Chapter 3

ACI Command-Line Interfaces

This chapter covers the following topics related to ACI command-line interfaces (CLIs):

With the implementation of a REST API, ACI offers the ability to configure and manage a data center network as never before. With a fully functional GUI written on top of the API, an ACI administrator has many options when it comes to managing, monitoring, and troubleshooting the ACI data center. Not all interactions with the APIC and switches require use of a REST client or GUI, however. Built into each node in the ACI fabric is a CLI that can be used to leverage existing knowledge of Cisco NX-OS with many common commands and a few new additions. Because the APIC and switches serve different purposes in an ACI solution, each provides unique CLI functionality that can be leveraged.

Throughout the book, you will see references to many different commands and the shell in which they are run. This chapter does the following:

  • Introduces the different CLI shells that exist within ACI

  • Shows how to access the different shells

  • Describes why certain shells should be used over the others

  • Shows how the different shells differ from traditional Cisco CLIs

APIC CLIs

The APIC provides two CLIs that can be used to monitor and troubleshoot the ACI fabric. This section describes in detail the CLIs available when a remote terminal session (either via Secure Shell [SSH] or Telnet) is initiated on an APIC controller. For security reasons, SSH is recommended, and it is the remote terminal session protocol of choice throughout this book.

NX-OS–Style CLI

Along with a GUI and REST API, an APIC also offers an NX-OS–style CLI built on top of a Bash shell that allows you to navigate and configure the ACI fabric as if you were on a traditional NX-OS device. Almost every configuration option that is exposed via the REST API is also configurable via the NX-OS–style CLI. Before diving into how to access the NX-OS CLI, you will find that there are some differences in operating the APIC NX-OS CLI versus the traditional NX-OS CLI on any other Nexus platform. The usage of the NX-OS–style CLI for an APIC differs from the traditional NX-OS CLI in these ways:

  • With the NX-OS–style CLI for an APIC, to make changes to a particular leaf switch, you must first navigate to that switch by using the leaf command followed by node ID.

  • The command syntax in certain cases is slightly different. For example, while specifying an Ethernet port in the NX-OS–style CLI for an APIC, you should type eth x/y instead of ethx/y.

  • With the NX-OS–style CLI for an APIC, when a configuration field consists of user-defined text, such as a password, special characters such as $ or ! should be escaped with a backslash (for example, \$), or the entire word or string should be wrapped in single quotes to avoid misinterpretation by the Bash shell.

  • Some command shortcuts with the NX-OS–style CLI for an APIC are different due to Bash behavior:

    • Ctrl+D exits a session.

    • Ctrl+Z suspends a job.

    • Ctrl+C stops a command.

After initiating an SSH session to an APIC, the first shell you are dropped into is the NX-OS CLI (see Example 3-1).

Example 3-1 Accessing the APIC NX-OS CLI by Using SSH

terminal$ ssh username@apic-address-or-hostname
apic1#

Table 3-1 lists and describes the most commonly used NX-OS CLI modes—the EXEC and global configuration modes—and provides examples of submodes. The table shows how to enter and exit the modes and the resulting system prompts, which help identify which mode you are in and the commands that are available to you in that mode.

Table 3-1 NX-OS CLI Modes with Prompts and Exit Methods

| Mode | Access Method | Prompt | Exit Method |
| --- | --- | --- | --- |
| EXEC | From the APIC prompt, enter execsh. | apic# | To exit to the login prompt, use the exit command. |
| Global configuration | From EXEC mode, enter the configure command. | apic(config)# | To exit from a configuration submode to its parent mode, use the exit command. |
| DNS configuration | From global configuration mode, enter the dns command. | apic(config-dns)# | To exit from any configuration mode or submode to EXEC mode, use the end command. |

Just as on any NX-OS device, with the NX-OS–style CLI for an APIC, the ? character allows you to see what options are available, and the <TAB> character allows you to auto-complete commands. For example, to see the list of show commands, you could run show ? as shown in Example 3-2.

Example 3-2 Using the show Command to See a List of Command Options

apic1# show ?
 aaa Show AAA information
 access-list Show Access-list Information
 accounting Show accounting information
 acllog Show acllog information
 analytics Show analytics cluster configuration
 application Show Application Profiles Information
 audits Show audit-log information
 bridge-domain Show Bridge-domain Information
 callhome Show command for callhome
 catalog Show catalog information
 cli Show All Commands
 clock Show clock information
 <output omitted for brevity>

To see a list of commands that begin with a particular character sequence, type those characters followed by a question mark (?). Do not include a space before the question mark, as shown in Example 3-3.

Example 3-3 Using the show Command to See a List of Command Options Matching a Character Sequence

apic1# sh a?
aaa          Show AAA information
access-list  Show Access-list Information
accounting   Show accounting information
acllog       Show acllog information
analytics    Show analytics cluster configuration
application  Show Application Profiles Information
audits       Show audit-log information

To auto-complete a command after you begin typing, type <TAB>, as demonstrated in Example 3-4.

Example 3-4 Using <TAB> to Auto-Complete Commands

apic1# sh<TAB>
apic1# show

From here, you can select a more specific option to view the contents. A good example of this would be viewing audit log entries on the fabric. You can type show audits to get the contents of the current audit log, which can be used to review all changes that have happened in the environment, as demonstrated in Example 3-5.

Example 3-5 Viewing Audit Log Entries by Using the NX-OS–Style CLI

apic1# show audits
Creation Time : 2018-09-24T15:33:27.785-04:00
ID : 4295033379
User : admin
Action : deletion
Affected Object : uni/fabric/outofsvc/rsoosPath-[topology/pod-1/paths-101/pathep-[eth1/27]]
Description : RsOosPath topology/pod-1/paths-101/pathep-[eth1/27] deleted

Creation Time : 2018-09-24T15:33:24.074-04:00
ID : 4295033378
User : admin
Action : creation
Affected Object : uni/fabric/outofsvc/rsoosPath-[topology/pod-1/paths-101/pathep-[eth1/27]]
Description : RsOosPath topology/pod-1/paths-101/pathep-[eth1/27] created
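
For change review, audit text in this layout can be reduced to one line per record and summarized. The script below is an added example, not from the book: it parses the `show audits` layout of Example 3-5 (rejoining a wrapped Affected Object line), counts changes per user and action, and lists objects that were both created and deleted. The function names, the third sample record, and the user operator1 are constructed for illustration.

```bash
#!/bin/bash
# Added example (not from the book): summarize "show audits" text.

# Constructed sample in the layout of Example 3-5, including the wrapped
# "Affected Object" line. The third record (user operator1) is invented.
sample_audits() {
cat <<'EOF'
Creation Time : 2018-09-24T15:33:27.785-04:00
ID : 4295033379
User : admin
Action : deletion
Affected Object : uni/fabric/outofsvc/rsoosPath-[topology/pod-1/paths-101/pat
 hep-[eth1/27]]
Description : RsOosPath topology/pod-1/paths-101/pathep-[eth1/27] deleted

Creation Time : 2018-09-24T15:33:24.074-04:00
ID : 4295033378
User : admin
Action : creation
Affected Object : uni/fabric/outofsvc/rsoosPath-[topology/pod-1/paths-101/pat
 hep-[eth1/27]]
Description : RsOosPath topology/pod-1/paths-101/pathep-[eth1/27] created

Creation Time : 2018-09-24T15:31:02.511-04:00
ID : 4295033377
User : operator1
Action : creation
Affected Object : uni/fabric/outofsvc/rsoosPath-[topology/pod-1/paths-102/pat
 hep-[eth1/5]]
Description : RsOosPath topology/pod-1/paths-102/pathep-[eth1/5] created
EOF
}

# stdin: "show audits" text. stdout: one record per line, tab-separated:
# creation time, id, user, action, affected object.
audit_records() {
    awk '
        function emit() {
            if (v["ID"] != "")
                printf "%s\t%s\t%s\t%s\t%s\n", v["Creation Time"], v["ID"],
                       v["User"], v["Action"], v["Affected Object"]
            split("", v); last = ""
        }
        { sub(/\r$/, "") }                  # tolerate CRLF captures
        /^[ \t]*$/ { emit(); next }         # blank line ends a record
        /^[ \t]/ {                          # wrapped value: append to the previous field
            sub(/^[ \t]+/, "")
            if (last != "") v[last] = v[last] $0
            next
        }
        {
            sep = index($0, " : ")
            if (sep == 0) next
            last = substr($0, 1, sep - 1)
            v[last] = substr($0, sep + 3)
        }
        END { emit() }'
}

# Number of changes per user and action: user, action, count.
audit_by_user() {
    audit_records | awk -F '\t' '
        { n[$3 "\t" $4]++ }
        END { for (k in n) printf "%s\t%d\n", k, n[k] }' | sort
}

# Objects that have both a creation and a deletion record, with the users
# involved. Useful for spotting settings that were applied and then removed.
audit_transient() {
    audit_records | awk -F '\t' '
        $4 == "creation" { created[$5] = $3 }
        $4 == "deletion" { deleted[$5] = $3 }
        END {
            for (o in created)
                if (o in deleted)
                    printf "%s\tcreated-by=%s\tdeleted-by=%s\n", o, created[o], deleted[o]
        }' | sort
}

# Demo on the constructed sample. For real use, feed saved output on stdin,
# for example: audit_transient < audits.txt
sample_audits | audit_by_user
sample_audits | audit_transient
```
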

Along with show commands, a variety of other tools are exposed via the NX-OS CLI. Because the CLI is on the APIC, you can use it to run commands against one or more switches in the fabric by using the fabric command, which has the following syntax: fabric <nodeId> <show command>. nodeId can be a comma-separated list of more than one node ID to run the command against multiple switches at one time. Example 3-6 shows an example of output from the fabric command.

Example 3-6 Using the fabric Command to Execute a Command on Nodes 101 and 102

apic1# fabric 101,102 show interface mgmt 0
----------------------------------------------------------------
 Node 101 (leaf101)
----------------------------------------------------------------
mgmt0 is up
admin state is up,
 Hardware: GigabitEthernet, address: 002a.100e.2054 (bia 002a.100e.2054)
 Internet Address is 192.168.4.12/24
 MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec
 reliability 255/255, txload 1/255, rxload 1/255
 Encapsulation ARPA, medium is broadcast
 Port mode is routed
 full-duplex, 1000 Mb/s
 Beacon is turned off
 Auto-Negotiation is turned on
 Input flow-control is off, output flow-control is off
 Auto-mdix is turned off
 EtherType is 0x0000
 30 seconds input rate 1000 bits/sec, 1 packets/sec
 30 seconds output rate 848 bits/sec, 1 packets/sec
 Rx
 386298 input packets 297387 unicast packets 13417 multicast packets
 75494 broadcast packets 32067345 bytes
 Tx
 296292 output packets 296276 unicast packets 8 multicast packets
 8 broadcast packets 23768146 bytes

----------------------------------------------------------------
 Node 102 (leaf102)
----------------------------------------------------------------
mgmt0 is up
admin state is up,
 Hardware: GigabitEthernet, address: 002a.100e.22d4 (bia 002a.100e.22d4)
 Internet Address is 192.168.4.13/24
 MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec
 reliability 255/255, txload 1/255, rxload 1/255
 Encapsulation ARPA, medium is broadcast
 Port mode is routed
 full-duplex, 1000 Mb/s
 Beacon is turned off
 Auto-Negotiation is turned on
 Input flow-control is off, output flow-control is off
 Auto-mdix is turned off
 EtherType is 0x0000
 30 seconds input rate 1152 bits/sec, 1 packets/sec
 30 seconds output rate 616 bits/sec, 0 packets/sec
 Rx
 760965 input packets 585204 unicast packets 26324 multicast packets
 149437 broadcast packets 63823992 bytes
 Tx
 585152 output packets 585136 unicast packets 8 multicast packets
 8 broadcast packets 49255940 bytes

In order to apply the configuration, you need to enter configuration mode, just as you do on any other Cisco platform. This is done by entering configure at the prompt, as shown in Example 3-7.

Example 3-7 Entering the Configuration Mode of the NX-OS CLI on an APIC

apic1# configure
apic1(config)#

For many configuration commands, you can precede the command with the no keyword to remove a setting or to restore a setting to the default value. Example 3-8 shows how to create a blacklist policy to shut down an interface and how to remove the blacklist policy to restore the interface to its original state. It also demonstrates how to remove a previously configured DNS server from the configuration.

Example 3-8 Restoring a Configuration to the Default State by Using no

apic1# configure
apic1(config)# leaf 101
apic1(config-leaf)# interface ?
 ethernet Ethernet IEEE 802.3z
 fc FC Interface
 port-channel Port Channel interface
 vfc Virtual Fiber Channel interface
 vfc-po VFC Port Channel interface
 vlan Vlan interface
apic1(config-leaf)# interface ethernet 1/27
apic1(config-leaf-if)# shutdown
apic1(config-leaf-if)# no shutdown
apic1(config-leaf-if)# end
apic1#
apic1# config
apic1(config)# dns
apic1(config-dns)# address 192.0.20.123 preferred
apic1(config-dns)# show dns-address
Address         Preferred
-------------   ---------
192.0.20.123    yes
apic1(config-dns)# no address 192.0.20.123
apic1(config-dns)# show dns-address
Address         Preferred
-------------   ---------

In configuration mode, all configuration options are exposed. At any time, you can issue the where command to see your exact tree location, as shown in Example 3-9.

Example 3-9 Displaying the Current Working Path by Using the where Command

apic1(config-leaf-if)# where
configure t; leaf 101; interface ethernet 1 / 27

Using the NX-OS–style CLI, you can use SSH to access any ACI switch connected in the fabric. This is achieved by initiating an SSH session to the TEP address of the leaf or spine or by using the hostname, as demonstrated in Example 3-10.

Example 3-10 Initiating an SSH Session to a Fabric Node via an APIC NX-OS–Style CLI

apic1# ssh admin@leaf101
Password:
Last login: Thu Feb 14 13:38:44 2019 from 10.0.0.1
Cisco Nexus Operating System (NX-OS) Software
TAC support: http://www.cisco.com/tac
Copyright (c) 2002-2018, Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained in this software are
owned by other third parties and used and distributed under
license. Certain components of this software are licensed under
the GNU General Public License (GPL) version 2.0 or the GNU
Lesser General Public License (LGPL) Version 2.1. A copy of each
such license is available at
http://www.opensource.org/licenses/gpl-2.0.php and
http://www.opensource.org/licenses/lgpl-2.1.php
leaf101# whoami
admin

If you do not know the TEP address or hostname, you can view the details for each node by using the show switch command, as demonstrated in Example 3-11.

Example 3-11 Using the show switch Command to Retrieve Information About the Fabric Nodes

apic1# show switch detail
ID                 : 101
Role               : leaf
Name               : leaf101
Pod Id             : 1
Address            : 10.0.64.68
In-Band V4 Address : 0.0.0.0
In-Band V6 Address : ::
OOB V4 Address     : 192.168.4.12
OOB V6 Address     : ::
Serial Number      : FDO202711U6
Version            : n9000-13.2(3i)
Up Time            : 02:03:00:59.000
Fabric State       : active
State              : in-service
Valid Certificate  : yes
Validity Start     : 2016-07-28T19:39:02.000-05:00
Validity End       : 2026-07-28T19:49:02.000-05:00...
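
The Valid Certificate and Validity End fields in this output can be checked for every node with a short script. The following is an added example, not from the book; it assumes each node's block begins with its ID line, and the function names and the sample nodes 102 and 201 are constructed for illustration.

```bash
#!/bin/bash
# Added example (not from the book): certificate check over "show switch detail".

# Constructed sample. Node 101 uses values shown in Example 3-11 (fields
# trimmed); nodes 102 and 201 are invented to exercise the checks.
sample_switch_detail() {
cat <<'EOF'
ID                 : 101
Role               : leaf
Name               : leaf101
Valid Certificate  : yes
Validity Start     : 2016-07-28T19:39:02.000-05:00
Validity End       : 2026-07-28T19:49:02.000-05:00
ID                 : 102
Role               : leaf
Name               : leaf102
Valid Certificate  : no
Validity Start     : 2016-07-28T19:39:02.000-05:00
Validity End       : 2026-07-28T19:49:02.000-05:00
ID                 : 201
Role               : spine
Name               : spine201
Valid Certificate  : yes
Validity Start     : 2014-03-01T00:00:00.000-05:00
Validity End       : 2024-03-01T00:00:00.000-05:00
EOF
}

# $1: cutoff date, YYYY-MM-DD. stdin: "show switch detail" text.
# stdout per node: id, name, status, certificate end date (tab-separated).
# Assumption: each node block starts with its "ID" line.
# Dates are compared at day granularity; the UTC offset is ignored.
switch_cert_report() {
    awk -v cutoff="$1" '
        function emit(   expiry, status) {
            if (v["ID"] != "") {
                expiry = substr(v["Validity End"], 1, 10)
                if (v["Valid Certificate"] != "yes") status = "invalid-certificate"
                else if (expiry == "")               status = "no-end-date"
                else if ((expiry "") < (cutoff ""))  status = "expires-before-cutoff"
                else                                 status = "ok"
                printf "%s\t%s\t%s\t%s\n", v["ID"], v["Name"], status, expiry
            }
            split("", v)
        }
        { sub(/\r$/, "") }                  # tolerate CRLF captures
        {
            sep = index($0, " : ")
            if (sep == 0) next
            key = substr($0, 1, sep - 1)
            sub(/[ \t]+$/, "", key)         # keys are padded for alignment
            if (key == "ID") emit()         # a new node block begins
            v[key] = substr($0, sep + 3)
        }
        END { emit() }'
}

# Only the nodes that need attention.
switch_cert_findings() {
    switch_cert_report "$1" | awk -F '\t' '$3 != "ok"'
}

# Demo on the constructed sample with a constructed cutoff date.
sample_switch_detail | switch_cert_findings 2025-01-01
```
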

Bash CLI

Along with the NX-OS CLI, an APIC also offers a Linux Bash shell. The Bash shell exposes, but is not limited to, the following functionality:

  • Native Linux command set

  • File system and directory navigation

Originally, the Bash CLI was the only available CLI. When the NX-OS–style CLI was introduced in ACI Release 2.0, many commands that were offered in the Bash CLI were deprecated and added to the NX-OS CLI. However, because the Bash shell is a portal into the Linux operating system on which the APIC is built, the Bash CLI can provide convenience under a variety of circumstances.

In order to access the Bash shell, type the command bash at the NX-OS CLI prompt, as shown in Example 3-12.

Example 3-12 Accessing the APIC Bash Shell

apic1# bash
admin@apic1:~>

Once in the Bash shell, you have access to the native Linux environment, which exposes commands that would otherwise be unavailable in the NX-OS CLI shell. An example of this is the use of the route command, as shown in Example 3-13.

Example 3-13 Using the route Command to View the Linux Routing Table

admin@apic1:~> route
Kernel IP routing table
Destination   Gateway         Genmask           Flags Metric Ref    Use   Iface
default       192.168.4.1     0.0.0.0           UG    16     0        0   oobmgmt
10.0.0.0      10.0.0.30       255.255.0.0       UG    0      0        0   bond0.3093
10.0.0.30     0.0.0.0         255.255.255.255   UH    0      0        0   bond0.3093
10.0.32.65    10.0.0.30       255.255.255.255   UGH   0      0        0   bond0.3093
10.0.32.66    10.0.0.30       255.255.255.255   UGH   0      0        0   bond0.3093
169.254.1.0   0.0.0.0         255.255.255.0     U     0      0        0   teplo-1
169.254.254.0 0.0.0.0         255.255.255.0     U     0      0        0   lxcbr0
172.17.0.0    0.0.0.0         255.255.0.0       U     0      0        0   docker0
192.168.4.0   0.0.0.0         255.255.255.0     U     0      0        0   oobmgmt

The command route is not recognized by the NX-OS–style CLI as it is only available as a Linux command. Furthermore, any time a command that includes a ? needs to be run, the NX-OS CLI interprets this as a need to view the available command options. For instance, maybe you want to query the API for audit logs by using the iCurl functionality that is built into the APIC. iCurl is discussed in detail in Chapter 13, “Troubleshooting Techniques,” but for now just know that you can achieve this by running the following command:

icurl 'http://localhost:7777/api/class/aaaModLR.xml?order-by=aaaModLR.created'

If you run this command via the NX-OS–style CLI, when the ? is entered, the CLI interprets it as a need to see all available commands. This sort of command should be executed in the Bash shell.

Bash shell commands can also be executed directly from the NX-OS–style CLI. In order to do this, you type bash -c "path/command" into the NX-OS CLI from any prompt, as shown in Example 3-14.

Example 3-14 Executing a Bash Command from the NX-OS CLI

apic1# bash -c "route"
Kernel IP routing table
Destination   Gateway         Genmask           Flags Metric Ref    Use   Iface
default       192.168.4.1     0.0.0.0           UG    16     0        0   oobmgmt
10.0.0.0      10.0.0.30       255.255.0.0       UG    0      0        0   bond0.3093
10.0.0.30     0.0.0.0         255.255.255.255   UH    0      0        0   bond0.3093
10.0.32.65    10.0.0.30       255.255.255.255   UGH   0      0        0   bond0.3093
10.0.32.66    10.0.0.30       255.255.255.255   UGH   0      0        0   bond0.3093
169.254.1.0   0.0.0.0         255.255.255.0     U     0      0        0   teplo-1
169.254.254.0 0.0.0.0         255.255.255.0     U     0      0        0   lxcbr0
172.17.0.0    0.0.0.0         255.255.0.0       U     0      0        0   docker0
192.168.4.0   0.0.0.0         255.255.255.0     U     0      0        0   oobmgmt

The Bash shell can also be useful for navigating the file system. For example, after a firmware upgrade, you might see the fault shown in Figure 3-1.

Figure 3-1 Fault Illustrating That the /firmware Directory Is Low on Space

You can leverage traditional Linux commands such as df (disk free) or du (disk usage) to determine the contents of the directory that is full. This is very helpful when determining what is eligible for removal to free up some used space, as demonstrated in Example 3-15.

Example 3-15 Finding Directory Sizes and Navigating the File System on an APIC by Using the Bash Shell

admin@apic1:~> df -h
Filesystem                       Size  Used Avail Use% Mounted on
/dev/mapper/vg_ifc0-boot          40G  8.8G   29G  24% /bin
/dev/mapper/vg_ifc0_ssd-data     175G  6.1G  160G   4% /var/log/dme
devtmpfs                          63G     0   63G   0% /dev
tmpfs                            4.0G  140M  3.9G   4% /dev/shm
/dev/mapper/vg_ifc0-firmware      40G   29G  8.5G  78% /firmware
/dev/mapper/vg_ifc0-scratch       40G  103M   38G   1% /home
tmpfs                             63G     0   63G   0% /sys/fs/cgroup
/dev/mapper/vg_ifc0-techsupport   40G  3.3G   34G   9% /data/techsupport
tmpfs                             16G  136K   16G   1% /tmp
tmpfs                            2.0G  320M  1.7G  16% /var/log/dme/log
/dev/mapper/vg_ifc0-logs          40G  300M   37G   1% /var/log/dme/oldlog
/dev/mapper/vg_ifc0-data2        493G  8.6G  461G   2% /data2
/dev/mapper/vg_ifc0-dmecores      50G   52M   47G   1% /var/log/dme/core
tmpfs                             63G  4.1G   59G   7% /var/run/utmp

admin@apic1:~> cd /firmware
admin@apic1:firmware> du | sort -rn | more
30142636      .
27309904      ./fwrepos
27309836      ./fwrepos/fwrepo

Keep in mind that when you are operating in a Bash shell, you can write Bash scripts to automate certain tasks or monitor your ACI fabric. For example, Example 3-16 shows a simple Bash script to monitor the size of the /firmware directory every two seconds.

Example 3-16 Using a Bash Script to Check the /firmware Directory Every Two Seconds

admin@apic1:~> cat check_firmware_directory.sh
#!/bin/bash

while true; do
      time=$(date)
      echo $time
      cmd=$(df -h | grep firmware)
      echo $cmd
      sleep 2
done

admin@apic1:~> bash check_firmware_directory.sh
Mon Feb 18 13:54:19 EST 2019
/dev/mapper/vg_ifc0-firmware 40G 29G 8.5G 78% /firmware
Mon Feb 18 13:54:21 EST 2019
/dev/mapper/vg_ifc0-firmware 40G 29G 8.5G 78% /firmware
Mon Feb 18 13:54:23 EST 2019
/dev/mapper/vg_ifc0-firmware 40G 29G 8.5G 78% /firmware
...

Finally, the history command allows you to view all commands that have previously been run (see Example 3-17).

Example 3-17 Using the history Command to View Previously Run Commands

admin@apic1:~> history
1  route
2  fd -h
...

ACI Fabric Switch CLIs

For ACI fabric switches, three different CLIs can be used to view different aspects of the platform: iBash, VSH, and VSH_LC. The following sections describe the CLIs available when you use SSH to connect directly to an ACI spine or leaf switch.

iBash CLI

After initiating an SSH session to an ACI switch, the first shell you are dropped into is the iBash CLI, as shown in Example 3-18.

Example 3-18 Accessing the Switch NX-OS iBash CLI by Using SSH

terminal$ ssh username@node-address-or-hostname
leaf101#

iBash is a unique implementation of the Linux Bash shell as it adds NX-OS–like functionality on top of the normal shell. The idea behind the iBash shell was to allow access to native Linux commands but also offer a full NX-OS–style CLI in one shell. The NX-OS commands leverage the REST API to fetch data and display it in an NX-OS–style format. Whenever a command is run from iBash, an HTTP GET request is sent to the API. The same applies for the NX-OS CLI on APIC when running show commands: The query is processed and returned, and the output is displayed to the user in a format that is representative of NX-OS.

There are no configure commands on any of the ACI switches because all configuration is managed and pushed by the APIC. In addition, because much of the configuration may be spread out across multiple security domains and tenants, you must authenticate to the switch by using an account with administrative access in order to access the iBash shell. This ensures that users who access the switch have the right to view all configuration, regardless of which security domain it belongs to. There is no way to limit the output of a command run via iBash based on security domain.

There are a few more differences that you need to be aware of when using the iBash shell on an ACI switch for the first time. The first difference is that when attempting to use the Tab key to complete commands, the first word in the command must be fully completed. This is because the first word dictates whether to interpret the command as a Bash command or an NX-OS command. Once the first word is completed, normal NX-OS functionality exists. Commands can be Tab-completed and abbreviated. If more than one option exists for an abbreviated command, the command is logged as ambiguous, just as in the traditional NX-OS CLI. Example 3-19 demonstrates the use of the iBash shell.

Example 3-19 Using Abbreviations and Command Syntax in the Switch iBash Shell

leaf102# sho clock
bash: sho: command not found

leaf102# show c
Ambiguous command: "show c"

leaf102# show clo
13:49:54.098469 EDT Tue Oct 23 2018

leaf102# show clock
13:49:32.143976 EDT Tue Oct 23 2018

Another major difference is in how you view available commands. Traditionally, you rely on the ? character to list all available command options. In iBash, however, the ? can be used in a normal Bash command like icurl, as demonstrated in the “Bash CLI” section, earlier in this chapter. In order to list all available command options in iBash, you use two Esc keystrokes, as shown in Example 3-20.

Example 3-20 Using <ESC><ESC> to Display All Available Command Options

leaf102# show <ESC><ESC>
 <CR> Carriage return
 all-ports Show all ports on VLAN
 brief All VLAN status in brief
 extended VLAN extended info like encaps
 fcoe FCOE Configuration
 id VLAN status by VLAN id
 internal Show VLAN manager internal
 reserved Internal reserved VLANs
 summary VLAN summary information

Because the switch CLI is now running in a Bash shell, you can use useful Bash commands directly on the switches as you would in any other Bash shell. A great example of this is the watch command. Suppose you want to monitor an interface for errors or other attributes. You can leverage the watch command to print the output of show interface at a given interval, as demonstrated in Example 3-21.

Example 3-21 Using the watch Command to Refresh Command Output on a One-Second Interval

leaf101# watch -n 1 "show interface ethernet 1/1"
Every 1.0s: show interface ethernet 1/1                   Mon Feb 18 10:55:07 2019

Ethernet1/1 is up
admin state is up, Dedicated Interface
  Hardware: 1000/10000/25000/auto Ethernet, address: 002a.100e.2055 (bia 002a.100e.2055)
  MTU 9216 bytes, BW 10000000 Kbit, DLY 1 usec
  reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, medium is broadcast
  Port mode is trunk
  full-duplex, 10 Gb/s, media type is 10G
  FEC (forward-error-correction) : disable-fec
  Beacon is turned off
  Auto-Negotiation is turned on
  Input flow-control is off, output flow-control is off
  Auto-mdix is turned off
  Rate mode is dedicated
  Switchport monitor is off
  EtherType is 0x8100
  EEE (efficient-ethernet) : n/a
  Last link flapped 2d01h
  Last clearing of "show interface" counters never
  1 interface resets
  30 seconds input rate 0 bits/sec, 0 packets/sec
  30 seconds output rate 272 bits/sec, 0 packets/sec
  Load-Interval #2: 5 minute (300 seconds)
    input rate 0 bps, 0 pps; output rate 272 bps, 0 pps
  RX
    0 unicast packets  5944 multicast packets  0 broadcast packets
    5944 input packets  1491944 bytes
    0 jumbo packets  0 storm suppression bytes
    0 runts  0 giants  0 CRC  0 no buffer
    0 input error  0 short frame  0 overrun   0 underrun  0 ignored
    0 watchdog  0 bad etype drop  0 bad proto drop  0 if down drop
    0 input with dribble  0 input discard 0 input total drop
    0 Rx pause
  TX
    0 unicast packets  7386 multicast packets  122 broadcast packets
    7508 output packets  2137474 bytes
    0 jumbo packets
    0 output error  0 collision  0 deferred  0 late collision
    0 lost carrier  0 no carrier  0 babble  0 output discard 0 output total drops
    0 Tx pause

This makes gathering output more hands free compared to rerunning the command(s) manually.

Bash also allows you to alias commands to avoid having to type commands that are repetitive or that might contain very long names, as demonstrated in Example 3-22.

Example 3-22 Setting Bash Environment Variables to Define Aliases

leaf101# v1="longVrfName:longVrfName"

leaf101# show ip route vrf $v1
IP Route Table for VRF "longVrfName:longVrfName"
'*' denotes best ucast next-hop
'**' denotes best mcast next-hop
'[x/y]' denotes [preference/metric]
'%<string>' in via output denotes VRF <string>

0.0.0.0/0, ubest/mbest: 1/0
    *via 10.10.27.3, vlan34, [110/1], 2d03h, ospf-default, type-2
10.10.20.0/24, ubest/mbest: 1/0, attached, direct, pervasive
    *via 10.0.32.66%overlay-1, [1/0], 2d03h, static, tag 4294967295
10.10.20.1/32, ubest/mbest: 1/0, attached, pervasive
    *via 10.10.20.1, vlan27, [1/0], 2d04h, local, local

The other switch CLIs—VSH and VSH_LC—are accessed via iBash. Some command shortcuts are also different due to the behavior of the iBash shell:

  • Ctrl+D exits a session.

  • Ctrl+C stops a command.

VSH CLI

Because the iBash CLI relies on querying the API to return data to the user, there might be times when you would like to query the NX-OS software directly to get access to command output that isn’t stored in the management information tree (MIT). In such cases, you can use the VSH shell.

The VSH shell exposes no Linux Bash functionality but rather provides direct access to the traditional NX-OS shell. Once you have used SSH to connect to an ACI switch, you can enter the VSH shell by typing vsh into the iBash CLI, as demonstrated in Example 3-23.

Example 3-23 Entering the Switch VSH Shell from iBash

leaf102# vsh
Cisco iNX-OS Debug Shell
This shell should only be used for internal commands and exists
for legacy reasons. User should use ibash infrastructure as this
will be deprecated.
leaf102#

Notice the message stating that the shell might be deprecated in the future. It is important to understand that the iBash shell was intended to supersede the traditional NX-OS shell, and therefore development efforts to maintain the traditional NX-OS shell are not always prioritized. However, it is safe to run show commands in this environment, and in most cases, doing so can provide great value.

You can also run any vsh command directly from iBash. This is helpful in the event that you want to redirect the output to a file and store it somewhere in the Linux file system, as demonstrated in Example 3-24.

Example 3-24 Running VSH Commands from iBash and Redirecting to a File

leaf101# vsh -c "show clock"
14:05:58.838 EDT Thu Oct 25 2018

leaf101# vsh -c "show clock" > /tmp/clock.txt
leaf101# cat /tmp/clock.txt
14:06:19.226 EDT Thu Oct 25 2018

If you are unsure of what commands are available, you can leverage the show cli list command and grep for certain keywords. For example, suppose you want to see all available commands that start with show ip. You can find these commands by using show cli list, as demonstrated in Example 3-25.

Example 3-25 Using show cli list in the VSH Shell to Find a List of Available Commands

leaf101# show cli list | grep "show ip"
show ip interface <if> vrf <str>
show ip interface <if> vrf <str>
show ip interface <if> vrf all
show ip interface vrf <str>
show ip interface vrf <str>
show ip interface vrf all
...

To get back into the iBash CLI from VSH, you simply type exit.

VSH_LC CLI

Both the iBash and VSH shells can be used to check the software state of an ACI switch. However, to run hardware-level commands, you use the VSH_LC shell.

For nonmodular switches, you can enter the VSH_LC shell by typing vsh_lc into the iBash shell, as shown in Example 3-26.

Example 3-26 Accessing the VSH_LC Shell from iBash

leaf101# vsh_lc
vsh_lc
module-1#

For modular switches like spines, each line card and fabric module has its own shell. In order to access it, you need to issue the attach module <X> command from the VSH shell, as shown in Example 3-27.

Example 3-27 Accessing the VSH_LC Shell of a Particular Module

spine201# vsh
Cisco iNX-OS Debug Shell
This shell should only be used for internal commands and exists
for legacy reasons. User should use ibash infrastructure as this
will be deprecated.

spine201# attach module 1
Attaching to module 1 ...
To exit type 'exit', to abort type '$.'
module-1#

Just like VSH commands, VSH_LC commands can be run directly from iBash, as shown in Example 3-28.

Example 3-28 Running VSH_LC Commands from iBash and Redirecting to a File

leaf101# vsh_lc -c "show clock"
14:07:06.419 EDT Thu Oct 25 2018

leaf101# vsh_lc -c "show clock" > /tmp/clock.txt
leaf101# cat /tmp/clock.txt
14:07:14.092 EDT Thu Oct 25 2018

Just like in the VSH shell, you can use show cli list in the VSH_LC shell, as shown in Example 3-29.

Example 3-29 Using show cli list in the VSH_LC Shell to Find a List of Available Commands

module-1# show cli list | grep forwarding | grep trace
show system internal forwarding l2 multicast binlog traces
show forwarding trace clear module <int>
show forwarding trace clear
show forwarding trace module <int>
show forwarding trace
...

To get back into the iBash CLI from VSH_LC, you simply type exit from the base prompt. You can quickly get back to the base prompt by entering the command end.

Summary

For both the APIC and ACI fabric switches, there are a variety of command-line interfaces you can leverage to configure, monitor, and troubleshoot an ACI deployment. On an APIC, the NX-OS–style CLI can be used to configure the fabric, just as with the API or GUI, and the Bash shell allows you to access the Linux operating system of the APIC. For each switch in the ACI fabric, the iBash shell allows you to run read-only commands that leverage the API for the result. VSH can be used to access an NX-OS–style CLI directly, and VSH_LC allows you to run commands that poll the software and hardware that run on the line card(s) of the device. With the knowledge of all the CLI options available, many new doors open into the world of ACI. This chapter covers CLI usage of ACI; however, for overall application infrastructure provisioning, more sophisticated automation and orchestration techniques should be used to achieve application agility, as described in Chapter 8, “Automation and Orchestration.”

Reference

Cisco, APIC NX-OS Style Command-Line Interface Configuration Guide.

Note

There are no Key Topics or Review Questions for this chapter.
