Milestone 6 ‐ Blue Network and vyos Provisioning SP26 - InaFricke/SEC-480 GitHub Wiki
Milestone 6 - Blue Network and vyos Provisioning SP26
Milestone Overview
In this lab we will start to branch off from our core environment and build a new infrastructure for our end users called 'BlueX' (where X is your super number).
In order to segment this new environment and its hypothetical users from our existing infrastructure, we will put it on a new virtual switch, created by adding that functionality to 480-utils.
We will also clone a new firewall for the environment and write additional 480-utils functionality to:
- start and stop VMs by name
- set VM network adapter settings
Finally, we will get an initial Ansible setup working with an Ansible ping.
ChatGPT and Claude (Anthropic) assisted in the writing of these scripts by answering targeted syntax and functionality questions. All architectural decisions, logic, and design were my own. All code was reviewed, tested, and fully understood by the author.
Script revamp
Before starting the lab I need to update/replace cloner1. It does not make sense to continue with interactive prompting, so I will split the script into a module file and a driver file.
480-driver.ps1
```powershell
# Driver script to call utility functions

# Import module
Import-Module ./480-utils.psm1 -Force

# Reset any existing vCenter sessions, then connect (prompts for credentials)
Disconnect-VIServer -Server * -Force -Confirm:$false -ErrorAction SilentlyContinue
Connect-VIServer -Server "vcenter.ina.local" -Credential (Get-Credential -UserName "fricke-adm" -Message "vCenter credentials")

# Define Clone Parameters (Edit these values as needed)
$CloneType     = "Linked"          # "Linked" or "Full"
$SourceVM      = "vyos base"       # VM to clone from
$SnapshotName  = "baseline"        # Always baseline
$VMHostName    = "192.168.3.208"   # Target ESXi host
$DatastoreName = "datastore2"      # Always datastore2
$NetworkName   = "480-internal"    # for connectivity
$CloneName     = "Test-Clone-01"

# Execute Clone Function
New-VMClone `
    -CloneType $CloneType `
    -SourceVM $SourceVM `
    -SnapshotName $SnapshotName `
    -VMHostName $VMHostName `
    -DatastoreName $DatastoreName `
    -NetworkName $NetworkName `
    -CloneName $CloneName

# Create Blue1 Network
New-Network `
    -SwitchName "Blue1-Switch" `
    -PortGroupName "Blue1-Network" `
    -VMHostName "192.168.3.208"

# Test Get-IP
Get-IP -VMName "Test-Clone-01"
```
480-utils.psm1
```powershell
# Creates either a Linked or Full clone of a VM and assigns it to a specified network.
function New-VMClone {
    param (
        [string]$CloneType,     # "Linked" or "Full"
        [string]$SourceVM,      # Name of source VM
        [string]$SnapshotName,  # Snapshot to clone from
        [string]$VMHostName,    # Target ESXi host
        [string]$DatastoreName, # Target datastore
        [string]$NetworkName,   # Network to attach to VM
        [string]$CloneName      # Name of new VM
    )

    # Validation checks (done first so nothing is looked up for bad input)
    # Validate clone type param
    if ($CloneType -ne "Linked" -and $CloneType -ne "Full") {
        throw "CloneType must be 'Linked' or 'Full'."
    }
    # Prevent duplicate VM names
    if (Get-VM -Name $CloneName -ErrorAction SilentlyContinue) {
        throw "A VM named '$CloneName' already exists."
    }

    # Retrieve required VMware objects
    # Get source VM object
    $vm = Get-VM -Name $SourceVM -ErrorAction Stop
    # Get snapshot object from source VM
    $snapshot = Get-Snapshot -VM $vm -Name $SnapshotName -ErrorAction Stop
    # Get target ESXi host
    $vmhost = Get-VMHost -Name $VMHostName -ErrorAction Stop
    # Get datastore object
    $ds = Get-Datastore -Name $DatastoreName -ErrorAction Stop

    # Linked Clone creation
    if ($CloneType -eq "Linked") {
        $newVM = New-VM `
            -Name $CloneName `
            -VM $vm `
            -ReferenceSnapshot $snapshot `
            -VMHost $vmhost `
            -Datastore $ds `
            -LinkedClone
    }
    # Full Clone creation from a temporary linked clone
    elseif ($CloneType -eq "Full") {
        # Temporary VM name used while converting the linked clone to a full clone
        $tempName = "$CloneName-temp"

        # Step 1: Create a temporary linked clone
        $tempVM = New-VM `
            -Name $tempName `
            -VM $vm `
            -ReferenceSnapshot $snapshot `
            -VMHost $vmhost `
            -Datastore $ds `
            -LinkedClone

        # Step 2: Clone the temporary VM without -LinkedClone; this gives the
        # new VM its own independent copy of the disks
        $newVM = New-VM `
            -Name $CloneName `
            -VM $tempVM `
            -VMHost $vmhost `
            -Datastore $ds

        # Step 3: Remove temporary VM
        Remove-VM -VM $tempVM -DeletePermanently -Confirm:$false

        # Step 4: Take a baseline snapshot of the new full clone
        New-Snapshot -VM $newVM -Name "baseline" -Description "Initial snapshot"
    }

    # Assign Network
    # Attach all network adapters on the new VM to the specified network
    Get-NetworkAdapter -VM $newVM |
        Set-NetworkAdapter -NetworkName $NetworkName -Confirm:$false

    # Return created VM object for use in other functions
    return $newVM
}

# Keep this line at the end of the module so every function defined above it is exported
Export-ModuleMember -Function New-VMClone, New-Network, Get-IP
```
6.1 BlueX Networking
Add a new function (e.g. called New-Network) that creates a Virtual Switch and Portgroup
```powershell
function New-Network {
    param (
        [string]$SwitchName,
        [string]$PortGroupName,
        [string]$VMHostName
    )

    # Get ESXi host
    $vmhost = Get-VMHost -Name $VMHostName -ErrorAction Stop

    # Prevent a duplicate switch from being created
    if (Get-VirtualSwitch -VMHost $vmhost -Name $SwitchName -ErrorAction SilentlyContinue) {
        throw "Virtual Switch '$SwitchName' already exists."
    }

    # Create Virtual Switch (no physical uplink: the Blue network stays isolated on the host)
    $vSwitch = New-VirtualSwitch `
        -VMHost $vmhost `
        -Name $SwitchName

    # Create Portgroup on the new switch
    $portGroup = New-VirtualPortGroup `
        -VirtualSwitch $vSwitch `
        -Name $PortGroupName

    # Return structured data
    [PSCustomObject]@{
        VMHost    = $VMHostName
        Switch    = $SwitchName
        PortGroup = $portGroup.Name
        Status    = "Created"
    }
}

function Get-IP {
    param (
        [string]$VMName
    )

    # Get VM object
    $vm = Get-VM -Name $VMName -ErrorAction Stop

    # Get first network adapter and its MAC
    $adapter = Get-NetworkAdapter -VM $vm | Select-Object -First 1
    $mac = $adapter.MacAddress

    # Guest IPs are reported by VMware Tools, so this is empty until Tools is running.
    # Keep the first IPv4 address only (IPv6 addresses contain no '.')
    $ip = $vm.Guest.IPAddress |
        Where-Object { $_ -match '\.' } |
        Select-Object -First 1

    # Return structured output
    [PSCustomObject]@{
        VMName = $VMName
        IP     = $ip
        MAC    = $mac
    }
}
```
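The point of the new switch is to keep BlueX separate from the core environment, so the portgroup's security policy is worth locking down at creation time as well. The following is an added example, not part of the original 480-utils module: it rejects promiscuous mode, MAC address changes and forged transmits on the switch and makes the portgroup inherit those settings, then returns the effective policies so the driver can verify them. The function name and parameters are assumptions for this example; the cmdlets (Get-SecurityPolicy, Set-SecurityPolicy) are PowerCLI's own.

```powershell
# Added example: harden the security policy of a standard vSwitch and its portgroup.
# Function and parameter names are assumptions; the cmdlets are PowerCLI's.
function Set-LabNetworkSecurity {
    param (
        [Parameter(Mandatory = $true)][string]$VMHostName,    # ESXi host, e.g. 192.168.3.208
        [Parameter(Mandatory = $true)][string]$SwitchName,    # e.g. Blue1-Switch
        [Parameter(Mandatory = $true)][string]$PortGroupName  # e.g. Blue1-Network
    )

    $vmhost  = Get-VMHost -Name $VMHostName -ErrorAction Stop
    $vSwitch = Get-VirtualSwitch -VMHost $vmhost -Name $SwitchName -ErrorAction Stop
    $pg      = Get-VirtualPortGroup -VirtualSwitch $vSwitch -Name $PortGroupName -ErrorAction Stop

    # Reject all three at the switch level: no packet capture of other VMs' traffic,
    # no spoofed source MACs and no guest-side MAC changes on the Blue network
    Get-SecurityPolicy -VirtualSwitch $vSwitch |
        Set-SecurityPolicy -AllowPromiscuous $false -ForgedTransmits $false -MacChanges $false |
        Out-Null

    # Make the portgroup inherit the switch policy instead of overriding it
    Get-SecurityPolicy -VirtualPortGroup $pg |
        Set-SecurityPolicy -AllowPromiscuousInherited $true -ForgedTransmitsInherited $true -MacChangesInherited $true |
        Out-Null

    # Return the effective policies so the caller can check the result
    [PSCustomObject]@{
        Switch          = $SwitchName
        PortGroup       = $PortGroupName
        SwitchPolicy    = Get-SecurityPolicy -VirtualSwitch $vSwitch
        PortGroupPolicy = Get-SecurityPolicy -VirtualPortGroup $pg
    }
}

# Usage from the driver, right after New-Network (names assumed):
# Set-LabNetworkSecurity -VMHostName "192.168.3.208" -SwitchName "Blue1-Switch" -PortGroupName "Blue1-Network"
```

Run it once after New-Network and keep the returned object in the lab notes; if a later VM on the Blue network needs one of these settings (for example a firewall that must change its MAC), that exception is then a deliberate, recorded change rather than the default.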
6.2 blueX-fw and more utility functions
Deliverable 2. Use your cloning feature to create a new linked clone of your vyos base image called blueX-fw
Leave this VM powered off for now
Deliverable 3. Create a utility function within 480-utils.ps1 that will start a VM or VMs by name.
Add functions to start and stop VMs
Tips: the PowerCLI commands are Start-VM and Stop-VM. Make sure to call your function something different from the PowerCLI command, as a name collision can cause issues.
```powershell
function Start-LabVM {
    param (
        [string]$VMName
    )

    # Retrieve VM object
    $vm = Get-VM -Name $VMName -ErrorAction Stop

    # Start the VM (Out-Null stops double output)
    Start-VM -VM $vm -Confirm:$false | Out-Null

    # Return updated VM object
    return (Get-VM -Name $VMName)
}

function Stop-LabVM {
    param (
        [string]$VMName
    )

    # Retrieve VM object
    $vm = Get-VM -Name $VMName -ErrorAction Stop

    # Stop the VM
    Stop-VM -VM $vm -Confirm:$false | Out-Null

    # Return updated VM object
    return (Get-VM -Name $VMName)
}
```
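Deliverable 3 asks for "a VM or VMs", while Start-LabVM and Stop-LabVM above take one name each. The following is an added example, not the original 480-utils code, that goes a step further: it accepts an array or pipeline input, tries a clean guest shutdown through VMware Tools before falling back to a hard Stop-VM, and emits the refreshed power state of every VM it touched. The function name, the timeout parameter and the VM names in the usage lines are assumptions for this example.

```powershell
# Added example: start or stop several lab VMs by name in one call.
# Function name and parameters are assumptions; Shutdown-VMGuest, Start-VM, Stop-VM are PowerCLI's.
function Set-LabVMPower {
    param (
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [string[]]$VMName,               # one or more VM names (Get-VM wildcards allowed)
        [Parameter(Mandatory = $true)]
        [ValidateSet("On", "Off")]
        [string]$State,
        [int]$ShutdownTimeoutSec = 120   # how long to wait for a clean guest shutdown
    )
    process {
        foreach ($name in $VMName) {
            foreach ($vm in (Get-VM -Name $name -ErrorAction Stop)) {
                if ($State -eq "On") {
                    if ($vm.PowerState -ne "PoweredOn") {
                        Start-VM -VM $vm -Confirm:$false | Out-Null
                    }
                }
                elseif ($vm.PowerState -eq "PoweredOn") {
                    # Prefer a clean shutdown when VMware Tools is running in the guest
                    if ($vm.ExtensionData.Guest.ToolsRunningStatus -eq "guestToolsRunning") {
                        Shutdown-VMGuest -VM $vm -Confirm:$false | Out-Null
                        $deadline = (Get-Date).AddSeconds($ShutdownTimeoutSec)
                        while ((Get-VM -Id $vm.Id).PowerState -eq "PoweredOn" -and (Get-Date) -lt $deadline) {
                            Start-Sleep -Seconds 5
                        }
                    }
                    # Hard stop only if the guest did not shut down (no Tools, or timeout)
                    if ((Get-VM -Id $vm.Id).PowerState -eq "PoweredOn") {
                        Stop-VM -VM $vm -Confirm:$false | Out-Null
                    }
                }
                # Emit the refreshed VM so the caller sees the final state
                Get-VM -Id $vm.Id | Select-Object Name, PowerState
            }
        }
    }
}

# Usage (VM names assumed):
# Set-LabVMPower -VMName "blue1-fw", "Test-Clone-01" -State On
# "blue1-fw" | Set-LabVMPower -State Off
```

The two-stage stop matters for the firewall: a hard Stop-VM on VyOS is equivalent to pulling the power, so a pending `commit` that was not followed by `save` would be lost, whereas the guest shutdown lets the OS flush cleanly.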
Add the functions to the export line:
```powershell
Export-ModuleMember -Function New-VMClone, New-Network, Get-IP, Start-LabVM, Stop-LabVM
```
In the driver ps1 add the calls:
```powershell
Start-LabVM -VMName $CloneName
Stop-LabVM -VMName $CloneName
```
I commented everything out except for Start-LabVM.
Deliverable 4. Create a utility function called Set-Network within 480-utils.ps1 that sets a virtual machine network adapter to the network of your choice. In your video, demonstrate this against the internal eth1 interface on fw-blue1.
Add a function (e.g. called Set-Network) that lets you set the network on the different interfaces of a VM.
I had to rewrite parts of the script; the ones on GitHub are the final versions for 6.2 deliverables.
Code additions to driver
```powershell
# Portgroups for the two firewall interfaces (assumed values; adjust to your environment)
$Network1 = "480-internal"   # Network adapter 1 -> eth0
$Network2 = "Blue1-Network"  # Network adapter 2 -> eth1

# Add second adapter if necessary (@() so .Count works when there is only one adapter)
$adapters = @(Get-NetworkAdapter -VM $CloneName)
if ($adapters.Count -lt 2) {
    # Add second adapter (Network adapter 2 / eth1)
    New-NetworkAdapter -VM $CloneName -NetworkName $Network2 -StartConnected $true
}

# Set networks: adapter 1 -> $Network1, adapter 2 -> $Network2
$networks = @($Network1, $Network2)
$adapters = @(Get-NetworkAdapter -VM $CloneName)   # Refresh adapters list
for ($i = 0; $i -lt $adapters.Count -and $i -lt $networks.Count; $i++) {
    Set-Network -VMName $CloneName -AdapterNumber ($i + 1) -NetworkName $networks[$i]
}
```
Code additions to utils
```powershell
# Adds a network adapter to a VM by name.
# NOTE: this wrapper has the same name as the PowerCLI cmdlet it calls, so the inner call
# must be module-qualified; an unqualified New-NetworkAdapter would resolve to this
# function and recurse forever. As the tip above says, a distinct name such as
# Add-LabNetworkAdapter avoids the collision entirely.
function New-NetworkAdapter {
    param (
        [Parameter(Mandatory = $true)]
        [string]$VM,                    # Name of the VM
        [Parameter(Mandatory = $true)]
        [string]$NetworkName,           # Target portgroup/network to connect to
        [bool]$StartConnected = $true   # Whether the adapter should start connected
    )

    # Get the VM object
    $vmObject = Get-VM -Name $VM -ErrorAction Stop

    # Check that the network exists (throws if it does not)
    $network = Get-VirtualNetwork -Name $NetworkName -ErrorAction Stop

    # Add the new network adapter using the PowerCLI cmdlet, not this wrapper
    $newAdapter = VMware.VimAutomation.Core\New-NetworkAdapter `
        -VM $vmObject `
        -NetworkName $NetworkName `
        -StartConnected:$StartConnected

    # Return the new adapter object
    return $newAdapter
}

# Sets a specific network adapter on a VM to a new network
function Set-Network {
    param (
        [string]$VMName,          # Name of VM
        [int]$AdapterNumber,      # Adapter number (1 = eth0, 2 = eth1, etc.)
        [string]$NetworkName      # Target network / portgroup
    )

    # Retrieve VM object
    $vm = Get-VM -Name $VMName -ErrorAction Stop

    # Retrieve target network object (ensures it exists)
    $network = Get-VirtualNetwork -Name $NetworkName -ErrorAction Stop

    # Retrieve the specific network adapter
    $adapter = Get-NetworkAdapter -VM $vm |
        Where-Object { $_.Name -eq "Network adapter $AdapterNumber" }
    if (-not $adapter) {
        throw "Network adapter $AdapterNumber not found on VM '$VMName'."
    }

    # Set adapter to new network
    Set-NetworkAdapter `
        -NetworkAdapter $adapter `
        -NetworkName $NetworkName `
        -Confirm:$false | Out-Null

    # Return updated adapter information
    return (Get-NetworkAdapter -VM $vm |
        Where-Object { $_.Name -eq "Network adapter $AdapterNumber" })
}

# Add New-NetworkAdapter and Set-Network to the Export-ModuleMember line at the end of the module
```
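Set-Network changes one adapter at a time, but the thing actually worth knowing before the firewall is powered on is whether the whole layout is right: eth0 on the core-facing network and eth1 on the Blue portgroup, with nothing bridging the two by accident. The following is an added example, not the original 480-utils code: it lists every adapter of a VM against an expected ordered list of portgroups, returns one row per interface, and throws if any interface is missing or on the wrong network. The function name and the portgroup names in the usage line are assumptions for this example.

```powershell
# Added example: verify a VM's adapter-to-network mapping before powering it on.
# Function name and expected portgroups are assumptions; Get-VM/Get-NetworkAdapter are PowerCLI's.
function Test-LabVMNetwork {
    param (
        [Parameter(Mandatory = $true)][string]$VMName,
        # Ordered list of expected portgroups: index 0 -> "Network adapter 1" (eth0), 1 -> adapter 2 (eth1)
        [Parameter(Mandatory = $true)][string[]]$ExpectedNetworks
    )

    $vm = Get-VM -Name $VMName -ErrorAction Stop
    # Sort by the number in "Network adapter N" so index i really is adapter i+1
    $adapters = @(Get-NetworkAdapter -VM $vm | Sort-Object { [int]($_.Name -replace '\D', '') })

    $rows = [System.Collections.Generic.List[object]]::new()
    $count = [Math]::Max($adapters.Count, $ExpectedNetworks.Count)
    for ($i = 0; $i -lt $count; $i++) {
        $adapter  = if ($i -lt $adapters.Count) { $adapters[$i] } else { $null }
        $expected = if ($i -lt $ExpectedNetworks.Count) { $ExpectedNetworks[$i] } else { $null }
        $actual   = if ($adapter) { $adapter.NetworkName } else { $null }

        $rows.Add([PSCustomObject]@{
            VMName    = $VMName
            Adapter   = if ($adapter) { $adapter.Name } else { "Network adapter $($i + 1) (missing)" }
            Interface = "eth$i"
            Actual    = $actual
            Expected  = $expected
            Connected = if ($adapter) { $adapter.ConnectionState.StartConnected } else { $false }
            OK        = ($null -ne $adapter) -and ($null -ne $expected) -and ($actual -eq $expected)
        })
    }

    # Emit every row so the mismatch is visible, then fail hard if anything is off
    $rows
    $bad = @($rows | Where-Object { -not $_.OK })
    if ($bad.Count -gt 0) {
        throw "Network layout for '$VMName' does not match the expected mapping ($($bad.Count) interface(s) wrong)."
    }
}

# Usage in the driver, before Start-LabVM (VM and portgroup names assumed):
# Test-LabVMNetwork -VMName "blue1-fw" -ExpectedNetworks "480-internal", "Blue1-Network"
```

Because it throws, placing it between the Set-Network loop and Start-LabVM in the driver means a miswired firewall never gets powered on with the wrong interface facing the wrong network; an extra adapter that was not expected also shows up as a failing row rather than being silently ignored.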
6.3
- Update and install Ansible and its dependencies:
```bash
sudo apt update
sudo apt install sshpass python3-paramiko git -y
sudo apt-add-repository ppa:ansible/ansible
sudo apt update
sudo apt install ansible -y
ansible --version
```
In a Bash terminal:
```bash
cat >> ~/.ansible.cfg << EOF
[defaults]
host_key_checking = false
EOF
```
1.5
I have no IP on the VyOS because it does not automatically pick one up, as networking was not configured. I plan to manually connect it to DHCP, but it needs to be on eth1.
```
configure
set interfaces ethernet eth1 address dhcp
commit
save
exit
show interfaces
```
- Create your Ansible directory and inventory:
```bash
mkdir -p /home/inag/SEC-480-GIT/SEC-480/ansible
cd /home/inag/SEC-480-GIT/SEC-480/ansible
nano inventory
```
Contents of `inventory`:
```ini
[vyos]
10.0.17.101 ansible_user=vyos
```
Then test connectivity:
```bash
ansible all -m ping -i inventory --ask-pass
```