Python and Linux on Cisco IOS?

Captions
- [David] In previous videos, which I've linked here, I showed you how to use Linux commands on Cisco IOS. This was using traditional Cisco IOS or monolithic Cisco IOS. You're kinda restricted in the Linux commands that you can use. In this video, however, I'm gonna show you how to take that to the next level, by using a Linux container running directly on Cisco IOS XE. I'll show you how to use Python, in other words, create Python scripts, how to install applications within that Linux container. So you could, as an example, install Nano, that's just a basic application that I'll show you in this video. But I mean, you could install any type of application that runs on Linux within that container. Obviously, you need to think about what you're gonna be doing, you don't want to run a huge, kind of, server database application on the container. But the point is, is that you can run Linux directly on a Cisco IOS device. This is true Linux, so you can use any command that's supported in CentOS, that's the flavor of Linux that the Cisco IOS XE uses. You can run Python scripts directly within that Linux container, or call them from within the Cisco IOS. Okay, because this is YouTube, please could I ask you to subscribe to my YouTube channel? Please could I ask you to like this video if you find it useful? Please click on the bell to get notifications. To make it easier for you, I've put all the scripts below this video, and links to documentation. So if you get bored, hopefully not of this video, you can refer to the documentation below the video to get more information and samples of the scripts that I'm running. (upbeat techno music) Now some feedback from you please, before we get started. I am creating quite complex videos here, I'm going into quite a lot of detail, with regards to the configuration of some of this network automation stuff. Are the videos too long? Do you enjoy the videos? 
Please put comments below this video, and let me know how I can make this better for you. Do you want shorter videos? Do you want more in depth videos? How can I make this better for you, and help you become a better network engineer? Okay, so to demonstrate this, I'm not using this physical equipment, that's for my Kali Linux hacking videos. In this example I'm gonna be using GNS3. I've got a Linux container here. This is a Linux server which I'm gonna use just for testing purposes. I've got a switch, I've got an IOSv router, that's simply there to enable NAT, or to run NAT to get us to the internet. So this is just a basic infrastructure running within GNS3. What I'm gonna do, however, is bring a Cisco CSR into the topology. The default here within GNS3, doesn't have enough memory, so I'm gonna right click, click configure. I'm gonna change those to use 4,096 meg of RAM, and give it two CPU's. This device is running within the GNS3 VM, locally on my Mac. So here I'm running GNS3 version 2.2, release candidate five, I'm running that CSR on the GNS3 VM. Okay, I'm gonna start this up. Now it takes a while to boot, so while it's booting, let me talk a little bit more about what we're doing here. I'm gonna configure the CSR router so that I can access a Linux container running within the CSR. Now CSR routers use IOS XE, that's different to monolithic or traditional IOS. In traditional IOS or monolithic IOS, the operating system is installed directly on the hardware. Here the operating system, IOS as we used to, runs on top of Linux. So we can have containers running within Linux, running side by side to the Cisco IOS. Now there's a lot of documentation online showing you how to do this. Here's an example from DevNet. I'll put links to this document and others below the video, so that you can have a look at that in your own time. But basically, what we're gonna enable is the guest shell application. This is a Linux container that we can run on a IOS XE device. 
You can do many things, such as run Linux commands, and I'm gonna show you that here. You can run Python scripts, I'll demonstrate that. There's also device-level API integration. Now in this document, and many others that I've seen online, they get you to configure NAT, or Network Address Translation, between the guest shell container and IOS XE. We're not gonna do that, we're going to use something that's been around for many years. We're gonna use what's called IP unnumbered, which allows you to use an IP address from one network on another. Logically what's happening within the CSR, is we have one network, let's say GigabitEthernet1, that connects us to the internet or the local area network, but logically there's a cable from the IOS XE to this container. This has been used for many, many years. So I remember back in, forgive me for showing my age, on the old, old 5500 Cisco catalyst switches, that's like going back many, many years, they had a catalyst switch that would run one operating system, and then logically there was a connection within the switch to what was called an RSM, which was a router switch module, and you would move from Cat OS, which had set based commands, into a RSM, which was running Cisco IOS as we know it today. So you had this logical connection that you could jump from one to the other within the same device. Same kind of concept here. A more modern example of that is a Unity Express module that runs within a Cisco CME router, so if you got a CallManager Express router that's running Cisco IOS, and then you would have this logical connection to a Linux operating system, that ran the Unity Express voice messaging system. So that kind of concept has been around for a long time. But here what we're doing, is we're doing it with a container. So we are going to create a logical connection as they've shown over here in this document, from Cisco IOS XE to the container and we're using what's called a virtual port group for that. 
I'm not gonna do it the way they've done here, I think it's too complicated. We'll use IP unnumbered, which once again, has been around since the days of modems, CallManager Express, Unity Express, been around for a long time, used in many, many products. Okay, so my CSR device has booted up. Once again, I dragged a CSR into the GNS3 topology. This is a brand new device. So hence, we see system configuration dialog. Do I want to enter the initial configuration dialog? I'm gonna say no. I don't want to use the initial configuration dialog and I want to terminate auto install. Now going back here, one of the reasons I changed the RAM and CPU's, is I've found that when you start up the guest shell on IOS XE, in other words, the Cisco CSR in GNS3 using the defaults, it doesn't work, causes problems. Okay, so show version, here's the command. You can see we're using Cisco IOS XE, this is the version operating system. Notice here, Linux. This is using Linux, and we can use a Linux container directly on this router. Okay, so go to global config mode, let's give it a name such as CSR1. So host name, CSR1. This interface gigabit1, is connected to my network. I've got the IOS V router here, configured as a standard internet router. So all it's doing is acting as our default gateway to get to the internet. This IP address is actually a physical Cisco router in my network here at home, so that actually gets me to the internet, but this router is acting as our internet router to get us out of GNS3, into the physical world. All I've done on this router is configure IP addresses, so it's got this IP address as the inside IP address, this IP address as the outside IP address. So from a NAT or network address translation point of view, that's the inside interface, this is the outside interface. This is our default gateway to get to the internet. Okay, so back on the CSR, brand new router. All I've done is give it a host name. Okay, type end. Show IOX service. 
This command shows us that the IOX service is not running at the moment. So that service is not currently running. To enable it, now I'll put all these commands below, so don't worry about trying to, you know, remember or write down all the commands. In global configuration mode I'm gonna enable IOX. Okay, so we can see that the server IOX has been notified to start. So do the show command again, show IOX service, what you'll notice is the services are now running, I'm not going to use HA in this example, so that's okay. Okay, show IP interface brief. The router is a brand new router, we haven't configured anything on it. So the first thing I'm gonna do is give this router an IP address. So let's say 10.1.1.1.255.255.0, and no shut of the interface. Very basic stuff. This router should hopefully, be able to ping the IOS V router, which is the internet router. Okay, so interface took a while to come up, GNS3 version two dot two now supports link status, so we actually see the links, like on a real router, so it took it a while for the keep alives to kick in and bring the interface up. So we can now ping our default gateway. Okay, so this is where it gets interesting. We're gonna create an interface which is our virtual port group, as per this diagram from Cisco DevNet. So interface virtual port group, and I'm gonna pick a number zero. And this is once again, where I'm gonna use commands from the past, rather than configuring, like they've done here, a separate subnet on the physical interface, and then this virtual cable between XE and the container, I'm going to simply reuse the same subnet, so this container will logically appear as if it's on the physical network, even though it's not, if you look at the logical cables within the device. 
So just in your mind's eye, imagine you've got a router, physical cable to the physical network, and this logical cable to a container, typically every interface on a router needs to be in a separate subnet, but we're going to put this in the same subnet as the physical network by using IP unnumbered, it was a way in the past, to conserve IP addresses. Here I'm using it to make things a lot simpler than the examples they've got on Cisco's website. Okay, so show IP interface brief. In the output here you can see that the virtual port group has the same IP address as the gigabit interface. Now from a routing point of view, that can get confusing, so we're gonna have to create some specific static routes to make the routing work in this topology in a moment. But for now that's all we need to do. The next command is to enable guest shell. So I'm gonna say guest shell enable, 'cause I want to run this guest shell, virtual port group is gonna be zero, the guest IP, so what IP address am I gonna allocate to the container? Remember, we've got the router, logical cable to the container, we need to allocate a IP address to this container. It's kinda like DHCP to the container, if you like, not a true analogy, but there you go. Okay, now it says please wait for completion. Now I've had problems with this, you can, as an example, at the end of this command, add a DNS server. I want to use Google because I want to get this container to connect to the internet, and I want to install applications on this container. So I've found sometimes in GNS3, that's giving, that gave me problems. Doing it this way worked better. I'm not sure if you can hear my Mac, but it's starting to spin up and make a lot of noise as it starts this guest shell up. But as you can see there, that's being completed successfully. Just to show you the command, notice you could specify names over here, I've had problems doing that, so I didn't do that here. I'll do that in a moment directly through Linux. 
Okay, so that's all you had to do. Just to remind you, what I did was configure a virtual port group, used the IP address from the Gigabit1 interface. Gigabit1 has an IP address configured, interface is no shut, and scrolling down notice I've got IOX enabled, so that's basically all I had to do. Once again, I'll put the config below, so that you can see how to set this up yourself. I had quite a lot of problems getting it to work smoothly. Okay, so now what I'm gonna do is run the guest shell. I'm gonna run bash in this example. So basically what this is doing is connecting me to that container, and I've now connected to Linux. Notice please, this is Linux, so uname -a shows us that we're running Linux here, this is not IOS. So show IP interface brief, as an example, doesn't work, but sudo giving me root privileges, ifconfig shows me the IP address of this container. Again, the router allocated the IP address to the container when we ran the guest shell command over here. So I allocated that IP address to the docker container. Okay so that's nice, and I get a lot of stick for using IP config, so I'll use IP address, notice the IP address configured on the guest shell is this. I mean, you can run commands here, like you would on any Linux device, but notice the IP addresses fail. The guest shell is not able to ping out, and the reason for that is I need to set up routing. Notice when I look at the routing table, I only see this. 10.1.1.0 is out of Gigabit1, there's no route to the docker container. So what I need to do now is add a route to the docker container. And just to prove a point actually, before I do that, notice if I ping 10.1.1.2 from the router, it doesn't know where to send the traffic, because there's no route to the docker container. So what I'm gonna do is IP route 10.1.1.2, this will be a slash 32 route, and I'm gonna point it to the virtual port group of zero. So hopefully now I'll be able to ping the Linux container, which I can. There you go. 
Okay, but I also want to put a route to the internet, so on my router, I'm gonna add a default route to the IOS V router, that's my internet router. Okay, so ping 10.1.1.254. Can the router ping default gateway? Yes it can. I need to enable IP domain lookup on this router, I need to enable a name server so that I can get to the internet, and hopefully I'll be able to ping internet addresses, which I can. So I can ping Google.com, as an example. Can I ping Cisco.com? Yes, I can. So I have internet reachability from the router. But what I want to do now is run bash and make sure that this device can ping outside. Notice that didn't work before, neither did this. So I can't ping the default gateway from the guest shell, I'll sort that out in a moment, but as an example, I won't be able to ping Google.com because I haven't configured a DNS server, cat /etc/resolv.conf shows me that there's no DNS server configured on this device. So I'm gonna copy a command here, again, I'll put this below the video. Basically, I'm gonna echo name server Google, and append that to the file. That didn't show that nicely, but if I do cat /etc/resolv.conf, notice I've got a name server added, which I didn't have previously. So if we do have internet connectivity, that should resolve. But at the moment I'm having a problem. I have had quite a few issues running this in GNS3, so if you do struggle with things, you might have to reboot it. Okay, so let's just confirm that I haven't done something stupid. On the CSR show IP interface brief. Ping 10.1.1.254, I can ping the default gateway. I can ping the Linux container. And as a sanity check I'll connect to this Linux server. See, here's my Linux PC, it's got this IP address, ping 10.1.1.1. Can I ping the CSR router? Yes I can. Can I ping the Linux container? Yes I can. So this seems to be a GNS3 problem, rather than an issue on the CSR, so I might have to delete some links. This, once again, is the IP address of the server over here. 
Let me test if I can get the CSR Linux container running here to ping to the Linux container. So let's go back into bash, ping 10.1.1.101. Okay, so notice, the Linux container on the router can ping the Linux server on network, but it can't ping the router. I'll delete some links in a moment to sort that out, but before I get there let's add a user here, so sudo user add David, sudo password David, I'll set a password of Cisco, not a great password. At the moment I've connected to the shell via the console, if you like, so notice the IP address, but I'll go to the Linux server, so this device has this IP address. Can I SSH to the container running on the router? Yes I can. Put my password in, and I'm in. So again, this is the Linux server, this is the router Linux shell. If I type who, notice I have another connection. I've now SSH'd from Linux here onto Linux on the CSR. So before I do any troubleshooting in GNS3, I just want to make the point that this is Linux, so PWD, that's my home directory. CD root, LS dash L, this is full-blown Linux. So you can do all kinds of things here, including installing applications. Including running Python. So this is Python running within Linux, on that CSR in the topology. So this is Python two dot seven dot five, over there. I can install Python three if I like, but basically this is Python as you know it. And this is Linux as you may know it, CentOS running on that CSR. Okay, so GNS3, what I'm gonna do is delete this link, and then I'll add it back again. So hopefully that'll solve the issue between the IOS V router and the CSR. Okay, so ping 10.1.1.1. Can I ping the CSR router from the IOS V router? Yes I can. Can I ping the container on the CSR? Yes I can. So notice by deleting that link and re-enabling it in GNS3 I've solved the problem. So let's go back to the guest shell. Again, this is the guest shell running on the CSR. Okay, so let's see if we can ping Google.com. Notice we can. 
So I'm pinging the internet from a Linux container running within the CSR. Okay, so that works. Clear the screen. Let's install an application. So sudo yum install nano. And I'm gonna say yes just to make sure that it downloads the software and installs it on the container. Installing this through GNS3 can be a bit slow, so I'm installing this via a switch through an IOS V router. Download can be pretty slow in GNS3. So what I'll do is speed this up, so you don't have to watch the installation. Okay, so the installation is now completed. So notice I can use nano here, just like I would in Linux. VI is installed on Vim, some people get upset when I call this VI rather than VIM, but VIM is installed by default. Nano isn't installed. Nano's gonna be a lot easier for you if you're new to Linux, than VI. So let's call this Python script one dot py. And I'll just type something very basic here, we've gotta do a hello network automation script, just to prove the point I'll save the script, so LS Python shows us that we've got this Python script, and I'll use Python now to run that script. So I've been able to run a Python script within the Linux guest shell on that CSR. Now again, that might not be very useful, so let's do something better here. I'll cut that text, and I'll say import sys, import CLI, and just to make sense of this, I'll do this interactively first. I've run Python, and what I can do now is import sys, and import CLI. I'm gonna be able to run CLI commands using Python on box on this device. In other words, I don't need a separate server. I'm running this Python script directly on the CSR. And then I could use a command like CLI execute P show IP interface brief. And notice that command has executed. I could do something like show version, and there's the show version on the router. Here's my Python command, and here's the output. I could do something like show version include version, or something like that, and that should be upper case, actually. 
So there's my command, and notice there's the version of operating system. I'm basically running shell commands within my script. Okay, so let's do that again, but through a script. Okay, so here's my script, I'll save that and then I could run Python, Python script one, and there's the output. So let's push that to more on Linux. So my Python script over there, here's my show IP interface brief, here's my show version information, and again, I might want to make that easier to use, so do that. Clear my script, run the script, and there you go. Now some people have asked this when I've demonstrated stuff previously, and notice I'm back on the CLI, so clear doesn't work 'cause I'm on the router now. Can you run these Python scripts from the CLI? And the answer is yes you can. In this document Programmability Configuration Guide, they show you a lot more than what I'm demonstrating. So as an example, they show you that you can run Python directly from the router, and you can also run a script that you've stored in Flash. See, here's a sample script that they're running directly from Flash, and then here they are running a script from guest shell. Okay, so let's demonstrate that. Okay, so once again, I'm on the router now, this is IOS XE, this is not Linux. What I can do now is say guest shell run Python, and then I'm gonna specify the script that is stored in Linux. So what this has done now is run the Python script that's stored in the Linux container, here's the output of show IP interface brief, here's show version. Now again, you can put the Cisco documentation, put scripts in the Flash or the router, so you might not want to keep them in the Linux container, you want to store them in the Flash, and then you want to execute them from Flash. And they have a lot more complicated examples on the Cisco documentation, much better than the examples than I've just shown you, I'm just trying to get you started. 
Okay, so in this video I showed you how to get a CSR, configured within GNS3. How to enable the guest shell, how to access the guest shell. Use Linux commands, install Linux applications. Use Python, run Python scripts, and hopefully open up a whole new world for you, with regards to network automation using on box methods, in other words, we don't need Python on a separate server, in separate videos I'll show you how to use Python on a Linux server like this, and configure devices that way, but in this example I'm running Linux and Python on the router, and I'm making changes on the router. One of the advantages of that, is here we don't need IP connectivity to the router to run scripts. So if we lost IP connectivity to the router, the router could still run scripts locally. Whereas if I remotely and I lose IP connectivity to that router, my scripts will no longer work. Okay, this is a long video again. If you enjoyed this video please like it, please subscribe to my YouTube channel, and please click on the bell to get notifications when I post a new video. I'm David Bombal, want to wish you all the very best. (upbeat techno music)
Info
Channel: David Bombal
Views: 20,942
Keywords: python, python cisco, devnet, cisco devnet, devnet associate, docker, linux container, cisco containers, cisco linux, linux, ccna, ccna study, ccna training, cisco ccna, cisco ccna certification, cisco training, comptia linux plus, comptia, comptia linux+, information technology, kali linux, linux+ exam, lpic 1, cisco ios, cisco ios commands, gns3, gns3 david bombal, gns3 tutorial, cbt nuggets, ine, ccnp, 10x engineer, python tutorial, python programming, learn python
Id: JJjTByHN2iI
Length: 29min 3sec (1743 seconds)
Published: Sun Sep 29 2019