Installing Enterprise Agents on Cisco Routers with Docker
Due to recent platform-wide naming, navigation, and URL changes in the product, you may notice some discrepancies between the product and the screenshots displayed in our technical documentation. The instructions and actual pages in the product are still valid and haven’t changed. Please bear with us as we update our screenshots to better match the in-product experience. See the full scope of changes on Naming and Navigation Menu changes - Summary List.
This article provides an overview of the steps to install a ThousandEyes Enterprise Agent on a supported Cisco router using Docker. The Docker agent is a signed ThousandEyes Docker image that can be quickly launched using Cisco application hosting.
Prerequisites
To review the supported Cisco routers and hardware requirements, see the Support Matrix.
Installation Steps
Deploying an Enterprise Agent on a Cisco router requires the completion of three steps. These steps are detailed in the sections below:
Install the Enterprise Agent on the Cisco router, using one of three available methods (bootflash, direct, via local machine).
Configure the container's networking and account information.
Verify the agent is running.
For Cisco routers purchased before August 15th, 2021, the Docker image can be installed either directly from the ThousandEyes download servers, or by downloading the container image to a local machine and uploading it to the router via SCP, FTP, TFTP, or USB storage, depending on whether the router has direct Internet access or not.
Routers purchased after August 15th, 2021, can, in addition to the previous methods, install the Enterprise Agent via bootflash.
Install the Docker Image from Bootflash
If the router was purchased after August 15th, 2021, the router has the ThousandEyes Enterprise Agent available in bootflash.
Run the following command to install via bootflash, replacing
<app-name>
with your application identifier and<ARCH>-<VERSION>
with the router architecture and the current agent version:#app-hosting install appid <app-name> bootflash:apps/thousandeyes-enterprise-agent-<ARCH>-<VERSION>.cisco.tar
Install the Docker Image to the Router Directly
If the Cisco router has direct internet access, follow the steps below to install the Enterprise Agent:
Run the following command to install the image, replacing
<app-name>
with your application identifier and<ARCH>-<VERSION>
with the router architecture and the current agent version:router#app-hosting install appid <app-name> package https://downloads.thousandeyes.com/enterprise-agent/thousandeyes-enterprise-agent-<ARCH>-<VERSION>.cisco.tar
Your application should now be installed. You can check on it by running the following:
router#sh app-hosting list App id State thousandeyes_enterprise_agent DEPLOYED
The output looks like:
App id State --------------------------------------------------------- thousandeyes_enterprise_agent DEPLOYED
Install the Docker Image via a Local Machine
If the Cisco router does not have direct access to the Internet, follow the steps in the sections below to install the Enterprise Agent.
Download the Docker Image to a Local Machine
Download the Docker image from the ThousandEyes dashboard and copy it to your Cisco router using SCP, FTP, TFTP, or USB storage.
On your local machine, log into the ThousandEyes platform using a login belonging to the account group that will be associated with the appliance.
Navigate to Network & App Synthetics > Agent Settings and click Add New Enterprise Agent; then navigate to Cisco Application Hosting > Routers.
Download the .tar file matching the router architecture.
Use SCP, FTP, TFTP, or USB storage to copy the signed Docker image to the router's flash: directory.
Run the following command, replacing
<ARCH>-<VERSION>
with the router architecture and the current agent version:copy scp://<username>@<host>/thousandeyes-enterprise-agent-<ARCH>-<VERSION>.cisco.tar flash:
Run a checksum (md5) command to verify that the package transfer was successful, replacing
<ARCH>-<VERSION>
with the router architecture and the current agent version. The md5 output should match the latest md5sum. For example, the checksum for version 5.0.1 ise8e04b77483d1338d15b4acbb88f9761
.router#verify /md5 bootflash:thousandeyes-enterprise-agent-<ARCH>-<VERSION>.cisco.tar
Install the Docker Image from a Local Machine
Enable the IOx framework on the router. Enter one configuration command per line, and end with CNTL/Z:
router(config)#iox router(config)#end
Wait until all the services are running:
show iox-service IOx Infrastructure Summary: IOx service (CAF) : Running IOx service (HA) : Not Supported IOx service (IOxman) : Running IOx service (Sec storage) : Not Supported Libvirtd 5.5.0 : Running
Run the installation command, replacing
<app-name>
with your desired app name,<ARCH>-<VERSION>
with the router architecture and the current agent version, and specifying the location of the image file you want to use. In this example, we use thousandeyes_enterprise_agent:app-hosting install appid <app-name> package bootflash:thousandeyes-enterprise-agent-<ARCH>-<VERSION>.cisco.tar
If the image is hosted on an HTTPS server, you can run the following command to download the image, replacing
<ARCH>-<VERSION>
with the router architecture and the current agent version:app-hosting install appid <app-name> package https://downloads.thousandeyes.com/enterprise-agent/thousandeyes-enterprise-agent-<ARCH>-<VERSION>.cisco.tar
Your application should now be installed. You can check on it by running the following:
sh app-hosting list App id State thousandeyes_enterprise_agent DEPLOYED
Configuration
Docker supports both static IP address assignment and dynamic IP address assignment. You must configure a single virtual network interface card (vNIC) for the appliance using either a management interface or virtual port group interface.
There are two available configuration paths, detailed in the sections below:
Option One: VirtualPortGroup Interface
Configure the VirtualPortGroup interface with a private IP address and use as NAT inside:
(config)interface VirtualPortGroup0 (config)ip address 10.100.152.100 255.255.255.0 (config)ip nat inside
Configure NAT outside on the physical port interface:
(config)interface GigabitEthernet0/0/3 (config) ip nat outside
Create NAT rule:
(config)ip nat inside source list NAT interface GigabitEthernet0/0/3 overload (config)ip access-list extended NAT (config)10 permit ip 10.100.152.0 0.0.0.255 any
Configure the application, either with a static IP or with DHCP IP:
a. Configuration with Static IP:
Use a guest IP address to assign a static IP address. In this example, assign 10.100.152.120/24 from VirtualPortGroup 0 and use Google resolver:
(config)#app-hosting appid thousandeyes-enterprise-agent (config-app-hosting)#app-vnic gateway0 virtualportgroup 0 guest-interface 0 (config-app-hosting-gateway0)#guest-ipaddress 10.100.152.120 netmask 255.255.255.0 (config-app-hosting-gateway0)#app-default-gateway 10.100.152.100 guest-interface 0 (config-app-hosting-docker)#name-server0 8.8.8.8 (config-app-hosting)#end
Next, set up the required Docker run options to specify account token. If you want to specify a hostname other than the router's name, do this here as well:
router(config-app-hosting)#app-resource docker router(config-app-hosting-docker)#prepend-pkg-opts router(config-app-hosting-docker)#run-opts 1 "-e TEAGENT_ACCOUNT_TOKEN=<Token>" router(config-app-hosting-docker)#run-opts 2 "--hostname Cisco-Docker" router(config-app-hosting)#start router(config-app-hosting)#end
b. Configuration with DHCP IP:
Make sure the DHCP server is running on the VirtualPortGroup interface.
(config)#app-hosting appid thousandeyes-enterprise-agent (config-app-hosting)#app-vnic gateway0 virtualportgroup 0 guest-interface 0 (config-app-hosting-docker)#name-server0 8.8.8.8 (config-app-hosting)#end
Next, set up the required Docker run options to specify the account token same as the static IP assignment example above.
For a full list of the Docker configuration options, see Docker Agent Configuration Options.
Exit three times to completely exit out of config mode.
Use wr mem to ensure that your configuration changes have persisted across reboots:
router#wr mem Building configuration... [OK]
Option Two: Management Interface Configuration
Configure the management interface:
interface GigabitEthernet0 vrf forwarding Mgmt-intf ip address 10.82.139.212 255.255.255.0 negotiation auto
Configure the application, either with a static IP or with DHCP IP:
a. Configuration with Static IP:
Use a guest IP address to assign a static IP address. In this example, assign
10.82.139.211/24
from GigabitEthernet 0 and use the Google resolver:(config)#app-hosting appid thousandeyes-enterprise-agent (config-app-hosting)#app-vnic management guest-interface 0 (config-app-hosting-gateway0)#guest-ipaddress 10.82.139.211 netmask 255.255.255.0 (config-app-hosting-gateway0)#app-default-gateway 10.82.139.212 guest-interface 0 (config-app-hosting-docker)#name-server0 8.8.8.8 (config-app-hosting)#end
Set up the required Docker run options to specify the account token. If you want to specify a hostname other than the router's name, do this here as well:
router(config-app-hosting)#app-resource docker router(config-app-hosting-docker)#prepend-pkg-opts router(config-app-hosting-docker)#run-opts 1 "-e TEAGENT_ACCOUNT_TOKEN=<Token>" router(config-app-hosting-docker)#run-opts 2 "--hostname Cisco-Docker" router(config-app-hosting)#start router(config-app-hosting)#end
For a full list of the Docker configuration options, see Docker Agent Configuration Options.
b. Configuration with DHCP IP:
Make sure the DHCP server is running on the management interface:
(config)#app-hosting appid thousandeyes-enterprise-agent (config-app-hosting)#app-vnic management guest-interface 0 (config-app-hosting-docker)#name-server0 8.8.8.8 (config-app-hosting)#end
Set up the required Docker run options to specify the account token. If you want to specify a hostname other than the router's name, do this here as well:
router(config-app-hosting)#app-resource docker router(config-app-hosting-docker)#prepend-pkg-opts router(config-app-hosting-docker)#run-opts 1 "-e TEAGENT_ACCOUNT_TOKEN=<Token>" router(config-app-hosting-docker)#run-opts 2 "--hostname Cisco-Docker" router(config-app-hosting)#start router(config-app-hosting)#end
Exit three times to completely exit out of config mode.
Use wr mem to ensure that your configuration changes have persisted across reboots:
router#wr mem Building configuration... [OK]
Verification
With the (config-app-hosting)#start
command, the Docker container should have been started and should be running. You can verify this through the following options:
router# sh app-hosting list
App id State
thousandeyes_enterprise_agent RUNNING
Verify the Docker container’s details:
router#sh app-hosting detail appid thousandeyes_enterprise_agent
App id : thousandeyes-enterprise-agent
Owner : iox
State : RUNNING
Application
Type : docker
Name : ThousandEyes Enterprise Agent
Version : 5.0.1
Description : Perform active synthetic measurements to your business-critical applications. Get started at https://docs.thousandeyes.com/product-documentation/getting-started
Author : ThousandEyes [email protected]
Path : https://downloads.thousandeyes.com/enterprise-agent/thousandeyes-enterprise-agent-x86_64-5.0.1.cisco.tar
URL Path : bootflash:./thousandeyes-enterprise-agent-x86_64-5.0.1.cisco.tar
Activated profile name : custom
Resource reservation
Memory : 500 MB
Disk : 1 MB
CPU : 1850 units
CPU-percent : 9 %
VCPU : 1
Platform resource profiles
Profile Name CPU(unit) CPU(percent) Memory(MB) Disk(MB)
---------------------------------------------------------------------------
Attached devices
Type Name Alias
---------------------------------------------
serial/shell iox_console_shell serial0
serial/aux iox_console_aux serial1
serial/syslog iox_syslog serial2
serial/trace iox_trace serial3
Network interfaces
---------------------------------------
eth0:
MAC address : 52:54:dd:e9:9e:9f
IPv4 address : 172.29.1.11
IPv6 address : ::
Network name : VPG0
In the ThousandEyes platform, go to Network & App Synthetics > Agent Settings and verify the Docker container’s IP address.
Modify the Docker Container
Stop the application:
router# app-hosting stop appid thousandeyes_enterprise_agent thousandeyes_enterprise_agent stopped successfully Current state is: STOPPED
De-activate the application:
router# app-hosting deactivate appid thousandeyes_enterprise_agent thousandeyes_enterprise_agent deactivated successfully Current state is: DEPLOYED
Modify the Docker options, and exit three times:
router(config)#app-hosting appid thousandeyes_enterprise_agent router(config-app-hosting)#app-resource docker router(config-app-hosting-docker)#prepend-pkg-opts router(config-app-hosting-docker)#<run-opts command> router(config-app-hosting-docker)#exit router(config-app-hosting)#exit router(config)#exit
Reactivate the application, and confirm that it’s activated:
router# app-hosting activate appid thousandeyes_enterprise_agent thousandeyes_enterprise_agent activated successfully Current state is: ACTIVATED
router#sh app-hosting list App id State --------------------------------------------------------- thousandeyes-enterprise-agent DEPLOYED
Start the application, and confirm that it is running:
router# app-hosting start appid thousandeyes_enterprise_agent thousandeyes_enterprise_agent started successfully Current state is: RUNNING
Frequently Asked Questions
What is the expected NTP behavior for a Catalyst 8000 series deployed Enterprise agent?
The enterprise agent on a Catalyst 8000 series switch uses the host system kernel clock. It also sends packets to pool.ntp.org to determine any clock offset. It does not try to adjust the host or container clock but will adjust measurement timestamps based on the clock offset.
Can the default external NTP source (pool.ntp.org) be changed to a customer's internal NTP source?
No. The agent uses pool.ntp.org to determine clock offset by default; this is currently not configurable.
How do I connect to the agent shell for Cisco agents?
To access the agent shell of a Cisco Enterprise Agent that is actively running, use the following command, replacing <app-name>
with your application identifier:
router#app-hosting connect appid <app-name> session
#
Once inside the agent shell, you can refer to the agent log for any further troubleshooting:
# tail /var/log/agent/te-agent.log
For more information on configuration options, see Docker Agent Config Options.
Can I use ThousandEyes troubleshooting utilities?
From Agent 4.0.2 onwards, te-agent-utils
are pre-installed on Cisco Enterprise Agents. For more information on the available utilities, see CLI Network Troubleshooting Utilities.
What are the default trusted default root certificates used by the Enterprise Agent Docker container when communicating with ThousandEyes services?
issuer=O = Cisco, CN = Cisco Licensing Root CA
issuer=O = Cisco, CN = Cisco Basic Assurance Root CA 2099
issuer=O = Cisco, CN = Cisco ECC Root CA
issuer=O = Cisco Systems, CN = Cisco Root CA 2048
issuer=O = Cisco, CN = Cisco Root CA 2099
issuer=O = Cisco, CN = Cisco Root CA M1
issuer=O = Cisco, CN = Cisco Root CA M2
issuer=C = US, O = Cisco Systems, CN = Cisco RXC-R2
issuer=C = US, O = Amazon, CN = Amazon Root CA 1
issuer=C = US, O = Amazon, CN = Amazon Root CA 2
issuer=C = US, O = Amazon, CN = Amazon Root CA 3
issuer=C = US, O = Amazon, CN = Amazon Root CA 4
issuer=C = NO, O = Buypass AS-983163327, CN = Buypass Class 2 Root CA
issuer=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
issuer=C = US, O = Internet Security Research Group, CN = ISRG Root X1
issuer=C = US, O = IdenTrust, CN = IdenTrust Commercial Root CA 1
issuer=C = BM, O = QuoVadis Limited, CN = QuoVadis Root CA 2
issuer=C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust ECC Certification Authority
issuer=C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
issuer=C = US, O = Google Trust Services LLC, CN = GTS Root R1
issuer=C = US, O = Google Trust Services LLC, CN = GTS Root R2
issuer=C = US, O = Google Trust Services LLC, CN = GTS Root R3
issuer=C = US, O = Google Trust Services LLC, CN = GTS Root R4
How do I install CA certificates on Cisco devices?
For CA certificate installation instructions, see Installing CA Certificates on Enterprise Agents.
Last updated