Cisco VIRL on Packet

What Is Cisco VIRL

Whether you are a networking professional or a student trying to learn and pass Cisco certifications, one of the challenges is getting your hands on the equipment. It is always a chicken-or-egg problem. You will have access to a bunch of routers and switches after you land a job, but how do you gain the experience necessary to land your dream job? There is no doubt that the best way to learn a technology is practicing in a lab. Rather than spending hundreds of dollars on eBay (like I did) buying used routers and switches to practice on, not to mention the space and power you’ll need to keep that physical rack running, people started looking for a way to virtualize the lab environment.

Cisco Virtual Internet Routing Lab (VIRL) is a software tool Cisco developed to build and run network simulations without the need for physical hardware.

Under the hood, VIRL is an OpenStack-based platform that runs IOSv, IOSvL2, IOS XRv, NX-OSv, CSR1000v, and ASAv software images on its built-in hypervisor. VIRL provides a scalable, extensible network design and simulation environment using the VM Maestro GUI. Recently, I have seen extensive development and improvement made on the browser-based operations using HTML5. If you want to run non-Cisco virtual machines, VIRL can also integrate with third-party vendor virtual machines such as MS Windows, Juniper, Palo Alto Networks, Fortinet, F5 BigIP, Extreme Networks, Arista, Alcatel, Citrix and more.

VIRL comes in two different editions – Personal Edition and Academic Edition. Both have the same features except the Academic Edition is cheaper. At the time of writing, Academic Edition costs $79.99 USD per year and Personal Edition costs $199.99 USD per year. VIRL has a license limit to simulate up to 20 Cisco nodes at a time. You may pay an extra $100 USD to upgrade to a maximum of 30 Cisco nodes. To qualify to purchase the Academic Edition, you must be a faculty member, staff member or student of any public or private K-12 institution or Higher Education institution.

Cisco VIRL is community-supported and is designed for individual users. For enterprise users who want TAC support, in-depth documentation, training and more, there is Cisco Modeling Labs (CML), an enterprise version of VIRL. Of course the CML costs much more.

Forms of Installing VIRL

There are three main ways you can install and run a Cisco VIRL lab – installing as a Virtual Machine, on bare-metal hardware, and on the cloud.

The first option, installing as a virtual machine, is often the better one if you have access to an enterprise-grade VM environment with a high-performance CPU, memory and storage system in a datacenter. If you just want to try VIRL or have a mobile lab that always goes with you, you can also install VIRL on your PC or Mac as a VM running in parallel with your existing system. Read Cisco VIRL Installation on VMware ESXi.

The second option is installing VIRL on a dedicated bare-metal computer to achieve maximum performance. If you are a student trying to learn network technologies, and you don’t need to simulate as many nodes at the same time, the second option may work better for you.

The third option is hosting your Cisco VIRL lab on the cloud. If you don’t have any servers or PCs to use, or you don’t want to deal with any hardware and its upkeep, you can rent bare-metal servers on the cloud and pay an hourly rate as you go. “Packet” is a cloud-based bare-metal and container hosting company that Cisco partnered with. It provides a fast and powerful on-demand bare-metal platform. In this session, I’ll be focusing on a step-by-step tutorial for installing Cisco VIRL on Packet.

Planning VIRL Installation on Packet

With the performance that Packet’s bare-metal systems offer, you can quickly and easily build and simulate a more complex and demanding network where your in-house system would struggle. Packet offers four types of server options: Type 0 through Type 3. Use Cisco VIRL’s resource calculator to estimate the amount of CPU and memory you would need. Type 0 is enough to meet VIRL’s minimum system requirements. Type 0 only costs $0.05/hour or $33.60/month, a lot less than most dedicated server hosting options on the market. It is an extremely cost-effective way to get started.

For network engineers who want to mock up a production network, I recommend Type 1, which has enough CPU and memory to simulate up to 30 routers. (More memory is needed to run IOSXRv)

Installing VIRL on Packet

There are two ways of deploying and managing VIRL on Packet. You can run VIRL on Packet from your existing in-house VIRL server, or directly from your workstation or laptop.

Before you start, make sure you have a valid VIRL license and have registered a Packet account. Generate an API key in your Packet account portal. The API key will be used by the Terraform toolset from Hashicorp to provision and manage the VIRL install on Packet. The installation examples were based on VIRL version 1.2.64.

Run VIRL on Packet from Your Existing VIRL Server

These instructions assume that you already have a working VIRL server in your environment and want to “borrow” more computing power from Packet. You may be struggling with performance issues on your local VIRL server, or you may just want to try out the cloud deployment option. Here are the steps to follow.

Step 1: Provision a VIRL remote server in UWM

Log in to your local VIRL server’s UWM management console at http://IP-address/. Navigate to “VIRL Server > Remote Server”. Note: a VIRL installation on Packet requires that you have a valid license that is verified by the SALT masters. It is a good idea to confirm the SALT status (“VIRL Server > Salt Configuration and Status”) before proceeding.

  • API Key: copy and paste from your account on Packet
  • Location: choose the datacenter closest to you to minimize latency
  • Machine Type: check pricing and machine types. Select a machine type that meets your simulation needs.
  • Dead Man’s Timer: the number of hours after which the machine will be terminated by the system.

The DMT (Dead Man’s Timer) is a safeguard to avoid excessive charges in case you forget to terminate your machine. The default value is 4 hours. The drawback is that all your data will be lost upon termination. Make sure you back up everything before the timer is up. Read how to import and export VIRL topology files.

Next you need to generate random passwords for your VIRL server or make your own.

Click on “Save” and the jobs will be scheduled to run. Press “Refresh” to check status and “OK” to return to the previous screen. Click “Launch” to trigger the provisioning process on Packet. The process takes a while to complete.

You can now see a server instance has been created under your account.

Step 2: Access VIRL server on Packet

Once your VIRL server has been provisioned by Packet, we can access it remotely. The recommended way of accessing the remote VIRL server is using OpenVPN.

Download a free OpenVPN desktop client for Windows or Tunnelblick for Mac OS X.

Next we go back to your local VIRL’s UWM management GUI, go to “VIRL Server > Remote Server” and click on the “Status” tab. Note that you won’t be presented with this option until the provisioning tasks have finished.

Here you may find all the parameters used to build the VIRL server on Packet. Take note of the OpenVPN access IP address and login credentials at the bottom of the Terraform section.

Scroll all the way to the bottom of the page. Download .OVPN profile. Now launch your desktop OpenVPN client and import the .OVPN profile. Double click on the profile to connect the VPN.

Now you have access to the VIRL server hosted on Packet. Log in to the UWM console by going to its URL. Credentials can be found on your local VIRL server, in “VIRL Server > Remote Server”, under Terraform on the Status tab. Now you have a fully working VIRL server hosted on Packet.

Step 3: Terminate VIRL server on Packet

Packet starts charging you from the moment provisioning is triggered. Do not forget to terminate your server after finishing your tasks. Be sure to save all your work before termination or it will be lost.

Go to your local VIRL server UWM, “VIRL Server > Remote Server” and click on “Terminate”.

Go to your account on Packet and confirm the server has been terminated.

As you can see, Cisco has built and automated the provisioning process into the VIRL server itself, which makes the process a lot easier. If you do not have a local VIRL server, there is a bit more involved.

Run VIRL on Packet Directly from Your Workstation / Laptop

If you don’t already have a VIRL server and want to run everything on the cloud, follow the instructions below to deploy VIRL on Packet. You will find that it is a lot more complicated to do it this way. Several free tools need to be downloaded and installed on your workstation, and you will need to type quite a few commands.

Before we get started, here are some terms and tools that we are going to use.

Virl_boxcutter: a self-contained “launcher” virtual machine image, used to bring up a VIRL Server on the Packet platform.

Vagrant: used to set up one or more virtual machines by importing pre-made images (called "boxes"), setting VM-specific settings (IP address, hostnames, port forwarding, memory, etc.) and running provisioning software like Puppet or Chef.

The “launcher” uses Vagrant (from Hashicorp) to control the operation of the “launcher VM”. Vagrant offers free plugin support for Virtualbox and for VMware AppCatalyst.

Step 1: Install tools on your workstation or laptop

  1. Install either Virtualbox for Windows, Mac or Linux, or VMware AppCatalyst for Mac. (I used Virtualbox in this example)
  2. Install Vagrant for Windows, Mac or Linux. (For the current VIRL release, Windows users should install Vagrant 1.7.4. 1.8.x is not supported.)
  3. Once both tools are loaded, install Vagrant plugin from Windows PowerShell.
    vagrant plugin install virtualbox or
    vagrant plugin install vagrant-vmware-appcatalyst
  4. Install a Git client (i.e. SmartGit)

Step 2: Prepare “virl_boxcutter” virtual machine

Launch SmartGit and “clone” the repo at

It’ll download a folder called “virl_boxcutter” from GitHub to your local computer. Browse to the “virl_boxcutter\salt” directory.

Use Notepad or any text editor and create a text format file named “minion.pem”. Copy and paste your license key from “”. Make sure the “minion.pem” file does not have a “txt” extension.

In the “virl_boxcutter” directory, rename the “id.conf.orig” file to “id.conf”. Update the license ID and append domain name. The “id” field must be set to the value from your VIRL license key xxxx ( without “” extensions). The “append_domain” field is the domain field from your VIRL license key “” or “”. Save the changes and close. Here is how it looks on mine. (I have a 30-node license)

id: 2D03FXXX

Make a copy of “” and rename it to “”. Open it with Notepad. You will need to update the “default” values to match your environment.


  1. packet_api_key: copy and paste the API key from your account at Packet
  2. packet_machine_type: baremetal_1 through 4. Check for machine types and pricing
  3. dead_mans_timer: automatic machine termination in number of hours, default is 4 hours
  4. packet_location: where you want your VIRL server to be hosted from the available data centers. EWR1 == New York, SJC1 == San Jose, CA, AMS1 == Amsterdam.
  5. salt_master: specify SALT master datacenter
  6. packet_project_id: by default automatically creates a new project each time, if you don’t want this, insert project id and change the two variables in

Step 3: Launch Vagrant and build virl_boxcutter VM

In Windows PowerShell, go to the “virl_boxcutter” directory and issue the command “vagrant up”. It will launch Vagrant, pull down the virl_boxcutter virtual machine, and execute the provisioning scripts.

I ran into an issue when I issued the “vagrant up” command. My Vagrant version 1.7.4 does not support the latest Virtualbox 5.1. I had to downgrade to Virtualbox 5.0.

vagrant up

Once I resolved the issue, “vagrant up” started working. It takes a while to complete.

Step 4: Login virl_boxcutter VM and prepare for VIRL launch

Now the virl_boxcutter virtual machine has been built. To log in to it, we issue the command “vagrant ssh”. A Windows computer does not have a native SSH client, so Vagrant shows you how to use an SSH client to log in instead.

PS D:\ISO\VIRL\virl_boxcutter> vagrant ssh
`ssh` executable not found in any directories in the %PATH% variable. Is an SSH client installed? Try installing Cygwin, MinGW or Git, all of which contain an SSH client. Or use your favorite SSH client with the following authentication information shown below:

Port: 2222
Username: vagrant
Private key: D:/ISO/VIRL/virl_boxcutter/.vagrant/machines/default/virtualbox/private_key

Here we use PuTTY as our SSH client. Create a session host IP: over port 2222. Don’t forget to attach the private key.
Username: vagrant
Password: vagrant

Now we are connected to the boxcutter. Go into the “virl_packet” directory.
cd virl_packet

Edit the file to suit your needs.

Edit or review the “” file

Once done, validate the “” file and make sure there are no errors.
terraform plan

Step 5: Provision VIRL server on Packet

This command will instruct the boxcutter to start provisioning on Packet and install the VIRL server.
terraform apply

Expect it to take ~30 minutes. When it completes, the system will report the IP address of your Remote VIRL server and login info.

If you missed the screen, you can bring up the information again using the following command.
terraform show

To access the VIRL server on Packet, you can go to the UWM in a web browser or SSH directly to it: ssh root@ipaddress or ssh virl@ipaddress

Use OpenVPN to connect to the VIRL server and the simulated nodes. You can find the OpenVPN configuration file under virl_packet directory after VIRL server has been provisioned. You can import it into your OpenVPN desktop client.

Step 6: Terminate VIRL server on Packet

To suspend the virl_boxcutter virtual machine, use “vagrant halt”.
vagrant halt

To terminate the server on Packet, use “terraform destroy .”  Go to your Packet account to confirm the server has been terminated so that it does not generate fees for you.

The next time you want to launch the VIRL server on Packet, open Windows PowerShell and run “vagrant up”. SSH to the Vagrant VM with “vagrant ssh” or PuTTY. Run “terraform plan .” to prepare and “terraform apply .” to deploy the server on Packet. A heck of fun!

I wish Cisco would develop a more streamlined process without having to install VirtualBox and Vagrant on the computer. For those having trouble or who do not want to install these tools on the computer, you might want to consider setting up a local copy of VIRL to just use its remote VIRL deployment feature. Since it is the server on Packet doing the hard work of simulating routers, you shouldn’t be too concerned about your local computer’s performance.

Post-installation Tasks

Prepare for license activation

Check if you have Internet connectivity by pinging
virl@virl:~$ ping

Also, verify your VIRL server can reach one of the Cisco SALT licensing servers on the Internet. Cisco offers multiple SALT instances in the U.S. as well as in E.U. regions. Choose the one that is close to you.

We first try to ping the SALT server to make sure it is alive. Next, we Telnet to TCP ports 4505 and 4506 to verify that your Internet firewall allows outbound traffic on those ports.
virl@virl:~$ ping
PING ( 56(84) bytes of data.
64 bytes from ( icmp_seq=1 ttl=128 time=40.4 ms
64 bytes from ( icmp_seq=2 ttl=128 time=49.6 ms
--- ping statistics ---
3 packets transmitted, 2 received, 33% packet loss, time 2003ms
rtt min/avg/max/mdev = 40.474/45.072/49.671/4.603 ms

virl@virl:~$ telnet 4505
Connected to
Escape character is '^]'.

telnet> quit
Connection closed.
virl@virl:~$ telnet 4506
Connected to
Escape character is '^]'.

telnet> quit
Connection closed.

If you got results similar to above, you are good to go to the next step. Check if “KVM acceleration” can be used.
virl@virl:~$ sudo kvm-ok
INFO: /dev/kvm exists
KVM acceleration can be used

If your KVM check fails as shown below, go to the troubleshooting section for more information.
virl@virl:~$ sudo kvm-ok
INFO: Your CPU does not support KVM extensions
KVM acceleration can NOT be used

The next step is to make sure an NTP server is configured and the system time is being synchronized. SSH to the VIRL server and verify the NTP service configuration file.
sudo vi /etc/ntp.conf

You should find the following NTP servers defined at the bottom of the file. If not, add them.
server iburst
server iburst
server iburst
server iburst

Restart NTP service.

sudo service ntp stop
sudo ntpd -gq
sudo service ntp start

Use the NTP query command to ensure that NTP peering is established. It may take several minutes for the NTP daemon to establish peers, so you may need to re-enter the NTP query command several times over that period before a peer is indicated. You should see something like this when NTP peers are established. Note that VIRL displays GMT time instead of your local time.

If you passed all the tests above, you can attempt to activate the VIRL license.
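The manual checks above (Salt ports 4505/4506, KVM, NTP peering) can be scripted so they are repeatable after every rebuild. This is an added example, not part of the original tutorial or of VIRL itself; the `SALT_MASTERS` variable, the function names and the placeholder host name are assumptions, and the ntpq sample is constructed.

```bash
#!/usr/bin/env bash
# Added example (not from the tutorial): scripted pre-activation checks.
# SALT_MASTERS is a placeholder; set it to the comma-separated Salt master
# hostnames Cisco publishes for your VIRL release.
SALT_MASTERS="${SALT_MASTERS:-salt-master.example.invalid}"

# tcp_open HOST PORT: succeed if a TCP connection opens within 5 seconds.
# Uses bash's /dev/tcp, so neither telnet nor nc has to be installed.
tcp_open() {
    timeout 5 bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$1" "$2" 2>/dev/null
}

# ntp_has_peer: read `ntpq -pn` output on stdin and succeed only if one line
# starts with "*", the tally code ntpq gives the peer the clock is synced to.
ntp_has_peer() {
    awk 'NR > 2 && /^[*]/ { found = 1 } END { exit !found }'
}

# Constructed sample of `ntpq -pn` output (documentation addresses).
sample_ntpq() {
    cat <<'EOF'
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*192.0.2.10      .GPS.            1 u   33   64  377   12.345    0.512   0.221
+192.0.2.11      192.0.2.10       2 u   30   64  377   15.002   -0.310   0.187
EOF
}

# preflight: run every check, report each result, return 1 if any failed.
preflight() {
    local rc=0 host port
    for host in $(printf '%s' "$SALT_MASTERS" | tr ',' ' '); do
        for port in 4505 4506; do
            if tcp_open "$host" "$port"; then
                echo "ok    $host:$port reachable"
            else
                echo "FAIL  $host:$port unreachable (check outbound firewall)"
                rc=1
            fi
        done
    done
    # Only the device-node part of what kvm-ok tests; run kvm-ok for detail.
    if [ -e /dev/kvm ]; then echo "ok    /dev/kvm exists"
    else echo "FAIL  /dev/kvm missing"; rc=1; fi
    if ntpq -pn 2>/dev/null | ntp_has_peer; then echo "ok    NTP peer selected"
    else echo "FAIL  no NTP peer selected yet; retry in a few minutes"; rc=1; fi
    return "$rc"
}

# Run the live checks only when asked: ./preflight.sh --run
if [ "${1:-}" = "--run" ]; then preflight; fi
```
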

License activation

If you haven’t already, follow the instructions in the previous chapter (Planning VIRL Installation – Obtaining VIRL Installation Images) and download your license key from your Cisco VIRL account portal. The VIRL license Salt-Key has the format “key-id.domain.pem”, for example “”.

Now we need to access the VIRL server’s management console to complete the remaining tasks. Fortunately it is all web-browser based. You can do this from any computer that has network connectivity to the VIRL server, such as your workstation or any other computer on the network.

Open a web browser such as Firefox and navigate to the URL using your VIRL server’s IP address. In my case it is If you are not sure what IP your VIRL server has, double click on the icon named “ip-address” on VIRL’s desktop. Your IP is displayed after “inet addr:” in an xterm window.


Click “User Workspace Management” under “System Operations”. Your default username and password to login is:
Username: uwmadmin
Password: password

On the left side menu, select “VIRL Server > Salt Configuration and Status”. It shows the default configuration and some errors. Expect to see those errors until your VIRL license is activated. You may ignore them.

Go and click on “Reset keys and ID”. In the next screen you’ll enter the licensing servers and key information. Here is an example of mine.

  • Salt ID and domain: license file name without “.pem”.
  • Customer e-mail Address: your email address
  • List of Cisco salt master: insert multiple SALT servers separated by commas.

Note: I have seen the SALT server domain names change several times over the last year. If you are unable to contact the SALT servers, check the Cisco VIRL official website for the latest.

  • Master sign public key: keep default value
  • Minion private RSA key in PEM format: open your .pem file in any text editor such as Notepad, copy & paste the entire content here.

Click “Reset”. It’ll take a while for VIRL to check in with the SALT server to activate its license. Sometimes it fails on the first attempt. You can click on “Check status now” to refresh the status.

VIRL must have Internet access and be able to call home to the Cisco Salt Stack to activate VIRL license. It re-evaluates your license every 7 days.

Ubuntu OS update

VIRL runs on Ubuntu operating system. Ubuntu is a Debian-based Linux operating system. Just like you would update your Windows and Mac OS for security patches, it is a good idea to update the Ubuntu OS as well. Use the following commands to update.
sudo apt-get update # Fetches the list of available updates
sudo apt-get upgrade # Strictly upgrades the current packages
sudo apt-get dist-upgrade # Installs updates (new ones)

Reboot the VIRL server after OS update.
virl@virl:~$ sudo reboot now

Final verifications

After the OS has been updated, it is necessary to run a few more verifications to confirm that the VIRL server is ready for use. SSH to the VIRL server. Display the status of the OpenStack Neutron agents. Verify that the “alive” column shows ‘:-)’ for each Neutron agent. There should be a minimum of four Neutron agents present.

virl@virl:~$ neutron agent-list

  1. Linux-bridge-agent
  2. Metadata agent
  3. DHCP agent
  4. L3 agent
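The agent check above can be automated by parsing the table that `neutron agent-list` prints. This is an added example, not code from the tutorial or from VIRL; the function names are assumptions, the sample table is constructed (shortened ids, made-up host), and it assumes the usual `agent_type` and `alive` column headers.

```bash
#!/bin/sh
# Added example (not from the tutorial): verify `neutron agent-list` output.
# Usage on the server:  neutron agent-list | check_neutron_agents
# Prints one line per agent type that is absent or not alive; the exit
# status is 0 only when all four expected types report ":-)".
check_neutron_agents() {
    awk -F'|' '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    # Lower-case and treat "-", "_" and runs of spaces alike, so the header
    # "agent_type" and a value such as "Linux bridge agent" both match.
    function norm(s) { s = tolower(trim(s)); gsub(/[-_ ]+/, " ", s); return s }
    BEGIN {
        want["linux bridge agent"] = 1; want["metadata agent"] = 1
        want["dhcp agent"] = 1;         want["l3 agent"] = 1
        bad = 0
    }
    /^[+]/ || NF < 3 { next }            # table borders and non-table text
    !type_col {                          # first table row is the header
        for (i = 1; i <= NF; i++) {
            if (norm($i) == "agent type") type_col = i
            if (norm($i) == "alive")      alive_col = i
        }
        next
    }
    {
        t = norm($type_col)
        if (!(t in want)) next
        if (trim($alive_col) == ":-)") ok[t] = 1
        else seen[t] = trim($alive_col)
    }
    END {
        for (t in want) {
            if (t in ok) continue
            bad = 1
            if (t in seen) printf "DOWN: %s (alive=%s)\n", t, seen[t]
            else           printf "MISSING: %s\n", t
        }
        exit bad
    }'
}

# Constructed sample output; ids and host name are made up.
sample_agent_list() {
    cat <<'EOF'
+----------+--------------------+------+-------+----------------+
| id       | agent_type         | host | alive | admin_state_up |
+----------+--------------------+------+-------+----------------+
| 0a1b2c3d | DHCP agent         | virl | :-)   | True           |
| 1b2c3d4e | L3 agent           | virl | :-)   | True           |
| 2c3d4e5f | Linux bridge agent | virl | :-)   | True           |
| 3d4e5f60 | Metadata agent     | virl | :-)   | True           |
+----------+--------------------+------+-------+----------------+
EOF
}
```
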

virl@virl:~$ sudo virl_health_status | grep listening

You may restart VIRL related services if you did not see the results expected.
virl@virl:~$ sudo service virl-std restart
virl@virl:~$ sudo service virl-uwm restart

To verify the license configuration in command line interface:
virl@virl:~$ sudo virl_health_status | grep -A 4 -e hostid -e product

Congratulations! Your VIRL server is ready.

Default Credentials

For your convenience, here is a list of credentials used during our VIRL installation process. Please note that usernames and passwords are case sensitive. These are the product defaults, so change them once the installation is complete.

  1. SSH to VIRL Server: virl / VIRL  (username / password)
  2. User Workspace Management (UWM) admin: uwmadmin / password
  3. User Workspace Management (UWM) guest: guest / guest
  4. Live Visualization: guest (or simulation owner's user-id) / guest (or simulation owner's password)
  5. VM Maestro: guest / guest
  6. SSH to Vagrant: vagrant / vagrant

This concludes my tutorial on how to install a Cisco VIRL server on Packet.

About the Author

Jack Wang, CCIE #32450, is the author of Cisco VIRL Book, Network Solution Architect, Technical Writer and Consultant at Speak Network Solutions. He has been designing and implementing enterprise and large-scale service provider networks as well as teaching and blogging about advanced technologies. His current focus includes software defined networking (SDN), data centers, Amazon AWS cloud integration, wireless, WAN architectures and design. Jack holds B.S. in Engineering and M.S. in Computer Science.