Wednesday, March 2, 2016

Quagga/Zebra - IOS like shell built in Linux

So today I'll be installing Quagga on CentOS, and turning that CentOS VM into an IOS-like router.

After that, the goal is to test said faux Cisco router in GNS3 with some 7200 images. It's actually a pretty cool little concept, even if the source code looks like it hasn't been updated in a couple of years. The concept? Take a Linux machine, slap a shell on it similar to Cisco IOS and use said Linux machine as a router. So, let's freaking do it!! I'll be using CentOS 7, because I love Red Hat. First things first, let's install CentOS (minimal install here, you can have a GUI if you want one), and update it.

I used the basic settings for RHEL 64-bit in VirtualBox, disabled the USB and audio controllers, and enabled the Serial Port but left it disconnected for now. I bolded 'enabled serial port' because that will be important later.

Now let's power this sucker on and boot from the CentOS 7 minimal install media. You can pretty much next->next->finish the install, however DO make sure you go into the Network & Hostname section to enable your network adapter and set a hostname.

Before installing Quagga and getting into the configuration, let's update our system and enable console access over the serial port.

Enable Serial Port

1) Add the two highlighted options, net.ifnames=0 and console=ttyS0, to the GRUB_CMDLINE_LINUX line in /etc/sysconfig/grub (net.ifnames=0 gives you legacy interface names, ie eth0; console=ttyS0 sends the kernel console to the serial port)

GRUB_CMDLINE_LINUX="crashkernel=auto rhgb quiet net.ifnames=0 console=ttyS0"

2) Run the following

stty -F /dev/ttyS0 speed 9600
grub2-mkconfig -o /boot/grub2/grub.cfg
systemctl start getty@ttyS0
systemctl enable getty@ttyS0

Install Quagga, configure selinux, and get base settings in place

1) Install quagga

yum install quagga -y
cd /etc/quagga/

2) Copy the sample conf files for OSPF and BGP into /etc/quagga/ (the doc directory name carries the package version, so a glob is used to match it)

cd /etc/quagga/
cp /usr/share/doc/quagga-*/ospfd.conf.sample .
cp /usr/share/doc/quagga-*/bgpd.conf.sample .
mv ospfd.conf.sample ospfd.conf
mv bgpd.conf.sample bgpd.conf

3) Change the owner and set proper permissions on ospfd.conf and bgpd.conf

chown quagga:quagga bgpd.conf 
chown quagga:quagga ospfd.conf
chmod 640 bgpd.conf 
chmod 640 ospfd.conf 

4) Configure selinux to allow zebra to write to config files

setsebool -P zebra_write_config 1

5) Enable IP forwarding (otherwise we'll just drop transit traffic). The line below is only read at boot, so it won't be live until you reboot or reload sysctl.

echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf

6) Make sure firewalld/iptables is disabled

[root@cent-router ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

[root@cent-router ~]# systemctl status firewalld
* firewalld.service
   Loaded: not-found (Reason: No such file or directory)
   Active: inactive (dead)

We can explore enabling firewall features in the future, but for now... we just want to route. Luckily the minimal install doesn't include either firewalld or iptables. That is fine for an isolated GNS3 lab; if this VM ever gets an adapter on a real network, keep the host firewall and only permit the routing protocols you actually run. If firewalld is running, issue the following:

systemctl stop firewalld
systemctl disable firewalld

7) Enable Zebra, OSPF, and BGP on boot and start services.

systemctl enable zebra.service
systemctl enable ospfd.service
systemctl enable bgpd.service 
systemctl start zebra.service 
systemctl start ospfd.service 
systemctl start bgpd.service 

8) Finally, test IOS-like shell.

[root@cent-router ~]# vtysh 

Hello, this is Quagga (version
Copyright 1996-2005 Kunihiro Ishiguro, et al.

cent-router# show run
Building configuration...

Current configuration:
hostname cent-router
hostname ospfd
log stdout
hostname bgpd
password zebra
interface enp0s3
 ipv6 nd suppress-ra
interface lo
router bgp 7675
 bgp router-id
line vty
cent-router# conf t

Beautiful!! Note the 'password zebra' line in the running config: that is the default VTY password shipped in the sample conf files, so change it before this box lives anywhere but an isolated lab. Now we can shut this bad boy down, make one minor tweak and import it into VirtualBox as a linked clone. This tweak is just marking network adapter 1 as "Not Attached", since we're relying on GNS3 to build these connections for us.
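Before cloning the VM, it is worth re-checking the pieces that silently break routing when they are off. The script below is an added example, not part of the original post, that verifies steps 1, 3, 5 and 6 against the files used above and a saved copy of the `iptables -nvL` output; the function names and the `--live` flag are my own.

```shell
#!/bin/sh
# Added preflight checks for the Quagga router build in this post.
# Every function takes a file path so it can be pointed at the live
# files on the VM or at constructed samples; each returns 0 on pass.

# Step 1: both kernel options must sit on the GRUB_CMDLINE_LINUX line.
grub_has_opts() {
    line=$(grep '^GRUB_CMDLINE_LINUX=' "$1") || return 1
    case "$line" in
        *net.ifnames=0*console=ttyS0*|*console=ttyS0*net.ifnames=0*) return 0 ;;
    esac
    return 1
}

# Step 5 appends to sysctl.conf, so if it was run twice the LAST
# net.ipv4.ip_forward line is the one the kernel will apply at boot.
sysctl_forward_enabled() {
    val=$(grep '^net\.ipv4\.ip_forward' "$1" | tail -n 1 | sed 's/.*=[[:space:]]*//')
    [ "$val" = "1" ]
}

# Step 6: given saved output of `iptables -nvL`, require the three
# built-in chains to exist with policy ACCEPT and no rules at all.
iptables_wide_open() {
    [ "$(grep -c '^Chain ' "$1")" -ge 3 ] || return 1
    grep '^Chain ' "$1" | grep -qv 'policy ACCEPT' && return 1
    # rule lines begin with packet/byte counters; headers begin with "pkts"
    grep -Eq '^[[:space:]]*[0-9]+[[:space:]]+[0-9]+' "$1" && return 1
    return 0
}

# Step 3: config file owned by quagga:quagga with mode 640
# (owner can be overridden so the check runs on a non-root test box).
conf_perms_ok() {
    [ "$(stat -c '%U:%G %a' "$1")" = "${2:-quagga:quagga} 640" ]
}

# Run the whole set against the live system: `sh preflight.sh --live`.
if [ "${1:-}" = "--live" ]; then
    iptables -nvL > /tmp/ipt.out 2>/dev/null
    for chk in "grub_has_opts /etc/sysconfig/grub" \
               "sysctl_forward_enabled /etc/sysctl.conf" \
               "iptables_wide_open /tmp/ipt.out" \
               "conf_perms_ok /etc/quagga/ospfd.conf" \
               "conf_perms_ok /etc/quagga/bgpd.conf"; do
        if $chk; then echo "PASS: $chk"; else echo "FAIL: $chk"; fi
    done
fi
```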

Last but not least, import this VM into GNS3.

Video Demo, Coming Soon...