
Guest Shell on ISR4321 Management Network / Mgmt-intf not working

brian.denk
Level 1

I have been working with XE 16.9.6 on an ISR4321 router. Although I have been successful with enabling and implementing guest shell using a VirtualPortGroup configuration, I have not been able to successfully implement over the built-in management interface/vrf.

Below is the relevant portion of the configuration along with the output from the show app-hosting detail. It appears I am missing some configuration as the eth0 address assigned within the container is not within the management vrf (Mgmt-intf).

Can Guest Shell use the ISR4321 management network? Any guidance would be appreciated.

Brian

ISR4321-LXC#show run vrf Mgmt-intf
Building configuration...

Current configuration : 304 bytes
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
ip address 192.168.1.13 255.255.255.0
negotiation auto
no cdp enable
!
ip route vrf Mgmt-intf 0.0.0.0 0.0.0.0 192.168.1.1
!
end

ISR4321-LXC#show run | sec app-hosting
app-hosting appid guestshell
app-vnic management guest-interface 0
ISR4321-LXC#show app-hosting detail
App id : guestshell
Owner : iox
State : RUNNING
Application
Type : lxc
Name : GuestShell
Version : 2.5.3
Description : Cisco Systems Guest Shell XE for x86_64
Activated profile name : custom

Resource reservation
Memory : 256 MB
Disk : 1 MB
CPU : 800 units

Attached devices
Type Name Alias
---------------------------------------------
serial/shell iox_console_shell serial0
serial/aux iox_console_aux serial1
serial/syslog iox_syslog serial2
serial/trace iox_trace serial3

Network interfaces
---------------------------------------
eth0:
MAC address : 52:54:dd:c5:4:6a
IPv4 address : 192.168.30.2

Port forwarding
Table-entry Service Source-port Destination-port
---------------------------------------------------

ISR4321-LXC#

3 Replies

balaji.bandi
Hall of Fame

Not sure I understand the problem. Is your requirement that it must use the mgmt-VRF, or is communication required from outside to inside?

Below is an example config (is this what you are looking for?):

Device> enable
Device# configure terminal
Device(config)# interface VirtualPortGroup 0
Device(config-if)# ip address 192.168.35.1 255.255.255.0
Device(config-if)# ip nat inside
Device(config-if)# no mop enabled
Device(config-if)# no mop sysid
Device(config-if)# exit
Device(config)# interface GigabitEthernet 0/0/3
Device(config-if)# ip address 10.0.12.19 255.255.0.0
Device(config-if)# ip nat outside
Device(config-if)# negotiation auto
Device(config-if)# exit
Device(config)# ip route 0.0.0.0 0.0.0.0 10.0.0.1
Device(config)# ip route 10.0.0.0 255.0.0.0 10.0.0.1
!Port forwarding to use ports for SSH and so on.
Device(config)# ip nat inside source static tcp 192.168.35.2 7023 10.0.12.19 7023 extendable
Device(config)# ip nat outside source list NAT_ACL interface GigabitEthernet 0/0/3 overload
Device(config)# ip access-list standard NAT_ACL
Device(config-std-nacl)# permit 192.168.0.0 0.0.255.255
Device(config-std-nacl)# exit
Device(config)# exit

BB

The requirement is to enable / use Guest Shell on the Mgmt-intf vrf for networking. However, it appears this is not possible in ISR 4000 with XE 16.9.

After additional testing, it appears the app-vnic management guest-interface 0 configuration command does cause the Guest Shell to use the Mgmt-intf vrf for networking.

However, it also appears when app-vnic management is configured, additional configuration such as guest-ipaddress and app-default-gateway is ignored and the container's eth0 address is automatically configured with 192.168.30.2/29.

Thus far, I have been unsuccessful with reconfiguring the eth0 address within guestshell.

ISR4321-LXC#show run vrf Mgmt-intf
Building configuration...

Current configuration : 304 bytes
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 ip address 192.168.1.13 255.255.255.0
 negotiation auto
 no cdp enable
!
ip route vrf Mgmt-intf 0.0.0.0 0.0.0.0 192.168.1.1
!
end
ISR4321-LXC#show run | sec app-hosting
app-hosting appid guestshell
 app-vnic management guest-interface 0
  guest-ipaddress 192.168.1.14 netmask 255.255.255.0
 app-default-gateway 192.168.1.13 guest-interface 0
ISR4321-LXC#

[guestshell@guestshell ~]$ sudo ifconfig -a
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.30.2 netmask 255.255.255.248 broadcast 192.168.30.7
inet6 fe80::5054:ddff:fe07:2310 prefixlen 64 scopeid 0x20<link>
ether 52:54:dd:07:23:10 txqueuelen 1000 (Ethernet)
RX packets 8 bytes 648 (648.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 8 bytes 648 (648.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1 (Local Loopback)
RX packets 217 bytes 32228 (31.4 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 217 bytes 32228 (31.4 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

[guestshell@guestshell ~]$ ping -c 4 192.168.1.13
PING 192.168.1.13 (192.168.1.13) 56(84) bytes of data.
64 bytes from 192.168.1.13: icmp_seq=1 ttl=64 time=0.150 ms
64 bytes from 192.168.1.13: icmp_seq=2 ttl=64 time=0.092 ms
64 bytes from 192.168.1.13: icmp_seq=3 ttl=64 time=0.094 ms
64 bytes from 192.168.1.13: icmp_seq=4 ttl=64 time=0.082 ms

--- 192.168.1.13 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 2999ms
rtt min/avg/max/mdev = 0.082/0.104/0.150/0.028 ms
[guestshell@guestshell ~]$
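
The mismatch reported in the post above, as an added example that is not part of the thread and is not Cisco code: a Python check that compares the configured guest-ipaddress and the Mgmt-intf subnet with the address eth0 actually reports inside Guest Shell. The sample inputs are trimmed from the outputs quoted in the thread; the function names are hypothetical.

```python
import ipaddress
import re
# Inputs trimmed from the running config and ifconfig output quoted in the thread.
RUNNING_CONFIG = """\
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 ip address 192.168.1.13 255.255.255.0
app-hosting appid guestshell
 app-vnic management guest-interface 0
  guest-ipaddress 192.168.1.14 netmask 255.255.255.0
"""
IFCONFIG = """\
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.30.2 netmask 255.255.255.248 broadcast 192.168.30.7
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
"""

def _iface(match):
    # (address, netmask) regex match -> IPv4Interface, or None if no match
    return ipaddress.ip_interface("/".join(match.groups())) if match else None

def parse_config(text):
    """Return (Mgmt-intf interface address, configured guest-ipaddress)."""
    mgmt = re.search(r"vrf forwarding Mgmt-intf\s+ip address (\S+) (\S+)", text)
    guest = re.search(r"guest-ipaddress (\S+) netmask (\S+)", text)
    return _iface(mgmt), _iface(guest)

def parse_ifconfig(text, name="eth0"):
    """Return the IPv4 address ifconfig reports for interface `name`, or None."""
    current = None
    for line in text.splitlines():
        head = re.match(r"(\S+): flags=", line)
        if head:
            current = head.group(1)  # start of a new interface stanza
        elif current == name:
            inet = re.match(r"\s*inet (\S+)\s+netmask (\S+)", line)
            if inet:
                return _iface(inet)

def check(config, ifconfig):
    """List mismatches between configured and effective guest addressing."""
    mgmt, wanted = parse_config(config)
    actual = parse_ifconfig(ifconfig)
    if actual is None:
        return ["eth0 has no IPv4 address"]
    findings = []
    if wanted and actual != wanted:
        findings.append(f"guest-ipaddress {wanted} not applied, eth0 has {actual}")
    if mgmt and actual.ip not in mgmt.network:
        findings.append(f"eth0 {actual} is outside Mgmt-intf subnet {mgmt.network}")
    return findings
```

Calling `check(RUNNING_CONFIG, IFCONFIG)` on the thread's outputs returns two findings; an empty list means the container address matches the configuration.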