ios-xe guest shell
1 IOS XE Guestshell
On any IOS XE Cisco device, as of 16.7.1 there is a CentOS container that has Python pre-installed. This CentOS container is called 'guest shell'.
This container also has yum installed so that you can install 3rd party
apps or development tools. Older IOS versions like 16.6.x have an older
config that I won't go into here.
2 Cisco Guestshell Sandbox
Cisco's DevNet Sandboxes can be reserved for learning about Guestshell. Once the sandbox is provisioned and you have the VPN connection established, you can access it as follows:
2.1 Accessing Sandbox
Open a terminal window and run
    ssh developer@10.10.20.48
with a password of C1sco12345
3 Guest Shell
The first thing needed is for IOx to be enabled:
    #config t
    (config)#iox
    (config)#end
This will take a few minutes. Check the status with:
    #show iox-service
Then we need three things to get it working:
1) network settings on the container,
2) network settings on the IOS device (host), and
3) NAT configuration.
3.1 IOS-XE host settings
To enable communication between the IOS XE host and the guest container, we need an interface called VirtualPortGroup:
    #config t
    (config)#interface VirtualPortGroup0
    (config)# ip address 3.3.3.1 255.255.255.0
    (config)#end
3.2 Container network settings:
Assuming that the container will talk out of an interface on the router or switch with IP address 3.3.3.1/24, you would:
    #config t
    (config)#app-hosting appid guestshell
    (config)# vnic gateway virtualportgroup 0 guest-interface 0 guest-ipaddress 3.3.3.2 netmask 255.255.255.0 gateway 3.3.3.1 name-server 8.8.8.8
    (config)# end
3.3 NAT config on host
Finally, we have to configure NAT so that traffic from 3.3.3.2 appears to come from a local interface of the router/switch. This is only required if the container needs to reach the outside, but remember that yum needs exactly that in order to work, so it is best to implement it.
    #config t
    (config)#interface VirtualPortGroup 0
    (config)# ip nat inside
    (config)#!
    (config)#interface GigabitEthernet 1
    (config)# ip nat outside
    (config)#!
    (config)#ip access-list extended NAT-ACL
    (config)# permit ip 3.3.3.0 0.0.0.255 any
    (config)#!
    (config)#ip nat inside source list NAT-ACL interface GigabitEthernet 1 overload
    (config)#end
where GigabitEthernet 1 is the interface that leads to the default gateway.
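A consistency check for the NAT settings from 3.3, added here as an example (it is not code from the original page or from Cisco). It verifies that the overload interface is also marked ip nat outside and that the NAT ACL permits no source outside the VirtualPortGroup0 subnet. The sample config is constructed from this page's addresses and assumes the unspaced interface names that show running-config prints; the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample in `show running-config` form, built from this page's addresses.
SAMPLE = """\
interface VirtualPortGroup0
 ip address 3.3.3.1 255.255.255.0
 ip nat inside
interface GigabitEthernet1
 ip nat outside
ip access-list extended NAT-ACL
 permit ip 3.3.3.0 0.0.0.255 any
ip nat inside source list NAT-ACL interface GigabitEthernet1 overload
"""

def sections(cfg):
    """Map each top-level config line to its indented child lines."""
    tree, cur = {}, []
    for line in cfg.splitlines():
        if line.startswith(" "):
            cur.append(line.strip())
        elif line.strip() not in ("", "!"):
            cur = tree.setdefault(line.strip(), [])
    return tree

def audit(cfg):
    """Return findings for the guestshell NAT setup; an empty list means consistent."""
    t, out = sections(cfg), []
    vpg = t.get("interface VirtualPortGroup0", [])
    addr = re.search(r"ip address (\S+) (\S+)", " ".join(vpg))
    if not addr:
        return ["VirtualPortGroup0 has no address"]
    net = ipaddress.ip_interface(f"{addr[1]}/{addr[2]}").network
    if "ip nat inside" not in vpg:
        out.append("VirtualPortGroup0 lacks 'ip nat inside'")
    for acl, intf in re.findall(r"^ip nat inside source list (\S+) interface (\S+) overload", cfg, re.M):
        if "ip nat outside" not in t.get(f"interface {intf}", []):
            out.append(f"{intf} is the overload interface but lacks 'ip nat outside'")
        for ace in t.get(f"ip access-list extended {acl}", []):
            m = re.match(r"permit \S+ (?:host (\S+)|(\S+) (\S+))", ace)
            try:  # wildcard masks such as 0.0.0.255 are accepted as host masks
                ok = not m or ipaddress.ip_network(m[1] or f"{m[2]}/{m[3]}").subnet_of(net)
            except ValueError:
                ok = False  # 'any' or an unparsable source
            if not ok:
                out.append(f"{acl} permits more than the guest subnet: {ace}")
    return out
```

Calling audit() on the text of show running-config returns an empty list when the three NAT pieces agree with each other.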
3.4 Enable the Guestshell
The final step is to enable the shell:
    #guestshell enable
    Interface will be selected if configured in app-hosting
    Please wait for completion
    guestshell installed successfully
    Current state is: DEPLOYED
    guestshell activated successfully
    Current state is: ACTIVATED
    guestshell started successfully
    Current state is: RUNNING
    Guestshell enabled successfully
    # show app-hosting detail
The shell should show "RUNNING".
3.5 Accessing the Guestshell
Simply use the command guestshell.
You will be in a bash shell, on a CentOS 7 machine. Go to town!
When done, just exit.
4 Guestshell features
The guestshell is isolated and protected from the IOS system.
From the IOS prompt you can run guestshell run cat /etc/resolv.conf or any other CentOS command, such as guestshell run uname -a or guestshell run ip addr.
4.1 Common IOS-XE guestshell commands:
    guestshell run ls /flash
    guestshell run groups
    guestshell run uname -a
    guestshell run ip addr
    guestshell run cat /etc/resolv.conf
    guestshell run yum update -y
    guestshell run yum repolist
If a proxy is used, it must be configured explicitly by setting two proxy variables, http_proxy and https_proxy. I am assuming this is in the shell.
4.2 IOS commands from within guestshell
    #dohost "show memory statistics"
    #dohost "show ip route 0.0.0.0"
    #dohost "show ip int brief"
    #dohost "show platform software status control-processor brief"
5 Guestshell
It is best to run these commands:
    sudo yum check-update
    sudo yum upgrade -y
    sudo yum install vim -y
    sudo yum clean all
    sudo yum help
    sudo yum list installed
    sudo yum info vim nano vi
    sudo yum clean all
    sudo yum list pip3
    sudo yum list available
    sudo yum repolist
    sudo yum upgrade -y
    sudo yum install -y git vim
    df -h
    git --version
    git clone https://github.com/CiscoDevNet/dne-dna-code.git