
Cisco App Hosting – DNS

A Guide to Internal App-Hosting and VLAN Segmenting

This guide covers the deployment of a Pi-hole Docker container directly onto a Cisco Catalyst 9300 switch using the IOx application framework.

1. The Preparation Phase: Architecture & Packaging

The Catalyst 9300 (specifically the x86-based models) requires images built for the linux/amd64 architecture.

  • Pulling the Image: To avoid corruption and ensure compatibility, pull the image specifically for the amd64 platform on your workstation:
    docker pull --platform linux/amd64 pihole/pihole:latest
  • Avoiding Binary Corruption: Do not use PowerShell redirection (>) to save the image. Instead, use the native Docker output flag:
    docker save -o pihole_raw.tar pihole/pihole:latest
  • Packaging for Cisco IOx: Use ioxclient to wrap the tarball. On Windows, ensure you point the client to the Docker Named Pipe or TCP socket:
    .\ioxclient.exe docker package pihole_raw.tar .

2. Switch Configuration: The Networking Bridge

The Catalyst 9300 uses an internal interface called AppGigabitEthernet (typically 1/0/1) to bridge the physical switch fabric to the virtual IOx environment.

The “VLAN 1” Trap

A critical discovery in this deployment was that VLAN 1 (the default/native VLAN) is often reserved for switch control-plane traffic. Using it for App-Hosting can result in “Silent Drops,” where the switch sees the container’s MAC address but refuses to bridge traffic to physical ports.

Solution: Segment the container into a Data VLAN (e.g., VLAN 10).

Cisco CLI

interface AppGigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
iox

3. Application Deployment & Environment Variables

On modern IOS-XE versions (17.x+), networking is often handled via Docker runtime options rather than the legacy guest-ipaddress CLI.

  • Activation: The application must be “Activated” to bind the resources before it can be started.
  • Runtime Options: Environment variables set the web password and internal DNS behavior.

Cisco CLI

app-hosting appid pihole
 app-vnic AppGigabitEthernet trunk
  guest-interface eth0
 app-resource docker
  run-opts 1 "-e WEBPASSWORD=yourpassword -e FTLCONF_LOCAL_IPV4=192.168.1.26"

4. Firewall Integration (Palo Alto Networks)

By setting the AppGigabitEthernet port to a specific VLAN, the container acts as a standard host on the network.

  • DHCP Handover: In this setup, the Pi-hole was configured to pull an IP from the Palo Alto firewall.
  • Static Reservation: To ensure DNS stability, a DHCP reservation was created on the Palo Alto using the container’s virtual MAC (starting with 52:54:dd...).
  • DNS Scope: Once stable, the Palo Alto DHCP scope options were updated to point the primary DNS to the Pi-hole’s IP.

5. Troubleshooting Checklist

If the container is RUNNING but unreachable:

  1. MAC Table Check: Run show mac address-table vlan 10. If the container MAC is missing from physical ports, the bridge has failed.
  2. SVI Status: Ensure interface Vlan 10 is up/up on the switch. If no physical ports are active in that VLAN, use no autostate to keep the interface alive.
  3. Security Policies: Disable ip verify source and ip dhcp snooping trust on the AppGigabitEthernet interface if traffic is being dropped.
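The MAC-table check from step 1 can be scripted. The following Python is an added example, not part of the original post: it parses the text of show mac address-table vlan 10 (the sample output below is constructed, not captured from a real switch), converts Cisco dotted MACs to colon form so the 52:54:dd prefix from the post can be matched, and reports whether the container MAC was learned in the data VLAN, only in VLAN 1 (the trap described above), or not at all.

```python
import re

# One row of "show mac address-table": VLAN, dotted MAC, type, port(s).
ROW = re.compile(r"^\s*(\d+|All)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)", re.I)

# Prefix of the IOx container's virtual MAC as quoted in the post.
CONTAINER_OUI = "52:54:dd"


def normalize_mac(cisco_mac):
    """Turn Cisco dotted form (5254.dd1a.2b3c) into colon form (52:54:dd:1a:2b:3c)."""
    digits = cisco_mac.replace(".", "").lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_mac_table(output):
    """Parse 'show mac address-table' text into a list of entry dicts."""
    entries = []
    for line in output.splitlines():
        m = ROW.match(line)
        if not m or m.group(1).lower() == "all":
            continue  # skip headers, totals and the system-wide 'All' entries
        entries.append({"vlan": int(m.group(1)), "mac": normalize_mac(m.group(2)),
                        "type": m.group(3).upper(), "port": m.group(4)})
    return entries


def check_container_bridge(output, data_vlan=10):
    """Report where the container MAC was learned, flagging the VLAN 1 trap."""
    hits = [e for e in parse_mac_table(output) if e["mac"].startswith(CONTAINER_OUI)]
    if not hits:
        return "missing"      # switch never learned the container MAC: nothing is bridged
    vlans = {e["vlan"] for e in hits}
    if data_vlan in vlans:
        return "ok"           # learned in the data VLAN as intended
    if 1 in vlans:
        return "vlan1-trap"   # learned only in VLAN 1: the silent-drop scenario
    return "wrong-vlan"


# Constructed sample output (not captured from a real switch).
SAMPLE_OK = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    5254.dd1a.2b3c    DYNAMIC     Ap1/0/1
  10    0011.2233.4455    DYNAMIC     Gi1/0/5
Total Mac Addresses for this criterion: 2
"""

if __name__ == "__main__":
    print(check_container_bridge(SAMPLE_OK))
```

Paste the real show output in place of SAMPLE_OK; a "vlan1-trap" result means the AppGigabitEthernet port is still carrying the container in the native VLAN.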

Summary of the “Stack”

Component        Specification
Hardware         Cisco Catalyst 9300 (17.09.08)
Platform         Cisco IOx (x86_64)
Container        Pi-hole (linux/amd64)
Gateway          Palo Alto Networks Firewall
VLAN Strategy    Isolated Data VLAN (VLAN 10)
