Hi Team,
In an ACI environment, how can we execute a telnet command on the spine switch to check if the destination host is listening on any port?
Say, for example, 10.10.10.1 is the host connected to a leaf, and we want to test whether 10.10.10.1 is listening on a port, say TCP 455. How can we check this in an ACI environment, and what is the command? Will the command telnet 10.10.10.1 455 work? Is there any way?
Short answer: no.
Long answer: The spines are in the underlay, meaning you do not have any user VRF on the spines. In other words, you will not be able to telnet to any hosts in the overlay.
Hi @CK_Bengre,
@Sergiu.Daniluk is absolutely correct. You can't see user-side traffic from the spine. I can demonstrate this easily with a show vrf command:
Spine2101# show vrf
 VRF-Name                           VRF-ID State   Reason
 black-hole                              3 Up      --
 management                              2 Up      --
 mgmt:inb                                5 Up      --
 overlay-1                               4 Up      --
Your spines will look EXACTLY the same as mine (perhaps missing the mgmt:inb if you haven't set that up)
Compare that to the same command on a leaf:
Leaf2201# show vrf
 VRF-Name                           VRF-ID State   Reason
 black-hole                              3 Up      --
 common:SharedServices_VRF              13 Up      --
 management                              2 Up      --
 mgmt:inb                                7 Up      --
 overlay-1                               4 Up      --
 Tenant01:Production_VRF                14 Up      --
 Tenant02:Production_VRF                11 Up      --
 Tenant03:Production_VRF                12 Up      --
 Tenant07:Production_VRF                10 Up      --
 Tenant08:Production_VRF                 6 Up      --
 Tenant10:Production_VRF                 8 Up      --
 Tenant11:Production_VRF                 5 Up      --
 Tenant12:Production_VRF                15 Up      --
Here you can see several user-side VRFs - so the view from a leaf is much closer to the user world than the spine.
Now - to the point of your question:
"...to check if the destination host is listening on any port."
Well, you can't check if the destination host is listening on any port, but there is an iping utility that will let you at least ping a host. E.g., if 10.208.11.10 is a host in VRF Tenant08:Production_VRF above, I could try this:
Leaf2201# iping -V Tenant08:Production_VRF 10.208.11.10
PING 10.208.11.10 (10.208.11.10) from 10.208.11.1: 56 data bytes
64 bytes from 10.208.11.10: icmp_seq=0 ttl=64 time=0.459 ms
64 bytes from 10.208.11.10: icmp_seq=1 ttl=64 time=0.341 ms
64 bytes from 10.208.11.10: icmp_seq=2 ttl=64 time=0.34 ms
64 bytes from 10.208.11.10: icmp_seq=3 ttl=64 time=0.364 ms
64 bytes from 10.208.11.10: icmp_seq=4 ttl=64 time=0.226 ms

--- 10.208.11.10 ping statistics ---
5 packets transmitted, 5 packets received, 0.00% packet loss
round-trip min/avg/max = 0.226/0.346/0.459 ms
However, there is no "i-something" command like "issh", "itelnet" or even "inc" that you could hope to use to test if a port was open or not, even from a leaf.
Don't forget to mark answers as correct if it solves your problem. This helps others find the correct answer if they search for the same problem.
Hi @CK_Bengre,
As you know from @ecsnnsls, @Sergiu.Daniluk and @RedNectar, telnet on the ACI fabric nodes is a non-starter.
In terms of alternatives, I can think of three off the top of my head that might serve.
1. A virtual machine (VM) inside your fabric's compute, or even outside, assuming your hosts were reachable.
2. A VM running an automation framework like Ansible
3. A virtual network device
Some examples below.
1. Would it be possible to spin up a VM from which to do your telnet test? This could work from within the fabric, and from a host outside the fabric if that met your test criteria. This also puts things like nmap and netcat, as @RedNectar suggested, into play. If it's a Windows system you also have some options with PowerShell (Test-NetConnection <ip_address> -p <port_number>).
Here is an Ubuntu Docker container that was spun up with telnet installed:
root@8bf9068bd06f:/# apt-get install telnet
Reading package lists... Done
Building dependency tree
Reading state information... Done
telnet is already the newest version (0.17-41.2build1).
0 upgraded, 0 newly installed, 0 to remove and 38 not upgraded.
root@8bf9068bd06f:/# telnet -h
telnet: invalid option -- 'h'
Usage: telnet [-4] [-6] [-8] [-E] [-L] [-a] [-d] [-e char] [-l user] [-n tracefile] [ -b addr ] [-r] [host-name [port]]
root@8bf9068bd06f:/# telnet 10.1.10.102 22
Trying 10.1.10.102...
telnet: Unable to connect to remote host: Connection refused
root@8bf9068bd06f:/# telnet 10.1.10.102 23
Trying 10.1.10.102...
telnet: Unable to connect to remote host: Connection refused
root@8bf9068bd06f:/# telnet 10.1.10.21 80
Trying 10.1.10.21...
Connected to 10.1.10.21.
Escape character is '^]'.
2. I was thinking you might want something a bit more automated. Here is a good discussion around this same topic, but using Ansible.
Doing this in a Docker container with Ansible would be a quick way to do this, and you could automate bringing up and tearing down the container as you needed it.
3. If you had some automation where you wanted to leverage a network device you could spin up a virtual network device. Here is an example of a CSR1000v.
csr1000v-1#telnet ?
  WORD  IP address or hostname of a remote system
  <cr>  <cr>

csr1000v-1#telnet 220.127.116.11 ?
  /debug             Enable telnet debugging mode
  /encrypt           Negotiate telnet encryption
  /ipv4              Force use of IP version 4
  /ipv6              Force use of IP version 6
  /line              Enable telnet line mode
  /noecho            Disable local echo
  /quiet             Suppress login/logout messages
  /route:            Enable telnet source route mode
  /source-interface  Specify source interface
  /stream            Enable stream processing
  <0-65535>          Port number
  bgp                Border Gateway Protocol (179)
  chargen            Character generator (19)
  cmd                Remote commands (rcmd, 514)
  daytime            Daytime (13)
  discard            Discard (9)
  domain             Domain Name Service (53)
  echo               Echo (7)
  exec               Exec (rsh, 512)
  finger             Finger (79)
  ftp                File Transfer Protocol (21)
  ftp-data           FTP data connections (20)
  gopher             Gopher (70)
  hostname           NIC hostname server (101)
  ident              Ident Protocol (113)
  irc                Internet Relay Chat (194)
  klogin             Kerberos login (543)
  kshell             Kerberos shell (544)
  login              Login (rlogin, 513)
  lpd                Printer service (515)
  msrpc              MS Remote Procedure Call (135)
  nntp               Network News Transport Protocol (119)
  onep-plain         Onep Cleartext (15001)
  onep-tls           Onep TLS (15002)
  pim-auto-rp        PIM Auto-RP (496)
  pop2               Post Office Protocol v2 (109)
  pop3               Post Office Protocol v3 (110)
  smtp               Simple Mail Transport Protocol (25)
  sunrpc             Sun Remote Procedure Call (111)
  syslog             Syslog (514)
  tacacs             TAC Access Control System (49)
  talk               Talk (517)
  telnet             Telnet (23)
  time               Time (37)
  uucp               Unix-to-Unix Copy Program (540)
  whois              Nicname (43)
  www                World Wide Web (HTTP, 80)
  <cr>  <cr>

csr1000v-1#telnet 18.104.22.168 domain
Trying 22.214.171.124, 53 ...
% Connection refused by remote host
csr1000v-1#
As with the container, you could bring up the csr1000v, do your testing, and then tear it back down.
I hope something here is useful for you although I know they all require extra steps.
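As an added example, not code from any of the posts above, here is the kind of port check the VM/container alternative in the last reply makes possible, written in Python instead of driving telnet by hand. It makes the point RedNectar raised (the fabric nodes themselves give you iping but no "itelnet") concrete from the endpoint side: a plain TCP connect from a VM in the tenant VRF, which tells apart "open", "refused" (host reachable, nothing listening on that port), "timeout" (typically the flow is being dropped by a contract or firewall on the path) and "unreachable". The host and port come from the command line; the selfcheck_localhost helper is constructed for demonstration and only talks to 127.0.0.1.

```python
"""TCP port reachability check, meant to run from a VM or container inside
the fabric (the approach suggested in the thread), not from a leaf or spine.
Added example; not from the thread or from Cisco."""
import errno
import socket
import sys


def check_tcp_port(host, port, timeout=3.0):
    """Classify a TCP connect attempt to host:port.

    Returns one of:
      'open'        - three-way handshake completed, something is listening
      'refused'     - host answered with RST: reachable, port closed
      'timeout'     - no answer at all; a contract/ACL/firewall drop looks like this
      'unreachable' - the local stack has no route / got ICMP unreachable
      'error'       - any other socket error
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:          # alias of TimeoutError on Python 3.10+
        return "timeout"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        return "error"


def check_many(targets, timeout=3.0):
    """Check a list of (host, port) pairs; returns {(host, port): result}."""
    return {(h, p): check_tcp_port(h, p, timeout) for h, p in targets}


def selfcheck_localhost():
    """Constructed offline demo: one listening socket and one closed port on
    127.0.0.1, so the classifier can be exercised without any real target.
    Returns (result_for_listening_port, result_for_closed_port)."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)                       # handshake completes via the backlog
    open_port = listener.getsockname()[1]

    probe = socket.socket()
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()                            # released: nothing listens here now

    try:
        return (check_tcp_port("127.0.0.1", open_port),
                check_tcp_port("127.0.0.1", closed_port))
    finally:
        listener.close()


if __name__ == "__main__":
    # Usage from the VM:  python3 check_port.py 10.10.10.1 455
    if len(sys.argv) != 3:
        print(selfcheck_localhost())         # ('open', 'refused') on a normal host
        sys.exit(0)
    host, port = sys.argv[1], int(sys.argv[2])
    print(f"{host}:{port} -> {check_tcp_port(host, port)}")
```

The distinction between "refused" and "timeout" is the useful part when troubleshooting in ACI: a refusal proves the packet made it through the fabric to the endpoint and came back, so the remaining question is the host's own listener, whereas a timeout points at the path (contract, filter, or an upstream firewall) before you start looking at the host.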