Showing results for 
Search instead for 
Did you mean: 

can we execute telnet command on spine switch in ACI

Hi Team , 


In ACI environment, how can we execute telnet command on the spine switch to check if the destination host is listening on any port . 


Say example is the host connected to leaf , and If we want to test is listening on any port say tcp 455 , how can we check this in ACI environment , wht is the command . Will telnet 455 command works ? Is there any way ?


Regards , 



Hi @CK_Bengre ,

I don't think we have the ability to source the telnet traffic from a VRF or a specific interface.

Please let us know if you find a way to solve this.

VIP Advocate

HI @CK_Bengre  

Short answer: no.

Long answer: The spines are in the underlay, meaning you do not have any user VRF on spines. In other words, you will not be able to telnet to any hosts in overlay.


Stay safe,



Hi @CK_Bengre  ,

@Sergiu.Daniluk is absolutely correct. You can't see user-side traffic from the spine. I can demonstrate this easily with a show vrf command:


Spine2101# show vrf
 VRF-Name                           VRF-ID State    Reason
 black-hole                              3 Up       --
 management                              2 Up       --
 mgmt:inb                                5 Up       --
 overlay-1                               4 Up       --

Your spines will look EXACTLY the same as mine (perhaps missing the mgmt:inb if you haven't set that up)


Compare that to the same command on a leaf:


Leaf2201# show vrf
 VRF-Name                           VRF-ID State    Reason
 black-hole                              3 Up       --
 common:SharedServices_VRF              13 Up       --
 management                              2 Up       --
 mgmt:inb                                7 Up       --
 overlay-1                               4 Up       --
 Tenant01:Production_VRF                14 Up       --
 Tenant02:Production_VRF                11 Up       --
 Tenant03:Production_VRF                12 Up       --
 Tenant07:Production_VRF                10 Up       --
 Tenant08:Production_VRF                 6 Up       --
 Tenant10:Production_VRF                 8 Up       --
 Tenant11:Production_VRF                 5 Up       --
 Tenant12:Production_VRF                15 Up       --

Here you can see several user-side VRFs - so the view from a leaf is much closer to the user world than the spine.

Now - to the point of your question:

" check if the destination host is listening on any port."


Well, you  can't check if the destination host is listening on any port, but there is an iping utility that will let you at least ping a host. E.G, if is a host in VRF Tenant08:Production_VRF above, I could try this:

Leaf2201# iping -V Tenant08:Production_VRF
PING ( from 56 data bytes
64 bytes from icmp_seq=0 ttl=64 time=0.459 ms
64 bytes from icmp_seq=1 ttl=64 time=0.341 ms
64 bytes from icmp_seq=2 ttl=64 time=0.34 ms
64 bytes from icmp_seq=3 ttl=64 time=0.364 ms
64 bytes from icmp_seq=4 ttl=64 time=0.226 ms

--- ping statistics ---
5 packets transmitted, 5 packets received, 0.00% packet loss
round-trip min/avg/max = 0.226/0.346/0.459 ms

However, there is no "i-somthing" command like "issh", "itelnet" or even "inc" that you could hope to use to test if a port was open or not, even from a leaf.


aka Chris Welsh

Don't forget to mark answers as correct if it solves your problem. This helps others find the correct answer if they search for the same problem

Thank you .

Claudia de Luna
Rising star

Hi @CK_Bengre ,

As you know from @ecsnnsls @Sergiu.Daniluk  and @RedNectar telnet on the ACI fabric nodes is a non starter.    

In terms of alternatives I can think of three off the top of my head that might serve.

1. A virtual machine (VM) inside your fabrics compute or even outside assuming your hosts were reachable.

2. A VM running an automation framework like Ansible

3. A virtual network device 


Some examples below.


1. Would it be possible to spin up a VM from which to do your telnet test?  This could work from within the fabric and from a host outside the fabric if that met your test criteria.  This also puts things like nmap and netcat as @RedNectar suggested into play.  If its a Windows system you also have some options with PowerShell (Test-NetConnection <ip_address> -p <port_number>).

Here is an Ubuntu docker container which is spun up and installed telnet:

root@8bf9068bd06f:/# apt-get install telnet
Reading package lists... Done
Building dependency tree
Reading state information... Done
telnet is already the newest version (0.17-41.2build1).
0 upgraded, 0 newly installed, 0 to remove and 38 not upgraded.
root@8bf9068bd06f:/# telnet -h
telnet: invalid option -- 'h'
Usage: telnet [-4] [-6] [-8] [-E] [-L] [-a] [-d] [-e char] [-l user]
	[-n tracefile] [ -b addr ] [-r] [host-name [port]]
root@8bf9068bd06f:/# telnet 22
telnet: Unable to connect to remote host: Connection refused
root@8bf9068bd06f:/# telnet 23
telnet: Unable to connect to remote host: Connection refused
root@8bf9068bd06f:/# telnet 80
Connected to
Escape character is '^]'.

2. I was thinking you might want something a bit more automated.  Here is good discussion around this same topic but using Ansible.

Doing this in an Docker container with Ansible would be a quick way to do this and you could automate bringing up and tearing down the container as you needed it.

3. If you had some automation where you wanted to leverage a network device you could spin up a virtual network device.  Here is an example of a CSR1000v.

csr1000v-1#telnet ?
  WORD  IP address or hostname of a remote system
  <cr>  <cr>

csr1000v-1#telnet ?
  /debug             Enable telnet debugging mode
  /encrypt           Negotiate telnet encryption
  /ipv4              Force use of IP version 4
  /ipv6              Force use of IP version 6
  /line              Enable telnet line mode
  /noecho            Disable local echo
  /quiet             Suppress login/logout messages
  /route:            Enable telnet source route mode
  /source-interface  Specify source interface
  /stream            Enable stream processing
  <0-65535>          Port number
  bgp                Border Gateway Protocol (179)
  chargen            Character generator (19)
  cmd                Remote commands (rcmd, 514)
  daytime            Daytime (13)
  discard            Discard (9)
  domain             Domain Name Service (53)
  echo               Echo (7)
  exec               Exec (rsh, 512)
  finger             Finger (79)
  ftp                File Transfer Protocol (21)
  ftp-data           FTP data connections (20)
  gopher             Gopher (70)
  hostname           NIC hostname server (101)
  ident              Ident Protocol (113)
  irc                Internet Relay Chat (194)
  klogin             Kerberos login (543)
  kshell             Kerberos shell (544)
  login              Login (rlogin, 513)
  lpd                Printer service (515)
  msrpc              MS Remote Procedure Call (135)
  nntp               Network News Transport Protocol (119)
  onep-plain         Onep Cleartext (15001)
  onep-tls           Onep TLS (15002)
  pim-auto-rp        PIM Auto-RP (496)
  pop2               Post Office Protocol v2 (109)
  pop3               Post Office Protocol v3 (110)
  smtp               Simple Mail Transport Protocol (25)
  sunrpc             Sun Remote Procedure Call (111)
  syslog             Syslog (514)
  tacacs             TAC Access Control System (49)
  talk               Talk (517)
  telnet             Telnet (23)
  time               Time (37)
  uucp               Unix-to-Unix Copy Program (540)
  whois              Nicname (43)
  www                World Wide Web (HTTP, 80)
  <cr>               <cr>

csr1000v-1#telnet domain
Trying, 53 ...
% Connection refused by remote host


As with the container you could bring up the csr1000v do your testing and then tear it back down.

I hope something here is useful for you although I know they all require extra steps.


Good luck!