Some Useful Commands for VMware NSX

Command Lines for the Logical Switches

From the NSX Manager

Use MTPuTTY or PuTTY to connect to the NSX Manager.

To display all the logical switches created. The output lists each logical switch with its UUID, VNI, and transport zone name.

show logical-switch list all

To verify the hosts that have joined VNI 5002. The output also shows the IP address of the controller responsible for VNI 5002.

show logical-switch controller master vni 5002 connection

To verify the VTEP table for VNI 5002. The VTEP table should contain the ESXi hosts where the virtual machines are running.

show logical-switch controller master vni 5002 vtep

To show the MAC table for VNI 5002. The MAC table should contain the MAC addresses of the virtual machines, as well as the VTEP IP addresses. The VTEP IP address is the IP address of the VTEP on each ESXi host where the virtual machines reside.

show logical-switch controller master vni 5002 mac

Run the command to verify the ARP table for the VNI 5002.

show logical-switch controller master vni 5002 arp

Command Lines for the DLR (Distributed Logical Routers)

From the NSX Manager

To show the DLR instances with details such as Edge ID, VDR name, and number of LIFs. Verify that the controller has all the information about the DLR.

show logical-router list all

To display the information about the DLR. This information is retrieved from the master controller for the DLR. Note: Replace edge_ID with the value shown by the previous command; the VDR ID appears in the form 0x0000####.

show logical-router controller master dlr edge_ID brief

To display the information about all the interfaces of the DLR. The output should match the information shown by the NSX plug-in in the vSphere Web Client.

show logical-router controller master dlr edge_ID interface

To display the detailed information about a particular interface. NOTE: Replace edge_ID and interface_name_for_VXLAN_5001 with the values recorded in the previous steps.

show logical-router controller master dlr edge_ID interface interface_name_for_VXLAN_5001

To display the routes configured or learned by the DLR. The directly connected networks do not appear in the route table in the controller.

show logical-router controller master dlr edge_ID route

How to identify the host ID. This shows the IDs of all the hosts that have joined logical switch 5001.

show logical-switch list vni 5001 host

To display all logical router connections on the host. The information displayed shows the virtual MAC address, the number of logical interfaces connected to the distributed port, and the physical MAC address of the uplinks.

show logical-router host host_ID connection

To display information about the DLR instance. This information is retrieved from the host. The output shows the number of logical interfaces, routes, and the master controller for the DLR instance. This information should match the control and management plane components.

show logical-router host host_ID dlr edge_ID brief

To display the detailed information about the DLR instance. The command displays the DLR name and ID, the master controller IP address, and the status of the control plane. The control plane should appear as Active. The Edge Active entry should appear as Yes if the DLR control VM resides on the host for which the command is executed.

show logical-router host host_ID dlr edge_ID verbose

Run the command to display the DLR interfaces. The information is retrieved from the master controller. You use the interface name to get information about the interface from the ESXi host.

show logical-router controller master dlr edge_ID interface

To display the information about the interface, such as the IP address, the VXLAN ID, the state of the interface, and the status of the VXLAN control plane. interface_name is the name of the interface for VXLAN 5001.

show logical-router host host_ID dlr edge_ID interface interface_name verbose

To display the routing table. This information is retrieved from the host and should match the output observed in the control plane.

show logical-router host host_ID dlr edge_ID route

To list all the VMware NSX® Edge™ instances and distributed logical routers created.

show edge all

To display the OSPF neighbors, verifying OSPF adjacencies.

show edge edge_ID ip ospf neighbors

Replace edge_ID with the value shown by show edge all.

To check the routing table on the Edge.

show edge edge_ID ip route


From the Distributed Logical Router

Use MTPuTTY or PuTTY to connect to the Distributed Logical Router control VM.

To display information for all the interfaces of the DLR control VM. Note: Use the spacebar to scroll through the output, one page at a time.

show interface

To display the routes learned from the next-hop router, as well as through directly connected interfaces.

show ip route

To display the forwarding table. You should see the directly connected interfaces to the DLR and any other routes learned by the DLR control VM. The DLR injects multiple paths in the forwarding table to the same destination if ECMP is enabled for the DLR.

show ip forwarding

From the ESXi Host

Use MTPuTTY or PuTTY to connect to the ESXi host.

To show that the necessary VIB is installed on the ESXi host. This command and the next one verify whether the software component required for the DFW data plane is properly installed and loaded.

esxcli software vib list | grep nsx

To confirm that the firewall module is loaded on the ESXi host.

vmkload_mod -l | grep vsip

To show the status of the vsfwd agent. This service connects to NSX Manager to get the configuration details.

/etc/init.d/vShield-Stateful-Firewall status

To show all the running threads for the vsfwd agent. vsfwd uses multiple threads to perform different functions, such as firewall rule publishing, netcpa proxy, threshold monitoring, and IPFIX. It is normal to see several threads in this output.

ps | grep vsfwd

To show the IP address of NSX Manager provided to the ESXi host during its preparation.

esxcfg-advcfg -g /UserVars/RmqIpAddress

To verify whether vsfwd is communicating with the correct NSX Manager instance to get its configuration. The vsfwd agent should have several connections to the IP address of NSX Manager on port 5671. The connection state should appear as ESTABLISHED.

esxcli network ip connection list | grep 5671
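The grep above shows every socket on port 5671 but leaves it to the reader to confirm that each one really goes to the NSX Manager whose address the host was given in /UserVars/RmqIpAddress. The script below is an added example, not part of the original post and not a VMware tool: it parses the esxcli listing with awk, accepts only tcp sessions whose foreign address is the expected manager on port 5671, requires at least one of them to be ESTABLISHED, and reports any 5671 session to a different peer. The listing and all addresses are constructed so the script runs offline; on a real host you would pipe the live esxcli output into the function instead.

```shell
#!/bin/sh
# Added example (not from the original post): a stricter version of
#   esxcli network ip connection list | grep 5671
# On a real host run:
#   esxcli network ip connection list | check_manager_connections <manager-ip>
# where <manager-ip> is the value shown by esxcfg-advcfg -g /UserVars/RmqIpAddress.

# Constructed sample listing; column layout mimics esxcli, all addresses are made up.
SAMPLE_OK='Proto  Recv Q  Send Q  Local Address          Foreign Address        State        World ID  CC Algo  World Name
-----  ------  ------  ---------------------  ---------------------  -----------  --------  -------  ----------
tcp         0       0  192.168.110.51:41234   192.168.110.42:5671    ESTABLISHED  2100456   newreno  vsfwd
tcp         0       0  192.168.110.51:41235   192.168.110.42:5671    ESTABLISHED  2100457   newreno  vsfwd
tcp         0       0  192.168.110.51:41236   192.168.110.42:5671    TIME_WAIT    2100458   newreno  vsfwd
tcp         0       0  192.168.110.51:22      192.168.110.10:50122   ESTABLISHED  2098765   newreno  busybox
udp         0       0  192.168.110.51:8472    0.0.0.0:0              -            2099001   -        vmkernel'

# Same constructed listing plus one 5671 session to a host that is not our manager.
SAMPLE_ROGUE="$SAMPLE_OK
tcp         0       0  192.168.110.51:41240   192.168.110.99:5671    ESTABLISHED  2100460   newreno  vsfwd"

# check_manager_connections EXPECTED_MANAGER_IP   (esxcli listing on stdin)
# Returns 0 when at least one ESTABLISHED tcp session to EXPECTED_MANAGER_IP:5671
# exists and no 5671 session points anywhere else; returns 1 otherwise.
# Only IPv4 "addr:port" columns are handled, which is what vsfwd uses here.
check_manager_connections() {
    mgr="$1"
    awk -v mgr="$mgr" '
        # header and separator lines never start with "tcp"; keep rows whose foreign port is 5671
        $1 == "tcp" && $5 ~ /:5671$/ {
            split($5, peer, ":")                     # peer[1] = foreign IP
            if (peer[1] != mgr) {
                bad++
                printf "unexpected AMQP peer %s (%s)\n", $5, $6
            } else if ($6 == "ESTABLISHED") {
                ok++
            } else {
                other++
            }
        }
        END {
            printf "established to %s:5671: %d, non-established: %d, unexpected peers: %d\n", mgr, ok + 0, other + 0, bad + 0
            if (ok > 0 && bad == 0) exit 0
            exit 1
        }'
}

# Stand-alone demo: the first listing passes, the second fails because of the stray peer.
printf '%s\n' "$SAMPLE_OK"    | check_manager_connections 192.168.110.42 && echo "OK: vsfwd talks only to 192.168.110.42"
printf '%s\n' "$SAMPLE_ROGUE" | check_manager_connections 192.168.110.42 || echo "FAIL: review vsfwd and /UserVars/RmqIpAddress on this host"
```

A non-zero exit from the function is the signal to compare the manager IP the host was prepared with against the peers vsfwd is actually talking to, since a mismatch means the host is not taking its DFW configuration from the manager you expect.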

To verify that the firewall rules are deployed on a host and applied to virtual machines.

To show all the filters for all the virtual machines and VMkernel ports on the ESXi host.

summarize-dvfilter

To show all the DFW rules applied to the filter associated with the virtual machine. The output shows the rule ID, protocol information, action, and address sets. Address sets are internal objects; use the next command to display the IP addresses included in an address set.

vsipioctl getrules -f filter_name

Run the command to display the IPv4 and IPv6 addresses included in the address sets associated with the filter.

vsipioctl getaddrsets -f filter_name

How to capture the traffic for the VMs on a host. These commands should be run over an SSH connection to the host.

To capture traffic arriving at the port of a VM on the host. You can get VM01_port_ID from the esxtop command run on the same host.

pktcap-uw -o VM01.pcap --switchport VM01_port_ID --dir 0

To read the VM01.pcap file and dump the output to the screen.

tcpdump-uw -enr VM01.pcap