In an earlier blog, I discussed the power of CLI configuration in the cloud. Supplemental CLI gives you access to the complete set of CLI commands of any networking device supported in ExtremeCloud™ IQ. In this blog, I focus on troubleshooting with CLI from the cloud.
I think we can all agree that one of the best aspects of management from the cloud is simplicity. ExtremeCloud™ IQ streamlines every aspect of network management, including troubleshooting. Numerous diagnostics utilities such as VLAN Probe, Client Monitor, and more are available within the graphical user interface (GUI) of ExtremeCloud™ IQ. Usually, the ExtremeCloud™ IQ GUI is sufficient for 98% of manual and automated troubleshooting tasks. However, the command-line interface (CLI) of a networking device provides more advanced troubleshooting capabilities.
The good news for power-user admins is that CLI troubleshooting is available from the cloud via SSH Proxy. As shown in Figure 1, an admin can use the Secure Shell (SSH) protocol to securely access managed devices (APs and switches) via a proxied connection through ExtremeCloud™.
An admin selects a managed network device in ExtremeCloud™ IQ for the creation and management of an end-to-end SSH tunnel. As shown in Figure 2, ExtremeCloud™ IQ queries the cloud SSH proxy servers to get an available port, generate credentials, and create a user. Via the CAPWAP management protocol, ExtremeCloud™ IQ sends the IP address of the SSH proxy server, random port, username, and credential to the AP or switch.
Security best practices frequently mandate that inbound SSH connections are blocked on firewalls. Therefore, the managed AP or switch initiates an outbound SSH session via the random port to an allocated SSH proxy server in the cloud. Port numbers used for the SSH session are random. The outbound ports that need to be open on remote customer firewalls are 20000 - 20255 and 22.
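The port requirement above can be checked against a firewall policy before relying on SSH Proxy. The following is an added example, not code from ExtremeCloud™ IQ: it audits a first-match egress rule list for outbound TCP 22 and 20000 - 20255, and the rule format and sample policy are constructed assumptions.

```python
# Added example: first-match egress policy audit for the SSH Proxy ports.
REQUIRED = [(22, 22), (20000, 20255)]  # outbound TCP ports named in the article

# Constructed sample policy (assumed format): (action, protocol, low, high),
# evaluated top-down, with a default deny when no rule matches.
SAMPLE_POLICY = [
    ("allow", "tcp", 443, 443),
    ("allow", "tcp", 22, 22),
    ("allow", "tcp", 20000, 20100),  # too narrow: misses 20101-20255
    ("deny", "tcp", 1, 65535),
]

def decision(policy, port, default="deny"):
    """Action of the first rule that matches an outbound TCP port."""
    for action, proto, low, high in policy:
        if proto == "tcp" and low <= port <= high:
            return action
    return default

def blocked_ranges(policy, required=REQUIRED):
    """Required ports the policy does not allow, collapsed into ranges."""
    gaps = []
    for low, high in required:
        for port in range(low, high + 1):
            if decision(policy, port) == "allow":
                continue
            if gaps and gaps[-1][1] == port - 1:
                gaps[-1] = (gaps[-1][0], port)  # extend the current gap
            else:
                gaps.append((port, port))
    return gaps

def over_broad_rules(policy, required=REQUIRED):
    """Allow rules that overlap a required range but also open other ports.
    Rule order is ignored here, so a shadowed rule is still reported."""
    found = []
    for rule in policy:
        action, proto, low, high = rule
        if action != "allow" or proto != "tcp":
            continue
        for r_low, r_high in required:
            if low <= r_high and high >= r_low and (low < r_low or high > r_high):
                found.append(rule)
                break
    return found

if __name__ == "__main__":
    print("blocked:", blocked_ranges(SAMPLE_POLICY))
    print("over-broad:", over_broad_rules(SAMPLE_POLICY))
```

With the sample policy, the audit reports 20101 - 20255 as blocked, which would make proxy sessions fail intermittently depending on the random port allocated.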
As shown in Figure 3, an admin uses PuTTY or some other preferred SSH client to contact the SSH proxy server and begin the SSH session with the AP or switch through the proxy connection. ExtremeCloud™ IQ does not participate in the conversations during the SSH session and has no knowledge of the content inside the SSH tunnel. ExtremeCloud™ IQ manages the time-out and terminates any SSH sessions upon time-out. Any admin with sufficient privilege can also proactively terminate any SSH session via ExtremeCloud™ IQ.
During a proxy session, an admin can now run any CLI diagnostic commands in real time. As with any command-line set, the “question mark” is your friend. For example, type show ? to display a detailed list of show commands.
SSH sessions should be used for CLI troubleshooting of individual networking devices; however, device configuration via SSH is discouraged because any local device configuration changes are not saved in the ExtremeCloud™ IQ database. Always remember that Supplemental CLI gives you the power of CLI configuration in the cloud.
Not all cloud-based network management platforms are created equal, and some do not provide any CLI visibility. However, ExtremeCloud™ IQ provides power-user admins with CLI troubleshooting from the cloud via SSH Proxy and advanced CLI configuration from the cloud with Supplemental CLI. Once again, simplicity is a crucial aspect of troubleshooting for cloud-driven networking. But rest assured that you still have a means of advanced troubleshooting via SSH Proxy for the power-user administrator. Want to learn more about SSH Proxy and CLI troubleshooting? Please take a moment to watch this video: