I am somehow unable to get my guestshell (in this example bash) to access my network.
At the end of the day I want to access the internet with it to install some apps.
I tried on three different switches (Catalyst 3850/9300/9500) running 16.9.4, 16.12.1 and 16.12.2 IOS-XE code.
After a lot of googling I tried a couple of different configs,
every time I could access the guestshell afterwards, it had IP address 192.168.30.2 configured (not what I want).
After another bit of research, I came up with two different configs, where the guestshell is not even getting enabled any more (two different errors).
Posting my configs with corresponding errors below.
Also tried "guestshell destroy" followed by "conf t / no iox" followed by a "reload" in between, to be sure.

    conf t
    iox
    interface VirtualPortGroup0
     ip unnumbered <MGMT INT>
     no shut
     exit
    app-hosting appid guestshell
     vnic gateway1 virtualportgroup 0 guest-interface 0 guest-ipaddress 172.20.81.110 netmask 255.255.255.0 gateway 172.20.81.109 name-server 22.214.171.124 default
     vnic management guest-interface 3 guest-ipaddress 172.20.81.111 netmask 255.255.255.0 gateway 172.20.81.109 name-server 126.96.36.199 default
     end
    guestshell enable
    % Error: Error while creating domain XML error: Domain interface: Missing required gateway attribute in route definition


    conf t
    iox
    interface VirtualPortGroup0
     ip unnumbered <MGMT INT>
     no shut
     exit
    app-hosting appid guestshell
     vnic gateway1 virtualportgroup 0 guest-interface 0 guest-ipaddress 172.20.81.110 netmask 255.255.255.0 gateway 172.20.81.109 name-server 188.8.131.52 default
     vnic management guest-interface 0
     end
    guestshell enable
    % Error: Duplicated interface number

I want to use VLAN81 for guestshell to access the internet .. interface vlan81 has 172.20.81.109 ..
<MGMT INT> above would be vlan81.
Any ideas on where I am going the wrong way and how to fix it?
Any input highly appreciated.
Thanks a lot in advance and best regards
Here is some reference guide:
Hi julian.bendix ,
Please go through the below document:
I hope you are doing the Guest Shell using the Management VRF since it is only supported on this. Please see below comment from the above link:
"Front panel networking is not supported for: Cisco Catalyst 3650 Series Switches, Cisco Catalyst 3850 Series Switches, Cisco Catalyst 9300 Series Switches, and Cisco Catalyst 9500 Series Switches. The reason for this is that although the guestshell enable command with arguments can be entered, you cannot then configure NAT on these platforms and therefore networking does not work. Only the management mode is supported"
If you are using the Management VRF you don't need these virtual groups. It will automatically work without that. Just enabling the guest shell is enough and Management VRF should be reachable through internet.
Hope this helps.
Hi @Naresh Murali ,
thanks a lot for your reply.
Just to confirm, since 16.7.x, there is no other way anymore for the guestshell to have network access, than cabling the MGMT Port?
Unfortunately I don't have any MGMT Ports cabled so far..
Thanks and best regards
Thanks the way move forward for now.
In case I get something, I will keep you posted.
Have a look at this Cisco Live presentation -

    interface VirtualPortGroup 0
     ip address 192.168.35.1 255.255.255.0
     ip nat inside
    interface GigabitEthernet1    <<< Connect to Local Network
     ip nat outside
    ip access-list standard NAT_ACL
     permit 192.168.0.0 0.0.255.255
    ip nat inside source list NAT_ACL interface GigabitEthernet1 overload
    app-hosting appid guestshell
     app-vnic gateway0 virtualportgroup 0 guest-interface 0
      guest-ipaddress 192.168.35.2 netmask 255.255.255.0
     name-server0 184.108.40.206

I have configured this on a sandbox .. you can have a look at the config access guestshell here -

    [guestshell@guestshell ~]$ ping 220.127.116.11
    PING 18.104.22.168 (22.214.171.124) 56(84) bytes of data.
    64 bytes from 126.96.36.199: icmp_seq=1 ttl=53 time=36.0 ms
    64 bytes from 188.8.131.52: icmp_seq=2 ttl=53 time=35.9 ms
    64 bytes from 184.108.40.206: icmp_seq=3 ttl=53 time=35.8 ms

- Don't forget to disable and enable guestshell after making changes
- Guestshell works in NAT mode
- Guestshell vnic gets IP address in range 192.168.30.0/24 by default
- If you cannot enter arguments after guestshell enable

    csr1000v#guestshell enable ?
      <cr> <cr>

given method should work.
If you can give arguments then -

    guestshell enable VirtualPortGroup 0 guest-ip 192.168.35.2 gateway 192.168.35.1 netmask 255.255.255.0 name-server 220.127.116.11

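
Added example, not part of the post above and not Cisco tooling: a small offline pre-check for the NAT-mode approach in that post, run against a pasted config before `guestshell enable`. It verifies that the guest address sits inside the VirtualPortGroup subnet, that the NAT ACL's wildcard mask actually matches it, and that no `guest-interface` number is reused. Assumptions: the function names and the constructed sample are illustrative, a single appid is present, and tying the "Duplicated interface number" error to a reused number is inferred from the second failing config earlier in the thread.

```python
import ipaddress
import re

# Constructed sample, retyped from the NAT-mode config in the post above
# (name-server line left out; these checks do not use it).
SAMPLE = """\
interface VirtualPortGroup 0
 ip address 192.168.35.1 255.255.255.0
 ip nat inside
interface GigabitEthernet1
 ip nat outside
ip access-list standard NAT_ACL
 permit 192.168.0.0 0.0.255.255
ip nat inside source list NAT_ACL interface GigabitEthernet1 overload
app-hosting appid guestshell
 app-vnic gateway0 virtualportgroup 0 guest-interface 0
  guest-ipaddress 192.168.35.2 netmask 255.255.255.0
"""

def wildcard_match(addr, base, wildcard):
    """Standard-ACL match: bits set in the wildcard are 'don't care'."""
    care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
    a, b = int(ipaddress.ip_address(addr)), int(ipaddress.ip_address(base))
    return (a & care) == (b & care)

def check_guestshell_nat(cfg):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    vpg = re.search(r"interface VirtualPortGroup ?\d+\n"
                    r" ip address (\S+) (\S+)\n((?: .*\n)*)", cfg)
    guests = re.findall(r"guest-ipaddress (\S+) netmask \S+", cfg)
    ifnums = re.findall(r"guest-interface (\d+)", cfg)  # assumes one appid
    permits = re.findall(r"^ permit (\S+) (\S+)$", cfg, re.M)
    if len(ifnums) != len(set(ifnums)):
        problems.append("duplicate guest-interface number")
    if not vpg:
        return problems + ["VirtualPortGroup has no IP address"]
    if "ip nat inside" not in vpg.group(3):
        problems.append("VirtualPortGroup is not 'ip nat inside'")
    net = ipaddress.ip_network(f"{vpg.group(1)}/{vpg.group(2)}", strict=False)
    for ip in guests:
        if ipaddress.ip_address(ip) not in net:
            problems.append(f"guest {ip} is outside {net}")
        if not any(wildcard_match(ip, b, w) for b, w in permits):
            problems.append(f"guest {ip} is not permitted by the NAT ACL")
    return problems

if __name__ == "__main__":
    print(check_guestshell_nat(SAMPLE) or "no problems found")
```
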
Hi @omz ,
thanks a lot for your reply.
So can you confirm, that there is absolutely no other way than going over MGMT Port Gi 0/0?
In older releases (16.6.x and before) this was possible.
Also, is it not possible anymore to use "ip unnumbered" on the VirtualPortGroup Interface?
Thanks and best regards
I am stuck at the same spot as you! Trying to use ip unnumbered for the vpg, and not using the management vrf. Did you ever get this working?
Nope I never got this working.
It seems like in "newer" IOS-XE releases you really have to put it into the mgmt VRF and give it a separate IP from your network, or NAT it internally ..
Unfortunately the mgmt Port isn't patched anywhere in my network,
so it seems I won't be able to get this working.