Getting Started with IOS-XE Guestshell (Cisco Catalyst - On-box Python & Linux Shell)

Video Statistics and Information

Video
Captions Word Cloud
Reddit Comments
Captions
In this video, I wanted to take a couple  of minutes and look at a feature called   guestshell. This is something that is available on  Cisco's Catalyst 9000 series switches, some of the   older 3800 series switches, as well as the new  Catalyst 8000 routers, and even some of the ISR   4000s. In these newer platforms, Cisco has built  something that they call application hosting.   While we call the feature guestshell,  in reality it's just the ability to run   a lightweight native linux container directly on  top of a Catalyst device - so that we can have   access to a linux shell and a Python interpreter  right on our Catalyst series switch or router.   This opens up a lot of possibilities for being  able to run custom scripts and commands and help   with troubleshooting by being able to run  Python scripts directly on the box itself.   So let's go ahead and just dive right into  'how do we get this running on our device?'...   For the purpose of this video, I'll be using a  Catalyst 8000v. This is a virtual router image   that's offered by Cisco and easy to stand up in a  lab - which is why I'm using it for today's video.   So as you can see on the screen, I currently  have the Catalyst 8000v command line up. The   first thing that we'll do is a command "show  iox". IOX is the underlying application hosting   subsystems that allow us to run containers on top  of our switch. Now as we can see here most of the   services are showing that they're either not  running or not supported on this device. So the   first thing that we'll have to do is enable the  IOX services to allow us to build our containers   on top of this router. So we'll go "config t" and  we'll just type the command "iox"... and now if   we go back to check the status of those services,  we can see now that we have the services that were   previously listed as not running are now showing  that they are in fact running. Next we're going   to walk through a little bit of pre-configuration  that's going to be required for our Linux-based   guest shell container to be able to communicate  with the outside world. So first we'll start with   configuring a NAT policy. We'll create a standard  access list and we'll name it "IOX_NAT"... and the   IP range that we'll be using for our container is  192.168.100.0. Next we'll enter our NAT statement   which is going to be "ip nat inside source list  IOX_NAT interface gigabitethernet 1 overload"..   This will allow our container to communicate with  the outside world by NAT'ing it to the gigabit   ethernet 1 interface on our virtual router. Next  we'll go to that interface and mark it as the   outside NAT interface with the command "ip nat  outside".. Now for the container side of things,   we're actually going to create a virtual port  group interface that'll be used for communication   directly with the container. This interface  will act as the upstream gateway from the   container itself, to be routed out our gigabit  one interface. So we'll start with "interface   virtualportgroup 0" - then we'll add our IP  address, which for this interface will use   192.168.100.1. Similarly we'll do an "ip nat  inside". Now that our NAT configuration is done,   we'll have to specify some configuration for  the container itself. So we'll begin by doing   "app-hosting appid guestshell" - then we'll create  a virtual network interface for our container,   and link that to the virtualportgroup 0.  We'll do this using the command "app-vnic   gateway 0 virtualportgroup 0 guest-interface  0". Under this config section we'll also apply   the IP configuration for our container  by doing "guest-ipaddress 192.168.100.5   netmask 255.255.255.0". We'll also specify a  default gateway for the interface, with the   command "app-default-gateway 192.168.100.1" and  that is out guest-interface 0. And lastly we want   to set a DNS server so we'll just use "nameserver0  8.8.8.8". Once we're done with all of that, we're   ready to enable our guest shell container and  start making use of it. So for this we'll actually   drop all the way down to normal exec-mode.  And first we'll do a "show app-hosting list"   and we'll see that right now we have no containers  available or running. We'll automatically deploy   and activate the guest shell container with the  command "guestshell enable" and this will take   just a second to complete... In the background,  this is loading the guest shell container,   getting it ready for deployment, and then it'll  spin it up and make it ready for us to use.   And so we can see it was deployed, activated,  and now it is running successfully. Again - we   can check this using the "show app-hosting list"  command... and yep we see that our guest shell   app is running. Before we jump into our container.  we can also see some additional details by doing   "show app-hosting detail appid guestshell". The  output of this command will show some additional   detail on the container itself. For example, that  it is an LXC Linux container. It is version 3.2.   It'll also show what hardware resources  we have reserved for this container.  And if we scroll down just a little bit further,  we can also see the current network config...   and sure enough it looks like the configuration  that we specified was applied to our container   successfully. One way to interact with our guest  shell container is by using the "guestshell run"   command. This will take whatever command we input  and execute it on the guest shell, return it to   our cli, without entering the container itself.  So we'll do a "guestshell run uname -a"...   and that'll output what you'd expect just  as if you were running it on a Linux system.   Now that's helpful if you just want to run one  off commands, but if you want to get access to   the linux shell itself - all you have to do is  use the "guestshell" command. Now we see that we   have a Linux shell, and we can perform the same  "uname -a" command and see that we get the exact   same output that we did when we ran that from the  catalyst command line. We can also check that our   networking config worked - let's go ahead and  try to "ping 8.8.8.8"... and sure enough we do   have internet access. Now for all intents and  purposes this is a live Linux system. So if we   had an additional Linux package that we needed to  install, or we just wanted to run updates - this   currently runs CentOS - so we can use the YUM  package manager to update or install. For example,   if I do a "sudo yum update" - this will go out  and fetch new updates available for the system.   I'll go ahead and hit CTRL-C now, since I don't  actually want to allow the updates to complete.   The real fun comes in now since we have access  to a python interpreter that's running on top   of a catalyst device. We have the ability to  run all sorts of different scripts to help us   with device management, troubleshooting, or even  performance monitoring. For example, maybe we have   an intermittent network issue that we need help  troubleshooting, and we could write a script, that   on a given interval, runs a couple of different  troubleshooting commands, collects information,   and then either logs that locally or sends an  email out to someone. Or we might be able to   write a Python script that does ping and page load  testing to test performance from an edge device,   where maybe we don't have a server or end  client that's capable of running that.   Also included within guest shell is a  Python module called cli - this allows   us to run both exec-mode and configuration  commands on the catalyst CLI - which allows   us to monitor and configure the device  straight from our python script itself.   So let's take a look at this. We'll go ahead and  enter the python interpreter and we'll "import   cli". If we wanted to run an exec-mode command,  we would use the function "cli.execute". So for   example in this case we'll do a "write mem" and  see if we can save the device configuration from   python... Pretty quickly we get back a similar  response that we would expect on a command line.   On the opposite side, if we wanted to run a  configuration command - let's say we wanted   to configure a new interface - we can do that as  well. First I'll create an object that contains   a multi-line comment, that creates interface  loopback 200, and then assigns an IP address to   it. Now while I use a multi-line comment for this,  the function also supports using a Python list.   So you could list out each command  in order that it needs to be run.   Now in order to create that interface, we'll use  the "cli.configure" function and pass that our   "config_data" variable that contains the commands  we want to run. The helpful thing here is that   for each individual line of commands that we've  passed to it, we'll get a success or failure - if   the command was successfully able to execute.  We can also make use of our normal validation   methods by doing a "cli.execute" and passing  the command "show run interface loopback200".   Now of course, I'm just having all of this  output just dumped the command line...   but we could easily store this in a Python  variable and parse through it to make sure that   everything completed correctly, and add in our own  error checking and validation. So now that we're   done here, I'll go ahead and quit the python  interpreter. Another thing that's good to know   about, is that like before when we could use the  "guestshell run" command to run something within   the linux shell without leaving our Catalyst CLI  - the reverse is also true. Within guest shell,   we can use the "dohost" command to execute  something on the Catalyst CLI without having   to leave our Linux shell. So for an example we'll  use the same "write mem" command from earlier..   and we'll see that our device configuration  has been saved. Now once we're done, we can go   ahead and just exit out of the guest shell. And if  we're done using our container for the time being,   we can go ahead and use the "guestshell disable"  command to stop the container for now. And we'll   do a "show app-hosting list" - and we see  now that our container is no longer running   but instead it's in the state 'deployed'. Now  if we were completely done and we never wanted   to use the guest shell container again, we  would use "guestshell destroy". This command   will completely remove the guest shell container  that we just built. And we can again verify this   by doing a "show app-hosting list". And we'll  see that there are now no applications found. Okay and that's it for this video. I hope that  it was helpful - and thank you for watching!!
Info
Channel: 0x2142 - Networking Nonsense
Views: 1,168
Rating: undefined out of 5
Keywords: DEVCOR, DevNet, Network Automation, Cisco, Screen Scraping, CLI, Python, 350-901, 300-435, ENAUTO, IOS-XE, NX-OS, Guestshell, centos, LXC, container, docker, yum, DevNet Expert
Id: KiVbDq0Czdg
Channel Id: undefined
Length: 10min 20sec (620 seconds)
Published: Tue Jan 26 2021
Related Videos
Note
Please note that this website is currently a work in progress! Lots of interesting data and statistics to come.