 2713. Please help me.

    ReplyDelete
  17. Hi,
    I need help with this design to create trunk network on vlan 4095 and assign this vlan to nested hosts and migrate hosts from VSS to VDS

    ReplyDelete

Popular posts