SSH Access to Leaf and Spine Switches

maced129
Level 1

Hello,

I am having trouble getting access to the CLI of the leaf and spine switches of my ACI fabric. I know you can perform show commands via the APIC fabric command set, but I am looking to execute the contract_parser.py script on the leafs to troubleshoot contracts and check out the viability of the tool that is supposedly included in the ACI image 3.2+. With any login that I used, I receive a permission denied in the event log. APIC locally configured users and LDAP users aren't working. Any ideas or tips on how to tshoot?

(Source for contract_parser info: https://github.com/agccie/aci-contract-parser)


Alexander09
Level 1

Hi,

Can you log in to your APIC via ssh and, once you are logged in, can you perform <<show switch>> and try to perform the following command <<attach leafname>>?

Also verify if ssh is enabled as mgmt access through the gui -> Fabric > Fabric Policies > Policies > Pod > Management Access?

cheers

Alexander

--
Alexander Deca

Thanks for the reply. The command executes an SSH command to the leaf but it still has a login prompt which none of my login credentials work for. SSH is enabled in the management access in fabric policies.

Could this have something to do with the leafs' OOB/INB mgmt connectivity for LDAP auth (my current primary auth method) or something?

You can specify the domain during ssh << ssh -l apic#fallback\\admin 10.10.10.1 >>, this will use local authentication.

cheers

--
Alexander Deca

Sorry for the delay,

Unfortunately no luck with that command. It must be something to do with
the OOB/INB connectivity and configuration.

Hi,

On the APIC can you paste the output of <> ? And have you verified the gui, paste a screenshot of this as well ? (Fabric > Fabric Policies > Policies > Pod > Management Access)

Did you try to use the username rescue-user with no password (or with the initial password you have set when running the setup script on the APIC) ?

--
Alexander Deca

Hi Alexander,

I was finally able to get it working - it turns out it was in fact due to
the leaf switches OOB/INB connectivity not yet being set up properly.
Viewing the command "fabric XXX show aaa authentication" command on the
APIC I was able to see that the leafs were preferring an LDAP
authentication method - they do not yet have a route to those servers via
OOB/INB communication channels. Through Admin > Authentication config
section on the APIC GUI I set the login to "Local" instead of LDAP, waited
for the configuration to propagate to the leafs and I was able to get into
the leafs and execute the parser script!

Thanks for all your help!!

Even though you should always be able to login with the << ssh -l apic#fallback\\admin >> command if the leafs have been provisioned correctly or through the gui with username << apic:fallback\\admin >>.

But glad you have sorted it out!

--
Alexander Deca
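
The lockout condition this thread ended on (default login realm set to LDAP while a local `fallback` domain is the only way in), written as an offline check. This is an added example, not part of the original posts and not Cisco's code. It assumes the two JSON documents were fetched from the APIC REST API at `/api/node/mo/uni/userext/authrealm/defaultauth.json` and `/api/node/class/aaaLoginDomain.json?rsp-subtree=children`; the sample responses and the function names are constructed for illustration.

```python
import json

# Constructed sample responses in the APIC REST JSON envelope (not from a real fabric).
DEFAULT_AUTH = json.loads("""
{"totalCount": "1", "imdata": [{"aaaDefaultAuth": {"attributes":
  {"dn": "uni/userext/authrealm/defaultauth", "realm": "ldap"}}}]}
""")
LOGIN_DOMAINS = json.loads("""
{"totalCount": "1", "imdata": [{"aaaLoginDomain": {
  "attributes": {"name": "fallback"},
  "children": [{"aaaDomainAuth": {"attributes": {"realm": "local"}}}]}}]}
""")

# Realms that require the switch itself to reach an external AAA server.
REMOTE_REALMS = {"ldap", "radius", "tacacs", "rsa", "saml"}


def default_realm(resp):
    """Return the realm of the default authentication policy, or '' if absent."""
    for item in resp.get("imdata", []):
        attrs = item.get("aaaDefaultAuth", {}).get("attributes")
        if attrs:
            return attrs.get("realm", "")
    return ""


def local_domains(resp):
    """Return the names of login domains whose auth realm is 'local'."""
    names = []
    for item in resp.get("imdata", []):
        dom = item.get("aaaLoginDomain", {})
        for child in dom.get("children", []):
            realm = child.get("aaaDomainAuth", {}).get("attributes", {}).get("realm")
            if realm == "local":
                names.append(dom.get("attributes", {}).get("name", ""))
    return names


def audit(default_resp, domains_resp):
    """List findings that can leave leaf/spine SSH logins failing."""
    findings = []
    realm = default_realm(default_resp)
    if realm in REMOTE_REALMS:
        findings.append(f"default realm '{realm}' needs OOB/INB reachability from every switch")
    if "fallback" not in local_domains(domains_resp):
        findings.append("no local 'fallback' login domain for apic#fallback\\\\admin")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(DEFAULT_AUTH, LOGIN_DOMAINS)) or "no findings")
```
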
