guestshell issue on Catalyst 9300/9500/3850 with IOS-XE 16.9.x or higher

julian.bendix · ‎05-23-2020

Hi folks,

I am somehow unable to get my guestshell (in this example bash) to access my network.
At the end of the day I want to access the internet with it to install some apps.

Tried I on three different switches (Catalyst 3850/9300/9500) running 16.9.4, 16.12.1 and 16.12.2 IOS-XE Code..

After a lot of googling I tried couple different configs,
everytime I could access the guestshell afterwards, it had IP address 192.168.30.2 configured (not what I want).

After another bit of research, I came up with two different configs, where the guestshell is not even getting enabled any more (two different errors).

Posting my configs with corresponding errors below.
Also tried "guestshell destroy" followed by "conf t / no iox" followed by a "reload" in between, to be sure.

conf t

 iox

 interface VirtualPortGroup0
  ip unnumbered <MGMT INT>
  no shut
  exit

 app-hosting appid guestshell
  vnic gateway1 virtualportgroup 0 guest-interface 0 guest-ipaddress 172.20.81.110 netmask 255.255.255.0 gateway 172.20.81.109 name-server 8.8.8.8 default
  vnic management guest-interface 3 guest-ipaddress 172.20.81.111 netmask 255.255.255.0 gateway 172.20.81.109 name-server 8.8.8.8 default 
  end

guestshell enable 
% Error: Error while creating domain XML error: Domain interface: Missing required gateway attribute in route definition

conf t

 iox

 interface VirtualPortGroup0
  ip unnumbered <MGMT INT>
  no shut
  exit

 app-hosting appid guestshell
  vnic gateway1 virtualportgroup 0 guest-interface 0 guest-ipaddress 172.20.81.110 netmask 255.255.255.0 gateway 172.20.81.109 name-server 8.8.8.8 default
  vnic management guest-interface 0
  end

guestshell enable 
% Error: Duplicated interface number

I want to use VLAN81 for guestshell to access the internet .. interface vlan81 has 172.20.81.109 ..
<MGMT INT> above would be vlan81.

Any ideas on where I am going the wrong way and how to fix it?

Any input highly appreciated.

Thanks a lot in advance and best regards
Juls

balaji.bandi · ‎05-23-2020

here is some rerence guide :

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/prog/configuration/166/b_166_programmability_cg/guest_shell.html

DEVNET

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Naresh Murali · ‎05-23-2020

Hi julian.bendix ,

Please go through the below document:

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/prog/configuration/169/b_169_programmability_cg/guest_shell.html

I hope you are doing the Guest Shell using the Management VRF since it is only supported on this. Please see below comment from the above link:

"Front panel networking is not supported for: Cisco Catalyst 3650 Series Switches, Cisco Catalyst 3850 Series Switches, Cisco Catalyst 9300 Series Switches, and Cisco Catalyst 9500 Series Switches. The reason for this is that although the guestshell enable command with arguments can be entered, you cannot then configure NAT on these platforms and therefore networking does not work. Only the management mode is supported"

If you are using the Management VRF you dont need these virtual group. It will automatically work without that. Just enabling the guest shell is enough and Management VRF should be reachable through internet.

Hope this helps.

Regards

Naresh M

julian.bendix · ‎05-24-2020

Hi @Naresh Murali ,

thanks a lot for your reply.

Just to confirm, since 16.7.x, there is no other way anymore for the guestshell to have network access, than cabling the MGMT Port?

Unfortunately I don't have any MGMT Ports cabled so far..

Thanks and best regards
Julian

Naresh Murali · ‎05-24-2020

Hi julian.bendix,

Thanks the way move forward for now.

In case if i got something I will keep you posted.

Regards

Naresh M

omz · ‎05-23-2020

Hi

Have a look at this Cisco Live presentation -

https://www.ciscolive.com/c/dam/r/ciscolive/us/docs/2018/pdf/DEVNET-1695.pdf

interface VirtualPortGroup 0
ip address 192.168.35.1 255.255.255.0
ip nat inside

interface GigabitEthernet1  <<< Connect to Local Network
ip nat outside

ip access-list standard NAT_ACL
 permit 192.168.0.0 0.0.255.255

ip nat inside source list NAT_ACL interface GigabitEthernet1 overload

app-hosting appid guestshell
 app-vnic gateway0 virtualportgroup 0 guest-interface 0 guest-ipaddress 192.168.35.2 netmask 255.255.255.0 name-server0 208.67.222.222

I have configured this on a sandbox .. you can have a look at the config access guestshell here -

https://devnetsandbox.cisco.com/RM/Diagram/Index/27d9747a-db48-4565-8d44-df318fce37ad?diagramType=Topology

[guestshell@guestshell ~]$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=53 time=36.0 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=53 time=35.9 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=53 time=35.8 ms

Edit:

- Dont forget to disable and enable guestshell after making changes

- Guestshell works in NAT mode

- Guestshell vnic gets IP address in range 192.168.30.0/24 by default

- If you cannot enter arguments after guestshell enable

csr1000v#guestshell enable ?
  <cr>  <cr>

given method should work.

If you can give arguments then -

guestshell enable VirtualPortGroup 0 guest-ip 192.168.35.2 gateway 192.168.35.1 netmask 255.255.255.0 name-server208.67.222.222

julian.bendix · ‎05-24-2020

Hi @omz ,

thanks a lot for your reply.

So can you confirm, that there is absolutely no other way than going over MGMT Port Gi 0/0?

In older releases (16.6.x and before) this was possible.

Also, is it not possible anymore to use "ip unnumbered" on the VirtualPortGroup Interface?

Thanks and best regards
Julian

pboynton1 · ‎07-23-2020

julian,

I am stuck at the same spot as you! Trying to use ip unnumbered for the vpg, and not using the management vrf. Did you ever get this working?

julian.bendix · ‎08-02-2020

Hey!

Nope I never got this working.

It seems like in "newer" IOS-XE releases you really have to put it into the mgmt VRF and give it a seperate IP from your network, or NAT it internally ..

Unfortunately the mgmt Port isn't patched anywhere in my network,
so it seems I won't be able to get this working.

BR

Juls

leon.mflai · ‎09-14-2020

Hi, is this restriction to use only GigEth1 interface as dedicated Guestshell interface a limitation as of IOS-XE version 16.12 or later?

Lj_1975 · ‎09-03-2021

You're missing the add-default-gateway; the newer version don't seem to like gateway0 so use a 1 instead.. see attached pic with my running-config,,,

good luck!

aziabdullah · ‎06-26-2023

hello All,

after a while i manage to complete the guestshell setup on my Cat 9500 series.

This is my setup on Cisco Cat9500 series:

note: please be inform that im not using NAT on my setup and this setting is pretty straight forward.

interface VirtualPortGroup0
ip address 192.168.2.1 255.255.255.0
ip nat inside

interface GigabitEthernet0/0
vrf forwarding Mgmt-vrf
no ip address
ip nat outside

ip access-list extended NAT-ACL
10 permit ip 192.168.2.0 0.0.0.255 any

app-hosting appid guestshell
app-vnic gateway0 virtualportgroup 0 guest-interface 0
guest-ipaddress 192.168.2.2 netmask 255.255.255.0
app-default-gateway 192.168.2.1 guest-interface 0
name-server0 8.8.8.8