- [David] In previous videos, which I've linked here, I showed you how to use Linux commands on Cisco IOS. This was using traditional Cisco IOS or monolithic Cisco IOS. You're kinda restricted in the Linux commands that you can use. In this video, however, I'm gonna show you how to
take that to the next level, by using a Linux container running directly on Cisco IOS XE. I'll show you how to use Python, in other words, create Python scripts, how to install applications within that Linux container. So you could, as an example, install Nano, that's just a basic application that I'll show you in this video. But I mean, you could install
any type of application that runs on Linux within that container. Obviously, you need to think about what you're gonna be doing, you don't want to run a huge, kind of, server database
application on the container. But the point is, is that you can run Linux directly on a Cisco IOS device. This is true Linux, so you can use any command
that's supported in CentOS, that's the flavor of Linux
that the Cisco IOS XE uses. You can run Python scripts directly within that Linux container, or call them from within the Cisco IOS. Okay, because this is YouTube, please could I ask you to
subscribe to my YouTube channel? Please could I ask you to like this video if you find it useful? Please click on the bell
to get notifications. To make it easier for you, I've put all the scripts below this video, and links to documentation. So if you get bored, hopefully not of this video, you can refer to the
documentation below the video to get more information and samples of the
scripts that I'm running. (upbeat techno music) Now some feedback from you please, before we get started. I am creating quite complex videos here, I'm going into quite a lot of detail, with regards to the configuration of some of this network automation stuff. Are the videos too long? Do you enjoy the videos? Please put comments below this video, and let me know how I can
make this better for you. Do you want shorter videos? Do you want more in depth videos? How can I make this better for you, and help you become a
better network engineer? Okay, so to demonstrate this, I'm not using this physical equipment, that's for my Kali Linux hacking videos. In this example I'm gonna be using GNS3. I've got a Linux container here. This is a Linux server which I'm gonna use just for testing purposes. I've got a switch, I've got an IOSv router, that's simply there to enable NAT, or to run NAT to get us to the internet. So this is just a basic infrastructure running within GNS3. What I'm gonna do, however, is bring a Cisco CSR into the topology. The default here within GNS3, doesn't have enough memory, so I'm gonna right click, click configure. I'm gonna change those
to use 4,096 meg of RAM, and give it two CPU's. This device is running within the GNS3 VM, locally on my Mac. So here I'm running GNS3 version 2.2, release candidate five, I'm running that CSR on the GNS3 VM. Okay, I'm gonna start this up. Now it takes a while to boot, so while it's booting, let me talk a little bit more
about what we're doing here. I'm gonna configure the CSR router so that I can access a Linux container running within the CSR. Now CSR routers use IOS XE, that's different to
monolithic or traditional IOS. In traditional IOS or monolithic IOS, the operating system is installed
directly on the hardware. Here the operating system, IOS as we used to, runs on top of Linux. So we can have containers
running within Linux, running side by side to the Cisco IOS. Now there's a lot of documentation online showing you how to do this. Here's an example from DevNet. I'll put links to this document
and others below the video, so that you can have a look
at that in your own time. But basically, what we're gonna enable is the guest shell application. This is a Linux container that we can run on a IOS XE device. You can do many things, such as run Linux commands, and I'm gonna show you that here. You can run Python scripts, I'll demonstrate that. There's also device-level API integration. Now in this document, and many others that I've seen online, they get you to configure NAT, or Network Address Translation, between the guest shell
container and IOS XE. We're not gonna do that, we're going to use something that's been around for many years. We're gonna use what's
called IP unnumbered, which allows you to use an IP address from one network on another. Logically what's happening within the CSR, is we have one network, let's say Gigabit Ethernet1, that connects us to the internet
or the local area network, but logically there's
a cable from the IOS XE to this container. This has been used for many, many years. So I remember back in, forgive me for showing my age, on the old, old 5500
Cisco catalyst switches, that's like going back many, many years, they had a catalyst switch that would run one operating system, and then logically there was a connection within the switch to
what was called an RSM, which was a router switch module, and you would move from Cat OS, which had set based commands, into a RSM, which was running Cisco
IOS as we know it today. So you had this logical connection that you could jump from one to the other within the same device. Same kind of concept here. A more modern example of that is a Unity Express module that runs within a Cisco CME router, so if you got a CallManager Express router that's running Cisco IOS, and then you would have
this logical connection to a Linux operating system, that ran the Unity Express
voice messaging system. So that kind of concept has
been around for a long time. But here what we're doing, is we're doing it with a container. So we are going to create
a logical connection as they've shown over
here in this document, from Cisco IOS XE to the container and we're using what's called
a virtual port group for that. I'm not gonna do it the
way they've done here, I think it's too complicated. We'll use IP unnumbered, which once again, has been around since the days of modems, CallManager Express, Unity Express, been around for a long time, used in many, many products. Okay, so my CSR device has booted up. Once again, I dragged a CSR into the GNS3 topology. This is a brand new device. So hence, we see system
configuration dialog. Do I want to enter the
initial configuration dialog? I'm gonna say no. I don't want to use the
initial configuration dialog and I want to terminate auto install. Now going back here, one of the reasons I
changed the RAM and CPU's, is I've found that when you
start up the guest shell on IOS XE, in other words, the Cisco CSR in GNS3 using the defaults, it doesn't work, causes problems. Okay, so show version, here's the command. You can see we're using Cisco IOS XE, this is the version operating system. Notice here, Linux. This is using Linux, and we can use a Linux container directly on this router. Okay, so go to global config mode, let's give it a name such as CSR1. So host name, CSR1. This interface gigabit1, is connected to my network. I've got the IOS V router here, configured as a standard internet router. So all it's doing is acting
as our default gateway to get to the internet. This IP address is actually
a physical Cisco router in my network here at home, so that actually gets me to the internet, but this router is acting
as our internet router to get us out of GNS3, into the physical world. All I've done on this router
is configure IP addresses, so it's got this IP address
as the inside IP address, this IP address as the outside IP address. So from a NAT or network address
translation point of view, that's the inside interface, this is the outside interface. This is our default gateway
to get to the internet. Okay, so back on the CSR, brand new router. All I've done is give it a host name. Okay, type end. Show IOX service. This command shows us that the IOX service is not running at the moment. So that service is not currently running. To enable it, now I'll put all these commands below, so don't worry about trying to, you know, remember or write down all the commands. In global configuration
mode I'm gonna enable IOX. Okay, so we can see that the server IOX has been notified to start. So do the show command again, show IOX service, what you'll notice is the
services are now running, I'm not going to use HA in this example, so that's okay. Okay, show IP interface brief. The router is a brand new router, we haven't configured anything on it. So the first thing I'm gonna do is give this router an IP address. So let's say 10.1.1.1.255.255.0, and no shut of the interface. Very basic stuff. This router should hopefully, be able to ping the IOS V router, which is the internet router. Okay, so interface took
a while to come up, GNS3 version two dot two
now supports link status, so we actually see the links, like on a real router, so it took it a while for
the keep alives to kick in and bring the interface up. So we can now ping our default gateway. Okay, so this is where
it gets interesting. We're gonna create an interface which is our virtual port group, as per this diagram from Cisco DevNet. So interface virtual port group, and I'm gonna pick a number zero. And this is once again, where I'm gonna use
commands from the past, rather than configuring, like they've done here, a separate subnet on
the physical interface, and then this virtual cable
between XE and the container, I'm going to simply reuse the same subnet, so this container will logically appear as if it's on the physical network, even though it's not, if you look at the logical
cables within the device. So just in your mind's eye, imagine you've got a router, physical cable to the physical network, and this logical cable to a container, typically every interface on a router needs to be in a separate subnet, but we're going to put
this in the same subnet as the physical network
by using IP unnumbered, it was a way in the past, to conserve IP addresses. Here I'm using it to
make things a lot simpler than the examples they've
got on Cisco's website. Okay, so show IP interface brief. In the output here you can
see that the virtual port group has the same IP address
as the gigabit interface. Now from a routing point of view, that can get confusing, so we're gonna have to create
some specific static routes to make the routing work in
this topology in a moment. But for now that's all we need to do. The next command is to enable guest shell. So I'm gonna say guest shell enable, 'cause I want to run this guest shell, virtual port group is gonna be zero, the guest IP, so what IP address am I gonna
allocate to the container? Remember, we've got the router, logical cable to the container, we need to allocate a IP
address to this container. It's kinda like DHCP to
the container, if you like, not a true analogy, but there you go. Okay, now it says please
wait for completion. Now I've had problems with this, you can, as an example, at the end of this command, add a DNS server. I want to use Google because
I want to get this container to connect to the internet, and I want to install
applications on this container. So I've found sometimes in GNS3, that's giving, that gave me problems. Doing it this way worked better. I'm not sure if you can hear my Mac, but it's starting to spin
up and make a lot of noise as it starts this guest shell up. But as you can see there, that's being completed successfully. Just to show you the command, notice you could specify names over here, I've had problems doing that, so I didn't do that here. I'll do that in a moment
directly through Linux. Okay, so that's all you had to do. Just to remind you, what I did was configure a virtual port group, used the IP address from
the Gigabit1 interface. Gigabit1 has an IP address
configured, interface is no shut, and scrolling down notice
I've got IOX enabled, so that's basically all I had to do. Once again, I'll put the config below, so that you can see how
to set this up yourself. I had quite a lot of problems
getting it to work smoothly. Okay, so now what I'm gonna
do is run the guest shell. I'm gonna run bash in this example. So basically what this is doing is connecting me to that container, and I've now connected to Linux. Notice please, this is Linux, so uname -a shows us that
we're running Linux here, this is not IOS. So show IP interface brief, as an example, doesn't work, but sudo
giving me root privileges, ifconfig shows me the IP
address of this container. Again, the router allocated
the IP address to the container when we ran the guest
shell command over here. So I allocated that IP address
to the docker container. Okay so that's nice, and I get a lot of stick
for using ifconfig, so I'll use IP address, notice the IP address configured
on the guest shell is this. I mean, you can run commands here, like you would on any Linux device, but notice the IP addresses fail. The guest shell is not able to ping out, and the reason for that is
I need to set up routing. Notice when I look at the routing table, I only see this. 10.1.1.0 is out of Gigabit1, there's no route to the docker container. So what I need to do now is add a route to the docker container. And just to prove a point actually, before I do that, notice if I ping 10.1.1.2 from the router, it doesn't know where to send the traffic, because there's no route
to the docker container. So what I'm gonna do is IP route 10.1.1.2, this will be a slash 32 route, and I'm gonna point it to the
virtual port group of zero. So hopefully now I'll be able to ping the Linux container, which I can. There you go. Okay, but I also want to
put a route to the internet, so on my router, I'm gonna add a default
route to the IOS V router, that's my internet router. Okay, so ping 10.1.1.254. Can the router ping default gateway? Yes it can. I need to enable IP domain
lookup on this router, I need to enable a name server so that I can get to the internet, and hopefully I'll be able
to ping internet addresses, which I can. So I can ping Google.com, as an example. Can I ping Cisco.com? Yes, I can. So I have internet
reachability from the router. But what I want to do now is run bash and make sure that this
device can ping outside. Notice that didn't work before, neither did this. So I can't ping the default
gateway from the guest shell, I'll sort that out in a moment, but as an example, I won't be able to ping Google.com because I haven't configured a DNS server, cat /etc/resolv.conf shows me that there's no DNS server configured on this device. So I'm gonna copy a command here, again, I'll put this below the video. Basically, I'm gonna
echo name server Google, and append that to the file. That didn't show that nicely, but if I do cat /etc/resolv.conf, notice I've got a name server added, which I didn't have previously. So if we do have internet connectivity, that should resolve. But at the moment I'm having a problem. I have had quite a few
issues running this in GNS3, so if you do struggle with things, you might have to reboot it. Okay, so let's just confirm that I haven't done something stupid. On the CSR show IP interface brief. Ping 10.1.1.254, I can ping the default gateway. I can ping the Linux container. And as a sanity check I'll
connect to this Linux server. See, here's my Linux PC, it's got this IP address, ping 10.1.1.1. Can I ping the CSR router? Yes I can. Can I ping the Linux container? Yes I can. So this seems to be a GNS3 problem, rather than an issue on the CSR, so I might have to delete some links. This, once again, is the IP
address of the server over here. Let me test if I can get the CSR Linux container running here to ping to the Linux container. So let's go back into
bash, ping 10.1.1.101. Okay, so notice, the Linux container on the router can ping the Linux server on network, but it can't ping the router. I'll delete some links in
a moment to sort that out, but before I get there
let's add a user here, so sudo user add David, sudo password David, I'll set a password of Cisco, not a great password. At the moment I've connected
to the shell via the console, if you like, so notice the IP address, but I'll go to the Linux server, so this device has this IP address. Can I SSH to the container
running on the router? Yes I can. Put my password in, and I'm in. So again, this is the Linux server, this is the router Linux shell. If I type who, notice I have another connection. I've now SSH'd from Linux here onto Linux on the CSR. So before I do any
troubleshooting in GNS3, I just want to make the
point that this is Linux, so PWD, that's my home directory. CD root, LS dash L, this is full-blown Linux. So you can do all kinds of things here, including installing applications. Including running Python. So this is Python running within Linux, on that CSR in the topology. So this is Python two dot
seven dot five, over there. I can install Python three if I like, but basically this is
Python as you know it. And this is Linux as you may know it, CentOS running on that CSR. Okay, so GNS3, what I'm
gonna do is delete this link, and then I'll add it back again. So hopefully that'll
solve the issue between the IOS V router and the CSR. Okay, so ping 10.1.1.1. Can I ping the CSR router
from the IOS V router? Yes I can. Can I ping the container on the CSR? Yes I can. So notice by deleting that link and re-enabling it in GNS3
I've solved the problem. So let's go back to the guest shell. Again, this is the guest
shell running on the CSR. Okay, so let's see if
we can ping Google.com. Notice we can. So I'm pinging the internet
from a Linux container running within the CSR. Okay, so that works. Clear the screen. Let's install an application. So sudo yum install nano. And I'm gonna say yes just to make sure that
it downloads the software and installs it on the container. Installing this through
GNS3 can be a bit slow, so I'm installing this via a switch through an IOS V router. Download can be pretty slow in GNS3. So what I'll do is speed this up, so you don't have to
watch the installation. Okay, so the installation
is now completed. So notice I can use nano here, just like I would in Linux. VI is installed on Vim, some people get upset when I
call this VI rather than VIM, but VIM is installed by default. Nano isn't installed. Nano's gonna be a lot easier for you if you're new to Linux, than VI. So let's call this
Python script one dot py. And I'll just type
something very basic here, we've gotta do a hello
network automation script, just to prove the point
I'll save the script, so LS Python shows us that
we've got this Python script, and I'll use Python
now to run that script. So I've been able to run a Python script within the Linux guest shell on that CSR. Now again, that might not be very useful, so let's do something better here. I'll cut that text, and I'll say import sys, import CLI, and just to make sense of this, I'll do this interactively first. I've run Python, and what I can do now is import sys, and import CLI. I'm gonna be able to run CLI commands using Python on box on this device. In other words, I don't need a separate server. I'm running this Python
script directly on the CSR. And then I could use a command like CLI execute P show IP interface brief. And notice that command has executed. I could do something like show version, and there's the show
version on the router. Here's my Python command, and here's the output. I could do something like
show version include version, or something like that, and that should be upper case, actually. So there's my command, and notice there's the
version of operating system. I'm basically running shell commands within my script. Okay, so let's do that again, but through a script. Okay, so here's my script, I'll save that and then
I could run Python, Python script one, and there's the output. So let's push that to more on Linux. So my Python script over there, here's my show IP interface brief, here's my show version information, and again, I might want to
make that easier to use, so do that. Clear my script, run the script, and there you go. Now some people have asked this when I've demonstrated stuff previously, and notice I'm back on the CLI, so clear doesn't work 'cause
I'm on the router now. Can you run these Python
scripts from the CLI? And the answer is yes you can. In this document Programmability
Configuration Guide, they show you a lot more
than what I'm demonstrating. So as an example, they show you that you can run Python directly from the router, and you can also run a script that you've stored in Flash. See, here's a sample
script that they're running directly from Flash, and then here they are running
a script from guest shell. Okay, so let's demonstrate that. Okay, so once again, I'm on the router now, this is IOS XE, this is not Linux. What I can do now is say guest shell run Python, and then I'm gonna specify the script that is stored in Linux. So what this has done now
is run the Python script that's stored in the Linux container, here's the output of
show IP interface brief, here's show version. Now again, you can put
the Cisco documentation, put scripts in the Flash or the router, so you might not want to keep
them in the Linux container, you want to store them in the Flash, and then you want to
execute them from Flash. And they have a lot more
complicated examples on the Cisco documentation, much better than the examples
than I've just shown you, I'm just trying to get you started. Okay, so in this video I
showed you how to get a CSR, configured within GNS3. How to enable the guest shell, how to access the guest shell. Use Linux commands, install Linux applications. Use Python, run Python scripts, and hopefully open up a
whole new world for you, with regards to network
automation using on box methods, in other words, we don't need Python on a separate server, in separate videos I'll show you how to use Python on a
Linux server like this, and configure devices that way, but in this example I'm
running Linux and Python on the router, and I'm making changes on the router. One of the advantages of that, is here we don't need IP connectivity to the router to run scripts. So if we lost IP
connectivity to the router, the router could still
run scripts locally. Whereas if I remotely and
I lose IP connectivity to that router, my scripts will no longer work. Okay, this is a long video again. If you enjoyed this video please like it, please subscribe to my YouTube channel, and please click on the
bell to get notifications when I post a new video. I'm David Bombal, want to wish you all the very best. (upbeat techno music)
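
Editor's added example (not part of the video or of the scripts the presenter refers to): a Python helper that builds the IP unnumbered guest shell configuration walked through above and rejects address plans that cannot work with it. It generalizes the lab's single case to any subnet; the /24 mask and the 8.8.8.8 resolver are assumptions, since the transcript only says "Google" and gives the 10.1.1.0 network without a mask.

```python
import ipaddress


def guestshell_unnumbered_config(phys_if, router_ip, prefix_len, guest_ip,
                                 gateway_ip, dns_ip, vpg=0):
    """Return IOS XE lines for the ip-unnumbered guest shell design."""
    net = ipaddress.ip_interface(f"{router_ip}/{prefix_len}").network
    router = ipaddress.ip_address(router_ip)
    guest = ipaddress.ip_address(guest_ip)
    gateway = ipaddress.ip_address(gateway_ip)

    # The container borrows the physical subnet, so its address has to be
    # a usable host address inside that subnet.
    if guest not in net or guest in (net.network_address,
                                     net.broadcast_address):
        raise ValueError(f"guest {guest} is not a usable host in {net}")
    if gateway not in net:
        raise ValueError(f"gateway {gateway} is not on-link in {net}")
    if len({router, guest, gateway}) != 3:
        raise ValueError("router, guest and gateway must be distinct")

    return [
        "iox",
        f"interface {phys_if}",
        f" ip address {router_ip} {net.netmask}",
        " no shutdown",
        f"interface VirtualPortGroup{vpg}",
        f" ip unnumbered {phys_if}",
        " no shutdown",
        # Without this /32 host route the router has no path to the
        # container, because the connected subnet points at phys_if.
        f"ip route {guest} 255.255.255.255 VirtualPortGroup{vpg}",
        f"ip route 0.0.0.0 0.0.0.0 {gateway}",
        "ip domain lookup",
        f"ip name-server {dns_ip}",
        "end",
        # Exec-mode command, entered after leaving configuration mode.
        f"guestshell enable VirtualPortGroup {vpg} guest-ip {guest}",
    ]


def guest_dns_command(dns_ip):
    """Shell line run inside the guest shell to append a resolver."""
    ipaddress.ip_address(dns_ip)  # raises ValueError on a malformed address
    return f'echo "nameserver {dns_ip}" | sudo tee -a /etc/resolv.conf'


if __name__ == "__main__":
    # Addresses from the lab in the video; mask and DNS are assumptions.
    for line in guestshell_unnumbered_config(
            "GigabitEthernet1", "10.1.1.1", 24,
            "10.1.1.2", "10.1.1.254", "8.8.8.8"):
        print(line)
    print(guest_dns_command("8.8.8.8"))
```
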