Lab 9: Guest Shell

Lab 9: Guest Shell

Configuring a Guest Shell on Cisco Routers.

Step 1: Enable IOx

  1. On cisco IOS XE CRS1000v router configure the following command.
config t

Iox will take some time to start. So wait about 5 minutes

  1. Issue following command to check status of IOx service
show iox-service

Following output will be seen

IOx Infrastructure Summary:
IOx service (CAF) 	: Running
IOx service (HA)          	: Not Supported
IOx service (IOxman)      	: Running
Libvirtd   1.3.4          	: Running

IOxman and Libvirtd services must be running to enable GuestShell successfully.

Step 2: Enabling Guest Shell

Configuration must be done to enable communication of Guest Shell container with outside network and ISO-XE router.

To enable the communication between container and IOS XE router it is necessary to create a new VirtualPortGroup interface,

VirtualPortGroup interface should be in same broadcast domain as the Guest Shell container.

Network configuration on the host router.

  1. Configure following commands:
conf t
interface VirtualPortGroup0
 ip address

Network configuration of the Container.

Guest Shell should be configured with IP address, default gateway and DNS server.

  1. Configure following commands:
conf t
app-hosting appid guestshell
 vnic gateway1 virtualportgroup 0 guest-interface 0 guest-ipaddress netmask gateway name-server

NAT configuration of the host.

  1. Container should be connected to internet and to achieve this NAT should be configured:
conf t
interface VirtualPortGroup0
 ip nat inside
interface GigabitEthernet3
 ip nat outside
ip access-list extended NAT-ACL
 permit ip any
ip nat inside source list NAT-ACL interface GigabitEthernet3 overload

All required configurations are done and router is ready to start Guest Shell:

Stating Guest Shell

  1. To enable the Guest Shell, Type the following command:
guestshell enable

following output will be seen:

Interface will be selected if configured in app-hosting
Please wait for completion
guestshell activated successfully
Current state is: ACTIVATED
guestshell started successfully
Current state is: RUNNING
Guestshell enabled successfully

Verify your Guest Shell

  1. Type the following command:
#show app-hosting detail
App id                 : guestshell
Owner                  : iox
State                  : RUNNING
  Type                 : lxc
  Name                 : GuestShell
  Version              : 2.5.1
  Description          : Cisco Systems Guest Shell XE for x86_64
  Path                 : /guestshell/:guestshell.tar
Activated profile name : custom

Resource reservation
  Memory               : 512 MB
  Disk                 : 1 MB
  CPU                  : 800 units
  VCPU                 : 1

Attached devices
  Type              Name               Alias
  serial/shell     iox_console_shell   serial0
  serial/aux       iox_console_aux     serial1
  serial/syslog    iox_syslog          serial2
  serial/trace     iox_trace           serial3

Network interfaces
   MAC address         : 52:54:dd:55:f2:70
   IPv4 address        :
   Network name        : VPG0

Port forwarding
  Table-entry  Service  Source-port  Destination-port

Step 3: Working with the Guest Shell

  1. To enter Guest Shell, give following command:

Guest Shell container provides CentOS flavor and shell.

sudo command are allowed without a password as the guestshell user is member of sudo group.

  1. Let us play around with the shell:
[guestshell@guestshell ~]$ pwd
[guestshell@guestshell ~]$ whoami
[guestshell@guestshell ~]$ hostnamectl
   Static hostname: guestshell
         Icon name: computer-container
           Chassis: container
        Machine ID: d1133315e44e4ef0b1baef5c0d0eecc9
           Boot ID: 36e84546a1b147ec928b2f9036d87ec3
    Virtualization: lxc-libvirt
  Operating System: CentOS Linux 7 (Core)
       CPE OS Name: cpe:/o:centos:centos:7
            Kernel: Linux 4.19.64
      Architecture: x86-64
[guestshell@guestshell ~]$
[guestshell@guestshell ~]$ cat /etc/centos-release
CentOS Linux release 7.5.1804 (Core)

Running CLI command from Guest Shell

  1. Type CLI command from within the guest shell use dohost binary:
[guestshell@guestshell ~]$ dohost "sho ip int brief"

Interface			IP-Address	OK? 	Method	Status	Protocol
GigabitEthernet1   	YES 	NVRAM	up 	up
GigabitEthernet2	YES 	NVRAM  	down	down
GigabitEthernet3	YES 	NVRAM  	down 	down
Loopback1   	YES 	NVRAM  	up   	up
VirtualPortGroup0	YES 	NVRAM  	up	up

[guestshell@guestshell ~]$

Installing git and nano on Guest Shell

  1. Type following CLI command in guest shell:
[guestshell@guestshell ~]$ sudo yum install -y git nano

Cloning RSTForum git repository

  1. Type following CLI command in guest shell:
[guestshell@guestshell ~]$ git clone 


  1. Type following CLI command in guest shell:
[guestshell@guestshell ~]$ cd knowledgebase/netconf/
[guestshell@guestshell netconf]$ sudo pip install -r requirements.txt

Setup SSH with Host Machine

  1. Run following CLI command in guest shell:
[guestshell@guestshell netconf]$ ssh [email protected]
The authenticity of host ' (' can't be established.
RSA key fingerprint is SHA256:nJ+pjK9MKzpHnHhZgBOEBS+XxXr5r85ZYJDfYDuLeX0.
RSA key fingerprint is MD5:21:bf:73:78:a2:ef:77:c3:40:10:a8:4c:5c:92:88:4b.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '' (RSA) to the list of known hosts.
[email protected]'s password:

Check Python NETCONF Script

  1. Type following CLI command in guest shell:
[guestshell@guestshell netconf]$ python
<?xml version="1.0" ?>
<rpc-reply message-id="urn:uuid:21ab2152-b9c9-4a02-b3d1-41247747c000" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0">
                <native xmlns="">
                                        <name xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0">2</name>
                                        <description>RSTForum NETCONF Script</description>
                                        <negotiation xmlns="">



  1. Type following CLI command in guest shell:
[guestshell@guestshell netconf]$ curl -i -k -X "GET" ";name" -H 'Accept: application/yang-data+json' -u 'cisco:cisco'
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 12 Jun 2020 15:26:51 GMT
Content-Type: application/yang-data+json
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: private, no-cache, must-revalidate, proxy-revalidate
Pragma: no-cache

  "Cisco-IOS-XE-native:ip": {
    "address": {
      "primary": {
        "address": "",
        "mask": ""
[guestshell@guestshell restconf]$