Tuesday, May 12, 2015

Useful NSX CLI commands

I'm not going to repeat run-of-the-mill install stuff, just commands that I've found or that people have pointed me to when I've hit issues. I'll add some API stuff in another post at some point, as there's a bunch of stuff not in the CLI at all yet.

When controllers don't deploy (or deploy then get immediately deleted):
Check disk space on the specified datastore.
Check /var/log/netcpa.log on the ESXi hosts for IP pool allocation issues on the controllers (each controller takes its address from the IP pool chosen at deployment, so an exhausted pool is a common cause).
Frequently issues arise because of connectivity between NSX Manager and the controllers (NSX Manager reaches the controllers on TCP/443), and the most common of all: DNS and NTP issues. Check that Manager, controllers and hosts resolve each other and agree on the time before digging any deeper.

In the Manager CLI there's a handy 'show running-config' these days, which doesn't show a whole lot but will show if you fat-fingered its own network settings.
'show manager log follow' tails the main log file, which helps with all kinds of deployment debugging, as the errors can be more verbose than in the GUI.


To troubleshoot MTU issues:
'esxcli network ip interface list', 'esxcli network nic list' and 'ping ++netstack=vxlan -d -s 1572 x.x.x.x', where x.x.x.x is the IP of another host's VTEP. -d sets don't-fragment and -s is the ICMP payload size, so for a 1600-byte VTEP MTU the largest payload that fits is 1572 (1600 minus the 20-byte IP and 8-byte ICMP headers); -s 1600 with -d fails even on a correctly configured path. If the large ping fails but a small one works, some hop between the VTEPs is not carrying jumbo frames.

vCNS-era esxcli commands (the vxlan namespace is still present on NSX hosts, so these also work there):
esxcli network vswitch dvs vmware vxlan network mapping list --vds-name=myvds --vxlan-id=5001

esxcli network vswitch dvs vmware vxlan list
esxcli network vswitch dvs vmware vxlan config stats set --level 1
esxcli network vswitch dvs vmware vxlan stats list --vds-name=myvds

esxcli network vswitch dvs vmware vxlan vmknic multicastgroup list --vds-name=myvds --vlan-id=100

esxcli network vswitch dvs vmware vxlan network stats list --vds-name=myvds --vxlan-id=5001

(myvds is the name of your distributed switch and 5001 an example VNI; substitute your own.)

The dvfilter is the bit that sits between a VM's vNIC and its vSwitch port (not at the physical vmnic uplink) and does the packet filtering (and presumably steering in the case of the PANW integration). Each protected vNIC gets its own filter; the distributed firewall one is named after the VM's port, in the form nic-<number>-eth0-vmware-sfw.2.

summarize-dvfilter gives back a list of filters present on the host, including the filter names you need for the commands below.
pktcap-uw --dvfilter $filter_name --capture PreDVFilter (or --capture PostDVFilter) can then be used to sniff traffic before or after the filter, to help figure out if a rule is not doing what is expected; add -o /tmp/capture.pcap to write a pcap you can open in Wireshark.

pktcap-uw -A lists the capture points available on the host.

vsipioctl getfwrules -f $filter_name shows the rules actually programmed on that filter (vsipioctl getfilters lists the filters; newer builds use 'vsipioctl getrules -f' instead of getfwrules). If a rule you published in the GUI is missing here, the problem is distribution to the host rather than the rule itself.

ESXi to controller (the netcpa agent) is TCP/1234; 'esxcli network ip connection list | grep 1234' on a host shows whether the sessions are established.

Equivalent of a 'sh cam dy' or 'sh mac-addr' (the MAC table) for a VDR instance with an L2 bridge; 'net-vdr -I -l' lists the instance names to use:
net-vdr -b --mac default+edge-1

On an Edge, 'debug packet display interface vNic_0 host_192.168.1.1' is the tcpdump wrapper; the interface names are vNic_0 to vNic_9 and the filter is tcpdump syntax with underscores in place of spaces, e.g. host_192.168.1.1_and_port_22.

show log follow

show service ipsec site (configured IPsec sites and whether their tunnels are up)

Rene's huge page of links:
http://vcdx133.com/2014/10/05/nsx-link-o-rama/

Logging:
When introducing micro-segmentation to a running environment especially, and for debugging for ever after, not to mention security auditing, logging is vital.
NSX has lots of logs in different places, so redirecting them all to Log Insight or some other central location is the way to go. To configure it, add the log host on NSX Manager and on each Edge.
The distributed firewall is distributed :)  Its packet logs are written on each ESXi host (/var/log/dfwpktlogs.log) and only for rules that have logging enabled on the rule itself, so turn that on for the rules you care about and add the syslog target on every ESXi host:
esxcli system syslog config set --loghost='udp://192.168.110.241:514'
esxcli system syslog reload
esxcli network firewall ruleset set --ruleset-id=syslog --enabled=true
esxcli network firewall refresh
udp:// is plaintext; if the collector supports it use ssl://192.168.110.241:1514 instead (tcp:// also works). The last two commands open the ESXi host firewall for outbound syslog. Verify with 'esxcli system syslog config get' and confirm a test line actually arrives at the collector before relying on it.
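The usual way to introduce micro-segmentation is to start with a logging catch-all allow rule, watch what hits it, write explicit rules for that traffic and only then flip the default to block. Once the host logs are centralised the question is what flows hit which rule. The script below is an added example, not from the original post: it assumes a dfwpktlogs.log line layout modelled on NSX 6.x ('... match PASS domain-c7/1003 IN 60 TCP src/sport->dst/dport ...'), which should be checked against a line from a real host before the regex is trusted, and the sample lines, rule ids 1001 and 1003, and addresses are all constructed.

```python
"""Summarise NSX distributed-firewall packet logs collected centrally.

Added example, not part of the original post. The line layout is an
assumption modelled on NSX 6.x /var/log/dfwpktlogs.log; only the part from
'match' onwards is parsed, so the syslog prefix can vary. Sample lines are
constructed.
"""
import re
from collections import Counter, defaultdict

# 'match <ACTION> <ruleset>/<ruleid> <DIR> <len> <PROTO> <src>/<sport>-><dst>/<dport>'
# (assumed layout; compare with a line from one of your own hosts first)
DFW_RE = re.compile(
    r"match\s+(?P<action>PASS|DROP)\s+(?P<ruleset>\S+)/(?P<rule>\d+)\s+"
    r"(?P<dir>IN|OUT)\s+(?P<length>\d+)\s+(?P<proto>[A-Z0-9]+)\s+"
    r"(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+)"
)

# Constructed sample: rule 1003 is a logging catch-all allow used during the
# micro-segmentation roll-out, rule 1001 is an explicit block.
SAMPLE_LOG = """\
2015-05-12T10:01:02.123Z INF 1 INET match PASS domain-c7/1003 IN 60 TCP 192.168.110.10/50512->192.168.110.20/22 S
2015-05-12T10:01:03.456Z INF 1 INET match PASS domain-c7/1003 IN 60 TCP 192.168.110.10/50513->192.168.110.20/22 S
2015-05-12T10:01:04.789Z INF 1 INET match PASS domain-c7/1003 IN 60 TCP 192.168.110.11/50514->192.168.110.20/22 S
2015-05-12T10:01:05.000Z INF 1 INET match PASS domain-c7/1003 OUT 78 UDP 192.168.110.10/52000->192.168.110.1/53
2015-05-12T10:01:06.000Z INF 1 INET match DROP domain-c7/1001 IN 60 TCP 10.0.0.5/41000->192.168.110.20/3389 S
May 12 10:01:07 esx01 vmkernel: unrelated line that shares the same syslog sink
"""


def parse_dfw_line(line):
    """Return the fields of one DFW packet-log line, or None if it is not one."""
    m = DFW_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for k in ("rule", "length", "sport", "dport"):
        rec[k] = int(rec[k])
    return rec


def summarise(lines):
    """Count hits per (action, rule id) and the distinct flows behind each.

    The ephemeral source port is dropped, so each flow key is
    (src, dst, proto, dport): the tuple you would write a rule from.
    """
    hits = Counter()
    flows = defaultdict(Counter)
    for line in lines:
        rec = parse_dfw_line(line)
        if rec is None:
            continue  # other syslog traffic on the same collector; ignore
        key = (rec["action"], rec["rule"])
        hits[key] += 1
        flows[key][(rec["src"], rec["dst"], rec["proto"], rec["dport"])] += 1
    return hits, flows


def rule_candidates(flows, catch_all_rule):
    """Flows that hit the logging catch-all allow rule, most frequent first.

    This is the traffic that needs explicit rules before the default action
    is flipped to block.
    """
    seen = flows.get(("PASS", catch_all_rule), Counter())
    return sorted(seen.items(), key=lambda kv: -kv[1])


def dropped_flows(flows):
    """Everything the DFW dropped, to spot legitimate traffic the new rules broke."""
    out = Counter()
    for (action, _rule), c in flows.items():
        if action == "DROP":
            out.update(c)
    return out


if __name__ == "__main__":
    hits, flows = summarise(SAMPLE_LOG.splitlines())
    for (action, rule), n in sorted(hits.items()):
        print(f"{action} rule {rule}: {n} packets")
    for flow, n in rule_candidates(flows, 1003):
        print("needs a rule:", flow, n)
    for flow, n in dropped_flows(flows).items():
        print("dropped:", flow, n)
```

Run it against the exported dfwpktlogs from all hosts (one file per host is fine, just concatenate) rather than a single host, since the distributed firewall only logs on the host where the VM currently lives. The source port is deliberately discarded when keying flows; keeping it would turn one SSH client into hundreds of "distinct" flows and hide the real picture.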