Cisco ACI Commands

====================

Introduction

The goal of this document is to provide a concise list of useful commands to be

used in the ACI environment. For in-depth information regarding these commands and
their uses, please refer to the ACI CLI Guide.

Please note that legacy style commands (show firmware, show version, etc) will not
be included in this guide. The below commands are new for ACI. Legacy commands may
be added later on, but the point of this document is to be short and sweet.

Formatting

This document is formatted in the following way: commands are surrounded by <> in
bold and possible user-given arguments within commands (if necessary) are
surrounded by () with a | in between multiple arguments. Brackets [] will be used
for mandatory verbatim arguments. A dash (-) will be the barrier between a command
and the explanation for a command. For example:

<show interface (interface ID)> - shows the status of a given interface as well
as statistics
interface ID is in () because it is a user-specified argument, you can put
any interface you want

<show platform internal [ns|alp] mac asic [0|1]> - show the MAC port status
ns|alp and 0|1 are in brackets because you must use either one of those
arguments

Command Completion and Help

Context sensitive help and command completion in ACI is a bit different than in
other command line interfaces from Cisco. Since iShell builds mostly on Bash,
these features tend to build off of the standard bash Programmable Completion
feature.

Tab - Use the tab key to auto complete commands. In cases where there are
multiple commands that match the typed characters, all options should be displayed
horizontally.

Example Usage:

admin@tsi-apic1-211:~> mo<Tab>
moconfig mocreate modelete modinfo modprobe modutil
mofind moprint more moset mostats mount
mount.fuse mount.nfs mount.nfs4 mountpoint mountstats mount.tmpfs
admin@tsi-apic1-211:~> mo
 This is more than just iShell, it includes all Bash commands. Hitting Tab
before typing any CLI command on the APIC results in:

admin@tsi-apic1-211:~> <Tab>
Display all 1430 possibilities? (y or n)

Esc Esc - Use Double escape to get context sensitive help for available ishell
commands. This will display short help for each command. [Side note: In early
beta code, Double Escape after typing a few characters would only show one of the
matching commands rather than all of them. This is addressed via CSCup27989 [Bug-
Preview for CSCup27989] ]

Example Usage:

admin@tsi-apic1-211:~> <Esc><Esc>
attach Show a filesystem object
auditlog Display audit-logs
controller Controller configuration
create create an MO via wizard
diagnostics Display diagostics tests for equipment groups
dn Display the current dn
eraseconfig Erase configuration, restore to factory settings
eventlog Display event-logs
fabricnode Commission/Decommission/Wipeout a fabric node
faults Display faults
firmware Add/List/Upgrade firmware
health Display health info
loglevel Read/Write loglevels
man Show man page help
moconfig Configuration commands
mocreate Create an Mo
modelete Delete an Mo
[snip]
admin@tsi-apic1-211:~>

man <command> - All commands should have man pages. [Side note: If you find an
iShell command without a man page - open a bug] The manual page for the commands
will give you more detailed info on what the commands do and how to use them.

Cisco Application Centric Infrastructure CLI Commands (APIC, Leaf/Spine)

Clustering User Commands

<controller> - shows the current cluster size and state of APICs
<cd /aci/system/controllers/1/cluster> <moset administrative-cluster-size (#)>
<moconfig commit>- changes the size of the cluster
<controller -d -t (ID)> - Decommissions the APIC of the given ID

<eraseconfig setup> - Factory resets APIC and after reboot will load into setup
script
<reload [controller|switch] (nodeID)> - Reboots the APIC of the given ID
<acidiag rvread> - shows replica which are not healthy
<acidiag rvread (svc) (shard) (replica)> - shows the state of one replica
<avread> - large output which will show cluster size, chassisID, if node is active,
and summary of replica health
<acidiag fnvread> - shows fabric node vector
<acidiag avread> - shows appliance vector
<acidiag verifyapic> - verifies APIC hardware
<ip link> - shows link status
<cat /proc/net/bonding/(ID)> - shows the status of bond link

<show dhcp internal info client> - shows dhcp client information to confirm dhcp
address from APIC

<fabricnode (nodeID) [commission|decommission|wipeout]> - commissions,

decommissions, or wipes out given node. wipeout will completely wipeout the node
including configuration. Use sparingly.

SSL Troubleshooting

<openssl s_client -connect (IP):12151> - tries to connect ssl between APIC and Node
and gives output of SSL information

<zgrep SSL svc_ifc_appliancedirector.bin.log*> -shows logging of DME-logs for node

<zgrep SSL svc_ifc_policyelem.log*> - shows policy-element logs for SSL
connectivity
Can also check logs in the /var/log/dme/log directory

Switch Cert Verification

<openssl asn1parse < /securedata/ssl/server.crt> - Next to PRINTABLESTRING, it will

list Insieme or Cisco Manufacturing CA. Cisco means new secure certs are installed,
Insieme means old unsecure are installed

<openssl x509 -noout -issuer -subject -dates -in /securedata/ssl/server.crt> -

Shows start and end dates of certificate. Must be within range for APIC to accept

<act_util key_pair show (#)> - Shows keypairs of specified cert

Switch Diagnostics
<show module internal event-history module (#)> - shows bootup tests and
diagnostics of given module
<show diagnostic content module (ID)> - shows ongoing tests of given module
<show diagnostic result module [all|(moduleID)]> - shows diagnostic result of given
module or all modules
<show diagnostic result module (moduleID) test (testID) detail> - shows diagnostic
result of given test on given module
<show diagnostic internal [diagmgr|diagclient|port_lb]> - show debug information
for the diagnostic modules

Debug Commands
<debug platform internal emon [heartbeat|kfsm|stats|traffic]> - shows debug output
of given argument
<debug platform internal emon [heartbeat|kfsm|stats|traffic] [enable|disable]> -
enables/disables given argument on all modules
<debug platform internal emon [heartbeat|kfsm|stats|traffic] interval get> - gets
the interval of given argument
<debug platform internal emon stats get (ID)> - EPC mon statistics
<debug platform internal emon kfsm state get (ID)> - EPC mon statistics
<debug platform internal marvell switch [0|1] status> - EOBC/EPC switch status (0:
EOBC, 1: EPC)
<debug platform internal broadcom switch status> - SC card broadcom switch status

Insieme ELTM VRF, VLAN, Interface Commands

<debug system internal [eltm|eltmc] trace output file> - dumps ELTM trace to output
file
<show system internal [eltm|eltmc] info trace> - dumps eltm trace to console
<show system internal [eltm|eltmc] info vrf (vrf)> - shows vrf table of given vrf
<show platform internal ns forwarding segments> -
<show platform internal ns forwarding epgs> -
<cat summary> - vrf summary, shows ID, pcTag, scope
<show system internal eltmc info vlan brief> - shows vlan information. Can
substitute (brief) for a vlan ID
<show sytem internal eltmc info interface (interface ID)> -

OSPF CLI Commands

<show ip ospf neighbors vrf (vrf|all)> - shows OSPF neighbors of given vrf
<show ip ospf route vrf (vrf|all)> - shows OSPF routes of given vrf
<show ip ospf interface vrf (vrf|all)> - shows ospf interfaces of given vrf
<show ip ospf vrf (vrf|all)> - shows ospf information of given vrf
<show ip ospf traffic vrf (vrf|all)> - shows ospf traffic of given vrf

External Connectivity
<show ip arp vrf (vrf)> - shows arp entries for given vrf
<show ip ospf neighbors vrf (vrf)> - shows ospf neighbors for given vrf
<show bgp sessions vrf (vrf)> - shows bgp sessions/peers for given vrf
<show ip ospf route vrf (vrf)> - shows ospf routes for given vrf
<show bgp ipv4 unicast vrf (vrf)> - shows bgp unicast routes for given vrf
<show ip static-route vrf (vrf)> - shows static routes for given vrf
<show ip route vrf (vrf)> - shows routes for given vrf
<l3 defip show> - shows external LPMs
<l3 egress show> - shows next hops towards NorthStar ASIC or external router
<show platform internal ns table mth_lux_slvd_DHS_HigigDstMapTable_memif_data
ingress> - HigigDstMapTable Indexed using DMOD/DPORT coming from T2. Provides a
pointer to DstEncapTable.
<show platform internal ns table mth_lux_slvg_DHS_DstEncapTable_memif_data ingress>
- DstEncapTable Indexed using the HigigDstMapTable�s result. Gives tunnel
forwarding data.
<show platform internal ns table mth_rwx_slva_DHS_RwEncapTable_memif_data ingress>
- RwEncapTable Indexed using the HigigDstMapTable�s result. Gives tunnel encap
data.

ISIS Fabric Unicast Debugging

<show isis protocol> - shows ISIS statistics
<show isis adjacency [detail] vrf (vrf)> - shows ISIS adjacencies for given vrf.
Can also add detail
<show lldp neighbor> - shows lldp neigbor status
<show interface (interface ID)> - shows interface status information and statistics
<show isis database [detail] vrf (vrf)> - shows isis database, can also add detail
<show isis route vrf (vrf)> - shows isis route information
<show isis traffic vrf (vrf)> - shows isis traffic information
<show isis dtep vrf (vrf)> - shows all discovered tunnel end points
<show isis statistics (vrf)> - shows isis statistics of given vrf
<show isis event-history [detail]> - shows isis event history
<show isis internal mem-stats [detail]> - shows isis memory statistics
<show tech-support-service isis> - provides isis tech-support output for TAC

ASIC Platform Commands

<show platform internal [ns|alp] mac asic [0|1]> - shows the MAC port status
<show platform internal [ns|alp] counters mac asic [0|1]> - shows the MAC port
counters
<show platform internal [ns|alp] counters asic-block [all|bax|lbx|lux|prx|qsx|rwx|
scx|top]> - shows ASIC block counters for given ASIC. Can also add [detail] for
more details
<show platform internal [ns|alp] interrupts> - shows interrupts for given ASIC

ASIC Platform Commands - T2 Specific

<show c rpkt> - shows receive counters for T2
<show c tpkt> - shows transmit counters for T2
<show c xe12> - shows per port packet type counters
<g chg ing_event_debug> - shows ingress drop counters
<g chg_egr_drop_vector> - shows egress drop counters
<s RDBGC(#)_SELECT bitmap=(hex)> & <g chg RDBGC(#)_SELECT> - setting register to
specific trigger. 9 registers per port (0-8)
ex - <s RDBGC3_SELECT bitmap=0x2000> <g chg RDBGC3_SELECT> - sets 4th register
to select RFILDR selector (bit 13)
<cstat xe17> - checking the stats for above command

ASIC Platform Commands - NS Specific

<show platform internal counters port> - shows port counters
<show platform internal counters port internal> - shows internal port counters
<show platform internal counters vlan> - shows vlan counters
<show platform internal counters tep> - shows per-tunnel counters
<show platform internal ns counters asic-block all> - shows ASIC block counters
<show platform internal ns forwarding list> - shows well-defined tables

Fabric Multicast - General

<show isis internal mcast routes ftag> - shows currecnt state of FTAG, cost, root
port, OIF list
<show isis database mgroup detail vrf (vrf)> - shows GM-LSP database
<show isis internal mcast routes gipo> - shows GIPO routes, Local/transit, OIF list
<show isis internal mcast statistics> - shows topology and compute stats, MRIB
update stats, Sync+Ack packet stats, Object store stats
<show isis event-history mcast> - shows isis multicast event history logs
<show isis event-history mcast-convergence> - more detailed than above command,
specifically dealing with forwarding events and forwarding updates

Fabric Multicast Debugging - MFDM

<show forwarding distribution l2 multicast> - flood/OMF/GIPi membership
<show forwarding distribution l2 multicast vlan (vlanID)> per BD

<show forwarding distribution l2 multicast gipi> - GIPi membership

<show forwarding distribution l2 multicast gipi (IP)> - specific
<show forwarding distribution l2 multicast gipi vlan (vlanID)> - per BD
<show forwarding distribution l2 multicast gipi (IP) vlan (vlanID)> - specific per
BD

<show forwarding distribution l2 multicast flood> - flood membership

<show forwarding distribution l2 multicast flood vlan (vlan ID)> - per BD

<show forwarding distribution l2 multicast omf> - OMF membership

<show forwarding distribution l2 multicast omf vlan (vlan ID)> - per BD

<show system internal forwarding distribution multicast ipmc> - IPMC membership

<show system internal forwarding distribution multicast ipmc 0x3> - specific IPMC
<show forwarding distribution multicast ipmc-sw>
<show forwarding distribution multicast ipmc-sw (ID)>

Fabric Multicast Debugging - L2 Multicast

<show system internal forwarding l2 multicast> - flood/OMF/GIPi membership
<show system internal forwarding l2 multicast vlan (vlanID)> - per BD

<show system internal forwarding l2 multicast gipi> - GIPi membership

<show system internal forwarding l2 multicast gipi (IP)> - specific
<show system internal forwarding l2 multicast gipi vlan (vlanID)> - per BD
<show system internal forwarding l2 multicast gipi (IP) vlan (vlanID)> - specific
per BD

<show system internal forwarding l2 multicast flood> - flood membership

<show system internal forwarding l2 multicast flood bd (bdID)> - per BD

<show system internal forwarding l2 multicast met> - MET membership

<show system internal forwarding l2 multicast met (ID)> - specific MET
<show system internal forwarding l2 multicast met flood> - flood MET
<show system internal forwarding l2 multicast met gipi> - GIPi MET
<show system internal forwarding l2 multicast met gipi bd (bdID)> - per BD
<show system internal forwarding l2 multicast met gipi (IP) bd (bdID)> - specific
per BD
<show system internal forwarding l2 multicast ipmc> - IPMC membership
<show system internal forwarding l2 multicast ipmc (ID)> - specific IPMC

Fabric Multicast Debugging - MRIB

<show ip mroute vrf (vrf)> - shows IP multicast routing table for given vrf

Fabric Multicast Debugging - MFIB

<show ip fib mroute ftag> - shows FTAGs
<show forwarding vrf all multicast route> - shows GIPO routes

Fabric Multicast Debugging - IGMP

<show ip igmp snooping groups> - shows multicast route information in IGMP
<show ip igmp snooping mrouter> - shows multicast router information IGMP
<show ip igmp snooping encap-db> - FD to BD vlan mapping. IGMP gets FD and G from
Istack. It needs to know the BD to create (BD, G)
<show ip igmp snooping vlan (vlanID)> - verify BD membership of a port in IGMP.
Only when ports are part of BD joins are processed
<show ip igmp snooping vtep-if-db> - verify the tunnel to IF mapping in IGMP. IGMP
uses this to get the groups on VPC and only sync them.

Fabric Multicast Debugging - MFDM

<show forwarding distribution ip multicast route vrf (vrf)> - shows IPv4 multicast
routing table for given vrf
<show forwarding distribution multicast vlan_db> - Verify FD to BD vlan mapping.
MFDM gets (FD,port) memberships from vlan_mgr and uses this information go create
BD floodlists.
<show forwarding distribution multicast bd_gipo> - BD to GIPO mapping. GIPO is used
by Mcast in Fabric
<show forwarding distribution multicast epg_gipo_prime> - FD-vxlan to GIPO mapping
<show forwarding distribution multicast vtep_if_db> - tunnel to phy mapping

Fabric Multicast Debugging - M2rib

<show l2 mroute> - shows multicast route information in M2rib
<show l2 mroute omf> - shows multicast route informatino in M2rib

Fabric Multicast Debugging - PIXM

<show system internal pixm info ltl-range start-ltl 0x0 ltl-cnt 4000> - RID to IPMC
mapping. IFIDX is RID and LTL is IPMC

Fabric Multicast Debugging - VNTAG Mgr

<show system internal vntag dvif-allocation> - IPMC to DVIF mapping. LTL is IPMC

EP Announce - Debugging
<show system internal epm announce>
<show system internal epm counters announce>
<show system internal epm vlan (vlanID) detail>
<show system internal epm vrf (vrf) detail>
<show system internal epm periodic>
<show system internal epm endpoint all>

iBash CLI
<show mac address-table>
<show endpoint [summary|address|interface|vlan|vrf]> - show endpoint information

BCM Table Dump

<bcm-shell-hw "l2 show">
<bcm-shell-hw "l3 l3table show">

Fabric QoS Debugging - CoPP CLI

<show copp policy>
<show system inernal aclqos brcm coppp entries unit 0> - CoPP statistics (red =
dropped, green = allowed)
<show system internal qos classes> - shows QoS classes configured
<show system internal qos vlan all> - shows QoS classes/policices configured per
vlan
<show system internal qos ppf [pinst|nodes]> - shows ppf details
<show system internal aclqos qos classes> - shows QoS classes configured in
hardware
<show system internal aclqos qos vlan (vlanID)> - shows the QoS DSCP/dot1p policy
configured for a vlan in HW
<show system internal aclqos qos policy summary> - shows QoS DSCP/dot1p policy
summary
<show system internal aclqos qos policy detail> - shows QoS DSCP/dot1p policy in
detail
<show system internal aclqos brcm tcam entries unit 0 group [efp-bpdu|efp-ctrl-pol|
efp-mark|ifp-ctrl|ifp-dscp|ifp-elmc-vleaf|ifp-span-port-vlan|ifp-span-port-vlan-
egress|ifp-span-vlan-egress|ifp-vni-udf|vfp-vni]> - shows T2 TCAM entries for
specified group
<show platform internal counters port (#)> - shows QoS counters on each port
<show platform internal counters port internal (#)> - shows QoS counters on each
port (internal)
<show platform internal counters class (#)> - shows QoS counters for each class for
all ports

MCP CLI
<show mcp internal info global> - shows the edge port config on the HIF (FEX)
ports, the internal VLAN mapping and the STP TCN packet statistics received on the
fabric ports
<show mcp internal info interface [all|interfaceID]> - shows mcp information by
interface
<show mcp internal info stats interface> - shows stats for all interfaces
<show mcp internal info vlan [all|vlanID]> - shows mcp information per vlan
<show mcp internal stats vlan> - shows stats for all vlans
<show mcp internal info msti [all|(region name) (instance ID)]> - shows mcp
information per msti region
<show mcp internal info stats msti> - shows stats for all msti regions

iTraceroute CLI
<itraceroute (destinationIP)
<itraceroute (destinationIP)
- Tenant traceroute for vlan
<itraceroute (destinationIP)
payload (pld-size)> - Tenant
(pld-size)> - node traceroute
vrf (vrf) encap vlan (vlan-encap) payload (pld-size)>
encapped source EP
vrf (vrf) encap vxlan (vxlan-encap) dst-mac (dst-mac)
traceroute for vxlan encapped source EP

ELAM Setup and debugging (follow commands in order)

<debug platform internal ns elam asic (#)> - starts ELAM on given ASIC
<trigger init ingress in-select 3 out-select 0> - sets trigger for ELAM
<set outer l2 dst_mac (destination mac) src_mac (source mac)> - sets source and
destination mac addresses
<start> - Starts capture
<status> - shows capture status
<report> - shows report of the capture

VMM Troubleshooting
<show vmware controllers> - shows VM controllers and their attributes such as
IP/hostname, state, model, serial number
<show vmware domain mininet (name) inventory> - shows hypervisor inventory of given
VM controller
<show vmware domain mininet (name) [inventory|policy|status]>
<show vmware domain mininet (name) inventory [hypervisors|portgroups|virtual-
machines|virtual-switches]>

TOR Sync Troubleshooting

<netstat -tp | grep epm>
<tcpdump -i kpm_inb>
<show system internal epm vpc>
<show system internal epm counters vpc>
<show system internal epm counter zmq>
<show system internal epm announce>
<show system internal epm counters announce>
<show system internal epm vlan (vlanID) [detail]> - can see which VLAN is learn
disable
<show system internal epm vrf (vrf) [detail]> - can see which VLAN is learn disable
<show system internal epm periodic> - see if timer is attached on the VLAN/vrf
<show system internal epm counters all>
<show system internal epmc counters all>

OpFlex Debugging
<vemcmd show openflex> - shows if OpFlex is online (status = 12 means OpFlex is
online, remoteIP is anycast IP, intra vlan is vlan used by VTEP, FTEP IP is the
iLeaf's IP)
<vem status> - check if DPA is running
<vemcmd show sod>
<vemcmd show port> - uplinks and vtep should be in forwarding state. PC-LTL of
uplink port should be non-zero
<vemcmd show pc> - Check port channel type
<vemcmd show lacp> - if port channel type is LACP, can use this command to see the
individual uplink LACP state
<esxcfg-vmknic -l> - verify if the VTEP received a valid DHCP IP address

SPAN Debugging
<vemcmd show span>

BPDU Debugging
<vemcmd show card> - shows if BPDU Guard/Filter is enabled or disabled
<vemcmd show bpdu-stats> - check if the bpdu-drop stats are incrementing on the
uplinks/virtual ports

VEM Misc Commands

<vemcmd show openflex> - show channel status
<vemcmd show port> - check port status
<vemcmd show bd> - check per EPG flood lists
<vemcmd show epp multicast> - check vLeaf multicast membership
<vemcmd show stats> - show packet stats
<vemcmd show packets> - show packet counters

<vemlog debug sfport all> - debug vxlan packet path

<vemlog debug sflayer2 all> - debug vxlan packet path
<vemlog show all> - show above logging output

<vempkt capture [egress|pre-ingress]>

<vempkt clear>
<vempkt start>
<vempkt stop>
<vempkt display brief all>
<vempkt display detail entry (#)>
<vempkt cancel capture all>

FEX Troubleshooting
<show fex> - shows all FEXs and their states
<show fex (#) [detail]> - gives detailed stats of given FEX
<show environment fex> - gives environmental stats of FEX
<show fex transceiver>
<show fex version> - shows FEX version
<show interface fex-fabric> - shows FEX fabric interface information
<show logging level fex> - shows logging information for FEX
<show interface transceiver fex-fabric> - shows transceiver information for FEX
<show system reset-reason fex> - show FEX reset reason
<show module fex> - shows FEX module information
<show system internal fex log | grep (anything)> - shows debugging information and
you can grep to find what you want
<show system internal fex internal event-history msgs> - use to find out which
service is failing the sequence and you can debug that process further