Login to Leaf via console port

vv0bbLeS
Level 1
Level 1

Hello all,

We have a fully deployed fabric, and all of our leaves have their console ports connected to a central Console Manager  (please note, I'm referring to the console port, not the management port).
I can connect to the console port on the leaves just fine via the Console Manager, but at the console login prompt on the leaf, I'm not sure what credentials to use, and for the life of me I haven't been able to find anything on the internet that explains it.

  • I have tried using "admin" and "password", and even "admin" and no password, but I am unable to get logged in via the console port.

Is there somewhere in ACI that you configure the console port settings for your leaves, or is it something that you set up locally on the leaf itself (maybe on a per-leaf-model basis), or something else?

Thanks!

0xD2A6762E
1 Accepted Solution

Accepted Solutions

vv0bbLeS
Level 1
Level 1

Robert, thanks. I was able to figure it out. I had to use the local admin username and password that we had set on the APIC. Learned something new!   Thanks again!

0xD2A6762E

6 Replies


RedNectar
VIP
VIP

Hi @vv0bbLeS,

Hopefully someone else can confirm this, but I believe that there is no use for the console port on a Nexus ACI switch.  Out-of-band management (which is what a console port was traditionally used for) is now achieved via the 1Gbps Mgmt0 ethernet interface.

So what you get when you connect to the console is access to the underlying Unix/Linux operating system.

So I'm guessing the username is root and the password can (probably) only be obtained via a TAC call. And the TAC would want a pretty good reason for you needing it, and it would be via a token that would (probably) only last for 30 mins.

Now, I must add a caveat here - this is mostly conjecture, but I'm 50% confident that I'm at least 50% correct. I hope that has given me enough wiggle room to bow out gracefully if someone else comes along and completely contradicts me : )


RedNectar aka Chris Welsh.
Forum Tips: 1. Paste images inline - don't attach. 2. Always mark helpful and correct answers, it helps others find what they need.

I'll acknowledge there's mostly no reason to log in to an ACI leaf/spine console port. Nearly always, the inband (SSH from APIC to TEP address) and out-of-band (SSH to mgmt0) are fine for standard and contingency access.

However, console is key in situations where these don't work:

  • pre-install when a code conversion is needed (for example from NXOS, although admittedly recent ACI code seems to negate this but I need to investigate that more)
  • during a reboot, when mgmt0 hasn't yet been programmed and inband TEP address hasn't yet been applied
  • factory wiping a chassis

The third I've used the most, especially the first time I bootstrapped a fabric and messed things up so bad that I had to wipe everything and start over (multiple times..... *sad face*). That second condition I've used occasionally with TAC calls about faults where it won't join the fabric, usually ending in RMA.

I've also used the console during system upgrades:

  • always at least once per upgrade cycle, to see all the messages going by.  You can really learn a lot about the underlying system this way, if you know how to make reasonable interpretations about the messages.
  • occasionally to understand why it was taking so gosh darn long for a node to rejoin the fabric. It's almost always because the various underlying firmware upgrades took longer than expected (record so far was somewhere around an hour for v5.2 -> v6.0), but I would never be able to figure that out without the console port.

To answer @vv0bbLeS's original question: default login is admin, with no password, but as discovered the moment it joins a fabric it takes on the fabric credential profile.

Robert Burns
Cisco Employee
Cisco Employee

The console login credentials would be the same as you'd log in via SSH (typically your admin user account). However you log in to your APIC, that's how you'd log in to your switch. The only other possible challenge you might have is if you are using multiple login realms (remote auth) and your switch can't reach the AAA server to authenticate you. Is "local" auth set as the default realm?

From your APIC CLI provide the output:

moquery -c aaaConsoleAuth


I still highly recommend always connecting console ports - in the event the switch fails to boot, or goes into Loader prompt, you have a means to recover it. The mgmt interface requires the switch be fully booted to access, so having this console backdoor serves as an important failsafe.

Robert

@RedNectar and @Robert Burns thank you all for your responses!

Robert, please see below for the output of the moquery command given. And I did try my regular SSH credentials but it did not accept them. Perhaps I was doing something wrong - I will try it again. And yes the Console Port would be used in a scenario that the OOB management network is down and the switch is otherwise unreachable, and in such a scenario I would also want to assume that my AAA server is unreachable also (if AAA is unreachable, what credentials would I use for the leaf Console Port?). Thanks again!


apic1# moquery -c aaaConsoleAuth
Total Objects shown: 1

# aaa.ConsoleAuth
annotation     : 
childAction    : 
descr          : 
dn             : uni/userext/authrealm/consoleauth
extMngdBy      : 
lcOwn          : local
modTs          : 2017-02-06T04:10:45.507-05:00
name           : 
nameAlias      : 
ownerKey       : 
ownerTag       : 
providerGroup  : 
realm          : local
rn             : consoleauth
status         : 
uid            : 0
0xD2A6762E
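A small checker for the moquery output posted above, added here as an example (it is not Cisco code and not from any of this thread's authors). It parses the text form of `moquery` into objects, pulls the `realm` attribute of `aaa.ConsoleAuth`, and reports whether console logins are authenticated locally, which is what matters in the scenario raised in the question: the console is the last resort precisely when the OOB network and the AAA server are unreachable, so a console realm that points at a remote provider would leave you locked out. The first sample is the output as posted; the second, with `realm : radius` and a provider group, is constructed to show the opposite case and is not from the page.

```python
"""Parse APIC `moquery` text output and check the console auth realm.

Added example for this thread, not Cisco's code.  Attribute names follow
the aaa.ConsoleAuth object shown in the thread; everything else is an
assumption about how moquery lays out its text output (one '# class'
header per object, then 'attr : value' lines).
"""

# Output of `moquery -c aaaConsoleAuth` as posted in the thread.
SAMPLE_LOCAL = """\
Total Objects shown: 1

# aaa.ConsoleAuth
annotation     :
childAction    :
descr          :
dn             : uni/userext/authrealm/consoleauth
extMngdBy      :
lcOwn          : local
modTs          : 2017-02-06T04:10:45.507-05:00
name           :
nameAlias      :
ownerKey       :
ownerTag       :
providerGroup  :
realm          : local
rn             : consoleauth
status         :
uid            : 0
"""

# Constructed counter-example (not from the thread): console logins sent
# to a RADIUS provider group, which fails when that server is unreachable.
SAMPLE_REMOTE = """\
Total Objects shown: 1

# aaa.ConsoleAuth
dn             : uni/userext/authrealm/consoleauth
providerGroup  : example-radius-group
realm          : radius
rn             : consoleauth
"""


def parse_moquery(text):
    """Return a list of (class_name, {attr: value}) tuples, one per object.

    Lines before the first '# class' header (e.g. 'Total Objects shown')
    are ignored.  Values are split on the first ':' only, so timestamps
    such as modTs keep their own colons intact.
    """
    objects = []
    current = None
    for line in text.splitlines():
        if line.startswith("# "):
            current = (line[2:].strip(), {})
            objects.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            current[1][key.strip()] = value.strip()
    return objects


def console_realm(text):
    """Return the realm of the aaa.ConsoleAuth object, or None if absent."""
    for cls, attrs in parse_moquery(text):
        if cls == "aaa.ConsoleAuth":
            return attrs.get("realm") or None
    return None


def console_auth_finding(text):
    """Describe the risk: local realm survives an AAA outage, remote does not."""
    realm = console_realm(text)
    if realm is None:
        return "no aaa.ConsoleAuth object found in output"
    if realm == "local":
        return "console realm is local: local admin credentials work even with AAA unreachable"
    group = next((a.get("providerGroup") for c, a in parse_moquery(text)
                  if c == "aaa.ConsoleAuth"), "") or "<none>"
    return (f"console realm is {realm} via provider group {group}: "
            "console login depends on reaching that server")


if __name__ == "__main__":
    print(console_auth_finding(SAMPLE_LOCAL))
    print(console_auth_finding(SAMPLE_REMOTE))
```

Paste the real `moquery -c aaaConsoleAuth` output into `SAMPLE_LOCAL` (or read it from a file) to run the same check against your own fabric; the parser also handles `moquery -c aaaLoginDomain` output, since it uses the same header-plus-attributes layout, so the login domains Robert asked for can be inspected with `parse_moquery` too.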

Have you tried accessing from multiple workstations? Sometimes Win/Mac workstations play funny with keyboard strokes via console servers. Your config looks good. My suspicion is either your terminal window/app or your console server doing something with the keystrokes. Are you copying & pasting your credentials or entering them manually?
Try a different workstation or a different terminal app (Putty/SecureCRT) etc. 

Also provide the output of:

moquery -c aaaLoginDomain

Just to confirm, this switch is successfully joined (discovered & active) in your fabric?

Robert