ISR 8xx Platforms
The Cisco 800 Series ISRs come in various fixed configurations and deliver a consistent experience to suit heterogeneous deployment scenarios, feature requirements, performance levels and use cases.
Please see the following page for more information:
Cisco 800 Series Routers - Products & Services
The c800 is an attractive device for hosting third-party applications. Some of its advantages are:
- Small form factor
- Hardened package available
- Low power consumption
- Wireless modem available (3G/4G) - enabling mobile application
- Can be connected to serial devices (through the front-panel connector)
Platform architecture – high level
Additional software is included in an IOS image that has IOx support to provide the Application Hosting capability.
When an IOx enabled IOS image is running on c800 platforms, the software distribution is as follows:
- IOS is running on the first CPU core
- IOx Infrastructure and Hosted Applications are running on the 2nd CPU core
IOS:
IOS controls and manages most of the device. It:
- Boots the first core (ROMMON)
- Controls almost all peripherals: network interfaces, console port, serial interface(s), storage, and so on
- Bootstraps Linux on the 2nd CPU core (in AMP mode), which provides the Application Hosting feature (IOx)
- Handles all network traffic of the device
IOx Infra:
IOx Infra communicates with IOS through ICC (inter-core communication) to interact with devices:
- Access to network
- Receive CLI config/exec statements (from IOS config)
- Access to storage/flash (through NFS).
- IOx (based on Linux) is bootstrapped by IOS at system bootup.
IOS image
The minimum IOS version required for IOx support is 15.6(1)T1.
Image download, install and enable IOx
You need to install an IOx-enabled IOS image on the c800 platform to enable IOx application hosting. Installing a release IOS image installs IOS on the 1st core and the IOx-infra Linux image on the 2nd core.
It is possible to install the IOx-infra Linux image separately in special cases. The IOx-infra Linux image is booted independently with the following IOS commands:
iox-819-03#conf t
Enter configuration commands, one per line. End with CNTL/Z.
iox-819-03(config)#iox
iox-819-03(config-iox)#host boot flash:p1021_c800.20160112.bin
iox-819-03(config-iox)#end
iox-819-03#
iox-819-03#write
Building configuration...
[OK]
iox-819-03#reload
Proceed with reload? [confirm]
For the above steps to work, the IOx-infra Linux image and any accompanying binary files must be copied to flash via regular IOS procedures.
Flash storage usage by applications
The storage capability on c800 series for the application is very limited.
The limiting factors originate from the platform's design:
- The flash device is controlled by IOS
- Software running on the 2nd core (IOx Infrastructure and Application) accesses the data through NFS (NFS server hosted by IOS)
This prevents certain usage scenarios from the application's perspective. Some of the side effects are:
- Files used by the application are "visible" from IOS
- The Application can't format or create partitions
Cisco 800 series devices do not provide dedicated storage for apps. These devices have a single, soldered-on flash storage that is shared between Cisco IOS and apps. The flash part is not field replaceable.
Flash has a finite number of P/E cycles. Flash lasts as long as the device lifecycle if the flash is used only for Cisco IOS configuration. If apps write to the flash frequently, flash wear out becomes a serious concern.
Developers and customers are encouraged to monitor and throttle the frequency of writes to flash. If an application or use case demands frequent writes or a large amount of data storage, we recommend that data be exported for off-device storage.
Number of applications:
There is no limit for number of PAAS applications that can be activated and running on a c800 series platform as long as total system resources are available.
Only one VM-style application can be activated and running at a time on these platforms. This limit is enforced because of practical memory constraints on the platform and because the KVM virtual machine places additional memory overhead on the host system.
IOS configuration to enable IOx
Let's go through the basic configuration which is the first step towards setting up your networking to access IOx Hosting Infra and the Application properly.
1-) First of all, set up the internal networking so that IOS can talk to the IOx infrastructure.
You have to do this no matter which scenario you are running the box in.
1a) Start off by configuring the score interface on IOS, which is Ethernet1
iox-819-13#config t
iox-819-13(config)#interface Ethernet1 // get into interface submode
iox-819-13(config-if)#ip address 192.168.3.1 255.255.255.0 // set the ip address/mask for this interface
iox-819-13(config-if)#ip nat inside // this interface is on the inside of NAT
iox-819-13(config-if)#no shutdown // make sure interface comes up
iox-819-13(config-if)#exit // exit interface submode
1b) Next, configure the IOx Host Infrastructure interface IP address.
iox-819-13(config)#iox // enter iox submode
iox-819-13(config-iox)#host ip address 192.168.3.2 255.255.255.0 // configure IOx hosting infrastructure IP and netmask
iox-819-13(config-iox)#host ip default-gateway 192.168.3.1 // configure the default gateway
iox-819-13(config-iox)#exit // exit iox submode
At this point you should be able to ping "host ip address" from IOS.
2-) The next step would be to configure the external networking so that the router can be reached from outside
2a) Set up the external interface IP address
iox-819-13(config)#interface GigabitEthernet0 // get into interface submode
iox-819-13(config-if)#ip address 1.100.30.113 255.255.255.0 // set the ip address/mask for this interface
iox-819-13(config-if)#ip nat outside // this interface is on the outside of NAT
iox-819-13(config-if)#no shutdown // make sure interface comes up
iox-819-13(config-if)#exit // exit interface submode
2b) Set the default gateway and route
iox-819-13(config)#ip default-gateway 1.100.30.1
iox-819-13(config)#ip route 0.0.0.0 0.0.0.0 1.100.30.1
At this point the router should be pingable from outside the box on the external interface IP
3-) Now we set up IP addresses allowed inside the NAT
3a) We create an access-list for the set of addresses that will be inside the NAT and need to be translated
iox-819-13(config)#ip access-list standard NAT_ACL // get into standard access-list submode
iox-819-13(config-std-nacl)# permit 192.168.0.0 0.0.255.255 // all IP addresses in 192.168.0.0/16 subnet qualify for NAT
iox-819-13(config-std-nacl)# exit //exit access-list submode
3b) We map the access list to the external interface on which the internal IPs will be translated
iox-819-13(config)#ip nat inside source list NAT_ACL interface GigabitEthernet0 overload
NAT is now configured. One thing remains before the IOx infrastructure can be accessed externally: since the IOx hosting infrastructure IP is behind NAT, we need to add a PAT entry to reach it.
4-) We will map an external interface port to the port IOx hosting infrastructure is using
iox-819-13(config)#ip nat inside source static tcp 192.168.3.2 8443 interface GigabitEthernet0 8443
With the configuration so far in place, the Local WebUI login page should be accessible externally at: https://{GE0-ip-address}:8443/
VirtualPortGroup configuration - Developer mode
In this scenario:
- The router is not used for actual routing. It is at the edge of the network.
- This mode suits developers who just need the application to have access to the external network
- The Application sits behind a NAT. So, a DHCP pool assigning a local IP address is configured on IOS.
1-) We configure the VirtualPortGroup interface which talks to the applications as follows. Here the VirtualPortGroup (VPG) is sitting behind the NAT. Alternative VPG configuration is also possible and shown in the next section.
iox-819-13(config)#interface VirtualPortGroup0 // enter the VirtualPortGroup interface submode. Only VPG0 is allowed.
iox-819-13(config-if)#ip address 192.168.1.1 255.255.255.0 // set the ip address/mask for this interface
iox-819-13(config-if)#ip nat inside // this interface is on the inside of NAT
iox-819-13(config-if)#no shutdown // make sure interface comes up
iox-819-13(config-if)#exit // exit interface submode
2-) We will configure a DHCP network pool on IOS from which application can get an IP address via DHCP
2a) Configure the DHCP pool for the network (in this case 192.168.1.0/24). We also set up the NTP servers here
iox-819-13(config)#ip dhcp pool iox-apps // enter the ip dhcp pool submode with name "iox-apps"
iox-819-13(dhcp-config)#network 192.168.1.0 255.255.255.0 // network pool serviced by this DHCP server
iox-819-13(dhcp-config)#default-router 192.168.1.1 // default route for a host
iox-819-13(dhcp-config)#domain-name sample.com // domain name for a client
iox-819-13(dhcp-config)#dns-server 171.70.168.183 // DNS server available to a DHCP client
iox-819-13(dhcp-config)#option 42 ip 171.68.38.65 1.100.30.113 // Configure option 42 to send NTP server details to the application. Here we give a public NTP server (1.ntp.esl.cisco.com) and a local NTP master as backup
iox-819-13(dhcp-config)#exit // exit the dhcp pool submode
2b) Exclude the addresses which you don't want to be assigned
iox-819-13(config)#ip dhcp excluded-address 192.168.1.0 192.168.1.2
2c) Configure ntp master as backup
iox-819-13(config)#ntp master
Alternative VirtualPortGroup configuration - Stationary mode
In this scenario:
- The router is used for actual routing. It is at the middle of the network.
- This mode suits users who need the application to have access to and be accessible from the external network.
- The Application does not sit behind a NAT.
- The VirtualPortGroup borrows the external interface IP address. Now it can be reached from outside the router.
- The Application gets its interface IP from an external DHCP server by relaying the DHCP request through the VirtualPortGroup. It will also get an external IP address.
We configure the VirtualPortGroup interface which talks to the application. In this scenario, since the DHCP server is external, all we need to do is configure the VirtualPortGroup with an IP helper.
iox-819-13#config t
iox-819-13(config)#interface VirtualPortGroup0 // enter the VirtualPortGroup interface submode. Only VPG0 is allowed.
iox-819-13(config-if)#ip unnumbered GigabitEthernet0 // borrow the ip from external interface by configuring this interface as unnumbered
iox-819-13(config-if)#ip helper-address 1.100.30.114 // set the IP address of the external DHCP server (it should be accessible from IOS)
iox-819-13(config-if)#no shutdown // make sure interface comes up
iox-819-13(config-if)#exit // exit interface submode
iox-819-13(config)#exit // exit configure mode
Mobile with Cellular Configuration
Characteristics of this mode:
- Router is mobile with Cellular connectivity (the only WAN link)
- VirtualPortGroup and Application are behind NAT, overloading cellular interface IP address
- Application obtains IP address from internal DHCP
- Application management model depends on the type of IP address subscribed from cellular service provider being public or private
Configuration essence:
- Configure Cellular interface instead of GigabitEthernet interface as the WAN link
- Modify references to Cellular interface (instead of GigabitEthernet) for default route, NAT address overload and PAT
- Assign VirtualPortGroup its own IP address
- Configure local DHCP pool for application
Cellular basics:
Below is a sample configuration to leverage the Cellular capability of c819. Please also refer to the following link for more details: Cisco 819 Cellular Configuration Guide
// Define the Cellular modem AT command when dialer is initiated
iox-819-13#config terminal
iox-819-13(config)#chat-script lte "" "AT!CALL1" TIMEOUT 20 "OK"
// Configure the Cellular Controller
iox-819-13(config)#controller cellular 0
// Enable GPS features
iox-819-13(config-controller)#lte gps mode standalone
iox-819-13(config-controller)#lte gps nmea ip
// Enable link recovery for modem if desired and configure associated parameters
iox-819-13(config-controller)#lte modem link-recovery rssi onset-threshold -110
iox-819-13(config-controller)#lte modem link-recovery monitor-timer 20
iox-819-13(config-controller)#lte modem link-recovery wait-timer 10
iox-819-13(config-controller)#lte modem link-recovery debounce-count 5
// Configure the Cellular interface
iox-819-13(config-controller)#interface cellular 0
iox-819-13(config-if)#ip address negotiated // IP address to be assigned by service provider
iox-819-13(config-if)#ip nat outside // set to be the NAT outside interface
iox-819-13(config-if)#ip virtual-reassembly in // enable virtual fragment reassembly ingress
iox-819-13(config-if)#encapsulation slip // select SLIP encap
iox-819-13(config-if)#load-interval 30 // specify interval for interface load calculation
iox-819-13(config-if)#dialer in-band // configure various DDR commands for modem
iox-819-13(config-if)#dialer idle-timeout 0
iox-819-13(config-if)#dialer string lte // specify dialer script (defined in chat-script)
iox-819-13(config-if)#dialer-group 1 // assign dialer-list (configured later)
iox-819-13(config-if)#no peer default ip address // no default IP address for point-to-point peer
iox-819-13(config-if)#async mode interactive // can be switched between async use and interactive
iox-819-13(config-if)#routing dynamic // participates in routing
iox-819-13(config-if)#exit
// Create a dialer list for DDR about traffic of interest
iox-819-13(config)#dialer-list 1 protocol ip permit
// Specify line for modem use
iox-819-13(config)#line 3
iox-819-13(config-line)#script dialer lte // specify chat script
iox-819-13(config-line)#modem inout // allow both direction for modem use
Configuration highlights for IOx to use Cellular as the WAN interface
// Basics
iox-819-13#config terminal
// set default IP route using Cellular interface
iox-819-13(config)#ip route 0.0.0.0 0.0.0.0 cellular 0
// set NAT inside source access list and enable address overloading on Cellular interface
iox-819-13(config)#ip nat inside source list NAT_ACL interface cellular 0 overload
// add PAT entry for this NAT
iox-819-13(config)#ip nat inside source static tcp 192.168.3.2 8443 interface cellular 0 8443
// VirtualPortGroup
iox-819-13(config)#interface VirtualPortGroup 0
iox-819-13(config-if)#ip address 192.168.1.1 255.255.255.0
iox-819-13(config-if)#ip nat inside
iox-819-13(config-if)#exit
// Internal DHCP pool
// Please refer to examples in previous sections
Cellular IP address type
When a user subscribes to a cellular service, the provider usually assigns a private IP address by default. However, there is an option to choose a public address instead. While similar IOS configurations work for both cases, the table below explains the major differences and their impact on your IOx application:
| | Public IP address | Private IP address |
|---|---|---|
| Routing | Routable in internet space | Being private to provider’s domain, the address needs to be translated to a public one before it is routable in internet space |
| Availability and cost | Please check with local providers for availability and any additional charge | Common provision offered by most providers |
| Static vs dynamic | Static | Usually dynamic, implying that the address will most likely change each time the router re-attaches to the Cellular network (for instance after the router reloads or the Cellular interface resets) |
| IOx application management | Same as Stationary Ethernet mode | Since the router is behind the provider’s NAT, the user will not be able to access the router’s web server port. Therefore the application can only be managed locally via the router’s console port or LAN switch ports with IOS virtual-service CLIs. |
Configuring user privileges on IOS
Before the IOx Hosting Infrastructure can be used for application management, either through the Local WebUI or by issuing REST API commands, the user has to authenticate with it. The IOx Hosting Infrastructure relies on IOS local user authentication for this purpose. This is the same local user authentication that lets a user identify themselves to IOS to get administrative access. Only users who have a password configured with privilege level 15 on IOS are eligible to log on to the Local WebUI. This section shows how to configure user privileges for IOx.
To start, configure a username and password on IOS. To do this, log on to your router and issue the following commands:
// Enter the configure terminal mode
iox-819-13#config t
Enter configuration commands, one per line. End with CNTL/Z.
// Add privilege level 15 for user: johndoe. "secret" means password - which is entered right after: !john^*!doe!123!
iox-819-13(config)#username johndoe privilege 15 secret !john^*!doe!123!
// Enter end to get out of configure terminal mode
iox-819-13(config)#end
*Oct 17 18:58:06.173: %SYS-5-CONFIG_I: Configured from console by console
// Check if the user was added by doing a section search for username in running-config
iox-819-13#sh run | sec username
username johndoe privilege 15 secret 5 $1$vQHM$Q6FFDsfgsk4YMTKEt75KF0
After adding your user, you should be able to log in to the Local Manager UI.
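The static PAT entry from step 4 puts the Local WebUI login on the outside interface, and every privilege 15 IOS user can authenticate to it. The Python audit below is an added example, not part of the original Cisco documentation: it reads a running-config and lists what is published through NAT and which accounts can log in to it. The sample config is constructed from the commands on this page (the `viewer` account and its hash are made up), and the function names are illustrative.

```python
import ipaddress
import re

# Constructed running-config fragment assembled from the commands on this page;
# the "viewer" account and its hash are made up for the example.
SAMPLE_CONFIG = """\
username johndoe privilege 15 secret 5 $1$vQHM$Q6FFDsfgsk4YMTKEt75KF0
username viewer privilege 1 secret 5 $1$XXXX$CONSTRUCTED-PLACEHOLDER
interface Ethernet1
 ip address 192.168.3.1 255.255.255.0
 ip nat inside
interface GigabitEthernet0
 ip address 1.100.30.113 255.255.255.0
 ip nat outside
iox
 host ip address 192.168.3.2 255.255.255.0
 host ip default-gateway 192.168.3.1
ip nat inside source list NAT_ACL interface GigabitEthernet0 overload
ip nat inside source static tcp 192.168.3.2 8443 interface GigabitEthernet0 8443
"""

def norm(name):
    return name.replace(" ", "").lower()  # "cellular 0" and "Cellular0" are one interface

def parse(config):
    """Pull the IOx-relevant facts out of a running-config text."""
    facts = {"ifaces": {}, "host": None, "gw": None, "pat": [], "admins": []}
    cur = None  # interface whose sub-mode the current line belongs to
    for raw in config.splitlines():
        line = raw.strip()
        if raw[:1] not in (" ", "\t"):
            cur = None  # an unindented line leaves the interface sub-mode
        if m := re.fullmatch(r"interface (.+)", line):
            cur = facts["ifaces"].setdefault(norm(m[1]), {"ip": None, "nat": None})
        elif cur is not None and (m := re.fullmatch(r"ip address ([\d.]+) ([\d.]+)", line)):
            cur["ip"] = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
        elif cur is not None and (m := re.fullmatch(r"ip nat (inside|outside)", line)):
            cur["nat"] = m[1]
        elif m := re.fullmatch(r"host ip address ([\d.]+) ([\d.]+)", line):
            facts["host"] = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
        elif m := re.fullmatch(r"host ip default-gateway ([\d.]+)", line):
            facts["gw"] = ipaddress.ip_address(m[1])
        elif m := re.fullmatch(
                r"ip nat inside source static tcp ([\d.]+) (\d+) interface (.+) (\d+)", line):
            facts["pat"].append((ipaddress.ip_address(m[1]), int(m[2]), norm(m[3]), int(m[4])))
        elif m := re.fullmatch(r"username (\S+) privilege 15 secret (\d+) \S+", line):
            facts["admins"].append((m[1], int(m[2])))
    return facts

def audit(facts):
    """List what the configuration publishes and who can log in to it."""
    findings = []
    host, gw = facts["host"], facts["gw"]
    inside = [i["ip"] for i in facts["ifaces"].values() if i["nat"] == "inside" and i["ip"]]
    if host is not None and not any(host.ip in ip.network and ip.ip == gw for ip in inside):
        findings.append(f"IOx host {host.ip}: gateway {gw} is not a NAT-inside interface")
    webui_published = False
    for local_ip, local_port, iface, global_port in facts["pat"]:
        if facts["ifaces"].get(iface, {}).get("nat") != "outside":
            continue  # the entry does not publish on a NAT-outside interface
        is_host = host is not None and local_ip == host.ip
        webui_published |= is_host and local_port == 8443
        what = "IOx hosting infrastructure" if is_host else "inside host"
        findings.append(f"{what} {local_ip}:{local_port} published on {iface}:{global_port}")
    if webui_published:
        for name, secret_type in facts["admins"]:
            findings.append(f"privilege 15 user {name} (secret type {secret_type}) "
                            "can log in to the published Local WebUI")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(parse(SAMPLE_CONFIG))))
```

The same audit works for the cellular variant, because interface names are normalised before the PAT entry is matched against the NAT-outside interface.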
Enabling Serial Port
ISR8xx has either a built-in 12-in-1 serial connector on the faceplate or on the WIM-1T module that can be plugged into a platform with WIM slots. An external serial device connected to the host platform can be exposed to IOx applications.
Data Flow on ISR8xx
Serial data flow for containerized applications on C8xx consists of these segments:
- connection between the line termination in IOS and host Linux, enabled by raw TCP configuration
- connection between raw TCP port and virtual TTY port on host
- connection between virtual TTY port and application
IOS Configuration
Raw-socket TCP needs to be enabled on the serial interface and the corresponding async line. Here is the sample configuration on c819/c88x/c89x.
interface Serial0
physical-layer async
no ip address
encapsulation raw-tcp
line 7
raw-socket tcp client 192.168.3.2 32000
Here is the sample configuration on C800m with a WIM-1T serial module installed in extension module slot 0.
interface Serial0/0/0
physical-layer async
no ip address
encapsulation raw-tcp
!
line 3
raw-socket tcp client 192.168.3.2 32000
Below is the sample configuration on C800m with a WIM-1T serial module installed in extension module slot 1.
interface Serial0/1/0
physical-layer async
no ip address
encapsulation raw-tcp
end
line 19
raw-socket tcp client 192.168.3.2 32001
Here, “192.168.3.2” is the host IP address configured under iox submode, and port 32000 or 32001 is the fixed TCP port for raw TCP serial transport. The table below shows the serial slot to TCP port mapping on ISR C8xx platforms.
|ISR8xx platform SKU |Serial slot number | Raw-socket TCP port number|
| -------------------|:--------------------:| -------------------------:|
|C819, C88x, C89x |0 (faceplate mounted) | 32000 |
|C800m |0 | 32000 |
| |1 | 32001 |
Troubleshooting Guides
Follow the steps below to troubleshoot serial device access issues.
- From the IOS side, verify that raw TCP is enabled on the serial interface and async line, and that the TCP connection is established between IOS and the host Linux, using the show and debug commands below:
  - show raw-socket tcp sessions
  - show raw-socket tcp statistics
  - show interface s0/slot#/0
  - debug raw-socket tcp packet
Verify serial interface status
nano-161#show int s0/1/0
Serial0/1/0 is up, line protocol is up
Hardware is Serial in async mode
MTU 1500 bytes, BW 9 Kbit/sec, DLY 100000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation RAW-TCP, loopback not set
Keepalive not set
DTR is pulsed for 5 seconds on reset
Last input never, output never, output hang never
Last clearing of "show interface" counters 1d22h
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/10 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
54 packets input, 71698 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
54 packets output, 71698 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
0 carrier transitions
DCD=up DSR=down DTR=down RTS=up CTS=down
Verify raw socket connection
nano-161#show raw-socket tcp sessions
-------------------------------------------------- TCP Sessions ------------------------------------------------------
interface tty socket mode local_ip_addr local_port dest_ip_addr dest_port up_time idle_time/timeout vrf_name
Se0/1/0 19 0 client 192.168.3.1 61651 192.168.3.2 32001 00:04:18 00:00:36 /5 min --------
nano-161#show raw-socket tcp statistics
--------------------------------------------- Network-Serial Statistics ------------------------------------------------------
Interface tty sessions network_in_bytes network_out_bytes network_to_tty_frames tty_to_network_frames vrf_name
Se0/1/0 19 1 15372 15326 5 13 --------
-------------------------------- CEF Connections Statistics -----------------------
tty_id network_in_frames network_in_bytes network_out_frames network_out_bytes
0 0 0 0 0
0 0 0 0 0
Enable raw socket debugging and capture the debugging trace
*Jan 6 06:35:13.107: [From Network]<-- received 3 bytes on socket 0 from 192.168.3.2 port 32001
*Jan 6 06:35:13.107: 68 69 0A
*Jan 6 06:35:13.107: [To Serial]<-- sending 3 bytes from socket 0 to interface 19
*Jan 6 06:35:13.127: [From Serial]--> received 3 bytes from interface 19 tty 19
*Jan 6 06:35:13.127: 68 69 0A
*Jan 6 06:35:13.127: [To Network]--> dispatched 3 bytes on socket 0 to ip 192.168.3.2 port 32001
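The session check above can be automated. The following Python script is an added example, not part of the original Cisco documentation: it parses `show raw-socket tcp sessions` output and confirms that each serial line is a client connected to the IOx host IP on the port the slot-to-port table assigns to it. The sample input is the session row from this page; the function names, and the assumption that the faceplate port is listed as `Se0` or `Serial0`, are illustrative.

```python
import re

# Serial slot -> raw-socket TCP port, from the mapping table on this page.
SLOT_TO_PORT = {0: 32000, 1: 32001}

# Constructed input: header and session row copied from the page's
# `show raw-socket tcp sessions` output for a WIM-1T in slot 1.
SAMPLE_SESSIONS = """\
interface tty socket mode local_ip_addr local_port dest_ip_addr dest_port up_time idle_time/timeout vrf_name
Se0/1/0 19 0 client 192.168.3.1 61651 192.168.3.2 32001 00:04:18 00:00:36 /5 min --------
"""

# One session row: interface, tty, socket, mode, local ip/port, destination ip/port.
ROW = re.compile(
    r"(?P<intf>Se\S*)\s+(?P<tty>\d+)\s+(?P<sock>\d+)\s+(?P<mode>\S+)\s+"
    r"(?P<lip>[\d.]+)\s+(?P<lport>\d+)\s+(?P<dip>[\d.]+)\s+(?P<dport>\d+)\b")


def slot_of(interface):
    """Se0 / Serial0 is the faceplate connector (slot 0); Se0/<slot>/0 is a WIM-1T.

    The short name for the faceplate port is an assumption of this example.
    """
    m = re.fullmatch(r"Se(?:rial)?0(?:/(\d+)/0)?", interface)
    if m is None:
        raise ValueError(f"unrecognised serial interface name: {interface}")
    return int(m[1] or 0)


def check_sessions(show_output, iox_host_ip):
    """Return a list of problems; an empty list means every session matches the page."""
    problems, sessions = [], 0
    for line in show_output.splitlines():
        m = ROW.match(line.strip())
        if m is None:
            continue  # header, separator or blank line
        sessions += 1
        intf, want = m["intf"], SLOT_TO_PORT.get(slot_of(m["intf"]))
        if m["mode"] != "client":
            problems.append(f"{intf}: mode is {m['mode']}, the page configures 'client'")
        if m["dip"] != iox_host_ip:
            problems.append(f"{intf}: peer {m['dip']} is not the IOx host {iox_host_ip}")
        if want is None:
            problems.append(f"{intf}: slot has no port in the page's table")
        elif int(m["dport"]) != want:
            problems.append(f"{intf}: port {m['dport']}, expected {want} for this slot")
    if sessions == 0:
        problems.append("no raw-socket TCP session between IOS and the host Linux")
    return problems


if __name__ == "__main__":
    print(check_sessions(SAMPLE_SESSIONS, "192.168.3.2") or "sessions match the page")
```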
Restrictions
- Serial signalling is always terminated by IOS. Terminal line settings, including baud rate, data bits, parity bits, and flow control, need to be configured in IOS.
- RS485 is not supported natively on ISR8xx. An external RS485 to RS232 converter needs to be connected.
- Back pressure is not supported; it is up to the application to make sure the peak data rate does not exceed the baud rate, to avoid data loss.