03 Nov

IOx and guestshell on IOS XE

Most of the recent firmware on Cisco devices runs on top of a Linux operating system. Your IOS XE or NX-OS is just a Linux process! It is nothing new; Juniper has done it for years. However, it does not mean you can access the operating system directly; this is reserved for Cisco TAC and developers, in case the base operating system might be the source of a problem. However, you can use IOx and the guestshell container introduced in the IOS XE Everest 16.5.1 release.

What is IOx?

IOx fulfills the requirement for edge computing. Cisco calls it fog computing, and it refers to extending cloud computing to the edge of an enterprise's network. The idea is to host applications at the network edge across different hardware platforms. Ideally, it should not require any additional hardware for computing. The fog itself refers to a unique problem domain, for example management overhead. It is one of the pillars of the Cisco IoT model.

IOx shares the CPU, SDRAM and NVRAM/Flash memory with the host system. Do you remember that a few years ago the new hardware platforms based on x86 processors introduced multicore CPUs? So far only the first core (Core 0) was used and the second core remained idle. The first core runs the IOS process. With IOx the second core is now active: the hypervisor, the host OS, and the apps are using it. However, on some platforms, like the ISR 829, the Shared Core Hosting model is deployed: there is no dedicated core for the IOS process, which runs on top of the hypervisor and shares the resources with other applications.

Dedicated Core vs. Shared hosting on Cisco platforms (pic. from Cisco documentation)

Starting the IOx

Let's first confirm that the IOx subsystem is not running:

CSR1000V#show iox-service 

<omitted>

IOx Infrastructure Summary:
---------------------------
IOx service (CAF) : Not Running 
IOx service (HA) : Not Running 
IOx service (IOxman) : Not Running 
Libvirtd : Running

To start IOx, you need to execute just one command:

CSR1000V#conf t
CSR1000V(config)#iox

After a few minutes you can check the status again:

CSR1000V#show iox-service 

<omitted>

IOx Infrastructure Summary:
---------------------------
IOx service (CAF) : Running 
IOx service (HA) : Not Running 
IOx service (IOxman) : Running 
Libvirtd : Running

Now we are ready to deploy containers.
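Automation that enables the guestshell has to wait for IOx to come up first. The following Python snippet is an added example, not code from the original post: it parses the "show iox-service" summary shown above and reports which services still need to start. The sample output is constructed from the two captures above, and the set of required services (CAF, IOxman and Libvirtd, with HA left out) is an assumption based on the post's own capture after enabling IOx.

```python
import re

# Constructed sample output, modelled on the two "show iox-service" captures
# in the post (before and after "iox" was configured); not from a live device.
BEFORE = """\
IOx Infrastructure Summary:
---------------------------
IOx service (CAF) : Not Running
IOx service (HA) : Not Running
IOx service (IOxman) : Not Running
Libvirtd : Running
"""

AFTER = """\
IOx Infrastructure Summary:
---------------------------
IOx service (CAF) : Running
IOx service (HA) : Not Running
IOx service (IOxman) : Running
Libvirtd : Running
"""

# Services that must be up before "guestshell enable" makes sense.
# Assumption: HA is not required, because the post's "after" capture shows it
# "Not Running" on a working standalone CSR1000V.
REQUIRED = ("CAF", "IOxman", "Libvirtd")

# Matches "IOx service (NAME) : STATE" as well as the bare "Libvirtd : STATE" line.
_LINE = re.compile(
    r"^(?:IOx service \((?P<svc>[^)]+)\)|(?P<plain>\S+))\s*:\s*(?P<state>.+?)\s*$"
)


def parse_iox_service(output: str) -> dict:
    """Map each service in the summary to True (Running) or False (anything else)."""
    states = {}
    for line in output.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue  # header, separator, <omitted> sections and blank lines
        name = m.group("svc") or m.group("plain")
        states[name] = m.group("state").lower() == "running"
    return states


def missing_services(output: str, required=REQUIRED) -> list:
    """Return the required services that are not reported as Running."""
    states = parse_iox_service(output)
    return [svc for svc in required if not states.get(svc, False)]


def iox_ready(output: str) -> bool:
    """True when every required service is Running, i.e. safe to enable guestshell."""
    return not missing_services(output)
```

Feed it the real "show iox-service" text from your device instead of the constructed samples; a non-empty list from missing_services() tells you which service to wait for or troubleshoot.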


The guestshell

The guestshell is a built-in container with the Linux CentOS 7 operating system. It is designed to run custom Linux applications, including Python scripts for automated provisioning (day zero) of systems.

On the CSR1000v, guestshell access is provided via the bridged VirtualPortGroup interface. On other platforms, you may run it directly.

interface GigabitEthernet1
 ip address 172.16.1.101 255.255.255.0
 negotiation auto
 no mop enabled
 no mop sysid
!
interface VirtualPortGroup0
 ip unnumbered GigabitEthernet1
 no mop enabled
 no mop sysid

When starting the guestshell, you need to specify the IP address it will use. It is also recommended to specify the name server; this is the only additional parameter you can set on the CSR1000V. On other devices you may also specify the subnet mask and default gateway; it all depends on the platform and the firmware version.

CSR1000V#guestshell enable VirtualPortGroup 0 guest-ip 172.16.1.102 name-server 192.168.1.250
Please wait for completion
Guestshell enabled successfully

Now you can access your guestshell and sudo to root:

CSR1000V#guestshell 
[guestshell@guestshell ~]$ sudo su -
[root@guestshell ~]#

The guestshell itself has its default route pointing to its eth0 interface. However, the router itself needs to know how to send traffic to the guestshell, so we need to add a static route:

CSR1000V(config)#ip route 172.16.1.102 255.255.255.255 VirtualPortGroup 0

This is also where you run into problems if you decide to use VRFs. In such a configuration, we put the GigabitEthernet1 and VirtualPortGroup0 interfaces in the VRF and provide the proper static routes. The problem is that we cannot add a static route in a VRF without providing a next-hop IP address, which is not possible in this situation:

CSR1000V(config)#ip route vrf mgmt 172.16.1.102 255.255.255.255 VirtualPortGroup 0
% For VPN or topology routes, must specify a next hop IP address if not a point-to-point interface

The only solution I know so far is using NAT, but this is not a flexible way.

What can I do inside the guestshell? A lot! This is Linux, so you can use all the available commands. If you are missing any packages, just install them using the yum command; it uses the CentOS repository. You can write Python scripts and much more.

You can access the guestshell externally via SSH; the default authentication method is public key. You need to download the public key from the guestshell account (or generate a new one) and install it on your SSH client.

IOx GUI Management

There is a GUI that you can use to monitor and manage IOx. You must have the HTTP server enabled on the CSR1000V router:

ip http server
ip http authentication local
ip http secure-server

After you log in, select Configuration | IOx from the menu on the left side and provide your credentials again.

There are just two tabs for IOx management. In the System Info tab we can see basic information about IOx, including the software version, available storage, CPU and memory usage and interface statistics. The most useful feature here is the Logs section, where you can enable predefined logging filters and view the log files.

IOx GUI System Information Panel (basic information about IOx: software version, available storage, CPU and memory usage and interface statistics)

In the Applications tab, we can find the running containers and add new ones. We can quickly stop a container from here. When you click the Manage link, you can view advanced container status and logs or allocate resources.

IOx Container Setting (advanced configuration of an IOx container from the web panel)

Disabling and removing guestshell

There are two more operations you can do on the guestshell container instance: stop it (disable) and remove it (destroy).

CSR1000V#guestshell disable 
Guestshell disabled successfully 

CSR1000V#guestshell destroy 
Guestshell destroyed successfully

The disable option just stops the container and retains the files. You can restart it using the guestshell enable command again. If you use the destroy option, the container stops and all files are removed. If you decide to re-enable the container in the future, the system will build it as a new one with the default configuration.
