08-30-2021 12:23 PM
Over the years, our ACI deployment has picked up quite a lot of orphaned policy objects. For instance, when some people decommissioned switches or servers, they might forget to delete switch selectors, interface selectors or policy groups.
I have been going through trying to manually delete them when I find them but it would be nice to have a more automated way to do it. Does anybody either:
- Already have a script to find policy objects that aren't used, or
- Know of the best way to do this through a script?
08-30-2021 01:44 PM - edited 08-30-2021 01:45 PM
The script you are looking for is called acilint:
https://github.com/datacenter/acitoolkit/blob/master/applications/lint/acilint.py
How to use it:
python3 -m venv ./venv
source venv/bin/activate
pip install acitoolkit

python acilint.py -l admin -p password -u https://1.2.3.4

Getting configuration from APIC....
Processing configuration....
Error 001: BridgeDomain 't2' in tenant 'common' has no Context assigned.
Error 001: BridgeDomain 't' in tenant 'common' has no Context assigned.
Warning 001: Tenant 'mgmt' has no Application Profile.
Warning 001: Tenant 'acitoolkit' has no Application Profile.
Warning 001: Tenant 'Ansible' has no Application Profile.
Warning 002: Tenant 'acitoolkit' has no Context.
Warning 002: Tenant 'Ansible' has no Context.
Warning 003: AppProfile 'default' in Tenant 'common' has no EPGs.
What each error/warning level means you can find here: http://datacenter.github.io/acitoolkit/docsbuild/html/acilint.html#errors-and-warnings
Stay safe,
Sergiu
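A starting point for the original question (finding access-policy objects that nothing references), as an added example that is not from this thread or from acitoolkit. It works on the JSON that APIC class queries return, with constructed sample data inline; the class and attribute names are the standard ACI access-policy classes, and the dn values are made up.

```python
"""Find ACI access-policy objects that no other object references.

Assumes the APIC class-query response shape:
  {"imdata": [{"<class>": {"attributes": {"dn": ..., ...}}}, ...]}
Feed it the merged "imdata" of GET /api/class/<cls>.json for each class below.
"""


def attrs_of(imdata, cls, attr="dn"):
    """Collect one attribute from every object of class `cls` in a class-query response."""
    return {o[cls]["attributes"][attr] for o in imdata if cls in o}


def orphaned(imdata):
    """Return policy groups no interface selector binds and interface profiles
    no switch profile binds. References are the tDn of the relation objects
    (infraRsAccBaseGrp under a selector, infraRsAccPortP under a switch profile).
    Objects referenced only from inside an orphaned profile still count as
    used here, so delete from the outside in and re-run."""
    groups = attrs_of(imdata, "infraAccPortGrp") | attrs_of(imdata, "infraAccBndlGrp")
    used_groups = attrs_of(imdata, "infraRsAccBaseGrp", "tDn")
    profiles = attrs_of(imdata, "infraAccPortP")
    used_profiles = attrs_of(imdata, "infraRsAccPortP", "tDn")
    return {
        "policy_groups": sorted(groups - used_groups),
        "interface_profiles": sorted(profiles - used_profiles),
    }


def obj(cls, **attributes):
    """Build one object in the APIC imdata shape (helper for the constructed sample)."""
    return {cls: {"attributes": attributes}}


# Constructed sample (not a real fabric): one orphaned port policy group and
# one orphaned interface profile among otherwise bound objects.
SAMPLE = [
    obj("infraAccPortGrp", dn="uni/infra/funcprof/accportgrp-srv01"),
    obj("infraAccPortGrp", dn="uni/infra/funcprof/accportgrp-old-srv"),
    obj("infraAccBndlGrp", dn="uni/infra/funcprof/accbundle-vpc01"),
    obj("infraRsAccBaseGrp", tDn="uni/infra/funcprof/accportgrp-srv01"),
    obj("infraRsAccBaseGrp", tDn="uni/infra/funcprof/accbundle-vpc01"),
    obj("infraAccPortP", dn="uni/infra/accportprof-leaf101"),
    obj("infraAccPortP", dn="uni/infra/accportprof-leaf199"),
    obj("infraRsAccPortP", tDn="uni/infra/accportprof-leaf101"),
]

if __name__ == "__main__":
    for kind, dns in orphaned(SAMPLE).items():
        print(kind, *dns, sep="\n  ")
```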
08-30-2021 08:50 PM - edited 08-30-2021 10:32 PM
Hi @mmacdonald70 ,
Just a little note about some of the quirks of acilint.py that @Sergiu.Daniluk mentioned.
Firstly, it is a great little utility. BUT...
def critical_001(self):
    """
    This is an example of a compliance check where all EPGs are expected to be
    tagged with either 'secure' or 'nonsecure' and secure EPGs are not allowed
    to provide or consume contracts from nonsecure EPGs.
    """
But once you know the quirks, the output can be handy!
08-31-2021 01:00 AM
NoteToSelf: Looks like this is a good opportunity to improve this script. #WeekendProject