Running a Cisco IOx App on a Cisco IE93xx Series Switch

The Cisco IE9300 Series is a family of ruggedized, industrial Ethernet switches designed to meet the demands of harsh environments and critical infrastructures such as industrial automation, utilities, transportation, and smart cities.

An additional license is not required to run IOx on Cisco IE9300 series switches as IOx is included in the Network Essentials feature set.

Supported Platforms

  • IE9310-26S2C-E/A
  • IE9320-26S2C-E/A
  • IE9320-22S2C4X-E/A
  • IE9320-24P4S-E/A
  • IE9320-24T4X-E/A
  • IE9320-24P4X-E/A
  • IE9320-16P8U4X-E/A

For more information refer to the product documentation: https://www.cisco.com/c/en/us/products/collateral/switches/catalyst-ie9300-rugged-series/catalyst-ie9300-rugged-series-ds.html

System Resources Available for IOx

For the system resources requirements, see the Platform Matrix on DevNet: https://developer.cisco.com/docs/iox/#!platform-support-matrix/platform-support-matrix

Formatting an SD Card and Enabling IOx

An SD card with size greater than or equal to 4GB must be formatted with the ext4 file system before you can enable Cisco IOx on the device. Formatting an SD card permanently deletes any data that is on that card.

To format an SD card: 1. Insert the SD card in the SD-card slot on the device. 2. Enter the command partition sdflash: iox to format the SD card with the ext4 file system. Leave the card in the device until the operation completes.

Enabling Cisco IOx

IOx is disabled by default and needs to be enabled. During enablement, IOx copies a number of essential files to the SD card. Disable IOx before removing the card.

Use an SSH client to access the switch, and enter the following commands to enter terminal monitor mode and enable IOx:

  • conf t
  • iox
  • end
   IE9300-Stack(config)#iox
   Warning: Do not remove SD flash card when IOx is enabled or errors on SD device could occur.

   IE9300-Stack(config)#
   *May 31 18:42:17.718: %UICFGEXP-6-SERVER_NOTIFIED_START: Switch 1 R0/0: psd: Server iox has been notified to start
   *May 31 18:42:17.718: %UICFGEXP-6-SERVER_NOTIFIED_START: Switch 2 R0/0: psd: Server standby-ioxcfg has been notified to start
   *May 31 18:42:49.413: %IM-6-IOX_ENABLEMENT: Switch 1 R0/0: ioxman: IOX is ready.

Enter the following commands to verify that CAF, IOxman, Libvirtd, and Dockerd are in Running state:

  • show iox
   IE9300-Stack#show iox 

   IOx Infrastructure Summary:
   ---------------------------
   IOx service (CAF)              : Running
   IOx service (HA)               : Running 
   IOx service (IOxman)           : Running 
   IOx service (Sec storage)      : Running 
   Libvirtd 5.5.0                 : Running
   Dockerd v19.03.13-ce           : Running
   Redundancy Status              : Ready 
   Sync status                    : Successful
   Last application sync time     : 2024-05-31 18:42:54.027350

   IE9300-Stack#

Configuring the AppGigabitEthernet Interface

For network connectivity to IOx applications, Cisco IE9300 series switches provide an internal virtual switch interface called AppGigabitEthernet1/0/1. This interface connects to an internal Linux bridge to which the different IOx apps are connected. Apps can have one or more interfaces and be placed in any VLAN.

Note: Only L2 mode ("switchport") is supported for an AppGigabitEthernet1/0/1 interface.

Enter the following commands to configure the AppGigabitEthernet1/0/1interface as a trunk and to allow the VLANs (in this case VLAN 10) that IOx apps require. Configure the IPv4 or IPv6 address as necessary

  • conf t

  • interface AppGigabitEthernet1/0/1

  • switchport mode trunk

  • switchport trunk allowed vlan 10

  • end

  • interface Vlan10

  • ip address 10.10.10.1 255.255.255.0

  • ipv6 address 2001::1/64

  • end

Before you can install an IOx app on a device, you must configure the appid, VLANs, and the IP address for the app. The appid parameter is string that you enter to identify the app. You can configure one app with several interfaces (for example, one for management and one for monitoring).

  • Network interfaces are represented as eth0, eth1… inside the app.
  • Configurable app resources include CPU, Memory, VCPU(s), and persistent disk.

Here is an example of the configuration that is needed:

  • appid is configured as App1.
  • eth0 network interface is in vlan 10
IE9300-Stack(config)#app-hosting appid App1
IE9300-Stack(config-app-hosting)#app-vnic AppGigabitEthernet trunk
IE9300-Stack(config-config-app-hosting-trunk)#vlan 10 guest-interface 0
IE9300-Stack(config-config-app-hosting-vlan-access-ip)#guest-ipaddress 10.10.10.11 netmask 255.255.255.0
IE9300-Stack(config-config-app-hosting-vlan-access-ip)#app-default-gateway 10.10.10.1 guest-interface 0

Installing and Starting an App

This section explains how to copy, install, activate, and start an app. If changes are to be made to the IOx application (network, resources, and so forth), the IOx application needs to be stopped, deactivated and activated which is when the changes made will come into effect and the IOx application can be started.

  1. Enter this command to install the app package, where appid is the ID that is assigned to the app:

    IE9300-Stack# app-hosting install appid App1 package ‘flash:CiscoCyberVision-IOx- aarch64-4.2.0.tar Installing package 'bootflash:CiscoCyberVision-IOx- aarch64-4.2.0.tar ' for ‘App1'. Use 'show app-hosting list' for progress. 
IE9300-Stack#sh app-hosting list
App id                                   State
---------------------------------------------------------
App1                                    DEPLOYED

  1. Enter this command to activate the app:

    IE9300-Stack#app-hosting activate appid App1

    App1 activated successfully
    Current state is: ACTIVATED

  2. When you see the message that the app is activated successfully, enter the following command to start the app:

    IE9300-Stack#app-hosting start appid App1

    App1 started successfully Current state is: RUNNING

Iox App Sign verification

During the Installation of the app it is verified if the App is .signed or not. The option for sign verification can be enabled or disabled with the command

IE9300-Stack#app-hosting verification ?
  disable  App verification disable
  enable   App verification enable
IE9300-Stack#

The sign verification enabled or disabled can be verified with the ‘show app-hosting infra’ cli. 

IE9300-Stack#show app-hosting infra 
IOx version: 2.11.0.0
App signature verification: disabled
Internal working directory: /mnt/usb0/IOx

Application Interface Mapping
|AppGigabitEthernet Port # |  Interface Name         |  Port Type        |Bandwidth  |
|--------------------------|-------------------------|-------------------|-----------|
|           1              | AppGigabitEthernet1/0/1 |KR Port - Internal |  1G       |

When sign verification is enabled any “unsigned app cannot be activated” and signed app can move to different states irrespective of the app sign verification enabled or disabled. We can disable or enable sign verification at any time irrespective of any installed app states

Quitting and Uninstalling the App

IE9300-Stack#app-hosting stop appid App1 
App1 stopped successfully
Current state is: STOPPED
IE-9300-Stack#

IE9300-Stack#app-hosting deactivate appid App1 
App1 deactivated successfully
Current state is: DEPLOYED
IE-9300-Stack#

IE9300-Stack#app-hosting uninstall appid App1 
Uninstalling 'App1 '. Use 'show app-hosting list' for progress.
IE-9300-Stack#

IOx on IE9300 Stacked Environment

  • IOx HA is not supported on IE9300
  • When IOx is enabled, the service will be executing on the Active switch of the Stack
  • The IOx service and meta data will not be synced with the standby
  • Only the active Switch sdflash will be used for the IOx storage
  • Configuration related to the app will be synced with Standby and after switchover the Apps need a fresh installation