NSX-V Central CLI for Operations & Troubleshooting
NSX for vSphere 6.2 brought a lot of great new features such as multi-vCenter support, traceflow, and L2 bridging interoperability with the Distributed Logical Router. One of the new enhancements in the operations and troubleshooting category is the NSX-V Central CLI, which provides read-only commands, available centrally on the NSX-V Manager, to query all your NSX elements.
CLI commands already existed in earlier releases of NSX (pre-6.2), but you had to log into each of the elements composing the NSX infrastructure (controllers, edges, hosts). The new NSX-V Central CLI leverages existing communication channels (such as netcpa, vsfwd, etc.) to retrieve operational data such as VTEP/MAC/ARP tables from the NSX Controllers, dynamic routing peer status, routing tables, distributed firewall vNIC rules and stats, edge status, and so on.
From NSX-V 6.2.1 release notes:
Central CLI reduces troubleshooting time for distributed network functions. Commands are run from the command line on NSX Manager and retrieve information from controllers, hosts, and the NSX Manager. This allows you to quickly access and compare information from multiple sources. The central CLI provides information about logical switches, logical routers, distributed firewall and edges.
NSX-V Central CLI Usage
Before starting, I suggest you RTFM the NSX Command Line Interface Reference, where all supported commands are described. :)
The central CLI is organized by function:
- Logical Switches (LS)
- Distributed Logical Router (DLR)
- Distributed Firewall (DFW)
- Edge Services Gateway (ESG)
You will need some information about your environment in order to use the central commands. The following commands will help you find the appropriate information.
- To retrieve controllers information / ID:
show controller list all
- To retrieve clusters information / ID:
show cluster all
- To retrieve hosts information / ID in a specific cluster:
show cluster cluster-id
- To retrieve logical switches information / ID:
show logical-switch list all
- To retrieve distributed logical routers information / ID:
show logical-router list all
- To retrieve edges information / ID:
show edge all
Example 1: you want to check information existing about a specific logical switch on a specified host.
nsx01-cap-z51.sddc.lab> show logical-switch host host-15 vni 10000 verbose
VXLAN Global States:
Control plane Out-Of-Sync: No
UDP port: 8472
VXLAN network: 10000
Multicast IP: N/A (headend replication)
Control plane: Enabled (multicast proxy,ARP proxy)
Controller: 10.51.10.72 (up)
MAC entry count: 0
ARP entry count: 0
Port count: 1
VXLAN port: vdrPort
Switch port ID: 50331655
vmknic ID: 0
Example 2: you want to get interfaces information for a specific logical router.
nsx01-cap-z51.sddc.lab> show logical-router controller master dlr edge-374180e5-b7ba-457f-8e95-c70dc53546b7 interface
Interface Type Id IP[]
27100000000c vxlan 10002(0x2712) 192.168.3.1/24
27100000000a vxlan 10000(0x2710) 192.168.1.1/24
271000000002 vxlan 10003(0x2713) 192.168.0.6/24
27100000000b vxlan 10001(0x2711) 192.168.2.1/24
masterControllerIp=10.51.10.72
NB: I retrieved the logical router ID with a show logical-router list all.
Example 3: you want to verify that the OSPF peering was correctly established on your edge device and that the routes were propagated appropriately. You start by retrieving the ID of the edge concerned with show edge all.
nsx01-cap-z51.sddc.lab> show edge all
NOTE: CLI commands for Edge ServiceGateway(ESG) start with 'show edge'
CLI commands for Distributed Logical Router(DLR) Control VM start with 'show edge'
CLI commands for Distributed Logical Router(DLR) start with 'show logical-router'
Edges with version >= 6.2 support Central CLI and are listed here
Legend:
Edge Size: Compact - C, Large - L, X-Large - X, Quad-Large - Q
Edge ID Name Size Version Status
edge-1 EDGE-LB C 6.2.1 GREEN
edge-2 ESG-VPN C 6.2.1 GREEN
edge-374180e5-b7ba-457f-8e95-c70dc53546b7 DLR-UNI-01 C 6.2.1 GREEN
edge-3 PERIMETER-Z51-SINGLE C 6.2.1 GREEN
edge-5 PERIMETER-Z51-ECMP1 C 6.2.1 GREEN
edge-6 PERIMETER-Z51-ECMP2 C 6.2.1 GREEN
Now that we retrieved all IDs, we can query the appropriate edge. Let’s query the “edge that is not married” (edge-3) for its routing table and the listing of its OSPF neighbours.
nsx01-cap-z51.sddc.lab> show edge edge-3 ip route
haIndex: 0
Codes: O - OSPF derived, i - IS-IS derived, B - BGP derived,
C - connected, S - static, L1 - IS-IS level-1, L2 - IS-IS level-2,
IA - OSPF inter area, E1 - OSPF external type 1, E2 - OSPF external type 2,
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
Total number of routes: 7
S 0.0.0.0/0 [1/1] via 10.51.0.254
C 10.51.0.0/24 [0/0] via 10.51.0.10
C 169.254.1.0/30 [0/0] via 169.254.1.1
C 192.168.0.0/24 [0/0] via 192.168.0.1
O E2 192.168.1.0/24 [110/1] via 192.168.0.6
O E2 192.168.2.0/24 [110/1] via 192.168.0.6
O E2 192.168.3.0/24 [110/1] via 192.168.0.6
nsx01-cap-z51.sddc.lab> show edge edge-3 ip ospf neighbor
haIndex: 0
Neighbor ID Priority Address Dead Time State Interface
192.168.0.6 128 192.168.0.5 38 Full/DR vNic_1
I won’t develop the examples any further; I’m sure you got the idea! ;)
Query NSX-V Central CLI via API
Wait, what? Yes, it’s possible to query the NSX Central CLI via API.
This method can be used by companies that don’t want to use the new central CLI only for troubleshooting, but also to operationalize its capabilities.
The request is the following:
POST https://NSX-Manager-IP-Address/api/1.0/nsx/cli?action=execute
Request body:
<nsxcli>
<command>CLI Command</command>
</nsxcli>
Of course, you have to replace the different fields with your own values, as I did below (where I used the same command as in the last example).
<nsxcli>
<command>show edge edge-3 ip route</command>
</nsxcli>
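To operationalize this call, the sketch below (an added example, not code from the original post or from VMware) builds the POST request with an allowlist of the read-only command families shown above, XML-escapes the command so caller-supplied text cannot alter the request body, and parses the routing table output from Example 3. The host name, credentials, Basic authentication and the Content-Type/Accept header values are assumptions; the function names are hypothetical.

```python
import base64, re, urllib.request
from xml.sax.saxutils import escape

# Read-only command families shown on this page; anything else is refused.
ALLOWED = ("show controller ", "show cluster ", "show logical-switch ",
           "show logical-router ", "show edge ")

def build_cli_request(manager, user, password, command):
    """Build (but do not send) the POST for the central CLI endpoint."""
    command = " ".join(command.split())      # collapse newlines and extra spaces
    if not command.startswith(ALLOWED):
        raise ValueError("not a read-only central CLI command: %r" % command)
    # Escape so caller-supplied text cannot add XML elements to the body.
    body = "<nsxcli><command>%s</command></nsxcli>" % escape(command)
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    return urllib.request.Request(
        "https://%s/api/1.0/nsx/cli?action=execute" % manager,
        data=body.encode("utf-8"), method="POST",
        headers={"Authorization": "Basic " + token,   # assumed auth scheme
                 "Content-Type": "application/xml",   # assumed header
                 "Accept": "text/plain"})             # assumed header

ROUTE = re.compile(r"^([A-Z])\s+(?:([A-Z]\w)\s+)?(\S+/\d+)\s+"
                   r"\[(\d+)/(\d+)\]\s+via\s+(\S+)$")

def parse_routes(text):
    """Turn 'show edge <id> ip route' output into a list of route dicts."""
    routes = []
    for line in text.splitlines():
        m = ROUTE.match(line.strip())
        if m:
            code, sub, prefix, dist, metric, hop = m.groups()
            routes.append({"code": code, "subtype": sub, "prefix": prefix,
                           "distance": int(dist), "metric": int(metric),
                           "next_hop": hop})
    return routes

# Route lines copied from the page's 'show edge edge-3 ip route' output.
SAMPLE = """haIndex: 0
Total number of routes: 7
S 0.0.0.0/0 [1/1] via 10.51.0.254
C 10.51.0.0/24 [0/0] via 10.51.0.10
C 169.254.1.0/30 [0/0] via 169.254.1.1
C 192.168.0.0/24 [0/0] via 192.168.0.1
O E2 192.168.1.0/24 [110/1] via 192.168.0.6
O E2 192.168.2.0/24 [110/1] via 192.168.0.6
O E2 192.168.3.0/24 [110/1] via 192.168.0.6"""

def ospf_prefixes(text):
    return sorted(r["prefix"] for r in parse_routes(text) if r["code"] == "O")
```

Passing the returned request to urllib.request.urlopen sends it with certificate verification enabled by default, so the NSX Manager certificate must chain to a CA the client trusts.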