Virtualized environment without double virtualization with GNS3

Document created by chomjakrichard on Apr 21, 2014Last modified by chomjakrichard on May 7, 2014
Version 6Show Document
  • View in full screen mode



this tutorial is about `how to create and use Cisco virtual image (onePK) with GNS3`.


FIRST READ TUTORIAL, AFTER DO (you can create it in AiO image too, than you can port to "native" os).

GNS3 with QEMU works in Windows too, but .simpleCA certificates you SHOULD generate on unix machine (easiest way).

I never use onePK in Windows.



What is a gns3?

GNS 3 is Graphical Network Simulator.

That tools is usually use to learn something new from network world.


Why I should use GNS3 instead vmware?

From my view, I really hate double virtualization with AllInOne. My computer is very slow for larger topologies such 3node.

GNS3 uses for 3rd part virtualization QEMU/KVM. With QEMU/KVM is possible virtualize Cisco onePK image.

With GNS3 is easier create topology than edit some XMLs... Vmware in AiO uses qemu.


What I need?

My tutorial is based on ubuntu 12.04 LTS, desktop version. And some packages (read more).

Copy directory /home/cisco/.simpleCA and read more for next steps


1) Install GNS3, qemu, kvm, tftp server


sudo apt-get install gns3 -y
#qemu and kvm
sudo apt-get install qemu-kvm qemu-utils -y
sudo apt-get install tftp-hpa

NOTE: KVM is special support for QEMU, but you can use qemu without KVM. If you want use KVM in qemu, your CPU  MUST supports that instruction (vmx or svm).

egrep -c '(vmx|svm)' /proc/cpuinfo

If return 1, than is OK -- your CPU has KVM support.


2) Extract image from vios.ov

If you read /home/cisco/vmcloud-example-networks/3node/3node.virl you probably saw this line

<node name="router1" type="SIMPLE" subtype="vios" location="188,263" vmImage="/usr/share/vmcloud/data/images/vios.ova">

vmImage is location where is image for virtual router.


Extract image

Qemu don't know handle direct with 'ova' file. We must untar vios.ova to get direct access into virtual image.

ova images are only  abstraction on another virtualization format. That abstraction is compressed with tar compression algorithm,

and includes control sum file: .mf, setting file: *.ovf, and virtual format -- in this case *.vmdk.


cd /usr/share/vmcloud/data/images && sudo tar -xf vios.ova


After this process, we copy *.vmdk into GNS3 image directory.



3) Copy image *.vmdk to gns3 images directory -- optional (dont' forget change permissions)

sudo cp vios-adventerprisek9-m.vmdk /home/cisco/GNS3/Images/


change permissions cisco is a user and group name try command `id`

cd /home/cisco/GNS3/Images
sudo chgrp cisco vios-adventerprisek9-m.vmdk
sudo chown cisco vios-adventerprisek9-m.vmdk


4) Configuration of GNS3

Turn on GNS3


on righ tab (General Settings)

set path and configuration

#my config

Screenshot from 2014-04-21 10:16:54.png

create virtual image in GNS3

click on Qemu Guest

#my config

Screenshot from 2014-04-21 10:30:08.png

NOTE: if your CPU supports KVM use it and try other options (Monitor mode...), YOU MUST use NIC model'e1000' and nographic option in this case. How many RAM I need? 384 MB (3node.virl). MAXIMUM NUMBER OF NIC (in my case is 8)



#And this is my little topology



Screenshot from 2014-04-21 10:40:36.png


Ok, we have topology, but How Can I connect to controller/application - outside of the our little world?

One simple solution is create tap interface (linux). On windows create ms loopback# Adding your own PC to GNS3 with MS Loopback - YouTube , but in newest GNS3 you can do it in GNS3 (menu, tool->loopback manager) reboot and if you want use loopback in cloud "device" you must run gns3 as administrator.


We need tap interface, create tap interface and assign it to user cisco (in my case is user cisco, use command `id`)

sudo tunctl -u cisco -t tap0


asssign IP address to tap

sudo ifconfig tap0 inet promisc up


#connect from GNS3 to tap interface



Screenshot from 2014-04-21 11:32:40.png

If you want access to Internet (outside network) create new cloud -> NIO GENERIC use ethX.

Another method exists for access to the Internet and local interface,  use brctl to create bridge between tap and ethX interface.

If you use only ethX in cloud, that is not possible connect to local interface, but you can access to the Internet(outside network)


Ok, we have access to local machine.

Generate new certification for access to our router via TLS (onePK)

./.simpleCA/ -cn Router -ip -out Router.p12 -pass cisco1 is IP address of router


#TFTP process


cat /etc/default/tftpd-hpa

# /etc/default/tftpd-hpa





TFTP_OPTIONS="--secure --create"


Probably you must change TFTP_ADDRESS, change it to

restart service

sudo service tftpd-hpa restart


copy certificate into TFTP_DIRECTORY, in my case /tftpboot

sudo cp Router.p12 /tftpboot/


on router

conf t
crypto pki import demoTP pkcs12 tftp:// password cisco1

# is IP of TUN interface, password cisco1 is same as in process of generation new certification.


Enable onepk on router side (onepk 1.2.0)

conf t
transport type tls localcert demoTP disable-remotecert-validation

create user on router

username jozko password jozkovce
username jozko privilege 15


connect to router from application

INFO:onep:VTYTutorial:Connecting to Network Element...

INFO:onep:BaseTutorial:We have a NetworkElement :

NetworkElement [ ]


INFO:onep:BaseTutorial:Successful connection to NetworkElement -