Cisco Secure Equipment Access Quick Start Guide for Industrial Routers

PDF

Configure and enable IOx on industrial routers

Updated: June 13, 2025

Overview

Learn how to configure and enable IOx on Cisco industrial routers to deploy and manage containerized applications and services at the network edge.

Enable IOx so that containerized applications and services can be deployed and managed on Cisco industrial routers.

IOx provides a container hosting environment on Cisco IOS XE-based industrial routers, allowing you to run edge applications such as Secure Equipment Access (SEA), Cisco Cyber Vision (CCV), and Edge Intelligence (EI). Proper network configuration is required to ensure these applications have connectivity and the necessary IP resources to function effectively.

Before you begin

  • Verify that your industrial router is running a Cisco IOS XE version compatible with IOx.

  • Ensure you have access to the router’s CLI with the necessary administrative privileges.

Procedure

1.

Configure the virtual interface, DHCP pool, and NAT rules on the router to enable network connectivity for IOx applications.

  1. Configure the VirtualPortGroup (VPG) interface.

    VirtualPortGroup0 is the virtual interface that connects IOx applications to IOS XE. IOx applications need IP connectivity through VirtualPortGroup0, including assignment of an IP address. An example configuration is given in the next line. You can change the IP address to suit your requirements. Enter these configuration commands on the router console, in the config mode. 
    ! Example
  conf t    
  interface VirtualPortGroup0
  description IOx Interface
  ip address 192.168.16.1 255.255.255.0
  ip nat inside
  ipv6 enable
  end

  2. Configure the DHCP pool.

    When the IOx applications start, they will request an IP address via DHCP. Therefore, you need to configure a DHCP pool for IOx applications. An example configuration of IP pool and DNS server is given in the next line. You can customize this configuration to suit your requirements. Ensure that the default router IP address is the same as the IP address previously configured for the VirtualPortGroup0 interface.

    ! Example
  conf t
  ip dhcp pool ioxpool
  network 192.168.16.0 255.255.255.0
  default-router 192.168.16.1
  dns-server 192.168.16.1 8.8.8.8 
  end

  3. Configure NAT (Network Access Translation).

    IOx apps use private IP addresses obtained from DHCP. They need NAT to access the Internet. Add NAT rules for the DHCP pool to enable IOx App traffic to access the internet.

    In the example below, assume that the connection to the Internet will be through Cellular 0/1/0. Make sure to change or adjust the interface if it is not Cellular 0/1/0. For example, it could be GigabitEthernet 0/0/0 or Cellular 0/3/0.

    ! Example of a NAT rule for using Cellular0/1/0 as an uplink:
  conf t       
  interface Cellular0/1/0
  ip nat outside
  ip access-list extended NAT_ACL
  10 permit ip 192.168.16.0 0.0.0.255 any
  route-map RM_WAN_ACL2 permit 10
  match ip address NAT_ACL
  match interface Cellular0/1/0
  ip nat inside source route-map RM_WAN_ACL2 interface Cellular0/1/0 overload
  end
2.

Enable IOx.

conf t
iox
end
3.

Verify that IOx is running correctly by running this command in exec mode:

show iox-service
! Example 1: When IOx is up and running, both the “IOx service (CAF)” and “dockerd” will be running.
Router#sh iox-service
IOx Infrastructure Summary:
---------------------------
IOx service (CAF)         : Running
IOx service (HA)          : Not Supported
IOx service (IOxman)      : Running
IOx service (Sec storage) : Running
Libvirtd 5.5.0            : Running
Dockerd v19.03.13-ce      : Running

IOx services are running on the router.

What to do next

Configure industrial routers to communicate with the Cisco IoT Operations Dashboard.