Manage and report on a Logical Router using NSX Controller, NSX Edge, and ESXi CLI commands

 

NSX Controller CLI commands

 
I could not find very many useful commands to manage or report on a logical router via the NSX Controller, but I will show you how to display the possible commands and their syntax. Open an SSH session to one of your NSX Controllers, and log in with the default user admin and your password.
 
I ran the command show control-cluster logical-routers and hit Enter to get a list of logical-router commands that you will see below.
 

nsx-controller # show control-cluster logical-routers

  Command keyword: stats
  Description: Stats of all logical routers on this controller

  Command keyword: connection 
  Description: Host status, including logical-router datapath version

  Command keyword: stats-sample
  Description: Latest samples of node statistics

  Command keyword: instance 
  Description: Logical router information. logical-router-id could be 'all'

  Command keyword: interface-summary 
  Description: Interface summary for a logical router

  Command keyword: interface  
  Description: Interface details identified by logical-router-id and interface-name

  Command keyword: routes 
  Description: Static routes for a logical router

  Command keyword: route   
  Description: Static route identified by logical-router-id, IP and prefix length. logical-router-id could be 'all'

  Command keyword: bridges  
  Description: Bridge instance information for a logical router. logical-router-id and/or bridge-id could be 'all'

  Command keyword: bridge-mac  
  Description: Bridge mac records for a bridge of a logical router. logical-router-id and/or bridge-id could be 'all'

  Command keyword: vdr-stats 
  Description: Stats of one logical router

  Command keyword: vdr-stats-sample 
  Description: Latest stats samples of one logical router

 
Let’s run through a few of them that may be helpful for the exam.
 
Command: show control-cluster logical-routers instance all
 
Functionality: Display all the logical routers, their ID, Name, Hosts, and Edge-Connection Service-Controller.
 
Example output
 

nsx-controller # show control-cluster logical-routers instance all
LR-Id      LR-Name            Hosts[]         Edge-Connection Service-Controller
0x570d4553 default+edge-3     10.127.128.215                  192.168.18.31
                              10.127.128.229

 
Command: show control-cluster logical-routers interface-summary logical-router-id
 
Functionality: Interface summary for a specific DLR.
 
Example output
 

nsx-controller # show control-cluster logical-routers interface-summary 0x570d4553
Interface                        Type   Id           IP[]
570d455300000002                 vxlan  0x138b       192.168.10.5/29
570d45530000000a                 vxlan  0x138c       172.16.20.1/24

 
Command: show control-cluster logical-routers routes logical-router-id
 
Functionality: Static routes for a logical router.
 
Example output
 

nsx-controller # show control-cluster logical-routers routes 0x570d4553
LR-Id       Destination        Next-Hop[]         Preference
0x570d4553  172.16.30.0/24     192.168.10.1       110
0x570d4553  0.0.0.0/0          192.168.10.1       1
0x570d4553  172.16.10.0/24     192.168.10.1       110
0x570d4553  172.16.31.0/24     192.168.10.1       110

 

NSX Edge CLI Commands

 
I believe that NSX Edge refers to both DLR and ESG commands. They are pretty much the same on both sides; the only difference is that the ESG has more commands and a little more functionality.
 
When you first log into the Edge device, you will see a prompt similar to vShield-edge-1-0>. The greater-than sign indicates that you are in exec mode. To get to privilege mode, type enable and then enter the password. To go back to exec mode, type disable.
 

vShield-edge-1-0> enable
Password:
vShield-edge-1-0#

 
To auto-populate commands, press ? to see which syntax options are available. For example, if I type show ? (no need to hit Enter), it will display my options.
 

vShield-edge-1-0> show
  accelerator      Show the status of accelerator.
  arp              Show arp cache.
  arp-filter       Show arp-filter table.
  clock            Show system clock
  configuration    Show configuration of features.
  counters         Show system counters.
  debug            Show running system debug information.
  eventmgr         Show event manager statistics
  fips             Show FIPS 140-2 security mode.
  firewall         Show firewall packet counters.
  flowtable        Show flow table
  hostname         Show system hostname.
  interface        Show interface information.
  ip               Show IPv4 information.
  ipset            Show ipset information.
  ipv6             Show IPv6 information.
  isis             Show IS-IS information.
  log              Show system logs.
  messagebus       Show message bus statistics
  nat              Show nat packet counters.
  process          Show running process information
  service          Show status information of services.
  service-monitor  Show monit status or summary.
  statistics       Show statistics information.
  system           Show current state of system.
  tech-support     Show system information for Technical Support.
  version          Show version.

 
If you type the word list then hit enter, it will display all possible commands.
 
Let’s run through some I feel are the most useful for this section.
 
Command: show arp
 
Functionality: Display the ARP cache
 
Example output
 

vShield Edge ARP Cache:
IP Address                              Interface  MAC Address        State
172.16.30.11                            vNic_3     00:50:56:96:4d:c7  STALE
192.168.18.1                            vNic_0     00:50:56:03:18:11  REACHABLE

 
Command: show interface
 
Functionality: Show interfaces and their statuses
 
Example output
 

vShield-edge-1-0> show interface
Interface VDR is up, line protocol is up
  index 2 metric 1 mtu 1500 
  HWaddr: be:60:6b:0e:0d:78
  inet6 fe80::bc60:6bff:fe0e:d78/64
  proxy_arp: disabled
  Auto-duplex (Full), Auto-speed (2191Mb/s)
    input packets 0, bytes 0, dropped 0, multicast packets 0
    input errors 0, length 0, overrun 0, CRC 0, frame 0, fifo 0, missed 0
    output packets 0, bytes 0, dropped 0
    output errors 0, aborted 0, carrier 0, fifo 0, heartbeat 0, window 0
    collisions 0

 
Command: show log reverse
 
Functionality: Display the log in reverse order
 
Command: show ip route
 
Functionality: Display the routing table
 
Example output
 

vShield-edge-1-0> show ip route

Codes: O - OSPF derived, i - IS-IS derived, B - BGP derived,
C - connected, S - static, L1 - IS-IS level-1, L2 - IS-IS level-2,
IA - OSPF inter area, E1 - OSPF external type 1, E2 - OSPF external type 2,
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

Total number of routes: 7

S       0.0.0.0/0            [1/1]         via 192.168.18.1
C       172.16.10.0/24       [0/0]         via 172.16.10.1
O   E2  172.16.20.0/24       [110/1]       via 192.168.10.5
C       172.16.30.0/24       [0/0]         via 172.16.30.1
C       172.16.31.0/24       [0/0]         via 172.16.31.1
C       192.168.10.0/29      [0/0]         via 192.168.10.1
C       192.168.18.0/24      [0/0]         via 192.168.18.40

 

ESXi CLI commands

 
On ESXi, the most useful command to manage or report on a Distributed Logical Router is net-vdr. If you type it at the command prompt with no arguments, you should get all of the possible arguments and what they do.
 

~ # net-vdr

Command Usage: net-vdr [options]
---------------------------
 --instance -a [-r vdrId] vdrName                                  Add a new VDR instance
 --instance -d vdrName                                             Delete a VDR instance
 --instance -l [--brief] vdrName                                   Dump the all [or specific] VDR instance info
 --instance -o getTunables vdrName                                 Get the tunables for a given VDR instance
 --instance -o setTunables -n  -v  vdrName            Set the tunables for a given VDR instance
 --connection -a -s dvsName -p vdrPort -c cnId[-m vmac]
      [-E srcPort/srcIp/srcMac/lacpV2 -U uplink1,uplink2,...]      Create the connection of vdr port with dvs switch
 --connection -d -s dvsName                                        Delete the existing connection of vdr port with dvs switch
 --connection -l                                                   Dump the connection info list
 --route -a -i destIp -M destMask [-g gwIp | -G lifName] vdrName   Add a route
 --route -d -i destIp -M destMask [-g gwIp | -G lifName] vdrname   Delete a route
 --route -l vdrName                                                Dump all the routes for a vdr instance
 --route -o resolve -i destIp [-M destMask] [-e srcIp] vdrName     Resolve a route in a vdr instance
 --lif -a -n name -s dvsName [-i Ip -M Mask] -t [vlan | vxlan]
 -v id [[-D designateIp] | -D vxlanMulticastIp] [-z] vdrName       Add a LIF
 --lif -d -n lifName -s dvsName vdrName                            Delete a LIF
 --lif -o setDI -n lifName -D [designated Ip] vdrName              Set/unset Designated Instance for LIF
 --lif -o [addIp | delIP] -n lifName  [-i Ip -M Mask] vdrName      Add or Delete Ip address for a LIF
 --lif -o [enableVxlanCP | disableVxlanCP] -n lifName  vdrName     Enable or Disable VXLAN Control Plane for LIF (VXLAN only)
 --lif -o [enable | disable] -n lifName vdrName                    Enable or Disable sedimented LIF for Data Traffic
 --lif -o enableRelay -n lifName --server-list  vdrName   Enable DHCP Realy
 --lif -o disableRelay -n lifName vdrName                          Disable DHCP Realy
 --lif -o vxlanMulticastIp -n lifName -D multicast Ip vdrName      Set VXLAN LIF Multicast Ip address
 --lif -o addBridge -B bridgeName [-r bridgeId] -n lifName vdrName Add LIF to bridge
 --lif -o delBridge -B bridgeName [-r bridgeId] -n lifName vdrName Delete LIF from bridge
 --lif -l [-n lifName] [--brief] vdrName                           Dump all the Lifs for a VDR instance
 --lif [-n lifName] --stats [--reset] vdrName                      Dump [or Clear] the statistics for Lifs in a VDR instance
 --nbr -a -i destIp -m destMac -n lifName vdrName                  Add a neighbor (a.k.a ARP) entry
 --nbr -d -i destIp -n lifName vdrName                             Delete a neighbor (a.k.a ARP) entry
 --nbr -l [-n lifName] vdrName                                     Dump all the neighbor (a.k.a ARP)entries for a VDR instance
 --nbr -o clearNbr [-n lifName] vdrName                            Clear all the neighbor (a.k.a ARP)entries for a VDR instance
 --cplane -a                                                       Activate the VDR control plane
 --cplane -d                                                       DeActivate the VDR control plane
 --cplane -o setcpIp -i controlPlaneIp vdrName                     Set the Control Plane Ip address for a VDR
 --cplane --stats [--reset] vdrName                                Dump[or Clear] the Control Plane stats for a VDR
 --bridge -a -B bridgeName [-r bridgeId] vdrName                   Add a bridge
 --bridge -d -B bridgeName vdrName                                 Delete a bridge
 --bridge -l [-B bridgeName] vdrName                               Dump all or specific bridge information in a VDR instance
 --stats -b [-B bridgeName] vdrName                                Dump the statistics for all or specific bridge in a VDR instance
 --mac-address-table -b [-B bridgeName] vdrName                    Dump the MAC address table for all or specific bridge in a VDR instance
 --mac-address-table -o clearMacTable -v vni -t vlan or vxlan
 -B bridgeName vdrName                                             Clear MAC address table for a bridge in a VDR instance
 --mac-address-table -b -m mac -v vni -t vlan or vxlan -p portId
 -f flags -B bridgeName vdrName                                    Add the MAC address to a bridge in a VDR instance
 --bridge -o setAgingTime|setFdbHoldTime|setFRPFilter|setUplinkFilter
-q configValue -B bridgeName vdrName                               Set the parameters for a bridge in a VDR instance
 --level -n log|extendedlog                                        Get VDR module log level or extended logging to console status
 --level -n [log | extendedlog] level                              Set VDR module log level or set extended logging(0-Disable,1-Enable)
 --preunload                                                       Prepare the module for unload
 --fl                                                              Dump the Fast Lookup (FL) tables used for packet forwarding
 --di --stats [--reset]                                            Dump the Designated Instance statistics
 -h                                                                Display this help text and exit


Options Format:
--------------
--instance          Instance Commands can also use -I
--route             Route Commands can also use -R
--conection         Connection Commands can also use -C
--lif               Lif Commands can also use -L
--nbr               Neighbor Commands can also use -N
--stats             Stats Commands can also use -S
--cplane            Control Plane Commands
--bridge            Bridge Commands can also use -b
--mac-address-table Bridge MAC address table commands
--tunables          VDR instance tunable parameters
--preunload         Prepare the module for unload. can also use -P
--brief             Summarized output of the command
-D                  Designated Instance or VXLAN Multicast IP 
-i                  IP Address 
-M                  Ip Mask 
-m                  Mac address 
-n                  Name 
-s                  Virtual Switch Name 
-p                  VDR port Id 
-v                  VLAN or VXLAN id or any value 
-z                  sedimented LIF (default is distributed)
-f                  mac entry flags
-r                  Reset option
--verbose|-V        More verbose logging

 
As you can see, there is quite a bit of information. It’s not necessary to memorize this all, just know how to navigate through the command. For example, if I was quickly looking for a command to add a route I could run the following:
 

~ # net-vdr | grep route
 --route -a -i destIp -M destMask [-g gwIp | -G lifName] vdrName   Add a route
 --route -d -i destIp -M destMask [-g gwIp | -G lifName] vdrname   Delete a route
 --route -l vdrName                                                Dump all the routes for a vdr instance
 --route -o resolve -i destIp [-M destMask] [-e srcIp] vdrName     Resolve a route in a vdr instance
--route             Route Commands can also use -R

 
It may not dump all of the commands, but you should be able to quickly find what you are looking for. Let’s run a few of these commands to see what they do.
 

Command: net-vdr -l -I
 
Functionality: List all of your DLRs and give a brief description of each.
 
Example output
 

~ # net-vdr -l -I
VDR Instance Information :
---------------------------

Vdr Name:                   default+edge-3
Vdr Id:                     1460487507
Number of Lifs:             2
Number of Routes:           6
State:                      Enabled
Controller IP:              192.168.18.31
Control Plane IP:           192.168.1.175
Control Plane Active:       Yes
Num unique nexthops:        1
Generation Number:          0
Edge Active:                Yes

 
Command: net-vdr --route -l DLR_NAME
 
Functionality: Show all routes on DLR
 
Example output
 

~ # net-vdr --route -l default+edge-3

VDR default+edge-3 Route Table
Legend: [U: Up], [G: Gateway], [C: Connected], [I: Interface]
Legend: [H: Host], [F: Soft Flush] [!: Reject] [E: ECMP]

Destination      GenMask          Gateway          Flags    Ref Origin   UpTime     Interface
-----------      -------          -------          -----    --- ------   ------     ---------
0.0.0.0          0.0.0.0          192.168.10.1     UG       1   AUTO     764833     570d455300000002
172.16.10.0      255.255.255.0    192.168.10.1     UG       1   AUTO     764644     570d455300000002
172.16.20.0      255.255.255.0    0.0.0.0          UCI      1   MANUAL   861424     570d45530000000a
172.16.30.0      255.255.255.0    192.168.10.1     UG       1   AUTO     764644     570d455300000002
172.16.31.0      255.255.255.0    192.168.10.1     UG       1   AUTO     253303     570d455300000002
192.168.10.0     255.255.255.248  0.0.0.0          UCI      1   MANUAL   854709     570d455300000002
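
The controller's route table and the host's net-vdr route table shown on this page describe the same DLR, so the two views can be cross-checked for drift. The following is an added example, not part of the original post: it assumes that every controller route should appear on the host as a G-flagged (gateway) route with the same next hop, and it relies on the hex LR-Id matching the decimal Vdr Id as it does in this page's output (0x570d4553 = 1460487507). The function names are hypothetical.

```python
import ipaddress

# Tables copied from this page's example output (legend and separator rows trimmed).
VDR_ID = 1460487507  # "Vdr Id" reported by net-vdr -l -I on the host
CONTROLLER = """\
LR-Id       Destination        Next-Hop[]         Preference
0x570d4553  172.16.30.0/24     192.168.10.1       110
0x570d4553  0.0.0.0/0          192.168.10.1       1
0x570d4553  172.16.10.0/24     192.168.10.1       110
0x570d4553  172.16.31.0/24     192.168.10.1       110
"""
HOST = """\
Destination      GenMask          Gateway          Flags    Ref Origin   UpTime     Interface
0.0.0.0          0.0.0.0          192.168.10.1     UG       1   AUTO     764833     570d455300000002
172.16.10.0      255.255.255.0    192.168.10.1     UG       1   AUTO     764644     570d455300000002
172.16.20.0      255.255.255.0    0.0.0.0          UCI      1   MANUAL   861424     570d45530000000a
172.16.30.0      255.255.255.0    192.168.10.1     UG       1   AUTO     764644     570d455300000002
172.16.31.0      255.255.255.0    192.168.10.1     UG       1   AUTO     253303     570d455300000002
192.168.10.0     255.255.255.248  0.0.0.0          UCI      1   MANUAL   854709     570d455300000002
"""

def controller_routes(text, vdr_id):
    """Next hop per destination for the LR whose hex LR-Id equals the decimal Vdr Id."""
    routes = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) == 4 and f[0].startswith("0x") and int(f[0], 16) == vdr_id:
            routes[ipaddress.ip_network(f[1])] = f[2]
    return routes

def host_gateway_routes(text):
    """Gateway per destination for host rows carrying the G (Gateway) flag."""
    routes = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) != 8 or "G" not in f[3]:
            continue  # header, legend, or connected (UCI) route
        try:
            routes[ipaddress.ip_network(f"{f[0]}/{f[1]}")] = f[2]
        except ValueError:
            continue  # not an address/mask pair
    return routes

def route_drift(ctrl, host):
    """Return (missing on host, only on host, next-hop mismatch) as sorted CIDR lists."""
    missing = sorted(str(n) for n in ctrl.keys() - host.keys())
    extra = sorted(str(n) for n in host.keys() - ctrl.keys())
    changed = sorted(str(n) for n in ctrl.keys() & host.keys() if ctrl[n] != host[n])
    return missing, extra, changed

if __name__ == "__main__":
    # The page's two views agree, so this prints ([], [], []).
    print(route_drift(controller_routes(CONTROLLER, VDR_ID), host_gateway_routes(HOST)))
```

A non-empty second or third list means the host is forwarding through a gateway route that the controller does not hold, which is worth checking against change records.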

 
Command: net-vdr --lif -l DLR_NAME
 
Functionality: Show all LIFs on a specific DLR
 
Example output
 

~ # net-vdr --lif -l default+edge-3

VDR default+edge-3 LIF Information :

Name:                570d455300000002
Mode:                Routing, Distributed, Uplink
Id:                  Vxlan:5003
Ip(Mask):            192.168.10.5(255.255.255.248)
Connected Dvs:       DSwitch
VXLAN Control Plane: Enabled
VXLAN Multicast IP:  0.0.0.1
State:               Enabled
Flags:               0x2308
DHCP Relay:          Not enabled

Name:                570d45530000000a
Mode:                Routing, Distributed, Internal
Id:                  Vxlan:5004
Ip(Mask):            172.16.20.1(255.255.255.0)
Connected Dvs:       DSwitch
VXLAN Control Plane: Enabled
VXLAN Multicast IP:  0.0.0.1
State:               Enabled
Flags:               0x2388
DHCP Relay:          Not enabled

 
Command: net-vdr --nbr -l DLR_NAME
 
Functionality: Show all the neighbor (ARP) entries for a DLR
 
Example output
 

~ # net-vdr --nbr -l default+edge-3

VDR default+edge-3 ARP Information :
Legend: [S: Static], [V: Valid], [P: Proxy], [I: Interface]
Legend: [N: Nascent], [L: Local], [D: Deleted]

Network           Mac                  Flags      Expiry     SrcPort    Refcnt     Interface
-------           ---                  -----      ------     -------    ------     ---------
192.168.10.5      02:50:56:56:44:52    VI         permanent  0          1          570d455300000002
172.16.20.1       02:50:56:56:44:52    VI         permanent  0          1          570d45530000000a

 
You start to get the point: there is much more you can do, such as creating a DLR, creating routes, adding LIFs, and more. Definitely play around with the net-vdr commands, but remember that you can easily dump all of the arguments and search for the specific one you are looking for.
 

2 Comments

  1. Rajeev -  February 9, 2016 - 12:50 am 394

    show control-cluster logical-routers routes

    When I used the above command in my environment on the NSX controllers, for some of the routes I can see the preference value as 30.
    Not sure how the value is 30.
    Any idea how the value of the preference is calculated?
