Building a Cisco Security LAB with Meraki and VMware

ASA-FTD
Getting noticed


Hello,

I am wondering how best to design a "part Meraki part VMware virtual lab" using the following equipment to help me study for the CCIE Security v5 lab.

 

Meraki part:

* MX67

* MS120-8LP

* MS220-8P

 

Dell/VM part:

  • Dell Precision T5600 Workstation running VMware vSphere 6.5
    • 2 x Hexa Core Xeon Processors (12 Cores total)
    • 128 GB RAM and plenty of HD space

 

Option 1:

I can create the many VLANS / subnets that I will need on the MX67 to be the default gateway.

A trunk port on the Meraki switch that passes ALL VLANS to the vSwitch on the ESXi host.

Spin up a CSR 1000v router with one interface pointed to the physical network and the other interface pointed inwards to the LAB environment.

 

Option 2:

  • Add a single additional VLAN/SUBNET to the Meraki MX67 (example: 192.168.15.0/24)
  • VLAN 15 (192.168.15.1/24) would be the VLAN and default gateway hosted on the Meraki.
  • Create VLAN 15 on the Meraki switch and configure a trunk port that connects to the ESXi host
  • Spin up a CSR 1000v router with one interface pointed to the physical network and the other interface has lots of SUB-INTERFACES that host all the VLAN/SUBNETS for the SECURITY lab. 

List of VLANs configured in the Server:

  • V10 - ACSv1 - 172.16.1.1
  • V20 - ACSv2 - 172.16.2.1
  • V30 - ISEv1 - 172.16.3.1
  • V40 - ISEv2  - 172.16.4.1, etc, etc.
  • V50 - WSAv1-M1
  • V60 - WSAv2-M1
  • V70 - ESAv1-M1
  • V80 - ESAv2-M1
  • V90 - WLCv1-MGMT
  • V91 - WLCv1-DATA
  • V100 - TEST-SRV-A
  • V110 - NGIPSv1-MGMT
  • V111 - NGIPSv1-INT
  • V112 - NGIPSv1-EXT
  • V120 - NGIPSv2-MGM
  • V121 - NGIPSv2-INT
  • V122 - NGIPSv2-EXT
  • V130 - FTDv1-M0
  • V140 - FTDv2-M0
  • V150 - FMCv1
  • V160 - FMCv2
  • V200 - TEST-SRV-B
  • V210 - PHONE-TFTP
  • V230 - IP-PHONE-A-DATA 
  • V231 - IP-PHONE-A-VO 
  • V240 - IP-PHONE-B-DATA 
  • V241 - IP-PHONE-B-VO 
  • V310 - ASAV1-M0/0 
  • V320 - ASAV2-M0/0 
  • V330 - ASAV3-M0/0 
  • V331 - ASAV3-G0/0 
  • V332 - ASAV3-G0/1 
  • V340 - ASAV4-M0/0 
  • V341 - ASAV4-G0/0 
  • V342 - ASAV4-G0/1 


Thank you to the readers if you have read this far.

What do you think?

Any suggestions? Improvements? Just think I'm crazy?

Let's discuss!


-----
David Burgess
CCNP R&S, Security,
CCNA Wireless, MCNA, ECMS1
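
Option 2's sub-interface layout can be checked and rendered from the VLAN list, shown here as an added example that is not part of the original post. It uses only the four VLANs whose gateway address the post gives; the /24 masks and the parent interface name `GigabitEthernet2` are assumptions.

```python
import ipaddress

# VLAN plan: the four entries whose gateway address the post gives.
# The /24 prefix length is an assumption; the post lists only the address.
PLAN = [
    (10, "ACSv1", "172.16.1.1/24"),
    (20, "ACSv2", "172.16.2.1/24"),
    (30, "ISEv1", "172.16.3.1/24"),
    (40, "ISEv2", "172.16.4.1/24"),
]
TRANSIT = ipaddress.ip_network("192.168.15.0/24")  # VLAN 15 toward the MX67 (Option 2)


def validate(plan, transit=TRANSIT):
    """Return a list of problems: bad VLAN IDs, duplicates, overlapping subnets."""
    problems, seen_ids, seen_nets = [], set(), [(transit, "transit")]
    for vid, name, cidr in plan:
        if not 1 <= vid <= 4094:
            problems.append(f"{name}: VLAN {vid} outside 1-4094")
        if vid in seen_ids:
            problems.append(f"{name}: VLAN {vid} used twice")
        seen_ids.add(vid)
        net = ipaddress.ip_interface(cidr).network
        for other, owner in seen_nets:
            if net.overlaps(other):
                problems.append(f"{name}: {net} overlaps {owner} ({other})")
        seen_nets.append((net, name))
    return problems


def render(plan, parent="GigabitEthernet2"):
    """Render IOS-XE 802.1Q sub-interface config; 'parent' is an assumed name."""
    problems = validate(plan)
    if problems:
        raise ValueError("; ".join(problems))
    lines = [f"interface {parent}", " no ip address", " no shutdown", "!"]
    for vid, name, cidr in plan:
        iface = ipaddress.ip_interface(cidr)
        lines += [
            f"interface {parent}.{vid}",
            f" description {name}",
            f" encapsulation dot1Q {vid}",
            f" ip address {iface.ip} {iface.netmask}",
            "!",
        ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(PLAN))
```

If the CSR's inside interface sits on a standard vSwitch port group, that port group needs VLAN ID 4095 so the 802.1Q tags reach the guest.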
PhilipDAth
Kind of a big deal

I would just create all the layer 3 interfaces on the MX and not bother creating them on the CSR, but both of your options will work fine.

ASA-FTD
Getting noticed

I am still working on the design.
I will post how I did it when I get my lab functionally working.
-----
David Burgess
CCNP R&S, Security,
CCNA Wireless, MCNA, ECMS1