06-11-2021 11:16 AM
Hi Team,
In an ACI environment, how can we execute the telnet command on the spine switch to check if the destination host is listening on any port?
Say, for example, 10.10.10.1 is the host connected to a leaf, and we want to test whether 10.10.10.1 is listening on some port, say TCP 455. How can we check this in an ACI environment, and what is the command? Will the telnet 10.10.10.1 455 command work? Is there any way?
Regards,
CK
06-12-2021 01:33 PM
I don't think we have the ability to source the telnet traffic from a VRF or a specific interface.
Please let us know if you find a way to solve this.
06-12-2021 10:27 PM
Short answer: no.
Long answer: The spines are in the underlay, meaning you do not have any user VRF on spines. In other words, you will not be able to telnet to any hosts in overlay.
Stay safe,
Sergiu
06-13-2021 12:33 AM
Hi @Network_Sarovani ,
@Sergiu.Daniluk is absolutely correct. You can't see user-side traffic from the spine. I can demonstrate this easily with a show vrf command:
Spine2101# show vrf
VRF-Name        VRF-ID  State  Reason
black-hole      3       Up     --
management      2       Up     --
mgmt:inb        5       Up     --
overlay-1       4       Up     --
Your spines will look EXACTLY the same as mine (perhaps missing the mgmt:inb if you haven't set that up)
Compare that to the same command on a leaf:
Leaf2201# show vrf
VRF-Name                      VRF-ID  State  Reason
black-hole                    3       Up     --
common:SharedServices_VRF     13      Up     --
management                    2       Up     --
mgmt:inb                      7       Up     --
overlay-1                     4       Up     --
Tenant01:Production_VRF       14      Up     --
Tenant02:Production_VRF       11      Up     --
Tenant03:Production_VRF       12      Up     --
Tenant07:Production_VRF       10      Up     --
Tenant08:Production_VRF       6       Up     --
Tenant10:Production_VRF       8       Up     --
Tenant11:Production_VRF       5       Up     --
Tenant12:Production_VRF       15      Up     --
Here you can see several user-side VRFs, so the view from a leaf is much closer to the user world than the view from the spine.
Now - to the point of your question:
"...to check if the destination host is listening on any port."
Well, you can't check if the destination host is listening on any port, but there is an iping utility that will let you at least ping a host. E.g., if 10.208.11.10 is a host in VRF Tenant08:Production_VRF above, I could try this:
Leaf2201# iping -V Tenant08:Production_VRF 10.208.11.10
PING 10.208.11.10 (10.208.11.10) from 10.208.11.1: 56 data bytes
64 bytes from 10.208.11.10: icmp_seq=0 ttl=64 time=0.459 ms
64 bytes from 10.208.11.10: icmp_seq=1 ttl=64 time=0.341 ms
64 bytes from 10.208.11.10: icmp_seq=2 ttl=64 time=0.34 ms
64 bytes from 10.208.11.10: icmp_seq=3 ttl=64 time=0.364 ms
64 bytes from 10.208.11.10: icmp_seq=4 ttl=64 time=0.226 ms
--- 10.208.11.10 ping statistics ---
5 packets transmitted, 5 packets received, 0.00% packet loss
round-trip min/avg/max = 0.226/0.346/0.459 ms
However, there is no "i-something" command like "issh", "itelnet" or even "inc" that you could hope to use to test if a port was open or not, even from a leaf.
06-14-2021 07:49 AM
Thank you.
06-13-2021 06:15 AM
Hi @Network_Sarovani,
As you know from @ecsnnsls, @Sergiu.Daniluk and @RedNectar, telnet on the ACI fabric nodes is a non-starter.
In terms of alternatives, I can think of three off the top of my head that might serve.
1. A virtual machine (VM) inside your fabric's compute, or even outside, assuming your hosts were reachable.
2. A VM running an automation framework like Ansible
3. A virtual network device
Some examples below.
1. Would it be possible to spin up a VM from which to do your telnet test? This could work from within the fabric and from a host outside the fabric if that met your test criteria. This also puts things like nmap and netcat, as @RedNectar suggested, into play. If it's a Windows system you also have some options with PowerShell (Test-NetConnection <ip_address> -p <port_number>).
Here is an Ubuntu docker container that was spun up with telnet installed:
root@8bf9068bd06f:/# apt-get install telnet
Reading package lists... Done
Building dependency tree
Reading state information... Done
telnet is already the newest version (0.17-41.2build1).
0 upgraded, 0 newly installed, 0 to remove and 38 not upgraded.
root@8bf9068bd06f:/# telnet -h
telnet: invalid option -- 'h'
Usage: telnet [-4] [-6] [-8] [-E] [-L] [-a] [-d] [-e char] [-l user] [-n tracefile] [ -b addr ] [-r] [host-name [port]]
root@8bf9068bd06f:/# telnet 10.1.10.102 22
Trying 10.1.10.102...
telnet: Unable to connect to remote host: Connection refused
root@8bf9068bd06f:/# telnet 10.1.10.102 23
Trying 10.1.10.102...
telnet: Unable to connect to remote host: Connection refused
root@8bf9068bd06f:/# telnet 10.1.10.21 80
Trying 10.1.10.21...
Connected to 10.1.10.21.
Escape character is '^]'.
2. I was thinking you might want something a bit more automated. Here is a good discussion around this same topic but using Ansible.
https://devops.stackexchange.com/questions/1658/ansible-other-option-available-for-telnet-check-of-open-ports/1664
Doing this in a Docker container with Ansible would be a quick way to do this, and you could automate bringing up and tearing down the container as you needed it.
3. If you had some automation where you wanted to leverage a network device, you could spin up a virtual network device. Here is an example of a CSR1000v.
csr1000v-1#telnet ?
  WORD  IP address or hostname of a remote system
  <cr>  <cr>
csr1000v-1#telnet 8.8.8.8 ?
  /debug             Enable telnet debugging mode
  /encrypt           Negotiate telnet encryption
  /ipv4              Force use of IP version 4
  /ipv6              Force use of IP version 6
  /line              Enable telnet line mode
  /noecho            Disable local echo
  /quiet             Suppress login/logout messages
  /route:            Enable telnet source route mode
  /source-interface  Specify source interface
  /stream            Enable stream processing
  <0-65535>          Port number
  bgp                Border Gateway Protocol (179)
  chargen            Character generator (19)
  cmd                Remote commands (rcmd, 514)
  daytime            Daytime (13)
  discard            Discard (9)
  domain             Domain Name Service (53)
  echo               Echo (7)
  exec               Exec (rsh, 512)
  finger             Finger (79)
  ftp                File Transfer Protocol (21)
  ftp-data           FTP data connections (20)
  gopher             Gopher (70)
  hostname           NIC hostname server (101)
  ident              Ident Protocol (113)
  irc                Internet Relay Chat (194)
  klogin             Kerberos login (543)
  kshell             Kerberos shell (544)
  login              Login (rlogin, 513)
  lpd                Printer service (515)
  msrpc              MS Remote Procedure Call (135)
  nntp               Network News Transport Protocol (119)
  onep-plain         Onep Cleartext (15001)
  onep-tls           Onep TLS (15002)
  pim-auto-rp        PIM Auto-RP (496)
  pop2               Post Office Protocol v2 (109)
  pop3               Post Office Protocol v3 (110)
  smtp               Simple Mail Transport Protocol (25)
  sunrpc             Sun Remote Procedure Call (111)
  syslog             Syslog (514)
  tacacs             TAC Access Control System (49)
  talk               Talk (517)
  telnet             Telnet (23)
  time               Time (37)
  uucp               Unix-to-Unix Copy Program (540)
  whois              Nicname (43)
  www                World Wide Web (HTTP, 80)
  <cr>  <cr>
csr1000v-1#telnet 8.8.8.8 domain
Trying 8.8.8.8, 53 ...
% Connection refused by remote host
csr1000v-1#
As with the container, you could bring up the csr1000v, do your testing and then tear it back down.
I hope something here is useful for you although I know they all require extra steps.
Good luck!
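An added example, not taken from any of the posts above: a small Python reachability check meant to run from a VM or container placed in the tenant VRF, as option 1 suggests. It does what the telnet sessions above do by hand, but tells a closed port (RST back, host reachable) apart from a port whose SYN is silently dropped by a contract or firewall (timeout). The host 10.10.10.1 and port 455 are the ones from the question; the loopback listener in local_demo() is constructed so the script can be run offline.

```python
import errno
import socket

# Outcome labels for one TCP connect attempt
OPEN, REFUSED, TIMEOUT, UNREACHABLE = "open", "refused", "timeout", "unreachable"

def tcp_check(host, port, timeout=3.0):
    """One TCP handshake to host:port, no payload sent.
    open:        SYN/ACK came back, something is listening
    refused:     RST came back, host reachable but port closed
    timeout:     no reply, dropped by a contract/ACL/firewall or host down
    unreachable: no route or ICMP unreachable from this VM
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return OPEN
    except socket.timeout:
        return TIMEOUT
    except ConnectionRefusedError:
        return REFUSED
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return UNREACHABLE
        raise

def check_ports(host, ports, timeout=3.0):
    """Probe several ports on one host; returns {port: outcome}."""
    return {p: tcp_check(host, p, timeout) for p in ports}

def local_demo():
    """Constructed offline run: returns (listening-port outcome, closed-port outcome)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # OS picks a free ephemeral port
    listener.listen(1)
    open_port = listener.getsockname()[1]
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()  # port is free again, so a connect gets an RST
    try:
        return tcp_check("127.0.0.1", open_port), tcp_check("127.0.0.1", closed_port)
    finally:
        listener.close()

if __name__ == "__main__":
    # Host and port from the question, checked from a VM placed in the tenant VRF
    print(check_ports("10.10.10.1", [455]))
    print(local_demo())
```

A "timeout" result for a port you expect to be open usually means the contract between the EPGs does not permit that port, which is the case the bare telnet sessions above cannot distinguish from a down host.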