
NSX-V Central CLI for Operations & Troubleshooting

NSX for vSphere 6.2 brought many great new features such as multi-vCenter support, Traceflow, and L2 bridging interoperability with the Distributed Logical Router. One of the new enhancements in the operations and troubleshooting category is the NSX-V Central CLI, which provides read-only commands, available centrally on the NSX-V Manager, to query all your NSX elements.

CLI commands already existed in earlier releases of NSX (pre-6.2), but you had to log into each element of the NSX infrastructure (controllers, edges, hosts) individually. The new NSX-V Central CLI leverages the existing communication channels (netcpa, vsfwd, etc.) to retrieve operational data such as the VTEP/MAC/ARP tables from the NSX Controllers, dynamic routing peer status, routing tables, distributed firewall vNIC rules and stats, edge status, and so on.

From the NSX-V 6.2.1 release notes:

Central CLI reduces troubleshooting time for distributed network functions. Commands are run from the command line on NSX Manager and retrieve information from controllers, hosts, and the NSX Manager. This allows you to quickly access and compare information from multiple sources. The central CLI provides information about logical switches, logical routers, distributed firewall and edges.

NSX-V Central CLI Usage

Before starting, I suggest you read the NSX Command Line Interface Reference, where all supported commands are described. :)

The central CLI is organized by function:

  • Logical Switches (LS)
  • Distributed Logical Router (DLR)
  • Distributed Firewall (DFW)
  • Edge Services Gateway (ESG)

You will need some information about your environment (object IDs) in order to use the central commands. The following commands will help you find it.

  • To retrieve controller information / IDs: show controller list all
  • To retrieve cluster information / IDs: show cluster all
    • To retrieve host information / IDs in a specific cluster: show cluster <cluster-id>
  • To retrieve logical switch information / IDs: show logical-switch list all
  • To retrieve distributed logical router information / IDs: show logical-router list all
  • To retrieve edge information / IDs: show edge all

Example 1: you want to check what a specific host knows about a specific logical switch (VNI).

nsx01-cap-z51.sddc.lab> show logical-switch host host-15 vni 10000 verbose
VXLAN Global States:
        Control plane Out-Of-Sync:      No
        UDP port:       8472
VXLAN network:  10000
        Multicast IP:   N/A (headend replication)
        Control plane:  Enabled (multicast proxy,ARP proxy)
        Controller:     10.51.10.72 (up)
        MAC entry count:        0
        ARP entry count:        0
        Port count:     1
        VXLAN port:     vdrPort
                Switch port ID: 50331655
                vmknic ID:      0

Example 2: you want to get interface information for a specific logical router from the controller that is master for it.

nsx01-cap-z51.sddc.lab> show logical-router controller master dlr edge-374180e5-b7ba-457f-8e95-c70dc53546b7 interface
Interface                        Type   Id                       IP[]
27100000000c                     vxlan  10002(0x2712)            192.168.3.1/24
27100000000a                     vxlan  10000(0x2710)            192.168.1.1/24
271000000002                     vxlan  10003(0x2713)            192.168.0.6/24
27100000000b                     vxlan  10001(0x2711)            192.168.2.1/24
masterControllerIp=10.51.10.72

NB: I retrieved the logical router ID with show logical-router list all.

Example 3: you want to verify that OSPF peering was correctly established on your edge device and that the routes were propagated appropriately. Start by retrieving the ID of the edge in question with show edge all.

nsx01-cap-z51.sddc.lab> show edge all
NOTE: CLI commands for Edge ServiceGateway(ESG) start with 'show edge'
      CLI commands for Distributed Logical Router(DLR) Control VM start with 'show edge'
      CLI commands for Distributed Logical Router(DLR) start with 'show logical-router'
      Edges with version >= 6.2 support Central CLI and are listed here
Legend:
Edge Size: Compact - C, Large - L, X-Large - X, Quad-Large - Q
Edge ID                                    Name                     Size Version Status
edge-1                                     EDGE-LB                  C    6.2.1   GREEN
edge-2                                     ESG-VPN                  C    6.2.1   GREEN
edge-374180e5-b7ba-457f-8e95-c70dc53546b7  DLR-UNI-01               C    6.2.1   GREEN
edge-3                                     PERIMETER-Z51-SINGLE     C    6.2.1   GREEN
edge-5                                     PERIMETER-Z51-ECMP1      C    6.2.1   GREEN
edge-6                                     PERIMETER-Z51-ECMP2      C    6.2.1   GREEN

Now that we have all the IDs, we can query the appropriate edge. Let's query the standalone edge (edge-3, PERIMETER-Z51-SINGLE, the one not paired for ECMP) for its routing table and the list of its OSPF neighbours. The neighbour must be in the Full state, and the DLR's prefixes must show up as OSPF-derived (O E2) routes via the DLR's uplink address (192.168.0.6):

nsx01-cap-z51.sddc.lab> show edge edge-3 ip route
haIndex:              0

Codes: O - OSPF derived, i - IS-IS derived, B - BGP derived,
C - connected, S - static, L1 - IS-IS level-1, L2 - IS-IS level-2,
IA - OSPF inter area, E1 - OSPF external type 1, E2 - OSPF external type 2,
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

Total number of routes: 7

S       0.0.0.0/0            [1/1]         via 10.51.0.254
C       10.51.0.0/24         [0/0]         via 10.51.0.10
C       169.254.1.0/30       [0/0]         via 169.254.1.1
C       192.168.0.0/24       [0/0]         via 192.168.0.1
O   E2  192.168.1.0/24       [110/1]       via 192.168.0.6
O   E2  192.168.2.0/24       [110/1]       via 192.168.0.6
O   E2  192.168.3.0/24       [110/1]       via 192.168.0.6
nsx01-cap-z51.sddc.lab> show edge edge-3 ip ospf neighbor
haIndex:              0
Neighbor ID      Priority  Address          Dead Time  State           Interface
192.168.0.6      128       192.168.0.5      38         Full/DR          vNic_1

I won't develop the examples further; I'm sure you get the idea! ;)

Query NSX-V Central CLI via API

Wait, what? Yes, it's possible to query the NSX Central CLI via the API.

This method is useful for organizations that want to use the new central CLI not only for interactive troubleshooting, but also to operationalize its capabilities (scripted health checks, scheduled collection of controller and edge state for monitoring, and so on).

The request is the following:

POST https://NSX-Manager-IP-Address/api/1.0/nsx/cli?action=execute

Request body (sent with the usual basic authentication, Content-Type: application/xml and Accept: text/plain, since the manager returns the raw CLI output rather than XML):

<nsxcli>
   <command>CLI Command</command>
</nsxcli>

Of course, replace the fields with your own values, as I did below (using the same command as in the last example).

<nsxcli>
   <command>show edge edge-3 ip route</command>
</nsxcli>

(Screenshot: getting NSX Edge routing information by querying the central CLI via the API.)
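Putting the API call and Example 3 together: the script below is an added example (it is not code from the original post or from VMware). It builds the <nsxcli> request body, POSTs it to the NSX Manager over a verified TLS connection, and then parses the "show edge ... ip route" and "show edge ... ip ospf neighbor" output into a pass/fail check of the OSPF peering and route propagation. The manager host name, the NSX_USER / NSX_PASSWORD / NSX_CA_BUNDLE environment variables and the helper names are assumptions of this example; the sample output embedded at the bottom is the post's own Example 3 output, so the check runs offline.

```python
"""Run NSX-V Central CLI commands via the NSX Manager API and check the answer.

Added example, not code from the original post or from VMware. Assumptions
(hypothetical, as in the lead-in): the caller supplies the manager host name,
credentials come from NSX_USER / NSX_PASSWORD, and NSX_CA_BUNDLE points at the
CA that issued the manager's certificate.
"""
import base64
import os
import re
import ssl
import urllib.request
import xml.etree.ElementTree as ET

CLI_PATH = "/api/1.0/nsx/cli?action=execute"


def build_cli_body(command: str) -> bytes:
    """Build <nsxcli><command>...</command></nsxcli> as the API expects.

    ElementTree escapes <, > and &, so a command taken from a ticket or a
    script argument cannot break out of the <command> element.
    """
    root = ET.Element("nsxcli")
    ET.SubElement(root, "command").text = command
    return ET.tostring(root, encoding="unicode").encode("utf-8")


def run_central_cli(manager: str, command: str) -> str:
    """POST one read-only central CLI command; return the manager's text output."""
    creds = f"{os.environ['NSX_USER']}:{os.environ['NSX_PASSWORD']}".encode()
    req = urllib.request.Request(
        f"https://{manager}{CLI_PATH}",
        data=build_cli_body(command),
        method="POST",
        headers={
            "Authorization": "Basic " + base64.b64encode(creds).decode(),
            "Content-Type": "application/xml",
            "Accept": "text/plain",  # the CLI API returns raw CLI output, not XML
        },
    )
    # Validate the manager's certificate; never disable verification to "make it work".
    ctx = ssl.create_default_context(cafile=os.environ.get("NSX_CA_BUNDLE"))
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.read().decode("utf-8", errors="replace")


# One route line of "show edge <id> ip route", e.g.
# "O   E2  192.168.1.0/24       [110/1]       via 192.168.0.6"
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z])\s+(?:(?P<sub>[A-Z][A-Z0-9])\s+)?(?P<prefix>\d[\d.]*/\d+)"
    r"\s+\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<via>\S+)"
)


def parse_routes(output: str) -> list:
    """Turn the routing table text into dicts; legend and header lines are skipped."""
    routes = []
    for line in output.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            r = m.groupdict()
            r["ad"], r["metric"] = int(r["ad"]), int(r["metric"])
            routes.append(r)
    return routes


def parse_ospf_neighbors(output: str) -> list:
    """Parse the rows of "show edge <id> ip ospf neighbor" into dicts."""
    neighbors = []
    for line in output.splitlines():
        f = line.split()
        if len(f) == 6 and re.fullmatch(r"\d+\.\d+\.\d+\.\d+", f[0]):
            neighbors.append({"id": f[0], "address": f[2], "dead": int(f[3]),
                              "state": f[4], "interface": f[5]})
    return neighbors


def check_ospf(route_output: str, neighbor_output: str, expected: list) -> list:
    """Return a list of problems; empty means peering is Full and prefixes are learned."""
    problems = []
    if not any(n["state"].startswith("Full") for n in parse_ospf_neighbors(neighbor_output)):
        problems.append("no OSPF neighbor in Full state")
    learned = {r["prefix"] for r in parse_routes(route_output) if r["code"] == "O"}
    problems += [f"{p} not learned via OSPF" for p in expected if p not in learned]
    return problems


# Sample output copied from the post's Example 3 so the check runs offline.
ROUTE_OUTPUT = """haIndex:              0

Codes: O - OSPF derived, i - IS-IS derived, B - BGP derived,
C - connected, S - static, L1 - IS-IS level-1, L2 - IS-IS level-2,
IA - OSPF inter area, E1 - OSPF external type 1, E2 - OSPF external type 2,
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

Total number of routes: 7

S       0.0.0.0/0            [1/1]         via 10.51.0.254
C       10.51.0.0/24         [0/0]         via 10.51.0.10
C       169.254.1.0/30       [0/0]         via 169.254.1.1
C       192.168.0.0/24       [0/0]         via 192.168.0.1
O   E2  192.168.1.0/24       [110/1]       via 192.168.0.6
O   E2  192.168.2.0/24       [110/1]       via 192.168.0.6
O   E2  192.168.3.0/24       [110/1]       via 192.168.0.6
"""
NEIGHBOR_OUTPUT = """haIndex:              0
Neighbor ID      Priority  Address          Dead Time  State           Interface
192.168.0.6      128       192.168.0.5      38         Full/DR          vNic_1
"""
DLR_PREFIXES = ["192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24"]

if __name__ == "__main__":
    # Live use: route = run_central_cli("nsx-manager.example", "show edge edge-3 ip route")
    print(check_ospf(ROUTE_OUTPUT, NEIGHBOR_OUTPUT, DLR_PREFIXES) or "OSPF OK")
```

Two practitioner notes: the commands are read-only, so run this with a dedicated service account rather than the admin account, and keep certificate verification on (a CA bundle in NSX_CA_BUNDLE) rather than silencing TLS errors; the body is built with ElementTree so a command string containing XML metacharacters is escaped instead of reshaping the request.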


Author

Romain

Staff II Technical Product Manager, technologist with 18+ years of Networking and Security experience in Data Center, Public Cloud & Virtualization (VMs and Containers). He is a double VCDX (DCV and NV, #120), VCDX panelist, frequent VMUG/VMworld speaker and contributor to the community via this blog or social media (follow him on Twitter @woueb).